The Network Is Going Dark: TLS 1.3 and Security Operations Visibility


March 16, 2020


This year at RSA Conference, I had the privilege of presenting a technical session on the implications of TLS 1.3 for security operations visibility along with Josh Northrup at Fiserv, an important ExtraHop customer that worked with us to test and refine a highly scalable solution for TLS 1.3 decryption.

The talk was well-received, so I wanted to share it with the hope of benefiting a broader audience, especially organizations that are considering their options for handling TLS 1.3. I've outlined the presentation below, but the slides and a video recording are available on the RSA Conference session page: The Network Is Going Dark: Why Decryption Matters for SecOps

  • Introduction
    • The trend is toward total encryption of network traffic both on the Internet and within data center, cloud, and campus environments
    • TLS 1.3 is more secure, but creates challenges for out-of-band monitoring by using ephemeral session keys
  • Options for organizations
    • Analysis of encrypted traffic using fingerprinting and other techniques
    • Man-in-the-middle appliances to break and inspect encrypted traffic
    • Session-key forwarding for local services
  • My recommendations
    • For user and BYOD traffic, use the break-and-inspect method
    • For local services that you control, use session-key forwarding at choke points such as application delivery controllers and proxies
  • Fiserv deployment of session-key forwarding
    • Large deployment with 3,500+ servers and 6,000 sessions per second across multiple data centers
    • Not just for HTTPS, but also services such as LDAP
    • Session-key forwarders are built into the automation framework
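Session-key forwarding only works if the choke point actually emits a complete, well-formed set of per-session secrets, since TLS 1.3 has no long-lived key that a passive sensor could fall back on. The following is an added illustration, not ExtraHop's or Fiserv's forwarder code: it validates key-log lines in the standard NSS SSLKEYLOGFILE format (the format OpenSSL, NSS and Go can write) and reports which sessions a passive sensor could decrypt in full. The sample key-log text and the in-memory result are constructed for the example; a real forwarder would ship the accepted records to a sensor over an authenticated transport.

```python
"""Validate NSS-format TLS key-log lines before forwarding them to an
out-of-band decryption sensor. Added example; the sample data below is
constructed and carries no real session material."""
import re
from collections import defaultdict

# Secret labels defined for TLS 1.3 (RFC 8446) and the single TLS 1.2 label.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
TLS12_LABEL = "CLIENT_RANDOM"
# Minimum set a passive sensor needs to decrypt a whole TLS 1.3 session.
REQUIRED_13 = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
               "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
# <label> <32-byte client_random as hex> <secret as hex>
LINE_RE = re.compile(r"^(?P<label>[A-Z0-9_]+) (?P<rand>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return ({client_random: {label: secret}}, [rejected lines])."""
    sessions, rejected = defaultdict(dict), []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed by the format
        m = LINE_RE.match(line)
        if not m or m["label"] not in TLS13_LABELS | {TLS12_LABEL}:
            rejected.append(line)
            continue
        secret = m["secret"].lower()
        # TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are the cipher's hash size (32 or 48 bytes).
        ok = len(secret) == 96 if m["label"] == TLS12_LABEL else len(secret) in (64, 96)
        if not ok:
            rejected.append(line)
            continue
        sessions[m["rand"].lower()][m["label"]] = secret
    return dict(sessions), rejected

def forwardable(sessions):
    """Sessions whose secret set lets a passive sensor decrypt them fully."""
    return {r: s for r, s in sessions.items()
            if TLS12_LABEL in s or REQUIRED_13 <= set(s)}

A, B, C = "aa" * 32, "bb" * 32, "cc" * 32  # constructed client_random values
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real session material",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {A} {'11' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {A} {'22' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {A} {'33' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {A} {'44' * 32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {B} {'55' * 32}",  # incomplete TLS 1.3 session
    f"CLIENT_RANDOM {C} {'66' * 48}",                     # TLS 1.2 session
    "SERVER_TRAFFIC_SECRET_0 deadbeef tooshort",          # malformed line
])
```

Session B above is the case operators should alert on: a forwarder that emitted only the client handshake secret leaves that connection opaque to the sensor even though the service is one you control.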

Jesse Rothstein

CTO & Co-founder

Jesse Rothstein is the CTO and co-founder of ExtraHop Networks. Jesse's technical vision and expertise in enterprise networking provide ExtraHop with a competitive edge in the industry. With a world-class team behind him, Jesse is responsible for the technical architecture of the ExtraHop platform as well as the vision for growing the business.
