Gigamon’s ‘Precryption’ to block attacks hiding behind encryption

With promises of unprecedented visibility into encrypted traffic across virtual machine (VM) and container workloads, deep observability company Gigamon has launched a new “Precryption” technology.

Gigamon’s GigaVUE 6.4 will deploy the Precryption technology to enable IT and security teams to conduct encryption-centric threat detection, investigation, and response across the hybrid cloud infrastructure.

“There’s encryption everywhere now, including traffic or lateral movement within all virtualized and containerized environments, which is a good thing because it provides confidentiality for all of our information,” said Michael Dickman, chief product officer at Gigamon. “The danger is that attackers can use encryption to hide their own movement and their own attacks, making it look like just another encrypted traffic flow, and that goes undetected.”

The new Precryption technology will be delivered as part of Gigamon’s existing licenses and charged by usage (e.g., per terabyte).

Gigamon’s Precryption uses eBPF

The new Precryption technology by Gigamon leverages Linux’s extended Berkeley Packet Filter (eBPF) to insert custom observability programs into the workload’s network path and forward the captured traffic to a centralized collection point.

eBPF is a flexible technology in the Linux kernel that allows users to write and load custom programs that run in kernel space. eBPF programs are typically used for network packet filtering, monitoring, and other kernel-level tasks, but their use cases have expanded to many aspects of system observability and control.

Simply put, “Gigamon’s new technology allows network traffic to be inspected by capturing traffic before encryption or after decryption using eBPF,” said Christopher Steffen, vice president of research at EMA. “It doesn’t require encryption keys and doesn’t need to perform resource-intensive decryption.”

“With the new tech, you don’t actually have to manage, track or use keys,” Dickman said. “There’s no computing needed for an additional overlay of secondary decryption because that’s how decryption usually works where you interrupt a traffic stream, and then decrypt it and re-encrypt, which is quite expensive, compute-wise.”
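The approach the two quotes describe, capturing plaintext at the point where an application hands it to the TLS library rather than decrypting packets on the wire, can be seen in a small eBPF script. The following bpftrace program is an added illustration for this article, not Gigamon’s code or part of GigaVUE; it attaches user-space probes to OpenSSL’s SSL_write and SSL_read, so it observes the buffer before encryption (SSL_write entry) and after decryption (SSL_read return) with no access to session keys. The library path and the 48-byte preview length are assumptions for the example.

```bpftrace
#!/usr/bin/env bpftrace
// Added example: observe TLS plaintext at the OpenSSL API boundary with uprobes.
// Assumption: the workload dynamically links OpenSSL 3 at this path; adjust the
// path for your distribution (e.g. libssl.so.1.1). Run as root on the host.

BEGIN
{
    printf("Tracing SSL_write/SSL_read plaintext via uprobes... Ctrl-C to end.\n");
}

// SSL_write(SSL *ssl, const void *buf, int num): at entry the buffer already
// holds the application's plaintext, i.e. before encryption. Remember the
// pointer per thread so the return probe can read it once the call succeeds.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
{
    @wbuf[tid] = arg1;
}

uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_write
/@wbuf[tid]/
{
    if (retval > 0) {
        @tx_bytes[comm, pid] = sum(retval);
        printf("%-16s pid=%-6d TX %5d bytes  %s\n",
               comm, pid, retval, str(@wbuf[tid], 48));
    }
    delete(@wbuf[tid]);
}

// SSL_read(SSL *ssl, void *buf, int num): the buffer is filled only on return,
// i.e. after decryption, so save the pointer at entry and read it in uretprobe.
uprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
{
    @rbuf[tid] = arg1;
}

uretprobe:/usr/lib/x86_64-linux-gnu/libssl.so.3:SSL_read
/@rbuf[tid]/
{
    if (retval > 0) {
        @rx_bytes[comm, pid] = sum(retval);
        printf("%-16s pid=%-6d RX %5d bytes  %s\n",
               comm, pid, retval, str(@rbuf[tid], 48));
    }
    delete(@rbuf[tid]);
}

END
{
    // Drop the scratch maps so only the per-process byte counters are printed.
    clear(@wbuf);
    clear(@rbuf);
}
```

Two practical caveats follow from how the probes attach. Uprobes only fire for calls that go through the shared libssl, so a statically linked binary, a Go program using its own TLS stack, or a non-OpenSSL library needs its own probe points; and because the script reads application memory, it should be deployed with the same access controls you would apply to any tool that can see unencrypted traffic.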

Update receives additional capabilities

The latest GigaVUE release also adds a few capabilities beyond Precryption to support visibility and decryption across a range of environments.

With the new “Cloud SSL decryption” capability, Gigamon looks to extend classic on-premises decryption capabilities to virtual and cloud platforms. “Application Metadata Intelligence” is another capability that allows for the detection of vulnerabilities and suspicious activities across both managed and unmanaged hosts.

Most significant, and integral to Gigamon’s Precryption, is the “Universal Cloud Tap” (UCT) capability: a single executable tap per platform that controls and configures eBPF. “UCT is how we pull out visibility to network data in containers as well as VMs in a very efficient manner,” Dickman said.

Gigamon’s latest capabilities are well received by analysts who deem it long overdue. “So many organizations have network encryption requirements, but many do not have a method of adhering to these requirements of implementing network encryption while retaining the ability to monitor network traffic,” said Chris Steffen, vice president of research at EMA. “Precryption solves this problem, allowing security and network administrators to deliver on encryption controls while maintaining their ability to protect company resources by not losing visibility on their internal and external network traffic.”
