Blue Hexagon Blog

Why We Launched Blue Hexagon for Encrypted Traffic

One of the key tenets of the Blue Hexagon mission is to develop the technologies our customers need to level the playing field against the bad guys. When we were in the early concept phase, we spoke to a number of security leaders and identified several challenges they were grappling with.

These challenges have driven our product strategy and roadmap.

Speed and Volume of Attacks

One of the first challenges our customers brought to us was the speed and volume of attacks they were facing. As an industry, we have been aware for a while that attackers are launching threats at unprecedented speed and volume, using malware variants to bypass existing defenses. The Verizon DBIR 2018 reported that at least 37 percent of malware hashes appear only once. This means most cyber criminals treat malware as single-use, immediately ditching samples once they have seen the light of day in a campaign and replacing them with slightly altered versions in order to evade signature-matching antivirus detection.

This was the original challenge we addressed with our deep learning platform: the ability to be as fast and as accurate as “signatures” in detecting known threats, while also detecting unknown threats without having to wait for a sandbox analysis to complete.

Cloud Migration

The second challenge we tackled was security for the cloud. EVERY enterprise has a cloud strategy, either in process or planned. What we heard from customers was the desire to have a consistent threat protection story on-premises and in the cloud. Key network perimeter defenses such as sandboxes, for example, cannot be deployed in the cloud, because most vendors use cloud-hosted sandboxes themselves.

We were able to address cloud security challenges with the help of our partner AWS. With the Amazon VPC Traffic Mirroring feature, you can send a copy of any VPC traffic to us for inspection. No agents, no re-architecture. Just the same deep learning threat inspection extended to the cloud. Prevention is enabled via AWS services such as SNS, which lets security teams quickly isolate an infected virtual machine.

Encrypted Traffic 

The third common challenge we heard from customers was encrypted traffic. It was probably the top question asked on every sales call. Their concern? Encryption is increasingly used for Internet traffic, which presents serious challenges to threat monitoring and detection.

Many cyberattackers use encrypted communications for cover, knowing that limitations inherent in security products continue to restrict an organization’s ability to inspect encrypted data without seriously impacting network performance. According to test results from NSS Labs, the performance hit for deep packet inspection when encryption is enabled is 60 percent; connection rates dropped by an average of 92 percent and response time increased by a whopping 672 percent. Even more concerning, not all products were able to support the top 30 cipher suites, meaning that some traffic that appeared to be analyzed wasn’t being processed by some of the security devices at all.

Detection of threats in encrypted traffic isn’t new. We’ve had a slew of industry solutions, from inspection of certificates to TLS fingerprinting using JA3/JA3S. The most recent solutions have involved machine learning to identify anomalies in network protocols. The challenge with all these solutions is that they can create false positives and take too long.

These are the issues we address with Blue Hexagon for Encrypted Traffic. We inspect encrypted traffic for threats in real time at high fidelity, so you don’t have to trade off among speed, efficacy, and coverage.

Follow us on @bluehexagonai as we continue our deep learning journey. If you’re looking to refresh your perimeter defenses, replace your sandbox, or secure your AWS workloads, we’re here to help.