Gigamon Metadata Engine detects fake SSL certificates
Jai Balasubramaniyan, Director, Security Product Management, Gigamon

Gigamon has released an update to its Metadata Engine that speeds up the detection of invalid SSL certificates. Cybercriminals are using fake and fraudulent SSL certificates to impersonate a range of companies. These certificates are deployed on fake websites which are used to install malware on users' computers or steal personal data. Detecting fake SSL certificates is not easy, which is why Gigamon has updated its security analytics tools to help.

Jai Balasubramaniyan, Director, Security Product Management, Gigamon said: “Organizations know that their network traffic contains a lot of potential intelligence that can help remediate breaches. Gigamon is revolutionizing big data security analytics by uniquely extracting metadata from this data-in-motion and delivering it at network speeds to security technologies that use it to detect and remediate threats faster.”

How is Gigamon doing this?

The Metadata Engine starts by generating HTTP SSL certificate metadata. That data is then compared to information from SSL certificate exchanges. It looks at a wide range of data from the certificate to detect anomalies. Among the data it looks at are the “...issuing certificate authority, requested and responding domain names, dates of expiry, which ciphers are being used and whether the certificates are self-signed.”

Generating the SSL certificate metadata is just part of the solution. It requires a very significant amount of processing power to check and validate every certificate interaction by users. This is where Gigamon uses its security analytics and Metadata Engine extensions. It combines the certificate metadata it has generated with other data. For example, by using DNS data it can see where a user is being sent to the wrong server or to a Command & Control (C&C) server.
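To make the certificate checks described above concrete, here is an added example (not Gigamon's code, and not a description of how the Metadata Engine is implemented) that extracts the same fields from an X.509 certificate with Go's standard library and flags the anomalies the article names: a self-signed certificate, a certificate outside its validity window, and a certificate that does not cover the domain the client requested. The certificate it inspects is constructed in memory for the example; the function names `ExtractMetadata`, `Anomalies` and `NewTestCert` are assumptions. Note that the negotiated cipher suite lives in the TLS handshake, not in the certificate, so the certificate-level fields recorded here are the signature and public-key algorithms.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CertMetadata holds the certificate fields the article lists as inputs to anomaly detection.
type CertMetadata struct {
	Issuer     string
	Subject    string
	DNSNames   []string
	NotBefore  time.Time
	NotAfter   time.Time
	SigAlg     string // signature algorithm used on the certificate itself
	SelfSigned bool
}

// ExtractMetadata pulls the relevant fields out of a parsed certificate.
func ExtractMetadata(cert *x509.Certificate) CertMetadata {
	// A certificate is self-signed when it names itself as issuer and its own
	// public key verifies the signature over the to-be-signed portion.
	selfSigned := cert.Issuer.String() == cert.Subject.String() &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	return CertMetadata{
		Issuer:     cert.Issuer.String(),
		Subject:    cert.Subject.String(),
		DNSNames:   cert.DNSNames,
		NotBefore:  cert.NotBefore,
		NotAfter:   cert.NotAfter,
		SigAlg:     cert.SignatureAlgorithm.String(),
		SelfSigned: selfSigned,
	}
}

// Anomalies compares the certificate against the host the client asked for and the
// time of observation. It returns one finding per problem; an empty slice means clean.
func Anomalies(cert *x509.Certificate, requestedHost string, now time.Time) []string {
	var findings []string
	md := ExtractMetadata(cert)
	if md.SelfSigned {
		findings = append(findings, "self-signed certificate (issuer == subject)")
	}
	if now.Before(md.NotBefore) || now.After(md.NotAfter) {
		findings = append(findings, fmt.Sprintf("outside validity window %s .. %s",
			md.NotBefore.Format(time.RFC3339), md.NotAfter.Format(time.RFC3339)))
	}
	// Requested domain vs. the names the certificate actually covers (CN/SAN rules).
	if err := cert.VerifyHostname(requestedHost); err != nil {
		findings = append(findings, "requested host not covered: "+requestedHost)
	}
	return findings
}

// NewTestCert builds a constructed, self-signed certificate in memory so the
// example runs offline. It stands in for a certificate captured from traffic.
func NewTestCert(cn string, dnsNames []string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Constructed Example"}},
		DNSNames:              dnsNames,
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	// Template used as its own parent => self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	cert, err := NewTestCert("login.example.com", []string{"login.example.com"},
		now.Add(-24*time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Printf("metadata: %+v\n", ExtractMetadata(cert))
	// The client asked for a different domain than the certificate covers.
	for _, f := range Anomalies(cert, "bank.example.org", now) {
		fmt.Println("finding:", f)
	}
}
```

In a real deployment the certificate bytes would come from the ServerHello/Certificate message observed on the wire, and the requested host from the client's SNI or HTTP Host header; pairing those two values is what turns raw certificate fields into the "requested and responding domain names" comparison the article describes.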

Conclusion

This is not just about detecting fake sites. There is a lot of data being exfiltrated from organisations hidden inside SSL traffic. It takes a lot of processing power to look inside SSL traffic to detect data being stolen. Combining traffic volume with SSL certificate validation should help refine the analytics to detect breaches.

The use of security analytics is improving rapidly. A few years ago it was more marketing hype than a production-quality solution. The ability to now take so much different data and combine it to detect anomalies is good news for companies. However, it should not be seen as the final solution. As fast as vendors and their customers are adopting analytics to detect attacks, the bad guys are using them to create workarounds.
