Tuesday, December 18, 2018

More Encrypted Traffic Than Ever - Fortinet Certifications


As organizations invite more mobile and IoT devices into their networks and adopt increasingly complex multi-cloud architectures, data and workflows are no longer confined to a static and highly secured segment of the network. Web and application-based traffic comprise a higher volume of total traffic, with much of that traffic including sensitive data or accessing information that was traditionally hidden deep in the data center. To accommodate this change, organizations are increasing their reliance on encryption, primarily secure sockets layer (SSL) and transport layer security (TLS), to protect their data in motion.

More encrypted traffic than ever


As a result, encrypted traffic has hit a new all-time threshold of over 72 percent of all network traffic. That’s a nearly 20 percent increase in just a single year, up from 55 percent in Q3 of 2017. There are many benefits to this strategy, the most important of which is that it allows data, applications, workflows, and transactions initiated by both employees and consumers to travel wherever business requirements demand. In turn, this enables our global transition to a digital economy.

While in many ways the growth of encryption is a good thing for security, higher encryption rates also present severe challenges to deep inspection of traffic to monitor for and detect threats. Because encryption is merely a tool, it can be used to protect any traffic from detection, whether good or malicious. Cybercriminals, for example, are very aware of the growth of encryption and use it to their advantage to obscure their presence and evade detection, whether delivering malware or exfiltrating stolen data. And as the volume and percentage of encrypted data continue to grow, these criminal tactics are increasingly likely to be able to hide in plain sight.

Few security devices can keep up


One reason why this is a growing concern and is about to hit a critical threshold is that inspecting encrypted traffic imposes critical performance limitations on nearly all firewall and IPS devices available on the market today. Generally speaking, examining encrypted traffic puts an enormous strain on a security device. Using ciphers to decrypt and inspect SSL/TLS traffic correctly is extremely CPU-intensive. 

According to recent test results from NSS Labs, very few security devices can inspect encrypted data without severely impacting network performance. On average, the performance hit for deep packet inspection is 60 percent, connection rates dropped by an average of 92 percent and response time increased by a whopping 672 percent. Even more concerning, not all products were able to support the top 30 cipher suites either, meaning that some traffic that appeared to be analyzed wasn't being processed by some of the security devices at all.

Of course, these types of results render most traditional security devices nearly useless in today’s networks where encryption is the norm and performance is critical. It’s also why most security vendors literally don’t publish their SSL/TLS inspection numbers and why salespeople tend to avoid the issue when it comes up. As a result, much of today’s encrypted traffic is not being analyzed for malicious activity—making it an ideal mechanism for criminals to spread malware or exfiltrate data.

At the same time, enterprises should be concerned if they are not decrypting and inspecting SSL traffic, not just from untrusted sources but also from devices, especially IoT devices, that have been intentionally deployed inside the network.

Addressing the challenge


Here are a handful of suggestions to help organizations address this growing security concern:

Practice good security hygiene – Nearly every list of recommendations should start here. The reality is that most problems encountered in today's networks are the result of a failure to patch, upgrade or replace vulnerable devices, to check configurations for errors and to harden things like ports to prevent easy exploitation.




Tuesday, December 11, 2018

Cybersecurity Skills Report: Data Shows What CISOs Look for In Security Architects


A New Study on the Security Architect Recruiting Process


The role of Security Architect, who is tasked with building security infrastructures that not only respond to but can also anticipate threats, has traditionally drawn applicants who demonstrate hard, tactical skillsets. However, CISOs are increasingly focusing on candidates who share a balanced mix of hard and soft skills, as indicated by a recent Fortinet study.

Cybersecurity is an extremely competitive field due to the cyberskills shortage, an issue that goes beyond a lack of incoming talent and also encompasses those in the field without the skills necessary to meet today’s specific needs. To this end, the Security Architect Skill Gap Report illuminates the information needed to minimize the impact of this skills shortage. This is done by providing CISOs with the data and context needed to hone their recruiting process for Security Architects while demonstrating how applicants must adapt to evolving business requirements.

The Skills CISOs Are Looking for In Security Architects


As CISOs aim to build out their security teams with professionals who can combat modern cyberattacks and secure their digital transformation efforts, they seek a variety of hard and soft skills that highlight strategy and analysis in addition to traditional design and configuration abilities. While these requirements may vary across organizations based on specific needs, there are a few trends worth noting.

Hard Skillsets


CISOs require candidates to be proficient in risk management and security standards, and to understand business goals and how they will translate into security practices. These types of skills were mentioned more often in Security Architect job ads than tactical abilities such as encryption, firewalls, or security controls.

This is indicative of the need to focus on security in conjunction with business enablement. However, this does not mean that CISOs have stopped looking for technical skills and experience with specific systems altogether.

The top hard skillsets that organizations are looking for in Security Architect applicants include:

· Security Architecture
· Risk Management
· Integration
· Security Standards
· Encryption
· Firewalls
· Security Controls

Soft Skillsets


As security teams play a greater role in business enablement, CISOs also seek candidates with demonstrated abilities in the soft skillsets necessary to collaborate and strategize across lines of business. The data shows that the soft skills referenced in Security Architect job ads and responding resumes typically fall into four categories:

· Analytical: Analysis, research, and problem solving
· Leadership: Planning, mentoring, leading
· Personal Characteristics: Integrity, focus
· Communication / Interpersonal: Interpersonal, collaboration, communications

The data indicates that CISOs are now looking for candidates who are comfortable shifting between strategic and tactical tasks. For example, a candidate may need to prepare for or respond to a security incident without ignoring important ongoing strategic tasks such as conducting risk assessments or defining secure approaches for cloud adoption.




Sunday, December 2, 2018

Over 50 Fortinet Security Fabric Solutions Earn the U.S. Department of Defense’s Endorsement for Its Approved Product List Certification


Bob Fortna, President of Fortinet Federal Inc.

“Achieving DoDIN APL certification for additional solutions within the Fortinet Security Fabric platform is important for us because it demonstrates our commitment to stringent testing and validation guidelines specifically for the Department of Defense. DoD agencies require the most comprehensive cybersecurity solutions available to scale for their complex and mission critical requirements, while maintaining high-performance.”

Manish Chadha, President and CEO, Federal Defense Solutions


“Fortinet serves both classified and unclassified federal systems and is used by all 15 cabinet-level agencies and numerous independent agencies. Gaining DoDIN certification provides authorized sales channels into DoD agencies including the Army, Navy, Marines, Air Force and more, serving up more opportunities for us based on Fortinet's Security Fabric solutions that have passed vigorous DoD compliance testing.”

News Summary


Fortinet® (NASDAQ: FTNT), a global leader in broad, integrated and automated cybersecurity solutions, today announced that over 50 additional Fortinet Security Fabric solutions have achieved Department of Defense Information Network (DoDIN) Approved Products List (APL) certification.

The certification qualifies designated Fortinet products for sale to Department of Defense (DoD) agencies based on stringent Security Technical Implementation Guide (STIG) testing, a standardized methodology for the secure installation and maintenance of computer software and hardware.

The addition of these products to the APL means that the DoD can choose from a wider range of Fortinet’s industry-leading Security Fabric solutions when seeking new technology to address its unique and demanding cybersecurity needs.

Fortinet’s U.S. Federal Agency security solution is ideally suited to protect agencies within the intelligence community and the Department of Defense, as well as civilian agencies. The Fortinet Security Fabric protects classified and unclassified Federal systems used by all of the 15 cabinet-level agencies and by numerous independent executive agencies. These platforms make use of our USG products that are specially configured for the Federal market. They comply with Federal certification requirements including the National Institute of Standards and Technology FIPS 140-2 certification, National Information Assurance Partnership Common Criteria certification, and the Commercial Solutions for Classified certification.

Fortinet products that have received DoDIN APL certification include the following: FortiGate Firewalls (30D, 30D-POE, 50E, 51E, 52E, 60D, 60E, 60E-POE, 61E, 80D, 80E, 81E, 81E-POE, 90D, 90D-POE, 92D, 92D-POE, 100D, 100E, 100EF, 101E, 200D, 200E, 201E, 240D, 240D-POE, 300D, 400D, 500D, 600D, 800D, 900D, 1000D, 1200D, 1500D, 2000E, 2500E, 3000D, 3100D, 3200D, 3700D, 3810D, 3815D, 5001D), FortiGate-VM, FortiGate Rugged (60D, 90D), and FortiWifi (30D, 50E, 51E, 60D, 60E, 61E, 90D, 90D-POE).

To achieve DoDIN APL certification, all approved Fortinet products were tested against applicable Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs). This includes the following: Unified Capabilities Requirements 2013 (UCR 2013) Change 2, Application Layer Gateway (ALG) SRG v1r2, Firewall STIG v8r25, Intrusion Detection and Prevention Systems (IDPS) SRG v2r3, IPSec VPN Gateway STIG v1r15, Network Device Management SRG v2r13, Network Infrastructure Policy STIG v9r5, Remote Access VPN v2r7, Web Server SRG v2r2.