I wonder what the best practice is in order to identify threats via the Anti-Spyware function. Most connections today are encrypted, so using the Anti-Spyware function without SSL/TLS decryption does not seem to be a big security improvement.
So the following questions come to mind:
- is activation of SSL/TLS encryption the only way?
- how will TLS 1.3 with cert pinning behave?
- is there a way to mirror encrypted (web) traffic in order to decrypt it and test this function?
Best practice would still be to apply the profile to capture as much as you possibly can, even if you aren't decrypting traffic. You'll still capture the unencrypted traffic, and not all payload is delivered over encrypted connections (although the vast majority of it is, which is why you really should be decrypting traffic).
Websites and services that utilize certificate pinning will require decryption exceptions. The good thing about this is that you're going to be building the exceptions, so if someone is trying to hide behind certificate pinning, a good decryption profile will prevent users from navigating to the site unless an exception has been made.
As to your mirroring question, you can of course mirror the traffic and offload it; however, you aren't going to be able to decrypt that traffic after the fact. The best way to test something like this would be to put together a profile that simply has everything set to 'alert' so identified traffic isn't actioned.
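The following script is an added example, not code from the original poster or from Palo Alto Networks. It illustrates the certificate-pinning point in the question and the answer above: a pinning client stores a hash of the origin server's SubjectPublicKeyInfo and compares it against whatever leaf certificate is presented. A decrypting firewall must present a leaf it signed with its own key, so the SPKI hash changes and the pinned client aborts the connection even though the firewall's forward-trust CA is in the OS trust store. Everything here is constructed locally: the CA names, the hostname `pinned.example`, and all keys are generated on the fly, and the only assumption is that the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post): simulate SPKI pinning and show why a
# decrypting firewall's re-signed leaf certificate fails the pin.
# Assumes `openssl` is available. All CAs, keys and the hostname are constructed here.
set -e

WORK=$(mktemp -d)

# Base64(SHA-256(DER SubjectPublicKeyInfo)) of the PEM certificate in $1.
# This is the value a pinning client stores (RFC 7469 style pin-sha256).
spki_pin() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Create a self-signed CA: $1 = CN, $2 = output basename (writes $2.key and $2.crt).
make_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.crt" \
        -subj "/CN=$1" -days 1 2>/dev/null
}

# Issue a leaf certificate for CN $1, signed by CA key $2 / CA cert $3,
# output basename $4 (writes $4.key, $4.csr, $4.crt).
# A fresh leaf key is generated on every call, so two leaves for the same
# hostname have different SPKIs, exactly what happens when a firewall re-signs.
issue_leaf() {
    cn=$1; cakey=$2; cacert=$3; out=$4
    openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out.csr" \
        -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -in "$out.csr" -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
        -out "$out.crt" -days 1 2>/dev/null
}

# Client-side pin check: succeeds only when the presented leaf's SPKI matches the pin.
# A pinning client does this in addition to (not instead of) normal chain validation.
check_pin() {
    presented=$1; expected=$2
    [ "$(spki_pin "$presented")" = "$expected" ]
}

# 1. Origin chain: what the site operator deployed and what the app pins.
make_ca "Origin Public CA" "$WORK/origin-ca"
issue_leaf "pinned.example" "$WORK/origin-ca.key" "$WORK/origin-ca.crt" "$WORK/origin-leaf"
PIN=$(spki_pin "$WORK/origin-leaf.crt")

# 2. Decrypting firewall: its forward-trust CA is trusted by the OS store, but it
#    must forge a new leaf for pinned.example with a key it controls.
make_ca "Firewall Forward Trust CA" "$WORK/fw-ca"
issue_leaf "pinned.example" "$WORK/fw-ca.key" "$WORK/fw-ca.crt" "$WORK/fw-leaf"

# 3. Direct connection passes the pin; the decrypted path fails it, so the client
#    refuses the session and the site needs a decryption exception to work.
if check_pin "$WORK/origin-leaf.crt" "$PIN"; then
    echo "direct to origin: pin OK"
fi
if ! check_pin "$WORK/fw-leaf.crt" "$PIN"; then
    echo "via decrypting firewall: pin MISMATCH, pinning client aborts the handshake"
fi
```

Run it as `sh pin-check.sh`; the two echo lines show the outcome for each path. The same `spki_pin` function, pointed at a certificate saved from a real client connection, is a quick way to confirm whether a given site is being decrypted (the pin of the presented leaf changes) before deciding whether it needs an exception.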