What ist the benefit of IPS, Zero-Day Protection, ATP and web filtering without deep packet inspection on TLS sessions

Question

stupid question, I know, but honestly: what is the benefit of the Xstream protection when you decide not to break TLS sessions at all (besides mail filtering)? 
 Will someone earn any higher protection level with all these features activated without breaking TLS in comparison to a base licence? 
 I am asking because when I look around (ca. 100 and more customers, even at enterprise level), nobodoy, really nobody does TLS decryption in any case but for testing purposes. There are a lot of reasons against: privacy breach (admins may read passwords of users in clear text) and simply because many things won't work anymore because lots of (web) applications rely just on working https connections. Things get more and more complicated. 
 So on one hand every manufactor praises zero-trust, xstream, total protection, 360 degree of comfort or whatever term came to your mind, but what does it help in reality when you are able only to inspect unsecured connections? How much do you raise your security level? In percentage maybe: 5, 10, 25 or even 42%? 
 I can read and read whitepapers and watch demos: It will not get to my mind, what is the purpose of buying all these features, when nobody make use of it? 
 Some help and clarification would be really appreciated.

Michael Dunn · Accepted Answer

I tried to address some of those questions in the FAQ that LuCar linked to. 
 I am on the dev team and I deal with escalations, so I know know the sales side and what average customers do. However I know a reasonable percentage of our customers do HTTPS decryption because I see it if I need to go onto their boxes. I don't know how many, but a good portion. The most common reason I hear about for not decrypting is the able to deploy the Certificate Authority to BYOD devices. Compatibility with sites mostly works out of the box and really is just a pain for the first week as people get things up and running. 
 As to your original question please understand this is only my off-the-cuff opinion. If you do not do HTTPS scanning: - website blocking due to category or domain name fully works, including known malware sites (5% worse) - antivirus scanning is only HTTP (90% worse) - zero day protection is only HTTP (90% worse) - ATP (Advanced Threat Protection) of callhomes is lower but still good (25% worse) - IPS and App control is lower but still good (25% worse) 
 If you were asking specifically about whether you should buy a bigger license (eg with Zero Day Protection) remember that even though you've lowered the usefulness in web by not doing decryption, you still get it for email.

Vivek Jagad · Answer

Hello Dr No ,
Thank you for reaching out to the community, With intrusion prevention, you can examine network traffic for anomalies to prevent DoS and other spoofing attacks. Using policies, you can define rules that specify an action to take when traffic matches signature criteria. In addition to blocking risky files, zero-day protection also provides detailed reports of the analysis performed to help you understand the risk. Advanced threat protection analyzes incoming and outgoing network traffic for threats. Using ATP, you can quickly detect compromised clients in your network and log or drop the traffic from those devices. Further more we recommend a read - the new DPI Engine for web proxy explained. Additionally you can refer the License bundles are available for XGS and XG Series firewalls.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.

What ist the benefit of IPS, Zero-Day Protection, ATP and web filtering without deep packet inspection on TLS sessions

Top Replies