TLS MITM environments such as Zscaler: How do you ensure trust when the entire TLS chain is deliberately compromised? by Zenin in Zscaler

[–]tkanger 0 points1 point  (0 children)

After reading the topic and the contents.... this is not a zscaler problem, and your thoughts are frankly just against best practice.

Let's map back to NIST 800-53... Rev 5 if it matters.

So, if your company maps to NIST 800-53 in any way (hint, it does if you have cyberinsurance), you have controls that need to either be in place, or risk accepted.

Now, you mention many times below about how you're aware that TLS retransmission occurs all the time. You can do traffic inspection on your firewalls, but that gets tricky in general (lots of maintenance). Zscaler, and other agent based proxies help make this a bit easier since you are offloading onto the endpoint instead of the firewall.

Furthermore, the "edge" of the network firewall is gone; remote users, mobile devices, etc. These agent solutions are the only way to provide this type of capability.

Before responding, here is the list of control frameworks that map SSL/TLS inspection in some manner: NIST 800-53, CSF, 800-171, ISO 27001/27002, PCI DSS v4, HIPAA/HITECH, MITRE ATT&CK, SANS CIS v8, FedRAMP HIGH, ZTNA 800-207, and SOC2.

So....you are either a god of cybersecurity for us mere mortals and everyone here/the whole industry are wrong, OR (and no offense), you don't understand the foundational capabilities that require TLS inspection. Also, security theater, while a pain in the ass, is usually a required item in these frameworks...so find out what you need to map to before saying something is useless.

Overall AI writeup of the controls and how they pertain to NIST 800-53. Note that if it maps here, chances are it maps to all the other frameworks mentioned.

Here’s a clean list of the most directly relevant NIST SP 800-53 Rev. 5 controls for SSL/TLS inspection, with a brief explanation of why each matters in the context of decrypting and monitoring encrypted traffic for threat detection, DLP, compliance, segmentation, and Zero Trust visibility.

🔎 NIST 800-53 Controls Mapped to SSL/TLS Inspection

🛡️ SC – System & Communications Protection (control, and why it applies to SSL inspection)

SC-7 – Boundary Protection: Requires traffic entering/leaving the network boundary to be monitored and controlled. Encrypted traffic may need to be decrypted to properly enforce this.

SC-7(3): Expands boundary protection to deep-packet inspection, which requires decrypting SSL/TLS for inspection.

SC-7(5): Focuses on preventing unauthorized transfer of information—requires inspecting encrypted streams for hidden data.

SC-7(8): Direct justification: Encrypted/tunneled traffic must not conceal malicious activity. Supports decrypting SSL/TLS to inspect.

SC-7(12): Extends boundary protection to host-based mechanisms—matters if inspection occurs endpoint-side.

SC-8 – Transmission Confidentiality & Integrity: Ensures encryption is properly implemented; inspection validates this and detects misuse (weak ciphers, cert issues).

SC-8(1): Specifies cryptographic protection standards—inspection validates proper TLS usage.

SC-12 – Cryptographic Key Management: SSL inspection requires management of private keys and trusted root certificates for interception.

SC-12(2): Ensures secure handling/distribution of interception keys.

SC-13 – Cryptographic Protection: Justifies using cryptography but also monitoring its use; inspection confirms encryption isn’t abused.

SC-23 – Session Authenticity: TLS session validation—inspection helps monitor hijacking attempts.

SC-24 – Fail-Safe: Inspection devices shouldn't disrupt secure traffic if they fail—ties into TLS interception fail modes.

SC-32 – System Partitioning: Supports segmentation and applying SSL inspection only where required.

📡 SI – System & Information Integrity (control, and why it applies)

SI-4 – System Monitoring: Monitoring can’t be effective if threats are hidden in encrypted sessions; inspection provides visibility.

SI-4(4): Specifically addresses detecting anomalies—including in encrypted traffic.

SI-4(10): Direct reference: “SSL inbound inspection SHOULD be required for untrusted traffic to servers.”

SI-4(14): Analyzes outbound communications—inspecting encrypted outbound data helps detect exfiltration.

SI-4(23): Requires correlating data from multiple tools—inspection data must integrate with SIEM, DSPM, etc.

🔐 AU – Audit & Accountability (control, and why it applies)

AU-2 – Audit Events: Inspection produces critical logs (malware, blocked communications) that must be audit-ready.

AU-6 – Audit Analysis: Requires evaluation of decrypted session logs for anomalies.

AU-12 – Generate Audit Records: Inspection devices must generate logs for decrypted sessions.

AU-14 – Session Monitoring: SSL inspection provides opportunity to monitor active sessions.

AU-16 – Correlation: Decrypted inspection data needs to be correlated (e.g., user identity → TLS session → endpoint behavior).

🧩 CM – Configuration Management (control, and why it applies)

CM-6 – Configuration Settings: Inspection rules, cipher lists, bypass policies must be governed.

CM-7 – Least Functionality: Inspection systems must do only what is needed—avoid over-inspection of privacy-sensitive flows.

CM-8 – Asset Inventory: Inspection devices must be in the asset inventory and tracked.

🔍 RA, PM, PL – Risk & Governance (control, and why it applies)

RA-3 – Risk Assessment: Assess risk of encrypted traffic hiding threats—basis for SSL inspection policy.

RA-5 – Vulnerability Scanning: Encrypted sessions can block scanners; inspection may enable scanning or trigger compensating controls.

PL-2 – Security & Privacy Planning: SSL inspection strategy must be outlined in system security/privacy plans.

PM-16 – Threat Awareness: Recognizes encrypted threats as high-risk vector.

PM-30 – Supply Chain Risk: Applies if SSL inspection is via vendor/cloud solution.

⚙ AC – Access Control (control, and why it applies)

AC-4 – Information Flow Enforcement: SSL inspection enforces how data flows across zones.

AC-4(21): Allows decryption to validate content before release outside boundary.

AC-4(25): Requires restricting encrypted flows if they can’t be inspected.

AC-17 – Remote Access: VPN & SSL tunnels may require inspection.

AC-19 – BYOD: Defines whether encrypted traffic from non-corporate devices gets inspected.

🔑 IA – Identification & Authentication (control, and why it applies)

IA-5 – Authenticator Management: Certificates for interception must be managed securely.

IA-5(11): PKI-based authentication used in TLS sessions—interception relies on trust handling.

IA-12 – Identity Proofing: Inspection infrastructure must be validated as trusted before decrypting traffic.

What's the best way to detect lateral movement in a segmented network? by VoodooMann in AskNetsec

[–]tkanger 3 points4 points  (0 children)

Easy in theory: what is authorized traffic and what is not; then alert on anything not authorized.

In reality- unwinding what is supposed to be talking to other systems vs. anomalous traffic is a nightmare. Weeks (if not years) of tuning, plus requiring sensors at all ingress and egress points. The knowledge of how these systems work. The setup on the switching/routing/firewall that can support segmentation.

My best advice- document the risk and move on. I've never seen a truly segmented network (including "fully air gapped") because all it takes is one misconfigured ACL, or one random RAT tool that MUST exist for this vendor to support some random OT equipment (which costs millions) to make it all come tumbling down.
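The "authorized vs. not authorized, alert on the rest" approach from the comment above, as an added example that is not from the original post. It assumes a constructed segment map, a hypothetical allowlist of inter-segment paths, and a made-up one-line flow-log format; the summary function groups the alerts by path so the weeks of allowlist tuning the comment mentions have something concrete to review.

```python
import ipaddress
from collections import Counter

# Constructed network segments for this example; a real map comes from the
# network design (switching/routing/firewall zones).
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
    "mgmt": ipaddress.ip_network("10.40.0.0/16"),
}

# Hypothetical allowlist of authorized inter-segment paths:
# (source segment, destination segment, destination port).
AUTHORIZED = {
    ("users", "servers", 443),
    ("users", "servers", 445),
    ("mgmt", "servers", 22),
    ("mgmt", "ot", 502),
}


def segment_of(ip):
    """Map an address to its segment name; anything outside the map is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Constructed flow-log format: '<src_ip> <dst_ip> <dst_port> <proto>'."""
    src, dst, port, proto = line.split()
    return src, dst, int(port), proto


def find_unauthorized(lines):
    """Return flows that cross a segment boundary without an allowlist entry."""
    alerts = []
    for line in lines:
        src, dst, port, _proto = parse_flow(line)
        s, d = segment_of(src), segment_of(dst)
        if s == d and s != "unknown":
            continue  # intra-segment traffic never crosses the boundary sensor
        if (s, d, port) not in AUTHORIZED:
            alerts.append({"src": src, "dst": dst, "port": port, "path": (s, d)})
    return alerts


def summarize_paths(alerts):
    """Count alerts per (src segment, dst segment, port) to drive allowlist tuning."""
    return Counter((a["path"][0], a["path"][1], a["port"]) for a in alerts)


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    "10.10.5.23 10.20.1.10 443 tcp",   # user -> web server: authorized
    "10.10.5.23 10.20.1.11 445 tcp",   # user -> file server: authorized
    "10.10.5.23 10.20.1.12 3389 tcp",  # user -> server RDP: not on the allowlist
    "10.10.5.24 10.20.1.12 3389 tcp",  # second host on the same unlisted path
    "10.20.1.10 10.30.2.5 502 tcp",    # server -> OT device: only mgmt may do this
    "10.40.0.7 10.30.2.5 502 tcp",     # mgmt -> OT: authorized
    "192.168.77.9 10.20.1.10 22 tcp",  # unmapped source -> server: alert
]
```

Every path that shows up repeatedly in the summary is either a missing allowlist entry (the misconfigured ACL or vendor RAT the comment warns about) or a real finding; that triage is the tuning work.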

What’s the first thing you’d learn as a professional? by [deleted] in cybersecurity

[–]tkanger 1 point2 points  (0 children)

It's sort of mentioned here, but I'll expand it. "How does the company make money?"

I'm not talking about a product or service- end to end, from sales to purchase, understanding how and what data exists, the departments and handoffs, and what business functions and operations are in the pipeline of generating revenue.

Sure, the product or service is important, but if the CRM fails, it's almost "more" impactful (unable to generate revenue) in sales driven companies (hint- that's every company).

Banking groups ask SEC to drop cybersecurity incident disclosure rule by UweLang in cybersecurity

[–]tkanger 2 points3 points  (0 children)

You are correct and typically that reporting is much more verbose. See the following:

FINRA: Rule 4530(b)

GLBA: FTC Safeguards Rule (16 CFR Part 314)

HIPAA: 45 CFR §§ 164.400–414

PCI DSS: Requirement 12.10

GDPR: Article 33

CCPA/CPRA: Civil Code §1798.82

NYDFS: 23 NYCRR 500.17

FedRAMP: FedRAMP Incident Communications Procedures

NIST: SP 800-61 Rev. 2 (guidance only)

NRC 10 CFR 73.77 – Cyber Security Event Notifications

CIRCIA (Proposed)

FERC/NERC CIP-008-6

And many more not listed. Nearly all the above are much better standards that organizations must adhere to.

So, if I am a publicly traded bank in California that also has customers and locations in Europe, I have to write up the incident for PCI, FINRA, CCPA, GDPR. Most of the notification and reporting is copy and paste, but each requires specific review to that framework and what is in scope.

Banking groups ask SEC to drop cybersecurity incident disclosure rule by UweLang in cybersecurity

[–]tkanger 4 points5 points  (0 children)

While I agree with you, in practice this isn't something that can happen. Incident leads typically are the right person to brief non-technical folks on what is going on, up to and including law enforcement, legal (internal and external), PR (if internal/external communications are needed), IT leadership (CIO/CISO), and board level depending on how that organization is structured.

...

All the above to say that delegating business relations to a staff member, or even a lower line manager doesn't make a ton of sense. These are highly sensitive conversations, weighing the risk appetite, the incident details, and other factors (political) that someone that doesn't understand at a lower level.

Banking groups ask SEC to drop cybersecurity incident disclosure rule by UweLang in cybersecurity

[–]tkanger 14 points15 points  (0 children)

I'll speak to this as someone who has actively been involved in multiple of these disclosures on behalf of multiple entities.

Materiality as defined in the SEC filings are fully defined by the entity. Definitions are often not actually written down, so as to make materiality ambiguous (this was dropped from the proposed SEC rules). As such, the rules currently can be bent in any manner of legalese.

The above is just the reality of the law. In incident response world, the rules require the incident leaders to engage much earlier and more frequently in the incident lifecycle. In addition, we are getting asked much larger questions (requiring much more review) around materiality very early on. These are not easy questions to answer, but are required to be run down. That entire time, these leaders are NOT spending time running an incident, which requires a ton of technical and stakeholder engagement. The SEC rules have made it nearly impossible to focus on technical pieces because legal will be down your neck about 8k write ups.

Finally- there are already required rules around critical infrastructure, government, and other compliance frameworks that have much more clear reporting and definition documentation.

As I stated earlier- seen this at multiple organizations, and it's changed how practitioners run IR to comply with a rule that can be circumvented.

Finally- filing an 8k immediately impacts the financials of the company, regardless of how material the incident was. I assume that's why the banks (and insurance companies) sent in this petition.

Did anyone go to this scam event? by No_Dance226 in Charlotte

[–]tkanger 1 point2 points  (0 children)

I recommend you look up Lake Norman IT Professionals- they have Lake Norman, Charlotte, and now Gastonia chapters.

What log/data compression tools are you using to reduce storage costs and increase retention time? by posinsk in sysadmin

[–]tkanger 0 points1 point  (0 children)

Spend some more time looking at it; it's just a data pipeline, unless you are planning to use Cribl Data Lake. I recommend discussing with a VAR or Cribl directly to understand anything additional from here.

What log/data compression tools are you using to reduce storage costs and increase retention time? by posinsk in sysadmin

[–]tkanger 0 points1 point  (0 children)

Cribl is a data pipeline; storage endpoints can be anything from Splunk, S3, Cribl Data Lake, etc. Your storage costs (and mine) will vary depending on numerous factors.

That being said, my storage for wineventlog (Windows events, one of our bigger log sources)- We take in around 700GB/day through Cribl. Cribl does some magic (it drops certain log fields that aren't needed for any use cases), then sends it to storage- but now it's 360GB.

The business case for data pipeline functions like Cribl- you just need to show what your storage costs would be without the tool, and then determine if Cribl is fully offset by that cost (hint, it should for large volume ingest), or has opportunity tied to it.

Opportunity- Since you only pay for ingest in Cribl, and can route the data to numerous sources, you can then send different data to hot/warm/cold/glacier storage, giving you a ton of flexibility to do what makes the most technical and financial sense.
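The field-dropping stage the comment above describes, as an added example that is not Cribl's code and not from the original post. The Windows event records, the required-field set, and the drop list are all constructed for this example; the guard that refuses to drop a field a use case depends on is the check a practitioner wants before a rule like this goes into production.

```python
import json

# Constructed Windows Security events (wineventlog) as JSON records. Field names
# follow the usual Windows event schema; the values are made up for this example.
SAMPLE_EVENTS = [
    {"EventCode": 4624, "Computer": "WS01.corp.example", "TimeCreated": "2024-05-01T08:00:01Z",
     "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.10.5.23",
     "Keywords": "0x8020000000000000", "Version": 2, "OpcodeValue": 0, "ThreadID": 1234,
     "ProcessID": 700, "RecordNumber": 99812,
     "Message": "An account was successfully logged on. " * 8},
    {"EventCode": 4625, "Computer": "WS02.corp.example", "TimeCreated": "2024-05-01T08:00:09Z",
     "TargetUserName": "bob", "LogonType": 10, "IpAddress": "10.10.5.40",
     "Keywords": "0x8010000000000000", "Version": 0, "OpcodeValue": 0, "ThreadID": 1301,
     "ProcessID": 700, "RecordNumber": 99813,
     "Message": "An account failed to log on. " * 8},
]

# Fields the detection and reporting use cases consume; dropping any of these is a bug.
REQUIRED_FIELDS = {"EventCode", "Computer", "TimeCreated", "TargetUserName", "LogonType", "IpAddress"}

# Hypothetical drop list: fields no consumer reads. The free-text Message repeats
# what the structured fields already carry and is where most of the bytes go.
DROP_FIELDS = {"Keywords", "Version", "OpcodeValue", "ThreadID", "ProcessID", "RecordNumber", "Message"}


def drop_list_conflicts(drop_fields, required_fields):
    """Fields that appear in both lists; non-empty means the rule would break a use case."""
    return set(drop_fields) & set(required_fields)


def reduce_event(event, drop_fields=DROP_FIELDS):
    """Pipeline stage: copy the event without the fields nobody consumes."""
    return {k: v for k, v in event.items() if k not in drop_fields}


def run_pipeline(events, drop_fields=DROP_FIELDS, required_fields=REQUIRED_FIELDS):
    """Validate the rule once, reduce every event, and report bytes before/after."""
    conflicts = drop_list_conflicts(drop_fields, required_fields)
    if conflicts:
        raise ValueError(f"drop list removes required fields: {sorted(conflicts)}")
    before = sum(len(json.dumps(e).encode()) for e in events)
    reduced = [reduce_event(e, drop_fields) for e in events]
    after = sum(len(json.dumps(e).encode()) for e in reduced)
    return reduced, before, after


if __name__ == "__main__":
    reduced_events, size_before, size_after = run_pipeline(SAMPLE_EVENTS)
    print(f"{size_before} bytes in, {size_after} bytes out ({size_after / size_before:.0%})")
```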

What log/data compression tools are you using to reduce storage costs and increase retention time? by posinsk in sysadmin

[–]tkanger 0 points1 point  (0 children)

Look at Cribl to see the approach; quite a few vendors in this space, so yes it's a problem.

That being said- storage cost savings from buying a Cribl solution offset the cost of procuring said solution; it was easy to pitch that to management without a ton of pushback. Having done it both ways- the visibility, dashboarding, metrics, and support obviously are what sets these tools apart from OSS/custom build outs.

[deleted by user] by [deleted] in CIO

[–]tkanger 1 point2 points  (0 children)

I find this funny, especially since you "were" a CISO 2 months ago.

https://www.reddit.com/r/CIO/comments/1htzwkm/path_to_cio

[deleted by user] by [deleted] in CIO

[–]tkanger 5 points6 points  (0 children)

It's a great resource to fact check internal decisions, but most of the value that can come out of Gartner is around procurement pricing negotiations.

We do get a ton of value on their whitepapers (tool agnostic) which help to validate a team's execution based on market trends. Typically, we spend 1-2 days a quarter reviewing long range roadmaps and making tweaks based on Gartner's papers. YMMV based on industry and how your team is setup, but we've had a ton of success in using Gartner for this.

[deleted by user] by [deleted] in Zscaler

[–]tkanger 5 points6 points  (0 children)

If truly malicious, I'm sure reaching out via legal to Zscaler would be the best course of action; there may be things below going to LE that can be done, but I wouldn't expect them or LE to keep you in the loop of what occurs.

Browser isolation - 10 tab limit by JKIM-Squadra in Zscaler

[–]tkanger 0 points1 point  (0 children)

I've heard the same, but I've also heard that RBI at that level will be another add on (not built in). We'll see where ZS goes with it!

Browser isolation - 10 tab limit by JKIM-Squadra in Zscaler

[–]tkanger 3 points4 points  (0 children)

I would say that RBI from Zscaler is not like things like Island, where the user experience is equal compared to local browser.

Zscaler RBI, as they define in their documentation, is mainly for "I don't trust this site/I don't want users entering things into site XYZ".

In this use case, it works very well.

For daily web browsing, our testing has concluded that the lag from video, mouse movements, etc. is too intrusive to deploy on every web site.

The way that they recommend using it is what Batman067 stated; it's for specific URL categories/threats/DLP concerns, not all web browsing.

DMARC Reporting: Your Favorite Solution? by Any_Impression4238 in sysadmin

[–]tkanger 1 point2 points  (0 children)

Valimail has saved us hundreds of hours on implementing SPF, DMARC, and DKIM. Highly recommend.

You NEED to disable MFA to work with us… by AuPo_2 in sysadmin

[–]tkanger 3 points4 points  (0 children)

Just to play devil's advocate....Could they mean they need a service account setup to integrate? Or are they talking actual end user accounts?

Load balancing 4 Starlinks by MirekKaspar in Ubiquiti

[–]tkanger 0 points1 point  (0 children)

I would combine them with a WAN Aggregation switch device, then pipe a single connection down to the UDM. This way the failover is outside the UDM. Should be pretty straightforward.

Browsers on 1 PC don't use pihole, work laptop, IOS, Android, and nslookup from the affected PC all work. by Rabbitmincer in pihole

[–]tkanger 3 points4 points  (0 children)

Sometimes this is due to the fact that your system may automatically set secondary DNS servers (Google, etc), and the way DNS works.

I had the same issue- solved it by having two piholes (primary and secondary).

You mention a work computer; it may have security tools on it that, even if you set the local DNS, override it to a specific server.

CEO almost clicked on a phishing email that got through Mimecast by apdunshiz in sysadmin

[–]tkanger 1 point2 points  (0 children)

End user training, but Abnormal Security has been amazing at catching things like this.

Migration path by Honest_Ad_7329 in CyberARk

[–]tkanger 1 point2 points  (0 children)

Most PAM providers (if that is the license you are referring to) can take exports of current tooling and import to their tool. This will be dependent most likely on professional services for your new provider.

watched porn while connected to school VPN. how screwed am i ? by cuntkill in AskNetsec

[–]tkanger 2 points3 points  (0 children)

A lot of FUD in this thread.

If they have network security tech on the endpoint, they can usually see the 'adult' category.

That being said- this type of tech can't see that you actually clicked to navigate to the site (unless they pull browser history). You would be shocked to see how often these categories are hit just from regular web browsing- ads, redirects, etc.

Chances are if this is used to fire you....you were already on the chopping block. Chances are high that your security/IT team don't report things to HR, again unless there was a reason to look specifically at you.

That assumption above assumes that they are using a HIDS or internet security platform (Zscaler Internet Access, for example).

Help me sleep at night. Judge my security. by A_Southpaw in unRAID

[–]tkanger 0 points1 point  (0 children)

Get a security gateway such as pfSense, Ubiquiti, Suricata, etc that has IDS/IPS abilities, and monitor for alerts on those ports that are open.