A is incorrect: Signature-based detection rules cannot be applied to encrypted payload content because the payload is not accessible in plaintext form. Encryption by design prevents inspection of the data content within the payload, making signature matching against encrypted content technically impossible regardless of protocol normalization steps. Detection of threats within encrypted traffic requires analysis of observable metadata attributes, not the inaccessible encrypted content itself.
B is correct: AI-driven NDR solutions can detect threats within encrypted traffic by analyzing traffic metadata without requiring decryption. ML models examine features such as packet sizes, inter-arrival timing, flow duration, TLS handshake parameters, certificate information, and connection patterns to identify anomalies. These observable metadata features differ between legitimate and malicious traffic, allowing the model to flag suspicious encrypted sessions without accessing plaintext payload, thereby preserving end-to-end encryption and user privacy while still providing detection capability.
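To make the metadata-only approach concrete, here is an added illustration (not part of the original answer key, and not any vendor's NDR code) that scores TLS sessions using only packet sizes, inter-arrival timing, flow duration and handshake attributes. `FlowRecord` is a hypothetical sensor summary, the flows are constructed sample data, and the per-feature z-score baseline stands in for a trained ML model; at no point is payload content available or needed.

```python
"""Metadata-only anomaly scoring for TLS sessions (added illustration).

Assumptions, none of which come from the original text: FlowRecord is a
hypothetical summary an NDR sensor could emit, the flows below are constructed
sample data, and the z-score baseline stands in for a trained ML model.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass
class FlowRecord:
    src: str
    dst: str
    packet_sizes: List[int]     # bytes per packet, both directions
    timestamps: List[float]     # seconds since flow start, one per packet
    tls_version: str            # version negotiated in the (cleartext) handshake
    sni: str                    # server_name from the ClientHello, "" if absent
    cert_self_signed: bool      # derived from the presented certificate chain


def extract_features(flow: FlowRecord) -> Dict[str, float]:
    """Derive observable features from sizes and timing only; no decryption."""
    sizes, ts = flow.packet_sizes, flow.timestamps
    gaps = [b - a for a, b in zip(ts, ts[1:])] or [0.0]
    return {
        "mean_size": mean(sizes),
        "size_std": pstdev(sizes) if len(sizes) > 1 else 0.0,
        "mean_gap": mean(gaps),
        "gap_std": pstdev(gaps) if len(gaps) > 1 else 0.0,
        "duration": ts[-1] - ts[0],
        "packets": float(len(sizes)),
    }


def fit_baseline(flows: List[FlowRecord]) -> Dict[str, Tuple[float, float]]:
    """Per-feature mean and std over known-good flows (stand-in for training)."""
    feats = [extract_features(f) for f in flows]
    baseline = {}
    for k in feats[0]:
        col = [x[k] for x in feats]
        baseline[k] = (mean(col), pstdev(col) or 1.0)  # guard against zero spread
    return baseline


def score_flow(flow: FlowRecord, baseline) -> Tuple[float, List[str]]:
    """Return the largest z-score and human-readable reasons for analysts."""
    feats = extract_features(flow)
    z = {k: abs(feats[k] - mu) / sd for k, (mu, sd) in baseline.items()}
    reasons = [f"{k} z={v:.1f}" for k, v in z.items() if v > 3.0]
    # Handshake metadata is cleartext even in TLS 1.2/1.3, so it is usable too.
    if flow.tls_version not in ("TLSv1.2", "TLSv1.3"):
        reasons.append("legacy TLS version")
    if not flow.sni:
        reasons.append("no SNI")
    if flow.cert_self_signed:
        reasons.append("self-signed certificate")
    return max(z.values()), reasons


def triage(flows: List[FlowRecord], baseline, threshold: float = 3.0):
    """Flag flows whose timing/size profile departs from the baseline."""
    flagged = []
    for f in flows:
        score, reasons = score_flow(f, baseline)
        if score > threshold:
            flagged.append((f"{f.src}->{f.dst}", round(score, 1), reasons))
    return flagged


def _flow(src, dst, sizes, gaps, tls="TLSv1.3", sni="example.test", self_signed=False):
    """Build a constructed FlowRecord from packet sizes and inter-packet gaps."""
    ts = [0.0]
    for g in gaps:
        ts.append(ts[-1] + g)
    return FlowRecord(src, dst, sizes, ts, tls, sni, self_signed)


# Constructed baseline: short, bursty, browsing-like sessions (documentation IPs).
NORMAL = [
    _flow("10.0.0.11", "203.0.113.10", [517, 1460, 1460, 980, 120, 1460, 300],
          [0.02, 0.01, 0.01, 0.15, 0.3, 0.02]),
    _flow("10.0.0.12", "203.0.113.11", [520, 1460, 1300, 200, 64, 1460, 1460, 700],
          [0.03, 0.01, 0.02, 0.2, 0.5, 0.01, 0.02]),
    _flow("10.0.0.13", "203.0.113.12", [515, 1460, 640, 90, 1460, 1460],
          [0.02, 0.04, 0.25, 0.1, 0.01]),
    _flow("10.0.0.14", "203.0.113.13", [522, 1460, 1460, 1460, 350, 64],
          [0.01, 0.01, 0.02, 0.4, 0.03]),
    _flow("10.0.0.15", "203.0.113.14", [518, 1200, 410, 64, 1460, 880, 130],
          [0.05, 0.02, 0.3, 0.01, 0.02, 0.1]),
]
# Constructed suspicious session: fixed-size packets at a metronomic 60 s cadence,
# legacy TLS, no SNI and a self-signed certificate. Payload never inspected.
BEACON = _flow("10.0.0.42", "198.51.100.7", [517] + [96] * 9, [60.0] * 9,
               tls="TLSv1.0", sni="", self_signed=True)

if __name__ == "__main__":
    base = fit_baseline(NORMAL)
    for entry in triage(NORMAL + [BEACON], base):
        print(entry)
```

The point of the example is that every input the scorer consumes (sizes, timing, handshake fields) is visible on the wire with end-to-end encryption intact; a production NDR would replace the z-score baseline with a trained model, but the feature set is the same kind the text lists.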
C is incorrect: Using stored private keys for session decryption involves actively decrypting traffic, which contradicts the stated requirement. Additionally, modern TLS versions such as TLS 1.3 use ephemeral key exchange (Diffie-Hellman), which provides forward secrecy: session keys are never derivable from the server's long-term private key, so passive decryption with stored private keys is technically infeasible. This approach cannot meet the requirement of detecting threats without performing any form of decryption on the network traffic.
D is incorrect: Deploying inline TLS proxy appliances to decrypt and inspect traffic is a traditional approach that breaks end-to-end encryption. This method directly conflicts with the stated requirement to detect threats without decrypting the payload. TLS proxies also introduce infrastructure complexity, create potential single points of failure, and raise significant privacy concerns. This approach decrypts traffic rather than analyzing it in its encrypted state.