The increasingly distributed nature of modern business operations is creating headaches for organizations that are struggling to see everything that is going on in their networks and to monitor their digital certificates.
Corporate IT environments are stretching farther away from central data centers, with more business being done and data being moved over wireless networks. At the same time, SSL/TLS certificates that are used to authenticate the identity of websites, servers, and services and ensure data in transit is protected via encrypted communications are expiring at a faster rate, requiring organizations to tighten their certificate management capabilities even more.
The expanding gaps in visibility are creating more security risks for companies and MSSPs already under constant cyberthreat.
According to Eileen Haggerty, area vice president for product and solutions marketing for NETSCOUT, there are “growing blind spots in highly distributed networks, specifically at remote locations and within encrypted traffic flows.”
“For enterprises, this gap is a liability because you cannot secure or manage what you cannot see,” Haggerty told MSSP Alert. “Threats typically emerge from silent failures such as expired SSL/TLS certificates that aren't centrally tracked. The result is a cascade of costly unplanned downtime, broken APIs, and a significant erosion of customer trust and brand reputation when services unexpectedly go dark.”
Adding to nGeniusONE
NETSCOUT this week added to its nGeniusONE observability platform with enhancements aimed at supporting real-time deep packet inspection over Ethernet or Wi-Fi 7 as well as its certificate monitoring capabilities, which executives said will improve the user experience, reduce outages caused by expiring certificates, ensure regulatory compliance, and better protect against threats like man-in-the-middle attacks.
“The primary driver of modern operational risk is the increasingly distributed nature of business operations,” she said. “As certificate lifespans shrink and hybrid-cloud ecosystems expand, the scale of managing these connections exceeds human capacity without visibility into them. This creates an environment where unmonitored remote ports or forgotten certificates expose organizations to threats.”
A Shorter Certificate Lifespan
The Certification Authority Browser Forum in April 2025 – after much debate – approved shortening the lifespan of Transport Layer Security (TLS) certificates. The forum – which includes certificate authorities like DigiCert and GlobalSign, as well as Apple, Google, Microsoft, Mozilla, and other browser companies – argued that the shorter lifespan reduces the opportunity for bad actors to exploit compromised certificates.
However, it puts greater pressure on organizations to manage their certificates, a challenge given that, according to the Ponemon Institute, 51% of organizations don’t know how many digital certificates they have.
TLS certificates now are good for 398 days, but that drops to 200 days on March 15, 100 days next year, and 47 days in March 2029.
Proactive Approaches
The new additions to NETSCOUT’s nGeniusONE will enable organizations to detect SSL certificates that are reaching their expiration dates and find unknown certificates running on non-standard ports. Such certificates can be disguised by hackers or arise from shadow IT. It’s a proactive approach rather than a reactive one, according to the company.
The company also is taking a proactive tack with the rapidly growing Wi-Fi 7 market, which analysts with BCC Research expect to grow on average 61.5% every year between last year and 2030 as demand for faster speeds and lower latency expands to address continuing digital transformation efforts and the industrial Internet of Things.
The Wi-Fi 7 support comes with backward compatibility with other Wi-Fi standards – 6E, 6, and 5 – and adds it to the Ethernet support in nGenius Edge Sensors. Organizations will get early notifications to help them head off potential problems that could affect customer service, productivity, or revenue streams, the vendor said.
Good for MSSPs, Too
The new capabilities in nGeniusONE also will improve visibility for MSSPs and MSPs, which Tom Bienkowski, product marketing director for NETSCOUT, said are “on the frontlines of digital resilience for their clients, but they can be bogged down by extended mean-time-to-resolution when troubleshooting blind spots.”
The security services providers can shift to preventative operations by offering the new NETSCOUT capabilities to clients. Expired certificates are a shared-responsibility point of failure, according to the vendor, which added that MSSPs and MSPs can add significant security value in this area.
“Our tools enable service providers to proactively identify and resolve issues, such as expiring certificates or performance dips, before the client even becomes aware of a problem,” Bienkowski said. “This lowers operational costs while providing a high-value security and compliance service that ensures clients stay ahead of emerging risks.”
Other vendors also are addressing the challenges.
CyberArk – which is in the process of being bought by Palo Alto Networks for about $25 billion – in November unveiled its TLS Certificate Renewal Impact Calculator and TLS Certificate Discovery Scan tools to help organizations understand the operational and financial impacts of the shorter certificate lifespans.