With cybersecurity high on everybody's list, Cisco unveiled a product to help find malware in encrypted traffic. Called Encrypted Traffic Analytics, or Cisco ETA, it aims to tackle the very large problem of malware hiding within encrypted traffic. The problem isn't getting any smaller, which is both good and bad.
It is good because encrypting traffic helps protect your data, making it more difficult for malicious actors to read or tamper with it. Over 80 percent of traffic is anticipated to be encrypted by 2020.
However, this is also tough on cybersecurity experts and tools, because encrypted traffic is difficult to inspect for malware, meaning that malicious activity can hide inside it. To inspect it, the traffic must be decrypted before it is sent to your security solutions.
This isn't done often because decryption is a very CPU-intensive process. It also tends to require standalone appliances or a network packet broker, and decrypting the traffic can expose it to the very threats you were trying to protect against. As a result, the majority of companies can't afford the time or money to do it.
In fact, only 38 percent of companies decrypt traffic, according to a 2016 Ponemon report. This is where Cisco ETA comes in. Cisco customers can now use this network security technology to help identify malware in encrypted traffic without needing to open the packets and inspect their content.
This way, protecting data can be less costly while still providing adequate security and privacy. Since the announcement last summer, ETA has been undergoing early field trials, and it is now open to general availability.
Additionally, Cisco has also expanded support “for ETA beyond campus switching to the majority of our enterprise routing platforms, including [their] branch office router (the ISR and ASR) and our virtual cloud services routers (CSR).”
How Cisco ETA works
Cisco ETA works by combining telemetry generated by Cisco network infrastructure with machine learning algorithms that classify traffic as safe or potentially infected. It is particularly useful because it extends security detection and visibility close to the user in the branch, “where 80 percent of employees and customers are served.”
This is an important facet of Cisco ETA because these users typically don’t have the security they need, as it’s difficult to deploy complex sensors to a very large number of branch offices.
Additionally, Cisco says that “this next generation detection technology can easily be rolled out across their enterprise by leveraging software upgrades for the nearly 50,000 Cisco customers already using the world’s most popular enterprise routers, the ISR, and the world’s leading network detection software, Stealthwatch.”
Because most new malware deviates only slightly from existing families, a sophisticated machine learning model can identify which encrypted traffic is likely to contain malware. This questionable traffic is then sent to security tools such as Cisco Stealthwatch to be investigated and cleaned up.
In addition to the more than 80 percent of enterprises’ web traffic predicted to be encrypted, “more than 50 percent of new malware campaigns will use various forms of encryption and obfuscation to conceal delivery, and to conceal ongoing communications, including data exfiltration.”
Encryption as a threat?
It’s odd to think of encryption as a threat when it helps to protect your data and privacy, but if IT teams are unable to see what’s inside this large influx of traffic, encryption becomes a major problem as it could contain hidden malware.
Cisco’s ETA finds observable differences between benign and malware traffic by first examining the initial data packet of the connection, which can carry valuable information about the rest of the flow.
After this, Encrypted Traffic Analytics finds clues about the traffic’s contents beyond the beginning of the encrypted flow by looking at the sequence of packet lengths and times. According to Cisco, because “this network-based detection process is aided by machine learning, it adapts to change and its efficacy is maintained over time.”
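To make the "sequence of packet lengths and times" idea concrete, here is an added example (not Cisco's code) that turns one constructed flow record into direction-aware byte, timing and length-transition features a classifier could consume. The 150-byte bins and the 10x10 transition matrix are illustrative choices, not ETA's actual parameters.

```python
# Added example: SPLT-style feature extraction from a single flow.
# BIN_WIDTH and NUM_BINS are assumptions chosen for illustration.
from typing import Dict, List, Tuple

BIN_WIDTH = 150   # bytes per length bin
NUM_BINS = 10     # lengths >= 1350 bytes land in the last bin

# Constructed flow: (timestamp in seconds, signed length). Positive lengths are
# client->server, negative lengths are server->client.
SAMPLE_FLOW: List[Tuple[float, int]] = [
    (0.000, 517),    # ClientHello
    (0.041, -1460),  # ServerHello + certificate chain, full segments
    (0.042, -1460),
    (0.043, -812),
    (0.090, 126),    # client key exchange / finished
    (0.131, -51),    # server finished
    (0.133, 298),    # first application data
    (0.180, -1460),
    (0.181, -1460),
    (0.183, -900),
]

def length_bin(length: int) -> int:
    """Map a packet length (either direction) to a bin index 0..NUM_BINS-1."""
    return min(abs(length) // BIN_WIDTH, NUM_BINS - 1)

def splt_markov_matrix(flow: List[Tuple[float, int]]) -> List[List[float]]:
    """Row-normalised transition probabilities between consecutive length bins."""
    counts = [[0] * NUM_BINS for _ in range(NUM_BINS)]
    bins = [length_bin(length) for _, length in flow]
    for a, b in zip(bins, bins[1:]):
        counts[a][b] += 1
    matrix = []
    for row in counts:
        total = sum(row)
        matrix.append([c / total if total else 0.0 for c in row])
    return matrix

def splt_summary(flow: List[Tuple[float, int]]) -> Dict[str, float]:
    """Per-direction byte totals and inter-arrival timing for one flow."""
    gaps = [t2 - t1 for (t1, _), (t2, _) in zip(flow, flow[1:])]
    return {
        "packets": len(flow),
        "bytes_up": sum(l for _, l in flow if l > 0),
        "bytes_down": sum(-l for _, l in flow if l < 0),
        "max_gap_s": max(gaps),
        "mean_gap_s": sum(gaps) / len(gaps),
    }
```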
Cisco also addresses the balance between security and privacy, acknowledging that the two have a complex relationship. ETA actually improves privacy because it does not need to decrypt all traffic in order to inspect it.
Instead, ETA focuses on the key data features that can be observed through passive monitoring to analyze the encrypted traffic. Only the suspicious flows then need to be decrypted or blocked, using Cisco’s intent-based networking to block or dynamically redirect them.
Another important aspect of encryption that Cisco’s ETA helps with is cryptographic compliance. ETA can identify the encryption quality of each network conversation instantly, so companies can prove enterprise compliance with cryptography policies.
It helps these companies and regulatory agencies know exactly what is and is not being encrypted on their network, so you know with certainty whether your information is protected.
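The "encryption quality" check above can be done from the initial data packet alone: the TLS ClientHello names the client's version and the cipher suites it is willing to use. The following is an added example (not Cisco's code) that parses a constructed ClientHello and reports offers that fall below a minimum policy; the policy thresholds are an assumption, the suite codes are the IANA-registered values.

```python
# Added example: passive cryptographic-compliance check on a TLS ClientHello.
import struct

# Constructed policy: TLS 1.2 minimum, and no NULL/RC4/3DES suites on offer.
MIN_VERSION = (3, 3)  # TLS 1.2 is encoded as major 3, minor 3
WEAK_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}

def parse_client_hello(record: bytes) -> dict:
    """Return the client version and offered cipher suites from one TLS record."""
    content_type, _major, _minor, _rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22 or record[5] != 1:        # 22 = handshake, 1 = ClientHello
        raise ValueError("not a ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    client_version = (body[0], body[1])
    pos = 2 + 32                                    # skip client_random
    pos += 1 + body[pos]                            # skip variable-length session_id
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + suites_len, 2)]
    return {"client_version": client_version, "cipher_suites": suites}

def compliance_findings(hello: dict) -> list:
    """List every way the offer falls short of the constructed policy."""
    findings = []
    if hello["client_version"] < MIN_VERSION:
        findings.append(f"client version {hello['client_version']} is below TLS 1.2")
    for code in hello["cipher_suites"]:
        if code in WEAK_SUITES:
            findings.append(f"weak suite offered: {WEAK_SUITES[code]}")
    return findings

def build_client_hello(version: tuple, suites: list) -> bytes:
    """Construct a minimal ClientHello record (fixed random, no extensions) as test input."""
    body = bytes(version) + b"\x11" * 32 + b"\x00"   # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + b"\x00\x00"                # null compression, no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: a TLS 1.0 client offering RC4 alongside modern suites.
SAMPLE_HELLO = build_client_hello((3, 1), [0x0005, 0xC02F, 0x1301])
```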
Know if you are protected
For the average business, Cisco ETA can help to:
- Enhance visibility, assisting in gaining insight into threats within encrypted traffic by using network analytics and machine learning instead of decryption.
- Shorten time to respond by rapidly containing infected devices and users and securing your network.
- Promote compliance with cryptographic policies by alerting you to what is and is not encrypted on your network.
- Save time and money by helping you protect your data without needing to spend the time and money to decrypt all of your traffic.
Cisco says it will continue rolling out additional capabilities in the months to come to give customers a deeper level of end-to-end visibility and protection, something it is uniquely positioned to do as an industry leader in both networking and security.
With the amount of encrypted traffic ever-increasing, the security department’s job is not going to get any easier. Cisco ETA can assist that department, making your data safer than before in a less costly and time-consuming way while still preserving privacy.
Photo credit: Pixabay