Cisco Encrypted Traffic Analytics Ups The Ante On Network Threat Detection


Cisco Systems, the networking giant, released a new technology last Wednesday called Encrypted Traffic Analytics (ETA). Cisco claims the software can spot attack attempts within encrypted traffic.

According to Gartner and NSS Labs, 55% of current Internet traffic is already encrypted, and this is expected to rise to 75% by 2019. Businesses are increasingly turning to Secure Sockets Layer (SSL) and Transport Layer Security (TLS) encryption to transmit private data securely over the web, including credit card details, passwords and sensitive personal data.

“The increase in secure web transactions is encouraging since this means sensitive information is being protected”, Jason Pappalexis, NSS Labs research director, said in the recent NSS Labs press statement. “However, encryption also creates a false sense of security since threats can be missed because they are now hidden within the packet payload that is encrypted. It is imperative that security solutions are validated so that they are addressing this,” he added.

Cisco says that given the huge rise in encrypted traffic, traditional threat inspection, which utilizes bulk decryption, analysis and re-encryption, will become unfeasible. A team of Cisco engineers started to work on the problem a couple of years ago and published a research paper in 2016. They discovered that you could determine whether or not encrypted data had malicious traffic within it without first unscrambling the data. Encrypted Traffic Analytics is based on this insight.

ETA does this in several steps: (i) it inspects the initial unencrypted packets for overt red flags, such as whether they come from a blacklisted address; (ii) a multilayer machine learning (ML) tool looks for patterns that indicate more subtle threats; (iii) it draws on Talos, Cisco’s threat intelligence.

Cisco’s TK Keanini, Principal Engineer, Lancope Engineering, said: “All three of these work in concert with each other to make up the hit song Encrypted Traffic Analytics. Any threats, when they show up on the network, are going to show up in one of these three buckets.”

The ML tool uses algorithms to scan the encrypted data for deviations from regular traffic that may indicate an attacker’s presence; for example, an irregular time interval between certain events, or an unusual sequence of individual packet lengths. The ML engine continuously adjusts its detection criteria as customer environments change.

Cisco says the technology could also improve user privacy as it identifies threats in encrypted traffic without decrypting it. According to David Goeckeler, Senior Vice President and General Manager of Networking and Security, only Cisco can do this.

ETA also helps with customer privacy as Cisco is giving companies the option to identify which specific streams of encrypted data they want examined more carefully. This will reduce the amount of legitimate traffic that needs to be decrypted and inspected.

Three Cisco products come together to deliver Encrypted Traffic Analytics:

- The Catalyst Series Switches allow organizations to centrally manage policy, deploy end-to-end security, and gain visibility into wired and wireless access networks.

- Stealthwatch then gathers the enhanced telemetry collected from the network to provide real-time monitoring of all network traffic, with the ability to view and search on parameters such as encryption algorithm and TLS/SSL version. It improves incident response times across the network and builds a baseline of normal activity for each user or host, then applies context-aware analysis to automatically detect out-of-the-ordinary behaviour.

- Cognitive Analytics, a cloud-based threat detection and analytics capability available in Cisco Stealthwatch, provides additional contextual information that allows new and emerging threats to be identified and prioritised across the extended network.
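The ClientHello metadata that Stealthwatch lets analysts search on (TLS version, cipher suites) and the packet-length and timing sequences the ML tool scores are both visible without decrypting anything. The following Python is an added example, not Cisco’s code: it parses a constructed ClientHello and summarises a constructed flow’s packet lengths and inter-arrival gaps; the feature names, the LEGACY_SUITES set and the sample values are assumptions for illustration only.

```python
import struct
from statistics import mean

# Real cipher-suite IDs from the TLS registry; only a few are named here.
SUITE_NAMES = {0x1301: "TLS_AES_128_GCM_SHA256",
               0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}
LEGACY_SUITES = {0x000A}   # assumption: suites a modern client baseline rarely offers

def build_client_hello(version, suites):
    """Construct a minimal TLS ClientHello record (no extensions) as sample input."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + b"\x00\x00"                             # null compression, no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 22 = handshake

def parse_client_hello(rec):
    """Return (client_version, [cipher suite ids]) from the unencrypted ClientHello."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                        # skip record (5) and handshake (4) headers
    version = struct.unpack_from("!H", rec, p)[0]
    p += 2 + 32                                  # client_version, client random
    p += 1 + rec[p]                              # session_id length byte plus session id
    n = struct.unpack_from("!H", rec, p)[0]
    p += 2
    suites = [struct.unpack_from("!H", rec, p + i)[0] for i in range(0, n, 2)]
    return version, suites

def hello_indicators(rec):
    """Plain-text metadata a defender can baseline: version and any legacy suites offered."""
    version, suites = parse_client_hello(rec)
    legacy = [SUITE_NAMES.get(s, hex(s)) for s in suites if s in LEGACY_SUITES]
    return {"version": hex(version), "n_suites": len(suites), "legacy_suites": legacy}

def splt_features(flow):
    """flow: list of (t_ms, direction, length). Summarise lengths and inter-arrival gaps."""
    lengths = [l for _, _, l in flow]
    gaps = [b[0] - a[0] for a, b in zip(flow, flow[1:])]
    return {"n_pkts": len(flow), "mean_len": mean(lengths), "max_len": max(lengths),
            "mean_gap_ms": mean(gaps), "max_gap_ms": max(gaps),
            "bytes_out": sum(l for _, d, l in flow if d == "out"),
            "bytes_in": sum(l for _, d, l in flow if d == "in")}

# Constructed sample flow: a handshake burst, then small client packets every 60 s.
SAMPLE_FLOW = [(0, "out", 517), (50, "in", 1460), (60, "in", 1200), (100, "out", 90),
               (60100, "out", 90), (120100, "out", 90)]

if __name__ == "__main__":
    print(hello_indicators(build_client_hello(0x0303, [0x1301, 0xC02F, 0x000A])))
    print(splt_features(SAMPLE_FLOW))
```

The feature dictionaries are the kind of per-flow record a baseline of normal host behaviour would be built from; a long, highly regular max_gap_ms or a legacy suite that a given host never offered before is what a context-aware comparison would surface.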

ETA is part of Cisco’s intent-based network initiative (known as ‘network intuitive’), which the company started to roll out last year. Initially, it only supported Cisco’s latest campus switches, the Catalyst 9300 and 9400 series; but last week, Cisco announced it was extending the technology to around 50,000 additional customers. ETA now also works with Cisco’s Integrated Services Routers (ISR) for branch offices, Aggregation Services Routers (ASR 1k) and Cloud Services Routers (CSR). This will allow enterprises to expand threat detection across their entire operations.

Furthermore, ETA moves Cisco closer to a fully autonomous network.

“The architecture and the way ETA was implemented speaks volumes to the network intuitive — it is the network itself that is telling you whether it’s secure or not,” Keanini said. “The routers and switches are providing not just networking telemetry, but now security telemetry.”
