Cisco ETA (Encrypted traffic Analytics)
Encrypted traffic is on the rise and that’s both good and bad news. Encrypted traffic offers much greater data privacy and security to enterprises without large capex investments. Although, attackers are using encrypted traffic to hide malware inspection and detection. In fact, by 2019 over 70% of attacks use encryption for making the contents of that traffic largely invisible to threat inspection.
As decryption is costly slow and could potentially violate privacy policies this leaves large parts of a network in the dark. So how do you light up these growing dark spots? Cisco’s encrypted traffic analytics (Cisco ETA) with Cisco StealthWatch think of these shadows.
You don’t need to see all the details to know that this is harmless but this probably best to look into what’s going on there without decryption. StealthWatch illuminates encrypted traffic by using enhanced network telemetry and threat intelligence combined with multi-layer machine learning to continually trained classifiers and detect malicious or benign activity.
So as threats adapt, ETA will also adapt automatically and in real-time the result is stronger protection and accurate detection cutting response times from months to minutes using telemetry from your existing network all without compromising performance or privacy.
Cisco ETA essentially uses new types of data elements that are independent of protocol details, generated by the new Cisco switches and routers. This new telemetry or enhanced NetFlow is then collected by a Cisco StealthWatch Enterprise which applies machine learning to analyze encrypted traffic StealthWatch enterprises.
Cisco’s network visibility and security analytics solution which collects traffic from your existing network creates a baseline of normal behavior and triggers alarms when anomalies are detected. The use cases that are made possible by ETA is detecting malware in encrypted traffic.
Today customers do periodic audits to look for any TLS violations to ensure encrypted traffic is policy compliant but it’s not a great strategy when there is so many devices within your business.
There are three key factors that allow for analysis and discrimination of legitimate versus malicious traffic. the first one is the initial data packet or IDP. The initial packets of any connection contain valuable information about the content which IDP allows the analytics engine to access the SSL headers of the HTTP flows and application headers of related connections, the sequence of packet lengths and types or split.
The split field gives the visibility beyond the first packet of the encrypted flows which is measured the by size of packets and the timing differences to see what kind of content with a video web voice or downloads is being delivered within the connection.
StealthWatch Enterprise uses its cloud-based multi-layer machine learning platform to analyze these data elements. It also employs a global risk map that maintains very broad behavioral statistics about the servers on the Internet.
Later servers that are related to attacks will be selected which may be exploited or may be used as a part of an attack in the future. this is not a blacklist but a holistic picture of the server in question from a security perspective.
By multi-layered machine learning StealthWatch Enterprise can correlate threat behaviors seen in the enterprise with those same globally by processing massive amount of data near real time to discover anomalous and malicious network activity that is indicative of a breach the system analyzes user and device behavior to discover malware infections command and control communications data exfiltration and potentially unwanted applications operating in organization’s infrastructure.