Cisco Extends Encrypted Traffic Analytics

Encryption is proving to be both a blessing and a curse in that it ensures privacy, while simultaneously making it simpler for cybercriminals to deliver malware undetected. With much fanfare and some hyperbole, Cisco announced last summer it had developed Encrypted Traffic Analytics (ETA) capability to detect malware in encrypted traffic using machine learning algorithms embedded in its datacenter switches. Today, Cisco announced that it is extending that capability to its ISR and ASR branch office routers and CSR virtual cloud services routers.

The goal is to enable 50,000 Cisco customers to take advantage of a software upgrade that applies analytics to all the networking information attached to a packet as well as the way the packer interacts with networking services to determine whether malware is lurking inside, says Sandeep Agrawal, product line manager for security analytics at Cisco. Indications that a packet might be compromised include everything from how it moves across the network to any anomalous requests to exfiltrate data.

Once it’s determined that a packet is showing indications of being compromised, it is then automatically exposed to Cisco Stealthwatch analytics software for further evaluation using, for example, security intelligence data collected via the Cisco Talos service. This approach means that organizations no longer need to decrypt every packet to examine the contents for malware, says Agrawal. If malware is discovered, organizations can immediately apply a new policy to quarantine any additional network traffic being generated by the original source, adds Agrawal.

Most IT organizations today can’t detect malware hidden inside encrypted traffic. Agrawal says encrypted network traffic is on a trajectory to soon account for more than 80 percent of all traffic. While that’s generally a good thing in terms of protecting privacy, Agarwal says as much as more than half that encrypted traffic is likely to be infected with malware.

“Studies show that 41 percent of cyberattacks are already using encryption to avoid detection,” says Agrawal.

Agrawal says Cisco is committed to sharing the underlying machine learning technology it has developed with the IEEE later this year to help make networking more secure in general. But for the moment at least, ETA is only available on Cisco switches and routers.

The degree to which the Cisco approach identifies malware hidden in encrypted traffic remains to be seen. Agrawal says cybercriminals will get better at emulating the characteristics of normal network traffic, which will make it harder to detect anomalous behavior. Agarwal notes that a forthcoming 1.3 update to the Transport Layer Security (TLS) encryption protocol will also make the handshake that gets established between browser clients and network services more secure and, by extension, harder to spoof. As part of the capabilities embedded in Cisco ETA, Agrawal says Cisco will also be able to evaluate the strength and quality of the encryption being implemented at any given time.

Obviously, more advanced analytics is better than none. But as Agrawal notes, the battle between cybersecurity professionals and cybercriminals will continue, for the foreseeable future, an arms race without end.