The Role of the Network in Encrypted Traffic Analytics
Cisco Systems, Inc.
Technology, Innovation, Enterprise Networking
One of the key pillars of the Cisco intuitive network that we launched recently is Encrypted Traffic Analytics (ETA). ETA builds on Cisco’s Network as a Sensor architecture to deliver two critical use cases for customers: detecting malware in encrypted traffic without decrypting it, and performing a cryptographic audit of the network. In previous blogs, we’ve talked about why we strive to provide security that does not compromise on privacy, and about the machine learning based research that enabled this innovation. Here I want to articulate the critical role that the network plays in delivering this solution.
Malware running on an end-point does two things that leave a fingerprint: it communicates with its command and control server at periodic intervals, and it uses a specific Transport Layer Security (TLS) library to encrypt its sessions. From a network perspective, this translates into two observable pieces of information that require no decryption: the sequence of packet lengths and the time intervals between packets in a flow, and specific fields from the initial TLS exchange (the ClientHello is sent in the clear, so the cipher suites and extensions the client offers are visible on the wire). Together, the behavioral profile of the process that generated the traffic and the TLS library it used help identify encrypted malware communication.
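To make the two kinds of metadata concrete, here is an added example written for this page (it is not Cisco's ETA or Stealthwatch code). It builds a constructed TLS 1.2 ClientHello, parses out the fields that are visible without decryption (offered version, cipher suites, extension types, SNI), derives the packet length and inter-arrival sequence from a constructed flow, and scores how periodic a series of connection start times is. All sample values, the 10-packet window and the periodicity measure are assumptions chosen for illustration, not ETA's actual feature set.

```python
"""Added example: extract the metadata the paragraph describes from a TLS flow.

Nothing here is ETA code; the ClientHello, packets and timestamps are all
constructed inline so the file runs offline.
"""
import struct
from statistics import mean, pstdev

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0


def build_client_hello(version, cipher_suites, extensions):
    """Serialise a minimal TLS 1.2 ClientHello record (random zeroed, no session id)."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"  # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _server_name(ext_data):
    """Pull the host_name entry out of a server_name extension body."""
    pos = 2  # skip ServerNameList length
    while pos + 3 <= len(ext_data):
        ntype, nlen = ext_data[pos], struct.unpack("!H", ext_data[pos + 1:pos + 3])[0]
        pos += 3
        if ntype == 0:
            return ext_data[pos:pos + nlen].decode("ascii", "replace")
        pos += nlen
    return None


def parse_client_hello(record):
    """Return the cleartext ClientHello fields a network sensor can observe."""
    if record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                      # client_version, random
    pos += 1 + body[pos]               # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]               # compression methods
    ext_types, sni = [], None
    if pos < len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_types.append(etype)
            if etype == EXT_SERVER_NAME:
                sni = _server_name(body[pos:pos + elen])
            pos += elen
    return {"version": version, "cipher_suites": ciphers, "extensions": ext_types, "sni": sni}


def splt(packets, n=10):
    """First n (signed length, inter-arrival ms) pairs of a flow.

    packets: (timestamp_ms, length, direction) with +1 client->server, -1 server->client.
    The 10-packet window is an assumption for this example.
    """
    out, prev = [], None
    for ts, length, direction in packets[:n]:
        out.append((direction * length, 0 if prev is None else ts - prev))
        prev = ts
    return out


def beacon_score(start_times):
    """Coefficient of variation of the gaps between connection starts; ~0 means periodic."""
    gaps = [b - a for a, b in zip(start_times, start_times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


# --- constructed sample data ---------------------------------------------
_host = b"example.com"
_sni_entry = b"\x00" + struct.pack("!H", len(_host)) + _host
SAMPLE_EXTENSIONS = [
    (EXT_SERVER_NAME, struct.pack("!H", len(_sni_entry)) + _sni_entry),
    (10, b"\x00\x04\x00\x1d\x00\x17"),      # supported_groups: x25519, secp256r1
    (11, b"\x01\x00"),                      # ec_point_formats: uncompressed
    (16, b"\x00\x09\x08http/1.1"),          # ALPN
]
SAMPLE_CIPHERS = [0xC02B, 0xC02F, 0x009C]
SAMPLE_PACKETS = [(0, 517, 1), (45, 1460, -1), (46, 1200, -1), (50, 126, 1), (51, 51, -1)]


def sample_client_hello():
    return build_client_hello(0x0303, SAMPLE_CIPHERS, SAMPLE_EXTENSIONS)


if __name__ == "__main__":
    print(parse_client_hello(sample_client_hello()))
    print(splt(SAMPLE_PACKETS))
    print(beacon_score([0, 60, 120, 180]), beacon_score([0, 3, 90, 91, 200]))
```

The cipher suite list and extension order are exactly the kind of library fingerprint the paragraph refers to: two different TLS stacks rarely offer the same suites in the same order, and the ordering survives regardless of the destination. The packet length sequence and beacon score capture the behavioral side; a flow classifier would consume both feature sets together.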
The key question is: how do we get this metadata? Given the plethora of end-points, each running a different operating system, it is very difficult to come up with an end-point based approach to collecting this information. That is where the role of the network becomes critical. The network is in the best position to observe the traffic and make the observations that determine the behavior of the application generating the data as well as the TLS library the application is using.
Our recent launch of the Catalyst 9300 and 9400 switches powered by the UADP 2.0 ASIC, positioned at the access layer of the network, enables us to observe every packet that originates from the end-points in the enterprise, irrespective of the medium of connection (wired or wireless). This includes typical wired and wireless end-points in the enterprise such as laptops and collaboration devices (phones and telepresence units), as well as IoT devices in future. The UADP 2.0 ASIC extracts and exports the data features to the flow collector without any impact on the overall throughput of the flow. The new IOS-XE operating system is leveraged for telemetry: the collected metrics are sent as soon as they become available to the Stealthwatch flow collectors, which use the cloud based Cognitive Analytics engine to detect malware in encrypted traffic. The output of Cognitive Analytics is seen on the Stealthwatch Management Console.

Once malware is detected, Stealthwatch leverages ISE to push mitigation policies to the network. The Catalyst 9300 and 9400 switches are once again at the forefront, actually enforcing the mitigation policies derived from the analytics, to solve what many in the industry thought was unsolvable. What’s even better are the possibilities that this solution opens up for further innovation in this space, and I can tell you that your decision to invest in the Catalyst 9300 and 9400 series switches will enable you to take advantage of these innovations to secure your network and the digital transformation of your enterprise.
About the Author
Sarav Radhakrishnan is a Distinguished Engineer and a 17+ year Cisco veteran who has worked on a number of products and solutions during his tenure at Cisco. Sarav is the architecture lead for the highly profitable Catalyst switching portfolio.
He has a proven track record of driving innovation in the portfolio and productizing the innovations. His current research and development interests include security, wireless, QoS, LiFi, virtualisation and machine learning.