It’s here. Cisco has solved one of the biggest challenges facing the security industry – and now thousands of Cisco customers can start using this breakthrough new network security technology.
Back in June, Cisco announced Encrypted Traffic Analytics – a breakthrough technology that identifies malware in encrypted traffic, without having to break apart the packets and inspect the contents. This unique solution allows security teams to balance security and privacy – and significantly reduce costs along the way.
Since then, Encrypted Traffic Analytics – or ETA – has been in early field trials with customers around the world. The feedback has been incredibly positive, and we’re now moving into general availability. But, as a great man once said, there’s one more thing … and we think it’s a big deal.
Today, we’re also expanding support for ETA beyond campus switching to the majority of our enterprise routing platforms, including our branch office router (the ISR and ASR) and our virtual cloud services routers (CSR).
So, what’s the big deal? First, it extends state of the art security detection and visibility close to the user in the branch, where 80 percent of employees and customers are served. This group of users are often underserved by security due to the scale and complexity of deploying sophisticated sensors to hundreds or thousands of branch offices. Secondly, this next generation detection technology can easily be rolled out across their enterprise by leveraging software upgrades for the nearly 50,000 Cisco customers already using the world’s most popular enterprise routers, the ISR, and the world’s leading network detection software, Stealthwatch.
Here’s why this matters:
- Evolving security landscape: Through 2019, Gartner* predicts more than 80 percent of enterprises’ web traffic will be encrypted and during 2019, more than 50 percent of new malware campaigns will use various forms of encryption and obfuscation to conceal delivery, and to conceal ongoing communications, including data exfiltration. While we believe encryption is the right trend for privacy and regulatory compliance, IT teams will face a massive influx of traffic that they cannot see without decryption technology. This makes encrypted malware one of the industry’s biggest emerging threats.
- How does it work? When you visit your doctor complaining of a pain in your shoulder or a sore back, the doctor doesn’t wheel you into surgery right away. Instead, the doctor looks for symptoms and checks for telltale signs of a muscle pull or a more serious injury before advocating more intrusive methods, such as x-rays or even surgery. The same is true with ETA and encrypted traffic. ETA uses network visibility and multi-layer machine learning to look for observable differences between benign and malware traffic. How? First, ETA examines the initial data packet of the connection. This by itself may contain valuable data about the rest of the content. Then there is the sequence of packet lengths and times, which offers vital clues into traffic contents beyond the beginning of the encrypted flow. Since this network-based detection process is aided by machine learning, it adapts to change and its efficacy is maintained over time.
- Security vs privacy: Security possesses a complex relationship with privacy, where the former can augment or compromise the latter. Large organizations regularly balance this relationship when protecting information systems. As Cisco Fellow Dave McGrew points out, ETA’s principal benefit is preserving the privacy of legitimate traffic by not relying solely on decryption for security inspection. It instead analyzes encrypted traffic by deeply investigating important data features that are observable through passive monitoring. Suspicious flows can then be selectively decrypted or blocked leveraging Cisco’s intent-based networking to dynamically redirect or block suspicious flows.
- Cryptographic compliance: Meeting compliance standards around encrypted traffic is becoming a major issue in many industries, and ETA provides an elegant solution. ETA identifies encryption quality instantly from every network conversation, providing the visibility to ensure enterprise compliance with cryptographic protocols. It delivers the knowledge of what’s being encrypted on your network and what isn’t, so you can confidently trust that your digital business is protected. This cryptographic assessment is displayed in Stealthwatch and can be exported via APIs to third-party tools for monitoring and auditing of encryption compliance. Finally, the network itself is delivering the necessary telemetry security and not just network operations.
- Branch, WAN and cloud: For ETA to function at high speeds, it requires a blend of best-in-class hardware and software. Over the past few years, we’ve been laying the foundation for these capabilities by rebuilding the brains of our networking architecture, our network operating system. We now have a single, modular operating system – IOS-XE – that allow us to quickly roll out advanced capabilities, such as ETA, across our entire enterprise networking portfolio. ETA, which was initially available only on our new family of campus switches, the Catalyst 9300 and 9400 series, has now been extended to routing platforms spanning the branch, WAN and cloud, including:
- Integrated Services Router (ISR): 4000 Series, the new 1000 Series, ISRv on ENCS 5000 series
- Aggregation Services Router (ASR) 1000 series
- Cloud Services Router (CSR) 1000V
- A dynamic duo: Everything touches the network, which is what makes network visibility so critical. And this is what makes the application of ETA to the network such a powerful security additive. End host monitoring agents have deep visibility on the devices where they are installed but this typically only covers desktops and laptops with Windows or MacOS. The network has much broader visibility, covering devices for which no host monitoring is available such as IoT and mobile. The number of IoT and mobile devices already outnumber desktop and laptop OS deployments and are both growing exponentially.
We’re excited to bring these much-needed security innovations to our customers and we will be rolling out additional capabilities in the months to come. As the industry leader in networking and security, we are in a unique position to offer customers a deeper level of end-to-end visibility and protection. The network is already one of the most powerful tools in a security practitioner’s arsenal. Encrypted Traffic Analytics makes the network even more powerful, detecting threats in a way that no one else in the industry can – preserving user privacy, distributing security as close to the user or device as possible, and detecting malware.
If you are interested in learning more about Encrypted Traffic Analytics, we welcome you to see the ETA white paper, deployment guide, TechWise TV demo, and website.
Learn more @ cisco.com/go/eta
*Gartner Predicts 2017: Network and Gateway Security, Lawrence Orans, Adam Hils, Jeremy D’Hoinne, Eric Ahlm, 13 December 2016.
Who is Cisco customer in ETA space ?
I'm really appreciating the "Security vs Privacy" focus and prioritizing passive monitoring. Here's another ETA video specific to SD Access that may be useful.
https://salesconnect.cisco.com/open.html?c=e283ae05-c391-49f2-8696-72fa902c3b99