In June 2017, Cisco announced the Encrypted Traffic Analytics (ETA) solution – a breakthrough technology stack that allows us to gain insight into encrypted traffic without decryption. That insight provides an unprecedented view into the use of encryption across your entire network and allows us to identify malware using those encrypted network connections.

Today, I want to give a summary of our work to date and explain some exciting new expansions to the solution. As the way organizations use encryption continues to change, with rising costs and fewer opportunities for inline decryption and inspection, Cisco ETA serves as an ideal addition to your detection arsenal and provides the security analytics you need to cover these critical gaps.

A Security Analytics and ETA Primer

Traditional network security systems detect malicious behavior by inspecting the network packet stream and matching it against a library of patterns that are known to indicate compromise. Security analytics, on the other hand, relies on advanced analytic techniques, including various forms of machine learning, applied to large volumes and varieties of telemetry and log data to detect threats.

ETA embodies that approach with the following elements:

  1. Specially designed metadata exported in telemetry from Cisco’s network element platforms
  2. Cisco Stealthwatch Enterprise to collect and analyze that telemetry for Cryptographic Audit (vulnerability discovery), threat investigation or hunting, and malware detection using our multi-layer machine-learning engine.

This technology has the unique property of both allowing us to ensure the privacy of our most important business data and allowing us to detect malware that is using that same privacy to cover its tracks. As anyone who has been in the security industry for any amount of time knows, it is not often that you can satisfy both sides of that particular equation. Cisco Fellow David McGrew has a great discussion on this here.

What Have We Found?

We continue to have great success in our customer environments, and we can share the results of monitoring the Cisco Live USA 2018, Mobile World Congress 2018 and Mobile World Congress 2019 conferences. The categories of threats that the technology has detected in these and other environments include, but are not limited to:

  • Illicit Cryptomining
  • Android OS Trojans
  • Ad Injectors
  • SALITY malware
  • Malware using SMB service discovery
  • Potentially unwanted applications such as Tor and BitTorrent

In addition, we can share an evaluation from testing and certification from Miercom, where Cisco Encrypted Traffic Analytics showed as much as 36 percent faster rates of detection in the presence of the ETA telemetry and related analysis.

Extending the ETA Telemetry Sources

At launch, ETA telemetry was available from our family of campus switches:

  • Cisco Catalyst 9300 and 9400 Series

Following that, we extended that capability to the routing platforms that span the branch, WAN, and cloud:

  • Cisco Integrated Services Router (ISR) 4000, 1000 Series and the ISRv on ENCS 5000 series
  • Cisco Aggregation Service Router (ASR) 1000 Series
  • Cisco Cloud Services Router (CSR) 1000V

Today, we are happy to extend our telemetry coverage to the wireless network through instrumentation in our wireless LAN controllers:

  • Cisco Catalyst 9800 Series

We are really happy with our progress on giving our customers more comprehensive visibility, both north-south and east-west, across their networks from campus, branch, cloud, and WAN. Security analytics become more effective as we increase the variety and completeness of the telemetry, so we are aggressively seeking every opportunity to instrument your digital business. These newest additions are just the first steps, with so much more to come!

ETA on the Stealthwatch Flow Sensor

This is the sort of expansion to the ETA solution that really gets me excited! If you did not already know, the Stealthwatch Flow Sensor is a packet sensing device that we use to extend the breadth and depth of visibility across the network.

It is really helpful in parts of the network that cannot natively produce telemetry. The canonical example of this is the traffic between virtual machines within a virtual machine server cluster (VMware or KVM). This traffic never hits a physical network and the virtual network cannot be easily modified. The Flow Sensor can be dropped into that server cluster and produce telemetry that we never had before. We also provide appliance versions that can sit off a network TAP or mirror port.

For unencrypted traffic, the Flow Sensor already includes a high-speed DPI engine that can populate the telemetry with application identification and transaction metadata. Now, we have added ETA metadata to the telemetry export of the Flow Sensor which allows our security analytics to peer into those hard-to-reach areas of the network.

This is a fully baked-in feature of the Flow Sensor that will be available soon in the next software release, Stealthwatch 7.1. In other words, if you are an existing Flow Sensor customer, the ETA solution is just an upgrade away! And if you aren’t, now you can easily accelerate your ETA deployment to the entire network.

Security Analytics to Detect Cryptomining

We passionately believe that we need to keep turning the crank on making the most of the telemetry that we are collecting from across your digital business. Our multi-layer machine learning engine is a cloud-hosted service that we are constantly improving. Today, I’d like to highlight a recent and noteworthy addition.

Cryptomining is fast becoming the revenue stream of choice for many cyber criminals. It is far less visible to the targets and provides a more recurring revenue model than extortion techniques such as ransomware.

We have now deployed a new cryptomining classifier that uses the ETA data features to detect behavior specific to cryptomining and connections to cryptomining pools. The key thing is that the classifier does not rely on external feeds or lists of IP addresses. Instead, it provides results with high precision and can distinguish between short-term and long-term mining activities just based on network behavior. This is one of the many ways in which Stealthwatch applies security analytics to detect illicit cryptomining.

Automated ETA Deployment

We have been working hard on making our vision of intent-based networking a reality. A key part of that vision is the automation of tasks that do not require deep engineering oversight. That automation has now been extended to make it easier than ever before to configure and deploy Network-as-a-Sensor (NaaS) and Encrypted Traffic Analytics (ETA) within the network infrastructure and Stealthwatch.

Cisco Digital Network Architecture Center (Cisco DNA Center) is at the heart of this automation and will contain a provisioning service called Stealthwatch Security Analytics which provides a workflow that gets things up and running in just a few clicks.

The outline of the workflow goes something like this:

  • Register your Stealthwatch Management Console (SMC) with Cisco DNA Center so that it can understand your Stealthwatch Enterprise deployment
  • Automatic readiness check of the network elements based on required software, hardware, roles, and licenses, to identify which locations are ready to deploy
  • Select where to deploy by site, building, or even floor and then select where to send the telemetry. Perfect for when you have multiple Stealthwatch Flow Collectors
  • Schedule the roll out of the configuration changes
  • Visibility into the ongoing state of the deployment

The Stealthwatch Security Analytics service will be available in Cisco DNA Center 1.4.

Easily Ensure Cryptographic Compliance

We have also recently introduced the “ETA Cryptographic Audit” app within Stealthwatch that provides an assessment of the “quality” of encryption being used, which is helpful to audit cryptographic compliance. For example, using SSL or early TLS violates PCI compliance. It also helps to understand trends and changes in the amount and type of encryption.
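A cryptographic audit of this kind is possible without decryption because the negotiated protocol version and cipher suite travel in the clear in the TLS ServerHello. The following is an added example, not Stealthwatch or ETA code: it parses a ServerHello record and flags SSL or early TLS, assuming that means SSLv3 and TLS 1.0; the function names and the sample records built by `make_hello` are constructed for illustration.

```python
import struct

# Protocol versions as they appear on the wire in the ServerHello.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Assumption for this example: "SSL or early TLS" means SSLv3 and TLS 1.0.
NON_COMPLIANT = {0x0300, 0x0301}

def parse_server_hello(record: bytes):
    """Return (negotiated_version, cipher_suite) from one TLS record."""
    ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 0x16 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack_from("!H", hello, 0)[0]
    pos = 2 + 32                       # skip legacy version and random
    pos += 1 + hello[pos]              # skip session_id
    cipher = struct.unpack_from("!H", hello, pos)[0]
    pos += 3                           # cipher suite + compression method
    # TLS 1.3 keeps 0x0303 in the legacy field and carries the real
    # version in the supported_versions extension (type 0x002b).
    if pos + 2 <= len(hello):
        end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(hello)):
            etype, elen = struct.unpack_from("!HH", hello, pos)
            if etype == 0x002B and elen == 2:
                version = struct.unpack_from("!H", hello, pos + 4)[0]
            pos += 4 + elen
    return version, cipher

def audit(record: bytes) -> dict:
    version, cipher = parse_server_hello(record)
    return {"version": VERSIONS.get(version, hex(version)),
            "cipher_suite": f"0x{cipher:04x}",
            "compliant": version not in NON_COMPLIANT}

def make_hello(version: int, cipher: int, ext: bytes = b"") -> bytes:
    """Build a constructed ServerHello record (sample data, not captured traffic)."""
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!HB", cipher, 0))
    if ext:
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs
```

Calling `audit(make_hello(0x0301, 0x002F))` reports a TLS 1.0 session as non-compliant, while a record carrying the `supported_versions` extension is reported as TLS 1.3 even though its legacy version field says TLS 1.2.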

What’s Next for ETA?

We are really excited by our progress to date and the expansions to the solution that I have discussed. I hope that this illustrates Cisco’s commitment to the Encrypted Traffic Analytics solution and, more generally, to security analytics as a first-class component of a security architecture.

We have much more that we are pushing through the R&D pipeline, especially when it comes to security monitoring and analytics of the cloud and in the cloud.

I cannot wait to give you all the next update on the exciting new features to come!


To learn more about Cisco Encrypted Traffic Analytics, go to www.cisco.com/go/eta



Sunil Amin

Principal Engineer

Cisco Stealthwatch