
Encryption is becoming an increasingly prevalent aspect of digital communications – even when it comes to malware. A Cisco analysis of more than 400,000 malicious binaries found that about 70 percent had used at least some encryption to evade detection as of October 2017. Decrypting this traffic for malware inspection is not cost effective, while ignoring the problems can be disastrous. Organizations need a way to detect encrypted threats without decryption.

The Cisco network and Cisco Stealthwatch Enterprise work together to provide the most powerful network security analytics and threat detection solution on the market. To address the reality of encrypted threats, Cisco further enhanced this solution to create Encrypted Traffic Analytics, which uses enhanced telemetry from Cisco routers and switches and Stealthwatch Enterprise to identify malicious traffic patterns in encrypted communications without using decryption.

Encrypted Traffic Analytics is the only solution on the market that can accurately and quickly detect encrypted threats without the use of decryption. To prove this claim, Cisco engaged technology testing and certification firm Miercom to evaluate the efficacy and performance of Encrypted Traffic Analytics. The results were exceptional, earning Encrypted Traffic Analytics the Miercom Performance Verified certification.

You can read the full report here. Here are a few highlights:

Cisco Encrypted Traffic Analytics showed as much as 36 percent faster rates of detection, finding 100 percent of threats in three hours

Miercom tested a variety of malware, both encrypted and unencrypted, along two network paths. Both paths utilized Cisco networking equipment and Stealthwatch Enterprise, but one path had Encrypted Traffic Analytics enabled and the other did not. The malware tested included exploits such as Trojans, botnets, ransomware, and keyloggers, and more than two-thirds of these threats used encrypted communications. Without Encrypted Traffic Analytics this malicious activity would have persisted undetected.

On the path using Encrypted Traffic Analytics, threats were detected up to 36 percent faster than on the path without it. Furthermore, all threats were detected within three hours. Faster, more complete detection is something your attackers do not want you to achieve.

Encrypted Traffic Analytics detected 100 percent of malicious flows within three hours.

Immediate detections (those in under five minutes) and learning over the full three hours both showed impressive performance. In under five minutes, Encrypted Traffic Analytics detected nearly two-thirds of all malicious flows, almost double the rate of the path without Encrypted Traffic Analytics. Even at low volumes of 0 to 20 flows, Encrypted Traffic Analytics showed higher detection rates, and at 2000+ flows it reached 100 percent detection.

Stealthwatch Enterprise with Encrypted Traffic Analytics displays a detailed view of detected threats for additional intelligence on threat sources and similar threats in the network infrastructure

Stealthwatch Enterprise with Encrypted Traffic Analytics rates detected threats on a simple 1-to-10 scale, where 10 means a confirmed threat. Many threats are also attributed to specific threat types.

The image below shows a high-level ranking of detected threats. These alerts are sorted by incident, identity (for example, IP address), last time seen, and state.

Investigators can also quickly drill down to see the details of an alert, which helps accelerate incident investigation and response.

In addition, confirmed and attributed threats contain plain English descriptions of the threat, how it works, and how you can remediate it and protect yourself from reinfection.

Encrypted Traffic Analytics allows for queries to ensure communications are encrypted as per corporate cryptographic policies

Many corporations have internal policies, or must comply with industry regulations such as PCI DSS, regarding cryptographic standards. Applications that use weak or outdated cipher suites can place corporate data at risk. Encrypted Traffic Analytics enables organizations to query east-west and north-south traffic for cryptographic compliance.

For instance, organizations can monitor for applications using TLS 1.0, which contains vulnerabilities that were fixed in later versions. In fact, TLS 1.0 use will no longer be compliant with PCI DSS standards on June 30, 2018.

This visibility comes from data exported from routers and switches, which means there is complete coverage of the network, including branch networks. This level of visibility and compliance verification is unparalleled in the market.
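To make such a compliance query concrete, here is an added example (not Cisco's or Stealthwatch's code) that reads the negotiated version and cipher suite from the cleartext handshake metadata of a TLS ServerHello and scores it against the PCI DSS TLS 1.0 cutoff cited above; the weak-suite list and the sample ServerHello bytes are constructed for illustration.

```python
import struct
from datetime import date

# PCI DSS cutoff quoted in the post: TLS 1.0 is no longer compliant from this date.
PCI_TLS10_CUTOFF = date(2018, 6, 30)
TLS_VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Cipher suites this constructed policy treats as weak (illustrative, not Cisco's list).
WEAK_CIPHER_SUITES = {0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}

def parse_server_hello(record: bytes) -> dict:
    """Read the negotiated version and cipher suite from a TLS ServerHello record.
    Only cleartext handshake metadata is inspected, so no decryption is needed."""
    if len(record) < 5 or record[0] != 0x16:        # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:            # handshake type 2 = ServerHello
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35:                                # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 35 + hs[34]                               # skip the variable-length session id
    if len(hs) < pos + 3:                           # cipher_suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    return {"version": version, "cipher_suite": cipher_suite}

def check_policy(hello: dict, seen: date) -> list:
    """Return policy findings for one flow; an empty list means compliant."""
    findings = []
    version, suite = hello["version"], hello["cipher_suite"]
    if version <= 0x0301:
        status = "non-compliant" if seen >= PCI_TLS10_CUTOFF else "deprecated"
        findings.append(f"{TLS_VERSION_NAMES.get(version, hex(version))} is {status} under PCI DSS")
    if suite in WEAK_CIPHER_SUITES:
        findings.append(f"weak cipher suite {WEAK_CIPHER_SUITES[suite]}")
    return findings

def build_server_hello(version: int, cipher_suite: int) -> bytes:
    """Constructed sample ServerHello (empty session id, no extensions) for testing."""
    hs = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(body)) + body

# Constructed sample flows: a legacy TLS 1.0 server and a modern TLS 1.2 server.
LEGACY_FLOW = build_server_hello(0x0301, 0x002F)
MODERN_FLOW = build_server_hello(0x0303, 0xC02F)
```

Running `check_policy(parse_server_hello(LEGACY_FLOW), date(2018, 7, 1))` yields two findings (TLS 1.0 and a weak suite), while the TLS 1.2 flow yields none.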

Learn more

The Miercom Performance Verified certification proves that Cisco Encrypted Traffic Analytics is an innovative and effective solution for detecting encrypted threats. It confirms that threats are detected faster and more accurately with Encrypted Traffic Analytics.

To read the full Miercom report, click here. To learn more about Cisco Encrypted Traffic Analytics, visit http://cisco.com/go/eta. You can also get a demo of the solution at the upcoming RSA Conference.



Authors

TK Keanini

CTO

Security Business Group