
Security owns a complex relationship with privacy, one that can work to protect privacy or undermine it. It is often a compromise, one for the other. Enterprises and other organizations regularly balance this relationship when protecting information systems.

I am excited about Cisco’s launch of Encrypted Traffic Analytics (ETA), which offers a better balance point between privacy and security for some important use cases.

ETA uses enhanced network visibility to detect encrypted malware traffic on enterprise networks. Its principal benefit is preserving the privacy of legitimate traffic by not relying on the process of decryption. It instead analyzes encrypted traffic by deeply investigating important data features that are observable through passive monitoring.

In the blink of an eye, faster than the human mind can comprehend, ETA uses an extensive understanding of the TLS/SSL protocol to fingerprint TLS client libraries, scrutinize certificates, analyze the lengths and arrival times of encrypted messages, and then combine this analysis with knowledge of known-bad and suspicious Internet servers.
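As an added illustration (not Cisco's code and not ETA's implementation), the Python below shows the kind of data features the paragraph describes: it parses a constructed TLS ClientHello to extract the offered version, cipher suites and extension types that identify a client library, and it turns a constructed per-flow packet list into the sequence of record lengths and inter-arrival times. All sample bytes and timestamps are constructed; the fingerprint string format is an assumption for the example.

```python
import hashlib
import struct

def build_client_hello(cipher_suites, extensions):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"          # version, random, empty session id
    cs = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"  # suites, null compression
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (version, cipher_suites, extension_types) read passively from a record."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                   # record (5) + handshake (4) headers
    version = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    p += 32                                 # client random: random, so never fingerprinted
    p += 1 + rec[p]                         # session_id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p]                         # compression methods
    exts = []
    if p < len(rec):
        n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
        end = p + n
        while p < end:                      # only extension *types* go into the fingerprint
            t, ln = struct.unpack("!HH", rec[p:p + 4]); p += 4 + ln
            exts.append(t)
    return version, suites, exts

def client_fingerprint(rec):
    """Offered version, suites and extension order identify the TLS library, not the user."""
    version, suites, exts = parse_client_hello(rec)
    text = f"{version},{'-'.join(map(str, suites))},{'-'.join(map(str, exts))}"
    return text, hashlib.sha256(text.encode()).hexdigest()[:16]

def length_time_features(packets):
    """Signed record lengths (+out/-in) and inter-arrival gaps in ms for (t_s, len, dir) tuples."""
    lens = [ln if d == "out" else -ln for _, ln, d in packets]
    gaps = [round((packets[i][0] - packets[i - 1][0]) * 1000) for i in range(1, len(packets))]
    return lens, gaps

if __name__ == "__main__":
    hello = build_client_hello([0xc02f, 0x009c], [(10, b"\x00\x02\x00\x17"), (13, b"")])
    print(client_fingerprint(hello))      # ('771,49199-156,10-13', '<hash>')
    flow = [(0.000, 517, "out"), (0.045, 1460, "in"), (0.046, 1460, "in"), (0.090, 126, "out")]
    print(length_time_features(flow))     # ([517, -1460, -1460, 126], [45, 1, 44])
```

Nothing here is decrypted; every field used is visible in cleartext on the wire, which is the point the post makes about preserving privacy while still gaining visibility.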

It’s an exciting new capability for Cisco’s threat analytics service.

By now you have probably heard of the underlying issue: network traffic is increasingly encrypted, using protocols such as HTTPS. This is great news for application security, because TLS encrypts and authenticates application data, preventing eavesdropping and tampering. TLS also makes cryptographically strong authentication of the client and server possible.

Applications that use HTTP (without the ‘S’) must trust all of the devices on the network path between the client and the server, while applications using HTTPS need only trust the client and server (and the issuing certificate authority). These important security benefits are driving the growing use of HTTPS. In the past year, the amount of traffic using TLS has grown significantly. Most estimates expect between 50 and 70 percent of all traffic will be encrypted by the end of this year.

Unfortunately, malware can also take advantage of those security benefits, and use HTTPS as a way to hide from network monitoring. Malware’s use of HTTPS is increasing along with that of benign applications. Malware uses the network to spread itself, to exfiltrate stolen data, to ransom encrypted data, and to receive commands from its operators. Each time that malware uses the network, it provides enterprise security operations teams a chance to detect it and block it.

Traditional HTTP monitoring methods also have shortcomings when it comes to encrypted traffic. Web security gateways, for instance, cannot be applied to HTTPS. One way around that is to have the inspection point decrypt HTTPS sessions. A web security gateway or Intrusion Protection System (IPS) can act as a trusted Man-In-The-Middle (MITM), which terminates, inspects, and then re-originates the SSL/TLS session.

While the trusted MITM approach is suitable for some scenarios, and is used by many enterprises, in other cases it can be problematic. If the application traffic contains personal data, for instance, it is exposed to the MITM. This conflict with privacy makes it a non-starter in some regulatory environments. A web security gateway can be configured so that MITM decryption is not applied to selected traffic, as a way to avoid exposing sensitive application data. This is good, but in many cases the whitelist is large, dynamic, and constantly growing.

Besides the privacy considerations, an HTTPS MITM can be difficult to deploy and manage, as it requires HTTPS applications or endpoints to be provisioned with a root certificate. It can be costly, because the MITM must perform as much cryptographic processing as the endpoints themselves. Also, some applications and endpoints cannot be configured to work with a MITM, causing them to fail outright or increasing support tickets from users met with a confusing “click-to-continue” prompt.

By design, ETA does threat detection on enterprise networks, and it is emphatically not about tracking the activity of human users. Previous academic research has shown that the passive analysis of encrypted traffic can reveal information about human activity, such as what Netflix movie a person is watching, or some spoken phrases inside of encrypted Voice over IP sessions. ETA also performs passive analysis of encrypted traffic, but with the totally different goal of detecting and understanding malware, using classifiers trained on the vast Cisco network and the ever-growing ThreatGRID library of malware.

Everything touches the network, which is what makes network visibility so powerful. And this is what makes the application of ETA to the network such a powerful security additive. End host monitoring agents have deep visibility on the devices where they are installed, while the network has much broader visibility, covering devices for which no host monitoring is available.

This product is a huge advancement in Cisco’s goal to use the network to apply security everywhere. And I’m excited to work with Cisco’s product teams on new ways to use the network to detect and stop malware.

For more information on how ETA works and its results on live data tests, see Blake Anderson’s blog post here.



Authors

David McGrew

Cisco Fellow

Security