With the rise of encrypted traffic, it is becoming extremely resource intensive for organisations to decrypt traffic for security use cases. And with increasing adoption of TLS 1.3 and privacy-oriented TLS mechanisms like certificate pinning (HPKP), decryption using man in the middle (MITM) techniques is becoming impossible. While this is a great step forward, it also means organisations can no longer look into traffic for malware or acceptable use policy (AUP) enforcement. At the same time, malware writers are increasingly using encrypted channels to hide in plain sight.

These dynamics create new challenges for organisations to detect malware and threats while maintaining the privacy of users. While Cisco security devices (firewalls and proxies) still have the ability to decrypt traffic at line rate when MITM techniques allow, Cisco has also developed several mechanisms in core network infrastructure and services to help organisations detect threats and enforce AUP without breaking applications and user privacy. Below is a quick summary of various options.

  1. Encrypted Traffic Analytics (ETA) with Cisco Switches, Routers and Stealthwatch – the ability to use NetFlow to extract contextual data about encrypted traffic (initial data packet, sequence of packet lengths and times) and apply threat intelligence along with machine learning techniques to identify malicious encrypted traffic as well as alert on cryptographic non-compliance.
  2. Security Intelligence Feeds on Cisco Firepower Threat Defense (FTD) Firewalls – the ability to apply threat intelligence feeds (both Cisco & 3rd party) on traffic when possible using MITM techniques to detect malware, command and control channels, phishing, fast flux domains and much more.
  3. DNS based Protection using Cisco Umbrella – the ability to stop threats from being launched by applying threat intelligence at the DNS resolution layer, before most connections are established. Also the ability to intelligently redirect to cloud based proxy when decryption for further investigation (eg. file inspection and sandboxing) is desired (and possible using MITM techniques).
  4. Security on the endpoint using Cisco Anyconnect – the ability to extract flow data (including app and process level details) from the endpoint using the Network Visibility Module, protect roaming users with vpn and/or DNS based protection, and perform file analytics for advanced malware protection (AMP) at the endpoint.
  5. Security of Sanctioned Apps in the Cloud – the ability to apply advanced machine learning algorithms to detect and control anomalous or non-compliant user behaviour, and provide data loss prevention using native APIs (no MITM needed) across sanctioned cloud apps using Cisco CloudLock .
  6. Rapid Threat Containment – the ability to quickly and automatically respond to an incident (encrypted or un-encrypted) both at the network using Cisco Identity Services Engine (ISE) and at the endpoint using Cisco AMP to prevent malicious file propagation and further infection.

At the end of the day, discreet products solving niche problems can only go so far. A holistic approach that brings together multiple security capabilities and controls into a single architecture delivers better outcomes. Protecting users while maintaining their privacy is one such problem that the Cisco Security Architecture can address for our customers.


Jatin Sachdeva

Multi-Domain Security Architect

Global Security Architecture Team (GSAT)