What is the Body Language of Your Encrypted Network Traffic Really Saying?
Imagine this scenario – you walk into a meeting room with a colleague and they are sitting at the table with their arms crossed. You immediately think to yourself, this meeting is not going to go well, this person is already displeased with me and I have not said anything yet. However, you are making an assumption based solely on one aspect of their behavior. Why not consider other factors or possible explanations for their body language: Is the room highly air-conditioned and they are cold? Is it Winter and they just came in from outside? Behavioral body language of people is dependent upon multiple factors to gain visibility into a person’s state of mind.
The rapid rise of encrypted traffic is changing the threat landscape; the increase in digital business has led to a rise in the number of services and applications using encrypted traffic to secure information. As the digital economy continues to grow, so will the rise in encrypted traffic. More specifically, encrypted traffic has increased by more than 90 percent year over year, with more than 40 percent of websites encrypting traffic in 2016 versus 21 percent in 2015. Gartner predicts that by 2019, 80 percent of web traffic will be encrypted.
The challenge with encryption technology is that it is a double-edged sword; it enables greater privacy and security, particularly necessary for mobile, cloud and web applications. However, we are not the only ones interested in encrypted traffic. Threat actors have also increased their use of encryption for their malicious intents. In fact, Gartner believes that half of all malware campaigns in 2019 will use some type of encryption to conceal malware delivery, command and control activity, or data exfiltration.
Threat actors are using encrypted traffic for malware insertion in ways where users can be most vulnerable. A simple internet search by an employee browsing the Internet over HTTPS can lead to a malware infection. This user’s seemingly benign web browsing session can actually initiate a command and control session which can lead to data exfiltration of corporate assets. Traditional methods of solving this problem would be to decrypt the encrypted traffic to detect malware. However, due to the volume of encrypted traffic, decrypting the treat actors’ traffic is not just impractical, it is next to impossible and has never been an option.
This is why Cisco’s innovation in flow monitoring is critical to better understanding the behavior of encrypted traffic, without the requirement to decrypt the encrypted traffic. Cisco’s encrypted traffic analytics is new technology, which uses new types of data elements and telemetry to determine behaviors of encrypted traffic. By looking at observable data like the first data packet, as well as multiple behaviors within the traffic (such as the lengths of time between packets and the messages within a flow of traffic), accurate inferences can be made about the traffic even though it is still encrypted.
Encrypted Traffic Analytics focuses on identifying malware communications in encrypted traffic through passive monitoring, the extraction of relevant data elements, and supervised machine learning with cloud-based global visibility. This technology is something that could only be developed by Cisco since it is a pitch/catch between Cisco’s network as well as its security technology.
There are many benefits of using encrypted traffic analysis, particularly the ability to gain visibility into the behavior of encrypted traffic that may contain threats without the need for decryption. This visibility can be used to inform decisions to quickly contain effected devices and users. Compliance requirements can also be met more easily when armed with the knowledge of what is, and what is not, encrypted on the network. Cisco uniquely can get the network itself to exhibit this rich telemetry so that modern security analytics can be performed, lowering the administrative and operational costs of these high value features.