Cisco ETA solves one of the biggest cybersecurity problems

Cisco Encrypted Traffic Analysis (ETA), now generally available, addresses one of the biggest pain points in the cybersecurity industry — finding malware in encrypted traffic.


Last summer, Cisco announced a product called Encrypted Traffic Analysis (ETA), which solves one of the biggest cybersecurity problems — finding malware in encrypted traffic.

The use of encrypted traffic continues to grow. In fact, it’s over half of all traffic today and will be well over 80 percent by 2020. The benefit of encrypting traffic is that the bad guys can’t access the data, so it’s protected. The downside of it is that security tools can’t inspect it for malware, making it the perfect place for a threat actor to hide any kind of malicious traffic.

The only way to “see” inside encrypted traffic is to decrypt it before it's sent to the security tool. This is a very CPU-intensive process and typically requires standalone appliances or a network packet broker. These solutions work, but they are very expensive and have the obvious downside of having to decrypt the traffic, which does expose it to threats. A 2016 Ponemon report cited that only 38 percent of companies decrypt traffic, meaning the majority of businesses are susceptible to threats in encrypted traffic.

Cisco’s ETA uses a combination of telemetry information generated by Cisco network infrastructure and machine learning algorithms to look for the differences between good and possibly infected traffic. One of the dirty little secrets of the security industry is that most malware is only a slight deviation from existing malware. The right machine learning algorithms with the right data can identify the encrypted traffic that might contain malware. That traffic can then be sent to advanced security tools, such as Cisco Stealthwatch, for further investigation and cleansing.

The data that ETA uses is a combination of information made available from Cisco infrastructure, including NetFlow. It’s important to note that Cisco ETA looks at every flow, whereas many third-party tools that leverage NetFlow sample it. That means they grab only a subset of the flow data, which can cause tools to miss things. With network management tools, this can be annoying. With security, this can be the difference between catching malware and being breached.
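To show why sampling matters for security, here is an added example (not Cisco code and not from the article) that simulates deterministic 1-in-N packet sampling over a constructed packet stream; the flow names, packet counts and the "beacon" label are constructed, and real NetFlow sampling is usually random rather than systematic.

```python
"""Simulate how sampled NetFlow loses short flows that full-flow export keeps.

Constructed example: a few long bulk transfers mixed with many short
"beacon" flows, the kind of small, periodic connection that often carries
command-and-control traffic. Sampling 1-in-N packets tends to record only
the long flows, so the short ones never appear in the exported records.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    key: str      # stand-in for the 5-tuple that identifies the flow
    packets: int  # number of packets the flow carries
    label: str    # constructed ground truth: "benign" or "beacon"


# Constructed traffic mix: 3 bulk transfers and 20 three-packet beacons.
FLOWS = [Flow(f"bulk-{i}", 2000, "benign") for i in range(3)] + \
        [Flow(f"beacon-{i}", 3, "beacon") for i in range(20)]


def build_packet_stream(flows):
    """Interleave the flows' packets round-robin, as a switch sees them mixed."""
    stream = []
    remaining = {f.key: f.packets for f in flows}
    while any(remaining.values()):
        for f in flows:
            if remaining[f.key] > 0:
                stream.append(f.key)
                remaining[f.key] -= 1
    return stream


def flows_seen(stream, sample_rate):
    """Flow keys that appear in export records when 1-in-sample_rate packets are kept.

    sample_rate=1 models unsampled (every-flow) export; larger values model
    systematic packet sampling (a simplification of real random sampling).
    """
    return {key for i, key in enumerate(stream) if i % sample_rate == 0}


def missed_flows(flows, sample_rate):
    """Flows that never produce an export record at the given sampling rate."""
    seen = flows_seen(build_packet_stream(flows), sample_rate)
    return sorted(f.key for f in flows if f.key not in seen)


if __name__ == "__main__":
    print("missed at 1:1  :", missed_flows(FLOWS, 1))
    print("missed at 1:100:", missed_flows(FLOWS, 100))
```

At 1-in-100 sampling every beacon flow disappears from the export while all three bulk transfers are still recorded, which is exactly the blind spot that collecting every flow avoids.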

Cisco extends use of ETA

Initially, ETA was available only on the new Cisco Catalyst 9000 campus switches, which were part of the Network Intuitive launch, meaning only traffic in the campus can be inspected. This is obviously important, but there’s more to a business network than the campus. Cisco has extended ETA to the branch platforms that run IOS XE, including the following platforms:

  • Integrated Services Router (ISR) 4000 Series, new 1000 Series and ISRv on ENCS 5000
  • Aggregation Services Router (ASR) 100 Series
  • Cloud Services Router (CSR) 100V

This extends ETA across the WAN, out to the branch and into the cloud for complete protection across the network. While the data center wasn’t specifically called out, an enterprise could put one or more of the platforms that support ETA into the data center to look at traffic there. I suspect Cisco will eventually make ETA a standard part of every product, including the Nexus family of switches.


Encrypted Traffic Analysis (ETA) finds malware in encrypted traffic

The low-hanging fruit for ETA is obviously finding malware, but Cisco has added another feature that lets businesses meet cryptographic compliance standards. Many industries now have strict guidelines around encrypted traffic that need to be met, throwing another monkey wrench into the compliance efforts of many companies. Since ETA sees all encrypted traffic, it can assess the quality of the encryption and provide visibility into whether the organization is meeting the mandates. The cryptographic assessment can be viewed in Stealthwatch or exported to a third-party tool via APIs.

Cisco also announced that the product is coming out of the early field trial phase and is now generally available to all of its customers. The Catalyst 9000 series was a new product line, so ETA was available to only a handful of customers. The addition of the other IOS XE platforms creates a significantly larger install base. Cisco estimates the number of customers running one of the above products to be about 50,000.

The amount of encrypted traffic certainly isn’t going down any time soon, making the security team’s job increasingly difficult. Cisco’s ETA can bring some badly needed help to overworked security teams, as it solves one of the biggest problems in cybersecurity today.
