Review: How Barac ETV analyzes encrypted data streams

Barac’s Encrypted Traffic Visibility Platform can halt encrypted attacks — without breaking the encryption. In our tests, the results seemed mostly instantaneous.


Encryption is one of the best ways that organizations can protect their data from thieves. If critical information is stored or transported in an encrypted format, it has some measure of protection even if it gets compromised or stolen. For example, even a huge database of credit cards is of little use to an attacker if the whole thing is encrypted with a strong cipher and the key was not stolen along with it.

But attackers use encryption to their advantage too, mainly by carrying their traffic inside encrypted channels such as TLS sessions. If the payload of an attack is encrypted, signature-based network defenses cannot see it, and there is a much better chance of it slipping past them.

Some cybersecurity platforms today can inspect encrypted traffic, most commonly by terminating the TLS session at an inline proxy and decrypting it for scanning before re-encrypting and sending it on its way, or by passively decrypting captured traffic with a copy of the server's private key. While this kind of process works, it can be cumbersome and use a lot of computing resources and/or bandwidth, depending on the application. And parts of it are about to stop working. The Transport Layer Security (TLS) 1.3 standard has been finalized and is starting to see deployments. TLS 1.3 drops the static RSA key exchange, so every session uses ephemeral keys with forward secrecy and passive decryption with a server's private key is no longer possible; it also encrypts most of the handshake, including the server certificate, so less can be learned by watching the exchange. As such, inspecting TLS 1.3 traffic will require fully terminating and decrypting the session inline at most organizations. And doing that gives malicious code a chance to perform its nefarious mission on the inspecting device itself.

That situation is why Barac created the Encrypted Traffic Visibility (ETV) Platform. It is designed to analyze encrypted data streams and determine whether or not they are malicious, without decrypting them or doing any kind of inline interception that TLS 1.3 would make costly or impossible.

Getting started

The platform is installed in two main pieces. The first is the brains of the program that analyzes all the information about traffic and puts it into a graphical interface. The core of the ETV platform can also take automatic actions like blocking malicious data streams or sharing threat data with a security information and event manager (SIEM). It can exist as an appliance within a network or be accessed through the web in a software as a service model.

The second part of the platform is the collectors. For the most part, collectors are also appliances, though they can be virtualized. They sit at all the gateways to a network so that they can monitor both inbound and outbound traffic, as the ETV platform works in both directions. No APIs, agents or secondary apps are needed.

Pricing for the program is based on a subscription model that counts the number of endpoints being protected. That way, organizations are not penalized for having a lot of encrypted traffic.

Testing ETV

How the platform works is that when a traffic stream begins, the ETV collector sends the metadata for that traffic, and only the metadata, over to the main part of the platform for analysis. The IP and TCP headers are what the switches and routers along the way use to route traffic, so they are always in the clear, and the opening of a TLS handshake (the ClientHello and ServerHello) is sent unencrypted so the two sides can agree on keys in the first place. Reading that metadata passively does not alter the exchange, so TLS 1.3 neither prevents nor detects it.

[Screenshot: ETV Platform dashboard]

The graphical interface for the Encrypted Traffic Visibility Platform makes it easy to analyze encrypted attacks, or to get a handle on any encrypted traffic.

Right from the start, logging into the ETV console shows information about all the active and historical streams on a network. This includes a lot of useful facts about that data, like which protocol version and cipher suite each stream negotiated. You can even set the console to block streams that use protocol versions or cipher suites your policy considers too weak, which is a nice touch even before employing the platform's key cybersecurity benefits.

Whenever a new encrypted stream comes into a network protected by the ETV platform, the metadata is automatically analyzed to determine the intent of the traffic. This includes looking at things related to the encryption, like the relevant certificates, the server key exchange, the server hello process, any ChangeCipherSpec message and other factors. It also examines things like the IP header, the length of the packets and any included padding. One caveat worth knowing: the certificate and ServerKeyExchange are only visible in the clear for TLS 1.2 and older. In TLS 1.3 the certificate is encrypted and ServerKeyExchange no longer exists, so for those sessions the handshake features available to any passive observer are the ClientHello and ServerHello fields (server name, offered and selected cipher suites, key-share groups and extensions) plus the packet-level characteristics.
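To make concrete what a passive collector can read from an encrypted stream without any decryption, here is an added example (not Barac's code, and not a description of how ETV works internally) that parses a TLS ClientHello record, pulls out the cleartext metadata that survives in TLS 1.3, applies a simple weak-crypto policy of the kind the console can enforce, and computes a JA3-style fingerprint over the offered parameters. The ClientHello bytes are constructed inside the block, not captured from any real client; the policy thresholds and the simplified fingerprint recipe (it omits the elliptic-curve and point-format fields that real JA3 includes) are assumptions for illustration.

```python
import hashlib
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SNI = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
TLS12 = 0x0303

# Suites a simple policy would refuse: no encryption, RC4, 3DES, or RSA key
# exchange without forward secrecy. IDs are from the IANA TLS registry.
WEAK_SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def _ext(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni, cipher_suites, versions, legacy_version=TLS12):
    """Assemble a TLS record carrying a ClientHello. Constructed test input only."""
    host = sni.encode("ascii")
    sni_body = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    exts = _ext(EXT_SNI, sni_body)
    if versions:  # a TLS 1.3-capable client advertises supported_versions
        ver_body = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
        exts += _ext(EXT_SUPPORTED_VERSIONS, ver_body)
    body = (
        struct.pack("!H", legacy_version) + bytes(32)       # legacy_version, random
        + b"\x00"                                            # empty session_id
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", c) for c in cipher_suites)
        + b"\x01\x00"                                        # compression: null only
        + struct.pack("!H", len(exts)) + exts
    )
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def parse_client_hello(record):
    """Extract the cleartext metadata from a ClientHello; nothing is decrypted."""
    ctype, _rver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    info = {"legacy_version": struct.unpack("!H", body[:2])[0],
            "sni": None, "supported_versions": [], "extensions": []}
    pos = 2 + 32                                  # skip legacy_version and random
    pos += 1 + body[pos]                          # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            et, el = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + el]
            pos += 4 + el
            info["extensions"].append(et)
            if et == EXT_SNI:                     # list length(2), type(1), name length(2), name
                name_len = struct.unpack("!H", data[3:5])[0]
                info["sni"] = data[5:5 + name_len].decode("ascii", "replace")
            elif et == EXT_SUPPORTED_VERSIONS:    # length(1), then 2-byte versions
                info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return info


def fingerprint(info):
    """JA3-style hash over version, ciphers and extension types (simplified, not exact JA3)."""
    s = "%d,%s,%s" % (info["legacy_version"],
                      "-".join(str(c) for c in info["cipher_suites"]),
                      "-".join(str(e) for e in info["extensions"]))
    return hashlib.md5(s.encode()).hexdigest()


def assess(info):
    """Assumed policy: block clients that cannot reach TLS 1.2 or offer only weak suites."""
    max_version = max(info["supported_versions"] or [info["legacy_version"]])
    weak = [WEAK_SUITES[c] for c in info["cipher_suites"] if c in WEAK_SUITES]
    if max_version < TLS12:
        action = "block"
    elif len(weak) == len(info["cipher_suites"]):
        action = "block"
    elif weak:
        action = "flag"
    else:
        action = "allow"
    return {"action": action, "max_version": max_version, "weak_suites": weak,
            "sni": info["sni"], "fingerprint": fingerprint(info)}


if __name__ == "__main__":
    rec = build_client_hello("example.com", [0x1301, 0xC02B, 0x002F], [0x0304, TLS12])
    print(assess(parse_client_hello(rec)))
```

The parser reads only the first record of the stream, which is exactly what a passive collector sees before the handshake goes encrypted; the server name and the fingerprint are the two fields a known-bad lookup would key on, and the policy result is what a "too weak, block it" rule consumes.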

[Screenshot: ETV Platform alert]

The ETV Platform is able to detect encrypted attacks either by their behavior, like this one which is trying to set up data exfiltration, or by matching the metadata against known attacks and threat actors.

At that point, the platform uses two main methods to identify malicious activity. First, there is a machine learning engine that is kept up to date on the methods and techniques used by attackers. This flags known attacks by their metadata patterns and works regardless of the cipher or key strength, since it never needs the plaintext. Second, there is a behavior analysis engine that looks at what the stream is doing over time rather than what any one packet contains. It was surprising how accurate the ETV platform was in detecting an attack by simply examining metadata such as packet sizes, message sequence and traffic volume and direction, and then applying the behavioral analysis.
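The behavioral side of that analysis works on flow metadata alone. As an added example (not Barac's engine, and not a claim about which features ETV uses), the following block computes two such behavioral signals over constructed flow records: an outbound-dominant transfer that looks like exfiltration, and a beacon that reconnects to the same destination at suspiciously regular intervals. Every record and every threshold here is an assumption made for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed thresholds; real deployments would tune these per network.
EXFIL_MIN_BYTES_OUT = 50_000_000     # 50 MB leaving the network in one stream
EXFIL_MIN_RATIO = 20.0               # bytes_out at least 20x bytes_in
BEACON_MIN_CONNS = 6                 # need a run of connections to judge regularity
BEACON_MAX_CV = 0.10                 # coefficient of variation of inter-connection gaps


def exfil_findings(flows):
    """Flag streams whose byte direction is overwhelmingly outbound and large."""
    findings = []
    for f in flows:
        ratio = f["bytes_out"] / max(f["bytes_in"], 1)
        if f["bytes_out"] >= EXFIL_MIN_BYTES_OUT and ratio >= EXFIL_MIN_RATIO:
            findings.append({"kind": "exfiltration", "src": f["src"], "dst": f["dst"],
                             "sni": f["sni"], "bytes_out": f["bytes_out"], "ratio": round(ratio, 1)})
    return findings


def beacon_findings(flows):
    """Flag (src, dst, sni) tuples whose connection start times are nearly periodic."""
    starts = defaultdict(list)
    for f in flows:
        starts[(f["src"], f["dst"], f["sni"])].append(f["start"])
    findings = []
    for key, ts in starts.items():
        if len(ts) < BEACON_MIN_CONNS:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= BEACON_MAX_CV:
            findings.append({"kind": "beaconing", "src": key[0], "dst": key[1], "sni": key[2],
                             "period_s": round(avg, 1), "cv": round(cv, 3), "connections": len(ts)})
    return findings


def detect(flows):
    """Run both behavioral checks; returns findings sorted by kind for stable output."""
    return sorted(exfil_findings(flows) + beacon_findings(flows), key=lambda x: (x["kind"], x["src"]))


# Constructed flow metadata records (not real captures). Times are seconds from an
# arbitrary epoch; bytes are per-stream totals as a collector would summarize them.
SAMPLE_FLOWS = [
    # ordinary browsing: small request, large download
    {"src": "10.0.0.5", "dst": "203.0.113.10", "sni": "cdn.example", "start": 0, "bytes_out": 2_000, "bytes_in": 1_500_000},
    # suspected exfiltration: 400 MB out, almost nothing back
    {"src": "10.0.0.7", "dst": "198.51.100.20", "sni": "files.example", "start": 30, "bytes_out": 400_000_000, "bytes_in": 20_000},
    # chatty but irregular traffic to one service (should not be flagged)
    *[{"src": "10.0.0.5", "dst": "203.0.113.11", "sni": "api.example", "start": t, "bytes_out": 4_000, "bytes_in": 9_000}
      for t in (5, 310, 322, 1220, 1230, 1900, 4000)],
    # beacon: reconnects roughly every 60 seconds with tiny payloads
    *[{"src": "10.0.0.9", "dst": "192.0.2.44", "sni": "update.example", "start": t, "bytes_out": 900, "bytes_in": 700}
      for t in (0, 60, 121, 180, 241, 300, 360, 419, 480, 540)],
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS):
        print(finding)
```

Neither check needs a byte of plaintext: volume, direction and timing are all that a collector forwarding metadata would have, and they are also the features an attacker has to work hardest to hide, since padding an exfiltration stream down to a normal ratio means sending far less data.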

The ETV platform is fast, too. Because it is only looking at metadata, it can process a new encrypted stream and come up with a determination about its maliciousness in about a millisecond. In a typical deployment, the company says it can process up to 100 million events per second. Our testbed was not nearly large enough to exercise those kinds of numbers, so for this review the results seemed mostly instantaneous.

[Screenshot: ETV Platform stream data]

Every encrypted data stream has its information recorded by the ETV platform, even those that are not considered malicious. And because the platform only looks at metadata, it should sit more comfortably with most privacy or government frameworks and mandates than full decryption would. Note, though, that client IP addresses and server names are still personal data under regimes such as the GDPR, so retention of the stream records still needs its own policy.

No sooner had a malicious stream been initiated than it was detected and stopped. For example, the ETV platform was able to discover and stop encrypted ransomware attacks, DDoS disruptions hiding in encrypted traffic, man-in-the-middle type attacks, SQL injection attacks and data exfiltration attempts during our testing.

There are a variety of automatic actions that the platform can take when an encrypted attack is detected. The program logs it in its own console interface and can also send an alert to any connected SIEM. It can also block the data stream, either for a set period of time or permanently. Shutting down the stream within a couple of milliseconds and blocking it from starting up again was highly effective in halting encrypted attacks before they could gain a network foothold.

[Screenshot: ETV Platform attacks log]

Because the platform groups encrypted attacks by type and time, users can see which assets are most under attack, potentially shifting cybersecurity resources and personnel to give threatened areas more cover.

Though it would of course be advisable to have traditional cybersecurity defenses in place behind the ETV platform, they should not have nearly as much work to do. The ETV platform was extremely accurate and quick to stop encrypted attacks before they could fully or even partially execute. And it worked with any encryption algorithm or cipher strength, since it was only ever concerned with the unencrypted metadata.

Attackers can do a lot of damage in a short amount of time, and wrapping an attack in TLS costs them almost nothing. Given that reality, having a system in place like Barac's Encrypted Traffic Visibility Platform, with its ability to halt attacks in milliseconds without ever breaking the encryption, is a cybersecurity protection whose time has come.

Copyright © 2019 IDG Communications, Inc.