Yesterday, Cisco rolled out Encrypted Traffic Analytics (ETA), a breakthrough technology that identifies malware in encrypted traffic without the need to intercept and decrypt data streams.
The solution, one of a kind, has been in field trials with selected customers since June last year.
Now Cisco says it will expand ETA support from campus traffic switching products to the company's enterprise routing platforms, such as the office router lines (the ISR and ASR) and virtual cloud services routers (CSR).
ETA uses machine learning to analyze HTTPS traffic
Cisco says the new ETA technology works by employing a multi-layer machine-learning-based system to read encrypted data and spot the tiny differences between benign and malware traffic. The company explains:
Cisco says ETA's main advantage is that it preserves privacy without compromising local security or breaking the numerous compliance protocols many enterprises must adhere to.
Customers need the latest Cisco gear
Because of the way the new ETA technology works, Cisco says only customers with the latest hardware will be able to take advantage of it.
"ETA, which was initially available only on our new family of campus switches, the Catalyst 9300 and 9400 series, has now been extended to routing platforms spanning the branch, WAN and cloud," says Scott Harrell, Senior Vice President and General Manager of Cisco's Enterprise Networking Business.
Product lines such as the ones below will be able to receive ETA support in the form of an additional component for Cisco's IOS XE operating system:
- Integrated Services Router (ISR): 4000 Series, the new 1000 Series, ISRv on ENCS 5000 series
- Aggregation Services Router (ASR) 1000 series
- Cloud Services Router (CSR) 1000V
A report released by PhishLabs last month reveals that one in four phishing sites currently loads via HTTPS. A Gartner report predicted that by 2019, 80% of all Internet traffic will be encrypted and around 50% of new malware campaigns will also switch to using encryption and various obfuscation techniques.
Comments
DavidLMO - 6 years ago
Wow!! Wonder if this technology can be brought down to end users? Obviously, it cannot now.
the_moss_666 - 6 years ago
This can't work for good encryption algorithms. If you can tell a difference between encrypted text and random data, the encryption algorithm is not good enough. If this thing works, it's time to use new and better encryption.
By the way, recognising malware in encrypted text means you can extract some information about its content. So technically, Cisco IS breaking your encryption a little bit.
StevTheDev - 6 years ago
The quote in the report suggests that ETA is making inferences based off data besides the packet contents. Without examining the contents of packets, this sounds a lot like a heuristic-based IDS to me.
Like other heuristic IDS, I'm guessing a newly designed malware would get past this at first. I wonder how quickly ETA can recognize a new threat? Also, how long will a new build of ETA need to learn its environment? Restricting a heuristic system's access to limited data about the packet would make its job extremely difficult, I would think. If it works well and the results aren't filled with false positives and negatives, Cisco must have a really clever solution. (Or they're breaking the encryption as you say)