Cisco Switzerland Technology Blog

Securing encrypted traffic: How we defend what we can’t see

- Thursday, 7 September 2017 13:09 CEST

First thing to know about me is that I spend more time watching TV series than I care to admit. But what can I say? I absolutely love crime series. My heart races when I watch a clever detective breaking an impossible case based on the tiniest bit of evidence or just by noticing a suspicious behaviour that nobody else saw.

Take The Mentalist, for example. The main character, Patrick Jane, can read people so well that he can tell when they are hiding something, even if he doesn’t know what that big secret is. What most people would see as a “lucky guess” actually comes from a sharp intuition, combined with years of experience in interpreting human behaviour.

So it’s very exciting to see Cisco come up with a cybersecurity technology that works just like a mentalist to secure encrypted traffic. We can tell whether attackers are hiding threats in encrypted traffic without decrypting the confidential data it carries. This is a real breakthrough because it helps stop malware without compromising the confidentiality of an otherwise very important type of communication.

Encryption is essential for data privacy and is even a legal requirement in some countries. Not surprisingly, it is growing fast. Half of all online traffic is already encrypted. Gartner predicts that by 2019, 80% of the world’s enterprise web traffic will be encrypted.

On the one hand, encryption helps stop attackers from stealing customer data. On the other hand, attackers can use the same protection to spread threats without getting caught. So if the data is encrypted and therefore private, how can you tell genuine traffic apart from malicious traffic?

Here’s where our trained detectives come in. Cisco has thousands of highly skilled security professionals working day and night to learn how threats evolve and how to deal with them. At Talos alone we have 250 threat researchers constantly looking for the latest threats.

Most security systems cannot identify threats inside TLS (HTTPS) traffic. Until now, the common way to tackle the problem has been to decrypt the traffic on a next-generation firewall, inspect it in the clear and re-encrypt it, which costs time and processing capacity and exposes the plaintext to the inspecting device. Cisco’s new Encrypted Traffic Analytics (ETA) functionality can tell benign and malicious traffic apart in real time, without decrypting anything and without slowing the network down. It does that by analysing patterns in the flows themselves.

Cisco tested millions of unique flows to see how TLS, DNS and HTTP are used differently in genuine and malicious encrypted traffic, and from that derived the specific features that help identify malware. ETA analyses the initial data packet (for a TLS session, that is the ClientHello, which is sent in the clear and reveals the cipher suites and extensions the client offers), the sequence of packet lengths and times, and even the byte distribution across the payloads of the packets within the flow. None of these features require access to the decrypted application data. And with machine learning, each flow that ETA analyses helps improve its detection capabilities over time.
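To make the three feature families concrete, here is an added illustration (written for this post, not Cisco’s ETA code) that extracts them from a constructed TLS flow: it parses the initial data packet as a ClientHello, bins the sequence of packet lengths and inter-arrival times, and computes the entropy of the byte distribution across payloads. The bin sizes, the flow layout (timestamp, direction, payload), the sample flows and the hand-written `suspicion_score` rule are assumptions made for the example; a real deployment feeds these features to a trained classifier rather than to fixed thresholds.

```python
"""Flow-metadata features of the kind ETA looks at, computed without decryption.
Added illustration; not Cisco's ETA implementation.  Flow layout, bin sizes,
sample flows and scoring thresholds are assumptions made for this example."""
import math
import struct
from collections import Counter

# IANA cipher suite ids (real values): two modern suites and three legacy RSA/RC4/3DES suites
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_AES_128_GCM_SHA256 = 0x1301
LEGACY_SUITES = {0x0004, 0x0005, 0x000A}  # RSA_RC4_128_MD5, RSA_RC4_128_SHA, RSA_3DES_EDE_CBC_SHA


def build_client_hello(cipher_suites, sni=None, rnd=b"\x11" * 32):
    """Build a minimal TLS 1.2 ClientHello record (used here to construct sample input)."""
    body = b"\x03\x03" + rnd + b"\x00"  # client_version, random, empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"  # one compression method: null
    exts = b""
    if sni:
        name = sni.encode("ascii")
        sn_list = b"\x00" + struct.pack("!H", len(name)) + name  # host_name type + name
        ext_data = struct.pack("!H", len(sn_list)) + sn_list
        exts += struct.pack("!HH", 0, len(ext_data)) + ext_data  # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 0x16 = handshake


def parse_client_hello(rec):
    """Parse the cleartext fields of a ClientHello: version, offered suites, extensions, SNI."""
    if len(rec) < 5 or rec[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rlen = struct.unpack("!H", rec[3:5])[0]
    hs = rec[5:5 + rlen]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = body[0:2]
    off = 2 + 32  # skip version and random
    off += 1 + body[off]  # session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + body[off]  # compression methods
    ext_types, sni = [], None
    if off + 2 <= len(body):
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            off += 4
            edata = body[off:off + elen]
            off += elen
            ext_types.append(etype)
            if etype == 0:  # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return {"version": version, "cipher_suites": suites, "extensions": ext_types, "sni": sni}


def splt(packets, n_bins=10, max_len=1500, max_gap_ms=1000.0):
    """Sequence of Packet Lengths and Times: (direction, length bin, inter-arrival bin)
    for each packet carrying application data.  Bin edges are assumptions."""
    seq, prev_ts = [], None
    for ts, direction, payload in packets:
        if not payload:
            continue
        gap_ms = 0.0 if prev_ts is None else (ts - prev_ts) * 1000.0
        len_bin = min(len(payload) * n_bins // max_len, n_bins - 1)
        time_bin = min(int(gap_ms * n_bins / max_gap_ms), n_bins - 1)
        seq.append((direction, len_bin, time_bin))
        prev_ts = ts
    return seq


def byte_entropy(payloads):
    """Shannon entropy (bits per byte, 0..8) of the byte distribution over all payloads."""
    counts = Counter(b for p in payloads for b in p)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def flow_features(packets):
    """packets: list of (timestamp_s, 'c' or 's', payload bytes), client->server is 'c'."""
    idp = next((p for _, d, p in packets if d == "c" and p), b"")
    hello = parse_client_hello(idp) if idp[:1] == b"\x16" else None
    return {"client_hello": hello, "splt": splt(packets),
            "byte_entropy": byte_entropy([p for _, _, p in packets])}


def suspicion_score(features):
    """Illustrative stand-in for the trained model: count a few ClientHello indicators.
    The indicators and thresholds are assumptions for this example, not ETA's."""
    hello = features["client_hello"]
    if hello is None:
        return 0
    score = 0
    score += hello["sni"] is None                     # no server name offered
    score += len(hello["cipher_suites"]) < 4           # unusually short suite list
    score += set(hello["cipher_suites"]) <= LEGACY_SUITES  # only legacy suites offered
    return int(score)


# Constructed sample flows (not captured traffic): a browser-like session and a beaconing one.
BENIGN_FLOW = [
    (0.000, "c", build_client_hello([0x1301, 0x1302, 0xC02F, 0xC030, 0xC02B, 0xC02C], "example.com")),
    (0.040, "s", bytes(range(256)) * 5),
    (0.300, "c", b"\x17\x03\x03" + bytes(range(256))[:500]),
]
SUSPICIOUS_FLOW = [
    (0.000, "c", build_client_hello([0x0004, 0x0005], None)),
    (0.050, "s", b"\x17\x03\x03" + b"\x41" * 60),
    (0.950, "c", b"\x17\x03\x03" + b"\x41" * 60),
]


def demo():
    return suspicion_score(flow_features(BENIGN_FLOW)), suspicion_score(flow_features(SUSPICIOUS_FLOW))
```

Everything `flow_features` reads is visible on the wire: the ClientHello is sent before any key is negotiated, and packet sizes and timings are metadata that encryption does not hide. That is also the limit of the approach: it sees a flow’s shape, not its content, so an attacker who mimics the handshake and traffic pattern of a popular client is harder to separate from the crowd.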

It’s like one of those crime series I love to watch. Trained officers can see thousands of people in a crowd and still spot the criminals just by watching their body language. ETA is part of a new era of networking. It’s like the tech version of this “intuition and experience” combo. No sniffer dogs required.
