Organizations around the globe are steadily increasing the use of strong encryption to keep their data confidential. Unfortunately, cybercriminals are also using the technology to mask their activities.
At issue is the fact that encryption not only hides data from would-be hackers, but also from common security tools. Gartner analysts predict that nearly three-quarters of malware campaigns in 2019 will use some type of encryption to conceal malware delivery, command-and-control activity or data exfiltration.
Until recently, there were no good options for detecting malicious content in encrypted traffic. Cisco is changing that with its Digital Network Architecture (DNA), a software-driven network solution that uses analytics and machine learning to find threats in encrypted traffic.
Drawbacks of Traditional Approaches
Identifying threats contained within encrypted network traffic poses a unique set of challenges. For years, the common approach has been to decrypt the traffic, analyze it using devices such as next-generation firewalls (NGFWs), and then re-encrypt it. However, that approach isn’t always practical for a variety of reasons.
Privacy is a major consideration. The whole point of encryption is to protect sensitive data — decryption increases the risk that the data will be exposed. The process of decrypting, analysis and re-encryption can also seriously impact network performance. An NSS Labs study found that this overhead caused an 81 percent performance degradation for NGFWs.
Even with decryption, traditional security tools are ineffective at detecting threats in encrypted traffic. According to Cisco, it takes companies between 100 and 200 days, on average, to detect an attack because 80 percent of security systems do not recognize or prevent threats within encrypted traffic. And the problem is only going to get worse — Gartner believes that more than 80 percent of enterprise web traffic will be encrypted by the end of 2019.
Identify, Analyze and Report
Cisco takes a different approach with the security features built into DNA. Cisco Encrypted Traffic Analytics (ETA) combines local analysis engines with a cloud-based platform to analyze encrypted traffic without requiring decryption.
Network traffic has certain characteristics, known as metadata, that can be extracted without decrypting the data packets. Cisco focuses on four elements — the length in bytes of the packets, the elapsed time between the arrival of the packets, the distribution of bytes, and data such as a hostname or URL that might point to a command-and-control server. Application-specific integrated circuits extract the metadata without impacting network performance.
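As an added illustration of the kind of metadata described above (this is not Cisco's code and not how ETA is implemented), the following extracts three of the four elements, packet lengths, inter-arrival times and byte distribution, from a constructed TLS-like flow; hostname/SNI extraction is omitted, and all function names and the sample packets are assumptions made for this example.

```python
import math
from collections import Counter

# Constructed sample flow: (seconds since flow start, direction, payload bytes).
# Direction 'c' = client->server, 's' = server->client. Payloads are made up.
SAMPLE_FLOW = [
    (0.000, 'c', bytes(range(0, 200))),          # ClientHello-sized, varied bytes
    (0.042, 's', bytes(range(0, 256)) * 4),      # ServerHello + certificate chain
    (0.045, 'c', b'\x16\x03\x03' + bytes(90)),   # key exchange, many zero bytes
    (1.500, 'c', b'\x17' * 64),                  # small record after a long pause
    (1.510, 's', b'\x17' * 64),                  # small reply of the same size
]

def splt(flow, max_packets=10):
    """Sequence of Packet Lengths and Times: one (length, inter-arrival ms) pair
    per packet. Length is signed: positive = client->server, negative = server->client."""
    out = []
    prev_t = flow[0][0] if flow else 0.0
    for t, direction, payload in flow[:max_packets]:
        length = len(payload) if direction == 'c' else -len(payload)
        out.append((length, round((t - prev_t) * 1000.0, 1)))
        prev_t = t
    return out

def byte_distribution(flow):
    """Normalized histogram over all 256 byte values across the flow's payloads."""
    counts = Counter()
    total = 0
    for _, _, payload in flow:
        counts.update(payload)
        total += len(payload)
    return [counts[b] / total if total else 0.0 for b in range(256)]

def entropy(dist):
    """Shannon entropy in bits of a byte distribution (8.0 = uniform bytes)."""
    return -sum(p * math.log2(p) for p in dist if p > 0)

def flow_features(flow):
    """Per-flow feature record of the kind a classifier would consume, without decryption."""
    dist = byte_distribution(flow)
    return {
        'splt': splt(flow),
        'entropy': round(entropy(dist), 3),
        'client_bytes': sum(len(p) for _, d, p in flow if d == 'c'),
        'server_bytes': sum(len(p) for _, d, p in flow if d == 's'),
    }
```

The `splt` and `entropy` values are the raw material; on their own they flag nothing, and a model trained on labelled flows is what turns them into a verdict.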
Any traffic that seems suspicious is flagged for additional evaluation by Cisco’s StealthWatch monitoring solution, which applies machine learning and statistical modeling for deeper analysis. Traffic that’s identified as malicious is reported to Cisco’s DNA Center network management software to ensure that it’s blocked throughout the entire network. Additionally, Cisco uses machine learning algorithms to train ETA to search for new vulnerabilities and adapt to changing ones.
The security features within Cisco DNA offer a compelling new approach to identifying encrypted malware without compromising privacy or degrading network performance. As a Cisco Gold Certified Master Security Specialized Partner, Cerium is recognized as having the highest level of expertise with Cisco security solutions. Give us a call to learn more about protecting your organization from attacks hiding in encrypted traffic.