The increase in regulatory levels, multiplication and diversification of security risks force organizations to make extensive use of traffic encryption. But more and more hackers use encryption to camouflage their malware attacks and threats. Datanet can help you overcome this deadlock with the new Cisco ETA technology and make your investment in security solutions more profitable.
In 2019, 80% of web-based traffic will be encrypted (according to Gartner). The estimate will be almost surely confirmed, especially under the pressure of adopting the new General Data Protection Regulation (GDPR), which introduces clear requirements for data protection and integrity, encryption being one of the most recommended solutions.
The dark side of encryption
There is also the other side of the coin – the intensive use of this method of securing traffic generates important risks. The same Gartner analysts predicts that, in 2019, more than half of the malware campaigns launched by hackers will use various encryption methods to hide their threats. There is already a lot of evidence in this respect, the most notorious example being the Zeus botnet, which uses SSL cryptographic protocol to update itself after the first phase of infection (via mail). The method used by Zeus has become popular fast and, currently, more and more malware campaigns use SSL for encrypted communication with command and control servers outside of organizations.
Although the “Zeus Recipe” is known, the success rate of this type of campaign remains incredibly high. The phenomenon can be explained, however, if we take into account that there are still quite a few companies that consider encrypted traffic as a guarantee of data confidentiality and compliance with requirements in force. Subsequently, they do not take any measure of inspecting encrypted data streams.
Weak points of traditional methods
Traditional method of analysis, based on the decryption of traffic, are not very “friendly”. Typically, Man-in-the-Middle (MITM) techniques are commonly used, such as Next-Generation Firewall (NGFW), Secure Web Gateway (SWG), or Intrusion Prevention System solutions for intercepting traffic, decrypting, analyzing and re-encrypting it. But this technique has a number of important limitations:
- increases critical data exposure by decryption (even when traffic is re-encrypted immediately, information may be compromised by recovering locally stored data in temporary files);
- decreases network performance (according to NSS Labs, decryption and retrieval of SSL traffic in NGFW, SWG or IPS equipment generates a significant decrease in throughput and increases latency in network transactions);
- calls for additional equipment along with increased traffic volumes.
Under these circumstances, the natural question is: what remains to be done with encrypted traffic? Without it you cannot run your business, but traditional methods are not very effective. Cisco’s response to these highly contemporary challenges is the new Encrypted Traffic Analytics (ETA) security technology, a more efficient and faster solution than traditional methods, which does not alter the integrity of encryption, thus eliminating the risk of compromising legitimate data traffic.
Launched in June last year, ETA is currently combining the capabilities of the new Catalyst 9000 switches and the Cisco 400 ISR router series, with the advanced security and analysis features of the Stealthwatch solution.
In order to detect the potential threats from encrypted traffic, ETA analyzes a number of specific parameters:
- Initial Data Packet (IDP);
- Sequence of Packet Lengths and Times (SPLT);
- distribution of bits at the load level of data packets within the stream;
- parameters of TLS cryptographic protocol.
Using these elements and the telemetry data provided by NetFlow (v9) data streams, Stealthwatch monitors and ensures visibility over all network traffic and Web traffic, thus reducing incident response time.
Stealthwatch uses advanced analysis mechanisms and machine learning technologies to determine behavioral patterns based on which – by adding contextual information (DNS feeds, HTTP headers, etc.) – automatically detects, in real-time, abnormal network events that carry a potential risk. When identifying a data stream with risk potential, ETA automatically redirects it to be blocked or decrypted.
Using these advanced analysis mechanisms, ETA eliminates the need to decrypt all traffic and re-encrypt it. As a result, network performance decreases disappear, along with data exposure risks. Furthermore, ETA also ensures compliance requirements on the encryption side, with Stealthwatch automatically reporting, for example, cases where specific TLS policies are not met.
Six months after launch, Cisco ETA was already used by over 50,000 customers. And, most likely, the adoption pace accelerated in the first half of 2018, with Cisco announcing the availability of ETA technology in new products (ASR 1000 Series, 4000 Series ISRs, 1000 Series Routers, Cloud Services Router 1000V, etc.).
ETA’s market success is ensured by the efficiency that the new technology demonstrates in detecting malware encrypted traffic. In March, Miercom, a company specializing in enterprise solutions testing, released a report assessing Cisco performance on the security area. According to the report, ETA detected:
- 60% of threats in less than 5 minutes;
- 72% in under 15 minutes;
- 98% in less than one hour;
- 100% in maximum 3 hours.
Enhanced protection across the organization
Stealthwatch is not only a component of ETA technology, but a stand-alone solution that generates added value by integrating with other applications, such as the Cisco Identity Services Engine authentication and control system with Cisco Advanced Malware Protection for Endpoints, Cisco Umbrella, etc. (You can find out here what are the savings ensured by integrating Cisco solutions and what are the gains at operational level.)
The listed solutions are designed to be integrated into a unified security architecture, and Datanet Systems can help you quickly cushion and capitalize your investments in Cisco technology, being the main partner of this company in Romania and having the largest team of Cisco certified security professionals locally.
For more information, please contact email@example.com