Detecting threats in encrypted traffic
Thought Leadership, Security
Encrypted traffic has nearly doubled year over year, with almost 50 percent of websites using HTTPs in 2016. And Gartner predicts that 80 percent of web traffic will be encrypted by 2019 to keep Internet users safer.
At the same time, 41% of security breaches use encryption to evade detection (Ponemon Institute). And the vast majority of organizations do not rely on a solution being able to detect malicious content in encrypted traffic.
Traditional flow monitoring provides a high-level visibility of network communications. These intraflow metadata can be collected, stored, and analyzed, being especially valuable when traffic is encrypted.
A completely new approach
It is important to monitor encrypted network traffic for threats and malware, but to do so in a way that maintains the integrity of the encryption. As deep-packet-inspection is not applicable in terms of privacy, previous approaches have relied on observable metadata gathered from the flow.
But our Cisco fellows Blake Anderson and David McGrew have completely changed the game by considering a “data omnia” approach. As you can read on this report, they develop supervised machine learning models based on a large set of sandbox malware samples and a unique and diverse set of network flow data features. These include TLS metadata, DNS contextual flows, and HTTP headers from the same source IP address within a 5 minute window.
By correlating these metadata between malicious and benign traffic on millions of flows, they accurately classified malicious network flows. And without the need for bulk decryption. In experiments based on real-world data, the results were outstanding: over 99% accuracy with 0.01% false positives. Just one false positive for every 10,000 TLS connections seen. The data data omnia approach really worked.
The solution: Encrypted Traffic Analytics
Last week Cisco unveiled one of the most significant announcements within Enterprise Networks in the last decade: The Intuitive Network, a new generation of intent-based networking infrastructure. And the new capability is a relevant part of this vision.
Combined with the advanced security analytics of Cisco Stealthwatch, this innovative functionality -Encrypted Traffic Analytics- is available on the new Catalyst 9000 switches and Cisco 4000 Series Integrated Services Routers. With high accuracy. And at a high-speed without slowing the traffic down.
For the first time, the network can identify and mitigate malware communication in encrypted traffic. Just applying new artificial intelligence models to analyze metadata traffic patterns.
Leading the network firewall market
I’m sure you’ll hear a lot more about Encrypted Traffic Analytics in the next few months. In the meantime, I’m also proud to amplify that Cisco Security has been recently awarded as the leader in the network firewall market by Frost & Sullivan.
As Frost & Sullivan comments, Cisco NGFWs provide value in two ways: through superior threat defense that stops more threats and enables consolidation, by replacing multiple point products (firewall, IPS, and malware sandbox). And lowering operational costs by providing simplified management options for multiple customer segments.
We deliver several physical and virtual Cisco Firepower firewalls, ASA 5500-X models, and Cisco Meraki UTMs for diverse use cases and network environments, including SMBs, branch offices, enterprise networks, and data centers. This complete approach has allowed Cisco to lead the NGFW market, capturing nearly 19 percent market share.
Backed by state-of-the-art threat intelligence and machine learning algorithms, only Cisco can turn the network into an end-to-end sensor and enforcer that detects, contains, and prevents emerging, sophisticated security threats while maintaining privacy.