5 Things To Know About Cisco's Encrypted Traffic Analytics System
Partners can leverage ETA to help customers understand 'how they can have more efficient security' and will be able to build out a larger practice with larger deal sizes, says Cisco executive Prashanth Shenoy.
Cisco Systems has made available a new feature and cloud service that the company said can detect malware in encrypted traffic across the company's entire portfolio.
Dubbed Encrypted Traffic Analytics, or ETA, the system uses a combination of data and telemetry to detect threats in encrypted traffic wherever it's coming into the network. To make it happen, the San Jose, Calif., company said it has struck a careful balance between providing security and maintaining privacy.
ETA was introduced last June and became available this week across the Cisco portfolio of routers and switches, including its Catalyst portfolio, which is the cornerstone of the company's ambitious intent-based networking efforts. The only prerequisite is that users sign up for Cisco's StealthWatch security service. From there, the system uses analytics and machine learning to spot suspect traffic.
"It's the industry's only solution that has the capability to find threats in encrypted traffic without need for decryption," said Prashanth Shenoy, Cisco vice president of marketing, enterprise networks, IoT and developer platform. "In two years, 80 percent of traffic will be encrypted. That requires us to look at this in a holistic manner. We need to embed security in every part of the network, classify the traffic in terms of what is normal and what is malicious, and allocate the right personnel to the right threat."
Here are five things to know about the Cisco ETA offering.
ETA works by generating additional telemetry, specific to encrypted data, from routers and switches. The system doesn't decrypt the data, but compares characteristics of that data with known threats. The system then uses statistical analysis to gauge the probability of an anomaly being a real threat. That task is aided by supervised and unsupervised machine learning in the cloud, which allows the system to recognize features of traffic that is very likely to contain encrypted malware. "It turns out there's very noticeable differences, even in the same pattern. It's difficult for bad actors to pretend they're something they're not in that pattern," said Sandeep Agrawal, Cisco StealthWatch analytics manager.
The Partner Play
ETA could be a big new practice area for Cisco partners. A partner with a strong consulting practice can put ETA in front of customers as part of a seamless networking sale, according to Shenoy. Partners can help customers understand "how they can have more efficient security," he added. In the process, they'll build out a larger practice, and deal sizes will increase, Shenoy said. All of the capabilities of ETA are part of a subscription, available to customers running Cisco infrastructure. ETA is free to customers that already have Cisco routers and StealthWatch. Customers that don't have StealthWatch have to buy it in order to get ETA.
One of the biggest benefits, according to the company, is that ETA preserves the privacy of legitimate traffic. It does this by not relying on decryption. Instead, ETA analyzes encrypted traffic by investigating observable features of the data through passive monitoring. Suspicious data is then selectively decrypted or blocked, and Cisco's intent-based networking is used to redirect anything suspicious. The process helps companies, especially large enterprises, with the delicate balancing act they perform between privacy and security. "It's a hard problem to solve in most organizations," Shenoy said. "You lose customer data, privacy and confidentiality when you decrypt. So, you don't decrypt, but neither choice is a good choice. How do you provide security while maintaining privacy? It's a problem that is only going to get more severe."
ETA is also tackling the problem of compliance standards for encrypted traffic. The system identifies encryption quality instantly from every network conversation and provides visibility to guarantee compliance with encryption protocols. The system knows what's being encrypted and what isn't, meaning enterprises can trust their business is being protected. Users can see ETA's cryptographic assessments on StealthWatch, and can send them to third-party tools for monitoring and auditing of encryption compliance.
ETA operates at high speeds, and Cisco says its modern networking architecture and operating system have laid the foundation for those increased speeds. The company's IOS-XE operating system allows it to roll out advanced capabilities like ETA across its entire enterprise portfolio. ETA initially was available only on Cisco's new campus switches, as well as Catalyst 9300 and 9400 series switches, according to Shenoy. Now, however, it has been made available to platforms meant for branch offices, WAN and the cloud, including ISR 4000 Series routers, the new 1000 series routers and ISRv on ENCS 5000 series routers. It also is available on ASR 1000 series routers and CSR 1000V cloud services routers.