Cisco has switched on latent features in its recent campus and office routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic.
Switchzilla has not made a dent in transport layer security (TLS) to make this possible. Instead, as we reported in July 2016, Cisco researchers found that malware leaves recognisable traces even in encrypted traffic. The company announced its intention to productise that research last year and this week exited trials to make the service – now known as Encrypted Traffic Analytics (ETA) - available to purchasers of its 4000 Series Integrated Service Routers, the 1000-series Aggregation Services Router and the model 1000V Cloud Services Router 1000V. The tech was already turned on in the Catalyst 9000 last year: the new release brings it to more users.
Cisco's devices can’t do the job alone: users need to sign up for Cisco’s StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic.
Some of the techniques used to spot malware’s activities aren’t super-sophisticated: Cisco looks at unencrypted handshake packets for known dodgy destinations, searches for things like self-signed certificates and other signs of either sloppiness or slippery intentions.
The cloud service does the heavier lifting, with over 400 “classifiers” hunting for signs of malware at work.
To make the magic happen, Cisco users have to send metadata - parsed NetFlow data - to Switchzilla's cloud. By doing so, they'll get the ETA service and help it to improve by feeding it more data for its algorithms to consume and learn from.
The new tool has applications beyond defence, as it can also detect the encryption applied to traffic. That’s a useful function for organisations that must encrypt traffic to stay on the right side of industry or government regulations. Cisco has therefore geared up to sell ETA as a compliance tool as well as a malware-spotter.
ETA is already present in IOS XE 16.6 and Cisco says 50,000 of its customers have hardware capable of accessing the service today. They'll just need to turn it on and start sending telemetry to Cisco's cloud.
The company’s also contemplated taking the tech beyond its hardware, with ETA as a service and ETA on fabrics already contemplated by Cisco suits. ®