Cisco Encrypted Traffic Analytics (ETA) now works with the majority of the company’s enterprise routing platforms including its branch office routers. The security technology can detect malware in encrypted traffic without decryption.
The move extends the technology to about 50,000 additional customers, according to Cisco.
ETA is part of Cisco’s intent-based network initiative, called network intuitive, which the company began rolling out last year. When Cisco announced ETA in June 2017, the technology supported only the company’s latest campus switches, the Catalyst 9300 and 9400 series.
As of today, ETA works with Cisco’s Integrated Services Routers (ISR), branch office routers, Aggregation Services Routers (ASR 1k), and Cloud Services Routers (CSR).
This will allow companies to extend threat detection across the entire enterprise, said Cisco’s TK Keanini, principal engineer in the company’s advanced threat group.
“The branch is the big news,” said Keanini. “Branch security is almost an afterthought because it is so expensive — there are so many of them [branch offices]. With ETA, the routers themselves are sending the telemetry up to Stealthwatch and then using cloud analytics to devise some of the outcomes.”
Stealthwatch is Cisco’s cloud-based behavior analytics and network visibility tool.
The ETA technology works like this: First, it examines the initial data packet of the connection. Next, it examines the sequence of packet lengths and times using machine learning to find patterns. And finally, it leverages Talos, Cisco’s threat intelligence.
“All three of these work in concert with each other to make up the hit song Encrypted Traffic Analytics,” Keanini said. “Any threats, when they show up on the network, are going to show up in one of these three buckets.”
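The second step described above, the sequence of packet lengths and times, can be computed from packet metadata alone. The sketch below is an added example, not Cisco's implementation or code from the article: the Markov-transition encoding, the bin widths, the packet cap, and the sample flow are all assumptions made for illustration.

```python
"""Added illustration: flow features built from packet metadata only (no payload bytes)."""

# Assumed parameters, chosen for this example only.
MAX_PKTS = 50                   # look at the first packets of a flow
N_BINS = 10                     # bins per dimension; the last bin catches larger values
LEN_BIN, GAP_BIN = 150, 50      # bin widths: bytes and milliseconds

# Constructed sample flow: (timestamp_ms, direction, payload_bytes),
# direction +1 = client to server, -1 = server to client.
FLOW = [(0, 1, 517), (31, -1, 1460), (32, -1, 1200),
        (45, 1, 126), (46, 1, 90), (250, -1, 300)]

def splt(packets, max_pkts=MAX_PKTS):
    """Sequence of packet lengths (signed by direction) and inter-arrival times."""
    pkts = sorted(packets, key=lambda p: p[0])[:max_pkts]
    lengths = [direction * size for _, direction, size in pkts]
    # Pair each packet with its predecessor; the first packet gets a gap of 0.
    gaps = [b[0] - a[0] for a, b in zip(pkts[:1] + pkts, pkts)]
    return lengths, gaps

def transitions(values, bin_width, n_bins=N_BINS):
    """Row-normalised Markov transition matrix over binned magnitudes."""
    bins = [min(abs(v) // bin_width, n_bins - 1) for v in values]
    counts = [[0] * n_bins for _ in range(n_bins)]
    for cur, nxt in zip(bins, bins[1:]):
        counts[cur][nxt] += 1
    return [[c / sum(row) if sum(row) else 0.0 for c in row] for row in counts]

def feature_vector(packets):
    """Flatten both matrices into one fixed-length vector for a classifier."""
    lengths, gaps = splt(packets)
    rows = transitions(lengths, LEN_BIN) + transitions(gaps, GAP_BIN)
    return [p for row in rows for p in row]

if __name__ == "__main__":
    lengths, gaps = splt(FLOW)
    print("lengths:", lengths)
    print("gaps ms:", gaps)
    vec = feature_vector(FLOW)
    print("features:", len(vec), "non-zero:", sum(1 for p in vec if p))
```

Every flow maps to the same 200-element vector regardless of how many packets it carried, which is what lets a trained model compare flows without seeing any decrypted content.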
One of the benefits of ETA is that it maintains privacy of legitimate traffic because it identifies threats even in encrypted traffic without decrypting it. At the company’s launch event in June, David Goeckeler, senior vice president and general manager of networking and security, said Cisco is the only vendor that can do this. “This is a revolutionary breakthrough,” Goeckeler said.
Additionally, the technology can help companies meet compliance standards around encrypted traffic, Keanini said. It provides visibility into what is — and isn’t — encrypted on the network. This cryptographic assessment is displayed in Stealthwatch and can be exported via APIs to third-party tools for monitoring and auditing of encryption compliance.
It also moves Cisco closer to a fully autonomous network.
“The architecture and the way ETA was implemented speaks volumes to the network intuitive — it is the network itself that is telling you whether it’s secure or not,” Keanini said. “The routers and switches are providing not just networking telemetry, but now security telemetry.”