Encrypted Traffic Analytics – detect malware in encrypted traffic

February 1, 2018

Cisco has released Encrypted Traffic Analytics (ETA), a product that detects malware in traffic encrypted with SSL/TLS without decrypting it. Until now this was mostly done with intercepting proxies: servers or devices that terminate the TLS session and replace the original certificate with their own. That approach can add latency to the traffic and intrudes on user privacy.

How does Encrypted Traffic Analytics work?

The solution detects malware using machine learning and statistical modelling. Among the data it collects for this purpose are:

  • statistics exported by the NetFlow protocol,
  • the lengths of the analysed packets,
  • information contained in TLS ClientHello messages.
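The ClientHello is sent in the clear before any key exchange, so its fields can be read without decryption. The following added example (not Cisco's code, nor from the source blog post) parses a constructed TLS ClientHello record and extracts the kind of fields a flow analyser would record: offered protocol version, cipher suite list, extension types and the SNI host name. The sample record is built inline; the helper names are the example's own.

```python
import struct

# Constructed sample: a minimal TLS 1.2 ClientHello record carrying two cipher
# suites and an SNI extension; built here, not captured from real traffic.
def build_sample_client_hello(sni=b"example.com"):
    body = struct.pack(">H", 0x0303) + bytes(32)          # client_version + random
    body += b"\x00"                                       # empty session id
    suites = b"\xc0\x2f\x00\x9c"
    body += struct.pack(">H", len(suites)) + suites       # cipher_suites vector
    body += b"\x01\x00"                                   # compression: null only
    name = struct.pack(">BH", 0, len(sni)) + sni          # host_name entry
    sni_list = struct.pack(">H", len(name)) + name
    ext = struct.pack(">HH", 0, len(sni_list)) + sni_list # extension type 0 = SNI
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def parse_client_hello(record):
    """Return the ClientHello fields a flow analyser would record, or None
    if the record is not a ClientHello or is truncated/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        off = 9                                           # past record + handshake headers
        version = struct.unpack_from(">H", record, off)[0]
        off += 2 + 32                                     # skip version and random
        off += 1 + record[off]                            # skip session id
        cs_len = struct.unpack_from(">H", record, off)[0]
        off += 2
        suites = list(struct.unpack_from(">%dH" % (cs_len // 2), record, off))
        off += cs_len
        off += 1 + record[off]                            # skip compression methods
        ext_len = struct.unpack_from(">H", record, off)[0]
        off += 2
        end, types, sni = off + ext_len, [], None
        while off + 4 <= end:
            etype, elen = struct.unpack_from(">HH", record, off)
            off += 4
            data = record[off:off + elen]
            off += elen
            types.append(etype)
            if etype == 0 and len(data) >= 5:             # server_name: list of host_name entries
                n = struct.unpack_from(">H", data, 3)[0]
                sni = data[5:5 + n].decode("ascii", "replace")
        if off != end:                                    # extension lengths must add up exactly
            return None
        return {"version": version, "cipher_suites": suites,
                "extensions": types, "sni": sni}
    except (IndexError, struct.error):
        return None
```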

Currently, ETA requires the Cisco Stealthwatch application in order to process data and is compatible only with Catalyst 9000 switches and ISR 4000 series routers.

Source: https://blogs.cisco.com/security/detecting-encrypted-malware-traffic-without-decryption


Published by: Piotr Mierzwiński
