Cisco can now sniff out malware inside encrypted traffic

This is Switchzilla’s kit-plus-cloud plan in action

By Simon Sharwood

Cisco has switched on latent features in its recent campus and office routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic.

Switchzilla has not made a dent in transport layer security (TLS) to make this possible. Instead, as we reported in July 2016, Cisco researchers found that malware leaves recognisable traces even in encrypted traffic. The company announced its intention to productise that research last year and this week exited trials to make the service, now known as Encrypted Traffic Analytics (ETA), available to purchasers of its 4000 Series Integrated Services Routers, the 1000 Series Aggregation Services Router and the Cloud Services Router 1000V. The tech was already turned on in the Catalyst 9000 last year; the new release brings it to more users.

Cisco's devices can’t do the job alone: users need to sign up for Cisco’s StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic.

Some of the techniques used to spot malware's activities aren't super-sophisticated: Cisco inspects the unencrypted handshake packets for connections to known dodgy destinations, and searches for things like self-signed certificates and other signs of either sloppiness or slippery intentions.
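The handshake-level checks described above can be illustrated without breaking any encryption, because the TLS ClientHello (and, before TLS 1.3, the server's certificate) travel in the clear. The following is an added example, not code from the article or from Cisco: it builds a constructed ClientHello record, parses the Server Name Indication (SNI) and offered cipher suites out of it, and then scores the flow against a placeholder destination blocklist and a self-signed-certificate check on certificate metadata supplied as a plain dict. The blocklist entries, the certificate fields and the `assess_flow` scoring are all assumptions made for the demonstration.

```python
import struct

# Constructed blocklist of destinations (placeholder names, not real indicators).
KNOWN_BAD_SNI = {"update-check.example.invalid", "cdn-telemetry.example.invalid"}


def build_client_hello(sni, cipher_suites=(0x1301, 0xC02F)):
    """Build a minimal TLS ClientHello record carrying an SNI extension.

    Exists only to construct sample input for the parser below; a real
    sensor would read the record straight off the wire or from a capture."""
    name = sni.encode()
    server_name_entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
    server_name_list = struct.pack("!H", len(server_name_entry)) + server_name_entry
    sni_ext = struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (
        b"\x03\x03"                                   # client_version (TLS 1.2)
        + b"\x11" * 32                                # client random (fixed, constructed)
        + b"\x00"                                     # session_id length: 0
        + struct.pack("!H", len(suites)) + suites     # cipher_suites
        + b"\x01\x00"                                 # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract SNI and offered cipher suites from a raw TLS ClientHello record.

    Returns {'sni': str or None, 'cipher_suites': [int, ...]}.  Nothing here
    requires the session keys: every field read is sent unencrypted."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + hs_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                        # handshake header, client_version, random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = hs[pos]
    pos += 1 + comp_len
    sni = None
    if pos + 2 <= len(hs):                  # extensions block is optional
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            # server_name extension: list length (2), name type (1), name length (2), name
            if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0x00:
                nlen = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + nlen].decode("ascii", "replace")
    return {"sni": sni, "cipher_suites": suites}


def assess_flow(record, cert_meta):
    """Return a list of findings for one TLS flow.

    cert_meta is an assumed dict with 'subject' and 'issuer' strings; in a
    deployment these would be lifted from the server's Certificate message
    or from exported flow metadata.  A certificate whose issuer equals its
    subject is self-signed, one of the signals the article mentions."""
    hello = parse_client_hello(record)
    findings = []
    if hello["sni"] is None:
        findings.append("no SNI in ClientHello")
    elif hello["sni"] in KNOWN_BAD_SNI:
        findings.append(f"SNI {hello['sni']} on blocklist")
    if cert_meta and cert_meta.get("subject") == cert_meta.get("issuer"):
        findings.append("server certificate is self-signed")
    return findings


if __name__ == "__main__":
    # Constructed flows: one benign, one hitting both checks.
    benign = build_client_hello("www.example.com")
    print(assess_flow(benign, {"subject": "CN=www.example.com", "issuer": "CN=Some CA"}))
    suspect = build_client_hello("update-check.example.invalid")
    print(assess_flow(suspect, {"subject": "CN=srv", "issuer": "CN=srv"}))
```

The parser deliberately stops at the fields that are visible to a passive observer; the findings it emits are the kind of cheap, pre-decryption signals a router can export as metadata, leaving the heavier classification to a back-end service.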

The cloud service does the heavier lifting, with over 400 “classifiers” hunting for signs of malware at work.

To make the magic happen, Cisco users have to send metadata (parsed NetFlow data) to Switchzilla's cloud. By doing so, they'll get the ETA service and help it to improve by feeding it more data for its algorithms to consume and learn from.

The new tool has applications beyond defence, as it can also detect the encryption applied to traffic. That’s a useful function for organisations that must encrypt traffic to stay on the right side of industry or government regulations. Cisco has therefore geared up to sell ETA as a compliance tool as well as a malware-spotter.

ETA is already present in IOS XE 16.6 and Cisco says 50,000 of its customers have hardware capable of accessing the service today. They'll just need to turn it on and start sending telemetry to Cisco's cloud.

The company has also considered taking the tech beyond its hardware: Cisco suits are already contemplating ETA as a service and ETA on fabrics. ®
