Cisco can now sniff out malware inside encrypted traffic

This is Switchzilla’s kit-plus-cloud plan in action

By Simon Sharwood, APAC Editor

Posted in Networks, 11th January 2018 08:32 GMT

Cisco has switched on latent features in its recent campus and office routers and switches, plus a cloud service, that together make it possible to detect the fingerprints of malware in encrypted traffic.

Switchzilla has not made a dent in transport layer security (TLS) to make this possible. Instead, as we reported in July 2016, Cisco researchers found that malware leaves recognisable traces even in encrypted traffic. The company announced its intention to productise that research last year and this week exited trials to make the service, now known as Encrypted Traffic Analytics (ETA), available to purchasers of its 4000 Series Integrated Services Routers, the 1000 Series Aggregation Services Router and the 1000V Cloud Services Router. The tech was already turned on in the Catalyst 9000 last year; the new release brings it to more users.

Cisco's devices can’t do the job alone: users need to sign up for Cisco’s StealthWatch service and let traffic from their kit flow to a cloud-based analytics service that inspects traffic and uses self-improving machine learning algorithms to spot dodgy traffic.

Some of the techniques used to spot malware's activities aren't super-sophisticated: Cisco inspects the unencrypted handshake packets of a TLS session for connections to known dodgy destinations, and searches for things like self-signed certificates and other signs of either sloppiness or slippery intentions.

The cloud service does the heavier lifting, with over 400 “classifiers” hunting for signs of malware at work.

To make the magic happen, Cisco users have to send metadata, in the form of parsed NetFlow data, to Switchzilla's cloud. By doing so, they'll get the ETA service and help it to improve by feeding it more data for its algorithms to consume and learn from.

The new tool has applications beyond defence, as it can also detect the encryption applied to traffic. That’s a useful function for organisations that must encrypt traffic to stay on the right side of industry or government regulations. Cisco has therefore geared up to sell ETA as a compliance tool as well as a malware-spotter.
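As an added illustration of the handshake-inspection step described above, and of reading the offered encryption off the wire as in the compliance use case, here is a small Python parser for the unencrypted TLS ClientHello. This is example code written for this page, not Cisco's ETA or Stealthwatch implementation. It extracts the SNI hostname and the offered cipher suites from a TLS record, checks the hostname against a deny list and flags legacy cipher suites. The deny-list entry, the weak-suite list and the sample ClientHello are constructed placeholders, and `build_client_hello`, `parse_client_hello` and `assess` are names chosen for this example.

```python
"""Passive inspection of the unencrypted TLS ClientHello.

Added example, not Cisco code. The ClientHello is built locally so the
parser can run offline; the deny list is a constructed placeholder.
"""
import struct

HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message type: ClientHello
SNI_EXT = 0x0000      # server_name extension

# Constructed placeholders, not real threat intelligence.
DENY_SNI = {"bad.example.invalid"}
# TLS_RSA_WITH_RC4_128_MD5 / TLS_RSA_WITH_RC4_128_SHA (IANA values)
WEAK_SUITES = {0x0004, 0x0005}


def build_client_hello(sni, cipher_suites, version=0x0303):
    """Return a minimal TLS record carrying a ClientHello (sample input)."""
    body = struct.pack("!H", version) + bytes(32)            # version + random
    body += b"\x00"                                            # empty session id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += b"\x01\x00"                                        # one method: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(name_list)) + name_list
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack("!HH", version, len(hs)) + hs


def parse_client_hello(record):
    """Return {version, cipher_suites, sni} from a record, or None."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip random
    pos += 1 + body[pos]                            # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods
    sni = None
    if pos + 2 <= len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == SNI_EXT and len(edata) >= 5:
                # list length (2), name type (1), name length (2), name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "sni": sni}


def assess(record, deny_sni=DENY_SNI):
    """Return a list of findings for one ClientHello record."""
    hello = parse_client_hello(record)
    if hello is None:
        return ["not a ClientHello"]
    findings = []
    if hello["sni"] is None:
        findings.append("no SNI")
    elif hello["sni"] in deny_sni:
        findings.append(f"deny-listed destination {hello['sni']}")
    weak = sorted(set(hello["cipher_suites"]) & WEAK_SUITES)
    if weak:
        findings.append("weak cipher suites offered: "
                        + ", ".join(format(c, "#06x") for c in weak))
    return findings


if __name__ == "__main__":
    sample = build_client_hello("bad.example.invalid", [0xC02F, 0x0004])
    print(parse_client_hello(sample))
    print(assess(sample))
```

Everything the script reads is visible before any application data is encrypted, which is why a router or switch can produce this kind of telemetry without terminating TLS; the SNI and suite list here are the sort of fields that end up in the flow metadata rather than the payload.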

ETA is already present in IOS XE 16.6 and Cisco says 50,000 of its customers have hardware capable of accessing the service today. They'll just need to turn it on and start sending telemetry to Cisco's cloud.

The company has also considered taking the tech beyond its hardware: ETA as a service and ETA on fabrics are already being contemplated by Cisco suits. ®
