How Cisco Uses Machine Learning for Encrypted Traffic Analytics

Cisco makes its Encrypted Traffic Analytics offering generally available in an effort to respect privacy, while still helping organizations stay secure.

Cisco ETA

Encrypted traffic doesn't always mean secure traffic, but how can an organization understand what's going on with encrypted traffic without decrypting the data? That's the goal of Cisco's Encrypted Traffic Analytics offering, which became generally available on Jan. 10.

Cisco announced ETA as a preview technology in June 2017 as part of the company's wider intent-based networking initiative. ETA was initially only available for early field trials on a limited set of Cisco campus switches. Cisco is now making it generally available for all of its customers across multiple switch and routing platforms, including the Catalyst 9300 and 9400, ISR 4000 and 5000, and ASR 1000, as well as the Cloud Services Router 1000V.

"We're now making a new type of threat telemetry available to a big community of users," TK Keanini, principal engineer and product line CTO for analytics at Cisco, told eWEEK

Keanini explained that among the capabilities that ETA provides is the ability to detect malware hidden in encrypted traffic without the need to first decrypt the data traffic. In addition to being able to detect risks, ETA can also help to enable cryptographic compliance, he added.

"Customers will be able to understand how much of their digital business is in the clear and how much is encrypted," Keanini said. 

Using encryption alone, however, is not enough for cryptographic compliance. There are multiple well-documented security issues with older encryption protocols, such as Secure Sockets Layer (SSL) version 3. To that end, Cisco ETA also provides information on what version of encryption protocols is being used, as well as cryptographic ciphers.

How It Works

Encrypted data, using SSL/TLS is just that—it's encrypted, meaning that it can't be read without being decrypted. Cisco ETA works to understand the risk of an encrypted data stream without violating the encrypted trust boundary by using an innovative machine learning-based approach to finds threats.

Cisco ETA starts by inspecting the initial data packet (IDP) in an encrypted data stream, which is actually unencrypted, Keanini said. "We get the first data packet of every session and we get it in its entirety," he said. "The first packet includes all of the negotiation parameters for the actual application session, and it's all sent in the clear."

IDP provides a "gold mine" of metadata, according to Keanini. On top of the information that comes from the IDP, Cisco uses a technique called Sequence of Packet Lengths and Times (SPLT) to gain further visibility.

"All of this data when fed into machine learning can be used to classify connections with really high fidelity," he said.

The machine learning classification is linked with Cisco's Global Risk Map, which can provide further correlation into potential threats and what might be going on with a given encrypted connection. Looking forward, Keanini said Cisco will continue to develop the ETA technology to provide more machine learning insights from encrypted traffic.

"There is a lot that we'll be exploring in the future," he said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.