Cisco boosted its IOS network operating system, integrating technology designed to spot malware activity in encrypted traffic. The company has incorporated the capability in the version of IOS that runs on Catalyst 9000 switches and ASR and ISR routers.
The integration makes it possible for companies using the hardware to subscribe to Cisco's Encrypted Traffic Analytics (ETA), which the vendor made available for testing in June 2017. Cisco ETA is scheduled to be generally available Jan. 10.
The hardware support for Cisco ETA puts "meat on the bones of the initial announcement," said Brad Casemore, an analyst at IDC. Cisco chose the right products for ETA because they are designed for enhanced security capabilities.
How Cisco ETA works
The Cisco ETA technology incorporated in IOS XE makes it possible for the hardware to generate ETA metadata and export it with additional telemetry to the vendor's Stealthwatch Enterprise Edition Flow Collector, Brian Ford, technical marketing engineer in the Cisco security business group, said this week in a blog post. Stealthwatch collects flow records about network events, so they can be analyzed for malware activity.
Stealthwatch sends the ETA metadata and telemetry to Cisco's cloud-based Cognitive Threat Analytics service, which examines the data, formulates risk scores for events and sends them to the customer's Stealthwatch Management Console.
ETA gathers metadata from traffic without decrypting the packet flow. The nondecryption technique, which involves Cisco-developed machine learning, is meant to preserve a company's data privacy, Ford said.
ETA looks for signs of malware in three features of encrypted data, according to Cisco. They include the first data packet from a new network connection, the sequence of packet lengths and times, and the byte distribution across the payloads of the packets.
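As an added illustration, not Cisco's code and not drawn from the article beyond the three feature names, the following Python sketch extracts those three features from a constructed flow; the packet records, the signed-length convention and the entropy summary are my own simplifying assumptions.

```python
"""Constructed illustration of the three ETA flow features named in the
article: initial data packet (IDP), sequence of packet lengths and times
(SPLT), and payload byte distribution. Synthetic data, simplified definitions."""
import math
from collections import Counter

# Constructed flow: (timestamp_ms, direction, payload). The TCP handshake
# carries no payload; the fourth packet mimics a TLS ClientHello record header.
FLOW = [
    (0, "c2s", b""),                             # SYN
    (10, "s2c", b""),                            # SYN/ACK
    (10, "c2s", b""),                            # ACK
    (12, "c2s", b"\x16\x03\x01" + b"A" * 200),   # ClientHello-like record
    (50, "s2c", b"\x16\x03\x03" + b"B" * 1400),  # ServerHello-like record
    (55, "c2s", b"\x17\x03\x03" + b"C" * 40),    # application data
]

def initial_data_packet(flow):
    """Return the first payload-bearing packet. For TLS this is the ClientHello,
    whose record header and offered parameters are readable without decryption."""
    for _, _, payload in flow:
        if payload:
            return payload
    return b""

def splt(flow, n=10):
    """Sequence of (signed length, inter-arrival ms) for the first n payload
    packets; client-to-server lengths are positive, server-to-client negative."""
    seq, prev_ts = [], None
    for ts, direction, payload in flow:
        if not payload:
            continue
        gap = 0 if prev_ts is None else ts - prev_ts
        seq.append((len(payload) if direction == "c2s" else -len(payload), gap))
        prev_ts = ts
        if len(seq) == n:
            break
    return seq

def byte_distribution(flow):
    """Normalized 256-bin histogram over all payload bytes plus its Shannon
    entropy in bits; well-mixed ciphertext sits near 8, padding or cleartext lower."""
    counts = Counter(b for _, _, payload in flow for b in payload)
    total = sum(counts.values())
    hist = [counts.get(i, 0) / total for i in range(256)] if total else [0.0] * 256
    entropy = -sum(p * math.log2(p) for p in hist if p > 0)
    return hist, entropy
```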
Attackers expected to adapt
Some security experts have told TechTarget that searching for malware activity in encrypted traffic can lead to a cat-and-mouse game with cybercriminals. As attackers become familiar with detection methods, "they will likely try to modify their encrypted traffic to blend in and remove the features that machine learning models rely on for detection," said Nick Bilogorskiy, senior director of threat operations at Cyphort Inc.
Security is a significant piece of Cisco's strategy to generate half its revenue from software and services by fiscal year 2020. Cisco's fiscal year runs from August to the following July.
In the first quarter of the current fiscal year, which ended Oct. 28, Cisco reported security revenue rose 8% year over year. The company expects security and software-based networking initiatives to help drive a projected revenue increase of 1% to 3% in the current quarter. The growth would end an eight-quarter streak of revenue declines.