Detect threats in encrypted traffic without decryption, using network based security analytics
Sarav Radhakrishnan, Distinguished Engineer
BRKCRS-1560
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKCRS-1560
Cisco Spark spaces will be available until July 3, 2017.
Agenda
• The Problem Statement
• The Research
• The Solution
• The Demo
• The Conclusions
By Way of Introduction …
Sarav [email protected], Distinguished Engineer
I am a Distinguished Engineer and have been in Cisco for 18 years.
I work in Cisco’s Enterprise Networking group and am focused on advanced network security research and development. I was intimately involved in the development of the Catalyst 3850 platform and Cisco’s QoS strategy across several platforms. I have 8 approved patents and am driving new innovations in the IoT security space. I’m also looking into newer initiatives related to Blockchain, LiFi etc.
The Problem Statement
Encrypted Traffic is increasing
Volume of encrypted traffic increased from 21% in 2015 to 40% in 2016 (90% year over year).
Gartner predicts 80% of all web traffic will be encrypted by 2019.
77% of all requests to Google servers are encrypted (as of Feb 2016).
97% of YouTube traffic is encrypted.
SSL/TLS encrypted traffic grew 90% year over year from July 2015 to July 2016.*
* Source: NSS Labs
[Chart: share of encrypted traffic for 2015, 2016 and projected 2019]
Enterprises are embracing encryption
[Chart: Extensive deployment of encryption. Percent of the IT budget earmarked for encryption, FY05 through FY15, with a straight-line projection to 2017 and 2019; the plotted values lie between 16% and 41%.]
But…the Threat Actors are also leveraging encryption

Threat Vectors Opened by Encrypted Traffic
Uninspected Encrypted Traffic Threats
Employees’ web browsing over HTTPS:
• Malware Infection
• Channel with command and control server
• Data Exfiltration
Employees on an internal network connecting securely to DMZ servers:
• Lateral expansion from infected hosts
An Example of a Recent Attack!
Additional Threat Vectors in the Enterprise
1. Initial Compromise: phishing (email link, email attachment), malware on a personal device, social media site with malware
2. Malware Propagation
3. Botnet creation / Privilege Escalation
4. DDoS Attack / Data Exfiltration
Perimeter Security ineffective
Users, Devices and Things are Coming onto the Network: Securing these Devices is Hard
IT users and devices: Laptops/PCs, Mobile, Printers, Audio/Video (Bonjour), Health-care
Non-IT (IoT device proliferation): Sensors, Badging System, HVAC, Lighting, Security Cameras, Fire Alarm System
Unsophisticated Devices: limited security & crypto capabilities, prone to hacks
Endpoint Identity: no support for standard authentication mechanisms
Impact of an Attack
ETA
Network Requirements from Security (Before / During / After)
• Reduce Attack Surface by Segmentation, Access Control & Encryption
• Malware & Threat Detection through behavioral analytics
• Rapid threat containment through automated incident response
Slide labels: Software Defined Access, NaaE

Encrypted Traffic Analytics: Visibility and Malware Detection without Decryption
Malware in Encrypted Traffic: is the payload within the TLS session malicious?
• End to end confidentiality
• Channel integrity during inspection
• Adapts with encryption standards
Cryptographic Compliance: how much of my digital business uses strong encryption?
• Audit for TLS policy violations
• Passive detection of Ciphersuite vulnerabilities
• Continuous monitoring of network opacity
The Research
Normal Behavior
[Diagram: an endpoint exchanging a sequence of encrypted flows with the Internet]
Malicious Behavior
[Diagram: the same endpoint and flow sequence, with one flow marked “?”]
Encrypted Traffic Analytics – Cisco Research
1. Start from Known Malware Traffic and Known Benign Traffic
2. Extract Observable Features in the Data
3. Employ Machine Learning techniques to build detectors
4. Result: known malware sessions detected in encrypted traffic with 99% accuracy
“Identifying Encrypted Malware Traffic with Contextual Flow Data”, AISec ’16 | Blake Anderson, David McGrew (Cisco Fellow)
Sequence of Packet Lengths and Times
Malware Behavior | Network Behavior
Communication with command and control server | Sequence of packet lengths
Write to the disk | Time interval between packets
Initial Data Packet
TLS field (in ClientHello) | Inference
Offered Ciphersuites | Browsers prefer heavyweight and more secure encryption algorithms; mobile applications prefer efficient encryption
Extensions
TLS handshake as seen on the wire:
ClientHello: Client: I support crypto
ServerHello / Certificate / ServerHelloDone: Server: I support that crypto, and I’m me
ClientKeyExchange / ChangeCipherSpec / Finished: Client: Take this secret and let’s encrypt
ChangeCipherSpec / Finished: Server: Your secret looks good, let’s encrypt
Application Data: Client/Server: encrypted data
Case Study: Bestafera
Attempts to collect a user's online banking data and sends out information to a control server; known for keylogging and data exfiltration.
Behavioral Patterns w.r.t. Packet Lengths/Times
[Diagram: Bestafera session (self-signed certificate, data exfiltration, C2 message) compared with a Google Search session (initial page load, autocomplete, page refresh), plotted as packet lengths over time]
TLS Client Fingerprinting (Bestafera)
[Table: TLS ClientHello | Possible Clients | True Client (v: 1.0.1r)]
Why This Approach is Successful
[Diagram: TLS client fingerprint (v: 1.0.1r in one case, v: 52.0 in the other) + packet length/time behavior = verdict]
Applying ML (Packet Length/Time Data Features)
Observed packets: 219 B (Dir: >), 1336 B (Dir: <), 134 B (Dir: >), … with inter-packet times 186 ms, 157 ms, 42 ms, …
Packets: 219, -1336, 134, 37, … (the sign encodes direction)
Times: 186, 157, 42, 153, …
Feature vector: $pl_0, pl_1, \dots, pl_{20}$ (packet lengths) and $pt_0, pt_1, \dots, pt_{20}$ (packet times)
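As an added illustration (not code from the presentation or from Cisco’s ETA implementation), the following Python turns a constructed packet trace into the SPLT vector sketched on the slide above and goes one step further by also computing the kind of binned Markov transition matrix the cited AISec ’16 work uses to summarise SPLT; the 21-packet window, the 150-byte length bins and the 50 ms time bins are assumptions.

```python
"""SPLT (Sequence of Packet Lengths and Times) feature extraction.
Added example; the packet traces below are constructed, not captures."""
from dataclasses import dataclass

WINDOW = 21        # pl0..pl20 / pt0..pt20, as drawn on the slide
LEN_BIN = 150      # assumption: 150-byte length bins, 10 bins cover 0..1500
TIME_BIN_MS = 50   # assumption: 50 ms inter-arrival bins
NUM_BINS = 10


@dataclass
class Packet:
    t_ms: float        # capture time in milliseconds
    length: int        # bytes on the wire
    to_server: bool    # direction: True = client -> server


def splt_vector(packets):
    """Signed lengths (client->server positive, server->client negative)
    and inter-arrival times in ms, zero-padded or cut to WINDOW entries."""
    lengths, times, prev = [], [], None
    for p in packets[:WINDOW]:
        lengths.append(p.length if p.to_server else -p.length)
        times.append(0 if prev is None else int(round(p.t_ms - prev)))
        prev = p.t_ms
    pad = [0] * (WINDOW - len(lengths))
    return lengths + pad, times + pad


def transition_matrix(values, bin_width, num_bins=NUM_BINS):
    """Row-normalised Markov transition matrix over binned |values|:
    m[a][b] = P(next value falls in bin b | current value is in bin a)."""
    m = [[0.0] * num_bins for _ in range(num_bins)]
    bins = [min(abs(v) // bin_width, num_bins - 1) for v in values]
    for a, b in zip(bins, bins[1:]):
        m[a][b] += 1.0
    for row in m:
        total = sum(row)
        if total:
            row[:] = [c / total for c in row]
    return m


def splt_features(packets):
    """Full SPLT feature set: 2*WINDOW raw values + two flattened matrices."""
    lengths, times = splt_vector(packets)
    n = len(packets[:WINDOW])
    len_m = transition_matrix(lengths[:n], LEN_BIN)
    time_m = transition_matrix(times[1:n], TIME_BIN_MS)
    return lengths + times + [c for r in len_m for c in r] + [c for r in time_m for c in r]


# Constructed traces. WEB mirrors the slide's first values (219 B out, 1336 B back,
# 134 B out; 186 ms and 157 ms apart). BEACON is a small fixed-size packet sent
# every 5 s with nothing coming back, the shape a C2 heartbeat tends to have.
WEB = [Packet(0, 219, True), Packet(186, 1336, False), Packet(343, 134, True)]
BEACON = [Packet(i * 5000, 64, True) for i in range(8)]

if __name__ == "__main__":
    for name, trace in (("web", WEB), ("beacon", BEACON)):
        lengths, times = splt_vector(trace)
        print(name, "lengths:", lengths[:4], "times:", times[:4],
              "features:", len(splt_features(trace)))
```

The beacon trace collapses to a single diagonal entry in each matrix, which is what makes periodic fixed-size C2 traffic separable from the varied bursts of a page load.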
Applying ML (TLS Data Features)
Cipher suites offered in the ClientHello, e.g. {ECDHE/RSA}:{AES256/CBC}:SHA, {ECDHE/ECDSA}:{AES256/CBC}:SHA, {DHE/RSA}:{AES256/CBC}:SHA, …
Extensions, e.g. ec_points_formats, elliptic_curves, SessionTicket, Heartbeat, …
Each list is encoded as a binary presence vector, e.g. 0 1 1 0 0 1 0 0 1 0 1 1 0 1
Feature vector: $cs_0, cs_1, \dots, cs_{175}$ (cipher suites) and $ext_0, ext_1, \dots, ext_{20}$ (extensions)
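An added example (not the presentation’s or Cisco’s code) that parses a TLS ClientHello and turns the offered cipher suites and extension types into the binary presence vector described on the Initial Data Packet and TLS Data Features slides; the two ClientHellos are constructed, and the small cipher-suite and extension index tables are a stand-in for the slide’s 176-suite and 21-extension tables.

```python
"""ClientHello -> TLS data features (cipher-suite / extension presence bits).
Added example; the ClientHellos below are constructed, not captured traffic."""
import struct

# Assumed index tables: a few real IANA code points standing in for the slide's
# 176 cipher suites and 21 extension types (dict order == feature index).
CIPHER_INDEX = {0xC02F: 0, 0xC02B: 1, 0xC030: 2, 0xC02C: 3,  # ECDHE + AES-GCM
                0xC014: 4, 0xC00A: 5, 0x0039: 6,              # (EC)DHE + AES256-CBC-SHA
                0x002F: 7, 0x0035: 8, 0x000A: 9, 0x0005: 10}  # RSA kx, 3DES, RC4
# 0 server_name, 5 status_request, 10 elliptic_curves, 11 ec_point_formats,
# 13 signature_algorithms, 15 heartbeat, 16 ALPN, 23 ext. master secret, 35 SessionTicket
EXT_INDEX = {0: 0, 5: 1, 10: 2, 11: 3, 13: 4, 15: 5, 16: 6, 23: 7, 35: 8}


def _u16(buf, off):
    if off + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack_from("!H", buf, off)[0]


def parse_client_hello(record):
    """Return {'version', 'cipher_suites', 'extensions'} from a TLS record that
    carries a ClientHello; raise ValueError for anything else."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + _u16(record, 3)]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version, pos = _u16(hello, 0), 2 + 32             # skip client_random
    if pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                              # session_id
    cs_len = _u16(hello, pos)
    pos += 2
    suites = [_u16(hello, pos + i) for i in range(0, cs_len, 2)]
    pos += cs_len
    if pos >= len(hello):
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]                              # compression_methods
    exts = []
    if pos < len(hello):                               # extensions block is optional
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos < end:
            etype, elen = _u16(hello, pos), _u16(hello, pos + 2)
            exts.append(etype)
            pos += 4 + elen
        if pos != end or end > len(hello):
            raise ValueError("bad extensions block")
    return {"version": version, "cipher_suites": suites, "extensions": exts}


def tls_features(hello):
    """Binary presence vector: one bit per indexed cipher suite, then per extension."""
    cs = [1 if s in hello["cipher_suites"] else 0 for s in CIPHER_INDEX]
    ex = [1 if e in hello["extensions"] else 0 for e in EXT_INDEX]
    return cs + ex


def build_client_hello(version, suites, ext_types):
    """Constructed minimal ClientHello record: empty session id, null compression,
    zero-length extensions (enough for fingerprinting, not a usable handshake)."""
    ext_body = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(suites))
             + b"".join(struct.pack("!H", s) for s in suites)
             + b"\x01\x00" + struct.pack("!H", len(ext_body)) + ext_body)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed samples: a browser-style offer, and one shaped like the slide's list
# (ECDHE/RSA, ECDHE/ECDSA, DHE/RSA with AES256-CBC-SHA; ec_point_formats,
# elliptic_curves, SessionTicket, Heartbeat).
BROWSER_HELLO = build_client_hello(0x0303, [0xC02B, 0xC02F, 0xC02C, 0xC030],
                                   [0, 23, 10, 11, 35, 16, 13])
LEGACY_HELLO = build_client_hello(0x0303, [0xC014, 0xC00A, 0x0039], [11, 10, 35, 15])
```

The tuple (version, ordered suites, ordered extension types) returned by parse_client_hello is the client fingerprint the Bestafera slide refers to; tls_features flattens it into the bits a classifier consumes.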
Applying ML (Classification)
Model*: $f(\mathbf{x})$ where $f : \mathbf{x} \to \{\text{malware}, \text{benign}\}$
$$\text{label}(\mathbf{x}) = \begin{cases} \text{malware} & \text{if } f(\mathbf{x}) \ge 0 \\ \text{benign} & \text{otherwise} \end{cases}$$
[Figure: Decision Surface in 2 Dimensions]
*Examples of $f(\cdot)$: Deep NN, Random Forest, Logistic Regression
In Summary…
• The Sequence of Packet Lengths and Times (SPLT) provides:
» a behavioral profile of the application/user
• The cipher suites and extensions in the ClientHello (TLS) suggest:
» the library the application/user is using to talk TLS
• Combining both views has improved accuracy while reducing false positives

What are we building to enable this solution?
Encrypted Traffic Analytics – Building Blocks
Network: exporters of NetFlow carrying SPLT and IDP
Data: srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets, IDP, SPLT
Features:
• Sequence of Packet Lengths and Times: the SPLT field gives us visibility beyond the first packet of the encrypted flows.
• Initial Data Packet: the first packets of any connection contain valuable data about the content.
Analytics: ETA Enhanced Analytics
Outcomes: Cryptographic Compliance, Encrypted Malware Detection
Encrypted Traffic Analytics Technical Solution Overview
Encrypted Traffic Exporters (enhanced NetFlow from Cisco’s newest switches) feed the Stealthwatch Collector(s), which feed Cognitive Analytics (enhanced analytics and machine learning, global-to-local knowledge correlation); the outcome is malware detection and cryptographic compliance.
Higher Precision | Faster Investigation | Leveraged Network
Enhanced Network as a Sensor and Enforcer: Rapidly Mitigate Malware and Vulnerabilities in Encrypted Traffic
[Diagram: switches export enhanced NetFlow with Encrypted Traffic Analytics to the Stealthwatch Flow Collector(s); CTA (cognitive.cisco.com) alerts are embedded in the Stealthwatch SMC; Cisco ISE connects over pxGrid, exchanging context information and mitigation actions]
SMC is the single pane of glass providing aggregate malware detection that is cloud enabled.
Solution Architecture
• Advanced Network Telemetry
• Stealthwatch
• Cognitive Analytics
• Availability
Enhanced Network as a Sensor
Industry’s first network with the ability to find threats in encrypted traffic without decryption, covering encrypted and non-encrypted traffic. Avoid, stop or mitigate threats faster than ever before | Real-time flow analysis for better visibility
Flow Monitoring
Pipeline: Observation, Exporter, Collection, Analysis, Storage
Standard flow record: srcIP, dstIP, srcPort, dstPort, prot, startTime, stopTime, numBytes, numPackets

Enhanced Telemetry
Same pipeline, with new data features added to the flow record.
Flow Record
▹ SrcAddr : 15.15.1.3
▹ DstAddr : 216.58.220.1
▹ SrcPort: 52621
▹ DstPort: 443
▹ Protocol: TCP (6)
▹ Octets: 88
▹ Packets: 28
▹ Type 44941 (SPLT): Value (hex bytes): 00 b4 00 e3 …
▹ Type 44940 (IDP): Value (hex bytes) : 00 b4 00 a2 …
Cisco Catalyst 9300 Family enables enhanced network as a sensor with ETA: rapidly mitigate malware and vulnerabilities in encrypted traffic
[Diagram: Encrypted Traffic Analytics on the switch feeds StealthWatch® (machine learning with enhanced behavior analytics); mitigation is through ISE over pxGrid]
• Industry’s most pervasively deployable solution for Encrypted Traffic Analytics
• Complements other encrypted traffic management solutions
Network telemetry based (no decryption) | Line-rate performance | Investment optimization | Simplified management | Globally correlated threat intel
Catalyst 9300 ETA Implementation
• UADP 2.0 copies 10 packets of the flow to software
• Software calculates the SPLT and identifies the right IDP to be sent to the collector
• The ETA records are sent once for the lifetime of the flow
• The size of the SPLT per flow is 40 bytes [10 packets × (2 bytes for length + 2 bytes for time)]
• No data path performance impact: only the copied packets are sent to software
• Number of flows: 2000 flows per second per stack member
• No HA implications, as every stack member will send out records independently
[Diagram: on each stack member, the UADP 2.0 data path copies 10 packets to software, which produces the enhanced NetFlow export; members are joined over the stack interface]
Deployment modes
Network element that will collect and export ETA fields:
• Wired: Fabric as well as non-Fabric deployments (at the Access switch), Cat 9300
• Wireless: Fabric-based deployments, Cat 9300
Catalyst 9300 ETA – Wired Mode
Enabling ETA on the switch:
Switch(config)#et-analytics
Switch(config-et-analytics)#ip flow-export destination 10.109.16.213 2838
Switch(config-et-analytics)#inactive-timeout 10
Switch(config)#interface gigabitEthernet 1/0/1
Switch(config-if)#et-analytics enable
Verifying the configuration:
Switch#show platform software et-analytics global
ET-Analytics Global state
=========================
All Interfaces : Off
IP Flow-record Destination: 10.108.16.213:2838
Inactive timer: 10
ET-Analytics interfaces:
GigabitEthernet1/0/1
ET-Analytics VLAN:
None
Disabling ETA on the interface:
Switch(config)#interface gigabitEthernet 1/0/1
Switch(config-if)#no et-analytics enable
Verifying the exports: Catalyst 9300 ETA
Verifying that the exports are happening from the switch:
Switch#show flow monitor etta-mon cache
Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 4
Flows added: 6
Flows aged: 2
- Inactive timeout ( 15 secs) 2
IPV4 DESTINATION ADDRESS: 15.15.15.35
IPV4 SOURCE ADDRESS: 72.163.128.140
IP PROTOCOL: 17
TRNS SOURCE PORT: 53
TRNS DESTINATION PORT: 12032
counter bytes long: 128
counter packets long: 1
timestamp abs first: 06:23:24.799
timestamp abs last: 06:23:24.799
interface input: Null
interface output: Null
Verifying the exports: Catalyst 9300 ETA
Switch#show platform software fed switch active fnf et-analytics-flow-dump
ET Analytics Flow dump
=================
Total packets received (27)
Excess packets received (0)
(Index:0) 72.163.128.140, 15.15.15.35, protocol=17, source port=53, dest port=12032, flow done=u
SPLT: len = 2, value = (25600,0)(128,0)
IDP: len = 128, value = 45:0:0:80:f0:6c:0:0:f9:11:
(Index:1) 72.163.128.140, 15.15.15.35, protocol=17, source port=53, dest port=32356, flow done=u
SPLT: len = 2, value = (59649,0)(128,0)
IDP: len = 517, value = 45:0:2:5:c3:1:0:0:f9:11:
(Index:2) 15.15.15.35, 72.163.128.140, protocol=17, source port=12032, dest port=53, flow done=u
SPLT: len = 2, value = (10496,0)(128,0)
IDP: len = 69, value = 45:0:0:45:62:ae:40:0:40:11:
(Index:3) 15.15.15.35, 72.163.128.140, protocol=17, source port=32356, dest port=53, flow done=u
SPLT: len = 2, value = (10496,0)(128,0)
IDP: len = 69, value = 45:0:0:45:62:ad:40:0:40:11:
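As an added check (not from the presentation or Cisco tooling), this Python parses the flow-dump output above and cross-checks each flow’s IDP bytes against its flow record. In the four flows on the slide the IDP value begins with an IPv4 header (0x45 …) whose total-length field equals the reported IDP length and whose protocol byte equals the flow’s protocol; the check assumes that is what the IDP field carries. The sample text is the slide’s own four flows.

```python
"""Parse 'show platform software fed switch active fnf et-analytics-flow-dump'
output and sanity-check the IDP field. Added example, not Cisco tooling."""
import re
from dataclasses import dataclass, field

# The four flows from the slide (the slide prints only the first 10 IDP bytes).
FLOW_DUMP = """\
(Index:0) 72.163.128.140, 15.15.15.35, protocol=17, source port=53, dest port=12032, flow done=u
SPLT: len = 2, value = (25600,0)(128,0)
IDP: len = 128, value = 45:0:0:80:f0:6c:0:0:f9:11:
(Index:1) 72.163.128.140, 15.15.15.35, protocol=17, source port=53, dest port=32356, flow done=u
SPLT: len = 2, value = (59649,0)(128,0)
IDP: len = 517, value = 45:0:2:5:c3:1:0:0:f9:11:
(Index:2) 15.15.15.35, 72.163.128.140, protocol=17, source port=12032, dest port=53, flow done=u
SPLT: len = 2, value = (10496,0)(128,0)
IDP: len = 69, value = 45:0:0:45:62:ae:40:0:40:11:
(Index:3) 15.15.15.35, 72.163.128.140, protocol=17, source port=32356, dest port=53, flow done=u
SPLT: len = 2, value = (10496,0)(128,0)
IDP: len = 69, value = 45:0:0:45:62:ad:40:0:40:11:
"""

HEADER_RE = re.compile(r"\(Index:(\d+)\) ([\d.]+), ([\d.]+), protocol=(\d+), "
                       r"source port=(\d+), dest port=(\d+), flow done=(\w+)")
SPLT_RE = re.compile(r"SPLT: len = (\d+), value = (.*)")
IDP_RE = re.compile(r"IDP: len = (\d+), value = ([0-9a-fA-F:]+)")
PAIR_RE = re.compile(r"\((\d+),(\d+)\)")


@dataclass
class EtaFlow:
    index: int
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    done: str
    splt: list = field(default_factory=list)   # (a, b) pairs exactly as printed
    idp_len: int = 0                           # IDP length the switch reports
    idp: bytes = b""                           # the IDP bytes actually printed


def parse_flow_dump(text):
    """Group the dump's lines into EtaFlow records, one per '(Index:n)' line."""
    flows = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            flows.append(EtaFlow(int(m[1]), m[2], m[3], int(m[4]),
                                 int(m[5]), int(m[6]), m[7]))
        elif (m := SPLT_RE.match(line)) and flows:
            flows[-1].splt = [(int(a), int(b)) for a, b in PAIR_RE.findall(m[2])]
        elif (m := IDP_RE.match(line)) and flows:
            flows[-1].idp_len = int(m[1])
            flows[-1].idp = bytes(int(h, 16) for h in m[2].strip(":").split(":"))
    return flows


def idp_header_check(flow):
    """Cross-check the IPv4 header at the start of the IDP against the flow
    record; returns a list of mismatches (empty means consistent)."""
    hdr = flow.idp
    if len(hdr) < 10 or hdr[0] >> 4 != 4:
        return ["IDP does not start with an IPv4 header"]
    problems = []
    total_len = int.from_bytes(hdr[2:4], "big")
    if total_len != flow.idp_len:
        problems.append(f"IPv4 total length {total_len} != IDP len {flow.idp_len}")
    if hdr[9] != flow.proto:
        problems.append(f"IPv4 protocol {hdr[9]} != flow protocol {flow.proto}")
    return problems


if __name__ == "__main__":
    for f in parse_flow_dump(FLOW_DUMP):
        print(f.index, f.src, f.dst, f.proto, f.sport, f.dport,
              idp_header_check(f) or "IDP header consistent")
```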
SD-Access Wireless Architecture
[Diagram: ISE / AD, DNAC and the WLC sit above the SD-Access Fabric; DNAC provides policy abstraction and configuration automation]
Fabric enabled WLC: the WLC is part of the LISP control plane (CAPWAP control plane to the APs, LISP control plane to the fabric).
Fabric enabled AP: the AP encapsulates Fabric SSID traffic in VXLAN (VXLAN data plane).
Optimized Distributed Data Plane:
• VXLAN from the AP, carrying hierarchical policy segmentation starting from the edge of the network
• Fabric overlay with Anycast GW + stretched subnet: VLAN extension with no complications
• All roaming is Layer 2
Automation: DNAC simplifies the Fabric deployment, including the wireless integration component.
Centralized Wireless Control Plane: the WLC still provides client session management, AP management, mobility, RRM, etc.; same operational advantages as CUWN.
LISP control plane management: the WLC integrates with the LISP control plane and updates the CP for wireless clients; mobility is integrated in the Fabric thanks to the LISP CP.
Catalyst 9300 ETA – Fabric Enabled Wireless Mode
Enabling ETA on the VLAN:
Switch(config)#et-analytics
Switch(config-et-analytics)#ip flow-export destination 10.109.16.213 2838
Switch(config-et-analytics)#inactive-timeout 10
Switch(config)#vlan configuration 71
Switch(config-vlan-config)#et-analytics enable
Switch(config-vlan-config)#end
Verifying the configuration:
Switch#show platform software et-analytics global
ET-Analytics Global state
=========================
All Interfaces : Off
IP Flow-record Destination: 10.108.16.213:2838
Inactive timer: 10
ET-Analytics interfaces:
none
ET-Analytics VLANs:
71
Disabling ETA on the VLAN:
Switch(config)#vlan configuration 71
Switch(config-vlan-config)#no et-analytics enable
Stealthwatch: Insider Threat Visibility using your own Network Devices
Enterprise Networking: switches and routers produce NetFlow. Security: Stealthwatch collects NetFlow and other telemetry.
Security for the network:
• Traffic Behavioral Analytics
• Visibility, Monitoring and Protection
• Maximize network investment
Monitor, Detect, Analyze, Respond:
• Baseline and summarize all traffic
• Auto-detect targeted attacks
• Provide forensics trail
• Mitigate and Enforce (FWs, ACLs, ISE & TrustSec)
NaaS
Cognitive Threat Analytics
CTA identifies threats with layers of anomaly detection and classification used to identify, prioritize and describe difficult-to-find threats.
Pipeline: anomalous web requests (10B requests per day), anomaly detection, trust modeling, event classification, relationship modeling, malicious events, threat incidents (50K incidents per day)

Global Risk Map
• CA models and uses up to 20 features of 150 million malicious, risky or otherwise security-relevant servers.
• These features are used as input for CA algorithms inside the engine.
• The features include domain data, whois data, TLS certificate data, usage statistics and behavioral data for each server.
Image: http://census2012.sourceforge.net/images.html
Cisco Stealthwatch with Cognitive Analytics
Three capabilities: Extended Visibility and Behavioral Analytics, Advanced Threat Detection, Encrypted Traffic Analytics.
• Obtain additional visibility and context into global and local traffic
• Utilize machine learning for continuous analysis and detection of Command & Control communications
• Detect threats that have bypassed existing security controls
• Identify insiders exfiltrating data to legitimate cloud services
• Pinpoint malicious patterns in encrypted traffic
• Compromised host detection speeds incident response
[Diagram: the Stealthwatch Flow Collector and Stealthwatch Management Console feed Cognitive Analytics, alongside Web Proxy data]
CTA’s inspection of encrypted traffic
Global risk map | Initial Data Packet | Sequence of Packet Lengths and Times
Who’s who of the Internet’s dark side | Make the most of the unencrypted fields | Identify the content type through the size and timing of packets
Broad behavioral information about the servers on the Internet | Self-Signed Certificate | Data Exfiltration, C2 Message
Cognitive Analytics with ETA
Telemetry and features flow through three CTA layers:
Layer 1: anomaly detection, trust modeling (10B requests per day)
Layer 2: event classification, entity modeling
Layer 3: relationship modeling (50K incidents per day)
Alongside the layers: Global Risk Map, ETA-specific classification, ThreatGrid, Internet scrapers, threat correlation; the output is incidents with threat context.

Cognitive – Cloud based machine learning
The Global Risk Map, the Initial Data Packet and the Sequence of Packet Lengths and Times feed the Machine Learning and Analytics Engine; all three elements reinforce each other inside the analytics engine using them.
Encrypted Traffic Analytics: Example Incident
[Slide image]
Cognitive Analytics: Confirmed Threats
[Slide image]
Solution Elements, Licensing and Packaging: What does the customer buy?
Solution Element | Software version | License
Enterprise Switches - C9300 | IOS-XE 16.6.1 (GA, July) | Included in DNA Advantage license / C1 Advanced
Stealthwatch | v6.9.2 (Sept) | Uses existing flow licenses
*Branch Routers (ASR1K, ISR4K, CSR) available for PoC with 16.6.1, GA in 16.7.1 (Nov’17)
C9400, C9500 (future)
Solution FCS – Late summer with Stealthwatch v6.9.2
Demo
Cryptographic Compliance: How much of my digital business is in the clear versus encrypted?
Filter Flows by TLS/SSL/Clear
Conclusion
• Encrypted Traffic Analytics leverages the power of network based telemetry and cloud based analytics to:
» Detect malware in encrypted traffic without decryption
» Do a cryptographic audit of the network
• Enhances Cisco’s Network-as-a-Sensor capability by collecting threat centric metrics from the network
• Helps in reducing the time to detect malware significantly
• Integrates with Network-as-an-Enforcer to mitigate the threat
Credits
• David McGrew, Cisco Fellow
• Blake Anderson, Technical Leader
• Udayan Palekar, Senior Product Manager
• TK Keanini, Principal Engineer
• Martin Rehak, Principal Engineer
• Sandeep Agarwal, Product Manager
• +whole bunch of engineers who made this possible
Other Sessions on Encrypted Traffic Analytics
• World of Solutions
» Enterprise Networking & Security Booths
• Breakout Sessions
» BRKSEC-2809 Deciphering Malware's Use of TLS (without Decryption)
» INSSEC-1013 Hidden Figures: Securing What You Cannot See
» BRKSEC-2047 Operationalizing Advanced Threat Solutions
» BRKSEC-2026 Building Network Security Policy Through Data Intelligence
» BRKSEC-3014 Security Monitoring with Stealthwatch: The Detailed Walkthrough
» BRKSEC-3106 Detecting Threats with Advanced Analytics
• DevNet Sessions
» DEVNET-1218 Understanding Encrypted Traffic Using "Joy" for Monitoring and Forensics
» DEVNET-1215 DevNet Workshop - An Introduction to Monitoring Encrypted Network Traffic with "Joy"
Thank you