The rapid rise in encrypted traffic is changing the threat landscape. As more businesses become digital, a significant number
of services and applications are using encryption as the primary method of securing information. Encrypted traffic has
increased by more than 90 percent annually.
Encryption technology has enabled much greater privacy and security for enterprises and individuals that use the Internet to
communicate and transact business online. Mobile, cloud, and web applications rely on well-implemented encryption
mechanisms that use keys and certificates to ensure security and trust. However, businesses are not the only ones to benefit
from encryption. Threat actors have leveraged these same benefits to evade detection and to secure their malicious
activities.
Traditional flow monitoring, as implemented in the Cisco® Network as a Sensor (NaaS) solution and through the use of
Flexible NetFlow (FNF), provides a high-level view of network communications by reporting the addresses, ports, and byte
and packet counts of a flow. In addition, intraflow metadata, or information about events that occur inside of a flow, can be
collected, stored, and analyzed within a flow monitoring framework. This data is especially valuable when traffic is
encrypted, because deep-packet inspection is no longer viable. This intraflow metadata, called Encrypted Traffic Analytics
(ETA), is derived by using new data elements or telemetry that is independent of protocol details, such as the lengths and
arrival times of packets within a flow. These data elements have the property of applying equally well to both encrypted and
unencrypted flows.
ETA focuses on identifying malware communications in encrypted traffic through passive monitoring, the extraction of
relevant data elements, and supervised machine learning with cloud-based global visibility.