No Jitter is part of the Informa Tech Division of Informa PLC


Cisco Malware Detection: What Communications Folks Need to Know: Page 2 of 2


ETA Is Really an Ecosystem of Products

An organization can set up ETA to examine some or all flows. For example, an organization that needs to approve content or application use for some individuals may require some data flows to be decrypted. For those flows, the organization would use the device-in-the-middle approach over the ETA method. But, for many other flows, ETA will provide a scalable, cost-effective way to examine encrypted data flows for malware.

ETA is actually an ecosystem play, consisting of Cisco switches, NetFlow collectors, and cloud computing.

To provide the significant processing power required to collect and compute the metadata ETA uses, Cisco has developed a new ASIC for its Catalyst 9300 series switches, giving them the CPU cycles needed to generate these new data elements. Some lower-port-count Cisco ISR devices do not require the new ASIC because their existing processing power is sufficient.

Once the switch computes the ETA parameters, it places them into a standard NetFlow stream for forwarding to Cisco Stealthwatch servers, which, among other things, collect and analyze the ETA data to detect anomalies. Cisco has coupled Stealthwatch with its cloud-based Cognitive Threat Analytics engine for correlating traffic with global threat behaviors to identify infected hosts, breaches, and suspicious traffic.

Why Should We in the Communications Space Care about ETA?

Although research has been ongoing for a number of years with respect to identifying content in encrypted data flows, Cisco's ETA represents a leap forward in commercializing this technology and putting it to a constructive use. Perhaps in the future we'll see development of an ETA-like mechanism to do malicious threat detection in encrypted SIP flows, which is critical to our industry.

This could possibly be done in the session border controller so that SIP traffic no longer needs to be decrypted and re-encrypted to traverse the network boundary. Almost all IP-based voice and video calls, as well as IM/presence flows, are encrypted, yet they continuously go through this decrypt/encrypt cycle. While I'm not aware of significant malware hiding in encrypted SIP flows at this point, given how widespread voice, video, and chat are, it is likely lurking out there in the wild and may one day spring upon us. It will be useful to have techniques like ETA and others available to safeguard these flows.

In summary, ETA is being put to use for a good purpose: detecting malicious data in encrypted flows. However, similar encrypted data analytics techniques can be a bit nefarious. For example, it has been reported that third parties can identify which Netflix videos you may be watching even though the video stream is encrypted. This can give tons of personal preference information to intermediary network providers or anyone running such algorithms on switches/routers through which Netflix data traverses. You can easily imagine that encrypted YouTube and other videos available on cloud-based servers may also be fingerprinted.
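To make the common idea behind both cases concrete (detecting malicious flows and fingerprinting video without decrypting anything), here is an added Python sketch; it is not Cisco's algorithm and not from the article. It compares a flow's packet-size profile against reference profiles, the kind of side information a switch can export in a flow record; the flows, labels, bucket size and threshold are all constructed for illustration.

```python
"""Metadata-only classification of encrypted flows (added illustration).

Nothing here touches payload: the only input per flow is the sequence of
packet sizes, which an exporting device can record without decryption.
All reference and observed flows below are constructed, not captured."""
from collections import Counter
from math import sqrt

BUCKET = 200  # bytes per histogram bucket; absorbs small length variation


def size_histogram(sizes, bucket=BUCKET):
    """Normalised histogram of packet-size buckets: the flow's 'shape'."""
    counts = Counter(s // bucket for s in sizes)
    total = sum(counts.values())
    return {k: v / total for k, v in counts.items()}


def distance(h1, h2):
    """Euclidean distance between two sparse histograms."""
    keys = set(h1) | set(h2)
    return sqrt(sum((h1.get(k, 0.0) - h2.get(k, 0.0)) ** 2 for k in keys))


def classify(sizes, fingerprints, threshold=0.3):
    """Best-matching label, or 'unknown' when no reference profile is close."""
    h = size_histogram(sizes)
    label, best = min(((lbl, distance(h, fp)) for lbl, fp in fingerprints.items()),
                      key=lambda t: t[1])
    return label if best <= threshold else "unknown"


# Constructed reference flows: a handshake followed by full-size segments
# (video-like) versus a steady stream of small messages (chat-like).
REFERENCE_FLOWS = {
    "streaming-video": [517, 120, 1460] + [1460] * 40 + [120] * 4,
    "interactive-chat": [90, 140, 75, 110, 95, 130, 85, 100, 105, 120] * 4,
}
FINGERPRINTS = {lbl: size_histogram(s) for lbl, s in REFERENCE_FLOWS.items()}

# Constructed observations: the same two classes with realistic variation,
# plus an alternating large/small pattern that matches nothing in the library.
OBSERVED = {
    "video-like": [505, 131, 1452] + [1448] * 37 + [118] * 5 + [1460] * 3,
    "chat-like": [88, 150, 70, 112, 99, 125, 80, 104, 101, 118] * 3 + [60, 145],
    "odd": [1460, 60] * 25,
}


def run_demo():
    """Classify every observed flow against the fingerprint library."""
    return {name: classify(sizes, FINGERPRINTS) for name, sizes in OBSERVED.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

The same mechanics that let a defender match a flow against known-bad profiles let an intermediary match it against a library of video titles, which is the privacy concern raised above.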

I think we should all be aware that this technology exists, and understand that like most technologies, it can be used for really great purposes, like ETA, and it may also be exploited for less honorable reasons.