Gartner predicts that by 2020, 63 million new devices will be connecting to enterprise networks every second. But while enterprise mobility and Internet of Things (IoT) enable new opportunities, each new user and device that connects to the network increases the management complexity and the potential attack surface. End-to-end network visibility is essential to ensuring that no security breaches from vulnerable network endpoints go undetected. By integrating security solutions natively into the network infrastructure, businesses can keep their networks secure and scale effectively.
The demands of a growing population combined with a rapidly changing competitive environment are creating new challenges for IT. An increasing number of employees work from outside the office, frequently using guest Wi-Fi and non-corporate devices to access the same network that manages the company’s critical data. In addition to enterprise mobility challenges, IT teams also need to manage connection requests for an increasing number of IoT devices. Printers, security cameras, coffee machines… thousands of new devices with little or no security architecture need to be added to the network. Cisco expects the percentage of IP traffic coming from non-PC devices to grow from 47 percent in 2015 to 71 percent by 2020.
As the number of connections to the network grows exponentially, without an automated way to be able to segment user and device groups to manage security policies, the business puts itself at a high risk of an attack. But all network security threats have something in common: The Network. The enterprise network provides a unique contextual viewpoint on anything targeting the vulnerable end-points. The only way to address the increasing challenges and be able to scale to be integrating security by default into the network infrastructure.
In addition to a growing number of mobile users and devices, IT teams face another important trend. Encryption. More and more network traffic is encrypted as people and businesses try to keep their data private and secure as it travels through the network. By 2019, Gartner believes, more than 80 percent of enterprise web traffic will be encrypted.
But as encrypted traffic continues to grow giving us greater privacy and security, it also creates an additional challenge for IT teams. They now have to address a massive influx of traffic that they cannot look inside without decryption technology. The hackers have quickly learned to use data encryption to their benefit to conceal delivery, command and control activity, as well as data exfiltration. Thanks to encryption, they can now break into the network and stay undetected for months. According to Cisco, it takes companies on average between 100 and 200 days to detect an attack because 80 percent of security systems do not recognize or prevent threats within SSL traffic. With a rising number of data protection laws, including the General Data Protection Regulation, it is becoming critical for enterprises to be able to detect and isolate an attack as quickly as possible. An average cost of a security breach is currently $3.62 million globally.
Until now, the common way to manage encrypted traffic was to decrypt it and analyse it using devices such as next-generation firewalls. However, this process takes time and requires adding additional devices to the network. As the attacks become increasingly sophisticated and the threat landscape continues to evolve, it becomes clear that a holistic security solution is needed capable of detecting and isolating threats – even those hidden in encrypted traffic.
To address this challenge, Cisco worked together with the Advanced Security Research Group to develop solutions that are capable of creating isolated virtual networks for different user groups and analysing encrypted traffic for malwares without decrypting it.
Cisco introduced Cisco Software-Defined Access, the industry’s first single network fabric across LAN and WLAN that automates access policies to make sure the right policies are applied to any user or device across the network independently of IP address. With Cisco SD-Access, in just a few minutes, IT is able to create a new policy to allow or deny access between user groups (IoT devices, developers, marketing teams etc.) adding an extra level of security through network segmentation.
To address the challenges of data encryption, the team worked on using the meta data (TLS handshake metadata, DNA contextual flow and the HTTP headers of HTTP-contextual flows) generated by the network to run it through security analytics tools, Cisco Stealthwatch. Cognitive analytics, Cisco’s cloud solution then analyses the data and runs it through the full database of all known malwares (Cisco Threat Grid). Machine learning is then applied to detect abnormal behavior patterns. The resulting technique, called Encrypted Traffic Analytics (ETA), involves looking for telltale signs in the features of encrypted data to detect malwares, without bulk data decryption. In experiments based on real-world data, Cisco was able to achieve over 99% accuracy with 0.01% false positives (only 1 false positive for every 10,000 TLS connections) seen.
Encrypted Traffic Analytics provides numerous benefits:
Cisco Encrypted Traffic Analytics functionality is now integrated by default into the new Catalyst® 9000 switches and Cisco 4000 Series Integrated Services Routers with the advanced security analytics of Cisco Stealthwatch. Thanks to the new programmable ASIC UADP 2.0, these complex analytics can be performed directly on the switches which before required additional equipment.