Why It's Okay to Be Underwhelmed by Cisco ETA
Cisco recently announced the term “intent-based networking” in a press release that pushes the idea that networks need to be more intuitive. One element of that intuition is for networks to be more secure without requiring a lot of heavy lifting by local network security professionals. And a featured part of that strategy is Cisco ETA:
"Cisco's Encrypted Traffic Analytics solves a network security challenge previously thought to be unsolvable," said David Goeckeler, senior vice president and general manager of networking and security. "ETA uses Cisco's Talos cyber intelligence to detect known attack signatures even in encrypted traffic, helping to ensure security while maintaining privacy."
I’m always intrigued (and quite often amused) by the claim that an unsolvable problem has been solved. So, let’s dig into how Cisco ETA is constructed:
We welcome Cisco’s steps to build metadata extraction natively into the network and applaud their efforts to apply machine learning to it to detect threats. This is something that we’ve been deploying into customer networks for years, and we have seen the benefits that it can provide when done right (and wrong – since we’ve certainly had our stumbles along the way). Maybe not surprisingly—this stuff is hard—Cisco’s initial steps into this space are a bit underwhelming.
There are undoubtedly some novel approaches in the feature selection and machine learning techniques employed in Cisco ETA. But the overall idea of using session metadata to create precise signatures for malware communications feels like a rewind, taking us back to the release of the first signature-based IDS, circa 1995. Assuming it is successful with the current generation of malware, it will take little time for malware developers to change their encrypted communications in easy ways that evade this form of detection. The changes the attackers would make are pretty obvious:
And then the cat-and-mouse game begins again. Except now Cisco will need to collect large volumes of samples in an attempt to retrain ETA. And then the attackers can quickly break it again.
Unlike most machine learning applications, cyber security involves matching wits with an intelligent adversary who will adjust to the defender’s capabilities. For this reason, our application of machine learning against network-extracted metadata focuses on finding durable patterns of behavior that would require fundamental changes in attacker methodologies to counter.
One example is External Remote Access, a model that Vectra shipped over two years ago to find the fundamental pattern of humans controlling systems from outside the network. It works independent of the attacker’s tool, and whether or not the traffic is encrypted. Last year when ShadowBrokers leaked the nOpen RAT, the Vectra model detected attempts to use it without any changes required. Turns out that inventing entirely new attack methodologies is much harder than changing superficial patterns of communication.
Deploying ETA won’t be simple or cheap either. ETA will require either an upgrade to new network switches or the deployment of flow sensors. Switches are a revenue mainstay and profit generator for Cisco, so tying new security functionality to switching doesn’t come as a surprise. Upgrades take time and are disruptive, and in this case all that money will likely deliver 1990s-level security functionality.