TK Keanini (@tkeanini), Cisco Analytics, sits down with theCUBE hosts Dave Vellante (@dvellante) and John Furrier (@furrier) live from Cisco Live EU 2019 in Barcelona, Spain
#CLEUR #theCUBE #Cisco
https://siliconangle.com/2019/02/11/telemetry-and-machine-learning-provide-foundation-for-ciscos-cyberattack-defense-cleur-guestoftheweek/
Telemetry and machine learning provide foundation for Cisco’s cyberattack defense
Ransomware is so 2018.
As online criminals have realized that ransomware didn’t yield a recurring revenue stream, they have turned instead to cryptojacking, the takeover of computer networks by massive botnets to mine cryptocurrency. This land grab of networks has proven difficult to stop or even detect because cryptomining code can work in the background with hapless users not suspecting a thing.
Evidence is piling up that cryptojacking has shot up the hacking pop charts. AdGuard Software Ltd. has documented a 31-percent growth for in-browser cryptojacks and Check Point Software Technologies Ltd. noted that 40 percent of the top malware it had discovered was running cryptomining operations.
Engineers at Cisco Systems Inc. have been working on an intriguing approach to detect network attacks faster and more accurately, driven by a sense of urgency as cryptojacking grows and enterprise systems run, out of necessity, on encrypted data nearly from end to end. Dark data has made the process of detecting malware and attacks more difficult, so security researchers have to get creative.
It starts with basic economics. “If I can make it more expensive for criminals to hide and operate, then I’m doing my job,” said TK Keanini (pictured), distinguished engineer and product line chief technology officer of analytics at Cisco. “That means not only using techniques of the past, but developing new techniques.”
Keanini spoke with John Furrier (@furrier) and Dave Vellante (@dvellante), co-hosts of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during the recent Cisco Live event in Barcelona, Spain. They discussed Cisco’s plan to disrupt malicious activity, the use of data analytics to identify attacks, and the importance of DevOps and a recent Web security protocol in defending networks. (* Disclosure below.)
This week, theCUBE features TK Keanini as its Guest of the Week.
Encryption complicates inspection
In the case of cryptojacking, the challenge is to defend against malware that is sophisticated and can command systems in multiple ways. A report by the Cyber Threat Alliance detailed how one version stole Windows credentials and then leveraged instrumentation tools to spread rapidly. Another cryptojacking investigation by Comodo Group found the use of a PowerShell script to inject malware in a running process.
The method for discovery is also complicated because enterprises have gone to great lengths to encrypt data, so decrypting it to find intrusions won’t fly.
“We have to now infer malicious activity from behavior because the direct inspection is no longer available,” Keanini said. “We came up with a technique called encrypted traffic analytics.”
Cisco’s solution is baked into what Keanini described as a “three-layered cake” whose ingredients are telemetry, analytics and analytical outcome. Taking the broader view of the network as one large sensor, routers and switches send rich telemetry or data that can be used to infer malicious activity without decryption.
Machine learning targets malware
Using machine learning to train on all of this rich data, security engineers can craft a more helpful picture of what malicious actors may be doing on the network based on the shape and the size of the metadata over time.
“I can model on that timing, and this is where machine learning comes in,” Keanini explained. “I can train on all this data and determine if the malware looks like this at minute five, minute 10, minute 15, and if I see that exact mathematically precise behavior on your network, I can infer that’s the same malware.”
How does Cisco do this without decryption? Keanini was careful not to give away too many details on this subject, but he did offer one brief explanation.
“All encrypted traffic starts out unencrypted,” he stated. “It’s a very small percentage, but everything in that startup is visible.”
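As an added illustration (not code from the article or from Cisco's product), the block below parses the cleartext TLS ClientHello that opens every TLS session, which is the unencrypted "startup" Keanini refers to: a sensor can read the offered version, cipher suites, extensions and server name without any key. The ClientHello bytes are constructed here for the example, and the fingerprint format is a simplified summary string, not Cisco's own method.

```python
import struct

# Constructed sample input: a minimal TLS 1.2 ClientHello, not a real capture.
def build_client_hello(sni: str, ciphers: list) -> bytes:
    """Assemble a ClientHello record so the parser below has something to run on."""
    name = sni.encode()
    # server_name extension: list length, name_type 0 (host_name), name length, name
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    exts += struct.pack("!HH", 0x17, 0)  # extended_master_secret, empty body
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + bytes(32)                     # client_version + random (zeros here)
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(rec: bytes) -> dict:
    """Extract the cleartext fields visible before any key exchange completes."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    end = 9 + int.from_bytes(rec[6:9], "big")
    p = 9
    version = rec[p:p + 2].hex(); p += 2 + 32          # client_version, skip random
    p += 1 + rec[p]                                     # skip session id
    cs_len = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + rec[p]                                     # skip compression methods
    ext_types, sni = [], None
    if p < end:
        ext_end = p + 2 + struct.unpack("!H", rec[p:p + 2])[0]; p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", rec[p:p + 4]); p += 4
            data = rec[p:p + elen]; p += elen
            ext_types.append(etype)
            if etype == 0 and len(data) >= 5:           # server_name: read host_name
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii", "replace")
    return {"version": version, "ciphers": ciphers, "extensions": ext_types, "sni": sni}

def fingerprint(info: dict) -> str:
    """Simplified client fingerprint (version:ciphers:extensions) for baselining."""
    return (f"{info['version']}:" + "-".join(map(str, info["ciphers"])) + ":"
            + "-".join(map(str, info["extensions"])))

if __name__ == "__main__":
    info = parse_client_hello(build_client_hello("example.test", [0x1301, 0xC02F]))
    print(info, fingerprint(info))
```

Keeping a per-host baseline of such fingerprints lets a sensor notice a client stack it has never seen from that host, one of the behavioural signals the article describes; the fingerprint alone is not proof of malware and belongs alongside the timing and size features discussed next.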
Network defenders gain speed
There are two tailwinds providing some support for Keanini’s work in the security arena. One is the rise of developers building networks as code and programming operations much faster than before, also known as DevOps.
...
Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of the Cisco Live event. (* Disclosure: Cisco Systems Inc. sponsored this segment of theCUBE. Neither Cisco nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)