Don’t let the encrypted traffic turn into security risk. Gain a scalable visibility of threats in encrypted traffic when preserving privacy and with no impediment to latency.
Encrypted Traffic Analysis is a method of malware detection and cryptographic assessment of secured network sessions, which does not rely on decryption.
This improves visibility of encrypted traffic while remaining scalable and causing no impediment to latency nor violation of privacy. While the number of malware campaigns hiding in encrypted traffic grows massively, ability to detect malicious SSL traffic becomes crucial for ensuring compliance and demanded level of protection.
The Flowmon solution addresses this need and offers the necessary insight while remaining scalable, easily integrable and, most importantly, respectful of privacy.
Flowmon Encrypted Traffic Analysis collects network traffic metadata in IPFIX format using passive probes and enriches it with TLS protocol information (among others). These attributes of the encrypted session between clients and servers are available regardless of the client’s physical location or whether the server runs in the cloud or datacenter.
This provides a wealth of insight about the traffic and allows for the identification of out-of-date SSL certificates, policy non-compliant certificates, encryption strength and old TLS versions that may contain faults or vulnerabilities. Furthermore, a machine learning engine uses this data to perform behavior analysis and anomaly detection to identify malware and other threats.
This approach does not violate privacy, nor does it degrade performance. It provides insightful analytics regardless of the volume. Moreover, since the data is stored in an aggregated form, it saves a considerable amount of storage space without impeding information fidelity.
JA3 fingerprinting is an effective way of detecting malicious threats or at least to spot an indicator of compromise (IoC). This method combines these five parameters of TLS communication: version, ciphers, extensions, elliptic curves and its formats and produces a MD5 hash. This is our JA3 fingerprint. Interestingly, this is enough to identify various clients. For example, "e7d705a3286e19ea42f587b344ee6865" is the JA3 fingerprint for a standard TOR client.
TLS JA3 Fingerprint records in Flowmon
This method is very much in the field of signatures, and thus Flowmon utilizes reliable blacklists and whitelists. Beside others, it is an important part of encrypted traffic analytics which allows you to find outliers and other oddities in your network. Find out more about the use cases at our dediacated blog.