Blue Hexagon’s new ability inspects encrypted traffic in real-time

Blue Hexagon, a deep learning and cybersecurity pioneer, announced an industry-first ability to detect and stop, in real time, both known and unknown threats hidden within encrypted SSL traffic.

Analyst firm Gartner believes that, “Through 2019, more than 80 percent of enterprise web traffic will be encrypted.” While encryption addresses privacy and legal requirements, security teams now face a challenge where they are blind to a large influx of traffic.

In fact, Gartner also predicts that, “During 2019, more than fifty percent of new malware campaigns will use various forms of encryption and obfuscation to conceal delivery, and to conceal ongoing communications, including data exfiltration.”

There are currently two approaches to address this problem. Security teams can decrypt the traffic and inspect it, but this approach can be a burden on threat inspection performance when performed on next-generation firewalls and usually requires additional network decryption devices.

Other solutions use signature mechanisms like JA3 or machine learning to identify anomalies over large volumes of data, but these solutions can be unreliable and result in lots of false positives.

Overcoming both of these challenges, Blue Hexagon uses deep learning to enable real-time inspection of encrypted traffic without negatively affecting network speed and performance, or requiring additional devices.

“As more and more web traffic is encrypted, and as threat actors develop ways to hide malicious communications or payload in that traffic, it is a security imperative that organizations have the ability to identify and block those threats.

“The Blue Hexagon platform can now perform deep learning inspection of encrypted traffic in real-time, giving security teams visibility into threats without compromising privacy, confidentiality, or network performance,” said Nayeem Islam, CEO and co-founder of Blue Hexagon.

With the introduction of this feature, Blue Hexagon becomes the first security vendor to offer a consistent deep learning-based threat detection platform for on-premises and cloud, to detect threats in all traffic including encrypted web and network communications.

More importantly, the ability to inspect threats in less than a second at greater than 99.5% efficacy enables security teams to keep pace with the onslaught of attacks.

Blue Hexagon’s proprietary Deep Learning HexNet™ architecture detects suspicious patterns that can be observed in the SSL/TLS communications during different stages of the connection. The deep learning models are trained on thousands of observations and characteristics that are used to separate a malicious encrypted tunnel from a benign communications channel.

Such patterns are tightly bound to the core communication functionality of the client and server encryption process. As a result, deep learning can identify and stop attacker mal-intent and threats in these communications channels, even when the channel is encrypted.

In contrast to slower analytics or hunting solutions that use correlations over large volumes of data, or signature mechanisms like JA3, which can be fast but result in lots of alerts, the Deep Learning HexNet models provide instant and accurate verdicts as they observe the connection evolution over time.

Blue Hexagon’s payload analysis engine also uncovers new threats earlier than traditional engines, which allows the encrypted communication models to keep learning from new mal-intent communication patterns being used by adversaries.

Examples of use cases for Blue Hexagon encrypted traffic analysis using deep learning include the following:

  • Download of a payload over an encrypted channel from a malicious or compromised website.
  • Detection of encrypted command and control communications from a compromised endpoint from within the enterprise network.
  • Download of a payload by a malicious entity already residing on an endpoint inside the enterprise network. This often happens in the later stages of the killchain following the initial delivery.
