ON THIS PAGE
Encrypted Traffic Insights Overview
Access this page from the Monitor > ATP > Encrypted Traffic menu.
Encrypted Traffic Insights (ETI) helps you to detect malicious threats that are hidden in encrypted traffic without intercepting and decrypting the traffic.
Benefits of Encrypted Traffic Insights
-
Monitors network traffic for threats without breaking the encryption of the traffic, thereby adhering to data privacy laws.
-
Erases the need for additional hardware or network changes to set up and manage the network:
-
Juniper Secure Edge provides the required metadata (such as known malicious certificates and connection details) and connection patterns to ATP Cloud.
-
The ATP Cloud provides behavior analysis and machine learning capabilities.
-
-
Provides greater visibility and policy enforcement over encrypted traffic without requiring resource-intensive SSL decryption:
-
Based on the network behaviors analyzed by ATP Cloud, the network connections are classified as malicious or benign.
-
-
Adds an additional layer of protection beyond traditional information security solutions to help organizations reduce and manage risk.
-
Ensures no latency as we do not decrypt the traffic.
Table 1 lists the information that is available on the Encrypted Traffic Insights page.
Field |
Guideline |
---|---|
External Server IP |
The IP address of the external server. |
External Server Hostname |
The host name of the external server. |
Highest Threat Level |
The threat level on the external server based on Encrypted Traffic Insights. |
Count |
The number of times hosts on the network have attempted to contact this server. |
Country |
The country where the external server is located. |
Last Seen |
The date and time of the most recent external server hit. |
Category |
Additional category information known about this server, for example, botnets, malware, etc. |
Encrypted Traffic Insights and Detection
Encrypted Traffic Insights combines rapid response and network analysis (both static and dynamic) to detect and remediate malicious activity hidden in encrypted sessions.
A staged approach of Encrypted Traffic Insights for a new TCP session is as follows:
- Known Malicious Activity—Juniper ATP Cloud provides information regarding certificates known to be associated with malware, which Juniper Secure Edge uses to immediately identify malicious traffic.
- Unknow Malicious Activity—Metadata and network connection details are collected and analyzed by Juniper ATP Cloud.
- Automated detection and Remediation—ATP events are correlated with user and device information and added to Infected Host feed.
- Host is blocked
Workflow
This section provides the workflow to perform Encrypted Traffic Insights.
Step |
Description |
---|---|
1 |
A client host requests a file to be downloaded from the Internet. |
2 |
Juniper Secure Edge receives the response from the Internet. Juniper Secure Edge extracts the server certificate from the session and compares its signature with the blocklist certificate signatures. If a match occurs, then connection is blocked. Note:
The Juniper Networks ATP Cloud feed keeps Juniper Secure Edge up to date with a feed of certificates associated with known malware sites. |
3 |
Juniper Secure Edge collects the metadata and connection statistics and sends it to the ATP Cloud for analysis. |
4 |
The ATP Cloud performs behavioral analysis to classify the traffic as benign or malicious. |
5 |
If a malicious connection is detected, the threat score of the host is recalculated. If the new score is above the threshold, then the client host is added to infected host list, The client host might be blocked based on policy configurations on Juniper Secure Edge devices. |