When You Live and Die by the 1-Second Rule

Deep Learning Proves Key to Detecting Known and Unknown Threats Hiding in Encrypted Web, Network Communications

Blue Hexagon, a deep learning and cybersecurity pioneer, announced an industry-first ability to detect and stop, in real time, both known and unknown threats hidden within encrypted SSL/TLS traffic.

On the heels of this announcement, Brilliance Security Magazine spoke with Saumitra Das, CTO at Blue Hexagon, to get his views on why this new solution is important to the security industry.

With a Ph.D. from Purdue, Saumitra says he has been “working in cyber and machine learning from the very early days. Back when it wasn’t a fad and the term wasn’t overused.”

He emphasized that “what we do in the company now couldn’t have been done even three years ago. What we bring to the market is a combination of advances in deep learning… and the fact that we have much more security data available to learn from.”

“For us, we live and die by the 1-second rule,” he explained; after that, it is often too late.

Blue Hexagon uses deep learning to enable real-time inspection of encrypted traffic without negatively affecting network speed and performance, or requiring additional devices. 

He stated that “this is the first time that something like this was available for doing threat detection on encrypted traffic that is completely unknown.”

Their announcement points out that analyst firm Gartner believes that “Through 2019, more than 80 percent of enterprise web traffic will be encrypted.”1 While encryption addresses privacy and legal requirements, security teams now face a challenge where they are blind to a large and growing share of traffic. In fact, Gartner also predicts that “During 2019, more than fifty percent of new malware campaigns will use various forms of encryption and obfuscation to conceal delivery, and to conceal ongoing communications, including data exfiltration.”

There are currently two approaches to address this problem. Security teams can decrypt the traffic and inspect it, but decryption is a burden on threat inspection performance when performed on next-generation firewalls and usually requires additional network decryption devices. Another approach is to use machine learning on NetFlow metadata, but flow records carry only coarse per-connection counters, so this process is slow and its verdicts are unreliable.

“As more and more web traffic is encrypted, and as threat actors develop ways to hide malicious communications or payload in that traffic, it is a security imperative that organizations have the ability to identify and block those threats. The Blue Hexagon platform can now perform deep learning inspection of encrypted traffic in real-time, giving security teams visibility into threats without compromising privacy, confidentiality, or network performance,” said Nayeem Islam, CEO and co-founder Blue Hexagon. 

With the introduction of this feature, Blue Hexagon becomes the first security vendor to offer a consistent deep learning-based threat detection platform for on-premises and cloud, to detect threats in all traffic including encrypted web and network communications. More importantly, the ability to inspect threats in less than a second at greater than 99.5% efficacy enables security teams to keep pace with the onslaught of attacks. 

The Blue Hexagon proprietary Deep Learning HexNet™ architecture detects suspicious patterns that can be observed in the SSL/TLS communications during different stages of the connection. The deep learning model is trained on thousands of observations and characteristics that are used to separate a malicious encrypted tunnel from a benign communications channel. Such patterns are tightly bound to the core communication functionality of the client and server encryption process, so the model needs no access to plaintext. As a result, deep learning can identify and stop attacker mal-intent and threats in these communications channels even when the channel is encrypted. In contrast to slower analytics or hunting solutions that use correlations over large volumes of data, or signature mechanisms like JA3 that are fast but generate many alerts, the models provide instant and accurate verdicts as they observe the connection evolving over time. Blue Hexagon’s payload analysis engine also uncovers new threats earlier than traditional engines, which allows the encrypted communication model to keep learning from new mal-intent communication patterns being used by adversaries.
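To make concrete what “patterns observed in the SSL/TLS communications” and a “signature mechanism like JA3” mean in practice, the following is an added example written for this article; it is not Blue Hexagon’s HexNet code and says nothing about how their model is built. It constructs a sample TLS ClientHello (a test vector built here, not a capture), parses the handshake fields that are visible without decryption, computes the public JA3 fingerprint (MD5 over version, cipher suites, extensions, supported groups and point formats, with GREASE values removed) and derives a few per-connection features of the kind a classifier could consume. The function and field names are this example’s own choices.

```python
"""Added example: TLS ClientHello feature extraction and JA3 fingerprinting.

Illustrative code for this article, not Blue Hexagon's HexNet model. The
sample ClientHello is constructed below as a test vector.
"""
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ..., 0xfafa. JA3 drops them because
# clients randomise them, which would otherwise split one client into many hashes.
GREASE = {(i << 12) | (i << 4) | 0x0A0A for i in range(16)}


def _ext(ext_type, data):
    """Encode one TLS extension: u16 type, u16 length, payload."""
    return struct.pack(">HH", ext_type, len(data)) + data


def build_client_hello(sni, ciphers, groups, point_formats):
    """Build a TLS record carrying a ClientHello (constructed sample, not a capture)."""
    sni_bytes = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack(">H", len(sni_bytes)) + sni_bytes  # host_name type
    exts = (
        _ext(0x0A0A, b"")                                                   # GREASE extension
        + _ext(0x0000, struct.pack(">H", len(sni_entry)) + sni_entry)       # server_name
        + _ext(0x0017, b"")                                                 # extended_master_secret
        + _ext(0x000A, struct.pack(">H", 2 * len(groups))
               + b"".join(struct.pack(">H", g) for g in groups))            # supported_groups
        + _ext(0x000B, bytes([len(point_formats)]) + bytes(point_formats))  # ec_point_formats
    )
    body = (
        struct.pack(">H", 0x0303) + bytes(32)                  # client_version, random (zeroed)
        + b"\x00"                                              # empty session_id
        + struct.pack(">H", 2 * len(ciphers))
        + b"".join(struct.pack(">H", c) for c in ciphers)
        + b"\x01\x00"                                          # one compression method: null
        + struct.pack(">H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse the ClientHello fields that JA3 and handshake-stage features are built from."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = struct.unpack(">H", body[0:2])[0]
    pos = 34                                   # skip client_version (2) and random (32)
    pos += 1 + body[pos]                       # session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                       # compression_methods
    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "groups": [], "point_formats": [], "sni": None}
    while pos < end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        info["extensions"].append(etype)
        if etype == 0x000A:                    # supported_groups: u16 length + u16 list
            n = struct.unpack(">H", data[:2])[0]
            info["groups"] = [struct.unpack(">H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 0x000B:                  # ec_point_formats: u8 length + u8 list
            info["point_formats"] = list(data[1:1 + data[0]])
        elif etype == 0x0000:                  # server_name: first entry, host_name type
            name_len = struct.unpack(">H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode("ascii")
    return info


def ja3(info):
    """JA3 = MD5 of 'version,ciphers,extensions,groups,point_formats' (GREASE removed)."""
    fields = [
        str(info["version"]),
        "-".join(str(c) for c in info["ciphers"] if c not in GREASE),
        "-".join(str(e) for e in info["extensions"] if e not in GREASE),
        "-".join(str(g) for g in info["groups"] if g not in GREASE),
        "-".join(str(p) for p in info["point_formats"]),
    ]
    text = ",".join(fields)
    return text, hashlib.md5(text.encode()).hexdigest()


def handshake_features(info):
    """Per-connection features a classifier could consume alongside the JA3 hash."""
    return {
        "ja3": ja3(info)[1],
        "sni": info["sni"],
        "n_ciphers": len(info["ciphers"]),
        "n_extensions": len(info["extensions"]),
        "uses_grease": any(c in GREASE for c in info["ciphers"]),
        "offers_tls13_suites": any(0x1301 <= c <= 0x1305 for c in info["ciphers"]),
    }


# Constructed sample: a TLS 1.2 record whose ClientHello offers TLS 1.3 and 1.2 AES-GCM suites.
SAMPLE = build_client_hello(
    "example.com",
    [0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F],   # GREASE, then AES-GCM suites
    [0x2A2A, 0x001D, 0x0017, 0x0018],           # GREASE, x25519, secp256r1, secp384r1
    [0],                                        # uncompressed points
)

if __name__ == "__main__":
    parsed = parse_client_hello(SAMPLE)
    print(ja3(parsed)[0])   # 771,4865-4866-49195-49199,0-23-10-11,29-23-24,0
    print(handshake_features(parsed))
```

The JA3 string is exactly the kind of signature the paragraph contrasts with a learned model: every client built on the same TLS library produces the same hash, so matching on it alone yields the volume of alerts mentioned above. A model instead consumes these handshake fields together with observations made later in the connection (record sizes, timing, server response) that this example does not cover.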

Examples of use cases for Blue Hexagon encrypted traffic analysis using deep learning include the following: 

  • Download of a payload over an encrypted channel from a malicious or compromised website.
  • Detection of encrypted command and control communications from a compromised endpoint within the enterprise network.
  • Download of a payload by a malicious entity already residing on an endpoint inside the enterprise network. This often happens in the later stages of the kill chain, following the initial delivery.

Blue Hexagon is a deep learning innovator focused on protecting organizations from cyberthreats. The company’s real-time, deep learning platform is proven to detect known and unknown threats with speed, efficacy, and coverage that set a new standard for cyber defense. Blue Hexagon is headquartered in Sunnyvale, CA, and backed by Benchmark and Altimeter Capital. For more information, visit www.bluehexagon.ai or follow @bluehexagonai.