The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
You can use the Encrypted Visibility Engine (EVE) to identify client applications and processes using Transport Layer Security (TLS) encryption. EVE provides more visibility into the encrypted sessions without decryption. Based on EVE’s findings, administrators can enforce policy actions on the traffic within their environments. You can also use the EVE to identify and stop malware.
Administrators can leverage and adjust EVE’s threat score to block malicious encrypted traffic. If the probability that the incoming traffic is malicious, then based on the threat score, you can configure EVE to block the connection.
A large corporate network uses Snort 3 as its primary intrusion detection and prevention system. In a rapidly evolving threat landscape, adoption of robust network security measures is necessary and important. The security team uses EVE to enhance encrypted traffic inspection without the need to implement full man-in-the-middle (MITM) decryption. The EVE technology uses fingerprints of known malicious processes to identify and stop malware. Network administrators must have the flexibility to configure EVE’s block traffic thresholds to block potentially malicious connections, which are based on their configured block thresholds.
You must be running management center 7.4.0 or later, and the managed threat defense must also be 7.4.0 or later.
Ensure that you have a valid Intrusion Prevention System (IPS) license and Snort 3 is the detection engine.
EVE analyzes the incoming traffic and gives a verdict on the probability of incoming traffic being malware or not.
If EVE detects incoming traffic to be malware with a certain level of confidence, you can configure EVE to block that traffic.
The packets are first checked for malware probability or threat score, and the threat score is compared with the block threshold that you have set.
If the threat score is higher than the configured threshold, EVE blocks the traffic.
If the threat score is lesser than the configured threshold, EVE takes no action.
This procedure shows how to block potentially malicious traffic, based on the EVE threat confidence score of 90 percent or higher.
|
Step 1 |
Choose . |
||
|
Step 2 |
Click Edit ( |
||
|
Step 3 |
Choose Advanced Settings from the More drop-down arrow at the end of the packet flow line. |
||
|
Step 4 |
Click Edit ( 
|
||
|
Step 5 |
In the Encrypted Visibility Engine page, enable the Encrypted Visibility Engine (EVE) toggle button. |
||
|
Step 6 |
Enable the Block Traffic Based on EVE Score toggle button. Any incoming traffic that is a potential threat is blocked by default. 
|
||
|
Step 7 |
Use the slider to adjust the threshold for blocking based on EVE threat confidence. This ranges from Very Low to Very High. In this example, the slider is set to Very High. 
|
||
|
Step 8 |
For further granular control, enable the Advanced Mode toggle button. Now, you can assign a specific EVE Threat Confidence Score for blocking traffic. The default threshold is 99 percent. |
||
|
Step 9 |
In this example, change the block threshold to 90 percent.
|
||
|
Step 10 |
Click OK. |
||
|
Step 11 |
Click Save. |
Deploy configuration changes. See Deploy Configuration Changes.
|
Step 1 |
To verify the block action, choose . You can also view the events from the Unified Events viewer. |
|
Step 2 |
If you have configured EVE to block traffic, the Reason field shows Encrypted Visibility Block. 
|
|
Step 3 |
The following is an example of the Encrypted Visibility Process Name as test_malware, Encrypted Visibility Threat Confidence as Very High, and Encrypted Visibility Threat Confidence Score as 90 percent. 
|
For detailed conceptual information, see the Encrypted Visibility Engine for Snort 3 chapter in this guide or the content in the following link:
) next to the access control policy you want to edit.
Feedback