Encrypted Visibility Engine

The encrypted visibility engine (EVE) is used to provide more visibility into the encrypted sessions without the need to decrypt them. These insights into encrypted sessions are obtained by Cisco's open-source library that is packaged in Cisco's vulnerability database (VDB). The library fingerprints and analyzes incoming encrypted sessions and matches it against a set of known fingerprints. This database of known fingerprints is also available in the Cisco VDB.

Use the Encrypted Visibility Engine toggle button, available under the Advanced tab of the access control policy, to enable or disable EVE. In CDO 7.1, encrypted visibility engine is used to only provide more visibility into the encrypted traffic. It does not enforce any actions on that traffic.

Note

The encrypted visibility engine feature is supported only on CDO-managed devices running Snort 3. This is feature is not supported on Snort 2 devices, FDM-managed devices, or CDO.

After the Encrypted Visibility Engine toggle button is enabled and your access control policy is deployed, you can start sending live traffic through your system. You can view the logged connection events in the Connection Events page. To access the connection events, in CDO, go to Analysis > Connections > Events, and click the Table View of Connection Events tab. You can also view the connection event fields in the Unified Events viewer. In the Analysis tab, click Unified Events. TLS fingerprinting can identify the client process that initiated a connection, the OS on the client, and if the process contains malware or not.

In the Connection Events page, the following columns are added for TLS fingerprinting. Note that you must explicitly enable the mentioned columns.

  • TLS Fingerprint Process Name

  • TLS Fingerprint Process Confidence Score

  • TLS Fingerprint Malware Confidence

  • TLS Fingerprint Malware Confidence Score

  • Detection Type

For information about these fields, see the section Connection and Security Intelligence Event Fields in the Cisco Firepower Management Center Administration Guide.

You can view the analysis information in two dashboards. Under Overview > Dashboards, click Dashboard. In the Summary Dashboard window, click the switch dashboard link and select Application Statistics from the dropdown box. Select the TLS Fingerprint tab to view the following two dashboards:

  • Top TLS Fingerprint Discovered Processes—Displays the top TLS process names being used in your network and the connection count. You can click the process name in the table to see the filtered view of the Connection Events page, which is filtered by the process name.

  • Connections by TLS Fingerprint Malware—Displays the connections by the confidence levels (Very High, Very Low, and so on). You can click the malware confidence level in the table to see the filtered view of the Connection Events page, which is filtered by the confidence level.