Method, secure device, system and computer program product for securely managing user access to a file system
US-9152815-B2 · Oct 6, 2015 · US
US9854000B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9854000-B2 |
| Application number | US-201414534429-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 6, 2014 |
| Priority date | Nov 6, 2014 |
| Publication date | Dec 26, 2017 |
| Grant date | Dec 26, 2017 |
Official abstract text for this publication.
In one embodiment, a method includes identifying unusual behavior with respect to a handshake between a first endpoint and a second endpoint that are included in a network, and determining whether the unusual behavior with respect to the handshake indicates presence of malicious software. The method also includes identifying at least one of the first endpoint and the second endpoint as potentially being infected by the malicious software if it is determined that the unusual behavior with respect to the handshake indicates the presence of malicious software.
Opening claim text (preview).
What is claimed is:

1. A tangible, non-transitory computer-readable medium comprising computer program code, the computer program code, when executed, configured to: identify unusual behavior with respect to a handshake between a first endpoint and a second endpoint, wherein the first endpoint and the second endpoint are included in a network, wherein the unusual behavior is identified by an observer node included in the network, the observer node being inline on the network between the first endpoint and the second endpoint, the observer node being arranged to obtain communications between the first endpoint and the second endpoint, and wherein the handshake is one selected from a group including a Transport Layer Security (TLS) handshake, a Secure Sockets Layer (SSL) handshake, and a Datagram Transport Layer Security (DTLS) protocol handshake; determine whether the unusual behavior with respect to the handshake indicates presence of malicious software, wherein the computer program code configured to determine whether the unusual behavior with respect to the handshake indicates the presence of the malicious software includes computer program code configured to use at least one selected from a group including telemetry data and historical data associated with the network to determine a likelihood that the unusual behavior with respect to the handshake indicates the presence of the malicious software; and identify at least one of the first endpoint and the second endpoint as potentially being infected by the malicious software if it is determined that the unusual behavior with respect to the handshake indicates the presence of the malicious software, wherein the at least one selected from the group including the telemetry data and the historical data includes an indication of whether at least one previous connection between the first endpoint and the second endpoint that leveraged an interception proxy was successful, wherein if the at least one previous connection was successful, the presence of the malicious software is indicated.

2. An apparatus comprising: logic, the logic including a monitoring module, a detection module, and an identification module, the monitoring module being configured to monitor communications on a network by intercepting the communications between endpoints in the network, the communications on the network including handshake communications, wherein the detection module is configured to detect when the handshake communications include an unusual handshake communication, and wherein the identification module is arranged to determine when the unusual handshake communication indicates that at least one endpoint is compromised by malicious software; a processing arrangement, wherein the logic includes computer program code and wherein the processing arrangement is configured to execute the computer program code; and a data storage arrangement, the data storage arrangement being configured to store least one selected from a group including historical information associated with the network and telemetry information associated with the network, wherein the identification module is configured to use the at least one selected from the group including the historical information associated with the network and the telemetry information associated with the network to determine when the unusual handshake communication indicates that the at least one endpoint is compromised by the malicious software, wherein the at least one selected from the group including the telemetry data and the historical data includes an indication of whether at least one previous connection between the first endpoint and the second endpoint that leveraged an interception proxy was successful, wherein if the at least one previous connection was successful, the presence of the malicious software is indicated.

3. A method comprising: identifying unusual behavior with respect to a handshake between a first endpoint and a second endpoint, wherein the first endpoint and the second endpoint are included in a network, wherein the unusual behavior is identified by an observer node included in the network, the observer node being inline on the network between the first endpoint and the second endpoint, the observer node being arranged to obtain communications between the first endpoint and the second endpoint and wherein the handshake is one selected from a group including a Transport Layer Security (TLS) handshake, a Secure Sockets Layer (SSL) handshake, and a Datagram Transport Layer Security (DTLS) protocol handshake; determining whether the unusual behavior with respect to the handshake indicates presence of malicious software, wherein determining whether the unusual behavior with respect to the handshake indicates the presence of the malicious software includes using at least one selected from a group including telemetry data and historical data associated with the network to determine a likelihood that the unusual behavior with respect to the handshake indicates the presence of the malicious software; and identifying at least one of the first endpoint and the second endpoint as potentially being infected by the malicious software if it is determined that the unusual behavior with respect to the handshake indicates the presence of the malicious software, wherein the at least one selected from the group including the telemetry data and the historical data includes an indication of whether at least one previous connection between the first endpoint and the second endpoint that leveraged an interception proxy was successful, wherein if the at least one previous connection was successful, the presence of the malicious software is indicated.
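The decision logic recited in claims 1 and 3, as an added sketch that is not code from the patent or its assignee: an inline observer keeps per-pair history of handshakes that went through the interception proxy and flags both endpoints when an unusual handshake follows an earlier successful proxied one. The page does not define "unusual behavior", so the sketch assumes it means a proxied handshake that fails to complete; the `Handshake` fields, the `Observer` class, `flag_endpoints` and the sample addresses are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Handshake:
    client: str      # first endpoint
    server: str      # second endpoint
    protocol: str    # "TLS", "SSL" or "DTLS", the group named in the claims
    via_proxy: bool  # the connection leveraged the interception proxy
    completed: bool  # the handshake finished successfully

class Observer:
    """Inline observer node holding historical data per endpoint pair."""
    PROTOCOLS = {"TLS", "SSL", "DTLS"}

    def __init__(self):
        # (client, server) pairs with at least one successful proxied handshake
        self.proxied_ok = set()

    def observe(self, hs):
        """Return the endpoint pair to flag as potentially infected, or ()."""
        if hs.protocol not in self.PROTOCOLS:
            return ()
        pair = (hs.client, hs.server)
        # Assumption: "unusual" = a proxied handshake that does not complete.
        unusual = hs.via_proxy and not hs.completed
        # Claimed test: unusual now, but a previous proxied connection worked.
        flagged = pair if unusual and pair in self.proxied_ok else ()
        if hs.via_proxy and hs.completed:
            self.proxied_ok.add(pair)  # update history after the decision
        return flagged

def flag_endpoints(events):
    """Run a sequence of handshakes through one observer; collect flags."""
    obs = Observer()
    return [hit for hit in (obs.observe(e) for e in events) if hit]

# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [
    Handshake("10.0.0.5", "203.0.113.10", "TLS", True, True),    # builds history
    Handshake("10.0.0.7", "198.51.100.20", "DTLS", True, False), # no history
    Handshake("10.0.0.5", "203.0.113.10", "TLS", True, False),   # flagged
    Handshake("10.0.0.5", "203.0.113.10", "TLS", True, True),    # normal again
]

if __name__ == "__main__":
    for client, server in flag_endpoints(SAMPLE):
        print(f"potentially infected: {client} or {server}")
```

A failed proxied handshake with no prior success for the same pair is not flagged here, because the claims tie the indication to the historical record rather than to the failure alone.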
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
at the transport layer · CPC title
by monitoring network traffic (monitoring network traffic per se H04L43/00) · CPC title