With encryption, cloud computing, new DevOps processes and the proliferation of IoT devices, the enterprise network has unquestionably changed. The “new network” in many ways is not just a network anymore. It is APIs into SaaS and serverless workloads; virtual or cloud taps on AWS and Azure; and yes, it is also the traditional tap or SPAN traffic on on-premises networks. So, it should come as no surprise that these changes are forcing security approaches to evolve as well, bringing advanced network traffic analysis to the forefront.
Growing network complexity creates a fog that limits visibility and prevents security teams from implementing effective threat detection and response capabilities against today’s threats. In addition, security teams need visibility into more than the traditional north-south traffic: they also need to see east-west traffic at the core, between offices, within the data center and so on.
How do We Improve Network Visibility?
At Awake we believe that the key to improving visibility lies in embracing these challenges. This new network still sees everything and offers a ground truth of data that can serve as a solid foundation for security efforts. Unlike logs or endpoint agents, network traces can’t be deleted, and the technology can’t be disabled. Threat actors cannot “unsend” a packet and they cannot avoid the artifacts that their actions create. The network also has a memory, allowing for both real-time and retrospective detection.
But today’s advanced network traffic analysis looks quite different from your parents’ network detection and response. Our new white paper, “The Advent of Advanced Network Traffic Analysis and Why it Matters,” takes a closer look at this evolution, its driving factors and the challenges encountered along the way. By looking at how network security has evolved, we can gain new clarity as to the best path forward for security teams.
A Brief History of Advanced Network Traffic Analysis
The bird’s-eye view is this: beginning as network intrusion detection systems (IDS), older network security models were focused on detecting known malware. IDS, however, was found lacking as attackers began to deploy malware variants that evaded existing signatures, and signature-based solutions became synonymous with false positives.
Next came sandboxes, which used a combination of static and dynamic analysis to surface unknown malware. Unfortunately, the effectiveness of sandboxes pushed innovative attackers to branch away from malware altogether. Threat actors began using phishing and other techniques to steal legitimate credentials, which are then used to penetrate an organization.
This is how network traffic analysis (NTA) was born: it shifted from identifying the ‘known bad’ to establishing a baseline of ‘known good’, then flagging deviations from that baseline. NTA has shown great promise, but its behavioral analytics and anomaly detection have their challenges too. Networks and user behaviors legitimately change all the time, so these systems also tend to be noisy and require a fair amount of care and feeding to keep them going. Security teams that have bought into these solutions struggle to keep costs down while continuing to see value from them.
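To make the baseline-then-flag idea concrete, here is an added example that is not Awake’s code or the white paper’s method. It builds a per-host “known good” baseline from constructed daily flow summaries (bytes sent out and number of distinct destinations), flags a day as anomalous when a metric sits more than a chosen number of standard deviations from the host’s baseline, and then shows the noise problem the paragraph above describes: a legitimate change in behavior (a host starting to talk to many new SaaS destinations) trips the detector until an analyst folds the new behavior back into a sliding-window baseline. The host names, numbers and the z-score threshold are all assumptions chosen for illustration.

```python
"""Toy 'known good' baseline and anomaly flagging over per-host flow summaries.

Added example, not Awake's product code. All sample data below is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

METRICS = ("bytes_out", "distinct_dests")

# Constructed baseline week: (host, bytes_out per day, distinct destinations per day)
KNOWN_GOOD = [
    ("ws-17", 48_000_000, 19), ("ws-17", 52_000_000, 21), ("ws-17", 50_000_000, 20),
    ("ws-17", 47_000_000, 18), ("ws-17", 53_000_000, 22),
    ("ws-22", 20_000_000, 10), ("ws-22", 22_000_000, 11), ("ws-22", 19_000_000, 9),
    ("ws-22", 21_000_000, 10), ("ws-22", 23_000_000, 12),
]


def build_baseline(records):
    """Collect each host's observed values per metric; stats are derived on demand."""
    baseline = defaultdict(lambda: {m: [] for m in METRICS})
    for host, bytes_out, dests in records:
        baseline[host]["bytes_out"].append(bytes_out)
        baseline[host]["distinct_dests"].append(dests)
    return baseline


def zscore(value, series):
    """Standard score of value against the series, with a floor on sigma so that a
    perfectly regular host does not alert on tiny, meaningless wobbles."""
    mu = mean(series)
    sigma = max(pstdev(series), 0.05 * abs(mu), 1.0)
    return (value - mu) / sigma


def score(record, baseline, threshold=3.0):
    """Return the names of metrics that deviate from the host's baseline.

    A host never seen in the known-good window is itself worth a look, so it is
    reported as 'unknown_host' rather than silently ignored.
    """
    host, bytes_out, dests = record
    if host not in baseline:
        return ["unknown_host"]
    observed = {"bytes_out": bytes_out, "distinct_dests": dests}
    return [m for m in METRICS if abs(zscore(observed[m], baseline[host][m])) >= threshold]


def fold_in(baseline, record, window=5):
    """Analyst marked this day as legitimate: add it to the host's baseline and keep
    only the most recent `window` days, so the baseline follows real behavior change."""
    host, bytes_out, dests = record
    baseline[host]["bytes_out"] = (baseline[host]["bytes_out"] + [bytes_out])[-window:]
    baseline[host]["distinct_dests"] = (baseline[host]["distinct_dests"] + [dests])[-window:]
    return baseline


if __name__ == "__main__":
    base = build_baseline(KNOWN_GOOD)
    # Bulk transfer to very few destinations: both metrics deviate.
    print(score(("ws-17", 5_000_000_000, 3), base))      # ['bytes_out', 'distinct_dests']
    # Normal volume, but many new destinations: the team adopted a new SaaS suite.
    print(score(("ws-22", 21_000_000, 30), base))        # ['distinct_dests']  (false positive)
    # Fold five analyst-approved days of the new pattern into a sliding baseline.
    for dests in (28, 30, 31, 29, 30):
        fold_in(base, ("ws-22", 21_000_000, dests))
    print(score(("ws-22", 21_000_000, 30), base))        # []  (new normal, no longer noisy)
```

The sliding window is the “care and feeding”: without it, the benign change keeps alerting every day, and simply appending the new days without trimming inflates the variance so much that both the old and new behavior look normal. Either way, someone has to decide which deviations are legitimate, which is the operational cost the paragraph above refers to.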
Advanced NTA Today
Recent advances in network processing, analytics and security research are now ushering in a new era of advanced network traffic analysis that delivers substantial gains over traditional network security, delivering on something we call malicious intent detection. While modern attacks are often designed to blend in with business-justified behaviors, advanced NTA helps analysts identify malicious intent and unravel threat actors’ well-disguised attacks, a threat hunting activity previously reserved for only the most sophisticated analysts. Through techniques like encrypted traffic analysis and entity tracking, advanced NTA solutions democratize and streamline this process, eliminating the challenges that have plagued first-generation NTA solutions.
If you’re interested in learning more about how advanced NTA works, check out the full white paper, or shoot us a note at [email protected][.]com. We’re happy to discuss how advanced NTA fits in with your security architecture.
By Rudolph Araujo