Blog Post

What is Network Traffic Analysis (NTA)?

Network traffic analysis (NTA) is the process of intercepting, recording and analyzing network traffic communication patterns in order to detect and respond to security threats. NTA is an emerging technology and product category that was first recognized by Gartner.

In February 2019, Gartner published its first Market Guide for Network Traffic Analysis after beginning to track NTA as a category in late 2018. The Network Traffic Analysis Market Guide outlines what Gartner believes to be the key characteristics security and risk professionals should consider when evaluating NTA solutions. It also provides a list of representative vendors serving the market.

Shortly after publishing the NTA market guide, Gartner also issued a related report that offered advice about how “network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.” Among its key findings, this paper notes how “high-maturity” clients use NTA in their security operations center (SOC) and how some companies use network-based technologies as their only threat detection tool.

Network Traffic Analysis Tools for Security

As an emerging and quickly evolving category of security tools, NTA solutions have many different features and origins. For example, some solutions were developed as tools to monitor network performance while others were purpose-built for security. Perhaps surprisingly, this distinction is important and affects the utility of the solution to the security team. We discuss this in more detail in the Advanced Network Traffic Analysis whitepaper, but here are some of the attributes we believe to be critical components of security-first NTA tools.

  • Visibility of the “new network.” For network traffic analysis to be effective, solutions must have a deep understanding of all the business entities in an organization. With a network perimeter that’s no longer easily defined, visibility into the new network – including the data center, perimeter, core, Internet of things and operational technology networks, and those connecting cloud and SaaS resources – is essential. Only then will a solution be able to analyze every communication between every entity to provide a comprehensive view without blind spots.
  • Privacy Awareness. As privacy becomes a central part of any organization’s IT policy and stricter privacy rules are legislated across the world, security solutions need to take this shift into account. One important way to do this is through encrypted traffic analysis. With new privacy concerns, organizations will not always be able to decrypt traffic to look at payloads, and they shouldn’t have to. New methods of traffic analysis can look at attributes ranging from the communicating applications to the nature of the communication (file transfer vs. interactive shell e.g. SSH, vs. web browsing session, vs. video sharing, etc.) to identify malicious activity. Additionally, it’s important for data to never be transferred outside of a customer’s own infrastructure for analysis and/or to be used for training algorithms. Transferring sensitive, customer-identifiable information outside of an organization’s infrastructure could expose that organization to privacy and compliance issues.
  • Intelligence beyond baselining. Temporal baselining and anomaly detection have been effective in early generations of network analysis tools, but over-generalizing entities and behaviors that are constantly changing across an organization can lead to many false positives and false negatives. Modern tools should perform behavioral analytics with deeper context based on an understanding of the entities involved, behaviors of similar entities and behaviors prevalent across the enterprise. This approach provides more accurate results and also avoids the need to retrain the system when legitimate behaviors change – for example when new software is deployed or other organizational changes occur.
  • Strong integrations. Network traffic analysis is an extremely effective method for security operations teams to gain insight into managed and unmanaged devices, people, and entities. It gives SOC teams the ability to identify modern threats that blend with business-justified activity and are becoming increasingly difficult to detect. To augment this core competency, it’s important for network traffic analysis tools to maintain strong alliances with companies across the cybersecurity and technology industry including those offering SIEM systems, endpoint detection, incident response automation and orchestration, cloud platforms, and more. This will allow SOC teams to quickly use the most advanced tools to act upon critical information, and/or allow these actions to occur automatically.

Additional Resources:

For additional background and information on the emerging NTA category, Awake’s glossary of security terms is one valuable resource to explore. And of course, you can also contact us for an in-depth discussion or click through to learn more about the Awake Security Platform.