Network traffic analysis (NTA) is the process of intercepting, recording and analyzing network traffic communication patterns in order to detect and respond to security threats. Originally coined by Gartner, the term represents an emerging security product category.
How Network Traffic Analysis is Different
While other network security tools such as firewalls and intrusion detection system (IDS)/intrusion prevention system (IPS) products focus on monitoring vertical traffic that crosses the perimeter of a network environment, network traffic analysis solutions are focused on all communications – whether those are traditional TCP/IP style packets, “virtual network traffic” crossing a virtual switch (or “vSwitch”), traffic from and within cloud workloads, and API calls to SaaS applications or serverless computing instances. These solutions also focus on operational technology and Internet of things (IoT) networks that are otherwise completely invisible to the security team. Advanced NTA tools are even effective when network traffic is encrypted.
The first generation of this technology focused on establishing a baseline of what’s ‘normal’ or ‘good’ and then pinpoint anomalies that could be ‘irregular’ or ‘bad.’ For example, these solutions attempt to spot anomalies such as, “This IP doesn’t normally see connections from China. Alert if any such connection occurs.” This approach has the downside of being noisy as business and IT evolves all the time for very legitimate reasons. Advanced NTA tools operate in a more intelligent manner by comparing not just to past behavior but also to other entities in the environment. Other improvements are also described in the list of key features below.
Why Network Traffic Analysis Matters
Attackers are perpetually modifying their tactics to avoid detection and frequently leverage legitimate credentials with trusted tools already deployed in a network environment, making it difficult for organizations to proactively identify critical security risks. Network traffic analysis products have emerged in response to attackers’ relentless innovation, offering organizations a realistic path forward for combatting creative attackers.
Additionally, thanks to the widespread adoption of cloud computing, DevOps processes and the IoT, maintaining effective network visibility has become a highly complex and overwhelming process. NTA products can serve as organizations’ single source of truth, identifying what is actually on the network. Networks see all and provide objective realities other data sources often struggle with.
Key Network Traffic Analysis Features
The most effective, advanced network traffic analysis solutions include the following key features:
- Broad Visibility: Whether the network communications in question are traditional TCP/IP style packets, virtual network traffic crossing from a vSwitch, traffic from and within cloud workloads, API calls to SaaS applications, or serverless computing instances, NTA tools have the ability to monitor and analyze a broad variety of communications in real-time.
- Encrypted Traffic Analysis: With over 70 percent of web traffic encrypted, organizations need an accessible method for decrypting their network traffic without disrupting data privacy implications. NTA solutions deliver on this challenge by enabling security professionals to uncover network threats by analyzing the full payload without actually peeking into it.
- Entity Tracking: NTA products offer the ability to track and profile all entities on a network, including the devices, users, applications, destinations, and more. Machine learning and analytics then attribute the behaviors and relationships to the named entities, providing infinitely more value to organizations than a static list of IP addresses.
- Comprehensive Baseline: To keep up with ever-changing modern IT environments, NTA solutions track behaviors that are unique to an entity or a small number of entities in comparison to the bulk of entities in an environment. The underlying data is available immediately and NTA machine learning baselines evolve in real-time as behaviors change. Also, with entity tracking capabilities, NTA baselines are even more comprehensive as they can understand the source and destination entities, in addition to traffic patterns. For instance, what might be normal for a workstation is not normal for a server or IP phone or camera.
- Detection and Response: Because NTA tools attribute behaviors to entities, ample context is available for detection and response workflows. This means security professionals no longer need to sift through multiple data sources such as DHCP and DNS logs, configuration management databases and directory service infrastructure in an attempt to gain comprehensive visibility. Instead, they can quickly detect anomalies, decisively track them down, determine the root cause and react accordingly.
The Consequential Promise of Network Traffic Analysis
What makes network traffic analysis technology particularly meaningful is its ability to combine its core capabilities to deliver malicious intent detection. Prior to the emergence of NTA products, intent detection was a time consuming, non-replicable process that required a high degree of skill, with security professionals struggling to express the anomalies they needed to look for in a way that could be automated through their security technology stack. For example, while it’s fairly straightforward to implement a rule such as, “Alert me if a connection occurs from a country we haven’t yet encountered,” it’s much more difficult to automate a rule like, “Alert me if anyone connects to this database server and then transfers data 2x or more the historical average volume.”
By automating the malicious intent detection process, advanced NTA solutions are reducing the skills and effort barrier that prevents many organizations from effectively protecting their most critical assets. NTA tools’ rule-based detection capability is also enabling more organizations to seek out specific attack tactics, techniques, and procedures. Because the rules themselves are easy to define and are automatically correlated across entities, time, protocols, and other relevant parameters, security professionals can look for sequences of events over weeks or months while mapping them to a known attacker kill chain or framework such as MITRE ATT&CK matrix.
Perhaps the most promising aspect of NTA solutions is the fact that they empower organizations to adapt the technology to align with the unique nuances and needs of any particular network. This allows security professionals to implement custom detection of threats that are organization-specific without requiring experienced data science teams or the need to modify training sets or algorithms.
- Network Traffic Analysis Opens the Eyes of the SOC White Paper
- Bringing the Power of Network Traffic Analysis into Splunk
- EMA Names Awake “Value Leader” in Network Security Analytics (includes a complimentary report on Network Traffic Analysis)