With the multitude of network security vendors and products, finding the most capable and diverse technologies while staying within budget can be a chore. Many solutions monitor traffic flows and watch for patterns that match a pre-defined signature; others sniff traffic and perform deep packet inspection to detect threats such as worm propagation and SQL injection. A relatively new and more dynamic class of product has been evolving in enterprise network security that raises the bar on threat detection. Network Behavior Analysis (NBA) systems go beyond signature- and policy-based detection to give administrators insight into activity that was previously hard to trace.
Network Behavior Analysis devices learn what normal operation looks like on a network and keep a history of its traffic patterns. Like an intrusion-prevention system (IPS), they watch for worms, botnets and denial-of-service attacks by comparing packet data to pre-defined signatures. What sets them apart from earlier security tools is that they keep track of which devices communicate with which, and how. If a computer in the engineering department starts pulling files from a server in the accounting department, and that behavior has not been observed before, the NBA device raises an alarm for further investigation. A typical IPS may detect a guest laptop scanning ports on several endpoints, but raises no alarm if that same laptop is mounting a man-in-the-middle attack against a device downstream of it. Feeding NetFlow, sFlow, syslog and/or SNMP trap data from network devices into an NBA solution lets it pick up small changes: flow records show who talks to whom, while syslog and SNMP traps carry device-state changes such as an ARP table update with no explanation, and staff can be alerted as soon as one is seen. An attack that collects information from a system will usually try to transmit that information to a remote host; the new destination, or the unusual volume, stands out against the learned baseline and is flagged to network management. Roles can be assigned to devices, giving the NBA system a clearer picture of what each endpoint is expected to do.
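The three behaviors described above (a baseline of which hosts talk to which, role assignments for endpoints, and an outbound transfer that breaks the learned pattern) can be shown with a small flow scorer. This is an added example written for this article, not code from any of the products named on this page. The addresses, role ranges, policy table and flow records are all constructed for illustration, and the records carry only the fields a NetFlow or sFlow collector would export: source, destination, destination port and byte count.

```python
"""Toy network-behavior analysis: learn which hosts talk to which, then alarm
on flows that break the learned pattern or an assigned role policy.

Added example, not any vendor's code. All addresses, roles and flows below
are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    nbytes: int


# Hypothetical role assignments, the equivalent of telling the NBA device what
# each address range is for. Anything outside these ranges counts as external.
ROLES = {
    ipaddress.ip_network("10.1.0.0/16"): "engineering",
    ipaddress.ip_network("10.2.0.0/16"): "accounting",
    ipaddress.ip_network("10.9.0.0/16"): "guest",
}

# Hypothetical role policy: guest devices never initiate traffic to internal roles.
FORBIDDEN_ROLE_PAIRS = {("guest", "engineering"), ("guest", "accounting")}

# Flag an outbound flow this many times larger than the biggest one in the baseline.
EXFIL_FACTOR = 10


def role_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for net, role in ROLES.items():
        if ip in net:
            return role
    return "external"


class BehaviorBaseline:
    """Per source host: the (destination, port) peers seen during the learning
    window, and the largest single flow it sent to an external host."""

    def __init__(self) -> None:
        self.peers = defaultdict(set)
        self.max_external_bytes = {}

    def learn(self, flows) -> None:
        for f in flows:
            self.peers[f.src].add((f.dst, f.dst_port))
            if role_of(f.dst) == "external":
                prev = self.max_external_bytes.get(f.src, 0)
                self.max_external_bytes[f.src] = max(prev, f.nbytes)

    def score(self, f: Flow) -> list:
        """Return (kind, detail) alarms for one flow; an empty list means normal."""
        alarms = []
        src_role, dst_role = role_of(f.src), role_of(f.dst)
        if (src_role, dst_role) in FORBIDDEN_ROLE_PAIRS:
            alarms.append(("role-policy", f"{src_role} {f.src} -> {dst_role} {f.dst}:{f.dst_port}"))
        if (f.dst, f.dst_port) not in self.peers.get(f.src, set()):
            alarms.append(("new-peer", f"{f.src} -> {f.dst}:{f.dst_port} not in baseline"))
        if dst_role == "external" and f.src in self.max_external_bytes:
            if f.nbytes > EXFIL_FACTOR * self.max_external_bytes[f.src]:
                alarms.append(("possible-exfiltration", f"{f.src} sent {f.nbytes} bytes to {f.dst}"))
        return alarms


# Constructed learning-window flows: normal engineering and accounting activity.
BASELINE_FLOWS = [
    Flow("10.1.0.5", "10.1.0.100", 445, 50_000),    # eng workstation -> eng file server
    Flow("10.1.0.5", "203.0.113.10", 443, 20_000),  # eng workstation -> external web site
    Flow("10.2.0.7", "10.2.0.200", 445, 80_000),    # accounting workstation -> accounting server
]

# Constructed flows to score once the baseline has been learned.
NEW_FLOWS = {
    "eng_pulls_from_accounting": Flow("10.1.0.5", "10.2.0.200", 445, 40_000),
    "guest_hits_eng_server": Flow("10.9.0.3", "10.1.0.100", 445, 4_000),
    "eng_bulk_upload_new_host": Flow("10.1.0.5", "198.51.100.7", 443, 900_000),
    "eng_normal_browsing": Flow("10.1.0.5", "203.0.113.10", 443, 15_000),
}


def run_demo() -> dict:
    """Learn from BASELINE_FLOWS, score NEW_FLOWS, return {name: [alarm kinds]}."""
    baseline = BehaviorBaseline()
    baseline.learn(BASELINE_FLOWS)
    return {name: [kind for kind, _ in baseline.score(f)] for name, f in NEW_FLOWS.items()}


if __name__ == "__main__":
    for name, kinds in run_demo().items():
        print(f"{name}: {kinds or 'no alarm'}")
```

The engineering workstation reaching the accounting server trips only the new-peer check, because no role policy forbids it; the guest laptop trips both the role policy and the new-peer check; the 900 kB upload to a host never seen before trips new-peer and the volume check. The last record is the caveat worth remembering: a modest transfer to a destination that already sits in the baseline raises nothing, so a low-and-slow leak over an already-approved channel is exactly what a baseline-driven tool is weakest against.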
Flow records from routers and switches provide a good deal of insight into traffic patterns, but deploying NBA at the core of your network and mirroring traffic into the devices is the best way to get a full bird's-eye view of network behavior. NetFlow, sFlow and RMON record and maintain traffic statistics; inspecting the actual packets can uncover advanced threats and detect zero-day attacks for which no signature exists yet, although it sees no further into an encrypted payload than a flow record does. Most NBA vendors support traffic capture, and it should be used to take full advantage of the product's abilities. Choose a solution that scales to your environment and offers capture interfaces with enough bandwidth to collect all the data efficiently. Keep in mind that a security appliance's inspection throughput is often lower than the raw bandwidth of its interfaces, so verify the inspected throughput under realistic traffic before committing to a product.
The most advanced feature of network behavior analysis devices is their ability to learn the network's behavior on their own, something signature- and policy-based tools do not do. This extra layer of monitoring can close many gaps in your security net, speed up response to threats and provide a useful tool for network governance and compliance. Top current solutions are Cisco Systems' MARS, Arbor Networks' Peakflow X, Lancope's StealthWatch, Mazu Networks' Profiler and Q1 Labs' QRadar. With price tags above $100k, these solutions are aimed squarely at enterprise networks with requirements (and budgets) for advanced security and compliance monitoring.