What Is Network Traffic Analysis?
According to Gartner: Network Traffic Analysis (NTA) is an emerging category of security product that uses network communications as the foundational data source for detecting and investigating security threats and anomalous or malicious behaviors within that network.
The practice of gathering network data, analyzing it, and making decisions based on the results has been around for decades, at least since tcpdump was released in 1988. This new category of product, however, is just now being defined. Gartner plans to release a Market Guide for Network Traffic Analysis within the next few months to highlight required capabilities and vendors in the network traffic analytics space.
Benefits of Network Traffic Analysis by Feature
Here are the key features every network traffic analyzer will need to include, and what makes them important:
- Real-time network data analysis - To provide accurate detection and investigation capabilities within a timeframe where they're actually usable, every NTA product needs to conduct analytics and deliver answers in real time, at scale.
- Complete east-west transaction visibility - For a network traffic analyzer to provide high-fidelity insight into threat behaviors, it needs to be able to see and analyze the actual contents of the network conversations. That means full L2-L7 visibility, application protocol decoding, and decryption of modern cryptographic standards (TLS 1.3). Legacy providers have focused on NetFlow or NetFlow-like metrics that show which devices are communicating and the volume of their conversations. This is coarse, low-fidelity data that can't provide much definitive insight compared to full visibility inside actual transactions.
- Safe, controlled decryption to eliminate dark space - Over 70% of web traffic is encrypted now, and that number is rapidly rising. Inside enterprise networks, the amount of traffic being encrypted is also rapidly rising toward 100%. While encryption is vital for protecting sensitive data, it also creates blind spots for security teams. One of the core purposes of NTA tools is to provide unprecedented visibility, which means the ability to decrypt traffic for analysis without compromising that data's security is a crucial, foundational feature for every NTA product.
- Baselining and anomaly detection - Every NTA product will need the ability to model the baseline behavior of device and user activity, and compare new observations against those baselines. Behavioral analytics are the best way to get actionable insight out of network data, as opposed to the signature-based models emphasized in other security product categories.
Deploying a Network Traffic Analyzer
NTA products analyze network traffic and those that analyze packet data typically deploy as an a physical or virtual appliance and receive a copy of network traffic (through port mirror or network tap) from a core switch in the data center, if deployed on premises. This provides the product with the east-west traffic within the data center—also called lateral communications. Other network appliances such as firewalls and IDS/IPS products focus on north-south traffic crossing the perimeter in and out of the environment, but NTA products focus on the "juicy middle" inside the data center, which has historically been dark space for Security Operations teams.
In cloud environments, the deployment is a little different because public cloud providers to date have not provided traffic mirroring functionality. To get the traffic, NTA products deploy software that forwards raw or processed traffic to a virtual appliance that is hosted in the same availability zone to minimize data transfer costs. As public cloud infrastructure and manageability mature, you should expect to see mirroring capabilities similar to ERSPAN feature on Cisco switches.
The Future of Network Traffic Analysis
The forthcoming Gartner Market Guide on Network Traffic Analysis will provide some clarity and direction to this nascent category. However, as always, defining a new category is a collaborative project among research firms, vendors, and users themselves. The opportunity exists now to define this category with the highest standards and most rigorous requirements, to deliver unprecedented visibility, definitive insights, and immediate answers to SecOps teams, and to set a new direction for a security market that has long been glutted with me-toos and vaporware.
Watch this space, as we'll plan to license and publish Gartner's NTA Market Guide as soon as it becomes available.
For more about how Network Traffic Analysis is poised to supercharge the Security Operations Center, we spoke with seasoned Security Analyst Eric Ogren of 451 Research. Watch the recorded webinar for frontline insights into this emerging category, including how it works, potential vendors in the space, and what to look out for in the near future!
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2018/what-is-network-traffic-analysis-nta/