Thwarting the Insider Threat with Network Traffic Analysis

For decades, anyone analyzing network traffic concentrated on external network traffic, known as north-south traffic, through the perimeter via firewalls. Although firewalls evolved to better analyze this traffic, two primary trends emerged: 1) cloud adoption was causing the perimeter to become more porous, even to the point of extinction, and 2) as attackers gained sophistication, threats inside the network were becoming increasingly difficult to detect. North-south traffic analysis was no longer enough to protect an organization’s network.

The first tools used to analyze internal network traffic, known as east-west traffic, were deep packet inspection solutions originally built for ingress/egress traffic analysis. The challenge with these inline solutions is that they were very expensive to deploy and scale, leading organizations to make strategic bets on which east-west traffic to monitor and which to leave unmonitored.

Also during this time, user and entity behavior analysis emerged as a possible solution to insider threats. These solutions relied primarily on logs to analyze user behavior on hosts, but did not provide deep analysis of east-west network traffic. To gain full value from them, they typically needed to be integrated with security information and event management (SIEM) platforms, which still had limitations when it came to detecting unknown attack behaviors.

Recognizing the limitations of existing solutions in the market, Gartner identified a new security market known as Network Traffic Analysis (NTA). The capabilities defined in their Market Guide include:

Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real time or near real time

Have the ability to monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network)

Be able to model normal network traffic and highlight anomalous traffic

Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics, that detect network anomalies

Be able to emphasize the threat detection phase, rather than the forensics — for example, packet capture (PCAP) analysis — phase of an attack
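The capabilities above (learn what normal east-west traffic looks like, flag what deviates, without signatures) can be sketched on flow records in a few lines. This is an added example, not code from the original post, Gartner or ExtraHop; it assumes 10.0.0.0/8 is the internal address space and works on constructed NetFlow-style records of the form (src, dst, dst_port, bytes).

```python
from collections import defaultdict
from statistics import mean, pstdev
import ipaddress
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

BASELINE_FLOWS = [  # constructed NetFlow-style records from a quiet training window
    ("10.0.1.10", "10.0.2.20", 445, 4000), ("10.0.1.10", "10.0.2.20", 445, 4200),
    ("10.0.1.10", "10.0.2.21", 443, 3900), ("10.0.1.10", "10.0.2.21", 443, 4100),
    ("10.0.1.11", "10.0.2.20", 445, 1500), ("10.0.1.11", "10.0.2.20", 445, 1600),
    ("10.0.1.11", "10.0.2.22", 22, 1400),
]

def is_east_west(src, dst):
    # A flow is east-west when both endpoints sit inside the internal range.
    return ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) in INTERNAL

def build_baseline(flows):
    """Per source host: the (dst, port) peers seen plus byte mean and stdev."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for src, dst, port, nbytes in flows:
        if is_east_west(src, dst):
            peers[src].add((dst, port))
            sizes[src].append(nbytes)
    return {src: {"peers": peers[src], "mean": mean(sizes[src]),
                  "stdev": pstdev(sizes[src])} for src in peers}

def score_flows(baseline, flows, z_threshold=3.0):
    """Return (flow, reason) for east-west flows that fall outside the baseline."""
    alerts = []
    for flow in flows:
        src, dst, port, nbytes = flow
        if not is_east_west(src, dst):
            continue  # north-south traffic is left to the perimeter tooling
        model = baseline.get(src)
        if model is None:
            alerts.append((flow, "unknown internal source"))
        elif (dst, port) not in model["peers"]:
            alerts.append((flow, "new lateral peer"))
        # zero stdev means too little history to judge volume, so skip that check
        elif model["stdev"] and abs(nbytes - model["mean"]) / model["stdev"] > z_threshold:
            alerts.append((flow, "byte volume anomaly"))
    return alerts

NEW_FLOWS = [  # constructed flows from a later window, scored against the baseline
    ("10.0.1.10", "10.0.2.20", 445, 4050),    # within baseline: no alert
    ("10.0.1.10", "10.0.3.99", 445, 4000),    # SMB to a host never seen before
    ("10.0.1.11", "10.0.2.20", 445, 900000),  # oversized transfer to a known peer
    ("10.0.1.10", "203.0.113.5", 443, 5000),  # north-south: out of scope here
    ("10.0.9.9", "10.0.2.20", 445, 100),      # source with no learned behavior
]
```

Calling score_flows(build_baseline(BASELINE_FLOWS), NEW_FLOWS) returns the three flagged flows with their reasons; the real products replace the per-host mean/stdev with learned models over many more features, but the shape of the check is the same.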

Of the dozen-plus vendors identified in this new market, the pure-play NTA vendors have the best capabilities. Specifically, ExtraHop Reveal(x) delivers complete visibility and real-time detection of rogues, insiders, and low-and-slow attacks, with guided investigation for immediate, confident response. Key differentiators include:

Out-of-band, passive processing of network traffic at scale (up to 100Gbps). Many vendors top out at 40Gbps or less per appliance, which is not enough for today’s enterprises.

Instant access to application transaction contents at Layer 7 (application details), enabling rapid detection and investigation of suspected threats.

Real-time detection of threats based on machine-learning-driven behavioral analysis to catch unknown unknowns in ways that rules-based detection can’t.

Decryption capabilities, including for Perfect Forward Secrecy (PFS), providing access to concrete evidence of TTPs in use that would otherwise escape detection by hiding inside legitimate traffic.

Post by Matt Alderman: https://securityweekly.com/2019/05/23/thwarting-the-insider-threat-with-network-traffic-analysis/
