What Is Network Traffic Analysis?
According to Gartner: Network Traffic Analysis (NTA) is an emerging category of security product that uses network communications as the foundational data source for detecting and investigating security threats and anomalous or malicious behaviors within that network.
The practice of gathering network data, analyzing it, and making decisions based on the results has been around for decades, at least since tcpdump was released in 1988. This new category of product, however, is just now being defined.
Gartner's inaugural Market Guide for Network Traffic Analysis, published February 28, 2019, describes the capabilities Gartner considers foundational for NTA products and lists representative vendors in the space; a complimentary copy is available for download.
Benefits of Network Traffic Analysis by Feature
Here are the key features we believe every network traffic analyzer needs to include, and what makes them important for security operations with an emphasis on enterprise security:
- Real-time network data analysis - To provide accurate detection, investigation, and response capabilities within a timeframe where they're actually usable, every NTA product needs to conduct analytics and deliver answers in real time, at scale.
- Complete east-west transaction visibility - For a network traffic analyzer to provide high-fidelity insight into threat behaviors, it needs to see and analyze the actual contents of network conversations. That means full L2-L7 visibility, application protocol decoding, and decryption of current cryptographic standards, including TLS 1.3. One caveat a practitioner should keep in mind: TLS 1.3 (and any TLS 1.2 session negotiated with an ECDHE suite) provides forward secrecy, so a passive sensor cannot decrypt it with a copy of the server's private key alone; decryption requires per-session secrets forwarded from the endpoints, or an inline proxy that terminates the session. Legacy providers have focused on NetFlow or NetFlow-like records (IPFIX, sFlow) that show which devices are communicating, on which ports, and how much data they exchange. That is coarse, low-fidelity data: it cannot show the HTTP request, the DNS query, the SMB file name, or the database statement inside a conversation, which is where the evidence of an attack usually lives.
- Safe, controlled decryption to eliminate dark space - Over 70% of web traffic is encrypted now, and that share is rising. Inside enterprise networks, the proportion of encrypted traffic is also rising toward 100%. While encryption is vital for protecting sensitive data, it also creates blind spots for security teams. One of the core purposes of NTA tools is to provide complete visibility, which means the ability to decrypt traffic for analysis without compromising that data's security is a crucial, foundational feature for every NTA product. In practice, "safe and controlled" means the session keys and any decrypted payload stay on the appliance under at least the same access controls as the original data, and decryption is scoped by policy (which hosts, which applications) rather than applied indiscriminately to everything on the wire.
- Baselining and anomaly detection - Every NTA product needs the ability to model the baseline behavior of devices and users and compare new observations against those baselines. Behavioral analytics are the best way to get actionable insight out of network data, as opposed to the signature-based models emphasized in other security product categories. The practical caveat is that baselines require a learning period, drift as the environment changes, and produce false positives until tuned, so most teams run them alongside signature and indicator matching rather than instead of it.
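The baselining bullet above describes the idea in the abstract. The following is an added example written for this article (it is not ExtraHop or Gartner code, and the flow records in it are constructed, not captured). It learns two kinds of per-host baseline from east-west flow summaries: hourly outbound volume, scored with a robust median/MAD z-score so that one burst cannot poison the baseline, and the set of (peer, port) pairs each host normally talks to, so a first-ever SMB connection to a new internal peer is flagged even though it moves only a kilobyte. The threshold of 3.5 and the constant 0.6745 are the usual modified z-score rule of thumb; the learning window of seven hours is an assumption chosen to keep the sample small.

```python
"""Baselining and anomaly detection over east-west flow summaries.

Added example for this article (not ExtraHop or Gartner code). It models
two per-host baselines an NTA product would learn from network data:
(1) outbound bytes per hour, scored with a robust median/MAD z-score, and
(2) the set of (peer, port) pairs the host has been seen talking to.
All flow records below are constructed for illustration.
"""
from collections import defaultdict
from statistics import median

# Constructed hourly flow summaries: (src, hour, dst, dport, bytes_out)
FLOWS = [
    # 10.0.1.10: steady web client, then a large upload in hour 7
    *[("10.0.1.10", h, "10.0.9.5", 443, b)
      for h, b in enumerate([4100, 3900, 4300, 4000, 4200, 3800, 4100, 210000])],
    # 10.0.1.11: a file server with large but steady volume
    *[("10.0.1.11", h, "10.0.9.6", 445, b)
      for h, b in enumerate([900000, 880000, 910000, 905000, 890000, 900000, 895000, 902000])],
    # hour 7: 10.0.1.10 also opens SMB to a peer it has never contacted before
    ("10.0.1.10", 7, "10.0.1.11", 445, 1200),
]

LEARN_HOURS = 7      # assumption: hours used to build the baseline
Z_THRESHOLD = 3.5    # modified z-score cut-off (Iglewicz & Hoaglin rule of thumb)
MAD_FLOOR = 1.0      # avoid division by zero when a baseline is perfectly flat


def robust_z(x, values):
    """Modified z-score: 0.6745 * (x - median) / MAD. Resistant to outliers."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return 0.6745 * (x - med) / max(mad, MAD_FLOOR)


def build_baselines(flows, learn_hours=LEARN_HOURS):
    """Learn per-host hourly volume history and the known (peer, port) set."""
    volume = defaultdict(lambda: defaultdict(int))   # host -> hour -> bytes
    peers = defaultdict(set)                          # host -> {(dst, dport)}
    for src, hour, dst, dport, nbytes in flows:
        if hour < learn_hours:
            volume[src][hour] += nbytes
            peers[src].add((dst, dport))
    history = {h: [volume[h][i] for i in sorted(volume[h])] for h in volume}
    return history, dict(peers)


def detect(flows, history, peers, learn_hours=LEARN_HOURS, z_threshold=Z_THRESHOLD):
    """Score flows after the learning window; return (host, hour, kind, detail)."""
    alerts = []
    hourly = defaultdict(int)
    for src, hour, dst, dport, nbytes in flows:
        if hour < learn_hours:
            continue
        hourly[(src, hour)] += nbytes
        # New-peer check: any (dst, dport) never seen during learning.
        if (dst, dport) not in peers.get(src, set()):
            alerts.append((src, hour, "new_peer", f"{dst}:{dport}"))
    for (src, hour), total in sorted(hourly.items()):
        values = history.get(src)
        if not values:
            # A host with no baseline cannot be scored; surface it rather than skip it.
            alerts.append((src, hour, "no_baseline", str(total)))
            continue
        z = robust_z(total, values)
        if abs(z) > z_threshold:
            alerts.append((src, hour, "volume", f"{total} bytes, z={z:.1f}"))
    return alerts


def run(flows=FLOWS):
    history, peers = build_baselines(flows)
    return detect(flows, history, peers)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data, the file server's 902,000-byte hour scores as normal because its baseline is large but stable, while the web client's hour 7 raises two alerts: a volume anomaly (z in the thousands) and a new SMB peer. The new-peer check is what catches lateral movement that is too small to register as a volume change.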
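The decryption bullet above says an NTA product must decrypt TLS 1.3 without compromising the data. The mechanism that makes passive decryption of forward-secret sessions possible at all is per-session key export from the endpoint, most commonly in the NSS key log (SSLKEYLOGFILE) format that OpenSSL, NSS, Go's crypto/tls and Wireshark all share. The following is an added example for this article, not ExtraHop code and not tied to any vendor's key-forwarding agent: it audits a key log before it is handed to a decrypting analyzer, grouping lines by client_random and reporting whether each session carries enough material to decrypt both directions of application data. The key log lines are constructed and contain no real secrets; the label set and secret lengths are those defined by the NSS key log format.

```python
"""Audit an NSS-format TLS key log for decryptability.

Added example for this article (not ExtraHop code). TLS 1.3 sessions need
both CLIENT_TRAFFIC_SECRET_0 and SERVER_TRAFFIC_SECRET_0 to decrypt
application data in both directions, plus the two handshake secrets to
decrypt the encrypted handshake (certificates, extensions). TLS 1.2 needs
only CLIENT_RANDOM with the 48-byte master secret. Sample lines are
constructed and are not real session material.
"""
import re

TLS12_LABEL = "CLIENT_RANDOM"                       # value = 48-byte master secret
TLS13_APP_LABELS = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
TLS13_HS_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET"}
TLS13_OTHER_LABELS = {"CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET"}
KNOWN_LABELS = {TLS12_LABEL} | TLS13_APP_LABELS | TLS13_HS_LABELS | TLS13_OTHER_LABELS

HEX = re.compile(r"^[0-9a-fA-F]+$")


def parse_keylog(text):
    """Return (sessions, errors); sessions maps client_random -> {label: secret}."""
    sessions = {}
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            errors.append((lineno, "expected 3 fields"))
            continue
        label, client_random, secret = parts
        if label not in KNOWN_LABELS:
            errors.append((lineno, f"unknown label {label}"))
            continue
        if len(client_random) != 64 or not HEX.match(client_random):
            errors.append((lineno, "client_random must be 32 bytes of hex"))
            continue
        if not HEX.match(secret) or len(secret) % 2:
            errors.append((lineno, "secret is not valid hex"))
            continue
        nbytes = len(secret) // 2
        # TLS 1.2 master secret is always 48 bytes; a TLS 1.3 secret is one
        # hash output: 32 bytes for SHA-256 suites, 48 for SHA-384 suites.
        expected = {48} if label == TLS12_LABEL else {32, 48}
        if nbytes not in expected:
            errors.append((lineno, f"{label} has a {nbytes}-byte secret"))
            continue
        sessions.setdefault(client_random.lower(), {})[label] = secret.lower()
    return sessions, errors


def classify(labels):
    """What a passive decryptor can do with the secrets logged for one session."""
    if TLS12_LABEL in labels:
        return "tls12_full"
    have_app = TLS13_APP_LABELS <= labels
    have_hs = TLS13_HS_LABELS <= labels
    if have_app and have_hs:
        return "tls13_full"
    if have_app:
        return "tls13_appdata_only"   # application data yes, encrypted handshake no
    return "tls13_incomplete"         # at least one direction stays dark


def audit_keylog(text):
    sessions, errors = parse_keylog(text)
    return {cr: classify(set(labels)) for cr, labels in sessions.items()}, errors


# Constructed sample: one TLS 1.2 session, one complete TLS 1.3 session,
# one TLS 1.3 session missing the server secret, and one malformed line.
CR_A, CR_B, CR_C = "11" * 32, "22" * 32, "33" * 32
KEYLOG = "\n".join([
    "# constructed sample; not real session material",
    f"CLIENT_RANDOM {CR_A} {'aa' * 48}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR_B} {'b1' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR_B} {'b2' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_B} {'b3' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR_B} {'b4' * 32}",
    f"EXPORTER_SECRET {CR_B} {'b5' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR_C} {'c3' * 32}",
    f"CLIENT_RANDOM {CR_A}",                       # malformed: secret missing
])

if __name__ == "__main__":
    verdicts, problems = audit_keylog(KEYLOG)
    for cr, verdict in verdicts.items():
        print(cr[:16], verdict)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```

Feeding the same file to Wireshark (`tls.keylog_file` preference) or tshark would decrypt sessions A and B fully and leave session C's server-to-client direction opaque, which is exactly the "dark space" the bullet is about; an audit like this tells you that before you go looking for evidence that was never decryptable.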
Deploying a Network Traffic Analysis Product
NTA products that analyze packet data typically deploy as a physical or virtual appliance that receives a copy of network traffic from a core or distribution switch in the data center, through a SPAN/port-mirror session or a network tap, when deployed on premises. This gives the product the east-west traffic within the data center, also called lateral communications. A practical note: a SPAN session silently drops packets once the mirror port is oversubscribed, so for complete capture a tap or packet broker is preferable to a mirror port on a busy switch. Other network appliances such as firewalls and IDS/IPS products focus on north-south traffic crossing the perimeter in and out of the environment, but NTA products focus on the "juicy middle" inside the data center, which has historically been dark space for Security Operations teams.
In cloud environments, deployment is a little different. At the time of writing (early 2019), public cloud providers did not offer native traffic mirroring, so to get the traffic, NTA products deploy software on the instances that forwards raw or processed traffic to a virtual appliance hosted in the same availability zone to minimize data transfer costs. Mirroring capabilities similar to the ERSPAN feature on Cisco switches were expected as public cloud infrastructure matured, and they have since arrived: AWS VPC Traffic Mirroring and Google Cloud Packet Mirroring both deliver a copy of an instance's traffic to a sensor without an agent on the instance.
Network Traffic Analysis Resources
Gartner's Market Guide on Network Traffic Analysis is the most definitive resource to date on the NTA category, and we highly recommend giving it a read.
However, as always, defining a new category is a collaborative project among research firms, vendors, and users themselves. The opportunity exists now to define this category with the highest standards and most rigorous requirements, and to set a new direction for a security market that has long been glutted with hype and vaporware.
To learn more about NTA for enterprise security specifically, check out the six-minute video on this blog for details on the visibility gaps we believe NTA is uniquely able to fill.
And finally, to see how ExtraHop Reveal(x) delivers network traffic analysis for the enterprise at a scale unmatched by any other vendor in the space, with complete, real-time decryption of SSL/TLS traffic including TLS 1.3, see the Reveal(x) product pages.