With more organizations facing a barrage of security threats — worms, viruses , zero-day attacks and even insider abuse — a new category of security tool is expected to gain traction in the enterprise in 2007: network behavior analysis. NBA tools use traffic-monitoring techniques coupled with security intelligence to spot anomalous actions within the corporate network and mitigate threats quickly.
Offered by such vendors as Arbor Networks, Lancope, Mazu Networks, Q1 Labs and Cisco (with its Monitoring, Analysis and Response System), NBA tools quickly are becoming a key component of the network security toolbox.
Analysts say the key differentiator of NBA is that it treats all threats equally — whether they are known or unknown and whether they originate outside or inside the network. Because NBA tracks behavior, not identity, it provides an added layer of security that pinpoints potential threats far more quickly and efficiently than traditional security gear.
Most companies provide inside employees with a greater level of access and trust and limit outsiders. “It’s natural to implicitly trust the members of your own group, but unfortunately, it’s bad for security, because it’s not based on rational risk analysis,” says Andreas Antonopoulos, senior vice president and founding partner of Nemertes Research. In fact, 75% of all security breaches come from network insiders, he says.
A sampling of vendors that offer NBA products
— Arbor Networks — Arbor’s core competency is distributed denial-of-service detection and prevention, and its products are used widely in carrier-class networks. It launched PeakflowX in 2004 to address the enterprise-network behavior-analysis market.
— GraniteEdge Networks — This start-up offers a promising technique called causal chaining, which links detected events together with another layer of analysis beyond traditional NBA detection.
— Lancope — StealthWatch, a veteran NBA product, provides enterprises with a hybrid network behavior-and-response system that bases actions on behavior deviations and protocol analysis.
— Mazu Networks — Mazu’s Profiler and Enforcer products work in concert to monitor for deviations and automatically respond to threats.
— Q1 Labs — QRadar provides security managers with a continuous analysis of network traffic flow, giving real-time analysis of traffic type and bandwidth consumption. Q1 offers one of the most comprehensive (and commensurately complex) systems for network behavior visibility.
“Insiders have more gripes, because they may get fired or have problems with management, so they have motive. And they have more access and more opportunity,” Antonopoulos says. “And that means problems.”
NBA is based on how the person behaves, rather than who the person is. Once the tools build a baseline of expected network behavior, they can flag anomalous traffic — no matter who or what creates it.
“NBA doesn’t separate good from bad users based on whether they’re inside or outside the perimeter,” Antonopoulos says. “It monitors everything, and if the behaviors are bad, the user must be doing something bad, regardless if they are the CFO or the janitor.”
NBA, when layered atop such traditional security gear as intrusion-detection and -prevention systems, antivirus software and firewalls, provides a clearer picture of the security posture of the network in almost real time. “NBA provides a network team with better visibility into security. It gives them more information about what’s happening on the network so that they can respond intelligently,” says Stephen Elliot, an analyst at IDC. “It offers a better method for analyzing the risk, identifying it and solving it.”
Elliot warns, however, that there is a lot of hype in the NBA market. Users need to pay close attention to not only the intellectual property behind the analytic engine that drives the tool, but also its reporting capabilities, the comprehensiveness of its correlation engine, and its ability to integrate with the security tools an enterprise already has.
“How well does it work with what you have — that’s a prerequisite,” Elliot says. “You also really need to know where the data is coming from. Can you get event-level data, vulnerability info, IP packet data, flow data? There are lots of data sources, but the question is, which ones are right for your enterprise?”
Ultimately, the key is improving an enterprise’s security response. “Secure companies are not those that do not get breached — they’re the ones who respond to breaches in an efficient and effective manner, and are able to minimize the damage caused by the breach. NBA helps ensure that level of response,” Antonopoulos says.