What Is Network Traffic Analysis?
Note: In May 2020 Gartner renamed its Network Traffic Analysis category and released its 2020 Market Guide for Network Detection and Response.
According to Gartner in 2018: Network Traffic Analysis (NTA) is an emerging category of security product that uses network communications as the foundational data source for detecting and investigating security threats and anomalous or malicious behaviors within that network.
The practice of gathering network data, analyzing it, and making decisions based on the results has been around for decades, at least since tcpdump was released in 1988. This category of product, however, is still being defined—so much so that over the last few years, network-based security solutions have evolved far beyond the original capabilities described in Gartner's inaugural Market Guide for Network Traffic Analysis, published February 28, 2019.
Today, the industry has moved away from NTA as a category and towards the technology as a fundamental piece of a much more powerful set of solutions that now fall under the umbrella of network detection and response (NDR). This blog describes the differences between NTA and NDR in detail, and explains how the advent of cloud traffic mirroring in Amazon Web Services and Microsoft Azure has cemented NDR products as critical for enterprise cloud security.
Here's the TL;DR of what sets NDR apart from NTA: NDR products use NTA, but add historical metadata for investigations and threat hunting as well as automated threat response through intelligent integrations with firewalls, EDR, NAC, or SOAR platforms. Read on to understand the key features that NTA brings to the table when it comes to NDR solutions.
Benefits of Network Traffic Analysis by Feature
Here are the key features we believe every network traffic analyzer needs to include, and what makes them important for security operations with an emphasis on enterprise security:
- Real-time network data analysis - To provide accurate detection, investigation, and response capabilities within a timeframe where they're actually usable, every NTA product needs to conduct analytics and deliver answers in real time, at scale.
- Complete east-west transaction visibility - For a network traffic analyzer to provide high-fidelity insight into threat behaviors, it needs to be able to see and analyze the actual contents of the network conversations. That means full L2-L7 visibility, application protocol decoding, and decryption of modern cryptographic standards (TLS 1.3). Legacy providers have focused on NetFlow or NetFlow-like metrics that show which devices are communicating and the volume of their conversations. This is coarse, low-fidelity data that can't provide much insight compared to full visibility inside actual transactions.
- Safe, controlled decryption to eliminate dark space - Over 70% of web traffic is encrypted now, and that number is rapidly rising. Inside enterprise networks, the amount of traffic being encrypted is also rapidly rising toward 100%. While encryption is vital for protecting sensitive data, it also creates blind spots for security teams. One of the core purposes of NTA tools is to provide complete visibility, which means the ability to decrypt traffic for analysis without compromising that data's security is a crucial, foundational feature for every NTA product.
- Baselining and anomaly detection - Every NTA product will need the ability to model the baseline behavior of device and user activity, and compare new observations against those baselines. Behavioral analytics are the best way to get actionable insight out of network data, as opposed to the signature-based models emphasized in other security product categories.
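The baselining feature above can be illustrated with a small model of east-west flows. This is an added example, not code from the original post or from any vendor product: it builds a per-host baseline (known destination/port pairs plus byte-volume mean and standard deviation) from a historical window of constructed flow summaries, then flags new observations that talk to a never-seen peer or exceed the volume threshold.

```python
import statistics
from collections import defaultdict

# Constructed east-west flow records: (src, dst, dst_port, bytes).
# Each tuple stands for one internal connection summary; the first block is
# the historical window used for baselining, the second is new traffic.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 443, 12000), ("10.0.1.10", "10.0.2.5", 443, 11000),
    ("10.0.1.10", "10.0.2.5", 443, 13000), ("10.0.1.10", "10.0.2.5", 443, 12500),
    ("10.0.1.11", "10.0.2.6", 445, 8000),  ("10.0.1.11", "10.0.2.6", 445, 8200),
    ("10.0.1.11", "10.0.2.6", 445, 7900),  ("10.0.1.11", "10.0.2.6", 445, 8100),
]
NEW_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 443, 12200),   # within the learned baseline
    ("10.0.1.10", "10.0.2.9", 3389, 500),    # never-seen peer and port
    ("10.0.1.11", "10.0.2.6", 445, 900000),  # known peer, large volume spike
]

def build_baseline(flows):
    """Per-source model: the set of known (dst, port) peers and byte mean/stdev."""
    peers = defaultdict(set)
    sizes = defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        sizes[src].append(nbytes)
    stats = {src: (statistics.mean(v), statistics.pstdev(v)) for src, v in sizes.items()}
    return {"peers": peers, "stats": stats}

def detect_anomalies(baseline, flows, sigma=3.0):
    """Flag flows to an unseen peer or with volume above mean + sigma*stdev."""
    findings = []
    for src, dst, port, nbytes in flows:
        reasons = []
        if src not in baseline["stats"]:
            reasons.append("unknown source host")  # no baseline to compare against
        else:
            if (dst, port) not in baseline["peers"][src]:
                reasons.append(f"new peer {dst}:{port}")
            mean, sd = baseline["stats"][src]
            limit = mean + sigma * sd
            if nbytes > limit:
                reasons.append(f"volume {nbytes} > {limit:.0f}")
        if reasons:
            findings.append((src, dst, port, reasons))
    return findings

if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(finding)
```

A real NTA engine would baseline many more dimensions (protocol, timing, user identity) and refresh the model continuously, but the compare-against-learned-behavior loop is the same.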
Deploying a Network Traffic Analysis Product
NTA products that analyze packet data typically deploy as a physical or virtual appliance that receives a copy of network traffic (through a port mirror or network tap) from a core switch in the data center when deployed on premises. This gives the product the east-west traffic within the data center—also called lateral communications. Other network appliances such as firewalls and IDS/IPS products focus on north-south traffic crossing the perimeter in and out of the environment, but NTA products focus on the "juicy middle" inside the data center, which has historically been dark space for Security Operations teams.
Network Traffic Analysis Resources
Gartner's Market Guide on Network Detection and Response is a definitive resource on the current state of this evolving category, and we highly recommend giving it a read.
However, as always, defining a new category is a collaborative project among research firms, vendors, and users themselves. The opportunity exists now to define this category with the highest standards and most rigorous requirements, and to set a new direction for a security market that has long been glutted with hype and vaporware.
To learn more about NTA for enterprise security specifically, check out the six-minute video on this blog for details on the visibility gaps we believe NTA is uniquely able to fill.
And finally, to see how ExtraHop Reveal(x) delivers network detection and response for the enterprise at a scale unmatched by any other vendor in the space—with complete, real-time decryption of SSL/TLS 1.3 encrypted traffic—go here.