As you maneuver the security market, prepare yourself for a new acronym: NTA. Short for Network Traffic Analysis, Gartner has officially defined this category with a new Market Guide.
I know, your first question is: "Do we really need another category?" Well, yes, because existing tools haven't done a good job of detecting attacks once a bad actor has established a foothold on a compromised host. Accurately identifying the late-stage attack activities that cross the network is critical to detecting attacks targeting databases, critical services, and core infrastructure. Here's Gartner:
"Enterprises should strongly consider NTA to complement signature-based and sandboxing detection methods. Many Gartner clients have reported that NTA tools have detected suspicious network traffic that other perimeter security tools had missed."*
OK, so what is NTA? This is Gartner's official definition:
"Network traffic analysis (NTA) uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks. NTA tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NTA tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NTA solutions can also monitor east/west communications by analyzing network traffic or flow records that it receives from strategically placed network sensors."
Until you download and read the report, here are some key takeaways:
The NTA segment has been climbing the hype cycle for several years, encouraging many vendors to try and claim space. To help you evaluate vendors, we suggest you take the shiny object test. In the guide, Gartner suggests you assess the following factors, in their words:
- "Scalability — Does the solution have the capacity to analyze the amount of traffic in your environment?
- Workflow — Does the vendor provide tools natively and workflow guidance to assist in responding to its alerts? Does the vendor integrate with SOAR tools?
- Pure-Play Versus NTA as a Feature — Is it more sensible to implement NTA as a feature from another technology vendor (for example, SIEM), or do you require a more full-featured, pureplay NTA solution from one of the vendors analyzed in this Market Guide?"
Investigation and response are innovation zones.
The authors forecast the market direction in 2019 moving toward incident response through workflows and threat hunting. Per the Gartner report, "Responding to more-complex and targeted attacks is primarily about attack investigation and threat hunting, and NTA solutions should develop their capabilities in these areas."
We agree that encouraging accurate response—we call it "guided investigation"—can really help offset the shortage of skilled SOC analysts by empowering more junior analysts to tackle more of the investigative process. As an example, here's a short video of an investigation using Reveal(x), or you can drive your own demo of a live attack or a data breach and see prescriptive next steps and 1-click access to authoritative evidence. We are also fans of using network insights and operating out-of-band to do effective threat hunting.
Without an effective model for decryption, encryption can mean the end of visibility for security. SSL/TLS decryption wasn't an inclusion requirement for the Market Guide, but Gartner documents any capability for each vendor, underscoring the criterion. Multiple recent reports show broad adoption of encryption for internal networks and data centers, with aggressive plans to get to the latest TLS 1.3 standard with Perfect Forward Secrecy.
ExtraHop has no shortage of content on this topic, but perhaps start with this fun video on what you can't see without decryption, this primer on embracing encryption, or this walkthrough of encryption auditing with a network traffic analysis tool.
Of course, there are a few topics that we will continue to "discuss" with Gartner, such as the limitations of flow data and the need for Layer 7 content visibility. We see these as essential capabilities for an effective SOC that join scalability and decryption as criteria for enterprise-worthy NTA.
*Gartner, Market Guide for Network Traffic Analysis, 28 February 2018, Lawrence Orans, Jeremy D'Hoinne, Sanjit Ganguli
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.