Welcome to our ongoing series of blogs comparing Network Traffic Analysis (NTA) products to traditional security solutions including SIEM and IPS. Read Gartner's Market Guide for Network Traffic Analysis for more details about the category.
Enterprise security. For some people, those words conjure up images of red-shirted crew members about to be zapped by creatures beefing with the United Federation of Planets. For others, enterprise security means finding ways to protect ever-expanding attack surfaces of their corporate networks and revenue-generating applications.
If you've landed here, you're probably at least in the latter group and interested in discovering how network traffic analysis (NTA) solutions, a fast-growing category of network detection and response, stack up against intrusion detection systems (IDS) — so let's boldly go a little deeper.
Network traffic analysis platforms analyze network communications to detect and investigate threats, anomalous behaviors, and risky activity like unmanaged honeypots in production environments. Intrusion detection systems monitor the perimeter of networks for intruders and can fire alerts if they detect an attack.
How NTA Works
Network traffic analysis platforms inspect real-time wire data from all network communications, including encrypted communications (learn why decryption is crucial for SecOps here), from layer two through layer seven. NTA products use a far richer data source than just NetFlow, which is a useful, but now mostly legacy data source for network security.
By analyzing every transaction and reconstructing every conversation on the network through full-stream reassembly, NTA products can provide more conclusive insights into security events, and forensic-level evidence that SecOps teams can use to understand and report the exact scope of incidents.
Fueled by rich wire data, NTA products use advanced machine learning to identify anomalous behaviors and security incidents, trigger automated investigations, fire alerts, and in some cases trigger automated responses through integrations with firewalls, SOAR products, and other in-line response solutions.
How IDS Works
Although younger than a certain space-themed TV show referenced earlier, a traditional intrusion detection system is pretty old-school tech by modern enterprise standards. Located behind the firewall, IDS products were created to detect vulnerability exploits in a target application or computer by comparing observations against a database of known malicious threats, similar to the way antivirus software detects malware. IDS threat databases must be constantly (and manually) updated, and IDS products only provide surface level insight into perimeter attacks with little to no investigation or response capabilities.
While a good IDS is still an important part of the Security Operations team's tool set, it covers only a limited range of the capabilities needed for proactive enterprise security.
What IDS Can Do
Intrusion detection systems serve as a listen-only monitoring tool, which means they can detect suspicious behaviors based on programmable signatures, plus provide data packets and fire alerts.
What IDS Can't Do
Intrusion detection systems are primarily focused on north-south traffic and detecting threats at the perimeter. They mostly lack visibility into internal traffic, meaning if even one attacker gets inside the network, the IDS is no longer any use for detecting them. Beyond that, IDS products usually can't detect new or evolving threats outside of their database of signatures, so rapidly innovating attackers can stay one step ahead with ease. In a sense, IDS is always fighting the previous war rather than the current one. IDS also cannot execute automated investigations or responses and requires a human administrator or partner platform such as an intrusion prevention system (IPS) to take action.
What NTA Can Do
Network traffic analysis security platforms do what they say on the tin: enable network-based detection and response. NTA products can quickly decode dozens of protocols and extract thousands of machine learning features to pinpoint late-stage attack behaviors with context and evidence. Because NTA uses machine learning to create predictive behavior profiles rather than relying on signatures as a baseline for detection, it can find previously unseen security threats and detect low-and-slow tactics, techniques, and procedures that signature-based systems often miss.
Continue Exploring NTA for Enterprise Security
Want to see how a real security breach plays out as it's detected, investigated, and resolved using network traffic analysis? Check out this blog post walking through our investigation into a fake Postman Chrome Extension.
Network traffic analysis can also make it a lot easier to follow the CIS Top 20 Critical Security Controls—read this white paper to learn more.