
Of Fables and False Alerts

Network Traffic Analysis vs. Intrusion Prevention Systems

Welcome to our ongoing series of blogs comparing Network Traffic Analysis (NTA) products to traditional security solutions including SIEM and IDS. Read Gartner's Market Guide for Network Traffic Analysis for more details about the category.

From the boy who cried wolf to Chicken Little (or Henny Penny), stories about false alerts have been around since at least the days of Aesop. The lesson in those fables is just as valuable today as it was way back then.

False alerts have negative consequences, whether you're a boy herding sheep, a frightened fowl, or a security professional protecting the modern enterprise.

For all the good they can do, Intrusion Prevention Systems (IPS) and their thousands of signature-based detections have a bad habit of misidentifying benign behavior as malicious and sounding false alerts. Those false positives waste security analysts' time and lead to alert fatigue, increasing the likelihood that a deserving alert goes uninvestigated and a preventable breach occurs.

Network Traffic Analysis (NTA) products give security teams the tools they need to accurately identify and investigate malicious behaviors, plus trigger automated responses to legitimate threats with a far lower rate of false positives than IPS products.

How NTA Works

Network Traffic Analysis (NTA) platforms inspect real-time network communications to accurately detect and investigate threats, anomalous behaviors, and risky activity from layer two through layer seven.

NTA products provide more conclusive insights into security events and forensic-level evidence SecOps teams can use to understand and report the exact scope of incidents. NTA products do this by analyzing every transaction and reconstructing every conversation on the network through full-stream reassembly.

Fueled by rich wire data, NTA products use advanced machine learning to identify anomalous behaviors and security events, trigger automated investigations, fire contextualized alerts, and in some cases help execute automated responses through integrations with firewalls, SOAR products, and other in-line response solutions.

How IPS Works

Located behind the firewall, Intrusion Prevention System sensors are placed in the line of direct communication between information senders and receivers. IPS products use a database of pre-programmed signatures to identify specific exploits in much the same way as their precursor, the IDS, or Intrusion Detection System. In fact, IPS and IDS products often work together.

What IPS Can Do

Intrusion Prevention Systems can use their pre-programmed exploit-facing signatures to fire alarms to administrators, remove malicious packets, block access from offending source addresses, and reset connections.

What IPS Can't Do

With their propensity for firing false alerts, Intrusion Prevention Systems can't always help SOC teams separate signal from noise. IPS products can also have a hard time detecting new or evolving threats because new signatures must be developed, a time-intensive process requiring human intervention. This potential gap in the time between identifying new threats and creating unique signatures can give rapidly innovating attackers the head start they need to stay a step or two ahead of security. An IPS product can also struggle to analyze encrypted data without help from decryption tools.

What NTA Can Do

Enterprise Network Traffic Analysis security platforms quickly decode dozens of protocols and extract thousands of machine learning features to pinpoint late-stage attack behaviors with context and evidence for confident action.

Because NTA products use machine learning to create predictive behavior models rather than simply relying on signatures as a baseline for detection, they can find never-before-seen security threats and detect low-and-slow tactics, techniques, and procedures that signature-based systems often miss.

If you're already using an IPS product, NTA platforms provide richer data that can shorten the time to detect threats and reduce the number of false alerts.
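As an added illustration (not the post's own code, and not any vendor's product logic), the following Python contrasts a toy signature matcher with a per-host behavioral baseline over constructed hourly flow summaries: the signature fires on a benign internal wiki page that merely mentions a tool name, while the baseline stays quiet on that host and instead flags a steady, slightly elevated outbound volume that no single hour would trigger. The hosts, volumes, window size, threshold, and the signature itself are all assumptions.

```python
import math
import statistics
from collections import defaultdict

BASELINE_HOURS = 24          # hours of traffic used to learn each host's normal volume
SIGNATURES = {"cmd.exe": "command shell referenced in payload"}  # toy IPS rule (assumed)

def build_records():
    """Constructed hourly flow summaries: (hour, src_host, bytes_out, payload_excerpt)."""
    recs = []
    for hour in range(2 * BASELINE_HOURS):
        # Internal wiki serving a how-to page that mentions cmd.exe: benign, steady volume.
        recs.append((hour, "wiki", 1200 + (hour % 2) * 20,
                     "How to open cmd.exe and run ipconfig"))
        # Laptop browses normally, then from hour 24 leaks an extra 10 bytes/hour:
        # each hour stays inside normal variation, only the trend is abnormal.
        extra = 10 if hour >= BASELINE_HOURS else 0
        recs.append((hour, "laptop", 900 + (hour % 3) * 10 + extra, "GET /news"))
    return recs

def signature_alerts(records):
    """IPS-style detection: a fixed pattern in the payload is an alert, regardless of context."""
    return [(hour, host, sig) for hour, host, _, payload in records
            for sig in SIGNATURES if sig in payload]

def behavioral_alerts(records, window=BASELINE_HOURS, z_threshold=3.0):
    """NTA-style detection: learn each host's outbound volume, then alert when the
    total over a sliding window drifts more than z_threshold sigmas from expected."""
    per_host = defaultdict(list)
    for _, host, nbytes, _ in sorted(records):     # sorted -> hourly order per host
        per_host[host].append(nbytes)
    alerts = []
    for host, series in per_host.items():
        base = series[:BASELINE_HOURS]
        mean = statistics.mean(base)
        std = max(statistics.pstdev(base), 1.0)     # floor avoids /0 on constant hosts
        for start in range(BASELINE_HOURS, len(series) - window + 1):
            observed = sum(series[start:start + window])
            z = (observed - mean * window) / (std * math.sqrt(window))
            if z > z_threshold:
                alerts.append((host, start, round(z, 1)))
    return alerts

if __name__ == "__main__":
    recs = build_records()
    print("signature alerts:", len(signature_alerts(recs)), "(all on the benign wiki host)")
    print("hourly behavioral alerts:", behavioral_alerts(recs, window=1))
    print("24h-window behavioral alerts:", behavioral_alerts(recs))
```

With a one-hour window the baseline detector stays silent on both hosts; only the 24-hour window exposes the laptop's low-and-slow drift, and the wiki's 48 signature hits are all false positives.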

Continue Exploring NTA for Enterprise Security

Want to see how a real security breach plays out as it's detected, investigated, and resolved using network traffic analysis? Check out this blog post walking through our investigation into a fake Postman Chrome Extension.

Network traffic analysis can also make it a lot easier to follow the CIS Top 20 Critical Security Controls—read this white paper to learn more.
