Welcome to our ongoing series of blogs comparing Network Traffic Analysis (NTA) products to traditional security solutions including IPS and IDS. Read Gartner's Market Guide for Network Traffic Analysis for more details about the category.
Security Operations Centers often place Security Information and Event Management (SIEM) products at the center of their approach to protecting the enterprise and there are valid reasons for their popularity.
SIEM products shine at generating compliance reports. They can also be effective at early detection if threats violate a SIEM's set of preconfigured rules. Some SIEM vendors are introducing artificial intelligence for automatic rule generation, anomalous behavior detection, and advanced statistical analysis, but those tools are in their early stages and it's unclear if they provide benefits not found in existing SIEM products.
Despite their popularity, SIEM products also have significant drawbacks. They use log data, which limits their visibility and can leave you vulnerable to east-west corridor attacks. They're also difficult and expensive install, configure, manage, and scale, which could prevent them from being a proactive solution to future security challenges.
Even if you're already using a SIEM product or are considering adding one to your security suite, a Network Traffic Analysis (NTA) product is a crucial part of the SOC toolset. NTA products provide complete visibility and are scalable in ways no other category of product, including SIEM, can reach. NTA platforms also use proven advanced machine learning to identify anomalous behaviors and security incidents, trigger automated investigations, fire contextualized alerts, and help execute automated responses through integrations.
How NTA Works
NTA products analyze every transaction and reconstruct every conversation on the network through full-stream reassembly of rich wire data. NTA's forensic-level evidence and conclusive insights into security events gives SecOps teams the context they need to understand and report the exact scope of incidents.
How SIEM Works
A SIEM product collects log data generated on an enterprise's technology infrastructure, including host systems and applications, analyzes that data and provides views and filtering for analysts, and shares that information with security tools such as antivirus filters and firewalls.
What SIEM Can Do
SIEM products got their start as compliance management tools more than a decade ago. In recent years, the demand for more security measures has driven SIEM products toward security operations centers. SIEM products can create reports on incidents and events, including malware and other malicious activity. If analysis determines activities violate pre-determined rulesets, a SIEM product can fire alerts.
What SIEM Can't Do
SIEM products historically require a lot of work to configure and use, and they rely on logs that were also configured and are not self-adapting. There are preconfigured products available, but they're more expensive and more prone to false alerts. Because they simply aggregate logs and can fire context-free alerts, knowing how to best respond can be a struggle for SIEM users. It can also be difficult to add new data feeds to SIEM products and track existing feeds easily.
What NTA Can Do
Advanced NTA security platforms extract thousands of machine learning features and quickly decode dozens of protocols to pinpoint late-stage attack behaviors with enough context and evidence for analysts to take confident action.
NTA products are also deadly threat hunters because they use machine learning to create predictive behavior profiles to locate previously unseen security threats and detect low-and-slow tactics, techniques, and procedures.
If you already use a SIEM product, adding NTA can reduce your security spend and increase your visibility, alert context, and ability to quickly respond to legitimate threats.
Continue Exploring NTA for Enterprise Security
Want to see how a real security breach plays out as it's detected, investigated, and resolved using network traffic analysis? Check out this blog post walking through our investigation into a fake Postman Chrome Extension.
Network traffic analysis can also make it a lot easier to follow the CIS Top 20 Critical Security Controls—read this white paper to learn more.