Assessing Network Analysis and Visibility Solutions For Zero Trust

The rising trend of zero trust implementation is a direct reaction to increasingly sophisticated cyberattacks. Zero-trust principles foster more effective threat detection because they reject the notion that security happens at the perimeter and that all network traffic is legitimate traffic.

Forrester Research has long been a proponent of zero-trustsecurity, starting in 2009 when former analyst John Kindervag advocated for the security model in No More Chewy Centers: Introducing The Zero Trust Model Of Information Security. The concept was built around the idea that security professionals must "eliminate the idea of a trusted network." To support the idea, Forrester and Kindervag advocated for the use of network analysis and visibility (NAV) solutions which, according to the 2016 report, included "network discovery tools, tools that analyze flow data, tools that dissect packet captures, tools that look at network metadata, and tools used for network forensic examination."

According to a recent report, Now Tech: Network Analysis and Visibility (NAV), Q4 2021, NAV is now defined as "A category of security solutions that deploy passively in networks to analyze network traffic in order to detect threats using behavioral and signature-based approaches, discover and establish relationships between assets, provide flow analysis." In addition to packet capture and forensics capabilities, Forrester's definition of NAV also includes solutions that "integrate with other control points to remediate detected threats."

The recent Forrester report defines and categorizes NAV solutions to help organizations better evaluate and implement network-facing security for the purposes of boosting zero-trust principles. The report offers an overview of 32 current NAV providers, encompassing a wide range of products and vendors with varying functionality.

What is Network Analysis and Visibility?

While all NAV products support network visibility and post-compromise threat detection, NAV solutions offer a diverse set of functions, which Forrester defines and breaks down into four functionality segments: Point solutions, NAV plus, Security analytics platforms, and NAV as a feature.

• Point solutions are standalone solutions that don't rely on integrations to function and use passing sensors to collect network data but require a SIEM or other analytics platform for enriched insights.
• NAV plus solutions natively pull data from network and endpoint sources and correlate detections from different sources.
• Security analytics platforms use sensors that are similar to point and NAV plus solutions, but pull data from multiple sources to analyze and correlate data.
• NAV as a feature solutions collect and analyze data as part of a larger platform, such as a native XDR platform.

Assessing NAV Solutions for Zero Trust

Forrester goes deeper into NAV capabilities by rating the capabilities of each of the four NAV segment functionality across 15 capabilities, with added advice on how to implement NAV solutions for zero-trust policies. Threat detection being central to zero-trust security, each segment received a high segment functionality rating in threat detection.

For product integrations, Forrester recommends that "Practitioners should choose NAV products that make it easy to integrate into their security tech stacks both utilizing built-in, native integrations and robust APIs for organizations that would prefer to build their own integrations."

For correlated telemetry from other sources and integrations with other security tooling, NAV-as-a-feature solutions received a high segment functionality rating for those capabilities, with NAV plus receiving a moderate one. Forrester rates point solutions as low segment functionality in these capabilities, but adds that "Point products still have a place within organizations as they often excel at the capabilities they provide."

Forrester stresses that "Practitioners should expect their NAV solution to deliver both behavioral- and signature-based detections that are continuously updated by the vendor." They also advise that organizations should "require NAV products to map to common frameworks such as MITRE ATT&CK and D3FEND." Forrester rates point solutions, NAV plus, and NAV-as-a-feature products as having high segment functionality in these capabilities. NAV-as-a-feature has moderate segment functionality in framework mapping compared to Point and NAV plus solutions and security analytics which have a high segment functionality.

Forrester also recommends choosing solutions that allow for forensic investigation and threat hunting, saying that "NAV products should deliver more than threat detection by offering insights into network traffic such as asset discovery and application mappings and dependencies." For asset discovery capabilities, point solutions and NAV plus have a high segment functionality. NAV plus also has a high segment functionality in remediation capabilities.

Finding Value in NAV Solutions

Forrester offers insight into how NAV products function broadly across the four segment functionalities, and a list of 32 vendors to help organizations select and assess vendors based on their zero-trust security goals.

While adding network-based solutions is an investment for many organizations, Forrester re-enforces the value that organizations gain as a solution to challenges such as the "struggle to make sense of or justify the voluminous networking logs they've ingested into their security analytics platform or SIEM." Forrester also suggests retiring old toolsets, including "replacing intrusion detection systems (IDS), massive network log ingestion, and other systems or processes that require significant time, effort, and cost to manage."

By understanding how NAV products function broadly across the four outlined solution categories, plus following Forrester recommendations for retiring old toolsets, security teams can both add value and improve workflows on their path to zero trust.