During the past couple of years, Network Behavior Analysis (NBA) has made its way into the security mainstream. Many companies have found NBA’s flow-based approach to be more effective, easier to manage and less expensive than traditional, perimeter-based security solutions, such as firewalls, antivirus and intrusion detection/prevention systems (IDS/IPS). Recently, NBA capabilities have been expanded to offer network optimization and identity tracking solutions, which add value to both the original NBA solution and existing ID management tools.
Typical identity management software facilitates access control, authentication and creation of user names and passwords. NBA tools maximize this investment by collecting, monitoring and reporting on this data in the context of overall network activity. In other words, the system is able to correlate user identity with network traffic and host behavior, providing network administrators with detailed, actionable intelligence when network bottlenecks or potential threats arise. In addition, this knowledge allows administrators to significantly improve audit controls and assure regulatory compliance by linking the event directly to an individual user.
To accomplish this level of visibility, NBA solutions with identity tracking capabilities – in this case StealthWatch IDentity-1000 – continuously monitor active users on the network and track all new user logins and logouts. This data translates into database entries, which are then used for a general log and for detailed security reports. At any point, an IT manager can research who was logged in during a certain timeframe. An NBA solution combined with user identity tracking capability quickly identifies a problem, proposes a solution and tells the IT department which users are involved. Quarantine and remediation efforts are streamlined by the immediate identification of the responsible party.
Utilizing NetFlow and sFlow – two types of flow data that are supported by routers and switches, originally designed for network monitoring and recently enhanced for security and network optimization – NBA systems provide the data needed to effectively control and manage network usage. The result? Real-time, unprecedented views of network usage and routes of even the most complex networks.
While the benefits of NBA systems stand strong on their own, the technology becomes even more impressive when compared to traditional perimeter security systems such as firewalls, antivirus and intrusion detection/prevention systems (IDS/IPS), all of which rely on attack signatures to detect problems. In fact, compared to traditional security measures, NBA typically results in an 80 percent savings of time, cost and complexity. These signature-based perimeter systems are not able to analyze encrypted traffic across a virtual private network (VPN) or trusted link, nor are they able to act against attacks that originate from inside the enterprise, such as:
- Rogue wireless devices
- So-called zero-day attacks, for which attack signatures have not been defined
- Unauthorized remote control or peer-to-peer activity
- Trojans or worms introduced via laptops, email or flash-based storage devices (e.g., USB drives)
- Known attacks for which signatures have not been activated
The reasons for this lack of performance are simple. Internal networks and network segments run at very high line speeds, or feature highly segmented and/or highly switched topologies. While it is possible to deploy large numbers of perimeter defense devices for each segment, each application or appliance can become yet another chokepoint that severely limits network performance – and still fails to stop threats that originate from within that segment. Policy distribution and administration tasks grow exponentially, and the cost of purchasing and managing so many hardware agents and software devices becomes enormous.
Conversely, NBA systems are easy to install, usually up and running at full capacity within hours of installation. Because they do not require attack signatures to detect issues, these systems also excel at producing real-time views of the entire network’s security and performance profile, instantly recognizing unexpected network traffic and the reason behind it.
In fact, one well-known network security consultant said, “I got my password at 11:56. At 12:30, I get a call alerting me that someone on my network is acting as a zombie, sending spam from the company. I looked at my old headers and nmap the system – nothing. I remember that I just got my StealthWatch NBA box, which I’d only configured with an IP address. I punch in the questionable IP address and boom, up comes the status: receiving traffic on a proxy port and sending traffic on an SMTP port. Problem confirmed. Elapsed time? 30 seconds.”
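The following Python is an added illustration, not code from this article or from the StealthWatch product, of the three mechanisms the article describes: decoding NetFlow v5 export records (the flow data mentioned above), a signature-free behavioral rule for the "receiving on a proxy port, sending on SMTP" pattern in the consultant's account, and a login/logout ledger lookup that names the user who held a session on the flagged host at the time. Every flow record, address, port and session below is a constructed test fixture; the proxy-port set, the session tuple layout and the function names are assumptions made for the example.

```python
"""Constructed example: parse NetFlow v5, flag a proxy-in/SMTP-out host, name its user."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (big-endian): 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")          # version, count, sysuptime, unix_secs, ...
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # srcaddr ... dstport, pad, flags, prot ...

PROXY_PORTS = {3128, 8080}   # assumed set of ports a forward proxy would listen on
SMTP_PORT = 25
TCP = 6


def parse_netflow_v5(packet):
    """Return (unix_secs_of_export, [flow dicts]) from one NetFlow v5 export packet."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("short NetFlow header")
    version, count, _uptime, unix_secs, *_ = V5_HEADER.unpack_from(packet, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    flows, off = [], V5_HEADER.size
    for _ in range(count):
        if off + V5_RECORD.size > len(packet):
            raise ValueError("truncated flow record")
        f = V5_RECORD.unpack_from(packet, off)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "octets": f[6], "sport": f[9], "dport": f[10], "proto": f[13]})
        off += V5_RECORD.size
    return unix_secs, flows


def detect_spam_relays(flows):
    """Behavioral rule, no signature: a host that both accepts traffic on a proxy
    port and originates SMTP traffic looks like an open proxy being used to relay spam."""
    inbound_proxy, outbound_smtp = defaultdict(int), defaultdict(int)
    for f in flows:
        if f["proto"] != TCP:
            continue
        if f["dport"] in PROXY_PORTS:
            inbound_proxy[f["dst"]] += f["octets"]
        if f["dport"] == SMTP_PORT:
            outbound_smtp[f["src"]] += f["octets"]
    return sorted(h for h in inbound_proxy if h in outbound_smtp)


def users_logged_in(sessions, host, at_time):
    """Ledger lookup: users whose login/logout window on `host` covers `at_time`.
    A logout of None means the session is still active."""
    return sorted(user for user, h, login, logout in sessions
                  if h == host and login <= at_time and (logout is None or at_time < logout))


def build_v5_packet(unix_secs, records):
    """Encode constructed flows as a NetFlow v5 export (test fixture, not router output)."""
    header = V5_HEADER.pack(5, len(records), 0, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, 10, octets, 0, 0, sport, dport, 0, 0x18, TCP, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, octets in records)
    return header + body


# Constructed fixtures (RFC 5737 documentation addresses for the "outside").
SAMPLE_FLOWS = [
    ("203.0.113.5", "10.0.0.42", 51000, 8080, 9000),    # outside -> internal host, proxy port
    ("10.0.0.42", "198.51.100.9", 44000, 25, 120000),   # internal host -> outside SMTP
    ("10.0.0.7", "10.0.0.3", 50000, 443, 3000),         # ordinary HTTPS, should not be flagged
]
SAMPLE_SESSIONS = [  # (user, host, login_epoch, logout_epoch or None) from the login tracker
    ("alice", "10.0.0.42", 1_000_000, None),
    ("bob", "10.0.0.7", 999_000, 1_002_000),
    ("carol", "10.0.0.42", 900_000, 950_000),           # logged out before the export
]
OBSERVED_AT = 1_001_000


def investigate(packet=None, sessions=SAMPLE_SESSIONS):
    """Flagged host -> users logged in on it when the flows were exported."""
    packet = packet or build_v5_packet(OBSERVED_AT, SAMPLE_FLOWS)
    observed, flows = parse_netflow_v5(packet)
    return {h: users_logged_in(sessions, h, observed) for h in detect_spam_relays(flows)}


if __name__ == "__main__":
    print(investigate())   # {'10.0.0.42': ['alice']}
```

The rule keys on the relationship between two flows on the same host rather than on payload, which is why it works on the encrypted and internal traffic the article says signature devices miss; in practice the threshold would be byte or flow counts over a window rather than a single record, and the session ledger would be queried for the export time of each flagged flow.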
Detecting security and network performance issues in real time is critical to organizations aiming to sustain productive workforces. While defending the perimeter is important, failing to view the entire organization – including internal and peripheral threats – can be detrimental in time, lost productivity and hard costs. Compared to other tools, network behavior analysis and response systems represent a far simpler, less expensive and more effective means of protecting and optimizing a network.