Insights Into Technology: Network Behavior Analysis
Adam Powers
July 1, 2008
It's never been more critical for network and security managers to attain deep
insight into the traffic flowing throughout their networks. Whether it's increased regulatory
demands, the trend toward more targeted attacks or the latest stealth techniques employed by
malware authors, IT departments must be able to identify and block traditional attacks as well as
malicious traffic and entirely new attacks.
The most widely deployed security technologies – anti-virus, intrusion detection/prevention
systems and firewalls – all depend on lists of known patterns or static rule sets to stop malicious
activity.
While these conventional defenses are essential to any company’s security plan,
organizations benefit from identifying stealthy and sophisticated attacks often missed by
signature-based systems. A popular way to detect these attacks is through Network Behavior Analysis
(NBA), which aims to study and learn normal network behavior so the system can identify anomalous
and potentially malicious traffic that could hurt the entire network.
NBA technologies build a baseline of normal network activity for each host connected to the network
By consuming NetFlow™, sFlow® or other native flow records exported by the existing network
infrastructure, the NBA system collects behavioral indicators for each host, such as its normal rates of
bits and packets per second; the total number of bytes it moves during a 24-hour period; and the ports
and services it offers on the network.
From this baseline, the NBA system constructs profiles of different attributes and
acceptable system behaviors to establish tolerance levels. Then, whenever the activity of a device
breaches an established tolerance level, network and security managers are alerted. For example,
when a Web server that has been using only port 80 suddenly opens an FTP session, you’ll want to
know about it.
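The baseline-and-tolerance loop described above, as an added example written for this article rather than Lancope's own code: it learns per-host profiles from constructed flow records (ports offered, ports used, bytes per 24-hour period, per-flow bit rates), derives an upper tolerance level per metric, and alerts when a later flow breaches it. The record layout, the "mean + 3 standard deviations" tolerance rule, the minimum-history rule and every address and byte count are assumptions made for illustration.

```python
# Added example (not Lancope's or the author's code): a minimal NBA baseline and
# tolerance check over constructed flow records. The record layout, the
# "mean + 3 sigma" tolerance rule, the minimum-history rule and every address
# and byte count below are assumptions made for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Optional

MIN_SAMPLES = 2  # with fewer observations a tolerance level is meaningless
K_SIGMA = 3.0    # tolerance = mean + K_SIGMA * standard deviation (assumed)

@dataclass(frozen=True)
class Flow:
    """One flow record: src initiated the flow, dst answered on dport."""
    day: int
    src: str
    dst: str
    dport: int
    nbytes: int
    seconds: float

    def bps(self) -> float:
        return 8.0 * self.nbytes / self.seconds if self.seconds > 0 else 0.0

@dataclass
class HostProfile:
    served_ports: set = field(default_factory=set)   # services the host offers
    client_ports: set = field(default_factory=set)   # services the host uses
    daily_bytes: dict = field(default_factory=lambda: defaultdict(int))
    bps_samples: list = field(default_factory=list)  # per-flow bit rates seen

def build_baseline(flows: list) -> dict:
    """Learn each host's normal behavior: ports offered and used, bytes per
    24-hour period and typical per-flow bit rates."""
    profiles = defaultdict(HostProfile)
    for f in flows:
        profiles[f.dst].served_ports.add(f.dport)
        profiles[f.src].client_ports.add(f.dport)
        for host in (f.src, f.dst):
            profiles[host].daily_bytes[f.day] += f.nbytes
            profiles[host].bps_samples.append(f.bps())
    return dict(profiles)

def tolerance(samples: list) -> Optional[float]:
    """Upper tolerance level for a metric, or None when history is too thin."""
    if len(samples) < MIN_SAMPLES:
        return None
    return mean(samples) + K_SIGMA * pstdev(samples)

def check(profiles: dict, flows: list) -> list:
    """Return (host, kind, detail) alerts for flows that breach the baseline.
    Hosts with no profile (external addresses here) are not judged."""
    alerts = []
    day_bytes = defaultdict(int)  # (host, day) -> bytes seen in these flows
    for f in flows:
        src, dst = profiles.get(f.src), profiles.get(f.dst)
        if src is not None and f.dport not in src.client_ports:
            alerts.append((f.src, "new-outbound-service",
                           f"opened port {f.dport} to {f.dst}"))
        if dst is not None and f.dport not in dst.served_ports:
            alerts.append((f.dst, "new-listening-service",
                           f"answered on port {f.dport} for {f.src}"))
        for host, prof in ((f.src, src), (f.dst, dst)):
            if prof is None:
                continue
            day_bytes[(host, f.day)] += f.nbytes
            limit = tolerance(prof.bps_samples)
            if limit is not None and f.bps() > limit:
                alerts.append((host, "rate-above-tolerance",
                               f"{f.bps():.0f} bps > {limit:.0f} bps"))
    for (host, day), total in day_bytes.items():
        limit = tolerance(list(profiles[host].daily_bytes.values()))
        if limit is not None and total > limit:
            alerts.append((host, "daily-volume-above-tolerance",
                           f"day {day}: {total} B > {limit:.0f} B"))
    return alerts

# Constructed three-day baseline: 10.0.0.5 is a web server that only answers
# on port 80 and only reaches out for DNS (port 53) to 10.0.0.53.
BASELINE = [
    Flow(0, "192.0.2.10", "10.0.0.5", 80, 40000, 2.0),
    Flow(0, "192.0.2.11", "10.0.0.5", 80, 38000, 2.0),
    Flow(0, "10.0.0.5", "10.0.0.53", 53, 300, 0.1),
    Flow(1, "192.0.2.12", "10.0.0.5", 80, 42000, 2.0),
    Flow(1, "10.0.0.5", "10.0.0.53", 53, 280, 0.1),
    Flow(2, "192.0.2.10", "10.0.0.5", 80, 39000, 2.0),
    Flow(2, "10.0.0.5", "10.0.0.53", 53, 310, 0.1),
]
# Day 3 (constructed): an ordinary page fetch, then the web server opens an FTP
# session to an outside host and pushes far more data than it ever has.
NORMAL = [Flow(3, "192.0.2.10", "10.0.0.5", 80, 39500, 2.0)]
SUSPECT = [Flow(3, "10.0.0.5", "198.51.100.7", 21, 50_000_000, 10.0)]

def demo() -> tuple:
    profiles = build_baseline(BASELINE)
    return check(profiles, NORMAL), check(profiles, SUSPECT)

if __name__ == "__main__":
    for host, kind, detail in demo()[1]:
        print(f"ALERT {host} {kind}: {detail}")
```

The ordinary page fetch produces no alerts, while the FTP session trips three tolerances at once on 10.0.0.5: a service it never used, a bit rate above its learned band and a day's volume far beyond its history. Two caveats worth keeping in mind with any such system: a host seen only once has no usable tolerance (hence MIN_SAMPLES), and a baseline learned while an intruder is already active will record the intruder's traffic as normal, so the learning window should be reviewed before alerts are trusted.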
How NBA complements signature-based security technologies and consolidates network traffic monitoring tools
NBA not only strengthens security by filling the gaps left open by signature-based products,
but also replaces homegrown, open source and proprietary network traffic monitoring point products.
The historical network data and traffic behavioral analysis provide the real-time insight that
network admins need to spot and correct upcoming service interruptions before they affect overall
network performance.
In fact, intelligence gathered by the NBA enables admins to see the impact of any unexpected
network event from anywhere within their network. This information can be customized for the
individual responsibilities of each admin.
This cuts the time needed to diagnose an event and to separate security-related events from
performance- and architecture-related network events, which in turn speeds up network capacity
planning and streamlines resource management. NBA technology also provides a range of network
operation-focused reports such as the network's top talkers, interface utilization statistics and
visual representations of historical network traffic.
NBA displaces the need for expensive appliances and software agents at remote sites
NBA tools also can help consolidate the deployment of network security and
performance-monitoring tools at remote offices. In a large distributed environment, as is the case
with a dozen separate sites connected through MPLS, the typical approach either is to deploy
software agents to all the hosts at those remote sites or deploy IDS/IPS sensors at each location.
Because NBA works from the flow records that the routers and switches already at those sites can
export, deploying IDS/IPS and related security applications at the core data centers and enabling
NBA at the remote sites leaves little need for expensive appliances and software-based agents at each
remote location.
How you decide to use NBA is limited only by your needs and imagination.
Adam Powers is CTO of Lancope.