NTA: The Big Step Theory

Let’s come back from the world where the endpoint won the detection and response wars to this one. As we are ramping up our NTA (but, really, broader NDR for network-centric detection and response) research, one mystery has to be resolved.

What motivates some organizations to actually deploy NTA (usually one particular NTA vendor technology built on a large island off the coast of Europe) before any other detection and monitoring controls, and sometimes even before basic logging?

Let’s put aside the offensive jokes and appeals to the principle that “90% of people aren’t in the top 10 percentile.” Seriously, this question somehow bothered me, but I think I cracked it.

I call my explanation THE BIG STEP THEORY.

Imagine a real “Mongolian clusterluck” [no FoaaS for this one, sorry] of a network, where endpoints are unmanaged or clown-managed, switches and routers are poorly configured, nothing is segmented, changes are random, VPN users are dropped into the main LAN, and nothing logs anything. In other words, not the networks that my esteemed readers’ employers have, but what other people have …

What is a single step one can take to know what the hell is going on in their IT environment? Where threats lurk? What users cause mischief in the name of “just doing their jobs”? What goes out, in and sideways?

I’d argue that it is NOT SIEM, NOT EDR, NOT NIDS or NGFW – but actually NTA.

SIEM needs several log types to be enabled (!) and collected – then correlated into a coherent picture. EDR needs agents nearly everywhere for decent visibility. NIDS will only get you attacks, unless you write other signatures.

NTA, however, will give you a passable picture of activities after you deploy just one box (typically on egress or in some other central location) that sniffs traffic. For sure, for this you need a layer 7 NTA, not the 1990s-style layer 3.

Hence, in this view, NTA represents the biggest ONE STEP jump to situational awareness from near-total unawareness.

Agreed? Other views?

P.S. A post-scriptum aimed at the “all of the above” or “layered defense” crowd, who always pedantically remind us that “in security, the only correct answer is ALL OF THE ABOVE” since you need “oh so many layers of defense.” We know! However, not everybody will do this, almost nobody in smaller and mid-sized organizations will do it, and, frankly, even large enterprises won’t deploy all layers at the same time.

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: