How Network Traffic Analysis Can Help in Meeting Security Goals
Network traffic analysis is a fast-rising class of security tools that promises actionable insights from an under-appreciated but integral part of your existing IT infrastructure: your network. Analysts and industry thought leaders are bringing focus to this emerging category as its value becomes clearer, making it something security leaders will need to understand and at least consider in 2019.
There are several justifications for this attention. As perimeter protections fade in relevance, the network itself becomes more important as the connective tissue between cloud, virtual and on-premises infrastructure and services. While agents and logs fall prey to attacker counteractions, network data can be collected passively, so the attacker can’t see or corrupt its evidence. And network detection and response hasn’t been optimized yet, so almost any security operations program has substantial untapped room for improvements in context and productivity.
Being anointed as a category can help security teams formalize requirements and allocate budget, but is an analyst checklist good enough? Before a company jumps on the bandwagon, it should ask three questions:
- Why don’t we have this covered already?
- Is this a priority or a nice-to-have in 2019?
- What tools and spending can we replace?
‘Don’t We Do This Already?’
Per Gartner’s definition of network traffic analysis (sourced at the firm’s June Security and Risk Management Summit), qualified providers must analyze either raw network traffic packets or traffic flows to detect suspicious activities and raise alerts. Fine, you may do that already. What’s different is that this analysis is now occurring in real (or nearly real) time. Your old packet capture tool, besides requiring packet-savvy analysts, is primarily geared to forensic analysis: mining after the fact rather than within an active scoping/containment/mitigation workflow.
And traffic flows can illustrate patterns in data, but often won’t let security analysts drill down to see specific transactions. Some offer L7 application visibility, but most restrict visibility to packet headers and metadata as a way to keep up with high traffic volumes. Restricted content visibility means analysts can’t distinguish legitimate from malicious traffic.
So packets alone are too slow, and flows alone are too limited. Agent-based tools offer unreliable help because many systems aren’t permitted to have agents (including databases, IoT, embedded systems), and agents are one of the first targets of a successful compromise.
‘Is This a Priority or a Nice-to-Have?’
Every analytics tool claims it delivers new, must-have value, powered by a full ration of buzzwords. Most of them are shiny objects—attractive to look at but tedious to dust when they sit on the shelf for too long. Network traffic analysis products won’t be right for everyone, but will be genuinely useful for specific security goals for 2019 including:
- Increased visibility and detection of insider threat and post-compromise attack behavior. Most businesses don’t have much telemetry coming from database servers, application servers, DNS or DHCP servers. Logs and agents are routinely compromised in the early stages of an attack, silencing other common internal data sources. So more is needed to see privilege escalation, reconnaissance, lateral movement and data exfiltration behaviors affecting data centers, containers, cloud and service components. When attackers look much like accredited insiders, anyone could be an insider threat. Look at critical assets and services and what will (and should) be interacting with them to determine how to get the visibility with performance you need.
- Focus on proactive risk reduction and hunting. Maturing organizations are looking beyond the reactive considerations of threat detection to limit the attack surface and better prepare for attacks. Your programs might include pen testing, red/blue teams and more aggressive hygiene habits (such as monitoring for expiring certificates, deprecated cipher suites and unapproved protocol usage). Network traffic analysis tools give you definitive evidence of activities and anomalies that need mitigation and remediation, as well as attack activities that need containment. Consider which systems and risks are a monitoring priority for the company.
- End-to-end or data center encryption. Adopting encryption will make it even harder to understand what is happening in the east-west corridor of internal traffic. A comprehensive plan should include decryption of L7 application traffic and its contents so a security analyst can look within approved traffic to identify undesirable activities, as well as pinpoint unapproved use of encryption, which may be malware or tunneling. There’s hot debate around middleboxes, TLS session key management and privacy concerns, and “shiny object” vendors don’t have much experience meeting enterprise and regulatory requirements. Be sure to ask the right questions to get the complete answer from vendors in this space.
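The hygiene checks named in the list above (expiring certificates, deprecated cipher suites, unapproved protocol usage) can be run directly over passively collected connection metadata. The Python below is an added example, not code from any vendor or product; the record field names, policy values, reference date and sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Policy values are assumptions for illustration; tune them to your environment.
APPROVED_PROTOCOLS = {"tls", "dns", "ssh"}
DEPRECATED_CIPHER_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT_", "_MD5")
EXPIRY_WARNING = timedelta(days=30)
REFERENCE_NOW = datetime(2019, 1, 15, tzinfo=timezone.utc)  # fixed so results repeat

# Constructed sample records shaped like per-connection metadata from a
# passive network sensor. Field names are hypothetical.
SAMPLE_RECORDS = [
    {"src": "10.0.1.15", "dst": "10.0.2.20", "dport": 443, "proto": "tls",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
     "cert_not_after": "2019-11-30T00:00:00+00:00"},
    {"src": "10.0.1.16", "dst": "10.0.2.21", "dport": 443, "proto": "tls",
     "cipher": "TLS_RSA_WITH_RC4_128_SHA",
     "cert_not_after": "2019-02-10T00:00:00+00:00"},
    {"src": "10.0.1.17", "dst": "10.0.2.22", "dport": 23, "proto": "telnet"},
    {"src": "10.0.1.18", "dst": "10.0.2.23", "dport": 8443, "proto": "tls",
     "cipher": "TLS_AES_256_GCM_SHA384",
     "cert_not_after": "2019-01-10T00:00:00+00:00"},
]

def hygiene_findings(record, now):
    """Return the list of hygiene findings for one connection record."""
    findings = []
    if record["proto"] not in APPROVED_PROTOCOLS:
        findings.append("unapproved-protocol")
    cipher = record.get("cipher")
    if cipher and any(marker in cipher for marker in DEPRECATED_CIPHER_MARKERS):
        findings.append("deprecated-cipher")
    if "cert_not_after" in record:  # non-TLS records carry no certificate
        not_after = datetime.fromisoformat(record["cert_not_after"])
        if not_after <= now:
            findings.append("expired-certificate")
        elif not_after - now <= EXPIRY_WARNING:
            findings.append("certificate-expiring")
    return findings

def audit(records, now):
    """Return (src, dst, dport, findings) for every record with a finding."""
    rows = ((r, hygiene_findings(r, now)) for r in records)
    return [(r["src"], r["dst"], r["dport"], f) for r, f in rows if f]

if __name__ == "__main__":
    for row in audit(SAMPLE_RECORDS, REFERENCE_NOW):
        print(row)
```
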
‘What Can I Replace in my Budget?’
In search of potential funding (as well as reduced complexity), it’s a good idea to consider which products aren’t providing value and might be due for retirement. Candidates start with that packet capture system: is there a better approach than storing every packet, especially if you don’t really use them? Some other possibilities when reducing complexity are tools for discovery and classification of rogue devices on your network, flow-only analytics and analytics that operate on top of your SIEM based on log data. Looking at OPEX, there are likely storage costs to be recovered by jettisoning these products. In addition, by pre-processing network evidence before handing it to the SIEM, it’s possible to reduce the stranglehold of storage fees a SIEM vendor often charges.
2019: Is it Your Year of Network Traffic Analysis?
You will likely see an explosion of network traffic analysis products in 2019. The benefits can be material and satisfying. But be sure to look beyond the basic features to understand whether the capabilities deliver value given each company’s unique hybrid infrastructure and traffic volumes, align with security team priorities and work to consolidate the tool footprint of your security program.