NEW TECH: ‘Network Traffic Analysis’ gets to ground truth about data moving inside the perimeter

Digital transformation is all about high-velocity innovation. But velocity cuts two ways.


Yes, the rapid integration of digital technologies into all aspects of commerce has enabled wonderful new services. But it has also translated into an exponential expansion of the attack surface available to cyber criminals.

This has led us to the current environment in which security threats are multiplying even as network breaches grow costlier and more frequent.

However, a newly minted security sub-specialty — christened Network Traffic Analysis, or NTA, by Gartner — holds some fresh promise for getting to the root of the problem. I had the chance to sit down at RSA 2019 with ExtraHop Networks, a Seattle-based supplier of NTA systems.

ExtraHop’s CISO Jeff Costlow walked me through what’s different about the approach NTA vendors are taking to help companies detect and deter leading-edge threats. For a drill-down, give a listen to the accompanying podcast. Key takeaways:

NTA’s distinctions

Software development today routinely occurs at high velocity in order to build the digital services we can’t live without. Modular microservices, software containers and orchestration tools get spun up, using open source components; all of this mixing and matching occurs in the internet cloud, keeping things moving right along.

The inevitable security gaps that get created as part of this highly dynamic process have been getting short shrift, in deference to shipping deadlines. It’s not as though legacy security vendors are asleep at the wheel; they’ve been applying machine learning and AI to the output of SIEMs, firewalls, intrusion detection and other traditional security products designed to filter and detect malicious traffic directed at, and coming through, the perimeter.


By contrast, NTA systems direct a blend of machine learning, advanced analytics and rule-based detection to the task of continuously analyzing the raw traffic moving to and fro inside the network perimeter.

The underlying principle of NTA technology is simple and straightforward. “The network really is where all the relevant data resides,” Costlow told me. “You can get to the ground truth by extracting the metadata about the data that’s traveling on the network . . . you can draw a lot of inferences and pull a lot of analytics out of that information.”

Postman clone

Recently, ExtraHop was monitoring the metadata flowing through its own network when it discovered an anomalous connection that was rather quietly sending data outbound at a low rate.

Follow-up forensics revealed the data in question to be Chrome browser histories that had been collected by a malicious Chrome browser extension, called Postman. This malicious Postman extension was a spoofed clone of the legitimate Postman app, a very popular Chrome extension used by software developers for testing and real-time editing of the API requests embedded in newly created apps.

“Postman is a convenient, developer-centric tool that has existed for a long time,” Costlow said.

ExtraHop analysts determined that the malicious Postman clone had been available for download at the official Play Store for about two months, and in that time had been downloaded and installed some 27,000 times. Google subsequently removed the Postman clone from Play Store.

“So this was very much targeted at developers,” Costlow said. “It had a special little back door; every time you browsed, it would send some of the data that you browsed off to a home base.” This could give an attacker intelligence about code repositories and other tips about the structure of our engineering environment.
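The detection described above, a quiet outbound channel that only stands out in connection metadata, as an added Python example (not ExtraHop’s code and not data from the article): it groups constructed flow records by internal host and external destination, and flags pairs that show many small, regularly spaced connections over several hours to a destination no other internal host contacts, while leaving a single large upload and a shared, popular destination unflagged.

```python
"""Low-and-slow outbound beacon detection over flow metadata (constructed example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

HOUR = 3600
# Constructed sample flows, not captured traffic: (epoch seconds, src, dst, dst_port, bytes_out)
FLOWS = (
    # Host .10 sends a few hundred bytes to one external host every 10 minutes for six hours.
    [(t, "10.0.0.10", "203.0.113.7", 443, 600 + (t // 600) % 50) for t in range(0, 6 * HOUR, 600)]
    # Host .11 performs one large backup upload: lots of bytes, but not beacon-like.
    + [(1200, "10.0.0.11", "198.51.100.20", 443, 80_000_000)]
    # Both hosts visit a popular site a few times; a shared destination is not rare.
    + [(t, src, "192.0.2.50", 443, 30_000) for t in (100, 5000, 9000) for src in ("10.0.0.10", "10.0.0.11")]
)

# RFC 1918 ranges define "inside the perimeter" for this example.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def find_low_slow_beacons(flows, min_flows=12, min_span=4 * HOUR, max_avg_bytes=4096, max_cv=0.5):
    """Return (src, dst) pairs that look like quiet, periodic outbound channels.

    A pair is flagged when it has at least min_flows flows spanning at least min_span
    seconds, a small average payload, regular spacing (low coefficient of variation
    of inter-arrival gaps), and a destination contacted by only one internal host.
    """
    by_pair = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            by_pair[(src, dst)].append((ts, nbytes))
            hosts_per_dst[dst].add(src)
    hits = []
    for (src, dst), recs in by_pair.items():
        recs.sort()
        times = [t for t, _ in recs]
        if len(recs) < min_flows or times[-1] - times[0] < min_span:
            continue
        if mean(b for _, b in recs) > max_avg_bytes:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0  # 0 means perfectly regular
        if cv <= max_cv and len(hosts_per_dst[dst]) == 1:
            hits.append((src, dst))
    return hits

if __name__ == "__main__":
    print(find_low_slow_beacons(FLOWS))
```

The thresholds are illustrative; in practice they would be tuned against a baseline of what each host normally talks to, which is the kind of context NTA systems build from metadata.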

Practicing restraint

Imposter apps and browser extensions masquerading as legitimate tools represent a clear and present risk that companies must account for. NTA technologies have a clear potential to help catch this type of subtle data exfiltration, and the momentum ExtraHop has generated in the past couple of years suggests that the practice of applying NTA systems to improving security is catching on. The company is in a rapid growth phase, with revenues surpassing $100 million in 2018, bolstered by 10X growth in cybersecurity, and its employee headcount has grown to over 400, with plans to add 150 more in 2019.

Meanwhile, we continue to take browser extensions, in particular, for granted. They have come into common, everyday use. We use them to extend the functionality of our web browsers, for things like developer tools, adware blockers, or tools to browse through CRM applications, for instance.

We’re blissfully ignorant of the fact that threat actors see browser extensions as an opportunity to slip malicious code past state-of-the-art perimeter defenses. An important step to reversing this trend lies with each user. It is left up to each individual, for now, to get proactive about not being victimized.

“Understanding the data that you have, and the applications that you’re using, and understanding how you can use these tools and in a manner that protects you and others is a key,” Costlow says.

Agreed. Reduce your digital footprint. Practice restraint, for your own good, and for the good of the people and organizations you are associated with. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: