Network traffic analysis tools are not new; they have been around for a long time and can be considered a mature sector within cyber security. In this article, I will highlight the major differences between NDR (network detection and response) and other relevant tools.
Traditional network traffic analysis is more or less the same thing as network traffic monitoring, commonly seen in next generation firewall devices. However, traffic monitoring is still largely centered on basic 5-tuple information (source IP, destination IP, source port, destination port and protocol) extracted from NetFlow and similar flow-export protocols. Statistical traffic accounting and analysis are built on top of this 5-tuple information. Note that flow records carry no payload, so anything that can only be seen inside the packet data is invisible at this layer.
For example, we can group and filter on source and/or destination IP address, source and/or destination port number or service. Still based on the 5-tuple, we can calculate the total number of packets, bytes and flows, and break those counts down by application type and by a specific source or destination IP address. We can visualize the corresponding traffic from different angles to give network or security admins a comprehensive view of traffic status on interfaces, networks and applications.
NDR, on the other hand, goes well beyond a statistical, 5-tuple based analysis framework. In addition to traffic metadata, and powered by machine learning, NDR can conduct much more sophisticated traffic pattern analysis: packet size distribution, inter-packet arrival time distribution, entropy of packet payloads, among others. (Entropy is a weak signal on its own: encrypted traffic such as TLS is high-entropy by design, so the feature is most useful on protocols, such as DNS, that should not normally carry random-looking data.) NDR also conducts behavioral analysis using ML algorithms: learning the normal baseline traffic load for a given monitoring period, measuring the deviation of an application's traffic from that baseline, pinpointing the specific time frame of an anomaly, and pulling in other contextual information about the host machine and the user. These behavioral characteristics can be correlated to sketch out the tracks of suspicious behavior, or even of an attack in progress.
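To make the contrast between the two preceding paragraphs concrete, here is an added example (my own illustration, not Hillstone code and not taken from any product) that runs both kinds of analysis over a small, constructed packet sample: first the flow-record style 5-tuple accounting, then the NDR-style features the text names, i.e. packet size distribution, inter-arrival times, payload entropy and deviation from a learned baseline. The traffic, the IP addresses and the entropy threshold are all assumptions chosen for the sample; in it, one host sends DNS queries whose payloads look like uniformly random bytes, which the 5-tuple summary cannot distinguish from the other host's ordinary DNS query but the entropy feature can.

```python
import math
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample traffic (not a real capture): one tuple per packet as
# (timestamp_s, src_ip, dst_ip, src_port, dst_port, proto, payload).
# 10.0.0.5 is an ordinary client; 10.0.0.9 sends DNS queries whose payloads
# are uniformly distributed bytes, a common sign of tunnelled or encoded data.
PACKETS = [
    (0.00, "10.0.0.5", "93.184.216.34", 51000, 443, "tcp", b"\x16\x03\x01" + b"A" * 40),
    (0.05, "10.0.0.5", "93.184.216.34", 51000, 443, "tcp", b"\x17\x03\x03" + b"B" * 120),
    (0.10, "10.0.0.5", "10.0.0.53", 51001, 53, "udp", b"\x12\x34\x01\x00\x00\x01\x07example\x03com\x00"),
    (0.12, "10.0.0.9", "10.0.0.53", 40000, 53, "udp", bytes(range(0, 32))),
    (0.13, "10.0.0.9", "10.0.0.53", 40001, 53, "udp", bytes(range(32, 64))),
    (0.14, "10.0.0.9", "10.0.0.53", 40002, 53, "udp", bytes(range(64, 96))),
]


def five_tuple_summary(packets):
    """Flow-record style accounting: per source IP, count packets, payload
    bytes and distinct flows (a flow here is one distinct 5-tuple)."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": set()})
    for _ts, src, dst, sport, dport, proto, payload in packets:
        entry = stats[src]
        entry["packets"] += 1
        entry["bytes"] += len(payload)
        entry["flows"].add((src, dst, sport, dport, proto))
    return {src: {"packets": e["packets"], "bytes": e["bytes"], "flows": len(e["flows"])}
            for src, e in stats.items()}


def packet_size_histogram(packets, bucket=64):
    """Packet size distribution: packets per `bucket`-byte wide bin,
    keyed by the bin's lower bound."""
    return Counter((len(p[6]) // bucket) * bucket for p in packets)


def inter_arrival_times(packets, src_ip=None):
    """Gaps in seconds between consecutive packets, optionally for one source."""
    ts = sorted(p[0] for p in packets if src_ip is None or p[1] == src_ip)
    return [round(later - earlier, 6) for earlier, later in zip(ts, ts[1:])]


def payload_entropy(payload):
    """Shannon entropy of the payload in bits per byte (0.0 .. 8.0)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())


def baseline_zscore(baseline, observed):
    """Standard deviations between `observed` and the baseline mean.
    A flat baseline (zero spread) makes any change infinitely surprising."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return 0.0 if observed == mu else math.inf
    return (observed - mu) / sigma


def suspicious_dns_sources(packets, entropy_threshold=4.5):
    """Sources whose mean DNS (port 53) payload entropy exceeds the threshold.
    The threshold is an assumed value for this sample, not a vendor setting."""
    per_src = defaultdict(list)
    for p in packets:
        if p[4] == 53:
            per_src[p[1]].append(payload_entropy(p[6]))
    return sorted(src for src, ents in per_src.items() if mean(ents) > entropy_threshold)


if __name__ == "__main__":
    print(five_tuple_summary(PACKETS))          # both hosts look equally boring here
    print(packet_size_histogram(PACKETS))
    print(inter_arrival_times(PACKETS, "10.0.0.9"))
    print(suspicious_dns_sources(PACKETS))      # only the high-entropy DNS sender
    # Assumed per-minute packet counts for a baseline, then one burst of 400
    print(round(baseline_zscore([100, 110, 95, 105, 90], 400), 1))
```

In the 5-tuple summary both hosts show three packets and a handful of DNS flows, so a flow-based monitor has nothing to alert on. The payload entropy of the 10.0.0.9 queries (5.0 bits per byte, against roughly 3.7 for the ordinary query) is what separates them, and the z-score shows how a learned baseline turns a raw count into a "how unusual is this" measure; a real NDR keeps separate baselines per host, application and time of day rather than the single list used here.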
Another related technology is SIEM. SIEM works on logs: it collects logs generated by network and security infrastructure such as firewall devices, host machines, servers and applications, and analyzes them using traditional statistical sorting, grouping and filtering. It can also apply more advanced analytical tools such as NLP to perform deeper and more comprehensive analysis of the logs, detect abnormal or malicious activity, and raise alerts.
SIEM is a mature technology that has been around for a long time, and it is an essential tool in security operations centers. In the last few years, SIEM vendors have expanded on traditional SIEM products and augmented them with threat detection and incident response capabilities, and have given the result a new name: next generation SIEM.
SIEM and NDR can be complementary to each other. Adding network traffic analysis to an existing SIEM infrastructure provides contextual application information that logs alone do not carry. It also enables real-time behavioral analytics for applications, and therefore quicker and more effective threat hunting. Because of this, SIEM vendors are integrating NDR into their SIEM solutions to provide end-to-end security operations and threat detection, further enriching behavior-based analysis and threat hunting capabilities.
Nowadays, no individual technology has proven sufficient to fend off increasingly sophisticated cyberattacks. More and more technologies are converging and integrating to deliver a stronger and more effective cyber defense.
Hillstone Networks was recognized in the Gartner 2020 Market Guide for Network Detection and Response* for its sBDS solution. To learn more about the Hillstone Server Breach Detection System (sBDS), download the whitepaper or watch our on-demand webinar.
*: Gartner, Market Guide for Network Detection and Response, Lawrence Orans, Jeremy D’Hoinne, Josh Chessman, June 11, 2020