Network Traffic Analysis (NTA)

Network Traffic Analysis (NTA) was first created and defined by Gartner as an emerging category of security solutions that use network communications as the foundational data source for detecting and investigating security threats and anomalous or malicious behaviors within that network.

NTA was named one of the top 11 emerging technologies in 2017 by Gartner. As the technology is maturing, security vendors are delivering a variety of solutions that directly utilize NTA or integrate NTA as part of an overall threat protection solution platform.

On February 28 2019, Gartner published its first market guide for NTA. In this report, it has provided an overview of the NTA technology landscape, has set the market direction and analyzed corresponding products from leading vendors. This is the first and most critical guide on the NTA market since the category was first created a few years ago.

Here, we will first go over the key functionalities and elements of NTA technology. In the second part, we will discuss some major functionalities of the NTA platform from Hillstone Networks.

What is NTA?

NTA technology itself has been around for a while. It has been widely used in network monitoring and traffic analysis; it can help provide comprehensive visibility of the entire network to gain insights into network operations and performance, among other things.

As it turns out, today, cyber criminals, casual or professional hackers and other sponsored organizations are using more and more advanced techniques and tools to stage cyberattacks; these are more targeted, persistent and sophisticated attacks and their goals often involve stealing useful user credentials, critical business data and other information for monetary purposes. Legacy threat attack detection and prevention mechanisms and technologies which are usually deployed at network perimeters using static, signature rules based mechanisms are becoming insufficient to fend off these sophisticated attacks.

With advancements in cloud computing, as well as data mining and analytical techniques driven by AI and machine learning, a wide range of new network security technologies are emerging that have proven to be more effective — in conjunction with other legacy security techniques — to detect, prevent and respond to more advanced threat attacks. One of them is NTA.

Instead of checking static pattern signatures and policy rules, NTA continuously monitors and collects network traffic and other packet data information. Over a period of time, it can form a baseline for traffic and use the baseline to represent normal traffic patterns and behaviors of applications and services inside the corporate network. More importantly, these also represent the normal behaviors of the users that are accessing these applications and services. In other words, network traffic is closely related to the user conduct that generates these traffic patterns.

Once the baselines are established, new traffic from the same traffic flows are checked against the baseline and network traffic is analyzed based on mathematical or machine learning algorithms. Consequently, abnormal traffic and application services patterns, which indicate the abnormal behavior of corresponding users, can be detected and comprehensive analysis can be presented visually to security analysts and admins. Proper actions can be taken to eliminate or mitigate any potential damages.

The Anatomy of NTA

A typical NTA platform usually consists of these key elements:

  • Traffic Collector
  • Different type of network traffic such as traffic logs and pcaps are collected, parsed, normalized and forwarded to the data storage module. Usually there are protocol decoding functionalities in the collector modules. Collectors can be physical appliances or software agents installed on the end user devices. Collectors are usually deployed in tapping mode to minimize impact to normal business operations.

  • Traffic Data Storage
  • Formalized traffic data are stored in one or multiple databases in either a centralized or distributed manner. Traffic logs or metadata can be queried and searched flexibly and efficiently. Typically, data is stored for a prolonged period of time which can be used for threat detection, threat hunting and forensic evidencing purposes.

    Since the amount of traffic logs usually are very large, there are requirements for database capacities and query efficiencies. Modern technologies like Hadoop and Elasticsearch stacks are commonly used to store and retrieve traffic data in the distributed architecture. For NTA to be effective, it is crucial to collect traffic logs for the entire protected network over sufficient lengths of time. This is critical in traffic correlation analysis and also for comprehensive threat hunting capabilities.

  • Traffic Analysis Engine
  • These are the work horses of NTA. There are many analytical techniques that can be applied ranging from simple statistical analysis to much more complicated machine learning based algorithms. The goal is to identify the applications and services whose traffic patterns exceed the derivation thresholds from the established baselines.

  • Output Module
  • As the results of traffic analysis, logs and alerts are generated, they are presented visually in the user interface for security analysts and admins to take mitigation actions, such as pushing firewall policies, blocking suspicious hosts or performing traffic control associated with compromised hosts.

NTA technology is critical to cyber security. It provides an effective and powerful tool to gain insights of real time network and application traffic, especially east and west network traffic, which is often associated with lateral traffic movement and data exfiltration after an attacker breaches the corporate network. This is critical in detecting post-breach threats, as well as those unauthorized activities from inside the corporate network, whether done intentionally or unintentionally, by corporate employees.

Hillstone delivers on and helps you understand and act on network traffic analysis

In Gartner’s NTA Market Guide, the Server Breach Detection System (sBDS) from Hillstone Networks was selected by Gartner as the leading product after comprehensive reviews.

The sBDS platform integrates multiple threat detection engines such as Intrusion Prevention System (IPS) and antivirus. Without decrypting SSL/TLS traffic, layer 7 traffic metadata are collected and baselines are established during what is called the learning mode. Subsequently, real time traffic is continuously monitored and analyzed during what is called the detection mode. Using advanced mathematical algorithms to identify deviations from normal activity, any abnormal activities can be effectively detected and flagged. sBDS also integrates with Hillstone Next Generation Firewalls to add blocking capabilities.

In addition, Hillstone’s NTA solution has self-adaptive capabilities. Any false positives or known exceptions such as holidays and vacations periods can be marked and applied to the future relearning and analysis either manually or automatically. The Hillstone NTA solution primarily targets the data center, with many dashboards focused on this use case. It can be deployed inside the corporate network as well as near protected server farms or host groups.

Hilstone’s NTA solution is part of the full Hillstone Networks security and risk mitigation platform, delivering layered protection that allows enterprises to detect abnormal user and application behavior, thereby protecting enterprises from attacks, especially insider threats.