While not as widely deployed as many entrenched security technologies, network behavior analysis is opening many eyes to the true risks permeating corporate networks.
Businesses have a lot riding on their networks. The data moving between devices and facilities is the lifeblood of an enterprise, and if that information is compromised, the results could be disastrous.
One of the keys to protecting networks and systems is to know exactly what type of activity is occurring on them. Network behavior analysis, or NBA, is designed to give organizations the level of visibility they need to help ensure that security threats are identified and remedied.
NBA products analyze network traffic via data gathered from network devices, such as IP traffic flow systems, or through packet analysis. Using a combination of signature and anomaly detection, they alert security and network managers to any suspicious activity, and provide a view of network activity so administrators can analyze and respond to the activity quickly, before there's extensive damage.
The market for NBA has attracted mainstream network and security equipment providers and smaller firms. Among the vendors in the market that focus on NBA are Arbor Networks, Lancope, Mazu Networks and Q1 Labs. Companies such as Cisco Systems, CounterStorm, Internet Security Systems and Sourcefire also offer some type of NBA functionality.
NBA detects behaviors that might be missed by policy-based and signature-based security technologies, such as intrusion detection and prevention systems, firewalls, and security information and event management systems, IT advisor Gartner says. Those technologies might not detect threats that they're not specifically configured to look for.
NBA products are decision-support systems that help a knowledgeable operator interpret and react to a variety of network activities that are deemed suspicious. An experienced administrator uses the technology to address threats such as worms, unauthorized protocols and suspicious connections. Given the ability of NBA to provide this added layer of defense, Gartner recommends that organizations deploy the technology as part of a comprehensive strategy to protect enterprise networks.
There's an obvious need for improved detection of network activity, as the cost of security breaches continues to rise. According to the 12th annual Computer Security Institute Computer Crime and Security Survey--which queried 494 U.S. computer security professionals--the average annual security-related loss increased from $168,000 the previous year to about $350,000 in 2007.
Nearly one-fifth of the survey respondents who suffered one or more security incidents said they had experienced a targeted attack, which is defined as a malware attack aimed specifically at an organization or organizations within a subset of the general population. Financial fraud was the source of the greatest financial losses; computer viruses--which had been the leading cause of loss for seven consecutive years--came in second. The most prevalent security problem was insider abuse of network access or e-mail, followed by virus incidents.
Network behavior analysis can help organizations spot these kinds of activities, and demand for this technology is on the rise after a slow start in 2001, according to a report released by Gartner in late 2006. The report said that early NBA technologies evolved from products such as distributed denial-of-service protection, and these technologies competed with signature-based products to address security vulnerabilities such as worms.
At that time, vendors had to compete with marketing messages that stressed accuracy, coverage and automated response, which missed the point and value of NBA technology--providing network visibility in a decision-support context--said the report. This led to market confusion about NBA, some of which persists today.
One area in which NBA had a clear advantage over signature-based products was in addressing "zero-day" vulnerabilities. The Gartner report says NBA systems can help organizations catch such infections early and thereby limit their impact.
Now that many organizations have deployed firewall, intrusion detection/prevention, and security information and event management systems, some are considering network behavior analysis technology. Gartner projected that NBA market revenue would increase 30 percent in 2007, thanks to the security functionality and operations visibility these products provide.
"The demand is growing for more visibility into network behavior to address security and operational requirements," says Paul Proctor, research vice president at Gartner, who authored the report. "This demand is driven by the recognition that you can't completely define every event you may want to know about and program a box to tell you when something happens. Organizations need to see what's going on in their networks so that they can make good decisions regarding their level of interest in different events."
Some behaviors are recognizable only to an expert with appropriate context and visibility into network traffic, according to Proctor. "For example," he says, "the spread of a worm through the enterprise is not easily detectable with traditional mechanisms."
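As an added illustration, not taken from the article or from any vendor's product, the Python sketch below shows the flow-based reasoning described above: it learns a per-host baseline of connection fan-out from constructed flow records, then flags the worm-like spread Proctor mentions alongside the unauthorized protocols listed earlier. The addresses, ports and policy list are constructed assumptions for the example.

```python
"""Toy NBA-style flow analysis: learn each host's normal fan-out from baseline
flow records, then flag deviations and policy violations in a later window.
All flow records here are constructed samples, not captured traffic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src_ip, dst_ip, dst_port, protocol)
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, "tcp"), ("10.0.0.5", "10.0.0.21", 445, "tcp"),
    ("10.0.0.6", "10.0.0.20", 80, "tcp"),  ("10.0.0.6", "10.0.0.22", 443, "tcp"),
    ("10.0.0.7", "10.0.0.20", 445, "tcp"), ("10.0.0.7", "10.0.0.23", 53, "udp"),
]
# Later window: 10.0.0.5 suddenly touches 30 hosts on 445 (worm-like fan-out)
# and 10.0.0.6 opens a connection on a port the policy does not allow.
WINDOW_FLOWS = [("10.0.0.5", f"10.0.0.{n}", 445, "tcp") for n in range(30, 60)] + [
    ("10.0.0.6", "10.0.0.20", 80, "tcp"), ("10.0.0.6", "203.0.113.9", 6667, "tcp"),
]
# Assumed policy: ports an administrator has declared unauthorized.
UNAUTHORIZED_PORTS = {23, 6667}

def fan_out(flows):
    """Distinct destination count per (source, dst_port): the worm-spread signal."""
    seen = defaultdict(set)
    for src, dst, port, _proto in flows:
        seen[(src, port)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}

def learn_baseline(flows):
    """Mean and population std dev of fan-out across all (source, port) pairs."""
    counts = list(fan_out(flows).values())
    return mean(counts), pstdev(counts)

def analyze(window, baseline, sigmas=3.0, min_hosts=10):
    """Return alerts: a fan-out anomaly when a (source, port) exceeds the baseline
    by `sigmas` std devs (with an absolute floor so tiny baselines do not fire on
    one extra host), plus a policy alert for every flow on an unauthorized port."""
    mu, sd = baseline
    alerts = []
    for (src, port), n in fan_out(window).items():
        if n >= max(min_hosts, mu + sigmas * sd):
            alerts.append(("fan_out_anomaly", src, port, n))
    for src, dst, port, proto in window:
        if port in UNAUTHORIZED_PORTS:
            alerts.append(("unauthorized_protocol", src, dst, f"{proto}/{port}"))
    return alerts

if __name__ == "__main__":
    for alert in analyze(WINDOW_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print(alert)
```

The baseline window itself produces no alerts, which is the property an operator tunes `sigmas` and `min_hosts` against before trusting the anomaly output.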
Ask Your CSO or CISO:
Do current security technologies (firewalls, intrusion detection/prevention systems) provide enough visibility into network activity so the organization is able to track all security breaches?
Ask Your CFO:
Will the budget allow for NBA systems that improve visibility of network activities and enhance security?