After organizations successfully deploy firewalls and intrusion detection/prevention systems--with appropriate processes for tuning, analysis and remediation--they should consider using network behavior analysis (NBA) to identify network events and behaviors that are not detectable via other techniques.
"Intrusion detection and prevention systems can only identify behaviors that can be explicitly defined by a set of known patterns, or signatures," Proctor says. In contrast, NBA "uses a combination of detection mechanisms, including deviations from observed behavior baselines, to detect interesting events that are not easily defined through signatures."
Intrusion detection/prevention systems must be tuned appropriately, "but they are treated by many organizations essentially as 'set it and forget it' mechanisms," Proctor says. "An NBA system must be configured and analyzed by an expert with appropriate context to understand and interpret the information.
"The major challenge is tuning them and establishing appropriate response workflow. The major benefit is getting information and visibility that you can't get through any other toolset."
Failure to fine-tune NBA devices adequately can result in a flood of false positives, which bogs down network and security managers as they investigate alerts that pose no risk to the organization. When tuned and used properly, however, the technology has a large effect on an enterprise's ability to see what is really going on in its networks, and organizations that have implemented NBA say they are gaining visibility they did not have before.
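To make the signature-versus-baseline distinction concrete, and to show why the tuning the article's sources stress matters, here is an added example in Python. It is not code from the article, from Mazu or from any NBA product. It builds a per-host baseline from a constructed seven-day window of outbound volume and destination ports, scores one more day against that baseline, and compares the result with a simple signature match over the same day's traffic. The host addresses, byte counts, ports, payload snippets and the two "signatures" are all invented for illustration; the sensitivity parameter k (how many standard deviations above the baseline mean count as anomalous) stands in for the tuning knob an analyst would adjust.

```python
"""
Baseline-deviation detection in the NBA style, beside a signature match.

All data below is constructed for illustration: three hosts, a seven-day
learning window of outbound volume (MB/day) and destination ports, and one
further day to score.  Nothing here is taken from a real network.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed learning window: host -> daily outbound MB over seven days.
BASELINE_BYTES = {
    "10.1.1.10": [120, 135, 110, 128, 140, 125, 118],     # steady office workstation
    "10.1.1.20": [900, 1500, 400, 2100, 700, 1800, 650],  # bursty build server
    "10.1.1.30": [40, 38, 45, 42, 39, 41, 44],            # quiet printer-class device
}
# Constructed learning window: host -> destination ports seen during the week.
BASELINE_PORTS = {
    "10.1.1.10": {80, 443, 53},
    "10.1.1.20": {22, 443, 53, 8080},
    "10.1.1.30": {9100, 53},
}
# Constructed day to score. The printer suddenly moves 4 GB and talks to
# SSH and an IRC-style port it has never used; the other two hosts are
# merely having a somewhat busier day than usual.
TODAY_BYTES = {"10.1.1.10": 150, "10.1.1.20": 2300, "10.1.1.30": 4200}
TODAY_PORTS = {
    "10.1.1.10": {80, 443, 53},
    "10.1.1.20": {22, 443, 53, 8080},
    "10.1.1.30": {9100, 53, 22, 6667},
}
# Constructed payload snippets and two made-up "known bad" signatures.
TODAY_PAYLOADS = {
    "10.1.1.10": [b"GET /index.html HTTP/1.1"],
    "10.1.1.20": [b"SSH-2.0-OpenSSH"],
    "10.1.1.30": [b"USER printer\r\nJOIN #chan"],  # unusual for this host, but no signature exists for it
}
SIGNATURES = [b"GET /cgi-bin/phf", b"\x90\x90\x90\x90"]


@dataclass
class Alert:
    host: str
    kind: str    # "volume" or "new_ports"
    detail: str


def signature_hits(payloads, signatures=SIGNATURES):
    """Signature-style detection: a host is flagged only if a known pattern appears."""
    return [host for host, msgs in payloads.items()
            if any(sig in msg for msg in msgs for sig in signatures)]


def build_baseline(history):
    """Per-host (mean, population stdev) of the learning window."""
    return {host: (mean(v), pstdev(v)) for host, v in history.items()}


def score_day(baseline_bytes, baseline_ports, today_bytes, today_ports, k=3.0):
    """Flag hosts whose volume exceeds mean + k*stdev, or that contact ports never seen in the baseline.

    k is the tuning parameter: smaller values make the detector more sensitive
    and, on hosts with normal day-to-day variance, more prone to false positives.
    """
    alerts = []
    stats = build_baseline(baseline_bytes)
    for host, today_mb in today_bytes.items():
        mu, sigma = stats[host]
        # Floor the spread at 5% of the mean so a near-zero-variance baseline
        # does not turn a trivial change into an alert.
        threshold = mu + k * max(sigma, 0.05 * mu)
        if today_mb > threshold:
            alerts.append(Alert(host, "volume",
                                f"{today_mb} MB vs baseline {mu:.0f} +/- {sigma:.0f} MB (k={k})"))
        new_ports = today_ports.get(host, set()) - baseline_ports.get(host, set())
        if new_ports:
            alerts.append(Alert(host, "new_ports", f"never-seen destination ports {sorted(new_ports)}"))
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_hits(TODAY_PAYLOADS))
    for k in (3.0, 1.0):
        print(f"\nbaseline alerts at k={k}:")
        for a in score_day(BASELINE_BYTES, BASELINE_PORTS, TODAY_BYTES, TODAY_PORTS, k=k):
            print(f"  {a.host:10} {a.kind:9} {a.detail}")
```

Run stand-alone, the signature pass returns nothing, because the compromised printer's traffic carries no pattern anyone has written a signature for, while the baseline pass at k=3 raises exactly two alerts, both on 10.1.1.30. Dropping k to 1 adds volume alerts on the workstation and the build server, whose busy day is well within their historical variance: this is the false-positive load the article warns about, produced by nothing more than an overly tight threshold.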
The City University of New York, the largest urban university system in the United States, began using Mazu's Profiler NBA system in November. Each of the 20 college IT operating entities within the university has installed the Profiler together with one or more sensors; the sensors monitor network traffic and feed statistics to the Profiler appliance for aggregation and analysis.
The Profiler analyzes network traffic and behavior in real time, letting CUNY security managers see exactly what is happening on the university-wide network. "Because we operate in a somewhat open environment and with the requirement of academic freedom, we didn't have some of the usage controls that might be in place in the private sector," says Carl Cammarata, CUNY's chief information security officer. "We thought NBA could provide a level of control that would help us understand what is going on in the networks in each of the 20 entities, while not interfering with open research and academic freedom."
By learning more about network behavior, university managers are better able to understand what they must do to improve security at the individual colleges. "Once we learned more about the network, we could help the colleges diagnose and identify security incidents if and when they arose," Cammarata says.
CUNY's deployment of NBA, which took place over six months, was successful largely because Mazu proactively ensured that the university implemented the technology correctly. "It was truly a collaboration between Mazu, college CIOs and university administration," Cammarata says. "Mazu worked with us from an architecture and deployment perspective," including fine-tuning the NBA Profiler appliances to ensure that they collected the data the university needed and to avoid false positives.
The NBA technology has helped CUNY cut in half the time it takes to understand and respond to potential security situations, Cammarata says. Now the colleges have insight into normal and abnormal network activity--something they never had before--allowing them to anticipate problems faster than ever.
Although each separate entity at the university manages its own network data from the NBA systems, the technology has provided CUNY with some badly needed security cohesiveness, he says.
"NBA was as much about a technology solution to a problem as it was about standardizing on some type of security technology and increasing awareness of security concepts at the university," Cammarata says. "For years, most of the entities operated independently, and there was no formal security community, no cohesive security plan and very little standardization. NBA has helped us significantly in forming this security community."
Ask your CSO or CISO:
Will an NBA system work well with our existing firewalls and intrusion detection/prevention systems?
Ask your operations team:
How quickly can we set up training programs for users of NBA systems?