By Bob Violino  |  Posted 03-03-2008

Networking`s New Hall Monitor


Businesses have a lot riding on their networks. The data moving between devices and facilities is the lifeblood of an enterprise, and if that information is compromised, the results could be disastrous.

One of the keys to protecting networks and systems is to know exactly what type of activity is occurring on them. Network behavior analysis, or NBA, is designed to give organizations the level of visibility they need to help ensure that security threats are identified and remedied.

NBA products analyze network traffic via data gathered from network devices, such as IP traffic flow systems, or through packet analysis. Using a combination of signature and anomaly detection, they alert security and network managers to any suspicious activity, and provide a view of network activity so administrators can analyze and respond to the activity quickly, before there's extensive damage.

The market for NBA has attracted mainstream network and security equipment providers and smaller firms. Among the vendors in the market that focus on NBA are Arbor Networks, Lancope, Mazu Networks and Q1 Labs. Companies such as Cisco Systems, CounterStorm, Internet Security Systems and Sourcefire also offer some type of NBA functionality.

NBA detects behaviors that might be missed by policy-based and signature-based security technologies, such as intrusion detection and prevention systems, firewalls, and security information and event management systems, IT advisor Gartner says. Those technologies might not detect threats that they're not specifically configured to look for.

NBA products are decision-support systems that help a knowledgeable operator interpret and react to a variety of network activities that are deemed suspicious. An experienced administrator uses the technology to address threats such as worms, unauthorized protocols and suspicious connections. Given the ability of NBA to provide this added layer of defense, Gartner recommends that organizations deploy the technology as part of a comprehensive strategy to protect enterprise networks.

There's an obvious need for improved detection of network activity, as the cost of security breaches continues to rise. According to the 12th annual Computer Security Institute Computer Crime and Security Survey--which queried 494 U.S. computer security professionals--the average annual security-related loss increased from $168,000 the previous year to about $350,000 in 2007.

Nearly one-fifth of the survey respondents who suffered one or more security incidents said they had experienced a targeted attack, which is defined as a malware attack aimed specifically at an organization or organizations within a subset of the general population. Financial fraud was the source of the greatest financial losses; computer viruses--which had been the leading cause of loss for seven consecutive years--came in second. The most prevalent security problem was insider abuse of network access or e-mail, followed by virus incidents.

Network behavior analysis can help organizations spot these kinds of activities, and demand for this technology is on the rise after a slow start in 2001, according to a report released by Gartner in late 2006. The report said that early NBA technologies evolved from products such as distributed denial-of-service protection, and these technologies competed with signature-based products to address security vulnerabilities such as worms.

At that time, vendors had to compete with marketing messages that stressed accuracy, coverage and automated response, which missed the point and value of NBA technology--providing network visibility in a decision-support context--said the report. This led to market confusion about NBA, some of which persists today.

One area in which NBA had a clear advantage over signature-based products was in addressing "zero-day" vulnerabilities. The Gartner report says NBA systems can help organizations catch such infections early and thereby limit their impact.

Now that many organizations have deployed firewall, intrusion detection/prevention, and security information and event management systems, some are considering network behavior analysis technology. Gartner projected that the NBA market revenue increased 30 percent in 2007, thanks to the security functionality and operations visibility these products provide.

"The demand is growing for more visibility into network behavior to address security and operational requirements," says Paul Proctor, research vice president at Gartner, who authored the report. "This demand is driven by the recognition that you can't completely define every event you may want to know about and program a box to tell you when something happens. Organizations need to see what's going on in their networks so that they can make good decisions regarding their level of interest in different events."

Some behaviors are recognizable only to an expert with appropriate context and visibility into network traffic, according to Proctor. "For example," he says, "the spread of a worm through the enterprise is not easily detectable with traditional mechanisms."

Ask Your CSO or CISO:
Do current security technologies (firewalls, intrusion detection/prevention systems) provide enough visibility into network activity so the organization is able to track all security breaches?

Ask Your CFO:
Will the budget allow for NBA systems that improve visibility of network activities and enhance security? 



After organizations successfully deploy firewalls and intrusion detection/protection systems--with appropriate processes for tuning, analysis and remediation--they should consider using NBA to identify network events and behaviors that are not detectable via other techniques.

"Intrusion detection and prevention systems can only identify behaviors that can be explicitly defined by a set of known patterns signatures," Proctor says. In contrast, NBA "uses a combination of detection mechanisms, including deviations from observed behavior baselines, to detect interesting events that are not easily defined through signatures."

Intrusion detection/prevention systems must be tuned appropriately, "but they are treated by many organizations essentially as 'set it and forget it' mechanisms," Proctor says. "An NBA system must be configured and analyzed by an expert with appropriate context to understand and interpret the information.

"The major challenge is tuning them and establishing appropriate response workflow. The major benefit is getting information and visibility that you can't get through any other toolset."

Failure to fine-tune NBA devices adequately can result in a lot of false positive readings, which bogs down network and security managers as they look into alerts that pose no risks to the organization. However, when used properly, this technology has a huge impact on an enterprise's ability to see what's really going on with its networks. Organizations that have implemented NBA say they are gaining greater visibility into their networks.

The City University of New York, the largest urban university system in the United States, began using the Mazu Profiler NBA system from Mazu in November. Each of 20 college IT operating entities within the university has installed a combination of the Profiler and one or more sensors that monitor network traffic and provide statistics to the Profiler appliance for aggregation and analysis.

The Profiler NBA analyzes network traffic and behavior in real time, letting CUNY security managers know exactly what's happening on the university-wide network. "Because we operate on a somewhat open environment and with the requirement of academic freedom, we didn't have some of the usage controls that might be in place in the private sector," says Carl Cammarata, CUNY's chief information security officer. "We thought NBA could provide a level of control that would help us understand what is going on in the networks in each of the 20 entities, while not interfering with open research and academic freedom."

By learning more about network behavior, university managers are better able to understand what they must do to improve security at the individual colleges. "Once we learned more about the network, we could help the colleges diagnose and identify security incidents if and when they arose," Cammarata says.

CUNY's deployment of NBA, which took place over six months, was successful largely because Mazu proactively ensured that the university implemented the technology correctly. "It was truly a collaboration between Mazu, college CIOs and university administration," Cammarata says. "Mazu worked with us from an architecture and deployment perspective," including fine-tuning the NBA Profiler appliances to ensure that they collected the data the university needed and to avoid false positives.

The NBA technology has helped CUNY cut in half the time it takes to understand and respond to potential security situations, Cammarata says. Now the colleges have insight into normal and abnormal network activity--something they never had before--allowing them to anticipate problems faster than ever.

Although each separate entity at the university manages its own network data from the NBA systems, the technology has provided CUNY with some badly needed security cohesiveness, he says.

"NBA was as much about a technology solution to a problem as it was about standardizing on some type of security technology and increasing awareness of security concepts at the university," Cammarata says. "For years, most of the entities operated independently, and there was no formal security community, no cohesive security plan and very little standardization. NBA has helped us significantly in forming this security community."

Ask your CSO or CISO:
Will an NBA system work well with our existing firewalls and intrusion detection/prevention systems?

Ask your operations team:
How quickly can we set up training programs for users of NBA systems?




XanGo, a Lehi, Utah, maker of health beverage products, is another company that has boosted its network security with an NBA implementation. About 18 months ago, the privately owned company began using Sourcefire's 3D enterprise threat management suite. Components of the suite include intrusion prevention, vulnerability management, network access control and NBA.

Sourcefire's intrusion protection software provides vulnerability-based intrusion prevention built on Snort, a standard intrusion protection tool. It uses a rules-based language--a combination of signature, protocol and anomaly-based inspection methods--to examine packets for attacks such as worms, Trojans, port scans, buffer overflow attacks, spyware, denial-of-service attacks and zero-day attacks.

Another component, real network awareness, provides NBA, network access control and vulnerability assessment capabilities. Real network awareness delivers a continuous, real-time view of what's happening on a network and identifies potential vulnerabilities on network devices. It monitors communications behavior among endpoints on a network, baselining traffic, watching for deviances from typical traffic levels or connection patterns and alerting administrators to these changes, according to Sourcefire.

One of the primary drivers for adopting the security technologies was to meet the requirements of the Payment Card Industry Data Security Standard, or PCI DSS, because many XanGo customers purchase products over the Internet using credit cards. (PCI DSS is a set of standards created by the PCI Security Standards Council to provide guidelines that help companies prevent credit card fraud and identity theft.)

Aside from helping with standards compliance, managers at XanGo thought NBA could enhance overall security at the company. "We also wanted to adopt good business practices and do what we could to protect company information and the personal information of our consumers," says Brandon Greenwood, manager of network operations and security.

XanGo has deployed NBA sensors at its main office in Lehi and two remote offices, and it plans to install more sensors later this year. Greenwood says NBA gives the company more insight into network activity than it had before. "We have seen instances where a user might be infected with a botnet" that could trigger a denial-of-service attack, Greenwood says. "NBA will allow us to see certain activities that say there's obviously something going on with the network." As a result, XanGo has been able to prevent security breaches on its network.

Regulatory compliance and a desire to improve network security drove another organization, the Weill Cornell Medical College in New York, to adopt NBA technology. The center, which is a health-care and teaching facility, deployed an NBA system called Peakflow X from Arbor Networks in 2006.

Weill Cornell wanted to improve its network visibility, boost security and ensure compliance with regulations such as the Health Insurance Portability and Accountability Act. "NBA gives us a peek into the network that we never had before," says Benjamin Nathan, associate director of security and identity management.

The network is accessed by some 20,000 users, including medical students and health-care professionals. It provides access to the Internet, e-mail, voice over IP telephony, video and other applications.

Peakflow X leverages IP flow technology embedded in routers and switches to provide visibility into the network on a real-time, historical basis. Using IP flow data, the system conducts network analyses to determine normal behavior and automatically alerts managers to any abnormalities. The system provides a granular view into what hosts are doing on the network.

Prior to using NBA, Weill Cornell managers had extremely limited visibility into network activity and were reactive in dealing with network vulnerabilities. Weill Cornell used packet analyzers in multiple locations, but they didn't provide adequate views of network behavior. Not only was it difficult to provide robust security against the latest vulnerabilities, but there was no reliable way to perform historical analyses of network activity or plan network capacity.

With greater visibility into network behavior, Weill Cornell reduced network problem resolution times from days to minutes. The medical college also reduced bandwidth upgrade costs by eliminating noncritical traffic on wide area network circuits.

Using NBA let Weill Cornell detect three times the number of unauthorized network intrusions and attempted intrusions than it was able to detect prior to the implementation. Now, when Weill Cornell security managers detect suspicious network behavior, they can block it quickly. "We investigate everything that could potentially be malicious," Nathan says.

One big advantage of the NBA system is that it can be updated to track the latest security threats. Arbor Networks added a new packet inspection feature to Peakflow X after the initial implementation, which gave Weill Cornell the more granular view of network usage that it wanted.

The biggest challenge of using the NBA system was tweaking the rules to reduce the number of false positives. "That's a manual process and it's time-consuming," Nathan says. But the effort was worthwhile, as it resulted in essential security improvements.

Ask your IT director:
How many network users are there in all locations in the organization, including remote offices?

Ask your CSO:
Can we gather data to show the ROI of NBA systems

Implementation Tips

  • Before considering NBA, deploy firewalls and intrusion detection/prevention systems with appropriate processes for tuning, analysis and remediation.
  • Work closely with the NBA vendor and make sure that any technical network architecture issues are addressed up front.
  • Ensure that the people who will use the system and interpret the data are properly trained.
  • Take the time to adequately tune the systems to gather relevant network data and help cut down on false positives.