Network traffic analysis tools should include these 6 features

When it comes to threat detection and response, understanding network behavior is very important. According to ESG research, 87% of enterprises use network traffic analysis (NTA) tools for threat detection and response, and 43% say NTA is a “first line of defense” in detecting and responding to threats. (Note: I am an employee of ESG.)

As cybersecurity professionals often say, “the network doesn’t lie.” Since cyberattacks depend on network communications for malware distribution, command and control, and data exfiltration, trained professionals with the right tools, time, and oversight should be able to detect malicious activity there.

OK, so NTA is an essential tool for security analysis and operation. But what are the most important NTA capabilities for Security Operations Center (SOC) personnel? ESG asked 347 cybersecurity professionals this question, and here’s what they told us:

  • 44% said NTA tools should have built-in analytics to help analysts improve and accelerate threat detection. These analytics can be based on machine learning algorithms, heuristics, scripts, etc. The point here is that analysts want NTA tools to analyze the data and deliver high-fidelity alerts – not a cacophony of noise.
  • 44% said NTA tools should provide threat intelligence and/or integration to enable comparisons between suspicious/malicious network behavior and known threats “in the wild”. Threat intelligence synthesis has become essential for all security tools, exemplified by the growing interest in the MITRE ATT&CK framework. Thus, threat intelligence should be integrated into NTA tools from the start.
  • 38% said NTA tools must have the ability to monitor Internet of Things (IoT) traffic, protocols, devices, etc. This is a relatively new requirement, but I think IoT support will be required of all enterprise NTA tools within the next 12 to 18 months.
  • 37% said NTA tools should have the ability to monitor all connected network nodes and issue alerts when new network nodes are connected. In other words, security professionals want NTA tools to assume this traditional NAC capability and issue alerts when unauthorized devices connect.
  • 37% said NTA tools should have documented and tested integration with other types of security technologies. In my experience, NTA tools need to be tightly integrated with malware sandboxes, EDR, SIEM, and as mentioned earlier, accurate and timely threat intelligence.
  • 37% said NTA tools should provide the ability to monitor cloud traffic and report threats and anomalies. At AWS’s recent re:Inforce conference, Amazon announced VPC Traffic Mirroring, a feature that copies VPC network traffic to monitoring tools and provides visibility into cloud networking. This is exactly the kind of continuous cloud network monitoring that users are asking for. NTA tools must be able to leverage cloud network monitoring capabilities like this on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), etc. to provide end-to-end visibility into network security.
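To make three of the capabilities in the list above concrete (built-in analytics, threat-intelligence matching, and alerting on newly seen network nodes), here is an added, self-contained illustration written for this page; it is not code from the article, from ESG, or from any NTA vendor. It runs a minimal analysis pass over constructed flow records: the asset inventory, the indicator list, and the sample flows are all made up for the example, and the beaconing heuristic (flagging a source/destination/port tuple whose inter-flow timing is unusually regular) is one simple analytic of the kind the survey respondents are asking for, not a description of any product’s algorithm.

```python
"""Toy network-traffic-analysis pass over constructed flow records.

Added example for this page (not the article's or any vendor's code).
Demonstrates three NTA capabilities: new-node alerting, threat-intel
matching, and a heuristic beaconing analytic that yields a small number
of high-fidelity alerts rather than raw event noise.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float        # epoch seconds at flow start
    src: str         # source IP
    dst: str         # destination IP
    dport: int       # destination port
    bytes_out: int   # bytes sent from src to dst


# Constructed threat intelligence: indicators an NTA tool would ingest from a feed.
THREAT_INTEL = {"203.0.113.7"}

# Constructed asset inventory: the baseline of known internal nodes.
KNOWN_NODES = {"10.0.0.10", "10.0.0.11"}

# Constructed sample flows: one known host browsing normally, one known host
# beaconing every 60 s to an address that is NOT in the intel feed, and one
# unknown host that contacts an address that IS in the feed.
SAMPLE_FLOWS = [
    Flow(1000.0, "10.0.0.10", "198.51.100.20", 443, 5000),
    Flow(1037.0, "10.0.0.10", "198.51.100.20", 443, 7000),
    Flow(1250.0, "10.0.0.10", "198.51.100.21", 443, 3000),
    Flow(1100.0, "10.0.0.42", "203.0.113.7", 443, 900),
] + [Flow(1000.0 + 60 * i, "10.0.0.11", "192.0.2.50", 8443, 512) for i in range(8)]


def detect_new_nodes(flows, known):
    """Return internal (10.x) sources seen in flows that are not in the known inventory."""
    seen = {f.src for f in flows if f.src.startswith("10.")}
    return sorted(seen - known)


def match_threat_intel(flows, indicators):
    """Return (src, dst) pairs whose destination matches a threat-intel indicator."""
    return sorted({(f.src, f.dst) for f in flows if f.dst in indicators})


def detect_beaconing(flows, min_count=6, max_cv=0.1):
    """Flag (src, dst, dport) tuples whose inter-flow gaps are suspiciously regular.

    Heuristic: with at least min_count flows, a coefficient of variation
    (stdev / mean) of the gaps at or below max_cv is treated as beaconing.
    Returns [((src, dst, dport), mean_gap_seconds), ...].
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            hits.append((key, round(m, 1)))
    return sorted(hits)


def analyze(flows, known_nodes=KNOWN_NODES, indicators=THREAT_INTEL):
    """Run all three analytics and return a list of (severity, message) alerts."""
    alerts = []
    for node in detect_new_nodes(flows, known_nodes):
        alerts.append(("medium", f"new node {node} seen on network"))
    for src, dst in match_threat_intel(flows, indicators):
        alerts.append(("high", f"{src} contacted known-bad {dst}"))
    for (src, dst, dport), period in detect_beaconing(flows):
        alerts.append(("high", f"{src} beaconing to {dst}:{dport} every ~{period}s"))
    return alerts


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_FLOWS):
        print(f"[{severity}] {message}")
```

Two things the toy makes visible: the beaconing alert fires on a destination that no intel feed knows about, which is why respondents want analytics alongside threat intelligence rather than instead of it; and a real deployment must allowlist legitimate periodic traffic (NTP, monitoring heartbeats, update checks) and tune `min_count` and `max_cv` against its own baseline, or the “high-fidelity” alerts become the very noise the survey complains about.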

There are many quality NTA tools, so how do you choose the right one for your business requirements? My advice to CISOs is that they begin their RFI/RFP process by ensuring that NTA tools meet or exceed the six core capabilities outlined above.

Copyright © 2019 IDG Communications, Inc.

Charles J. Kaplan