Four ways network traffic analysis benefits security teams

The march towards digital transformation and the increasing volume of cyberattacks are finally driving IT security and network teams towards better collaboration. This idea isn’t new, but it’s finally being put into practice at many major enterprises.

Network traffic analysis and security

The reasons are fairly straightforward: all those new transformation initiatives – moving workloads to the cloud, pursuing virtualization or SD-WAN projects, etc. – create network traffic blind spots that can’t easily be monitored using the security tools and process designed for simpler, on-premise traditional architectures. This result is a series of data and system islands, tool sprawl and lack of correlation. Basically, there is lots of data, but little information. As the organization grows, the problems compound.

For a company hit with a cyber attack, the final cost can be astronomical as it includes investigation and mitigation costs, costs tied to legal exposure, insurance hikes, the acquisition of new tools, the implementation of new policies and procedures, and the hit to revenues and reputation.

Size doesn’t matter – all companies are vulnerable to an attack. To improve organizational security postures in this new hybrid network environment, Security Operations (SecOps) and Network Operations (NetOps) teams are becoming fast friends. In fact, Gartner has recently changed the name of one of their market segments from “Network Traffic Analysis” to “Network Detection and Response” to reflect the shift in demand for more security-focused network analysis solutions.

Here are four ways that network data in general and network traffic analysis in particular can benefit the SecOps team at the Security Operations Center (SOC) level:

1. Enabling behavioral-based threat detection

Signature-based threat detection, as found in most antivirus and firewall solutions, is reactive. Vendors create signatures for malware as they appear in the wild or license them from third-party sources like Google’s VirusTotal, and update their products to recognize and protect against the threats.

While this is a useful way to quickly screen out all known dangerous files from entering a network, the approach has limits. The most obvious is that signature-based detection can’t catch new threats for which no signature exists. But more importantly, a growing percentage of malware is obfuscated to avoid signature-based detection. Research by network security company WatchGuard Technologies found that a third of all malware in 2019 could evade signature-based antivirus, and that number spiked to two-thirds in Q4 2019. These threats require a different detection method.

Network traffic analysis (also known as network detection and response, or NDR) uses a combination of advanced analytics, machine learning (ML) and rule-based detection to identify suspicious activities throughout the network. NDR tools consume and analyze raw traffic, such as packet data, to build models that reflect normal network behavior, then raise alerts when they detect abnormal patterns.

Unlike signature-based solutions, which typically focus on keeping malware out of the network, most NDR solutions can go beyond north-south traffic to also monitor east-west traffic, as well as cloud-native traffic. These capabilities are becoming increasingly important as businesses go virtual and cloud-first. NDR solutions thus help SecOps detect and prevent attacks that can evade signature-based detection. To function, these NDR solutions require access to high-quality network data.

2. Providing data for security analytics, compliance and forensics

The SecOps team will often need the network data and behavior insights for security analytics or compliance audits. This will usually require network metadata and packet data from physical, virtual and cloud-native elements of the network deployed across the data center, branch offices and multi-cloud environments.

The easier it is to access, index and make sense out of this data (preferably in a “single pane of glass” solution), the more value it will provide. Obtaining this insight is entirely feasible but will require a mix of physical and virtual network probes and packet brokers to gather and consolidate data from the various corners of the network to process and deliver it to the security tool stack.

NDR solutions can also offer the SecOps team the ability to capture and retain network data associated with indicators of compromise (IOCs) for fast forensics search and analysis in case of an incident. This ability to capture, save, sort and correlate metadata and packets allows SecOps to investigate breaches and incidents after the fact and determine what went wrong, and how the attack can be better recognized and prevented in the future.

3. Delivering better network visibility for better security automation

Qualified security professionals are rare, and their time is extremely valuable. Automating security tasks can help businesses resolve incidents more quickly and free up time for the SecOps team to focus on more important tasks. Unfortunately, visibility and automation only work as well as the quality and granularity of the data – and both too little and too much can be a problem.

Too little data, and the automated solutions are just as blind as the SecOps team. Too much data, in the form of a threat detection system that throws out too many alerts, can result in a “boy who cries wolf” scenario with the automated responses shutting down accounts or workloads and doing more harm than good.

Missing data, too many alerts or inherent blind spots can mean that the machine learning and analytical models that NDR relies on will not work correctly, producing false positives while missing actual threats. In the long run, this means more work for the SOC team.

The key to successful automation is to have high-quality network data to enable accurate security alerts, so responses can be automated.

4. Decreasing malware dwell time

NDR solutions typically have little to no blocking ability because they are generally not deployed inline (although that choice is up to the IT teams). But even so, they are effective in shortening the incident response window and reducing the dwell time of malware by quickly identifying suspect behavior or traffic. Results from NDR tools can be fed into downstream security tools that can verify and remediate the threats.

Malware dwell time has been steadily decreasing across the industry; the 2019 Verizon Data Breach Investigation Report (DBIR) found that 56% of breaches took months or longer to detect, but the 2019 Verizon Data Breach Investigation Report2020 DBIR found that 81% of data breaches were contained in days or less. This is an encouraging statistic and hopefully SecOps teams will continue partnering with NetOps to reduce it even further.

The benefits of network detection and response or network traffic analysis go far beyond the traditional realm of NetOps. By cooperating, NetOps and SecOps teams can create a solid visibility architecture and practice that strengthens their security posture, leaving organizations well prepared if an attack takes place.

Full network visibility allows security teams to see all the relevant information through a security delivery layer, use behavioral-based or automated threat detection methods, and be able to capture and store relevant data for deep forensics to investigate and respond to any incident.