Here is a funny one: does pervasive traffic encryption KILL Network Traffic Analysis (NTA) dead?
Well, OK, not truly “kill it dead,” but push it back to 2002, when it was called “N-BAD” [“a coincidence? I think not”] and was solely Layer-3/flow/netflow-based. Back then, it was considered either a niche security technology or a luxury, with a market barely in the millions [this of course excludes non-security-focused traffic monitoring, which Gartner calls NPMD].
We’ve been asking different people this question in different forms, and we’ve heard very different things (all quotes below are made up; they are genericized versions of the things we’ve heard):
- “Yes, network encryption and especially TLS 1.3 will doom content inspection. Do not buy NTA, the boxes will be doorstops soon” [some say that TLS 1.3 only kills NFT and not NTA due to making stored data decryption dramatically harder if at all possible; cert pinning makes both hard, but you can work around it]
- “No… SSL/TLS is old hat, and much of our internal (east-west) traffic remains plaintext – so NTA will work here for many years” [a very past-looking view, but much of IT is in the past, so perhaps OK?]
- “Well, we only do flow-based ‘NTA’ anyway because of some privacy mumbo-jumbo, so encryption does not make it any worse.” [this is a fairly sane view, but this is akin to saying “return to 2002 won’t harm us since we in fact live in 2002”]
- “In fact, we can analyze encrypted traffic data by using a tamed but proprietary vendor magic unicorn or open-source tooling (JA3)” [TRUE] and “It works as well as plaintext analysis” [100% FALSE!]
From the list above, path #4 is the most exciting to watch, of course. I am really curious how far we can go with analytics, data science and machine learning to try to glean security-relevant insight from encrypted and shallow data.
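To make path #4 concrete, here is an added example (not code from this post or from the JA3 project) showing what “analyzing encrypted traffic” actually has to work with: a JA3 client fingerprint is derived only from the plaintext handshake metadata of a ClientHello, never from the encrypted content. The ClientHello it parses is constructed inline for the demo.

```python
# Added example (not from the original post): JA3 client fingerprint from a raw ClientHello.
# JA3 = MD5 of "Version,Ciphers,Extensions,SupportedGroups,ECPointFormats" (decimal, GREASE dropped).
import hashlib
import struct

u16 = lambda b, i: struct.unpack("!H", b[i:i + 2])[0]          # big-endian u16 at offset i
u16s = lambda b: [v for (v,) in struct.iter_unpack("!H", b)]  # whole buffer as a u16 list


def is_grease(v: int) -> bool:
    # GREASE values (RFC 8701) look like 0x0a0a, 0x1a1a, ..., 0xfafa and are not fingerprinted.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_string(record: bytes) -> str:
    p = 9                                    # skip TLS record (5) + handshake (4) headers
    version, p = u16(record, p), p + 2 + 32  # client_version, then the 32-byte random
    p += 1 + record[p]                       # session id (u8 length prefix)
    n, p = u16(record, p), p + 2             # cipher suite list length
    ciphers, p = [c for c in u16s(record[p:p + n]) if not is_grease(c)], p + n
    p += 1 + record[p]                       # compression methods (u8 length prefix)
    end, p = p + 2 + u16(record, p), p + 2   # extensions block
    ext_types, groups, formats = [], [], []
    while p < end:
        etype, elen = u16(record, p), u16(record, p + 2)
        body, p = record[p + 4:p + 4 + elen], p + 4 + elen
        if is_grease(etype):
            continue
        ext_types.append(etype)
        if etype == 10:    # supported_groups: u16 list length, then u16 group ids
            groups = [g for g in u16s(body[2:]) if not is_grease(g)]
        elif etype == 11:  # ec_point_formats: u8 list length, then u8 format ids
            formats = list(body[1:])
    fields = [ciphers, ext_types, groups, formats]
    return ",".join([str(version)] + ["-".join(map(str, f)) for f in fields])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def build_client_hello() -> bytes:
    """Constructed sample: TLS 1.2 framing, TLS 1.3 suites, GREASE sprinkled in."""
    ext = lambda t, body: struct.pack("!HH", t, len(body)) + body
    ciphers = struct.pack("!5H", 0x0A0A, 0x1301, 0x1302, 0xC02B, 0x002F)
    groups = struct.pack("!3H", 0x0A0A, 0x001D, 0x0017)
    exts = (ext(0x0A0A, b"") + ext(0, b"\x00\x0e\x00\x00\x0bexample.com")
            + ext(10, struct.pack("!H", len(groups)) + groups) + ext(11, b"\x01\x00")
            + ext(13, b"\x00\x04\x04\x03\x08\x04") + ext(43, b"\x02\x03\x04"))
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", len(ciphers))
            + ciphers + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake header + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # TLS record header
```

Everything the fingerprint sees is in the clear in TLS 1.2 and TLS 1.3 alike; what it cannot see is which of many clients sharing a TLS stack (and hence a JA3 value) is talking, which is the hard limit the “100% FALSE” remark points at.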
So, what can we conclude? You can:
- Keep fighting the MitM / decryption battles and you will win some and lose some, but will eventually lose the war. Will it be in 2021 or 2030? No idea when, but it will happen.
- Push hard for your vendor to improve encrypted data analytics and the level of insight derived from flow-/header-level traffic data – but be aware of the hard limits of this path.
- Accept that NTA will deliver less in the future due to the disappearance of most (but not all) layer-7/content visibility.
- Stick to the endpoint and toss your NTA out of the window (example).
Blog posts related to NTA, NDR and this research:
- NTA: The Big Step Theory
- Network Anomaly Detection Track Record in Real Life?
- Endpoint Has Won, Why Bother With NTA? (by Augusto)
- Can We Have NDR, Please?
- NTA: The Other IDS?
- Next Research: Deception and Network Traffic Analysis
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.