After many discussions and a bit of a re-write, our new paper “Applying Network-Centric Approaches for Threat Detection and Response” is finally ready (Gartner GTP access required).
The abstract states “The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.”
Some of my favorite quotes are below:
- “High-maturity clients use network traffic analysis (NTA) and other network-based technologies as one of the layers in their security operations centers (SOCs), alongside endpoint-, log- and cloud-based technologies for threat visibility. Some clients use network-based technologies as their sole threat detection tool.” [A.C. – this is not so much an OMG insight, but a neat summary]
- “Deploy network-centric tools based on the use cases, focusing on detection of exfiltration, malicious command and control, and attacker lateral movement. Most organizations deploy tools on outbound (“north-south”) traffic first, and then deploy them on internal (“east-west”) traffic, next to critical assets or at key network junctions.” [A.C. – and, in a lot of ways, it depends on the vendor match to use cases, some reported “inside first” to be popular while others barely support internal sensors and focus mostly on the outbound]
- “Tune the NTA detection content as part of the deployment, and prepare to keep tuning it as part of normal operations. Despite vendor claims, NTA does require tuning. Tuning can span from grouping assets and whitelisting IPs to writing rules, adding thresholds, and tweaking statistical and machine learning models.” [A.C. – that one vendor that says ‘no tuning required, ever’ is lying …]
- “Gartner clients report using NTA for successful detection of compromised IT (and Internet of Things [IoT]) resources, data theft and, sometimes, lateral movement of an attacker inside their environments. Several clients reported high false-positive rates for many detection types utilized by NTA technologies.”
- “Years ago, network forensic tools (NFTs) sought to collect raw packets at large scale, but today’s fast networks made this approach impractical for nearly all organizations. Hence, rich metadata and file capture deliver much better investigative value — it is easier and faster to find things — at a much lower computational and storage cost.”
- “Some people associate NTA tools with ML and other novel analysis methods. For sure, nearly all NTA vendors utilize these methods today. However, the art and science of analyzing traffic for threats and anomalies goes back to 1987, when the first network anomaly detection paper was published. Modern data science and cloud computing enabled new analysis.”
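To make the use-case and tuning points in the quotes above concrete, here is a toy NTA-style detector that I am adding as an illustration; it is not code from the paper or from any NTA vendor. It runs over constructed flow metadata (the kind of record an NTA sensor keeps instead of raw packets), separates north-south from east-west traffic by a constructed internal prefix, and implements three of the use cases named in the paper: bulk exfiltration, regular beaconing to an external host (a command-and-control signal), and one internal host touching admin ports on many internal peers (lateral movement). The tuning knobs are the ones the quote lists: asset grouping with a per-group threshold, an IP whitelist, and numeric thresholds. All hosts, addresses, timestamps and thresholds are made up.

```python
"""Toy NTA-style detection over constructed flow metadata (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev

INTERNAL_PREFIX = "10."            # constructed: 10.x.x.x is "inside"
ADMIN_PORTS = {22, 445, 3389, 5985}  # SSH, SMB, RDP, WinRM


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds (constructed clock)
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst


@dataclass
class Tuning:
    """Knobs a SOC adjusts at deployment and keeps adjusting in operations."""
    exfil_bytes: int = 50_000_000          # outbound bytes per internal host
    beacon_min_conns: int = 6              # connections before beaconing is judged
    beacon_max_jitter: float = 0.1         # stdev/mean of inter-connection gaps
    lateral_min_peers: int = 5             # distinct internal peers on admin ports
    asset_groups: dict = field(default_factory=dict)       # host -> group
    group_exfil_bytes: dict = field(default_factory=dict)  # group -> threshold
    whitelist: set = field(default_factory=set)            # source IPs never alerted


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def detect(flows, tuning):
    """Return (detection_type, subject) tuples for the given flows."""
    out_bytes = defaultdict(int)       # north-south volume per internal host
    conn_times = defaultdict(list)     # (src, dst) -> connection timestamps
    admin_peers = defaultdict(set)     # east-west admin-port peers per host
    for f in sorted(flows, key=lambda x: x.ts):
        if f.src in tuning.whitelist or not is_internal(f.src):
            continue
        if not is_internal(f.dst):                      # north-south
            out_bytes[f.src] += f.bytes_out
            conn_times[(f.src, f.dst)].append(f.ts)
        elif f.dport in ADMIN_PORTS:                    # east-west, admin port
            admin_peers[f.src].add(f.dst)

    alerts = []
    for host, total in out_bytes.items():
        group = tuning.asset_groups.get(host)
        threshold = tuning.group_exfil_bytes.get(group, tuning.exfil_bytes)
        if total > threshold:
            alerts.append(("exfiltration", host))
    for (src, dst), times in conn_times.items():
        if len(times) >= tuning.beacon_min_conns:
            gaps = [b - a for a, b in zip(times, times[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= tuning.beacon_max_jitter:
                alerts.append(("beaconing_c2", f"{src}->{dst}"))
    for host, peers in admin_peers.items():
        if len(peers) >= tuning.lateral_min_peers:
            alerts.append(("lateral_movement", host))
    return alerts


def sample_flows():
    """Constructed flow records covering a few minutes of traffic."""
    flows = [Flow(0, "10.0.0.5", "203.0.113.10", 443, 80_000_000)]  # backup server push
    flows += [Flow(60 * i, "10.0.1.20", "198.51.100.7", 443, 512) for i in range(8)]  # beacon
    flows += [Flow(500 + i, "10.0.1.20", f"10.0.2.{i}", 445, 2_000) for i in range(1, 7)]  # SMB sweep
    flows += [Flow(700 + i, "10.0.0.9", f"10.0.2.{i}", 22, 900) for i in range(1, 7)]  # vuln scanner
    flows += [Flow(ts, "10.0.1.30", "192.0.2.80", 443, 30_000) for ts in (3, 95, 110, 400)]  # browsing
    return flows


def run_untuned():
    """Defaults only: the backup server and the scanner both look malicious."""
    return sorted(detect(sample_flows(), Tuning()))


def run_tuned():
    """Group the backup server, raise its threshold, whitelist the scanner."""
    tuning = Tuning(asset_groups={"10.0.0.5": "backup_servers"},
                    group_exfil_bytes={"backup_servers": 500_000_000},
                    whitelist={"10.0.0.9"})
    return sorted(detect(sample_flows(), tuning))


if __name__ == "__main__":
    print("untuned:", run_untuned())
    print("tuned:  ", run_tuned())
```

With default thresholds the backup server's nightly push and the vulnerability scanner's SSH sweep both fire, which is the false-positive pattern clients report; after the two tuning changes only the beaconing workstation and its SMB sweep remain. The statistical beaconing check (coefficient of variation of inter-connection gaps) is the simplest stand-in for the "statistical and machine learning models" the paper mentions, and it is exactly the kind of knob that needs re-tuning as the environment changes.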
Hopefully Augusto will reveal more … but not much more 🙂
Blog posts related to NTA and NDR research:
- Tricky: Will UEBA and NTA Ever Merge?
- Webinar Q&A from Modern Network Threat Detection and Response
- Is Encryption an NTA / NIDS / NFT Apocalypse?
- NTA: The Big Step Theory
- Network Anomaly Detection Track Record in Real Life?
- Endpoint Has Won, Why Bother With NTA? (by Augusto)
- Can We Have NDR, Please?
- NTA: The Other IDS?
- Next Research: Deception and Network Traffic Analysis
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.