Blog post

Our “Applying Network-Centric Approaches for Threat Detection and Response” Paper Publishes

By Anton Chuvakin | March 19, 2019 | 2 Comments

network forensicsnetworkdetectionNTA

After many discussions and a bit of a re-write, our new paper “Applying Network-Centric Approaches for Threat Detection and Response” is finally ready (Gartner GTP access required).

The abstract states “The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.”

Some of my favorite quotes are below:

  • “High-maturity clients use network traffic analysis (NTA) and other network-based technologies as one of the layers in their security operations centers (SOCs), alongside endpoint-, log- and cloud-based technologies for threat visibility. Some clients use network-based technologies as their sole threat detection tool.” [A.C. – this is not so much an OMG insight, but a neat summary]
  • “Deploy network-centric tools based on the use cases, focusing on detection of exfiltration, malicious command and control, and attacker lateral movement. Most organizations deploy tools on outbound (“north-south”) traffic first, and then deploy them on internal (“east-west”) traffic, next to critical assets or at key network junctions.” [A.C. – and, in a lot of ways, it depends on the vendor match to use cases, some reported “inside first” to be popular while others barely support internal sensors and focus mostly on the outbound]
  • “Tune the NTA detection content as part of the deployment, and prepare to keep tuning it as part of normal operations. Despite vendor claims, NTA does require tuning. Tuning can span from grouping assets and whitelisting IPs to writing rules, adding thresholds, and tweaking statistical and machine learning models.” [A.C. – that one vendor that says ‘no tuning required, ever’ is lying …]
  • “Gartner clients report using NTA for successful detection of compromised IT (and Internet of Things [IoT]) resources, data theft and, sometimes, lateral movement of an attacker inside their environments. Several clients reported high false-positive rates for many detection types utilized by NTA technologies.”
  • “Years ago, network forensic tools (NFTs) sought to collect raw packets at large scale, but today’s fast networks made this approach impractical for nearly all organizations. Hence, rich metadata and file capture deliver much better investigative value — it is easier and faster to find things — at a much lower computational and storage cost.”
  • “Some people associate NTA tools with ML and other novel analysis methods. For sure, nearly all NTA vendors utilize these methods today. However, the art and science of analyzing traffic for threats and anomalies goes back to 1987, when the first network anomaly detection paper was published. Modern data science and cloud computing enabled new analysis.”

Hopefully Augusto will reveal more … but not much more 🙂

As always, PLEASE PROVIDE YOUR FEEDBACK to the paper via

Blog posts related to NTA and NDR research:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed


  • Ron says:

    I wonder if there are also insights in this paper about the negative impact on NTA caused by commercial cloud useages and the increase in encrypted traffic?