After many discussions and a bit of a re-write, our new paper “Applying Network-Centric Approaches for Threat Detection and Response” is finally ready (Gartner GTP access required).
The abstract states “The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.”
Some of my favorite quotes are below:
- “High-maturity clients use network traffic analysis (NTA) and other network-based technologies as one of the layers in their security operations centers (SOCs), alongside endpoint-, log- and cloud-based technologies for threat visibility. Some clients use network-based technologies as their sole threat detection tool.” [A.C. – this is not so much an OMG insight, but a neat summary]
- “Deploy network-centric tools based on the use cases, focusing on detection of exfiltration, malicious command and control, and attacker lateral movement. Most organizations deploy tools on outbound (“north-south”) traffic first, and then deploy them on internal (“east-west”) traffic, next to critical assets or at key network junctions.” [A.C. – and, in a lot of ways, it depends on the vendor match to use cases, some reported “inside first” to be popular while others barely support internal sensors and focus mostly on the outbound]
- “Tune the NTA detection content as part of the deployment, and prepare to keep tuning it as part of normal operations. Despite vendor claims, NTA does require tuning. Tuning can span from grouping assets and whitelisting IPs to writing rules, adding thresholds, and tweaking statistical and machine learning models.” [A.C. – that one vendor that says ‘no tuning required, ever’ is lying …]
- “Gartner clients report using NTA for successful detection of compromised IT (and Internet of Things [IoT]) resources, data theft and, sometimes, lateral movement of an attacker inside their environments. Several clients reported high false-positive rates for many detection types utilized by NTA technologies.”
- “Years ago, network forensic tools (NFTs) sought to collect raw packets at large scale, but today’s fast networks made this approach impractical for nearly all organizations. Hence, rich metadata and file capture deliver much better investigative value — it is easier and faster to find things — at a much lower computational and storage cost.”
- “Some people associate NTA tools with ML and other novel analysis methods. For sure, nearly all NTA vendors utilize these methods today. However, the art and science of analyzing traffic for threats and anomalies goes back to 1987, when the first network anomaly detection paper was published. Modern data science and cloud computing enabled new analysis.”
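The tuning the paper describes (grouping assets, allowlisting destinations, setting thresholds) is easiest to see on flow metadata rather than raw packets. The script below is an added illustration, not code from the paper, from Gartner or from any NTA vendor: it runs a simple outbound-volume exfiltration rule over a handful of constructed NetFlow/Zeek-style records (all addresses are documentation ranges, all byte counts invented) first with no tuning and then with asset groups, a destination allowlist and per-group thresholds, so the false positives the quoted clients complain about show up next to the one alert worth investigating. The asset-group names, CIDRs and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow-metadata records: (src_ip, dst_ip, dst_port, bytes_out).
# Addresses are RFC 1918 / RFC 5737 documentation ranges; volumes are invented.
FLOWS = [
    ("10.0.1.15", "203.0.113.10", 443, 52_000_000),   # backup server -> sanctioned backup provider
    ("10.0.1.20", "192.0.2.9", 443, 100_000_000),     # backup server -> unlisted host (large but normal for its group)
    ("10.0.2.77", "198.51.100.23", 443, 30_000_000),  # workstation -> unknown host, first session
    ("10.0.2.77", "198.51.100.23", 443, 18_000_000),  # same pair, second session (aggregated below)
    ("10.0.2.78", "203.0.113.50", 443, 1_200_000),    # workstation -> sanctioned SaaS, small
    ("10.0.2.80", "198.51.100.23", 443, 3_000_000),   # workstation -> unknown host, small
    ("10.0.3.5", "10.0.3.9", 445, 900_000_000),       # east-west traffic; outside this north-south rule
]

# Tuning knobs (assumed values for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
ASSET_GROUPS = {"backup_servers": [ip_network("10.0.1.0/24")]}   # asset grouping
ALLOWLIST_DST = [ip_network("203.0.113.0/24")]                   # sanctioned external destinations
THRESHOLD_BYTES = {"default": 20_000_000, "backup_servers": 500_000_000}  # per-group thresholds


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def asset_group(ip):
    """Return the asset group an internal address belongs to, or None."""
    for name, nets in ASSET_GROUPS.items():
        if any(ip in net for net in nets):
            return name
    return None


def detect_exfil(flows, tuned=True):
    """Alert on (src, dst) pairs whose aggregate outbound bytes exceed a threshold.

    tuned=False applies only the flat default threshold to every outbound pair,
    which is roughly what an untuned deployment does. tuned=True adds the
    destination allowlist and per-asset-group thresholds.
    Returns a sorted list of (src, dst, total_bytes).
    """
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        if not is_internal(s) or is_internal(d):
            continue  # north-south only: internal source, external destination
        totals[(src, dst)] += nbytes

    alerts = []
    for (src, dst), total in totals.items():
        if tuned and any(ip_address(dst) in net for net in ALLOWLIST_DST):
            continue  # sanctioned destination, suppressed by tuning
        group = asset_group(ip_address(src)) if tuned else None
        threshold = THRESHOLD_BYTES.get(group, THRESHOLD_BYTES["default"])
        if total > threshold:
            alerts.append((src, dst, total))
    return sorted(alerts)


if __name__ == "__main__":
    for label, tuned in (("untuned", False), ("tuned", True)):
        alerts = detect_exfil(FLOWS, tuned=tuned)
        print(f"{label}: {len(alerts)} alert(s)")
        for src, dst, total in alerts:
            print(f"  {src} -> {dst}: {total:,} bytes")
```

Untuned, the rule fires three times: both backup servers trip the flat threshold alongside the workstation. With the allowlist and the larger backup-server threshold in place, only the workstation that pushed 48 MB to an unlisted host remains, which is the kind of reduction the paper has in mind when it says tuning is part of normal operations rather than a one-time task.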
Hopefully Augusto will reveal more … but not much more 🙂
Blog posts related to NTA and NDR research:
- Tricky: Will UEBA and NTA Ever Merge?
- Webinar Q&A from Modern Network Threat Detection and Response
- Is Encryption an NTA / NIDS / NFT Apocalypse?
- NTA: The Big Step Theory
- Network Anomaly Detection Track Record in Real Life?
- Endpoint Has Won, Why Bother With NTA? (by Augusto)
- Can We Have NDR, Please?
- NTA: The Other IDS?
- Next Research: Deception and Network Traffic Analysis