Gartner Blog Network


Our “Applying Network-Centric Approaches for Threat Detection and Response” Paper Publishes

by Anton Chuvakin  |  March 19, 2019  |  2 Comments

After many discussions and a bit of a re-write, our new paper “Applying Network-Centric Approaches for Threat Detection and Response” is finally ready (Gartner GTP access required).

The abstract states “The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.”

Some of my favorite quotes are below:

  • “High-maturity clients use network traffic analysis (NTA) and other network-based technologies as one of the layers in their security operations centers (SOCs), alongside endpoint-, log- and cloud-based technologies for threat visibility. Some clients use network-based technologies as their sole threat detection tool.” [A.C. – this is not so much an OMG insight, but a neat summary]
  • “Deploy network-centric tools based on the use cases, focusing on detection of exfiltration, malicious command and control, and attacker lateral movement. Most organizations deploy tools on outbound (“north-south”) traffic first, and then deploy them on internal (“east-west”) traffic, next to critical assets or at key network junctions.” [A.C. – and, in a lot of ways, it depends on how well the vendor matches the use cases: some vendors report that “inside first” is popular, while others barely support internal sensors and focus mostly on outbound traffic]
  • “Tune the NTA detection content as part of the deployment, and prepare to keep tuning it as part of normal operations. Despite vendor claims, NTA does require tuning. Tuning can span from grouping assets and whitelisting IPs to writing rules, adding thresholds, and tweaking statistical and machine learning models.” [A.C. – that one vendor that says ‘no tuning required, ever’ is lying …]
  • “Gartner clients report using NTA for successful detection of compromised IT (and Internet of Things [IoT]) resources, data theft and, sometimes, lateral movement of an attacker inside their environments. Several clients reported high false-positive rates for many detection types utilized by NTA technologies.”
  • “Years ago, network forensic tools (NFTs) sought to collect raw packets at large scale, but today’s fast networks made this approach impractical for nearly all organizations. Hence, rich metadata and file capture deliver much better investigative value — it is easier and faster to find things — at a much lower computational and storage cost.”
  • “Some people associate NTA tools with ML and other novel analysis methods. For sure, nearly all NTA vendors utilize these methods today. However, the art and science of analyzing traffic for threats and anomalies goes back to 1987, when the first network anomaly detection paper was published. Modern data science and cloud computing enabled new analysis.”
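To make the tuning point in the quotes above concrete, here is a small worked example written for this post; it is not code from the Gartner paper or from any NTA product. It runs a simple outbound-volume (“north-south” exfiltration) rule over constructed flow-metadata records twice: once untuned, with a single global threshold, and once after the three cheapest tuning steps the paper lists, namely allowlisting a known destination, grouping assets and setting a per-group threshold. All addresses, hosts and byte counts are invented.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow metadata (invented addresses and volumes, not real traffic).
# Each record is the kind of summary an NTA sensor keeps instead of raw packets.
FLOWS = [
    {"src": "10.0.1.20", "dst": "203.0.113.10", "dport": 443, "bytes_out": 900_000_000},   # backup server -> backup provider
    {"src": "10.0.1.20", "dst": "203.0.113.10", "dport": 443, "bytes_out": 700_000_000},
    {"src": "10.0.5.44", "dst": "198.51.100.7", "dport": 443, "bytes_out": 350_000_000},   # workstation -> unknown external host
    {"src": "10.0.5.44", "dst": "198.51.100.7", "dport": 443, "bytes_out": 300_000_000},
    {"src": "10.0.5.45", "dst": "192.0.2.30",   "dport": 443, "bytes_out": 20_000_000},    # ordinary browsing volume
    {"src": "10.0.5.46", "dst": "10.0.1.5",     "dport": 445, "bytes_out": 2_000_000_000}, # east-west, out of scope for this rule
]

INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Untuned detection content: one global threshold, no asset knowledge, no allowlist.
UNTUNED = {"groups": {}, "allowlist": set(), "thresholds": {"default": 500_000_000}}

# Tuned detection content: the server subnet is grouped as "servers" with a
# higher threshold, and the known backup provider is allowlisted.
TUNED = {
    "groups": {ip_network("10.0.1.0/24"): "servers"},
    "allowlist": {ip_address("203.0.113.10")},
    "thresholds": {"default": 500_000_000, "servers": 5_000_000_000},
}


def is_internal(addr):
    """True if addr falls inside one of the monitored internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def asset_group(addr, groups):
    """Return the asset group name for addr, or 'default' if it is ungrouped."""
    for net, name in groups.items():
        if addr in net:
            return name
    return "default"


def detect_exfiltration(flows, config):
    """Flag internal hosts whose total outbound bytes to a single external
    destination exceed the threshold for their asset group.

    Returns a sorted list of (src, dst, total_bytes) alerts.
    """
    totals = defaultdict(int)
    for f in flows:
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if not is_internal(src) or is_internal(dst):
            continue  # north-south only: internal source, external destination
        if dst in config["allowlist"]:
            continue  # tuning step 1: known-good destination is suppressed
        totals[(src, dst)] += f["bytes_out"]

    alerts = []
    for (src, dst), total in totals.items():
        group = asset_group(src, config["groups"])                                  # tuning step 2: asset grouping
        limit = config["thresholds"].get(group, config["thresholds"]["default"])  # tuning step 3: per-group threshold
        if total > limit:
            alerts.append((str(src), str(dst), total))
    return sorted(alerts)


if __name__ == "__main__":
    print("untuned:", detect_exfiltration(FLOWS, UNTUNED))
    print("tuned:  ", detect_exfiltration(FLOWS, TUNED))
```

The untuned run flags both the backup server and the workstation, and the backup server is exactly the kind of false positive the paper’s clients complain about. The tuned run keeps the workstation alert (650 MB to an unknown host) and drops the backup traffic, without touching any statistical or ML model, which the paper lists as the next, more expensive tuning layer.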

Hopefully Augusto will reveal more … but not much more 🙂

As always, PLEASE PROVIDE YOUR FEEDBACK to the paper via http://surveys.gartner.com/s/gtppaperfeedback


Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist…


Thoughts on Our “Applying Network-Centric Approaches for Threat Detection and Response” Paper Publishes


  1. Ron says:

    I wonder if there are also insights in this paper about the negative impact on NTA caused by commercial cloud usage and the increase in encrypted traffic?


