Thwarting the Insider Threat with Network Traffic Analysis

This post was authored by Matt Alderman, CEO of Security Weekly.

For decades, anyone analyzing network traffic concentrated on external network traffic, known as north-south traffic, as it crossed the perimeter through firewalls. Although firewalls evolved to better analyze this traffic, two primary trends emerged: 1) cloud adoption was causing the perimeter to become more porous, even to the point of extinction, and 2) as attackers gained sophistication, threats inside the network were becoming increasingly difficult to detect. North-south traffic analysis was no longer enough to protect an organization’s network.

What first emerged to analyze internal network traffic, known as east-west traffic, were deep packet inspection solutions originally built for ingress/egress traffic analysis. The challenge with these inline solutions is that they were very expensive to deploy and scale, leading organizations to make strategic bets on which east-west traffic to monitor and which traffic to leave unmonitored.

Also during this time, user and entity behavior analysis emerged as a possible solution to insider threats. These solutions relied primarily on logs to analyze user behavior on hosts, but did not provide deep analysis of east-west network traffic. To gain the full value from these solutions, they typically needed to be integrated with security information and event management (SIEM) platforms, which still had limitations when it came to detecting unknown attack behaviors.

Recognizing the limitation of existing solutions in the market, Gartner identified a new security market known as Network Traffic Analysis (NTA). The capabilities defined in their Market Guide include:

  • Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real time or near real time
  • Have the ability to monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network)
  • Be able to model normal network traffic and highlight anomalous traffic
  • Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics, that detect network anomalies
  • Be able to emphasize the threat detection phase, rather than the forensics — for example, packet capture (PCAP) analysis — phase of an attack

Of the dozen-plus vendors identified in this new market, the pure-play NTA vendors have the best capabilities. Specifically, ExtraHop Reveal(x) delivers complete visibility and real-time detection of rogues, insiders, and low-and-slow attacks, with guided investigation for immediate, confident response. Key differentiators include:

  • Out-of-band, passive processing of network traffic at scale (up to 100Gbps). Many vendors top out at 40Gbps or fewer per appliance, which is not enough for today’s enterprises.
  • Instant access to application transaction contents at Layer 7 (application details), enabling rapid detection and investigation of suspected threats.
  • Real-time detection of threats based on machine-learning driven behavioral analysis to catch unknown unknowns in ways that rules-based detection can’t.
  • Decryption capabilities, including for Perfect Forward Secrecy (PFS), providing access to concrete evidence of TTPs in use that would otherwise escape detection by concealing themselves in genuine, legitimate traffic.

In an emerging market, category leaders need to do it better and/or differently. In ExtraHop’s case, they do both. To learn more, visit securityweekly.com/extrahop.

Source: https://securityweekly.com/2019/05/23/thwarting-the-insider-threat-with-network-traffic-analysis/?utm_source=rss&utm_medium=rss&utm_campaign=thwarting-the-insider-threat-with-network-traffic-analysis
