The network is the heart and soul of your IT infrastructure, and its performance defines the user experience. Key to ensuring this performance is spotting security issues that disrupt its workings. This blog discusses two interrelated approaches: network behavior analysis (NBA) and anomaly detection. In fact, NBA is encompassed within a good anomaly detection system (ADS).
“Network behavior analysis (NBA) is a network monitoring program that ensures the security of a proprietary network. NBA helps in enhancing network safety by watching traffic and observing unusual activity and departures of a network operation,” explained Techopedia. “Network behavior analysis monitors the inside happenings of an active network by collecting data from many data points and devices to give a detailed offline analysis. It is constantly watching the network, marking known and unknown activities, new and unusual patterns and indicating potential threats by flagging. The program also checks and accounts for change in bandwidth and protocol being used during communication. This is particularly applicable in finding a potentially dangerous data source or website. The duty of a network behavior analysis program is to reduce the labor and time expended by network administrators in detecting and resolving network issues. It is thus an enhancement to protect the network along with firewalls, antivirus software and spyware detection tools.”
NBA is critical to network root cause analysis – which is essential to quickly restoring network performance. “Network behavior analysis (NBA) helps you detect root cause of security problems and issues or potentially unsafe activities that are happening inside your own network. One of the ways how NBA helps is by reducing your mean time to respond to detected anomalies and potential security incidents. By reducing your time to respond (or troubleshoot root cause) you make sure that the impact of the event is minimized, the chances of responding in appropriate (regulatory defined) way are increased and the amount of resources you need to allocate (or spend) for mitigation is minimal,” explained the Flowmon Business Benefits of Network Behavior Analysis blog. “In the end, without some form of automated and proactive 24/7 analysis and alerting system it simply becomes impossible to maintain and ensure ‘minimal business operational requirements’ for your organization. You have to ask yourself, how can you really ensure availability and efficiency of your critical business systems if you don’t know what is happening inside your network in the first place? If you don’t have eyes inside your network, it is impossible.”
IT understands that network defense involves a rich tapestry of tools, beginning with a firewall and other forms of perimeter security such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). These perimeter solutions, experts believe, account for some 90% of the IT security budget. Hackers know that perimeters these days tend to be tight, so they have found other routes. Today three quarters of attacks are not against the perimeter but increasingly go after remote endpoints that attach to the core network to access data and applications. This makes network protection and attack detection a far more complex endeavor.
Network security is all about defense in depth. We just talked about the importance of firewalls, but there is another network security fundamental – antivirus/anti-malware. Your endpoints and network are not safe if you don't have both of these protections in place. In the case of antivirus, the protections are based upon signatures that define known attacks and identify and block them. The problem is that zero-day attacks are so new that there is no signature and these can skate right past your AV protections. Another issue is that antivirus protects endpoints but it's not in and of itself network security.
Gartner believes an NBA is the clear next security step. "After you have successfully deployed firewalls and intrusion prevention systems with appropriate processes for tuning, analysis and remediation, you should consider NBA to identify network events and behavior that are undetectable using other techniques,” said Paul Proctor, VP at Gartner.
The folks behind the Flowmon ADS agree. “The answer to this challenge recommended by respected authorities such as Gartner is a proactive detection and mitigation of network anomalies and undesirable behavior provided by Network Behavior Anomaly Detection. NBAD solutions permanently observe network traffic, analysing communication to seek anomalies and reveal suspicious behavior. This enables a response to yet unknown security threats undetectable by other technologies,” argued our Network Behavior Analysis and Anomaly Detection page.
As Gartner indicates, Network Behavior Analysis (NBA) is an essential part of your defense-in-depth arsenal and bridges the gap between endpoint and perimeter protection by residing within the network. An NBA does not rely upon signatures to detect attacks but instead analyzes network behavior to spot things that are out of the ordinary and indicative of an attack. Not only that: the NBA also shows where the unusual behavior is occurring and which systems are involved.
With an NBA, IT is alerted to a hacker incursion and can respond quickly. This is due to in-depth monitoring and analysis of the entire network. “The rise of unknown malware compromising internal systems, devastating DDoS attacks, APTs and threats bypassing traditional security have changed the IT security landscape. Building perimeter walls and relying on signature-based solutions is not enough anymore. Only a detailed awareness of network behavior and a proactive fight against cyber threats can give control over the IT environment back to administrators,” argues Flowmon’s Network Behavior Analysis and Anomaly Detection page.
Today, IT often relies on legacy IT security systems, mainly perimeter security and endpoint protection. “However, they dismiss the significant infrastructure located between these two areas. In the world where threats have more opportunities than ever to bypass traditional solutions and sneak in, where 70% of attacks come from an internal network, this approach is not enough anymore. How do you secure your systems and data from ever changing threats that bypass traditional solutions?” the Network Behavior Analysis and Anomaly Detection page argues.
Network Behavior Analysis, which can be provided via Flowmon ADS, is easy to deploy. Much can be learned from network telemetry data (IPFIX/NetFlow), which comes from routers, switches and other network devices.
The idea is to first collect and analyze this network telemetry data. To harness the data, IT defines the network size and the IP addresses of services such as DNS or DHCP. With all this in hand, the Network Behavior Analysis system creates baselines automatically and gets to work monitoring and detecting anomalies.
A bit of AI magic can kick in through machine learning, where the NBA/ADS learns the traffic characteristics of each user and all the network services, and dissects the difference between normal and abnormal behavior. Being adaptive, baselines change based on behavior.
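The collect-baseline-detect loop described above, as an added example that is not Flowmon's code: it runs over constructed NetFlow-style records, learns a per-host byte-volume and peer-count baseline from the first five minutes, then scores the next minute and adapts the baseline with an exponential moving average (an assumed, simplified stand-in for the machine-learning step). It flags the two kinds of departure the post describes: a sudden fan-out to never-seen hosts and a byte-volume spike. Host addresses, byte counts and thresholds are made up for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (minute, src, dst, dst_port, bytes); minutes 0-4 are the learning window.
WEB_BYTES = [9000, 12000, 8000, 14000, 10000]      # 10.0.0.7 normal HTTPS volume
SMB_BYTES = [40000, 42000, 39000, 41000, 43000]    # 10.0.0.9 normal file-share volume
FLOWS = []
for m in range(5):
    FLOWS += [(m, "10.0.0.7", "10.0.0.53", 53, 120),
              (m, "10.0.0.7", "93.184.216.34", 443, WEB_BYTES[m]),
              (m, "10.0.0.9", "10.0.0.53", 53, 110),
              (m, "10.0.0.9", "10.0.0.20", 445, SMB_BYTES[m])]
# Minute 5: 10.0.0.7 fans out to 30 never-seen hosts with tiny flows (scan-like),
# while 10.0.0.9 keeps its usual peers but moves about 15x its normal byte volume.
FLOWS += [(5, "10.0.0.7", "10.0.0.53", 53, 120),
          (5, "10.0.0.7", "93.184.216.34", 443, 11000),
          (5, "10.0.0.9", "10.0.0.53", 53, 115),
          (5, "10.0.0.9", "10.0.0.20", 445, 600000)]
FLOWS += [(5, "10.0.0.7", f"10.0.0.{n}", 445, 64) for n in range(100, 130)]

def per_minute_features(flows):
    """Aggregate raw flows into {src: {minute: (total_bytes, distinct_destinations)}}."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for minute, src, dst, _port, nbytes in flows:
        agg[src][minute][0] += nbytes
        agg[src][minute][1].add(dst)
    return {s: {m: (b, len(d)) for m, (b, d) in mins.items()} for s, mins in agg.items()}

def detect(flows, train_minutes, alpha=0.3, z=3.0, peer_jump=10):
    """Learn a per-host baseline from minutes < train_minutes, score the rest,
    and adapt the baseline with an EMA. Returns sorted [(minute, src, reason)]."""
    alerts = []
    for src, by_min in per_minute_features(flows).items():
        train = [by_min[m] for m in sorted(by_min) if m < train_minutes]
        if not train:
            continue                                   # host unseen while learning
        mu_b = mean(b for b, _ in train)
        sd_b = max(pstdev([b for b, _ in train]), 0.05 * mu_b)  # floor a flat baseline
        mu_p = mean(p for _, p in train)
        for m in sorted(by_min):
            if m < train_minutes:
                continue
            b, p = by_min[m]
            if abs(b - mu_b) / sd_b > z:               # byte volume far outside baseline
                alerts.append((m, src, "bytes_zscore"))
            if p - mu_p >= peer_jump:                  # many more peers than usual
                alerts.append((m, src, "new_peer_fanout"))
            mu_b = alpha * b + (1 - alpha) * mu_b      # adaptive baseline update
            mu_p = alpha * p + (1 - alpha) * mu_p
    return sorted(alerts)
```

Running `detect(FLOWS, train_minutes=5)` yields one fan-out alert for 10.0.0.7 and one byte-volume alert for 10.0.0.9, each naming the minute and the host involved.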
Flowmon ADS and Network Behavior Analysis help IT determine what is abnormal activity on your network, report these anomalies and detect intrusions and attacks not visible to standard approaches, so IT can respond fast and minimize financial impact.
“Flowmon delivers to businesses an advanced security intelligence based on NBAD technology. Its Flowmon Anomaly Detection System (ADS) is a powerful tool trusted by CISO and security engineers globally providing them with dominance over modern cyber threats. The solution utilizes sophisticated algorithms and machine learning to automatically identify network anomalies and risks that bypass traditional solutions such as firewall, IDS/IPS or antivirus,” the Network Behavior Analysis and Anomaly Detection page explained.
Flowmon ADS also includes reputation databases that help spot communication with known attackers, command-and-control domains, botnets, peer-to-peer networks, spammers and more.
Learn more about anomaly detection on the Network Behavior Analysis and Anomaly Detection page.
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.