Network detection and response delivers the most comprehensive insight into hidden threats and empowers incident responders to act with confidence. Network traffic analysis is a core technology for detecting hidden threats, but there are several decision criteria that you are likely to consider, including the ones below.
Read the summarized table below to learn how vendors stack up to these requirements.
Network Traffic Analysis is a new market, with many vendors entering since 2016. Gartner analyzed the key NTA vendors to be considered by security and risk management leaders. You can download the Gartner Market Guide for Network Traffic Analysis here.
Network metadata consists of descriptors of the traffic itself, which can be indexed and searched in real time at a fraction of the size of full packet captures. Metadata as a source is the right data type, but used alone it lacks the indicators of compromise that show analysts where to hunt.
Security-enriched network metadata
Enrichment techniques, which add attributes such as host identity and beaconing behavior, are used to augment the raw network metadata. This data cocktail is essential to quickly identify threat activity in security event messages and to conduct more conclusive incident investigations.
NetFlow is network performance monitoring data remarketed for security. It shows that connections were made but does not show what those connections were used for. Network detection requires details, such as whether an SMB connection was used to authenticate a user, mount a share or execute code. NetFlow does not provide these details, leaving it without the visibility needed to detect threats.
Full packet captures
Network packets provide deep network visibility but are difficult and expensive to scale. The sheer volume of packets makes searches slow, which makes incident investigations frustratingly painful.
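To make the difference between the three data sources concrete, here is an added example (not Vectra's code, and not taken from any product) that runs over constructed records. The flow records mimic NetFlow fields, the SMB records loosely mirror the fields a Zeek-style metadata pipeline emits, and the connection timestamps feed a simple beaconing enrichment based on how regular the inter-connection gaps are. All hosts, shares, pipe names and thresholds are constructed for the example.

```python
"""Flow data vs. security-enriched metadata, on constructed records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: who talked to whom, on which port, how many bytes.
FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.2.20", "dport": 445, "proto": "tcp", "bytes": 4210},
    {"src": "10.0.1.7", "dst": "10.0.2.20", "dport": 445, "proto": "tcp", "bytes": 9400},
]

# Constructed SMB metadata for the same two sessions (Zeek-like fields, simplified).
SMB_META = [
    {"src": "10.0.1.5", "dst": "10.0.2.20", "user": "jdoe", "action": "AUTH"},
    {"src": "10.0.1.5", "dst": "10.0.2.20", "share": "\\\\FS01\\finance", "action": "TREE_CONNECT"},
    {"src": "10.0.1.7", "dst": "10.0.2.20", "user": "svc_backup", "action": "AUTH"},
    {"src": "10.0.1.7", "dst": "10.0.2.20", "share": "\\\\FS01\\ADMIN$", "action": "TREE_CONNECT"},
    {"src": "10.0.1.7", "dst": "10.0.2.20", "pipe": "svcctl", "action": "PIPE_OPEN"},
]

# Constructed outbound connection timestamps (seconds): one host is near-periodic, one is not.
CONN = (
    [{"src": "10.0.1.7", "dst": "203.0.113.9", "ts": t} for t in (0, 60, 121, 180, 241, 300, 360, 419)]
    + [{"src": "10.0.1.5", "dst": "198.51.100.4", "ts": t} for t in (0, 12, 300, 330, 900, 905)]
)


def summarize_flows(flows):
    """What flow data can say: an SMB connection existed and moved N bytes. Purpose unknown."""
    out = {}
    for f in flows:
        service = "SMB" if f["dport"] == 445 else f"port {f['dport']}"
        out[(f["src"], f["dst"])] = {"service": service, "bytes": f["bytes"], "purpose": "unknown"}
    return out


# Map protocol-level SMB events to the behaviours an analyst cares about.
ACTION_TO_BEHAVIOUR = {"AUTH": "authenticate", "TREE_CONNECT": "mount_share"}
# Named pipes whose use over SMB typically indicates remote service/code execution (constructed list).
EXEC_PIPES = {"svcctl", "atsvc", "winreg"}


def classify_smb(meta):
    """What enriched metadata can say: which behaviours each client performed on the server."""
    behaviours = defaultdict(set)
    for m in meta:
        key = (m["src"], m["dst"])
        if m["action"] in ACTION_TO_BEHAVIOUR:
            behaviours[key].add(ACTION_TO_BEHAVIOUR[m["action"]])
        elif m["action"] == "PIPE_OPEN" and m.get("pipe") in EXEC_PIPES:
            behaviours[key].add("execute_code")
    return dict(behaviours)


def detect_beacons(conns, min_count=6, max_cv=0.1):
    """Enrichment: flag (src, dst) pairs whose connection timing is near-periodic.

    The coefficient of variation of the gaps (stdev / mean) is 0 for a perfectly regular
    beacon; jittered malware still scores low, while human browsing scores high.
    """
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["src"], c["dst"])].append(c["ts"])
    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "interval_s": round(avg), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    print("flow view:     ", summarize_flows(FLOWS))
    print("metadata view: ", classify_smb(SMB_META))
    print("beacons:       ", detect_beacons(CONN))
```

The flow view reports both sessions identically ("SMB, purpose unknown"), while the metadata view distinguishes a user mounting a file share from a service account opening `ADMIN$` and the `svcctl` pipe, and the beaconing pass tags the host with the regular 60-second outbound connection.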
There are numerous techniques for creating algorithms that are capable of learning and adapting over time. Broadly speaking, we can organize these algorithms into one of three categories: supervised, unsupervised and reinforcement learning.
Machine learning is the technique, not the objective. This is critically important as more tools leverage and advertise machine learning for threat detection. Unlike Vectra, other vendors use a small subset of machine learning algorithms to solve a problem. Specific attacker behaviors require different applications of machine learning.
You can read more about deep learning in our dedicated blog post about neural networks and deep learning.
Just as no single algorithm can solve every problem, no single method can find every threat. Vendors who apply a single algorithmic approach run the risk of drowning a few good detections in a massive flood of false positives. Conversely, machine learning is overkill when a simple list of indicators of compromise (IoCs) would suffice, such as detecting known malicious IP addresses or URLs.
Deciding where to focus an analyst's time and how to respond requires an understanding of the assets impacted and the risk to your business. You want your vendor’s solution to roll up a chain of events into single incidents.
To understand the severity of an attack, analysts need to connect the dots of related attacker behaviors to expose the relationship between hosts across internal detections, external advanced command-and-control detections, and connectivity to common command-and-control infrastructures.
It is imperative to prioritize the risk level of hosts, including workloads, servers and IoT devices. This ensures that analysts respond to the highest risks first, reducing the total cost and risk of a breach.
The goal should be to reduce the workload so an analyst can focus on the events that matter most. Part of that means providing human-readable outputs from machine learning algorithm detections, including PCAP and guidance on what a detection means and what next steps an analyst should take to verify and respond.
As attackers perform reconnaissance and move laterally from host to host in a network, their behaviors need to be correlated across all involved hosts and detections to present a view of the entire attack campaign.
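The roll-up and prioritization described in the last few paragraphs can be shown with a small amount of code. The following is an added example, not Vectra's scoring logic or any product's API: it takes constructed detections (each with a host, a 0-100 threat and certainty value, and, for lateral-movement detections, the next internal host), links hosts that the lateral-movement detections connect into one incident, and ranks incidents by a host risk score that multiplies the strongest detection by an assumed asset-criticality tier. Host names, detection types, scores and tiers are all constructed.

```python
"""Roll detections into cross-host incidents and rank them by risk (added example)."""
from collections import defaultdict

# Constructed detections. "dst" is the next hop for lateral-movement detections, the
# external endpoint for command-and-control detections, or None.
DETECTIONS = [
    {"id": 1, "host": "ws-017", "type": "hidden_https_tunnel", "threat": 70, "certainty": 60, "dst": "203.0.113.9"},
    {"id": 2, "host": "ws-017", "type": "internal_port_scan", "threat": 40, "certainty": 80, "dst": None},
    {"id": 3, "host": "ws-017", "type": "smb_brute_force", "threat": 60, "certainty": 70, "dst": "fs-01"},
    {"id": 4, "host": "fs-01", "type": "suspicious_remote_exec", "threat": 80, "certainty": 65, "dst": "dc-02"},
    {"id": 5, "host": "dc-02", "type": "ransomware_file_activity", "threat": 95, "certainty": 90, "dst": None},
    {"id": 6, "host": "ws-042", "type": "internal_port_scan", "threat": 40, "certainty": 30, "dst": None},
]

# Constructed inventory: which names are internal hosts, and how critical each asset is.
INTERNAL_HOSTS = {"ws-017", "ws-042", "fs-01", "dc-02"}
ASSET_TIER = {"dc-02": 3.0, "fs-01": 2.0, "ws-017": 1.0, "ws-042": 1.0}


def host_scores(detections):
    """Risk per host: strongest (threat x certainty) detection, weighted by asset criticality."""
    best = defaultdict(float)
    for d in detections:
        best[d["host"]] = max(best[d["host"]], d["threat"] * d["certainty"] / 100)
    return {h: s * ASSET_TIER.get(h, 1.0) for h, s in best.items()}


def build_incidents(detections):
    """Union hosts joined by lateral-movement detections; every component is one incident."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for d in detections:
        find(d["host"])
        if d["dst"] in INTERNAL_HOSTS:      # internal destination => lateral movement edge
            union(d["host"], d["dst"])

    groups = defaultdict(list)
    for d in detections:
        groups[find(d["host"])].append(d)

    incidents = []
    for dets in groups.values():
        dets.sort(key=lambda d: d["id"])
        chain = [f"{d['host']} -> {d['dst']}" for d in dets if d["dst"] in INTERNAL_HOSTS]
        incidents.append({
            "hosts": sorted({d["host"] for d in dets}),
            "detections": [d["id"] for d in dets],
            "chain": chain,  # human-readable lateral-movement path for the analyst
        })
    return incidents


def prioritize(detections):
    """Incidents ordered by the riskiest host they contain, highest first."""
    scores = host_scores(detections)
    incidents = build_incidents(detections)
    for inc in incidents:
        inc["risk"] = max(scores[h] for h in inc["hosts"])
    incidents.sort(key=lambda i: i["risk"], reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in prioritize(DETECTIONS):
        print(f"risk={inc['risk']:.1f} hosts={inc['hosts']} chain={inc['chain']}")
```

With these inputs the five detections on `ws-017`, `fs-01` and `dc-02` collapse into one incident whose chain reads `ws-017 -> fs-01 -> dc-02`, and it outranks the lone low-certainty scan on `ws-042` by a wide margin because the domain controller carries the highest asset tier.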
Data center and cloud security goes beyond virtualization or perimeter detection and needs to include the underlying infrastructure and low-level tools used to manage workloads. You may want to consider a technology that provides threat detection that extends from the application layer down to the underlying hardware.
For example, a port knocking detection may reveal servers that are compromised by a rootkit, which could reside below the physical operating system itself. In addition, monitoring and detecting the improper use of low-level management protocols such as IPMI and iDRAC is critical.
Normally used by administrators for lights-out management of server hardware, these protocols are increasingly targeted by attackers because they open a persistent backdoor into the virtual environment, yet their use is not logged and is rarely monitored by security teams.
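Because this traffic is rarely logged, network metadata is often the only place it can be monitored. The following added example (not Vectra's detection logic) shows two simple checks a defender can run over constructed connection records: any access to a baseboard-management address on a lights-out port from outside the management network, and any single source touching an unusually large number of BMCs (a sweep). The subnets, the port-to-service mapping and the sweep threshold are assumptions for the example; in a real deployment they come from the site's own inventory.

```python
"""Flag out-of-band management (IPMI/iDRAC) use from unexpected places (added example)."""
import ipaddress
from collections import defaultdict

MGMT_NET = ipaddress.ip_network("10.99.0.0/24")   # constructed: admin jump hosts live here
BMC_NET = ipaddress.ip_network("10.98.0.0/24")    # constructed: BMC/iDRAC interfaces live here

# Constructed mapping of lights-out management ports to a service label.
# 623/udp is IPMI over RMCP; 443/tcp and 5900/tcp are typical iDRAC web UI and console ports.
OOB_PORTS = {("udp", 623): "ipmi", ("tcp", 443): "idrac_web", ("tcp", 5900): "idrac_console"}

# Constructed connection records (src, dst, proto, dport).
CONNS = [
    {"src": "10.99.0.10", "dst": "10.98.0.5", "proto": "udp", "dport": 623},   # admin host: normal
    {"src": "10.99.0.10", "dst": "10.98.0.6", "proto": "tcp", "dport": 443},   # admin host: normal
    {"src": "10.0.1.7", "dst": "10.98.0.5", "proto": "udp", "dport": 623},     # workstation -> BMC
    {"src": "10.0.1.7", "dst": "10.98.0.5", "proto": "tcp", "dport": 443},     # workstation -> iDRAC
    {"src": "10.0.1.5", "dst": "10.98.0.7", "proto": "tcp", "dport": 22},      # not an OOB port here
] + [
    # one management host querying every BMC in the range: a sweep, even from a trusted subnet
    {"src": "10.99.0.11", "dst": f"10.98.0.{i}", "proto": "udp", "dport": 623} for i in range(1, 13)
]


def flag_oob_access(conns, sweep_threshold=8):
    """Return alerts for OOB access from untrusted sources and for BMC sweeps."""
    alerts = []
    bmcs_per_src = defaultdict(set)
    for c in conns:
        src = ipaddress.ip_address(c["src"])
        dst = ipaddress.ip_address(c["dst"])
        service = OOB_PORTS.get((c["proto"], c["dport"]))
        if dst not in BMC_NET or service is None:
            continue  # not lights-out management traffic
        bmcs_per_src[c["src"]].add(c["dst"])
        if src not in MGMT_NET:
            alerts.append({"src": c["src"], "dst": c["dst"], "service": service,
                           "reason": "oob_from_untrusted_source"})
    for src, bmcs in bmcs_per_src.items():
        if len(bmcs) >= sweep_threshold:
            alerts.append({"src": src, "dst": f"{len(bmcs)} BMCs", "service": "mixed",
                           "reason": "bmc_sweep"})
    return alerts


if __name__ == "__main__":
    for a in flag_oob_access(CONNS):
        print(a)
```

The untrusted-source rule is deliberately strict: a workstation has no business speaking IPMI at all, so a single packet is worth an alert. The sweep rule catches the case the first rule cannot, a trusted management host that has been taken over and is enumerating every controller it can reach.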
Not every attack is the same and not every response should be the same. An AI platform should provide intelligence to existing infrastructure to reduce the time to respond. More importantly, you should expect an AI platform to enable the correct response.
You should expect integration to be simple and straightforward. A complex deployment will erode any benefits you hoped to gain. Integration can occur through APIs, outbound events or automation platforms that provide standardization between products.
Vectra delivers a complete platform for network detection and response with Cognito Detect, Cognito Recall and Cognito Stream. Vectra has the longest tenure and greatest investment in the development of AI for detecting attacker behaviors as well as collecting and enriching metadata for threat hunting and incident investigations.
Darktrace saves a limited amount of metadata (less than two weeks, depending on packet volume), cannot send metadata to data lakes using existing Zeek (Bro) tooling, and does not allow you to build custom queries with tools like Elasticsearch.
ExtraHop saves a finite amount of full PCAPs (e.g., hours to days depending on packet volume) and cannot send PCAPs to data lakes, use existing Zeek (Bro) tooling or build custom queries with tools like Elasticsearch.
Stealthwatch saves on-demand PCAPs (full PCAP is not supported), which significantly limits threat hunting and incident investigations. Stealthwatch cannot send PCAPs to a data lake, use your existing Zeek tooling or build custom queries with tools like Elasticsearch.