What is Network Traffic Analysis?

Defining Network Traffic Analysis

Gartner defines network traffic analysis (NTA) as follows: Network traffic analysis uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks. NTA tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NTA tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NTA solutions can also monitor east/west communications by analyzing network traffic or flow records that they receive from strategically placed network sensors.

Why is Network Traffic Analysis Important?

Advanced attacks are designed to evade traditional preventive and detection techniques. Network traffic analysis solutions (also referred to as network detection and response) provide a sound method for identifying threats traversing the network as well as cloud traffic. One key attribute of network traffic analysis solutions is coverage across all ports and protocols, which gives full visibility provided the sensors are placed where that traffic actually flows.

Network traffic analysis solutions leverage a multitude of detection techniques, including supervised and unsupervised machine learning, deep packet and deep session inspection, malware detection, sandboxing, asset inventory, and more.

Beyond detection, organizations also use NTA solutions to help investigate and mitigate an incident. To this end, network traffic analysis tools that are integrated with endpoint detection and response solutions can substantially speed up alert investigation and resolution. A good example is automatically validating that a threat detected in network traffic has in fact compromised one or more endpoints in the environment, and then automatically taking an action, such as isolating the impacted endpoints from the network.

Network traffic analysis solutions can also collect and store rich metadata that can be easily searched for deeper investigation and hunting efforts. The value of the metadata is that it is easy to query, facilitates faster investigations and is much more cost-effective than storing full PCAPs; the trade-off is that payloads are not retained, so any later content-level analysis is limited to what was extracted at capture time.

Examples of metadata that can be collected are the:

WHO
domain user, webmail user, FTP user, email address, device ID, organization name

WHAT
filenames, SHA256, MD5, content tags, malware name, malware type

WHEN
timestamps, from the present back to as far as the configured retention period

WHERE
source, destination, country, IP address, organization, URL, domain

HOW
protocols, applications, file type, user agent, custom protocols, obfuscated files and scripts


What are the Key Aspects of a Network Traffic Analysis Solution?

A robust network traffic analysis solution should:

  • Provide visibility across all ports and all protocols
  • Bi-directionally scan all network traffic to reveal network and application protocols, files, and content, via sensors that can be placed at the gateway, internally, in the cloud, and at both the email and web gateways
  • Conduct real-time analysis of raw network packet traffic or traffic flows
  • Monitor and analyze north/south traffic as well as east/west traffic
  • Differentiate between normal and anomalous network and cloud traffic
  • Leverage machine learning and analytics to detect network traffic anomalies
  • Provide rich metadata that enables retrospective detection and analysis going back many months
  • Profile TLS-encrypted traffic from handshake metadata and certificates without decrypting it, distinguishing human browsing from machine traffic, and leverage data science models to detect hidden threats
  • Consolidate similar alerts together with their related context and evidence to speed alert triage
  • Help automate relevant response actions based on what has been detected
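The definition above describes NTA tools learning a model of normal behaviour from flow records and alerting on deviations, and the list above asks for telling human browsing apart from machine traffic. The following is an added example written for this page, not a vendor's detection logic or code from the original. It runs two simple detectors over constructed NetFlow-style records: a per-host hourly byte baseline that catches a large upload, and an inter-arrival regularity check that catches a low-and-slow beacon the byte baseline never sees. The record layout `(ts, src, dst, dport, bytes)`, the hosts, the thresholds and every sample flow are assumptions chosen for illustration.

```python
"""Baselining NetFlow-style records and flagging anomalies (added example).

Illustrative code written for this page, not any product's detection logic.
The record layout (ts, src, dst, dport, bytes), the hosts, the thresholds and
all sample flows are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

HOUR = 3600
DAY = 24 * HOUR

# Three hand-built "human browsing" hour profiles: (offset_s, dst, bytes).
# Offsets differ from hour to hour so that inter-arrival times stay irregular.
BROWSE_PATTERNS = (
    ((37, "93.184.216.34", 4200), (611, "93.184.216.34", 15800),
     (1480, "198.51.100.8", 9100), (2905, "93.184.216.34", 2300)),
    ((214, "93.184.216.34", 7700), (1790, "198.51.100.8", 3100),
     (3320, "93.184.216.34", 12600)),
    ((95, "198.51.100.8", 2200), (520, "93.184.216.34", 6400),
     (2210, "93.184.216.34", 1900), (2640, "93.184.216.34", 8800),
     (3410, "198.51.100.8", 5200)),
)


def make_flows():
    """Constructed sample: two working days of flows from two internal hosts.

    Day 1 is clean and serves as the training period. On day 2, 10.0.0.5
    pushes a large upload to an external host (volume anomaly) and 10.0.0.9
    starts a low-and-slow 300 s check-in to a command-and-control address.
    """
    flows = []
    for day in (0, 1):
        for hour in range(8, 18):
            base = day * DAY + hour * HOUR
            for src, shift in (("10.0.0.5", 0), ("10.0.0.9", 1)):
                for offset, dst, nbytes in BROWSE_PATTERNS[(hour + shift) % 3]:
                    flows.append((base + offset, src, dst, 443, nbytes))
    # Day 2, 15:02: one 850 MB upload from 10.0.0.5 to an external host.
    flows.append((DAY + 15 * HOUR + 120, "10.0.0.5", "203.0.113.7", 443, 850_000_000))
    # Day 2, from 09:01: 40 beacons from 10.0.0.9, 300 s apart with +/-2 s jitter.
    jitter = (-2, 1, 0, 2, -1)
    for i in range(40):
        ts = DAY + 9 * HOUR + 60 + i * 300 + jitter[i % 5]
        flows.append((ts, "10.0.0.9", "198.51.100.20", 443, 380))
    return sorted(flows)


def hourly_bytes(flows):
    """Sum bytes sent per source and hour bin -> {src: {hour_bin: bytes}}."""
    bins = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, _dport, nbytes in flows:
        bins[src][ts // HOUR] += nbytes
    return bins


def build_baseline(flows, train_end):
    """Per-source mean/stdev of bytes per active hour over the training period.

    This is the "model of normal behaviour" learned from flow records; hours
    with no traffic are left out so the baseline reflects actual activity.
    """
    train = [f for f in flows if f[0] < train_end]
    return {src: (mean(b.values()), pstdev(b.values()))
            for src, b in hourly_bytes(train).items()}


def volume_anomalies(flows, baseline, train_end, z=3.0):
    """Return [(src, hour_bin, bytes)] for post-training hours far above baseline.

    A host with no baseline is reported as well: a never-seen talker deserves
    an analyst's look. The stdev floor of 1 byte avoids division by zero.
    """
    alerts = []
    detect = [f for f in flows if f[0] >= train_end]
    for src, b in hourly_bytes(detect).items():
        for hbin, nbytes in sorted(b.items()):
            if src not in baseline:
                alerts.append((src, hbin, nbytes))
                continue
            mu, sigma = baseline[src]
            if (nbytes - mu) / max(sigma, 1.0) > z:
                alerts.append((src, hbin, nbytes))
    return alerts


def beacon_candidates(flows, min_count=6, max_cv=0.1):
    """Flag (src, dst, dport) streams whose inter-arrival times are too regular.

    Human browsing is bursty; an implant on a timer is not. The coefficient of
    variation (stdev / mean) of the gaps separates the two regardless of
    volume, which is why a beacon that never trips the byte baseline still
    surfaces here.
    """
    streams = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        streams[(src, dst, dport)].append(ts)
    found = []
    for key, times in streams.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_cv:
            found.append((key, round(mean(gaps)), len(times)))
    return found


if __name__ == "__main__":
    flows = make_flows()
    baseline = build_baseline(flows, train_end=DAY)
    for alert in volume_anomalies(flows, baseline, train_end=DAY):
        print("volume anomaly:", alert)      # only 10.0.0.5's upload hour
    for cand in beacon_candidates(flows):
        print("beacon candidate:", cand)     # only 10.0.0.9 -> 198.51.100.20
```

Note that the beacon adds only a few kilobytes per hour, so its hours stay inside three standard deviations of 10.0.0.9's baseline and the volume detector is silent on it; the periodicity check is what surfaces it. In production the same two views would be fed from real flow exports and the thresholds tuned per environment, with a whitelist for legitimately periodic traffic such as update checks and monitoring agents.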