Bolstered Security

Network behavior analysis keeps a close watch on traffic flow.

When it comes to enterprise networks, organizations can never have too much security. If the information moving across these networks is compromised, stolen, damaged or misused, the results could range from lost revenue to regulatory fines to public outrage — depending on what type of information is involved.

To really gain insight into how secure their data networks are, organizations need to know what’s actually happening on the networks. Network behavior analysis (NBA) systems are designed to help organizations gain greater visibility into network activity so they can more easily detect anomalies that might indicate malicious or suspicious actions.

NBA systems work by building a baseline of normal traffic patterns from data gathered from network devices, typically flow records exported by routers and switches (NetFlow, sFlow or IPFIX) or full packet analysis, and then flagging traffic that deviates from that baseline. They alert administrators when suspicious activity appears, so that it can be analyzed and responded to before any major harm is done to data or systems.

There has been steady growth of interest in NBA technology, but it remains a small market, says Lawrence Orans, research director at Gartner. “We don’t anticipate a ‘hockey stick’ curve in NBA interest any time soon,” Orans says. “Overall, the demand is driven by a need for more visibility in the network.”

According to Gartner, NBA can detect network behavior that other security technologies such as firewalls, intrusion prevention systems, and security information and event management (SIEM) systems might miss. Those technologies rely largely on signatures and rules, Gartner says, so they might not identify certain threats unless they are specifically configured to look for them.

Gartner research recommends that organizations implement firewalls and intrusion detection/intrusion prevention (IDS/IPS) systems before investing in NBA systems; NBA complements those controls rather than replacing them.

The potential benefits of NBA come in two primary areas: security and network operations, Orans says. On the security side, NBA monitors networks for malware and detects unauthorized reconnaissance scanning by attackers looking for prospective targets. The systems can also detect infected devices spreading worm traffic through a network, unauthorized applications and rogue Web servers. They can monitor guest access to the network and generate audit-trail reports.
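The flow-based detections described in the two paragraphs above (reconnaissance scanning, worm-like spread, rogue Web servers) plus the bandwidth-hog case mentioned under operations benefits can be illustrated with a small flow analyzer. The following is an added example written for this article, not code from any NBA product or from Gartner; the record format (`src dst dport proto bytes`), the 10.0.0.0/8 internal range, the approved-server list and every threshold are assumptions, and the sample flow records are constructed. The thresholds are exactly the knobs an administrator tunes to keep false positives down.

```python
"""Toy flow-based network behavior analysis over NetFlow-style records.

Added example, not product code. Record format, address ranges, approved
hosts and thresholds are all assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # assumed internal address space
APPROVED_WEB_SERVERS = {"10.0.1.10"}        # assumed hosts allowed to serve HTTP(S)
SCAN_PORT_THRESHOLD = 20                    # distinct ports on one target -> scan
SPREAD_HOST_THRESHOLD = 15                  # distinct internal targets on one port -> worm-like
BULK_BYTES_THRESHOLD = 500_000_000          # bytes into one host in the window -> bandwidth hog


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(lines):
    """Parse constructed 'src dst dport proto bytes' records; skip blanks and comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower(), int(nbytes)))
    return flows


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def detect_vertical_scans(flows, threshold=SCAN_PORT_THRESHOLD):
    """One source probing many ports on a single target: reconnaissance."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= threshold)


def detect_worm_spread(flows, threshold=SPREAD_HOST_THRESHOLD):
    """Internal host fanning out to many internal hosts on one port: worm-like spread."""
    hosts = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            hosts[(f.src, f.dport)].add(f.dst)
    return sorted((src, port, len(h)) for (src, port), h in hosts.items() if len(h) >= threshold)


def detect_rogue_web_servers(flows, approved=APPROVED_WEB_SERVERS):
    """Internal host accepting HTTP(S) connections without being on the approved list."""
    rogue = set()
    for f in flows:
        if f.proto == "tcp" and f.dport in (80, 443, 8080) and is_internal(f.dst) and f.dst not in approved:
            rogue.add(f.dst)
    return sorted(rogue)


def detect_bulk_transfers(flows, threshold=BULK_BYTES_THRESHOLD):
    """Large inbound transfers from outside into one internal host (operations view)."""
    total = defaultdict(int)
    for f in flows:
        if is_internal(f.dst) and not is_internal(f.src):
            total[f.dst] += f.nbytes
    return sorted((dst, b) for dst, b in total.items() if b >= threshold)


def analyze(lines):
    flows = parse_flows(lines)
    return {
        "recon_scans": detect_vertical_scans(flows),
        "worm_spread": detect_worm_spread(flows),
        "rogue_web_servers": detect_rogue_web_servers(flows),
        "bulk_transfers": detect_bulk_transfers(flows),
    }


# Constructed sample window: a port scan, a worm-like fan-out on 445,
# an unapproved internal host answering on port 80, and one big download.
SAMPLE = [
    "# constructed sample: src dst dport proto bytes",
    *(f"10.0.5.77 10.0.1.10 {p} tcp 60" for p in range(1, 26)),
    *(f"10.0.9.9 10.0.9.{h} 445 tcp 120" for h in range(1, 21)),
    "203.0.113.5 10.0.3.40 80 tcp 900",
    "203.0.113.6 10.0.1.10 443 tcp 4200",
    "198.51.100.7 10.0.2.2 51000 tcp 800000000",
]

if __name__ == "__main__":
    for category, findings in analyze(SAMPLE).items():
        print(category, findings)
```

Each detector counts distinct peers or ports per source over the window rather than matching a signature, which is why it catches a scanner or a spreading host it has never seen before; the same property is what makes the thresholds the place where false positives are tuned, since an authorized vulnerability scanner will trip the reconnaissance rule unless its address is excluded or its threshold raised.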

Operations benefits include improved network troubleshooting, Orans says. NBA can help administrators reduce the time they need to resolve network problems. The products also help distinguish real threats from network performance issues, and can detect bandwidth-consuming downloads that degrade performance.

One of the biggest challenges of using NBA systems is the possibility of false positives, which can leave administrators spending a great deal of time chasing down alerts that turn out to be nothing problematic. One way to minimize false positives is to configure and fine-tune the systems before putting them into production on the network: let them learn a baseline of normal traffic over a representative period, set thresholds to match the environment, and exclude known legitimate sources of scan-like traffic, such as authorized vulnerability scanners, before enabling alerts.

Orans says there is a common misconception that NBA systems can enable automated response capabilities to contain attacks and protect against threats. In reality, he says, most administrators are reluctant to enable automated responses because of the high potential for false positives.