Gartner recently released its Market Guide for Network Traffic Analysis (NTA), an invaluable tool for organizations looking to assess and compare the wide variety of Network Traffic Analysis solutions on the market. Modern organizations have seen a massive expansion of their cyber terrain as they have had to contend with a higher number of cloud services, distributed devices, more network traffic and additional endpoints. As the cyber terrain has grown, organizations have had to evolve their defensive strategies, moving from perimeter-focused security to more comprehensive strategies that emphasize holistic visibility of the cyber terrain.
In this blog, we will discuss what makes for a good NTA solution, why we believe Fidelis Security was selected as a Representative Vendor for Network Traffic Analysis, and what differentiates the Fidelis platform from other NTA solutions.
What is Network Traffic Analysis?
With such a wide range of products describing themselves as “Network Traffic Analysis” solutions, it is first important to realize that not all NTA is created equal. Because of this, it is useful to establish a working definition: Gartner defines Network Traffic Analysis (NTA) as a solution that “uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks.” According to the Gartner NTA Market Guide, a Network Traffic Analysis vendor must:
- Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real time or near real time
- Have the ability to monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network)
- Be able to model normal network traffic and highlight anomalous traffic
- Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics, that detect network anomalies
- Be able to emphasize the threat detection phase, rather than the forensics — for example, packet capture (PCAP) analysis — phase of an attack
What to Look for When Buying an NTA Solution
In the NTA Market Guide, Gartner emphasized the growing importance of Detection and Response capabilities in an NTA solution. Analytics alone are not the point; the value lies in tying that understanding of the network traffic into your overall detection and response capability. As cyber attackers continue to innovate and evolve their capabilities (increasingly with the help of adversarial machine learning), early detection and response remain one of the most effective strategies for defending enterprises against malicious actors. Unfortunately, cyber attacker dwell time is currently measured in months rather than hours or days – this provides attackers with ample time to collect information, move throughout the network and damage or exfiltrate enterprise data.
Cyber attackers typically leverage multiple tactics to evade security tools, but in doing so they also create more opportunities for analysts to find them. Leading network traffic analysis (NTA) technology captures, processes, and analyzes network traffic to detect and investigate data that may indicate a cyber-attack. Typical network traffic analysis solutions use a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks.
Detection
In order to remedy the current dwell time situation, organizations need better options for both automated and manual detection. Ultimately, this is a visibility issue for organizations – many lack the holistic visibility of their cyber environment that is needed to detect threats in cyber-relevant time. Ideal network traffic analysis solutions should aim to provide organizations with deep visibility into their own cyber terrain, as well as into the tactics and techniques that attackers use to infiltrate networks, expand control, and entrench themselves.
Response
Similar to detecting threats, responding to threats effectively ultimately boils down to how much information you have at your disposal. Network Traffic Analysis solutions should therefore prioritize giving incident responders the tools they need to quickly make risk-based decisions. Having visibility from the network and cloud traffic to endpoint activity is a must to understand the who, what, when, where, and how — in addition to possessing the tools and automation needed to resolve issues as quickly as possible.
What Sets Fidelis Apart?
We believe Fidelis Security is noted as a Representative Vendor for providing the above capabilities and much more, including bi-directional visibility across all ports and protocols, the ability to retrospectively detect and analyze rich metadata against the latest threat intelligence, to consolidate similar alerts and evidence to speed alert triage, to profile TLS-encrypted traffic, and to integrate seamlessly with Fidelis Endpoint® to automate response actions.
Key benefits of the Fidelis platform include:
- Mapping attacker TTPs to the MITRE ATT&CK™ framework for improved alert visualization and ease-of-use
- Gaining bi-directional visibility of all network traffic (including TLS) across all ports and protocols
- Inspecting content multiple levels deep to detect malicious activity and data loss
- Visualizing the network terrain with an interactive map of device communication prioritized by risk
- Detecting anomalous behavior with powerful supervised and unsupervised machine-learning models
- Aggregating alerts, context, and evidence for faster threat investigation and analysis, and reduced alert fatigue
- Knowing your environment by automatically profiling and classifying all networked IT assets
- Risk scoring with behavioral and historical analytics, plus policy and alert management
- Automating response via integration with Fidelis Endpoint®
Download your free copy of the 2019 Gartner Market Guide for Network Traffic Analysis.