Close

NTA or UEBA? Why Choose?

By Larry Lunetta, VP WLAN & Security Solutions Marketing
Share Post

“Tastes great. Less filling.” That was the refrain in a classic beer advertisement that basically told consumers that they could have a great beer and still save on calories. Who doesn’t like a twofer?

Security teams are often faced with similar choices. Even with increasing budgets, the chief information security officer must constantly prioritize investments and rarely can one product deliver on multiple missions. For organizations that need to improve their ability to find and respond to attacks on the inside, the choices have been UEBA (User and Entity Behavior Analytics) or NTA (Network Traffic Analysis).

In both cases the solutions feature machine learning—an essential component in finding and responding to insider attacks before they do damage. For UEBA, the input is logs and for NTA, it is packets and flows. UEBA provides broad IT coverage and often is used to turbocharge a SIEM. NTA delivers precision real-time insights. Less filling or great taste? Packets or logs?

What Is NTA?
In the 2019 Market Guide for Network Traffic Analysis(1), Gartner acknowledged that Aruba IntroSpect delivers on both UEBA and NTA solutions. For NTA, the key attributes cited are:

  • Analyzes network traffic and/or flows
  • Detects behavioral anomalies via machine learning
  • Processes in real time or near-real time
  • Supports investigations

IntroSpect  is tuned for the NTA mission through mature deep-packet inspection that delivers rich metadata to the machine learning models to detect attacks such as ransomware. In addition, NTA is required for IoT security because “things” do not log and cannot be queried—the only way a compromise can be seen is through changes in network behavior.

Aruba IntroSpect is an “NTA Plus” solution. In addition to NTA functionality, it delivers complementary behavioral profiling via logs—from sources such as firewalls, web proxies, DNS, DHCP, etc. This is particularly helpful in the off-chance that packets or flows are not available due to network constraints, encryption, etc.

While Gartner did not make user attribution a must-have component of NTA, our customers tell us that IntroSpect’s ability to connect the user to his or her IT activity provides greatly speeds incident investigation, compared to starting with an IP address. The good news is that unlike other NTA products that are just now adding user ID to alerts, IntroSpect provides a full user profile including all devices and user IDs associated with that user along with a summary of the user’s security-relevant activity to accelerate investigations.

Network-Powered Security
Aruba has been in the recognized as a Leader in Gartner Magic Quadrant for Wired and Wireless LAN Access Infrastructure for 13 years straight.(2) In addition, Aruba is highly ranked in Gartner Critical Capabilities for the Wired and Wireless LAN Access Infrastructure.(3) Aruba received the highest score in five out of the six most prevalent use cases for enterprise networking deployments.

It’s no surprise that we are incredibly adept at using the network to detect and respond to advanced attacks. We call this “Network-Powered Security” and it means that security teams do not have to compromise when it comes to protecting their organizations.

With IntroSpect your security and networking teams will find it easier to work together to protect an exponentially increasing attack surface. Less effort, better security. That’s a twofer any CISO (and CIO) will love.

 

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties or merchantability or fitness for a particular purpose.

 (1) Gartner – Market Guide for Network Traffic Analysis, February 28, 2019 – Lawrence Orans, Jeremey D’Hoinne, Sanjit Ganguli

 (2) Aruba’s 13 years of placement includes HPE (Aruba) in the Magic Quadrant for the Wired and Wireless LAN Access Infrastructure from 2015-2018 (4 years), Aruba Networks in the same Magic Quadrant from 2012-2014 (3 years) and in the Magic Quadrant for Wireless LAN Access Infrastructure from 2006-2011 (6 years).

(3) Gartner – Critical Capabilities for Wired and Wireless LAN Access Infrastructure, August 21, 2018 – Christian Canales, Tim Zimmerman, Bill Menezes, Mike Toussaint