Prior to the Hubble Telescope going into orbit, astronomers could only theorize about the structure and origin of the universe. Now, with Hubble’s exponentially more powerful visibility, exciting new discoveries are a common occurrence.
In the world of cyber security, a similar breakthrough has occurred. The integration of purpose-built deep packet inspection with machine learning models is the security equivalent of the Hubble Telescope for attack detection.
Gartner has published a Market Guide (1) describing “Network Traffic Analysis, or “NTA” as “a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks. NTA tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NTA tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NTA solutions can also monitor east/west communications by analyzing network traffic or flow records that it receives from strategically placed network sensors.” One of the criteria for inclusion in this report is that a vendor must “offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics, that detect network anomalies.” HPE Aruba Networks is included as a Representative Vendor for its NTA IntroSpect, which processes both packets and NetFlow.
When NetFlow Is Not Enough
As most security professionals know, NetFlow started life as an operational tool and provides less than 10 data points, mostly around ports, protocols, source and destination IPs, etc. It has only recently been adopted as a security source by products that do not have the technology to provide deep packet visibility or the analytics to leverage it. They can still claim network visibility and machine learning (ML), but the results fall far short of effective NTA. NetFlow also uses the stateless (and unreliable) UDP protocol for communication, which may be fine for operations but potentially fatal if an attack signal is missed.
Purpose-built Deep Packet Inspection feeds closely-matched machine learning models with up to 2000 different network attributes including application-layer activity. Not only are there orders-of-magnitude more information on the behavior of users, systems and devices, but also the accuracy of the machine learning produces many fewer false positives and significantly better detection.
The difference is crucial, because the advanced attacks that come from organized cybergangs or highly-trained state-sponsored military units are designed to evade detection from such well-worn techniques such as NetFlow analysis. Cyberattack 101.
IntroSpect NTA. The Power of Packets
IntroSpect NTA has been built from the ground up to collect, inspect, summarize and analyze network traffic. As part of Aruba’s portfolio of network-powered security solutions, we leverage 17 years of network experience from wired to wireless to WAN connectivity. We know how traffic flows and what content in that traffic is most important for Machine Learning-based attack detection. The Deep Packet Inspection and the analytics are designed to work together—not pasted together to check a box.
The result is we can see and detect every stage of an attack such as ransomware: from initial infection to command and control to lateral spread to initial encryption. The Supervised and Unsupervised ML models feast on the rich insights from network traffic metadata to find these attacks early in the kill chain.
Oh, by the way, instead of starting an investigation with an IP address, IntroSpect will provide user attribution so that your investigations are reduced from days and weeks to hours and minutes.
If you are thinking that Hubble-class protection is beyond your budget, the good news is that IntroSpect NTA costs no more than NetFlow-based solutions. When investing in NTA, get the best.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties or merchantability or fitness for a particular purpose.
