It has never been more important for network and security managers to have deep insight into the traffic flowing through their networks.
Whether the driver is tighter regulatory demands, more targeted attacks or the latest stealth techniques used by malware authors, they must do two things at once: identify and block traditional attacks, and spot the malicious traffic and new attacks that fly below the radar of traditional firewalls, intrusion-detection and -prevention systems, and anti-malware technologies.
To stop malicious activity, the most widely deployed security technologies - anti-virus software, IDS/IPSes and firewalls - depend on lists of known patterns or static rule sets. These signature-based defences are essential components of any security arsenal, but organisations also need to identify the stealthy and sophisticated attacks such systems miss. Increasingly popular are network behaviour analysis (NBA) systems, which study and learn normal network flows so they can identify anomalous and potentially malicious traffic even when no signature or rule exists to block it.
Generally, NBA technologies build a baseline of normal activity for each host on the network during the initial weeks of deployment (and whenever a new host is added), either by capturing packets directly or, more commonly, by collecting flow records such as NetFlow or sFlow exported by existing routers and switches. The information collected from hosts and network gear includes such behavioural indicators as how many SYNs a device sends and receives, its normal rates of bits and packets per second, the total number of bytes sent during a 24-hour period, and the ports and services each host offers on the network. One caveat: whatever is on the network during the learning period, including an attacker who is already inside, becomes part of "normal", so the baseline should be reviewed before it is trusted.
From this baseline, the NBA system constructs profiles of dozens of attributes and acceptable behaviours for each host, and establishes tolerance levels around them. Whenever a device's activity breaches a tolerance level, the system alerts network and security managers. For instance, when a host receives 20,000 TCP SYNs in a five-minute period, or when a Web server that has only ever talked on port 80 suddenly opens an FTP session, managers will want to know about that abnormal activity.
Besides behavioural baselining, NBA systems use pattern matching to identify traffic that is behaving badly regardless of any baseline. The system does not need to learn that scanning activity from an unauthorised host is bad, for example, or that certain kinds of internal-to-Internet connections are. An NBA system can identify call-back channels from an internal host to a botnet controller because the regular, repeated connections to one outside address stand out against everything else the host does on the network.
Together, pattern matching and behavioural analysis identify anomalous traffic and alert administrators for further investigation. Over time the system becomes more accurate, because the baseline is continually updated with new history and the tolerance levels follow the network's normal drift. The flip side is that a slow, gradual change can be absorbed into the baseline as well, so sudden jumps in a host's profile deserve a second look rather than automatic acceptance.
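The following example shows how the two techniques described above fit together in working code. It is an added illustration, not Lancope's product code: it learns a per-host baseline (SYNs received per five-minute window and the ports each host uses as server or client) from constructed flow records, then scores a second batch of constructed records against that baseline plus two fixed pattern rules (a port scan and a periodic beacon). The flow tuple layout, the host addresses, the tolerance of mean plus three standard deviations with a floor, and the scan and beacon thresholds are all assumptions chosen for the demonstration.

```python
"""NBA-style baselining plus pattern rules over constructed flow records.

Added example, not the article's or any vendor's code. Every threshold below
is an assumption for illustration; real deployments tune them per network.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW = 300          # five-minute buckets, as in the article's SYN example
TOLERANCE_SIGMAS = 3  # assumed: alert above mean + 3 sigma of the learned counts
MIN_SYN_FLOOR = 1000  # assumed floor so a quiet host does not alert on a handful of SYNs
SCAN_PORTS = 20       # assumed: >20 distinct ports on one target in a window is a scan
BEACON_JITTER = 0.10  # assumed: gap stdev/mean below this means periodic call-backs


def is_internal(ip):
    return ip.startswith("10.")          # assumed internal range for the example


def bucket(ts):
    return ts - ts % WINDOW


def build_baseline(flows):
    """Learn each host's normal: SYNs received per window and ports used per role.

    flows: iterable of (timestamp_s, src_ip, dst_ip, dst_port, syn_count, bytes).
    """
    syns = defaultdict(lambda: defaultdict(int))   # host -> window -> SYNs received
    ports = defaultdict(set)                       # host -> {(role, port)}
    for ts, src, dst, dport, syn, _ in flows:
        syns[dst][bucket(ts)] += syn
        ports[dst].add(("server", dport))
        ports[src].add(("client", dport))
    baseline = {}
    for host in set(syns) | set(ports):
        counts = list(syns[host].values()) or [0]
        tol = mean(counts) + TOLERANCE_SIGMAS * pstdev(counts)
        baseline[host] = {"syn_tolerance": max(tol, MIN_SYN_FLOOR), "ports": ports[host]}
    return baseline


def detect(flows, baseline):
    """Score a batch of flows against the baseline and two fixed pattern rules."""
    alerts = set()
    syns = defaultdict(lambda: defaultdict(int))
    scan = defaultdict(set)          # (window, src, dst) -> distinct dst ports
    outbound = defaultdict(list)     # (src, dst) -> timestamps of internal->external flows
    for ts, src, dst, dport, syn, _ in flows:
        b = bucket(ts)
        syns[dst][b] += syn
        scan[(b, src, dst)].add(dport)
        if is_internal(src) and not is_internal(dst):
            outbound[(src, dst)].append(ts)
        # behavioural: a port this host's profile has never seen it use in that role
        for host, role in ((dst, "server"), (src, "client")):
            prof = baseline.get(host)          # hosts with no baseline yet are skipped
            if prof and (role, dport) not in prof["ports"]:
                alerts.add(("new_port", host, f"{role} port {dport}"))
    # behavioural: SYNs received in one window beyond the learned tolerance
    for host, windows in syns.items():
        if host in baseline:
            for b, n in windows.items():
                if n > baseline[host]["syn_tolerance"]:
                    alerts.add(("syn_flood", host, f"{n} SYNs in window {b}"))
    # pattern: one source touching many distinct ports on one target
    for (b, src, dst), dports in scan.items():
        if len(dports) > SCAN_PORTS:
            alerts.add(("scan", src, f"{len(dports)} ports on {dst}"))
    # pattern: evenly spaced connections from an internal host to one outside address
    for (src, dst), times in outbound.items():
        times.sort()
        gaps = [t1 - t0 for t0, t1 in zip(times, times[1:])]
        if len(gaps) >= 3 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < BEACON_JITTER:
            alerts.add(("beacon", src, f"every ~{mean(gaps):.0f}s to {dst}"))
    return sorted(alerts)


# Constructed learning data: twelve quiet windows of a web server and two clients.
LEARNING_FLOWS = []
for w in range(12):
    t = w * WINDOW
    LEARNING_FLOWS += [
        (t + 10, "10.0.0.20", "10.0.0.5", 80, 50, 400_000),
        (t + 20, "10.0.0.21", "10.0.0.5", 80, 40, 300_000),
        (t + 37 * (w % 3 + 1), "10.0.0.20", "203.0.113.9", 443, 2, 9_000),
        (t + 53 * (w % 2 + 1), "10.0.0.21", "203.0.113.9", 443, 1, 5_000),
    ]

# Constructed detection batch: normal traffic plus a SYN flood, the web server
# opening FTP, a port scan from an unknown host, and a 60-second beacon.
T = 100_000
DETECTION_FLOWS = [
    (T + 5, "10.0.0.20", "10.0.0.5", 80, 50, 400_000),              # normal
    (T + 5, "10.0.0.20", "203.0.113.9", 443, 1, 8_000),             # irregular browsing
    (T + 100, "10.0.0.20", "203.0.113.9", 443, 1, 8_000),
    (T + 107, "10.0.0.20", "203.0.113.9", 443, 1, 8_000),
    (T + 250, "10.0.0.20", "203.0.113.9", 443, 1, 8_000),
    (T + 10, "198.51.100.7", "10.0.0.5", 80, 20_000, 1_200_000),    # SYN flood
    (T + 30, "10.0.0.5", "10.0.0.30", 21, 1, 2_000),                # web server opens FTP
] + [(T + i, "10.0.0.99", "10.0.0.40", p, 1, 60) for i, p in enumerate(range(1, 26))] \
  + [(T + 60 * k, "10.0.0.21", "203.0.113.50", 443, 1, 1_500) for k in range(5)]


def run_example():
    return detect(DETECTION_FLOWS, build_baseline(LEARNING_FLOWS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Four alerts come out: the SYN flood and the new client port on 10.0.0.5 from the behavioural side, and the scan and the beacon from the pattern rules. The host that only browsed at irregular intervals raises nothing, and hosts the baseline has never seen (the scan target, the FTP server) are skipped rather than judged, which is exactly why the article says the learning phase has to be repeated whenever a host is added.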
Once a history of network data and traffic behaviour has been established, network administrators can use that repository to spot developing service interruptions and correct them before they affect overall network performance. The same intelligence lets administrators see the impact of an unexpected network event on any part of the network they monitor.
What's more, information about host integrity and network usage and performance can be tailored to each administrator's responsibilities. That reduces the time needed to separate security-related network events from performance- and architecture-related ones, which in turn speeds up capacity planning and resource management.
In addition, NBA technology provides a range of reports focused on the network's operation, such as its top talkers, interface use statistics and visual representations of historical network traffic.
NBA tools can also help consolidate the deployment of network security and performance-monitoring tools at remote offices. In a large, distributed environment where dozens or even hundreds of sites are connected through MPLS, the typical approach is either to deploy software agents to every host, which is expensive and nearly impossible to manage and maintain, or to deploy IDS/IPS sensors at each location, which is also costly. If IDS/IPS and related security applications are deployed at the core data centres and NBA technology covers the remote sites, typically by collecting flow records from the routers that are already there, there is little need for expensive appliances or software agents at the remote locations.
What makes NBA technologies so useful is their versatility: in addition to identifying stealthy and previously unseen attacks, they support network operations, troubleshooting and capacity planning. How you use NBA is limited only by your needs.
Adam Powers is the CTO of Lancope.