How to use network behaviour analysis tools

Network behaviour analysis (NBA) technology should help you detect and stop suspicious activity on corporate networks well before it becomes an issue for the organisation.


What's happening on the enterprise network (or, more to the point, what's occurring on the network that should not be) is a major concern of security executives. If someone is trying to hack in, or a virus or worm is spreading, or a denial-of-service attack is underway, there might be evidence of these types of activities before they become a major problem.

Network behaviour analysis (NBA) technology helps organisations detect and stop suspicious activity on corporate networks in a timely manner, possibly preventing, or at least limiting, serious damage from attacks. NBA is designed to give security managers the level of network visibility they need in order to make sure security threats are quickly identified and remedied.

The products analyze network traffic through data gathered from devices such as IP traffic flow systems, or via packet analysis. They use a combination of signature and anomaly detection to alert security and network managers of any activity that appears to be out of the norm, providing a view of the network that lets managers analyze activity and respond before there's damage to systems and data.

"A key benefit of NBA systems is the [network] visibility that they provide," says Lawrence Orans, research director at Gartner, who leads the firm's NBA coverage. Orans says this visibility helps in two areas: network operations (for example, troubleshooting and performance) and security (i.e. malware monitoring and detecting unwanted applications).

NBA can be used to detect behaviour that might be missed by other security technologies such as intrusion prevention systems (IPS), firewalls and security information and event management (SIEM) systems, according to Gartner. Those technologies might not identify threats that they are not specifically configured to look for. Gartner says NBA is suitable as a complementary technology to intrusion detection and prevention software, which is effective for addressing network attacks that can be positively identified.

Vendors addressing the network behaviour analysis market include many of the broader, established network and security companies as well as niche players that specialise in the technology. Those that focus specifically on NBA are Arbor Networks, Lancope, Mazu Networks and Q1 Labs. Companies including Cisco Systems, Internet Security Systems (part of IBM), NetFort Technologies, Sourcefire and Securify (to be acquired by Secure Computing) also offer products with some type of NBA capabilities.

Among the common functionality and features of behaviour analysis systems are the use of network flow data to identify suspicious behaviour on the network and where it's coming from; mitigation to stop malicious activity and fix network problems; and reports on all network configurations and user behaviour.

Orans says some NBA vendors are enhancing their products by adding identity capabilities. "Specifically, some vendors have added the ability to map a user [identification] to an IP address," he says. "This provides the benefit of quickly identifying a user who is responsible for anomalous or malicious traffic." So, instead of being notified that a particular IP address is exhibiting anomalous behaviour, a manager can know exactly which user in the organisation is conducting the anomalous behaviour.

"This is especially valuable for forensic analysis," Orans says. "If you are using an NBA system to analyse a breach that occurred in the past, maybe three months ago, then it is often difficult to map the IP address, which is assigned dynamically, to a user. It's difficult unless your NBA system can do it for you."
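To make the two ideas above concrete (baselining flow data per host to flag anomalous traffic, and resolving a dynamically assigned IP address back to the user who held it at that moment), here is a small Python sketch added for this article; it is not code from the article or from any vendor's product. The flow records and DHCP lease history are constructed, and the baseline rule (a host-hour more than three standard deviations above, and at least twice, the mean of that host's other hours) is an assumption chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (timestamp, src_ip, dst_port, bytes), standing in for
# exported IP flow data. Host 10.0.0.5 is quiet until a burst at 13:00.
FLOWS = [
    ("2008-06-01T09:10", "10.0.0.5", 443, 100_000),
    ("2008-06-01T10:05", "10.0.0.5", 443, 110_000),
    ("2008-06-01T11:20", "10.0.0.5", 80, 90_000),
    ("2008-06-01T12:15", "10.0.0.5", 443, 105_000),
    ("2008-06-01T13:02", "10.0.0.5", 445, 5_000_000),
    ("2008-06-01T09:30", "10.0.0.7", 443, 50_000),
    ("2008-06-01T10:30", "10.0.0.7", 443, 55_000),
    ("2008-06-01T11:30", "10.0.0.7", 443, 52_000),
]
# Constructed DHCP lease history (lease_start, ip, user): 10.0.0.5 changes hands at 12:30.
LEASES = [
    ("2008-06-01T08:00", "10.0.0.5", "alice"),
    ("2008-06-01T12:30", "10.0.0.5", "bob"),
    ("2008-06-01T08:30", "10.0.0.7", "carol"),
]

def user_at(ip, when, leases=LEASES):
    """User holding `ip` at ISO timestamp `when`: the latest lease starting on or before it."""
    holder = None
    for start, lease_ip, user in sorted(leases):
        if lease_ip == ip and start <= when:
            holder = user
    return holder

def hourly_bytes(flows):
    """Sum bytes per source host per hour bucket (timestamp truncated to the hour)."""
    per_host = defaultdict(lambda: defaultdict(int))
    for ts, src, _port, nbytes in flows:
        per_host[src][ts[:13]] += nbytes
    return per_host

def detect_anomalies(flows, leases=LEASES, factor=3.0, min_ratio=2.0):
    """Flag host-hours above mean + factor*stdev of the host's other hours that are also
    at least min_ratio times that mean (guards against tiny-variance baselines)."""
    alerts = []
    for src, hours in hourly_bytes(flows).items():
        if len(hours) < 3:
            continue  # too little history to build a baseline for this host
        for hour, total in hours.items():
            others = [v for h, v in hours.items() if h != hour]
            mu, sigma = mean(others), pstdev(others)
            if total > mu + factor * sigma and total >= min_ratio * mu:
                alerts.append({"src": src, "hour": hour, "bytes": total, "baseline": round(mu),
                               "user": user_at(src, hour + ":00", leases)})  # name, not just IP
    return alerts
```

Running `detect_anomalies(FLOWS)` yields one alert for 10.0.0.5 in the 13:00 hour, attributed to bob rather than alice because the lease changed at 12:30, which is exactly the mapping a plain IP-based alert would miss months later.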

Before deploying NBA, security managers need to figure out which system is a good fit for their network and how best to use the technology. Here are five tips on evaluating, purchasing and implementing NBA offerings.

1. Before putting in NBA, first deploy intrusion prevention technology.

"NBA systems are best for organisations that have already implemented IPS systems" and are looking for more visibility into their network and network traffic, Orans says. "NBA is not something that you do before IPS or instead of IPS. It is done afterward because it provides visibility."

After successfully deploying IPS and firewalls with appropriate processes for tuning, analysis and remediation, consider adding behaviour analysis to identify network events and behaviour that are undetectable using other techniques, Orans says. He notes that the size of an organisation does matter when it comes to NBA.

"NBA is for large enterprises, it's not for SMEs," Orans says. "The expertise and experience level needed to tune an NBA solution and interpret its results is beyond most SMB network and security professionals."

2. Conduct a thorough analysis prior to selecting a vendor's offering.

It might sound obvious, but NBA systems can cause more harm than good if they're not carefully selected based on the needs of the organisation, existing network components, level of in-house expertise, etc.

When evaluating NBA systems, make sure they meet the organisation's requirements for analysis and reporting, and can be integrated with existing networks. Also, consider how easy or difficult the system is to calibrate and use.
