When it comes to threat detection and response, understanding network behavior really matters. According to ESG research, 87% of organizations use network traffic analysis (NTA) tools for threat detection and response, and 43% say that NTA is a “first line of defense” for detecting and responding to threats.
As cybersecurity professionals often state, “the network doesn’t lie.” Since cyber-attacks use network communications for malware distribution, command-and-control, and data exfiltration, trained professionals should be able to spot malicious activity with the right tools, time, and oversight.
Okay, so NTA is an essential tool for security analytics and operations, but what are the most important NTA capabilities for SOC personnel? ESG asked 347 cybersecurity professionals this very question, and here’s what they told us:
- 44% said that NTA tools must have built-in analytics to help analysts improve and accelerate threat detection. These analytics can be built upon machine learning algorithms, heuristics, scripts, etc. The point here is that analysts want NTA tools to crunch the data and deliver high-fidelity alerts, not a cacophony of noise.
- 44% said that NTA tools must provide threat intelligence services and/or integration to enable comparisons between suspicious/malicious network behavior and known threats “in the wild.” Threat intelligence synthesis has become critical across all security tools, exemplified by growing interest in the MITRE ATT&CK framework (MAF). Thus, threat intelligence must be instrumented into NTA tools from the start.
- 38% said that NTA tools must have the ability to monitor IoT traffic, protocols, devices, etc. This is relatively new, but I believe that IoT support will be required for all NTA tools in the enterprise within the next 12 to 18 months.
- 37% said that NTA tools must have the ability to monitor all connected network nodes and issue alerts when new network nodes are connected. In other words, security professionals want NTA tools to assume this traditional NAC capability and issue alerts when non-sanctioned devices connect.
- 37% said that NTA tools must have documented and tested integration with other types of security technologies. In my experience, NTA tools should be tightly integrated with malware sandboxes, EDR, SIEM, and, as previously stated, timely and accurate threat intelligence.
- 37% said that NTA tools must offer the ability to monitor cloud traffic and report on threats and anomalies. At the recent re:Inforce 2019 conference, Amazon announced a new VPC traffic monitoring feature, providing visibility into cloud networking. This is exactly the type of continuous cloud network monitoring that users are asking for. NTA tools must be able to tap into cloud network monitoring capabilities like this across AWS, Azure, GCP, etc., to provide end-to-end network security visibility.
There are lots of great NTA tools out there, so how do you choose the one that aligns with enterprise requirements? My advice to CISOs is that they start their RFI/RFP process by making sure that NTA tools meet or exceed the top 6 capabilities described above.