Organizations want advanced analytics, threat intelligence integration, and IoT support, among other things, in network traffic analysis (NTA) tools.

When it comes to threat detection and response, understanding network behavior really matters. According to ESG research, 87% of organizations use network traffic analysis (NTA) tools for threat detection and response, and 43% say NTA is a “first line of defense” for detecting and responding to threats. (Note: I am an ESG employee.)

As cybersecurity professionals often state, “the network doesn’t lie.” Since cyber attacks use network communications for malware distribution, command and control, and data exfiltration, trained professionals should be able to spot malicious activity with the right tools, time, and oversight.

OK, so NTA is an essential tool for security analytics and operations. But what are the most important NTA capabilities for security operations center (SOC) personnel? ESG asked 347 cybersecurity professionals this very question, and here’s what they told us:

- 44% said NTA tools must have built-in analytics to help analysts improve and accelerate threat detection. These analytics can be built upon machine learning algorithms, heuristics, scripts, etc. The point here is that analysts want NTA tools to crunch the data and deliver high-fidelity alerts, not a cacophony of noise.
- 44% said NTA tools must provide threat intelligence services and/or integration to enable comparisons between suspicious/malicious network behavior and known threats “in the wild.” Threat intelligence synthesis has become critical across all security tools, as exemplified by growing interest in the MITRE ATT&CK framework (MAF). Thus, threat intelligence must be instrumented into NTA tools from the start.
- 38% said NTA tools must have the ability to monitor internet of things (IoT) traffic, protocols, devices, etc. This is relatively new, but I believe IoT support will be required for all NTA tools in the enterprise within the next 12 to 18 months.
- 37% said NTA tools must have the ability to monitor all connected network nodes and issue alerts when new network nodes are connected. In other words, security professionals want NTA tools to assume this traditional NAC capability and issue alerts when non-sanctioned devices connect.
- 37% said NTA tools must have documented and tested integration with other types of security technologies. In my experience, NTA tools should be tightly integrated with malware sandboxes, EDR, SIEM, and, as previously stated, timely and accurate threat intelligence.
- 37% said NTA tools must offer the ability to monitor cloud traffic and report on threats and anomalies. At Amazon’s recent re:Inforce conference, AWS announced VPC Traffic Mirroring, which copies VPC network traffic to monitoring tools and so provides visibility into cloud networking. This is exactly the type of continuous cloud network monitoring that users are asking for. NTA tools must be able to tap into cloud network monitoring capabilities like this across Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), etc. to provide end-to-end network security visibility.

There are lots of great NTA tools out there, so how do you choose the one that aligns with enterprise requirements? My advice to CISOs is that they start their RFI/RFP process by making sure that NTA tools meet or exceed the top six capabilities described above.
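To make three of the capabilities above concrete (built-in analytics that aggregate rather than spam, threat-intelligence matching, and alerting on nodes that are not in the sanctioned inventory), here is a small added example that runs detection logic over a handful of constructed flow records. It is not code from the article, from ESG, or from any NTA product; the flow-log format, the asset inventory, the indicator list, and the 50 MB egress threshold are all assumptions made for illustration, and the addresses use documentation ranges.

```python
"""Baseline-aware NTA triage over constructed flow records.

Added example (not from the original article or any vendor product). Shows:
  - new-node alerting: an internal source outside the sanctioned inventory,
  - threat-intel matching: destinations found in an indicator set,
  - aggregation: many flows to one indicator collapse into one alert,
  - a simple exfiltration heuristic on total egress bytes per host.
The log format, inventory, indicators and threshold are all assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch-ish timestamp (constructed)
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


# Constructed sanctioned asset inventory: the "known nodes" baseline.
SANCTIONED = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}

# Constructed threat-intel indicators (RFC 5737 documentation addresses).
TI_IPS = {"203.0.113.7", "198.51.100.42"}

# Assumed internal address space.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed flow log: ts src dst dport proto bytes
SAMPLE_LOG = """\
# ts src dst dport proto bytes
1000 10.0.1.10 10.0.2.20 445 tcp 2048
1001 10.0.1.10 203.0.113.7 443 tcp 512
1002 10.0.1.10 203.0.113.7 443 tcp 640
1003 10.0.1.10 203.0.113.7 443 tcp 700
1010 10.0.9.99 10.0.1.11 22 tcp 900
1011 10.0.9.99 198.51.100.42 8443 tcp 60000000
1020 10.0.2.20 192.0.2.15 443 tcp 4096
"""


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def parse_flows(lines):
    """Parse the constructed whitespace-separated flow format; skip comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), proto, int(nbytes)))
    return flows


def analyze(flows, sanctioned=SANCTIONED, ti_ips=TI_IPS, exfil_threshold=50_000_000):
    """Return a list of aggregated alert dicts, not one alert per flow."""
    alerts = []
    seen_new = set()
    ti_hits = defaultdict(list)   # (src, indicator) -> matching flows
    egress = defaultdict(int)     # internal src -> bytes sent externally
    for f in flows:
        # New-node detection: internal source not in the inventory, alert once.
        if is_internal(f.src) and f.src not in sanctioned and f.src not in seen_new:
            seen_new.add(f.src)
            alerts.append({"type": "new_node", "host": f.src, "first_seen": f.ts})
        # Threat-intel match: collect, then summarize per (host, indicator).
        if f.dst in ti_ips:
            ti_hits[(f.src, f.dst)].append(f)
        # Exfil heuristic input: bytes from internal hosts to external hosts.
        if is_internal(f.src) and not is_internal(f.dst):
            egress[f.src] += f.bytes_out
    for (src, dst), hits in ti_hits.items():
        alerts.append({"type": "ti_match", "host": src, "indicator": dst,
                       "flows": len(hits), "bytes": sum(h.bytes_out for h in hits)})
    for src, total in egress.items():
        if total >= exfil_threshold:
            alerts.append({"type": "egress_volume", "host": src, "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_flows(SAMPLE_LOG.splitlines())):
        print(alert)
```

On the constructed sample this yields four alerts: one new node (10.0.9.99), one threat-intel match per (host, indicator) pair even though 10.0.1.10 touched its indicator three times, and one egress-volume alert for the unsanctioned host. In a real deployment the inventory would come from the NAC or CMDB, the indicator set from the threat-intelligence feed the tool integrates with, and the threshold from a per-host baseline rather than a constant.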