Network Traffic Intelligence for Cyber Security Incident Response

Network Traffic Analysis (NTA) uses a combination of advanced analytics, machine learning, and rule-based detection to identify suspicious activities throughout the network. NTA tools analyze raw traffic such as packet data or flow data to build models that reflect normal network behavior. When NTA tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north-south traffic, most NTA solutions can also monitor east-west traffic, as well as cloud-native traffic. In the last year NTA has garnered a lot of attention and recently emerged as a category on Gartner’s “Hype-Cycle for IT Performance Analysis” where cPacket Networks was named as a key vendor.

NTA solutions assist security operations (SecOps) professionals in detecting targeted attacks that have not been seen before. Although helpful, these tools have little or no blocking ability because they are not deployed inline, but they are effective in shortening the incident response window and reducing the dwell time of malware. Many NTA solutions can also be deployed to detect suspicious activity in cloud environments. Additionally, network traffic intelligence is increasingly used to supplement the effectiveness of security tools, resulting in closer collaboration between SecOps and NetOps teams.
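The two paragraphs above describe what an NTA tool does in the abstract: learn what normal traffic looks like from flow or packet data, then alert on deviations, for both north-south and east-west traffic. The following is an added example, not cPacket code or any product's algorithm, that shows the minimal version of that loop over constructed flow records: a per-(source, destination, port) byte baseline built from a training window, a z-score check for volume anomalies against known peers, and a "never seen before" check that is applied only to east-west flows, since a new external destination is normal browsing but a new internal SMB peer is a classic lateral-movement signal. The internal address ranges, the threshold `k`, and all flow records are assumptions made for the example.

```python
"""Baseline-and-alert over flow records: a minimal illustration of the NTA loop.
All flows below are constructed sample data, not captured traffic."""
import ipaddress
import statistics
from collections import defaultdict

# Assumed enterprise address space (example only); anything else is "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow: dict) -> str:
    """east-west when both endpoints are inside the enterprise, else north-south."""
    if is_internal(flow["src"]) and is_internal(flow["dst"]):
        return "east-west"
    return "north-south"


# Constructed training window: one workstation talking to a web server and an
# internal file server with unremarkable byte counts.
BASELINE_FLOWS = [
    {"src": "10.0.1.5", "dst": "93.184.216.34", "dst_port": 443, "bytes": b}
    for b in (1200, 1500, 1100, 1400, 1300, 1250, 1350, 1450)
] + [
    {"src": "10.0.1.5", "dst": "10.0.2.20", "dst_port": 445, "bytes": b}
    for b in (800, 900, 850, 950)
]

# Constructed flows to score: one normal, one huge upload to a known site, one
# SMB session to an internal host never contacted before, one new external site.
NEW_FLOWS = [
    {"src": "10.0.1.5", "dst": "93.184.216.34", "dst_port": 443, "bytes": 1400},
    {"src": "10.0.1.5", "dst": "93.184.216.34", "dst_port": 443, "bytes": 250000},
    {"src": "10.0.1.5", "dst": "10.0.3.7", "dst_port": 445, "bytes": 600},
    {"src": "10.0.1.5", "dst": "151.101.1.69", "dst_port": 443, "bytes": 2000},
]


def build_baseline(flows):
    """Map (src, dst, dst_port) -> (mean bytes, population stdev) from training flows."""
    samples = defaultdict(list)
    for f in flows:
        samples[(f["src"], f["dst"], f["dst_port"])].append(f["bytes"])
    return {key: (statistics.fmean(v), statistics.pstdev(v)) for key, v in samples.items()}


def score_flows(flows, baseline, k: float = 3.0, min_stdev: float = 1.0):
    """Return a list of alerts; each alert names the rule that fired and the flow."""
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["dst_port"])
        if key not in baseline:
            # Unseen peers are only alarming inside the enterprise; a new
            # external destination is ordinary north-south browsing.
            if direction(f) == "east-west":
                alerts.append({"reason": "unseen-east-west-pair", "flow": f})
            continue
        mean, stdev = baseline[key]
        # Floor the stdev so a pair with identical training samples cannot
        # divide by zero and so tiny jitter does not produce huge z-scores.
        z = (f["bytes"] - mean) / max(stdev, min_stdev)
        if z > k:
            alerts.append({"reason": "volume-anomaly", "z": round(z, 1), "flow": f})
    return alerts


if __name__ == "__main__":
    for alert in score_flows(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert["reason"], direction(alert["flow"]), alert["flow"])
```

Running the block yields two alerts: a volume anomaly on the known north-south pair (the 250 kB upload sits far beyond three standard deviations of the roughly 1.3 kB baseline) and an unseen east-west SMB peer; the normal 1.4 kB flow and the new external site produce nothing. A production tool would key on many more features and use time windows rather than a single static baseline, but the separation of "known peer, abnormal volume" from "unknown internal peer" is the part worth carrying over.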

The Rise of Network Traffic Analysis & Digital Transformation

With the constantly changing technology landscape to help solve everyday problems comes the opportunity for vulnerabilities and new types of exploits and attacks on the network. Although digital transformation is a great thing and opens the door for new possibilities, it also attracts those who thrive on being malicious. Network attacks impact endpoints such as laptops and cell phones, data centers where precious data and business applications reside, and the enterprise network that connects everything.

While endpoints and the data center mostly hold static data, or data-at-rest, the enterprise network is the attackers' favorite spot to intrude, because data-in-motion can be intercepted there and because the network is the entry point to the data-at-rest world. With the growing number and variety of attacks, and the resources available to black hats, attacks are inevitable.

Most corporate networks still use security approaches from years past that cannot properly detect and mitigate network issues, and the loopholes in these legacy approaches favor attackers. Attackers are becoming smarter and more sophisticated and, with enough time, money, and persistence, they can overcome the strongest defense. It’s no longer a matter of if but when you will face a network attack.

The Blind Network and the Cost of Cybercrime

One of the reasons why vulnerabilities keep popping up despite so much spend on new security tools is that the fundamental layer that feeds the security tools is usually disorganized. What I mean by that is that the network traffic and data are scattered all over the place and have several “blind spots”. This results in data islands, tool sprawl, and a lack of correlation – that is, of connecting the dots. As the organization grows, the problem compounds.

Business risk due to increased traffic blindness is real. This blindness can result in downtime, whether due to performance or functionality issues or to security attacks.

Accenture recently came out with their “Ninth Annual Cost of Cybercrime Study” report stating that “the cost to companies due to malware increased 11 percent, to more than US $2.6 million per company, on average, and the cost due to malicious insiders — defined as employees, temporary staff, contractors and business partners — jumped 15 percent, to US $1.6 million per organization, on average.”

Establishing a Proactive Network Monitoring Practice

Too often companies read these stats and say “This can’t happen to me”, but it does and it’s expensive. Network downtime blocks connectivity to many business applications simultaneously, and the loss multiplies. For a company hit with a security attack, the cost can be astronomical when you add up investigation costs, legal costs, insurance costs, costs for network changes, upgrades and new tools, and the cost of lost business, valuation, and even reputation. Regardless of size, every company is prone to attack.

Unfortunately, when a business is attacked, there are some typical weaknesses on top of the vulnerabilities themselves that further delay containment and response to the incident. For example, the organization is initially in shock because they thought “this can never happen to me”. They lack the data required to run forensics because they never invested in visibility solutions or established a proactive network monitoring practice.

Network Visibility is Critical to Fixing the Root Cause

Starting with fixing the fundamentals, such as visibility into the network traffic, is crucial for building a stronger security posture. Before you keep investing more in security tools, evaluate if you have a strong network visibility foundation to support your security posture.

Scattered traffic leaves many escape routes and means there is no central processing and distribution of traffic to security tools, which may result in a loss of critical information. Add to that the lack of traffic capture and retention mechanisms, which may prevent you from going back and recreating a situation in order to investigate it, and the lack of tools and practices for forensic analysis to intercept and respond to an attack. Effective defense therefore requires network visibility that eliminates network blind spots.

With Network Traffic Analysis, the Network is No Longer Just NetOps’ Business

In the context of NTA, the network is no longer just NetOps’ business; rather, it is becoming a service to SecOps. NetOps is expected to deliver traffic-level intelligence to SecOps for behavioral analysis, along with network data recording, search, and analysis capabilities for deep forensics. There are at least four types of Network-as-a-Service, as illustrated below.

cPacket Networks provides the complete visibility stack covering all layers of the network visibility services regardless of the deployment type – physical, virtual, or cloud:

  • high-resolution packet-data acquisition using the cTAP series
  • real-time monitoring and packet data processing using the cVu series packet broker+
  • storing and analyzing packet data using the cStor series capture devices
  • correlating, alerting, and presenting the analytics in a single-pane-of-glass fashion using cClear series dashboards

To find out more about how cPacket can help increase your network visibility and the security posture, watch our on-demand webinar:
Network-as-a-Service for Security Delivery & Incident Response

3 Step Process for Effective Visibility Architecture Based on the NTA Framework

Now that we understand the network services and the visibility model, let’s map those into a simple 3 step process for building an effective visibility architecture based on the NTA framework.

Step 1 is to simplify, consolidate, and deliver the network traffic to the security tools so that no blind spots are left. This means bringing the network traffic to a central location by feeding it through an “intelligent monitoring fabric” such as the cPacket cVu series packet broker+. The cVu intelligent monitoring fabric stands out and beats any network packet broker out there in terms of feature advantage, performance advantage, and price advantage.

Under the hood, cVu has a distributed architecture that processes packets at the port level rather than at a central contention point like other packet brokers. This enables lossless data delivery to security tools even when you turn on more smart features. cVu has 2-in-1 capabilities, providing at the port level many value-added statistics that are generally provided by a separate tool. And its integration with the cPacket capture solution adds other network services that are usually not available from other packet broker vendors.

Step 2 is adding a network traffic capture solution such as the cPacket cStor series, hanging off the monitoring fabric or placed at multiple capture points in strategic locations along traffic paths. The cStor series adds the capability to capture and retain network data associated with security IOCs, for fast forensic search and analysis in case of an incident.

Step 3 is exporting the packet data in case of an incident, searching the indexed data in the fastest possible way using our proprietary technology, and making sense of it. For NTA, cPacket cStor is integrated and qualified for plug-and-play operation with leading security tools such as Awake Security, Blue Coat, Cisco, Corelight, Palo Alto Networks, and Vectra AI.
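Steps 2 and 3 turn on two ideas: retaining captured network metadata, and indexing it so that an IOC search at incident time is a lookup rather than a scan of every record. The following added example (not cPacket's indexing technology, whose internals this page does not describe) shows the shape of that workflow over constructed per-connection records: an inverted index from IP address and TLS SNI / HTTP host name to record identifiers, and an IOC search that returns, for each indicator, how many connections matched, which internal hosts were involved, and the first-seen / last-seen timestamps that bound the dwell time. Record fields, the IOC values, and the timestamps are all assumptions made for the example.

```python
"""Inverted index over retained connection metadata, plus an IOC search that
reports hit counts, involved hosts and the first/last-seen window (dwell time).
All records and indicators below are constructed sample data."""
import ipaddress
from collections import defaultdict

# Constructed connection records in time order, as a capture appliance or flow
# exporter might retain them: epoch seconds, endpoints, port, and the server
# name seen in the TLS ClientHello or HTTP Host header (None when absent).
RECORDS = [
    {"ts": 1700000000, "src": "10.0.1.5", "dst": "93.184.216.34", "dst_port": 443, "name": "example.com"},
    {"ts": 1700000060, "src": "10.0.1.5", "dst": "198.51.100.23", "dst_port": 443, "name": "evil-c2.example"},
    {"ts": 1700000120, "src": "10.0.2.20", "dst": "198.51.100.23", "dst_port": 8443, "name": None},
    {"ts": 1700003600, "src": "10.0.1.5", "dst": "203.0.113.9", "dst_port": 80, "name": "update.example"},
    {"ts": 1700007200, "src": "10.0.3.7", "dst": "198.51.100.23", "dst_port": 443, "name": "EVIL-C2.example"},
]


def build_index(records):
    """Return {'ip': {addr: [ids]}, 'name': {lowercased name: [ids]}}.

    Each record id is indexed under both endpoints, so an indicator matches
    whether it appears as source or destination. Names are normalised to
    lower case because DNS and SNI are case-insensitive."""
    ip_index = defaultdict(list)
    name_index = defaultdict(list)
    for rid, rec in enumerate(records):
        ip_index[rec["src"]].append(rid)
        ip_index[rec["dst"]].append(rid)
        if rec["name"]:
            name_index[rec["name"].lower()].append(rid)
    return {"ip": dict(ip_index), "name": dict(name_index)}


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def ioc_search(index, records, iocs):
    """For each indicator (IP or host name) summarise the matching records.

    Returns {ioc: {'count', 'hosts', 'first_seen', 'last_seen', 'dwell_seconds'}}.
    Unmatched indicators come back with count 0 so callers can tell "searched,
    nothing found" from "never searched"."""
    results = {}
    for ioc in iocs:
        bucket = index["ip"] if _is_ip(ioc) else index["name"]
        ids = sorted(set(bucket.get(ioc if _is_ip(ioc) else ioc.lower(), [])))
        if not ids:
            results[ioc] = {"count": 0, "hosts": set(), "first_seen": None,
                            "last_seen": None, "dwell_seconds": 0}
            continue
        hits = [records[i] for i in ids]
        first = min(r["ts"] for r in hits)
        last = max(r["ts"] for r in hits)
        results[ioc] = {
            "count": len(hits),
            # Source addresses are the enterprise-side hosts in this egress data.
            "hosts": {r["src"] for r in hits},
            "first_seen": first,
            "last_seen": last,
            "dwell_seconds": last - first,
        }
    return results


if __name__ == "__main__":
    idx = build_index(RECORDS)
    for ioc, summary in ioc_search(idx, RECORDS, ["198.51.100.23", "evil-c2.example"]).items():
        print(ioc, summary)
```

With the constructed data, the IP indicator matches three connections from three internal hosts over a window of 7200 seconds, and the host-name indicator matches two of them (including the mixed-case SNI), which is the information an incident responder needs to scope which machines to look at and how long the activity has been going on. Indexing by both endpoints and by server name is what keeps each lookup proportional to the number of hits rather than the size of the capture.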

It should be clear by now that visibility in this end-to-end hybrid environment requires innovative tools and techniques. cPacket provides you all the necessary components and capabilities across the hybrid environment for complete end-to-end visibility that feeds into SecOps and NetOps workflows.

Now that we have reviewed the key strategies and solution layers to address the challenges of building a “SecOps-Aware NetOps” infrastructure and a solid network visibility architecture, imagine if an attack takes place. You will be well prepared and ready. You have full network visibility in place so you can see everything. You are organized and you have solutions in place to capture any relevant information for deep forensics to intercept and respond. If you don’t want to be the person summoned by the CISO into the war room on a weekend – invest in network visibility!

Watch our on-demand webinar Network-as-a-Service for Security Delivery & Incident Response to learn how you can design a high-integrity data/traffic delivery framework and gain full network visibility.

About The Author

Nadeem Zahid
Vice President Product Management & Marketing

Nadeem has spent more than 23 years in the IT industry in various leadership roles with companies like Alcatel-Lucent, Cisco Systems, Brocade, Juniper Networks, Extreme Networks, LiveAction and tFinery. He is a prolific author with published books and articles on product management, networking and cloud.