What Is Network Traffic Analysis?

Your network is a rich data source. Network traffic analysis (NTA) solutions--also referred to as Network Detection and Response (NDR) or Network Analysis and Visibility (NAV)--use a combination of machine learning, behavioral modeling, and rule-based detection to spot anomalies or suspicious activities on the network. 

What does an NTA solution do?

NTA solutions continuously analyze network telemetry and/or flow records (like NetFlow). They use a combination of machine learning and behavioral analytics to generate a baseline that reflects what normal network behavior looks like for the organization. When abnormal traffic patterns or irregular network activities are detected, these tools alert your security team to the potential threat.

In addition to monitoring north-south traffic that crosses the enterprise perimeter, NTA solutions monitor east-west communications by analyzing network traffic or flow records.

Why do you need an NTA solution?

NTA solutions can analyze all the entities or devices that make up your network--whether they are managed or unmanaged. NTA solutions ingest telemetry from multiple network devices like routers, switches, and firewalls to determine what "normal" behavior for these devices looks like and how parts of your network are being accessed and by whom.

Everything touches the network, so this visibility extends all the way from headquarters to branch offices, data centers, roaming users, and smart devices. Whether you are on-premises, in the cloud, or some combination, NTA solutions can give you much needed visibility and context into what is happening on your network.

How does NTA improve your security?

Once an NTA solution determines what normal behavior on your network looks like, it can alert your organization when anomalous behavior occurs. By alerting your security team to suspicious activity early on--whether the threat is coming from outside or inside your network--NTA solutions can provide the extended visibility you need to mitigate the security incident.

Network traffic analysis can attribute the malicious behavior to a specific IP and also perform forensic analysis to determine how the threat has moved laterally within the organization--and allow you to see what other devices might be infected. This leads to faster response in order to prevent any business impact.

What to look for in an NTA solution

Unified visibility driven by context

Visibility helps your security team better understand the entities connected to the network. However, having greater visibility into your network is only part of the solution. NTA should also provide you with proper context, such as knowing which users are on your network, what devices they are interacting with, where they are accessing the network from, what kind of data they are sharing, etc. This level of context-driven visibility is critical for security teams when forming a risk management strategy and developing mitigation steps, like implementing network segmentation for zero trust.

As organizations transition to the cloud, NTA solutions should be able to monitor the entire digital enterprise--from the private network to multiple cloud environments. 

Advanced threat detection

An NTA solution should be able to immediately and with high accuracy detect advanced threats that might have bypassed the perimeter--or even originated within the business--using multiple analytical techniques like behavioral modeling and machine learning. It should also be infused with threat intelligence to correlate a local threat to a global campaign, so that security teams can respond effectively.

With the recent rise in encrypted traffic, and with over 70 percent of malware expected to be encrypted, an NTA solution should be able to analyze encrypted traffic for threats. This also helps ensure the cryptographic compliance that many organizations need to meet. NTA solutions can help detect threats such as command and control attacks, ransomware, DDoS attacks, illicit cryptomining, unknown malware, as well as insider threats.

Integrations for accelerated response

The combination of context-driven enterprise-wide visibility and advanced analytical techniques results in accelerated threat response. Every attack begins with some early signs of suspicious activity, such as unusual remote access, port scanning, use of restricted ports or protocols, etc.

Continuous network traffic analysis can pinpoint this behavior as well as identify where the threat originated, who the target is, and where the threat has spread laterally. This in turn allows security analysts to take more immediate remediation actions. NTA solutions should also be able to integrate with existing security controls so that you can extend investigation and response across the network, endpoints, cloud, and applications.