When you hear about Network Traffic Analysis (NTA) for the first time, you probably think of classic network monitoring, but Network Traffic Analysis goes much further than that.
While classic IDS / IPS solutions in network monitoring focus on traffic crossing the network boundary, network traffic analysis means precise, real-time monitoring of all traffic inside your own network with a special focus on threat hunting, even when the monitored traffic is encrypted and you cannot inspect its content.
Both attackers and malware have to communicate via the network, which in turn means that even if you cannot detect the attackers or the malware themselves, you can still see their traffic.
Network Traffic Analysis: The network does not lie
Network analysis is essentially about intercepting and examining data packets in order to draw conclusions about the information they contain from the recurring patterns of communication.
The general rule is: the more data packets that have been intercepted or monitored, the more proper conclusions can be drawn about the content of a message flow.
Network Traffic Analysis in itself is not a new concept. At the latest with the advent of radio, the military has practised it: analyzing radio links by their patterns, for example how often transmissions occur, who is talking to whom, who initiated a connection and how long the links lasted, in order to draw conclusions about chains of command, troop movements, intentions, preparations, plans and identities.
Network traffic analysis is also closely related to cryptanalysis, and in modern applications of network traffic analysis, social network analysis (SNA) is also used.
Network Traffic Analysis: Welcome to the Jungle
Well-functioning network monitoring has always been a demanding task. With the arrival of smartphones, tablets, IoT, cloud computing, XaaS and the progressive networking of every available device, toasters and coffee machines included, maintaining effective network monitoring without blind spots is like the proverbial forest you cannot see for the trees.
With attackers constantly developing new procedures, adapting their old ones and using the services and programs that are regularly used within the company in order to move through the network as undetected as possible, classic monitoring approaches such as IDS / IPS and common endpoint protection solutions reach their limits when it comes to proactively detecting potentially problematic abnormal traffic or behavior.
Here is a short example:
For an IDS or IPS system, it is easy to write a rule that says: “If connections to the Tor network are attempted, do X.”
It looks different when you want to implement rules in a meaningful way, such as: “Alert if twice as much data flows from the file server in period X as the 2-week average.”
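To make the difference concrete, here is an added example (not code from the original post) of the second kind of rule: a stateful baseline check that aggregates per-day outbound bytes of a file server and raises an alert when a day exceeds twice the average of the preceding 14 days. The flow records, the file server address 10.0.0.5 and the workstation addresses are constructed sample data; the function names are my own.

```python
from collections import defaultdict
from datetime import date, timedelta

FILE_SERVER = "10.0.0.5"  # hypothetical file server address (constructed for this example)


def build_sample_flows():
    """Constructed per-flow summaries (day, src, dst, bytes); not real traffic.

    14 quiet days form the baseline; on day 15 one workstation suddenly
    pulls 2.5 GB out of the file server.
    """
    flows = []
    start = date(2024, 3, 1)
    for day in range(14):
        d = start + timedelta(days=day)
        # normal day: three workstations each pull roughly 300 MB from the file server
        for i, dst in enumerate(("10.0.1.10", "10.0.1.11", "10.0.1.12")):
            flows.append((d, FILE_SERVER, dst, 300_000_000 + i * 5_000_000))
        # unrelated traffic that must not count toward the file-server volume
        flows.append((d, "10.0.1.10", "203.0.113.7", 50_000_000))
    d = start + timedelta(days=14)
    flows.append((d, FILE_SERVER, "10.0.1.10", 2_500_000_000))
    flows.append((d, FILE_SERVER, "10.0.1.11", 305_000_000))
    return flows


def daily_egress(flows, host):
    """Sum of bytes sent by `host` per day (only flows where host is the source)."""
    totals = defaultdict(int)
    for d, src, _dst, nbytes in flows:
        if src == host:
            totals[d] += nbytes
    return dict(totals)


def excessive_egress_days(daily, baseline_days=14, factor=2.0):
    """Return (day, bytes, baseline_avg) for days exceeding factor * trailing average.

    A day is only evaluated when the full baseline window precedes it; an IDS
    signature cannot express this because the threshold depends on history.
    """
    alerts = []
    for d in sorted(daily):
        window_days = [d - timedelta(days=k) for k in range(1, baseline_days + 1)]
        if any(w not in daily for w in window_days):
            continue  # not enough history yet to compare against
        avg = sum(daily[w] for w in window_days) / baseline_days
        if avg > 0 and daily[d] > factor * avg:
            alerts.append((d, daily[d], avg))
    return alerts


if __name__ == "__main__":
    volumes = daily_egress(build_sample_flows(), FILE_SERVER)
    for day, sent, avg in excessive_egress_days(volumes):
        print(f"{day}: {sent / 1e9:.2f} GB sent, 2-week average {avg / 1e9:.2f} GB")
```

On the sample data the first 14 days are skipped because no full baseline exists yet, and only 2024-03-15 is reported (about 2.81 GB against a 0.92 GB average). Note that the rule is keyed on the file server as the source, so the workstation's own Internet traffic never inflates the baseline.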
Network Traffic Analysis as the eyes of the network
Tools and systems that implement network traffic analysis technically today (Network Detection and Response, or NDR for short) try to close this gap between time and knowledge.
By identifying the participants within the network communication, the relationships between them and the behavior that is typical for each of them, the detection of malicious intentions is to be automated as far as possible.
This, in turn, should enable IT security staff to implement threat detection rules tailored to the respective company, simplifying threat hunting for them and also feeding incident response workflows.
SIEM vs NDR: a new player has joined the SOC
Operating a Security Operations Center (SOC) is now synonymous with using a Security Information and Event Management (SIEM) product. It is the backbone of the SOC, and emerging NDR products will not change that. Rather, they will become the second essential pillar of the SOC in the coming years.
SIEM is based primarily on the logs that the monitored devices were configured to collect and forward. NDRs, which apply network traffic analysis with heavy use of machine learning, are independent of this. If SIEM represents the skeleton of a SOC, then NDRs become its muscles through Network Traffic Analysis.