What is NTA? Network Traffic Analysis is a type of security product that uses network communications to detect and investigate security threats and malicious or anomalous behaviors within the network. NTA uses a combination of behavioral modeling, machine learning, and rule-based detection to create a baseline reflecting what the organization’s normal network behavior looks like. It then continuously analyzes flow records and/or network telemetry, and alerts your security team to a potential threat when irregular activities or traffic patterns are detected in the network.
Other network security tools, like firewalls and IDS/IPS (intrusion detection system/intrusion prevention system) products, monitor vertical (north-south) traffic crossing the perimeter of your network environment. NTA solutions focus on all communications, as well as on operational technology and Internet of Things (IoT) networks that otherwise would not be seen by your security team. Advanced NTA tools can even be effective when the network traffic is encrypted.
NTA solutions are generally automated, and can analyze all of the devices or entities that make up your network, including switches, routers, and firewalls. Visibility extends to smart devices, roaming users, data centers, and branch offices. No matter where you are, you can get an idea of who is using your network, how they are accessing it and from where, and what they are doing.
Once an NTA solution ascertains what normal behavior looks like on your network, it can alert your security team to anomalous behavior, providing the extended visibility necessary for the security incident to be mitigated.
NTA can attribute a malicious behavior to a specific IP address and can also perform forensic analysis to figure out how the threat has moved and what other devices might be affected. This results in a faster response time and more expeditious prevention of spread and/or resolution of the issue.
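A toy flow-based baseline of the kind described above, added here as an illustration and not any vendor's product code: it learns which services each host talks to and its typical per-flow volume from constructed NetFlow-style records, then flags unseen hosts, new services and volume spikes. The 3-sigma rule and the 10,000-byte floor are assumed thresholds, and the IP addresses and byte counts are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes, proto).
# BASELINE_FLOWS is the learning window; NEW_FLOWS is later traffic to check.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, 12_000, "tcp"),
    ("10.0.0.5", "10.0.0.20", 445, 11_500, "tcp"),
    ("10.0.0.5", "10.0.0.20", 445, 12_400, "tcp"),
    ("10.0.0.5", "10.0.0.53", 53, 400, "udp"),
    ("10.0.0.5", "10.0.0.53", 53, 380, "udp"),
    ("10.0.0.7", "10.0.0.53", 53, 300, "udp"),
    ("10.0.0.7", "10.0.0.53", 53, 320, "udp"),
]
NEW_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 445, 12_100, "tcp"),        # within baseline
    ("10.0.0.5", "198.51.100.9", 443, 900_000, "tcp"),    # service never seen for this host
    ("10.0.0.7", "10.0.0.53", 53, 310, "udp"),            # within baseline
    ("10.0.0.7", "10.0.0.53", 53, 2_500_000, "udp"),      # known service, far above learned volume
    ("10.0.0.9", "10.0.0.53", 53, 300, "udp"),            # host absent from baseline
]

def build_baseline(flows):
    """Learn, per source host, the services it uses and the bytes-per-flow statistics."""
    services = defaultdict(set)    # src -> {(dst_port, proto)}
    volumes = defaultdict(list)    # (src, dst_port, proto) -> [bytes, ...]
    for src, _dst, dport, nbytes, proto in flows:
        services[src].add((dport, proto))
        volumes[(src, dport, proto)].append(nbytes)
    stats = {key: (mean(v), pstdev(v)) for key, v in volumes.items()}
    return {"services": dict(services), "stats": stats}

def detect(flows, baseline, z=3.0, min_delta=10_000):
    """Return (flow, reason) pairs for flows that deviate from the baseline."""
    alerts = []
    for flow in flows:
        src, _dst, dport, nbytes, proto = flow
        known = baseline["services"].get(src)
        if known is None:
            alerts.append((flow, "source host not in baseline"))
            continue
        if (dport, proto) not in known:
            alerts.append((flow, f"new service {proto}/{dport} for {src}"))
            continue
        mu, sigma = baseline["stats"][(src, dport, proto)]
        # z-score check with an absolute floor so tiny, low-variance baselines don't alert on noise
        threshold = mu + max(z * sigma, min_delta)
        if nbytes > threshold:
            alerts.append((flow, f"{nbytes} bytes exceeds baseline {threshold:.0f}"))
    return alerts

def run_demo():
    return detect(NEW_FLOWS, build_baseline(BASELINE_FLOWS))
```

A real NTA product does the same in principle, but with many more features per host (peers, time of day, protocol mix) and a much longer learning window than the handful of records shown here.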
Noticeably absent from the term “Network Traffic Analysis” is the word “response.” Network-based solutions should be able to not only investigate and detect threats, but also respond rapidly and effectively. There has been a recent shift in terminology to refer to NDR, or “network detection & response,” which uses NTA but then goes one step beyond, with automated threat response and threat-hunting, using intelligent integration with firewalls, NAC, SOAR, or EDR platforms.
Benefits of NTA include:
There are two basic kinds of NTA tools: flow-based tools and DPI (deep packet inspection) tools. Within these, there will be options for historical data storage, software agents, and intrusion detection systems.
Consider the following things when deciding what NTA solution is right for you:
1. Availability of flow-enabled devices. Not all devices are capable of generating the kind of flows required by NTA tools. In contrast, DPI tools accept raw traffic, which is vendor-independent and available on every network through any managed switch. Network routers and switches don’t require any special modules or support.
2. The data source. Packet data and flow data come from different sources, and not all NTA tools can collect both. Decide on your priorities before choosing a tool, and then be strategic in choosing what to monitor. Don’t take on too many sources too quickly.
3. Historical data vs. real-time. While historical data can be critical to analyzing past events, not all NTA tools retain this data over time. Have a clear idea of which kind of data is most important to you.
4. Is the software agent-based or agent-free?
5. Full packet capture, complexity, and cost. When looking at DPI tools, consider the cost and expertise required for those that capture and retain all packets versus one that extracts only the critical details and metadata.