Protecting against perimeter breaches with Network Traffic Analysis (NTA).
How NTA can detect malicious activity and behavior that has already breached your perimeter defenses.
We recently discussed (in this series) how next-generation intrusion detection system (IDS) solutions offer visibility and security of the entire network, including the network edge and beyond. And we’ve also discussed why network traffic analysis (NTA) is a key component in next-generation IDS offerings.
Perimeter security devices and solutions typically provide a barrier between internal IT networks and public networks such as the internet. Smart firewalls, subnets, border routers, and endpoint technologies all work to protect the internal network from malicious intruders.
Legacy IDS solutions have historically only protected the internal network, without any integration with perimeter devices or endpoints beyond the network edge. Offerings of that kind are simply not practical in today's complex network architectures, which rely on public and private clouds, data centers and other remote infrastructure to function.
Next-generation IDS solutions, on the other hand, integrate easily with perimeter security, providing full visibility of the entire network, traffic, and behaviors. This comprehensive view is essential to protect against any illicit activity, and NTA is the key to enabling the necessary integrations.
How NTA protects against perimeter intrusions
Next-generation IDS offerings are designed to detect vulnerability exploits against a network, computer, or application. NTA is at the core of these solutions; it receives a copy of the traffic from network test access points (TAPs) and switched port analyzer (SPAN) ports and performs its threat analysis on that copy.
The analysis runs out of band, on a separate subnet, against the mirrored stream rather than inline. This ensures network performance isn't affected (the analysis adds no latency and cannot block production traffic) while still allowing massive amounts of data to be analyzed efficiently and cost-effectively. One practical caveat: a SPAN port can silently drop mirrored packets when the switch is oversubscribed, whereas a passive TAP forwards every packet on the link, so the choice of feed determines how complete the analyzed copy is.
The perimeter remains a weak point in the network defense system, however, and cybercriminals use a variety of ways to get through it and into internal networks, including phishing, stolen credentials and malware, with ransomware a common payload once they are in.
A phishing email can hand criminals valid credentials, and with them legitimate authorization to reach data. That data and the systems that hold it can then be encrypted and held hostage by ransomware, or damaged or rendered inaccessible by other malware.
Research from SafetyDetective indicates the global damage from ransomware attacks is expected to reach $20 billion by the end of 2021. The downtime, reputational damage, and data theft associated with a ransomware attack have the potential to devastate a business.
Sadly, these types of attacks may happen at any access point in today’s complex networks, including the cloud, data center or endpoints and devices connected to the internal network. Perimeter protection is simply not enough when attacks are coming from so many different points throughout the network.
A virtual, next-generation attack calls for next-generation IDS protection
One of the differentiators of NTA is that it analyzes both North-South traffic (traffic that crosses the perimeter, for example from an endpoint out to the cloud) and East-West traffic (traffic that stays inside the perimeter, for example from server to server). East-West traffic never passes a perimeter device, so inspecting it is what allows unwanted activity to be detected even after the perimeter has been breached.
NTA works by automatically analyzing all network traffic and applying intelligent data and machine learning to identify and mitigate illicit activity. Most importantly, as the core of a next-gen IDS solution, NTA focuses on how hosts and services behave on the network over time, not just on individual packets or sessions.
Behavior monitoring is absolutely essential to securing the entire network. Once the perimeter is breached, an intelligent holistic solution is key to pinpointing malicious attacks before they do real damage.
In addition to machine learning and behavior analysis, NTA supports matching traffic against indicators of compromise (IoCs) and retrospective analysis of retained traffic. That means an attack can be stopped at the network perimeter or, if the perimeter has already been breached, inside the network.
Retrospective analysis also means NTA can be used to investigate prior breaches and for threat hunting: an indicator that becomes known only after the fact can be run back over connection records and raw traffic data already captured. The same retained data can be used to confirm whether a suspected threat is real, as well as to detect and mitigate attacks.
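To make the North-South / East-West distinction and the behavior-plus-retrospective-analysis workflow above concrete, here is an added example in Python. It is not code from the original post and not Accedian's or Skylight's code. It assumes a Zeek-style tab-separated connection log (the records below are constructed sample data, not captured traffic), treats 10.0.0.0/8 and 192.168.0.0/16 as the organization's internal address space, and uses a hypothetical fan-out threshold of five internal hosts for the lateral-movement check.

```python
"""
Added example, not code from the original post or from Accedian/Skylight:
a minimal NTA pass over Zeek-style connection records showing North-South vs
East-West classification, a behavioral check for East-West lateral movement,
and retrospective IoC matching over retained data. All records are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: these ranges are the hypothetical organization's internal space.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Ports typically used for lateral movement: SMB, RDP, WinRM (HTTP/HTTPS), SSH.
LATERAL_PORTS = {445, 3389, 5985, 5986, 22}

# Constructed conn.log-style records: ts, src, dst, dport, proto (tab-separated).
SAMPLE_CONN_LOG = (
    "#fields\tts\tsrc\tdst\tdport\tproto\n"
    "1700000000.1\t10.1.5.23\t203.0.113.45\t443\ttcp\n"  # beachhead calls out (later an IoC)
    "1700000005.0\t10.1.5.40\t10.1.7.10\t445\ttcp\n"     # benign single file-share access
    "1700000012.4\t10.1.5.23\t10.1.7.10\t445\ttcp\n"     # beachhead sweeps internal hosts
    "1700000013.0\t10.1.5.23\t10.1.7.11\t445\ttcp\n"
    "1700000013.6\t10.1.5.23\t10.1.7.12\t445\ttcp\n"
    "1700000014.1\t10.1.5.23\t10.1.7.13\t3389\ttcp\n"
    "1700000014.9\t10.1.5.23\t10.1.7.14\t445\ttcp\n"
    "1700000020.0\t10.1.5.40\t198.51.100.7\t53\tudp\n"   # ordinary outbound DNS
)


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """North-South crosses the perimeter; East-West stays entirely inside it."""
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if src_in and dst_in:
        return "east-west"
    if src_in or dst_in:
        return "north-south"
    return "external"  # neither side is ours; unexpected on an internal TAP/SPAN


def parse_conn_log(text: str) -> list[Flow]:
    """Parse tab-separated records, skipping Zeek-style '#' header lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        flows.append(Flow(float(ts), src, dst, int(dport), proto))
    return flows


def lateral_movement_fanout(flows: list[Flow], threshold: int = 5) -> dict[str, set[str]]:
    """Behavioral check: an internal host opening lateral-movement ports to at
    least `threshold` distinct internal hosts (threshold is an assumed tuning)."""
    fanout: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if direction(f) == "east-west" and f.dport in LATERAL_PORTS:
            fanout[f.src].add(f.dst)
    return {src: dsts for src, dsts in fanout.items() if len(dsts) >= threshold}


def retrospective_ioc_match(flows: list[Flow], iocs: set[str]) -> list[Flow]:
    """Retrospective analysis: run newly received IP indicators over retained
    records, so a beachhead that called out before the IoC was known is found."""
    return sorted((f for f in flows if f.src in iocs or f.dst in iocs), key=lambda f: f.ts)


def analyze(conn_log: str, iocs: set[str]) -> dict:
    """Run the whole pass and return counts plus the behavioral and IoC findings."""
    flows = parse_conn_log(conn_log)
    by_dir: dict[str, int] = defaultdict(int)
    for f in flows:
        by_dir[direction(f)] += 1
    return {
        "flows": len(flows),
        "north_south": by_dir["north-south"],
        "east_west": by_dir["east-west"],
        "lateral_fanout": lateral_movement_fanout(flows),
        "ioc_hits": retrospective_ioc_match(flows, iocs),
    }


if __name__ == "__main__":
    # The IoC arrives after the traffic was captured; retained data still matches it.
    report = analyze(SAMPLE_CONN_LOG, iocs={"203.0.113.45"})
    print(f"{report['flows']} flows: {report['north_south']} north-south, "
          f"{report['east_west']} east-west")
    for src, dsts in report["lateral_fanout"].items():
        print(f"lateral movement suspected from {src} -> {sorted(dsts)}")
    for hit in report["ioc_hits"]:
        print(f"retrospective IoC hit at {hit.ts}: {hit.src} -> {hit.dst}:{hit.dport}")
```

Two points of the post show up in the output. The SMB/RDP sweep from 10.1.5.23 is entirely East-West and would never cross a firewall, so only behavioral analysis of internal traffic surfaces it; and the first outbound connection to 203.0.113.45 looked benign at capture time and is found only because the connection records were retained and re-queried once the indicator became known.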
Why a next-generation intrusion detection system should be part of the enterprise SecOps arsenal
Perimeter security is obviously an important part of any enterprise security strategy. But it’s simply not enough of a defense against today’s sophisticated cybercriminals.
Any organization working with the cloud, outside data centers, or external endpoints and devices should consider a next-generation IDS solution to complement its perimeter security.
Accedian’s Skylight powered Security solution is an excellent example of a next-generation IDS offering, providing holistic network and application monitoring across cloud environments and infrastructure. (You can see why our award-winning MSSP partner, UnderDefense, uses Accedian Skylight to build their next-generation managed security solutions).
Skylight powered Security is a subscription-based SaaS solution that is ideal for a variety of network topologies and may be easily deployed, customized and scaled.
Organizations in the market for a next-generation IDS solution would do well to consider these features when researching options. Most importantly, they should ensure the offering provides full NTA capabilities.
NTA may very well be the strongest tool in the arsenal for protecting against perimeter breaches and ensuring a malicious attack is detected and thwarted before it seriously damages your network, your data and the well-being of your business.
This blog post is part of a three-part series on the importance of next-generation IDS solutions for securing complex networks. Our first post discussed how next-gen IDS solutions can work effectively beyond the network edge. Our second post discussed how machine learning and intelligent data may be used to implement full network traffic analysis.
Author - Andrey Yesyev - Before joining Accedian as the Director of Cybersecurity Solutions, Andrey spent nearly 6 years at IBM as a security engineer and a threat analytics architect working on QRadar Incident Forensics and DNS Analytics projects. He was also a part of the IBM team that supports collaboration with Quad9, a secure public DNS service that was created as a collaboration between PCH, IBM, and the Global Cyber Alliance. With more than 10 years of experience in deep packet inspection and traffic analytics, Andrey placed 1st, 2nd, 3rd, and 2nd in the Network Forensic Puzzle Contest at DefCon 21, 22, 23 and 24, respectively.