Toolbox
How to Use Network Behavior Analysis Tools
Network behavior analysis tools can help tune operations as well as improve security. Here are five tips for getting the job done.
By Bob Violino
Orans says some NBA vendors are enhancing their products by adding identity capabilities. "Specifically, some vendors have added the ability to map a user [identification] to an IP address," he says. "This provides the benefit of quickly identifying a user who is responsible for anomalous or malicious traffic." So, instead of being notified that a particular IP address is exhibiting anomalous behavior, a manager can know exactly which user in the organization is conducting the anomalous behavior.
"This is especially valuable for forensic analysis," Orans says. "If you are using an NBA system to analyze a breach that occurred in the past—maybe three months ago—then it is often difficult to map the IP address, which is assigned dynamically, to a user. It's difficult unless your NBA system can do it for you."
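The mapping problem Orans describes, as an added illustration rather than code from any NBA product: a flow seen months ago must be joined to the lease that covered its source address at that instant, because a lookup against the address's current holder names the wrong person once the address has been reassigned. Lease and flow records are constructed sample data, and the assumption that the lease log carries an authenticated user name is mine.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Lease:
    ip: str
    user: str        # assumed: the DHCP/NAC log ties each lease to an authenticated user
    start: datetime  # lease granted
    end: datetime    # lease released or expired

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)

# Constructed lease history: 10.0.1.25 was held by alice, then reassigned to bob.
LEASES = [
    Lease("10.0.1.25", "alice", _t("2024-03-01T08:00"), _t("2024-03-01T18:00")),
    Lease("10.0.1.25", "bob",   _t("2024-03-01T18:30"), _t("2024-03-02T06:00")),
    Lease("10.0.1.40", "carol", _t("2024-03-01T00:00"), _t("2024-03-03T00:00")),
]

# Constructed flow records (timestamp, src, dst, bytes) the NBA system flagged.
FLOWS = [
    ("2024-03-01T10:15", "10.0.1.25", "203.0.113.9", 52_000_000),
    ("2024-03-01T18:10", "10.0.1.25", "203.0.113.9", 1_200),
    ("2024-03-01T20:45", "10.0.1.25", "198.51.100.7", 3_300_000),
]

def current_user(ip: str, leases=LEASES) -> Optional[str]:
    """Naive lookup: whoever holds the address now (its most recent lease)."""
    matches = [l for l in leases if l.ip == ip]
    return max(matches, key=lambda l: l.start).user if matches else None

def user_at(ip: str, when: str, leases=LEASES) -> Optional[str]:
    """Historical lookup: whoever held the address when the flow was observed."""
    ts = _t(when)
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.user
    return None  # no lease covers that instant (e.g. between release and re-issue)

def attribute_flows(flows=FLOWS, leases=LEASES):
    """Tag each flagged flow with the user responsible at observation time."""
    return [(ts, src, user_at(src, ts, leases)) for ts, src, _dst, _bytes in flows]

if __name__ == "__main__":
    for ts, src, user in attribute_flows():
        print(f"{ts} {src} -> {user or 'UNATTRIBUTED'} (naive: {current_user(src)})")
```

The first flow attributes to alice under the historical join but to bob under the naive lookup; the second falls in a gap between leases and stays unattributed rather than being guessed.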
Before deploying NBA, security managers need to figure out which system is a good fit for their network and how best to use the technology. Here are five tips on evaluating, purchasing and implementing NBA offerings.
1. Before putting in NBA, first deploy intrusion prevention technology.
"NBA systems are best for organizations that have already implemented IPS systems" and are looking for more visibility into their network and network traffic, Orans says. "NBA is not something that you do before IPS or instead of IPS. It is done afterward because it provides visibility."
After successfully deploying IPS and firewalls with appropriate processes for tuning, analysis and remediation, consider adding behavior analysis to identify network events and behavior that are undetectable using other techniques, Orans says. He notes that the size of an organization does matter when it comes to NBA.
"NBA is for large enterprises, it's not for SMBs," Orans says. "The expertise and experience level needed to tune an NBA solution and interpret its results is beyond most SMB network and security professionals."
2. Conduct a thorough analysis prior to selecting a vendor's offering.
It might sound obvious, but NBA systems can cause more harm than good if they're not carefully selected based on the needs of the organization, existing network components, level of in-house expertise, etc.
When evaluating NBA systems, make sure they meet the organization's requirements for analysis and reporting, and can be integrated with existing networks. Also, consider how easy or difficult the system is to calibrate and use.
"Think of all the devices you need to collect flows from," says John Kindervag, senior analyst, security and risk management, at Forrester Research in Cambridge, Mass. "Will they all support sending flows? Will enabling flows on the device negatively impact its performance?"