How to Use Network Behavior Analysis Tools

Network behavior analysis tools can help tune operations as well as improve security. Here are five tips for getting the job done.

By Bob Violino

Page 3

Depository Trust & Clearing Corporation (DTCC), a New York-based firm that provides clearing, settlement and information services for a variety of financial instruments, including equities, corporate and municipal bonds, and government and mortgage-backed securities, had its security department evaluate several NBA vendors and review market research on the technology before selecting a product from Mazu Networks, says Neil Wasserman, vice president, Core and Smart Network Services at DTCC.

"We installed a Mazu demo and ran it through a rigorous evaluation," Wasserman says. "The product met our requirements—and the rest is history."

3. Test before broad rollout.
Experts say it's important to test an NBA system thoroughly before moving ahead with a full-scale implementation, so that security managers can see what kind of reporting they will actually get on their own network's activity rather than on a lab's.

"The only way to properly evaluate the tools [is] to install them in your live production network," Kindervag says. "Any other evaluation methodology, lab, etc., will not provide true results."

AirTran Airways, Orlando, Fla., a low-fare airline designed for business travelers, had vendor Lancope conduct an onsite proof-of-concept trial of its StealthWatch product before the system was rolled out broadly, says Michelle Stewart, manager of information security at AirTran. The proof-of-concept "had no impact [on] our production environment and demonstrated the effectiveness of the reporting."

During the implementation, AirTran worked closely with a Lancope engineer and deployed the system according to Lancope best practices, Stewart says.

AirTran's security team uses StealthWatch for network monitoring, reporting and forensics. The network team uses the system to troubleshoot behavior-related network issues, Stewart says. Managers can examine granular data about network behavior by zone, node and user, and collect historical data to view trends.

4. Tune NBA systems to cut down on false positives.
Experts say it's important to take the time to tune NBA systems so that they gather relevant network data and produce fewer false positives.

If an organization fails to tune its NBA system adequately, it may have to contend with a flood of false-positive alerts that burdens the network and security managers who must examine each one.

"We did this tuning exercise immediately upon implementation, and it proved extremely valuable," Stewart says. "After segregating our network geographically and logically into zones, we examined the behavior within our high-risk zones for volume and type of traffic. In several cases, the port/protocol information we were given from our application vendors was found to be incomplete, but by using StealthWatch we were able to properly fingerprint the application behavior."
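The tuning loop Stewart describes (segment hosts into zones, baseline the volume and type of traffic inside a high-risk zone, compare it with the vendor's port/protocol profile, and fingerprint whatever the vendor list missed) can be reproduced on raw flow records. The script below is an added example written for this page; it is not StealthWatch or any Lancope code. The zones, addresses, flow records and the "vendor profile" are all constructed, and the three-flow learning threshold and 4x volume ceiling are arbitrary tuning knobs chosen to illustrate the point.

```python
"""Zone-based behavioral baseline over NetFlow-style records (added example).

Shows why an incomplete vendor port/protocol list produces false positives
and how fingerprinting the observed behavior of a high-risk zone trims the
allowlist so only genuine deviations remain. Everything here is constructed.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed zone map: geographic/logical segmentation by CIDR block.
ZONES = {
    "dc-payments": [ip_network("10.10.0.0/24")],   # high-risk zone
    "corp-users": [ip_network("10.20.0.0/16")],
}

# Constructed flow records: (src, dst, proto, dst_port, bytes).
# Learning window: the payments app talks on 443, its database on 5432 and
# its admin console on 8443; one SMB probe shows up exactly once.
BASELINE_FLOWS = [
    ("10.20.1.5", "10.10.0.10", "tcp", 443, 120000),
    ("10.20.1.6", "10.10.0.10", "tcp", 443, 98000),
    ("10.20.1.7", "10.10.0.10", "tcp", 443, 110000),
    ("10.10.0.10", "10.10.0.20", "tcp", 5432, 40000),
    ("10.10.0.10", "10.10.0.20", "tcp", 5432, 42000),
    ("10.10.0.10", "10.10.0.20", "tcp", 5432, 39000),
    ("10.20.2.9", "10.10.0.10", "tcp", 8443, 7000),
    ("10.20.2.9", "10.10.0.10", "tcp", 8443, 6500),
    ("10.20.2.9", "10.10.0.10", "tcp", 8443, 7100),
    ("10.20.3.3", "10.10.0.20", "tcp", 445, 900),
]
# Monitoring window: normal app traffic, the SMB probe again, and one
# oversized transfer on the "legitimate" HTTPS port.
MONITORING_FLOWS = [
    ("10.20.1.8", "10.10.0.10", "tcp", 443, 100000),
    ("10.10.0.10", "10.10.0.20", "tcp", 5432, 41000),
    ("10.20.2.9", "10.10.0.10", "tcp", 8443, 7200),
    ("10.20.3.3", "10.10.0.20", "tcp", 445, 1200),
    ("10.20.1.8", "10.10.0.10", "tcp", 443, 9000000),
]
# Constructed, deliberately incomplete vendor profile: only the port the
# application vendor documented.
VENDOR_PROFILE = {"dc-payments": {("tcp", 443)}}


def zone_of(ip):
    """Map an address to its zone, or 'unzoned' if no block matches."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unzoned"


def learn(flows, zone, min_flows=3, factor=4):
    """Fingerprint a zone: (proto, port) pairs seen at least min_flows times,
    plus a per-service byte ceiling of factor x the largest flow observed.
    The threshold keeps a one-off probe out of the baseline."""
    counts, peak = Counter(), defaultdict(int)
    for _src, dst, proto, port, nbytes in flows:
        if zone_of(dst) != zone:
            continue
        counts[(proto, port)] += 1
        peak[(proto, port)] = max(peak[(proto, port)], nbytes)
    services = {k for k, n in counts.items() if n >= min_flows}
    ceiling = {k: peak[k] * factor for k in services}
    return services, ceiling


def evaluate(flows, zone, allowed, ceiling):
    """Return (reason, flow) alerts for traffic into `zone`: a service that is
    not on the allowlist, or an allowed service exceeding its byte ceiling."""
    alerts = []
    for flow in flows:
        _src, dst, proto, port, nbytes = flow
        if zone_of(dst) != zone:
            continue
        key = (proto, port)
        if key not in allowed:
            alerts.append(("unexpected-service", flow))
        elif nbytes > ceiling.get(key, float("inf")):
            alerts.append(("volume", flow))
    return alerts


def compare_tuning(zone="dc-payments"):
    """Alert counts before and after merging the fingerprint into the profile."""
    services, ceiling = learn(BASELINE_FLOWS, zone)
    vendor_only = evaluate(MONITORING_FLOWS, zone, VENDOR_PROFILE[zone], ceiling)
    tuned = evaluate(MONITORING_FLOWS, zone, VENDOR_PROFILE[zone] | services, ceiling)
    return len(vendor_only), len(tuned)


if __name__ == "__main__":
    before, after = compare_tuning()
    print(f"alerts with vendor profile only: {before}, after fingerprinting: {after}")
```

The vendor-only profile fires on every database and admin-console flow, which is exactly the noise Stewart describes; after the learned services are merged in, what is left is the repeated SMB probe and the oversized HTTPS transfer, both worth an analyst's time. In practice the learning window would be days rather than ten records, and the thresholds would be set per zone.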
