• United States




The time for network behavior analytics has come

Jun 07, 20185 mins
AnalyticsNetwork SecuritySecurity

Once considered the eminent domain of networking teams, network telemetry data is becoming a requirement to provide security analytics with a more complete view of enterprise threats.

Abstract trend lines graphing change and transformation.
Credit: Thinkstock

In the days when organizations defended the network perimeter tooth and nail, they relied on a myriad of technologies, tools and procedures. Specialized skills were required to configure and manage this trifecta. Meanwhile, an equal measure of superhuman knowledge and skills was required to manage the health and performance of the network.

Advanced tool sets were created to monitor the intricate internal workings of networks. The data captured by these tools was often held very close to the vest by secretive brotherhoods of network managers. Making it nearly impossible for IT or security teams to get access to precious networking data feeds in order to analyze activity occurring across the enterprise computing environment.

Network data is security intelligence

Occasionally, as downstream recipients of data which exposed network infrastructure misconfigurations or problems, security teams were forced to engage in thorny conversations with their network peers, like this one: “Umm, we think your networking devices may not be configured properly.” Response: “How dare you?”

The advent of new analytical tool sets which can root out security risks by detecting anomalous activities through the use of artificial intelligence and machine learning requires the most complete collection of aggregated data available. Including data from networking tools and devices. For example, network flow content has evolved over the last few years, from providing basic hard-coded information elements to a more flexible model which has made newer NetFlow data far more meaningful and valuable for security monitoring purposes.

So while organizations have performed siloed network monitoring for years to understand and solve traditional challenges, such as “has network penetration occurred,” “can we optimize traffic flows,” etc., mounting security threats now demand that we step up to what is being called network behavior analytics.

Achieving greater visibility

With so much more activity taking place on enterprise networks than ever before thanks to the cloud, bring your own device (BYOD) and the internet of things (IoT), the attack surface has expanded exponentially. In fact, it has reached the point where traditional tools like firewalls, intrusion detection systems (IDS) and SIEMs are no longer capable of keeping pace with the increased level of vulnerabilities present in our networks.

Network behavior analytics, on the other hand, has the potential to provide the visibility into threats that are not detected by traditional networking tools and equipment. Unlike approaches designed to detect specific network or endpoint intrusions, network behavior analytics monitors network traffic flows to establish a baseline of normal activity, and then looks for anomalies.

As with any form of analytical modeling, a single behavioral shift is usually not sufficient to warrant an investigation, yet multiple behavioral anomalies should raise alarms. Network behavioral analytics looks to detect changes across multiple activity data sources and link these to other threat indicators. By modeling incoming data against unique behaviors, suspicious activity can be accurately detected, risk scored and alerted on to invoke further investigation or remediation actions.

Identifying the man-in-the-middle

Let’s consider a couple of use cases to illustrate the benefits of network behavior analytics.

Man-in-the-middle attacks, which involve compromising the secure communication between two parties, is a good one. A typical man-in-the-middle attack takes place when an adversary makes independent connections with each victim and then relays messages between them, making them believe they are communicating directly with each other.

One of the most popular and frequent forms of man-in-the-middle attacks involves unencrypted public wireless networks. In this scenario, an attacker within reception range injects her/himself between unwitting Wi-Fi users and the Wi-Fi service provider to send false information to one or both parties, distribute malware-ridden advertisements, etc.

With the massive number of wireless devices in use and the ubiquity of public Wi-Fi networks, it’s a recipe for disaster. Especially since many free Wi-Fi networks are fraught with security issues and should be used with extreme caution.

Network behavior analytics can be used to monitor network traffic patterns and root out the details related to the who/what/where/when of activity. This can be accomplished by creating risk profiles and machine learning models that can identify rogue DHCP, SSH or TLS traffic associated with man-in-the-middle attacks in near real-time.

Shedding light on user account threats

Another example is the use of network behavior analytics to detect credential misuse by a particular account that has successfully authenticated to a number of different nodes on a network. Traditional approaches for defending against this type of threat have focused on monitoring the network for failed and repeated login attempts by rogue user accounts – commonly known as brute force attacks.

A new approach, using network behavior analytics, is more fine-grained. First, a machine learning model is used to establish a baseline for the average number of hosts a user account authenticates to on a daily basis. When anomalies to this baseline are detected, a risk score is assigned to them based on several factors including number of excessive logins, whether it is a regular, privileged or domain administrator account, the business criticality of the hosts being accessed, and more.  This same model could be used to detect and alert on behavior typically associated with compromised accounts.

As with any analytics-driven system, the reliability of network behavior analytics is determined by the quality and completeness of data ingested from upstream sources. Without no perimeter to defend, security and networking teams need to pool their data sources to support the common goal of neutralizing attacks before any significant damage is done. This can be accomplished by using all the IT telemetry at their disposal.


Leslie K. Lambert, CISSP, CISM, CISA, CRISC, CIPP/US/G, former CISO for Juniper Networks and Sun Microsystems, has over 30 years of experience in information security, IT risk and compliance, security policies, standards and procedures, incident management, intrusion detection, security awareness and threat vulnerability assessments and mitigation. She received CSO Magazine’s 2010 Compass Award for security leadership and was named one of Computerworld’s Premier 100 IT Leaders in 2009. An Anita Borg Institute Ambassador since 2006, Leslie has mentored women across the world in technology. Leslie has also served on the board of the Bay Area CSO Council since 2005. Lambert holds an MBA in Finance and Marketing from Santa Clara University and an MA and BA in Experimental Psychology.

The opinions expressed in this blog are those of Leslie K. Lambert and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.