ABCs of UEBA: N is for NETWORK

When it comes to detecting and responding to cyber threats, the network is the first line of defense. Cyber criminals use network communications to establish command and control, distribute malware, exfiltrate data and more. That is why the network is one of the most important entities to monitor with User and Entity Behavior Analytics (UEBA). It is so important that many vendors, Gurucul included, have created a separate product to monitor network traffic; in Gurucul’s case, that product is Network Traffic Analysis. Whatever happens on the network leaves a trace on the network, and the evidence in network traffic logs is hard to dispute. As any network administrator will tell you, the network doesn’t lie. (An attacker can still hide a payload inside an encrypted session or forge a source address, which is why flow metadata and identity context matter as much as packet contents.) Network traffic patterns are invaluable in delivering the intelligence required to identify insider and external threats.

Detect Network Threats with Behavior Analytics

Behavior analytics provides machine learning driven insights powered by big data to root out network threats in real time. The network behaves differently when something criminal is happening: there are bursts of traffic, larger than normal payloads, unusual sender or receiver IP addresses and more. Different behavior, however, is not always an indication of criminal activity. Sometimes it’s just a software developer testing new code, or a marketing director uploading collateral to a cloud storage site. The key to determining whether unusual network behavior is criminal is behavior analytics. Behavior analytics uses entity models to create behavior baselines for every device and machine on the network from network flow data such as source and destination IPs/machines, protocol, bytes in/out, etc. It also leverages DHCP lease logs to map a dynamic IP address back to the machine, and through it the user, that held that address at the time of the flow. Pre-packaged machine learning models, pre-configured and tuned to run on high frequency network data streams, can then detect anomalies in real time and risk rank the resulting threats. This is the value of behavior analytics.

Traditional or legacy network analytics tools depend on rules and signatures, so they cannot detect threats for which no rule or signature yet exists. They do not link together data from disparate sources, so they cannot tie individual users or machines, MAC addresses, or IP addresses to anomalous activity. An advanced network traffic analysis product pulls all that information together and ties it back to a single source, one unified identity: a machine, an IP address, or any type of entity that you define. It should then create a single unified risk score linked to that identity to give a holistic view of risk.

You need to be able to define unique identities, link data to those identities and build rich context by ingesting logs, security alerts, vulnerability assessment reports, threat intelligence and access control data. A mature network traffic analysis product identifies unknown network threats using machine learning on network flows and packet data. It combines identity-based and network-based alerting to provide an end-to-end picture of incidents, so you know exactly what is happening on your network in real time. It should support multiple data sources and formats out of the box, including NetFlow, firewall, packet capture, IDS/IPS, DHCP and DNS logs, in formats such as CEF, CSV, TSV, syslog, JSON and XML. And, since the product uses data the NetOps team already collects, it should be relatively low overhead to deploy.

Get Answers to Critical Questions About Network Threats

Network Traffic Analysis answers critical questions about network threats. It builds a baseline of clean, normal network activity and then compares operational traffic against that baseline in real time, at line speed. Linking network traffic to users, however, is unique to Gurucul. We pull in the users’ access as well as their activity, along with the devices and network traffic associated with them, to see a holistic picture of risk for any user or machine on your network. This enables our platform to answer the following critical questions:

  • Which device triggered the incident?
  • What actions were performed?
  • How much data was transferred?
  • Who was using the device?
  • What else did the user access?
  • Is behavior normal relative to peers?
  • What is the risk score of the entity?

Choose A Comprehensive Solution

Key elements of a comprehensive enterprise network traffic analysis solution include:

  • Scalable Architecture: Built to ingest and analyze a high volume of transactional data, structured and unstructured, on the big data platform of your choice. This allows not only quicker searching but also faster analytics and longer data retention for e-discovery and forensics.
  • Data Ingestion and Linking: Maps to any data source, online or offline, internal or external, on-premises or in the cloud, to pull information into a data lake regardless of the format of the data. The more data sources and the more data ingested, the better: this broadens the view of activities and behaviors by putting them in context and improves the learning ability of the machine learning engine. Linkage is on the basis of an identity such as an IP address or a specific user. Every record is associated with a specific identity in order to build a baseline of behavior.
  • Data Analytics: Uses machine learning rather than rules, which allows the system to perform network traffic anomaly detection without having to anticipate and define the parameters of an attack in advance. Customers should be able to create their own models specific to their use cases.
  • Comparison to Peer Groups: Evaluates risk by comparing user or entity behavior to the behavior of the peer group, so that activity which is unusual for an individual but normal for the group is not over-scored, and vice versa.
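The baselining and linking described in this section (per-entity baselines built from flow fields such as source/destination and bytes out, DHCP lease logs keeping a dynamic IP tied to its machine and user, and comparison of the entity against its peer group), as an added worked example. This is not Gurucul's code: the flow records, DHCP leases, hostnames, users, peer-group assignments and score weights are constructed for illustration, and the z-score thresholds stand in for the machine learning models the text describes.

```python
"""Per-entity baselines from flow records, DHCP lease linking and peer-group
comparison.

Added example, not Gurucul code. Flow records, DHCP leases, hostnames, users,
peer groups and score weights are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed DHCP lease events: (lease_start, ip, mac, hostname, user).
# Timestamps are ISO-8601 strings, which order correctly as plain strings.
DHCP_LEASES = [
    ("2024-03-01T08:00:00", "10.0.1.20", "aa:bb:cc:00:00:01", "eng-laptop-01", "alice"),
    ("2024-03-01T08:05:00", "10.0.1.21", "aa:bb:cc:00:00:02", "eng-laptop-02", "bob"),
    ("2024-03-01T08:10:00", "10.0.2.30", "aa:bb:cc:00:00:03", "mkt-laptop-01", "carol"),
    # alice's laptop is handed a new address at 13:00; later flows from
    # 10.0.1.77 must still land on eng-laptop-01, not on a fresh "entity".
    ("2024-03-01T13:00:00", "10.0.1.77", "aa:bb:cc:00:00:01", "eng-laptop-01", "alice"),
]
# Assumed peer groups (in practice derived from HR or directory data).
PEER_GROUP = {"eng-laptop-01": "engineering", "eng-laptop-02": "engineering",
              "mkt-laptop-01": "marketing"}


def _flows(src, dst, sizes):
    """Build constructed NetFlow-style records: (ts, src, dst, proto, dport, bytes_out)."""
    return [("2024-03-01T09:%02d:00" % m, src, dst, "tcp", 443, b) for m, b in enumerate(sizes)]


TRAINING_FLOWS = (_flows("10.0.1.20", "142.250.0.1", (12000, 15000, 9000, 14000, 10000))
                  + _flows("10.0.1.21", "142.250.0.1", (11000, 13000, 12000, 10000, 14000))
                  + _flows("10.0.2.30", "52.1.1.1", (400000, 350000, 420000, 380000, 450000)))
TEST_FLOWS = [
    ("2024-03-01T14:00:00", "10.0.1.77", "142.250.0.1", "tcp", 443, 13000),   # alice, new IP, normal
    ("2024-03-01T14:05:00", "10.0.1.77", "203.0.113.9", "tcp", 443, 450000),  # alice, new dest, huge upload
    ("2024-03-01T14:10:00", "10.0.2.30", "52.1.1.1", "tcp", 443, 460000),     # carol, same size, normal for her
    ("2024-03-01T14:15:00", "10.0.9.9", "52.1.1.1", "tcp", 443, 500),         # no lease: unknown device
]


def resolve_entity(ip, ts):
    """Return (mac, hostname, user) holding `ip` at time `ts`, using the most
    recent lease that started at or before ts; None if no lease covers it.
    A production version would also honour lease release and expiry."""
    best = None
    for start, lease_ip, mac, host, user in DHCP_LEASES:
        if lease_ip == ip and start <= ts and (best is None or start > best[0]):
            best = (start, mac, host, user)
    return None if best is None else best[1:]


def zscore(value, samples):
    """Standard score of value against a sample; 0 when there is no spread."""
    if len(samples) < 2:
        return 0.0
    sd = pstdev(samples)
    return 0.0 if sd == 0 else (value - mean(samples)) / sd


def build_baselines(flows):
    """Per-host bytes-out samples and seen (dst, port) pairs, plus per-peer-group
    bytes-out samples, keyed by the identity the DHCP lease resolves to."""
    per_host = defaultdict(lambda: {"bytes": [], "dests": set()})
    per_group = defaultdict(list)
    for ts, src, dst, _proto, dport, nbytes in flows:
        ent = resolve_entity(src, ts)
        if ent is None:
            continue
        host = ent[1]
        per_host[host]["bytes"].append(nbytes)
        per_host[host]["dests"].add((dst, dport))
        per_group[PEER_GROUP[host]].append(nbytes)
    return per_host, per_group


def score_flow(flow, per_host, per_group, z_limit=3.0):
    """Risk-score one flow against the owning entity's own baseline and its peers'."""
    ts, src, dst, _proto, dport, nbytes = flow
    ent = resolve_entity(src, ts)
    if ent is None:
        return {"entity": None, "user": None, "score": 50,
                "reasons": ["source IP has no DHCP lease: unknown device"]}
    mac, host, user = ent
    base = per_host[host]
    score, reasons = 0, []
    z_self = zscore(nbytes, base["bytes"])
    if z_self > z_limit:
        score += 40
        reasons.append("bytes out %.1f sd above own baseline" % z_self)
    z_peer = zscore(nbytes, per_group[PEER_GROUP[host]])
    if z_peer > z_limit:
        score += 30
        reasons.append("bytes out %.1f sd above peer group %s" % (z_peer, PEER_GROUP[host]))
    if (dst, dport) not in base["dests"]:
        score += 20
        reasons.append("never-before-seen destination %s:%d" % (dst, dport))
    return {"entity": host, "mac": mac, "user": user, "score": min(score, 100), "reasons": reasons}


def score_all(training=TRAINING_FLOWS, flows=TEST_FLOWS):
    per_host, per_group = build_baselines(training)
    return [score_flow(f, per_host, per_group) for f in flows]


if __name__ == "__main__":
    for result in score_all():
        print(result)
```

The second and third test flows carry almost the same byte count, but the engineering laptop scores 90 (far above its own and its peers' baseline, to a destination never seen before) while the marketing laptop scores 0, because large uploads are normal for that machine and its peer group. The first flow shows why the DHCP linkage matters: after the 13:00 lease change the traffic from 10.0.1.77 is scored against eng-laptop-01's history rather than treated as a brand-new entity, and the last flow, from an address with no lease at all, surfaces as the "unknown device" case.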

Gurucul offers a comprehensive network traffic analysis solution. Our platform provides an enterprise management console for SOCs, analysts, and Incident Response personnel. We use both supervised and unsupervised machine learning techniques for anomaly detection and categorization of network threats. This approach lets you see results quickly and feeds critical tuning information back to the supervised models for an even higher level of efficacy, so your results get better over time. The platform supports complex network topologies, including Software-Defined Wide Area Networks (SD-WAN). We also let you deconstruct and examine application layer traffic such as DNS, email, web applications, and more. The built-in sandbox capability, on-premises or in vendor infrastructure, detonates and analyzes suspicious code. And we integrate with cyber threat intelligence feeds using industry standards such as STIX/TAXII, or through out-of-the-box integrations with commercial threat intelligence feeds.

Additional features include the ability to analyze raw network packets in real time or near real time. This allows our customers to monitor and analyze north/south traffic (as it crosses the perimeter) as well as east/west traffic (as it moves laterally through the network). With machine learning, we baseline normal traffic from devices and IP addresses, which gives us the ability to highlight anomalous and risky traffic behavior patterns. This allows you to dig in and detect network threats as they are happening, as well as replay them after the fact for forensics.

Address Key Network Traffic Analysis Use Cases

Your network traffic analysis product should address the following key network traffic analysis use cases:

  1. Spot Unknown Malware, Zero-days and Rogue Behavior by Insiders. By combining behavior baselines with known patterns of bad behavior, the product can detect aberrations from either and stop them in their tracks.
  2. Detect Unusual Lateral Movement and Command & Control (C2) Communication. Look for trends in outbound communications and in east/west movement that are characteristic of malware and ransomware.
  3. Uncover APT/Stealth Attacks Dormant Between Attack Stages. Find hidden patterns in network traffic to unusual geographic locations, based on time, frequency and all of the enrichment data available.

Additional general use cases for detecting network attacks include:

  • Unusual DNS queries
  • High or low volume port scanning
  • DNS tunneling and zone transfers
  • Low volume intermittent command & control type traffic
  • Unusual HTTP headers
  • Unknown IoT devices
  • Unusual RDP traffic and remote file execution
  • Network proxy bypass attempts
  • Traffic to and from unusual geographic locations

Detect DNS Tunneling Network Threats

Let’s go into detail on a couple of these use cases to detect network threats. First up is DNS tunneling. This is essentially DNS “packet stuffing”: an internal host and a malicious external host (typically an authoritative name server the attacker controls) exchange data encoded inside DNS queries and responses. The tactic hides encoded data in plain sight inside DNS, one of the noisiest protocols on the network. DNS names carry only a limited character set (letters, digits and hyphens, in labels of at most 63 characters), so a tunnel encodes binary data into long hostname labels on the way out and into record data on the way back. Because DNS is generally unencrypted on the wire, this camouflage is comparatively easy to uncover by inspecting the packets themselves; if an endpoint uses DNS over HTTPS or TLS to an external resolver, only an encrypted session is visible and you must fall back on flow and endpoint telemetry. DNS tunneling is used to exfiltrate data that is small in size (passwords, keys, etc.) and for C2 communications, and it leverages different DNS record types: A, TXT, etc.

Let’s compare standard DNS Tunneling detection mechanisms with Gurucul’s detection capabilities to understand Gurucul’s unique value add:

  • Standard: Traffic to external DNS servers. Gurucul: Traffic to unusual or previously unseen DNS servers.
  • Standard: Outbound DNS request rate. Gurucul: Surge in outbound DNS queries, scored as a volume comparison against the entity’s own baseline.
  • Standard: DNS request length. Gurucul: Comprehensive DNS packet inspection, not restricted to request length. We look at everything that lives in the DNS packet: TTL, authoritative records, name servers, responses, etc.
Context is key. Gurucul links multiple log sources and traces an endpoint from its inbound VPN connection, through its MAC address and DHCP lease, to the dynamic IP address it was most recently assigned, so that DNS anomalies are attributed to the machine and user rather than to a transient address.
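
A worked detector for the DNS tunneling indicators listed above (unsanctioned resolvers, query volume, and inspection of more than the request length), plus the zone-transfer item from the use case list, as an added example. This is not Gurucul's product logic: the log format, the sanctioned resolver list, the client addresses, domain names, thresholds and score weights are constructed assumptions, and the encoded chunks are rotations of the base32 alphabet so that each label has the entropy of real encoded payload.

```python
"""DNS tunneling and rogue zone-transfer detection over DNS query logs.

Added example, not Gurucul code. The log lines, sanctioned resolver list,
thresholds and score weights are constructed for illustration. Assumed log
format, one query per line:
    <timestamp> <client_ip> <resolver_ip> <qtype> <qname>
"""
import math
from collections import defaultdict

KNOWN_RESOLVERS = {"10.0.0.53"}   # assumed: the only sanctioned resolver
BASE32 = "abcdefghijklmnopqrstuvwxyz234567"


def _chunk(shift):
    """Stand-in for an encoded data chunk: a rotation of the base32 alphabet,
    so each label has the 5 bits/char entropy of real base32 payload."""
    return BASE32[shift:] + BASE32[:shift]


CONSTRUCTED_LOG = [
    "2024-03-01T10:00:01 10.0.1.20 10.0.0.53 A www.example.com",
    "2024-03-01T10:00:05 10.0.1.20 10.0.0.53 A mail.example.com",
    "2024-03-01T10:00:09 10.0.1.20 10.0.0.53 A www.example.com",
    "2024-03-01T10:00:14 10.0.1.20 10.0.0.53 A cdn.example.net",
    "2024-03-01T10:00:20 10.0.1.20 10.0.0.53 A www.example.com",
    "2024-03-01T10:00:21 10.0.1.21 10.0.0.53 A www.example.com",
    "2024-03-01T10:01:30 10.0.1.30 10.0.0.53 AXFR example.com",
] + [
    # 10.0.1.21 pushes six encoded chunks out as TXT lookups under a domain the
    # attacker controls; one of them goes straight to an external resolver.
    "2024-03-01T10:02:%02d 10.0.1.21 %s TXT %s.t.evil-example.org"
    % (i, "198.51.100.7" if i == 5 else "10.0.0.53", _chunk(i * 5))
    for i in range(6)
]


def parse_line(line):
    ts, client, resolver, qtype, qname = line.split()
    return {"ts": ts, "client": client, "resolver": resolver,
            "qtype": qtype.upper(), "qname": qname.lower().rstrip(".")}


def split_name(qname):
    """(subdomain, registered_domain). Takes the last two labels as the
    registered domain; a real deployment should use the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def entropy(s):
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def score_group(records):
    """Score the queries one client sent for one registered domain."""
    n = len(records)
    subs = [split_name(r["qname"])[0] for r in records]
    mean_entropy = sum(entropy(s) for s in subs) / n
    mean_sub_len = sum(len(s) for s in subs) / n
    mean_qname_len = sum(len(r["qname"]) for r in records) / n
    unique_ratio = len(set(subs)) / n
    txt_ratio = sum(r["qtype"] == "TXT" for r in records) / n
    external = {r["resolver"] for r in records} - KNOWN_RESOLVERS
    score, reasons = 0, []
    if mean_entropy > 3.5 and mean_sub_len > 25:
        score += 30
        reasons.append("long high-entropy subdomains (H=%.2f, len=%.0f)" % (mean_entropy, mean_sub_len))
    if n >= 5 and unique_ratio > 0.9:
        score += 20
        reasons.append("%d queries, almost every subdomain unique (defeats caching)" % n)
    if txt_ratio > 0.5:
        score += 20
        reasons.append("TXT-heavy query mix (%.0f%%)" % (100 * txt_ratio))
    if external:
        score += 20
        reasons.append("queries sent to unsanctioned resolver(s) %s" % sorted(external))
    if mean_qname_len > 45:
        score += 10
        reasons.append("mean query name length %.0f" % mean_qname_len)
    if any(r["qtype"] == "AXFR" for r in records):
        score += 40
        reasons.append("zone transfer (AXFR) requested by a client that is not a secondary")
    return min(score, 100), reasons


def analyze(lines):
    """Group queries by (client, registered domain) and score each group."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        groups[(rec["client"], split_name(rec["qname"])[1])].append(rec)
    return {key: score_group(recs) for key, recs in groups.items()}


if __name__ == "__main__":
    for (client, domain), (score, reasons) in sorted(analyze(CONSTRUCTED_LOG).items()):
        print(client, domain, score, reasons)
```

Grouping by client and registered domain rather than by raw query name is what makes the tunnel stand out: the six TXT lookups under evil-example.org share a parent, never repeat a label (so no resolver cache ever helps), and one of them bypasses the internal resolver, while the same client's ordinary lookup of www.example.com scores zero. The AXFR line scores on record type alone, which is the "zone transfers" item in the use case list.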


Detect Network Traffic To/From Unusual Geo Locations

The next use case we’ll look at is network traffic to/from unusual geographic locations. This use case detects anomalies in VPN data, authentication data, and flow data. Gurucul network traffic analysis comes with the ability to enrich IP addresses with geographic data: we provide ISP information, latitude, longitude, city, country and the other attributes known for a particular IP address. Geographically anomalous network traffic scenarios include:

  • Account sharing – security policy violations
  • Account takeover – login through compromised credentials
  • VPN usage – circumvention of network controls

Gurucul network traffic analysis extracts context from any log family containing IP address fields. Let’s compare standard geographically anomalous network traffic detection mechanisms with Gurucul’s detection capabilities to understand Gurucul’s unique value add:

  • Standard: Data is usually enriched at the source. Gurucul: All enrichment is done within the application.
  • Standard: No user context. Gurucul: User and device context.
  • Standard: No lifecycle tracking. Gurucul: Dynamic entity lifecycle tracking from the time the entity (for example, a DHCP address assignment) is created until the lease is released.
Gurucul also chains multiple scenarios so you don’t get siloed alerts. What you get is cohesive chained data that stitches different resources or applications together.
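
The chained geographic scenarios from this section (a login from a country outside the user's baseline, impossible travel between consecutive logins, concurrent sessions from two countries as the account-sharing signal, and a login from a commercial VPN provider as the "VPN usage" signal), as an added worked example. This is not Gurucul's implementation: the GeoIP/ISP lookup table, the VPN-provider list, the users, the login events and the scenario weights are all constructed assumptions; a real deployment enriches from a GeoIP database and a VPN/proxy list rather than a dict.

```python
"""Geographically anomalous login detection with chained scenarios.

Added example, not Gurucul code. The geo/ISP lookup table, VPN-provider
list, users, login events and scenario weights are constructed.
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed enrichment table: ip -> (country, city, lat, lon, isp).
GEO = {
    "198.51.100.10": ("US", "New York", 40.71, -74.01, "ExampleISP-US"),
    "203.0.113.20": ("DE", "Frankfurt", 50.11, 8.68, "ExampleISP-DE"),
    "192.0.2.30": ("BR", "Sao Paulo", -23.55, -46.63, "ExampleISP-BR"),
    "192.0.2.40": ("NL", "Amsterdam", 52.37, 4.90, "ExampleVPN"),
    "192.0.2.41": ("NL", "Amsterdam", 52.37, 4.90, "ExampleISP-NL"),
}
ANONYMIZER_ISPS = {"ExampleVPN"}   # assumed list of commercial VPN providers
MAX_PLAUSIBLE_KMH = 900.0          # faster than any commercial flight
WEIGHTS = {"new_country": 30, "impossible_travel": 40,
           "concurrent_countries": 30, "anonymizer": 25}

# Constructed baseline logins used to learn each user's usual countries: (ts, user, ip).
BASELINE = [
    ("2024-02-20T09:00:00", "alice", "198.51.100.10"),
    ("2024-02-21T09:05:00", "alice", "198.51.100.10"),
    ("2024-02-20T08:30:00", "bob", "203.0.113.20"),
    ("2024-02-21T08:40:00", "bob", "203.0.113.20"),
    ("2024-02-20T08:00:00", "carol", "192.0.2.41"),
]
# Constructed VPN/authentication events to score: (ts, user, ip, action).
EVENTS = [
    ("2024-03-01T09:00:00", "alice", "198.51.100.10", "login"),
    ("2024-03-01T09:30:00", "alice", "192.0.2.30", "login"),   # alice still logged in from the US
    ("2024-03-01T10:00:00", "bob", "203.0.113.20", "login"),
    ("2024-03-01T12:00:00", "bob", "203.0.113.20", "logout"),
    ("2024-03-01T13:00:00", "bob", "203.0.113.20", "login"),
    ("2024-03-01T09:15:00", "carol", "192.0.2.40", "login"),   # home country, but via a VPN provider
]


def enrich(ip):
    """Geo/ISP enrichment done inside the application rather than at the source."""
    country, city, lat, lon, isp = GEO[ip]
    return {"ip": ip, "country": country, "city": city, "lat": lat, "lon": lon, "isp": isp}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def build_baseline(rows):
    """user -> set of countries seen during the learning period."""
    countries = defaultdict(set)
    for _ts, user, ip in rows:
        countries[user].add(enrich(ip)["country"])
    return countries


def detect(events, baseline):
    """Run every scenario per login and chain the hits into one score per user."""
    last_login = {}              # user -> (datetime, geo) of the previous login
    active = defaultdict(dict)   # user -> {ip: geo} for sessions not yet logged out
    hits = defaultdict(list)
    for ts, user, ip, action in sorted(events):
        when, geo = datetime.fromisoformat(ts), enrich(ip)
        if action == "logout":
            active[user].pop(ip, None)
            continue
        if geo["country"] not in baseline.get(user, set()):
            hits[user].append(("new_country", geo["country"]))
        if geo["isp"] in ANONYMIZER_ISPS:
            hits[user].append(("anonymizer", geo["isp"]))
        if user in last_login:
            prev_when, prev_geo = last_login[user]
            hours = (when - prev_when).total_seconds() / 3600
            km = haversine_km(prev_geo["lat"], prev_geo["lon"], geo["lat"], geo["lon"])
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                hits[user].append(("impossible_travel", "%.0f km in %.1f h" % (km, hours)))
        other = {g["country"] for g in active[user].values()} - {geo["country"]}
        if other:   # a live session elsewhere: account sharing or takeover
            hits[user].append(("concurrent_countries", sorted(other)))
        active[user][ip] = geo
        last_login[user] = (when, geo)
    users = set(baseline) | {e[1] for e in events}
    return {u: {"score": min(100, sum(WEIGHTS[h[0]] for h in hits[u])), "hits": hits[u]}
            for u in sorted(users)}


if __name__ == "__main__":
    for user, result in detect(EVENTS, build_baseline(BASELINE)).items():
        print(user, result)
```

alice's second login trips three scenarios at once (a country outside her baseline, roughly 7,700 km covered in half an hour, and a session still open in the US), and the chained result is one high-scoring finding rather than three unrelated alerts. bob's German logins, separated by a logout, trip nothing, and carol's login from her usual country scores only on the VPN provider, which is the policy-circumvention case rather than a takeover.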


Learn More

When it comes to detecting network threats, you must have the right network tools and techniques in place. With a UEBA solution, cybersecurity professionals can spot malicious network activity before hackers can gain a foothold. The best practice is to combine network behavior with user and entity behavior to deliver rich context for network traffic analysis. Gurucul defines unique identities – users and/or entities – and links all data elements to those identities.

For more information, read our whitepaper, “Network Traffic Analysis is the Next-Generation Defense Against Modern Threats.”

You can also view our webinar on demand, “Detecting Malicious Traffic on Your Network.”
