NETWORK TRAFFIC CHALLENGE
As organizations evolve their infrastructure based on digital transformation efforts, networks are increasingly becoming more complex and operating in hybrid multi-cloud environments. This has led to a larger threat landscape with more security gaps. Threat actors can more easily perform reconnaissance, lateral movement, communicate with external systems, and deliver malicious payloads or exfiltrate data. Log data, endpoint solutions, and other telemetry are not suited to exposing these kinds of attack patterns or abnormal activity that are part of an overall active attack campaign.
CAPABILITIES OF GURUCUL’S NETWORK TRAFFIC ANALYSIS SOLUTION
Gurucul Network Traffic Analysis (NTA) solution provides security teams with deeper insight into traffic traversing their network to empower them with actionable, real-time decisions to identify, contain and resolve incidents. NTA tools provide much more situational awareness than relying on log data, endpoint telemetry and other sources. Combining these with other datasets better provides the full scope of the attack campaign.
- Analyze raw network packet traffic in real-time such as NetFlow, and other specific network protocols of interest to an organization
- Monitor and analyze north-south and east-west network traffic for both external and internal threats
- Detect attacks using a combination of tools – machine learning, behavior analysis, indicators of compromise, and retrospective analysis
- Model normal network traffic and highlights anomalous traffic
- Identify C2 communications
- Record and analyze raw traffic data for detecting and isolating attacks, during advanced threat hunting scenarios, and forensic investigations post-attack
- Support complex network topologies, including SD-WAN
- Deconstruct and examine application layer traffic such as DNS, email, web, etc.
- Integrate with cyber threat intelligence feeds
THE BENEFITS OF A NETWORK TRAFFIC ANALYSIS SOLUTION
Detect known threats, unknown malware, and zero-days in real-time, powered by out-of-the-box threat content and a trained machine learning engine.
Detect unusual lateral movement and command & control (C2) communication.
Reduce false positives through automated correlation and advanced analytical models.
Uncover APT/Stealth attacks dormant between attack stages.
WHY GURUCUL?
The Gurucul Network Traffic Analysis solution provides visibility into unknown and undetected network threats based on risky abnormal behavior. Gurucul machine learning based NTA uses entity models to create behavior baselines for every device and machine on the network based on network flow data such as: source and destination IPs/machines, protocol, bytes in/out, etc. It also supports leveraging DHCP logs to correlate IP specific data to machines and users.
NTA comes with pre-packaged ML models pre-configured and tuned to run on high frequency network data streams to detect real-time anomalies and to risk rank threats.
NTA USE CASES
Detect Traffic To/From Unusual Geo Locations
Gurucul extracts context from any log family containing IP address fields to detect “geographically undesirable” traffic indicative of the following scenarios:
- Account sharing – security policy violations
- Account takeover – login through compromised credentials
- VPN usage – circumvention of network controls
Expose DNS Tunneling
Gurucul can uniquely detect traffic to unusual DNS Servers and surges in outbound DNS queries. It performs comprehensive DNS packet inspection. Standard detection mechanisms only look at DNS length.
Identify Unknown IoT Devices
Gurucul monitors activities from all network devices and detects unauthorized use of non-registered devices to access the network. NTA also discovers unknown or unseen devices or services on the network so you can remove or disable them.
Internal and External Threat Monitoring
Gurucul NTA provides an effective understanding of real time network and application traffic. This includes monitoring complex cloud, hybrid or on premise architectures with east and west network traffic, which can help identify attacker lateral movement and spreading of an infection across resources. In addition, Gurucul NTA is effective at monitoring north and south traffic for command and control activity to external malicious hosts that could be for downloading more malware, sharing encryption keys for ransomware or even externally monitoring current ransomware status, and data exfiltration.
FAQs
What is network traffic analysis?
Network traffic analysis is the process of capturing, reviewing, and analyzing network traffic data to identify patterns, anomalies, and trends. It involves monitoring and examining the data flowing through a network, including the communication between devices, the types of protocols used, the amount of data transferred, and the source and destination of the traffic.
What is the purpose of network traffic analysis?
The purpose of network traffic analysis is to identify potential security threats, performance issues, and operational inefficiencies. It can help network administrators detect and prevent unauthorized access, malware infections, and other malicious activities. It can also help optimize network performance by identifying bottlenecks, network congestion, and other issues that affect network speed and reliability.
What are the methods of traffic analysis?
Network traffic analysis tools can range from simple packet sniffers to complex software applications that use machine learning and artificial intelligence techniques to identify and categorize network traffic. These tools can provide valuable insights into network behavior and help organizations maintain a secure and efficient network infrastructure.
