Network Traffic Analysis (NTA)

In-Depth Analysis of Network Traffic to Identify Malicious Payloads, Lateral Movement, and Anomalous Communications

BUSINESS CHALLENGE

As organizations evolve their infrastructure based on digital transformation efforts, networks are increasingly becoming more complex and operating in hybrid multi-cloud environments. This has led to a larger threat landscape with more security gaps. Threat actors can more easily perform reconnaissance, lateral movement, communicate with external systems, and deliver malicious payloads or exfiltrate data. Log data, endpoint solutions, and other telemetry are not suited to exposing these kinds of attack patterns or abnormal activity that are part of an overall active attack campaign.


CRITICAL CAPABILITIES

Gurucul Network Traffic Analysis (NTA) gives security teams deeper insight into the traffic traversing their network, so they can make actionable, real-time decisions to identify, contain and resolve incidents. NTA also provides far more situational awareness than log data, endpoint telemetry and other sources alone. Combining NTA with those other datasets gives a fuller picture of the attack campaign.

  • Analyze raw network traffic in real time, including NetFlow and other network protocols of interest to an organization
  • Monitor and analyze north-south and east-west network traffic for both external and internal threats
  • Detect attacks using a combination of tools – machine learning, behavior analysis, indicators of compromise, and retrospective analysis
  • Model normal network traffic and highlight anomalous traffic
  • Identify C2 communications
  • Record and analyze raw traffic data for detecting and isolating attacks, during advanced threat hunting scenarios, and forensic investigations post-attack
  • Support complex network topologies, including SD-WAN
  • Deconstruct and examine application layer traffic such as DNS, email, web, etc.
  • Integrate with cyber threat intelligence feeds

KEY BENEFITS

Detect known threats, unknown malware, and zero-days in real-time, powered by out-of-the-box threat content and a trained machine learning engine.

Detect unusual lateral movement and command & control (C2) communication.

Reduce false positives through automated correlation and advanced analytical models.

Uncover APT and stealthy attacks that lie dormant between attack stages.


WHY GURUCUL?

Gurucul provides visibility into unknown and undetected network threats based on risky, abnormal behavior. Gurucul's machine-learning-based NTA uses entity models to build a behavior baseline for every device and machine on the network from network flow data such as source and destination IPs/machines, protocol, and bytes in/out. It can also use DHCP logs to correlate IP-specific data with machines and users.

NTA comes with pre-packaged ML models, pre-configured and tuned to run on high-frequency network data streams, to detect anomalies in real time and risk-rank threats.


TOP USE CASES

Detect Traffic To/From Unusual Geo Locations

Gurucul extracts context from any log family containing IP address fields to detect “geographically undesirable” traffic indicative of the following scenarios:

  • Account sharing – security policy violations
  • Account takeover – login through compromised credentials
  • VPN usage – circumvention of network controls

Expose DNS Tunneling

Gurucul can uniquely detect traffic to unusual DNS Servers and surges in outbound DNS queries. It performs comprehensive DNS packet inspection. Standard detection mechanisms only look at DNS length.
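As an added illustration (not Gurucul's code), the two signals named above can be approximated over DNS query logs: a per-host baseline of outbound query volume to catch surges, and a check for queries sent to resolvers outside the approved set. All records, host names and resolver addresses below are constructed.

```python
"""Added example: baseline-based DNS tunneling signals (not Gurucul's code)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample log: (minute bucket, source host, resolver IP).
# Hosts normally send a handful of queries per minute to the corporate
# resolver 10.0.0.53; ws02 spikes in minute 9 and ws03 talks to an
# outside resolver. Values are made up for the demonstration.
APPROVED_RESOLVERS = {"10.0.0.53"}
SAMPLE_DNS_LOG = (
    [(m, "ws01", "10.0.0.53") for m in range(10) for _ in range(4)]
    + [(m, "ws02", "10.0.0.53") for m in range(10) for _ in range(5)]
    + [(9, "ws02", "10.0.0.53") for _ in range(120)]      # surge in minute 9
    + [(3, "ws03", "10.0.0.53") for _ in range(3)]
    + [(3, "ws03", "203.0.113.9") for _ in range(2)]      # unapproved resolver
)

def queries_per_minute(records):
    """Count outbound queries per host and minute bucket."""
    counts = defaultdict(Counter)
    for minute, host, _resolver in records:
        counts[host][minute] += 1
    return counts

def detect_query_surges(records, z_threshold=3.0):
    """Flag hosts whose latest minute exceeds their own historical baseline.
    Each device is compared against itself (mean/stddev of its earlier
    minutes), not against a single global constant or query length."""
    alerts = []
    for host, per_minute in queries_per_minute(records).items():
        series = [per_minute[m] for m in sorted(per_minute)]
        if len(series) < 3:
            continue  # not enough history to form a baseline
        history, latest = series[:-1], series[-1]
        base_mean, base_sd = mean(history), pstdev(history)
        if base_sd > 0:
            anomalous = (latest - base_mean) / base_sd > z_threshold
        else:  # perfectly flat history: treat a doubling as a surge
            anomalous = latest > 2 * base_mean
        if anomalous:
            alerts.append((host, latest))
    return alerts

def detect_unapproved_resolvers(records, approved=APPROVED_RESOLVERS):
    """Return {host: {resolver, ...}} for queries sent outside the approved set."""
    hits = defaultdict(set)
    for _minute, host, resolver in records:
        if resolver not in approved:
            hits[host].add(resolver)
    return dict(hits)
```

In this sample, `detect_query_surges` reports only ws02 (125 queries in minute 9) and `detect_unapproved_resolvers` reports only ws03's queries to 203.0.113.9.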

Identify Unknown IoT Devices

Gurucul monitors activities from all network devices and detects unauthorized use of non-registered devices to access the network. NTA also discovers unknown or unseen devices or services on the network so you can remove or disable them.

Internal and External Threat Monitoring

Gurucul NTA provides an effective understanding of real-time network and application traffic. This includes monitoring complex cloud, hybrid or on-premises architectures for east-west network traffic, which can help identify attacker lateral movement and the spread of an infection across resources. In addition, Gurucul NTA is effective at monitoring north-south traffic for command and control activity to external malicious hosts, which may be used to download more malware, exchange encryption keys for ransomware, report ransomware status externally, or exfiltrate data.

