Network Traffic Analysis
Identify Unknown Network Threats Using Machine Learning on NetFlow and Packet Data
Defending against cyberattacks grows more complex. The attack surface continues to expand due to cloud computing, IoT, and BYOD. Network Operations and Security Operations teams need every advantage they can get for detecting and responding to cyber threats as early as possible. That’s why Network Traffic Analysis is so critical.
Organizations tend to rely on network monitoring tools for checking the health of the network and identifying cybersecurity threats. These tools detect and report failures of devices or connections. However, they cannot fix issues nor can they identify unknown threats.
The real pain point is the inability to conclusively tie data generated by disparate sources (application and platform event logs, DLP, malware detection, vulnerability data, threat intelligence feeds, HR user profiles, access entitlements, etc.) to the network data in order to improve network security.
Network Traffic Analysis is a Proactive Approach
Gurucul’s approach to network monitoring is proactive. Gurucul uses machine learning analytics to provide visibility into unknown and undetected threats based on risky abnormal behavior.
Security professionals are familiar with network analytics – analysis of network data to identify trends and patterns. Network Traffic Analysis (NTA) builds on this approach by adding the critical element of predicting and detecting behaviors indicative of security incidents. While NTA is not a new concept, modern NTA technology adds big data and machine learning to be more powerful and accurate. That allows organizations to identify what “normal” network traffic behavior looks like so that they can also spot malicious network traffic.
Gurucul Network Traffic Analysis focuses on network behavior patterns attributed to all entities (i.e., machine IDs, IP addresses, etc.) within the network. It is particularly powerful for spotting new, unknown malware, zero-day exploits, and attacks that are slow to develop, as well as identifying rogue behavior by insiders (or attackers using legitimate insiders' credentials). For example, Gurucul NTA can detect endpoint malware missed by software that depends on signatures and known patterns.
The Gurucul Network Traffic Analysis Product
Gurucul NTA uses entity models to create behavior baselines for every device and machine on the network based on network flow data such as source and destination IPs/machines, protocol, bytes in/out, etc. It also supports leveraging DHCP logs to correlate IP-specific data to machines and users.
This network traffic analysis product comes with pre-packaged machine learning models, pre-configured and tuned to run on high-frequency network data streams, to detect real-time anomalies and to risk-rank threats. Get real-time network behavior anomaly detection at scale with Gurucul NTA.
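The two ideas in this section, a per-device baseline built from flow fields (source/destination, protocol, port, bytes out) and DHCP lease correlation so that a baseline follows the machine rather than the IP it happens to hold, can be shown in a few dozen lines. The following is an added illustration written for this page; it is hypothetical code, not Gurucul's product, and every flow record, lease and threshold in it is constructed. It scores a day of flows against the training baseline using a simple z-score on daily byte volume plus a "never seen before" check on protocol/port pairs.

```python
"""Per-device behavior baselines from NetFlow-style records, with DHCP correlation.
Added illustration (hypothetical code, not Gurucul's); all records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int        # day index within the observation window
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    bytes_out: int  # bytes sent by src_ip in this flow


@dataclass(frozen=True)
class Lease:
    first_day: int
    last_day: int   # inclusive
    ip: str
    host: str


@dataclass
class Baseline:
    mean_bytes: float
    std_bytes: float
    services: set   # (proto, dst_port) pairs seen during training


# Constructed DHCP lease history: 10.0.0.5 belonged to LAPTOP-A on days 0-2,
# then LAPTOP-A moved to 10.0.0.6 and LAPTOP-B took over 10.0.0.5.
LEASES = [
    Lease(0, 2, "10.0.0.5", "LAPTOP-A"),
    Lease(3, 9, "10.0.0.6", "LAPTOP-A"),
    Lease(3, 9, "10.0.0.5", "LAPTOP-B"),
]

# Constructed training flows for days 0-6 (LAPTOP-A drifts slowly, LAPTOP-B is flat).
TRAINING = []
for _day in range(7):
    _a_ip = "10.0.0.5" if _day < 3 else "10.0.0.6"
    TRAINING.append(Flow(_day, _a_ip, "203.0.113.10", "tcp", 443, 50_000 + 1_000 * _day))
    if _day >= 3:
        TRAINING.append(Flow(_day, "10.0.0.5", "203.0.113.10", "tcp", 443, 20_000))

# Constructed evaluation day 7: LAPTOP-A makes a large SSH transfer to a new host,
# LAPTOP-B behaves as before, and an IP with no lease record appears.
EVAL = [
    Flow(7, "10.0.0.6", "203.0.113.10", "tcp", 443, 54_000),
    Flow(7, "10.0.0.6", "198.51.100.9", "tcp", 22, 5_000_000),
    Flow(7, "10.0.0.5", "203.0.113.10", "tcp", 443, 21_000),
    Flow(7, "10.0.0.9", "203.0.113.10", "tcp", 443, 1_000),
]


def resolve_host(ip, day, leases=LEASES):
    """Map an IP to the host that held it on that day; fall back to the raw IP."""
    for lease in leases:
        if lease.ip == ip and lease.first_day <= day <= lease.last_day:
            return lease.host
    return ip


def build_baselines(flows, leases=LEASES):
    """Per-host daily byte volume statistics and the set of services used."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    services = defaultdict(set)
    for f in flows:
        host = resolve_host(f.src_ip, f.day, leases)
        daily[host][f.day] += f.bytes_out
        services[host].add((f.proto, f.dst_port))
    baselines = {}
    for host, per_day in daily.items():
        vals = list(per_day.values())
        baselines[host] = Baseline(mean(vals), pstdev(vals), services[host])
    return baselines


def score_day(flows, baselines, leases=LEASES, z_threshold=3.0):
    """Return (host, reason) findings for one day of flows against the baselines."""
    totals, seen = defaultdict(int), defaultdict(set)
    for f in flows:
        host = resolve_host(f.src_ip, f.day, leases)
        totals[host] += f.bytes_out
        seen[host].add((f.proto, f.dst_port))
    findings = []
    for host, total in totals.items():
        base = baselines.get(host)
        if base is None:
            findings.append((host, "no baseline: host not seen during training"))
            continue
        # A host with constant training volume has zero spread; floor the divisor
        # so that a small drift does not produce an infinite z-score.
        spread = base.std_bytes or max(base.mean_bytes * 0.1, 1.0)
        z = (total - base.mean_bytes) / spread
        if z > z_threshold:
            findings.append((host, f"volume anomaly: {total} bytes, z={z:.1f}"))
        for proto, port in sorted(seen[host] - base.services):
            findings.append((host, f"new service {proto}/{port}"))
    return findings


if __name__ == "__main__":
    for host, reason in score_day(EVAL, build_baselines(TRAINING)):
        print(f"{host}: {reason}")
```

Because the lease table is consulted per flow, LAPTOP-A's days on 10.0.0.5 and its days on 10.0.0.6 land in one baseline, and LAPTOP-B's quiet traffic on the reused address does not inherit LAPTOP-A's history. A real deployment would baseline many more features and use a rolling window, but the zero-variance floor and the "no baseline yet" case are the two things that bite first in practice.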
Network Behavior Combined with User and Access Context
Gurucul combines network behavior with user and entity behavior to deliver rich context for network traffic analysis. Gurucul defines unique identities (users and/or entities) and links all data elements to those identities. This enables security teams to quickly discover:
- Which device triggered the incident?
- Which systems are being connected to or from at what frequency?
- What transactions were performed?
- How much data was transferred?
- Who was using the device?
- What else did the user access on the network?
- Is the behavior of this device normal and expected, relative to its peers?
Most Comprehensive Feature Set
Gurucul Network Traffic Analysis eliminates the need for dedicated network monitoring. It is distinguished from other network traffic analysis tools by the following capabilities:
Scalable Solution Architecture
Gurucul’s Big Data architecture is built to ingest and analyze high volume transactional data — both structured and unstructured. This not only allows for quicker searching, but also faster analytics and longer data retention for e-discovery and forensics. It’s an open choice as to which data lake to use — Hadoop, Cloudera, Hortonworks, etc. You can choose a preferred or existing data lake, or use Gurucul’s Hadoop data lake for free.
Data Ingestion and Data Linking
Gurucul has a metadata-driven data format, which allows the system to map to any data source – online or offline, internal or external, on-premises or in the cloud – to pull information into the data lake, regardless of the format of the data. The more data sources and the more data ingested, the better, as this broadens the view of activities and behaviors by putting them in context and increases the learning ability of the machine learning engine.
Gurucul's data analytics engine uses machine learning rather than rules, which allows the system to perform network traffic anomaly detection without having to anticipate and define parameters for it in advance. The machine learning engine is built on top of more than 2,000 data models out of the box, and customers have the capability to fine-tune existing models and create their own.
Comparison to Peer Groups
Another way that Gurucul evaluates risk is to compare one user's or entity's behavior to that of its peer group. For example, a particular endpoint might be communicating with an unknown external IP address. This behavior is suspicious, but perhaps not enough to declare it high-risk activity. An analyst can check whether other devices belonging to the same workgroup are also reaching out to the same IP address. If so, there may be a legitimate business reason for the communication. If not, the endpoint may be infected and communicating with a Command & Control server. Peer group assessment is one more way of evaluating risk in network behavior anomaly detection.
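The peer-group reasoning above (is this device the only member of its workgroup talking to that external address, or does the whole team use it?) is easy to make concrete. The following is an added illustration written for this page, not Gurucul's code; the workgroup inventory, the allow list of vetted destinations, the internal address ranges and the flow records are all constructed, and the fraction thresholds are arbitrary assumptions. For each (device, unknown external destination) pair it computes what share of the device's workgroup peers also contacted that destination and turns that into a coarse risk level.

```python
"""Peer-group check for devices contacting unknown external destinations.
Added illustration (hypothetical code, not Gurucul's); all data is constructed."""
import ipaddress
from collections import defaultdict

# Address space treated as internal; anything else is external (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed asset inventory: device IP -> workgroup.
WORKGROUP = {
    "10.0.0.5": "finance", "10.0.0.6": "finance",
    "10.0.0.7": "finance", "10.0.0.8": "finance",
    "10.0.0.20": "engineering",
}

# Constructed allow list of external destinations already vetted (e.g. sanctioned SaaS).
KNOWN_EXTERNAL = {"203.0.113.10"}

# Constructed flows as (src_ip, dst_ip) pairs.
FLOWS = [
    # the whole finance group uses the same external service
    ("10.0.0.5", "198.51.100.40"), ("10.0.0.6", "198.51.100.40"),
    ("10.0.0.7", "198.51.100.40"), ("10.0.0.8", "198.51.100.40"),
    # two finance machines reach a second destination
    ("10.0.0.5", "192.0.2.88"), ("10.0.0.6", "192.0.2.88"),
    # only one finance machine reaches this destination
    ("10.0.0.5", "192.0.2.77"),
    # a vetted destination and internal traffic, both ignored
    ("10.0.0.5", "203.0.113.10"), ("10.0.0.5", "10.0.0.20"),
    # a device whose workgroup has no other members
    ("10.0.0.20", "198.51.100.40"),
]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def peer_support(flows, workgroup=WORKGROUP, known=KNOWN_EXTERNAL):
    """For each (device, unknown external dst) pair, the fraction of the device's
    workgroup peers that also contacted that destination (None if it has no peers)."""
    contacts = defaultdict(set)   # dst -> devices that talked to it
    for src, dst in flows:
        if is_external(dst) and dst not in known:
            contacts[dst].add(src)
    members = defaultdict(set)    # workgroup -> device IPs
    for ip, group in workgroup.items():
        members[group].add(ip)
    support = {}
    for dst, sources in contacts.items():
        for src in sources:
            peers = members[workgroup.get(src)] - {src}
            support[(src, dst)] = len(peers & sources) / len(peers) if peers else None
    return support


def risk_level(fraction, medium_floor=0.5):
    """Lone communication is high risk; broad peer usage suggests a business reason."""
    if fraction is None:
        return "unrated"          # no peers to compare against, so no evidence either way
    if fraction == 0.0:
        return "high"
    if fraction < medium_floor:
        return "medium"
    return "low"


def assess(flows, workgroup=WORKGROUP, known=KNOWN_EXTERNAL):
    return {pair: risk_level(frac)
            for pair, frac in peer_support(flows, workgroup, known).items()}


if __name__ == "__main__":
    for (src, dst), level in sorted(assess(FLOWS).items()):
        print(f"{src} -> {dst}: {level}")
```

Two details matter when running this over real flow data: a device whose workgroup has no other members yields no evidence either way and should be left unrated rather than scored as an outlier, and the internal/external split should come from your own address plan rather than a library's notion of "private", since documentation and test ranges are classified differently by different libraries.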