Network Behavior Analytics
Identify Unknown Network Threats Using Machine Learning on NetFlow and Packet Data
Defending against cyberattacks grows more complex. The attack surface continues to grow due to cloud computing, IoT, and BYOD. Network Operations and Security Operations teams need every advantage they can get for detecting and responding to cyber threats as early as possible. That’s why Network Behavior Analytics is so critical.
Organizations tend to rely on network monitoring tools for monitoring the health of the network. These tools detect and report failures of devices or connections. However, they cannot fix issues nor can they identify unknown threats.
The real pain point is the inability to conclusively tie data generated by disparate sources to the network data, such as application and platform event logs, DLP, malware detection, vulnerability data, threat intelligence feeds, HR user profiles, access entitlements, etc.
Network Behavior Analytics is a Proactive Approach
Gurucul’s approach to network monitoring is proactive. Gurucul uses machine learning analytics to provide visibility into unknown and undetected threats based on risky abnormal behavior.
Security professionals are familiar with network analytics – analysis of network data to identify trends and patterns. Network Behavior Analytics (NBA) builds on this approach by adding the critical element of predicting and detecting behaviors indicative of security incidents. While NBA is not a new concept, modern NBA technology adds big data and machine learning to be more powerful and accurate.
Gurucul NBA focuses on network behavior patterns attributed to all entities (i.e., machine ids, IP addresses, etc.) within the network. It is particularly powerful for spotting new, unknown malware, zero-day exploits, and attacks that are slow to develop, as well as identifying rogue behavior by insiders (or those using legitimate insider’s credentials). For example, NBA can detect endpoint malware missed by software dependent on signatures and known patterns.
The Gurucul Network Behavior Analytics Solution
The Gurucul NBA solution is part of the Gurucul User and Entity Behavior Analytics (UEBA) platform. It focuses on identifying unknown network threats using advanced machine learning algorithms on network flows and packet data.
Gurucul NBA uses entity models to create behavior baselines for every device and machine on the network based on network flow data such as: source and destination IPs/machines, protocol, bytes in/out, etc. It also supports leveraging DHCP logs to correlate IP specific data to machines and users.
The solution comes with pre-packaged machine learning models pre-configured and tuned to run on high frequency network data streams to detect real-time anomalies and to risk rank threats. Get real-time network behavior anomaly detection at scale with Gurucul NBA.
Network Behavior Combined with User and Access Context
Gurucul combines network behavior with user and entity behavior to deliver rich context. Gurucul defines unique identities (users and/or entities) and links all data elements to those identities. This enables security teams to quickly discover:
- Which device triggered the incident?
- Which systems are being connected to or from at what frequency?
- What transactions were performed?
- How much data was transferred?
- Who was using the device?
- What else did the user access on the network?
- Is the behavior of this device normal and expected, relative to its peers?
Most Comprehensive Feature Set
Gurucul Network Behavior Analytics eliminates the need for dedicated network monitoring. It is distinguished by the following capabilities:
Scalable Solution Architecture
Gurucul’s Big Data architecture is built to ingest and analyze high volume transactional data — both structured and unstructured. This not only allows for quicker searching, but also faster analytics and longer data retention for e-discovery and forensics. It’s an open choice as to which data lake to use — Hadoop, Cloudera, Hortonworks, etc. You can choose a preferred or existing data lake, or use Gurucul’s Hadoop data lake for free.
Data Ingestion and Data Linking
Gurucul has a metadata-driven data format, which allows the system to map to any data source – online or offline, internal or external, on-premise or in the cloud – to pull information into the data lake, regardless of the format of the data. The more data sources and the more data ingested, the better, as this broadens the view of the activities and behaviors by putting them in context and increases the learning ability of the machine learning engine.
Gurucul’s data analytics engine uses machine learning rather than rules, which allows the system to perform network traffic anomaly detection without having to anticipate and define parameters for them in advance. The machine learning engine is built on top of more than 1400 data models out-of-the-box and customers have the capability to fine tune existing models and create their own models.
Comparison to Peer Groups
Another way that Gurucul evaluates risk is to compare one user’s or entity’s behavior to that of his or its peer group. For example, a particular endpoint might be communicating with an unknown external IP address. This behavior is suspicious but perhaps not enough to declare it to be high-risk activity. An analyst can check to see if other devices belonging to that same workgroup are also reaching out to the same IP address. If so, then perhaps there is a legitimate business reason for this communication. If not, then it might appear that the endpoint is infected and is communicating with a Command & Control server. Peer group assessment is one more way of evaluating network behavior anomaly detection risk.
For More Information, Read Our Whitepaper,
“Network Behavior Analytics is the Next-Generation Defense Against Modern Threats.”