Network Traffic Analysis (NTA) monitors network availability and activity and can identify anomalies, including both security and operational issues. It uses the network's own communications to detect and investigate security threats as well as malicious or anomalous behavior within the network. By combining behavioral modeling, machine learning, and rule-based detection, it builds a baseline that reflects an organization's normal network behavior. It then continuously analyzes flow records and/or network telemetry and alerts your security team to a potential threat when irregular activity or traffic patterns deviate from that baseline.
PeerSpot offers a report on Network Traffic Analysis containing feedback from our user community. If you are interested in learning more, check out the free report here.
Enterprises increasingly face multiple network monitoring challenges, such as tracking, measuring, and improving network performance. Addressing these challenges with an NTA solution lets an organization move from reacting to problems to proactive strategies. PeerSpot real users of Network Traffic Analysis note the following advantages of this type of solution for their organizations and clients.
1) Monitors traffic and detects network vulnerabilities
It is important for organizations to monitor access, especially for file servers, databases, or devices on a network. This monitoring provides insight into who is accessing your network and why. The Chief Security Officer at a large university discusses the importance of monitoring devices on their network with Arista NDR, “We have TAPs in our network, and they see all traffic, whether it's a managed device or it's a student going to Netflix. We obviously filter out a lot of the traffic that's not relevant to a security appliance. It's one of the key values for a university environment. We've got just as many, if not more, unmanaged devices on our network than we do managed devices. When I think about lateral movement, where folks are talking and whether folks are talking to machines they shouldn't be talking to, the ability to track both managed and unmanaged devices really helps in giving us peace of mind that we're in good shape.” He goes on to discuss why this network tracking matters to the university, “That tracking of managed and unmanaged devices provides really good context. Even if the device is unmanaged, we still have some insight into who they were, what they were doing, what services they accessed. Generally speaking, we can correlate and figure out that it was, for example, a particular student doing something. In a corporate environment, they would likely have a lot fewer unmanaged devices, but it really provides that insight into who people are and where they are going.”
2) Detects malicious activity
Ignoring network traffic often means that attacks which might have been easily remediated go undetected. Rogue users, devices, and processes are not only security threats to a network but also a cause of network slowdowns and outages. Detecting and eliminating security threats is crucial to a network's availability and to an organization's operations. A real user from the PMO department at a large communications service provider describes their NTA use case for Cisco Secure Network Analytics, “It is used for network protection for those segments that are not covered by the firewall. It is used for doing ransomware detection in terms of east-west traffic. A firewall can't detect that because it is mostly focused on north-south traffic. So, in the segments that are left out from the firewall, the StealthWatch network detection platform is able to see the malware that is sent to the devices.”
3) Troubleshoots network issues
An NTA solution can highlight and identify the root cause of bandwidth peaks on a network by providing trend analysis of traffic utilization. David Daniel, a Director of Information Technology at a large healthcare company, describes how using Auvik has helped minimize end-user performance impacts, “TrafficInsights helps show where our system is experiencing performance issues, because we're using fiber optics within the data center as the backbone for everything. Whenever we're moving virtual machines, it helps isolate which ports are experiencing the most usage. We correlate the ports that are used to the host machines themselves and determine what virtual machines are reliant on the host that's using the most bandwidth, and we then see what services are impacted from there. TrafficInsights enables us to prepare ourselves to minimize end-user performance impact. We make changes based on what we see through TrafficInsights. It's a useful feature for doing exactly that. It allows us to maintain a steady level of performance within the data center.”
4) Improves visibility into internal assets
Network Traffic Analysis helps you know what assets (devices, people, policies, and vendor integrations, for example) exist in your organization, giving you an inventory of the devices, servers, and services running on a network. Victor Ibanez, a Commercial Director at a medium-sized tech services company, notes how one of their customers lacked internal visibility until they used Darktrace, “Based on our experience, most of the customers don't really know the size of their network. With this type of solution, we can know the complete network. We can know the real size, and how many resources are connected to the network and the internet. For example, one customer said to us, "I only have 18,000 connections on the network." We did the sizing with 18,000, and when we started the deployment, this customer had one thousand and twenty hundred connections. They didn't realize that until we arrived.”
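The four capabilities described so far (learning a baseline and alerting on deviations from it, spotting east-west traffic a perimeter firewall never sees, finding the hosts behind a bandwidth peak, and inventorying what is actually on the network) all run over the same input: flow records. The script below is an added example, not code from PeerSpot or from any of the products quoted above, showing a minimal version of each step over a handful of constructed NetFlow-style records. The record format, the RFC 1918 definition of "internal", the three-sigma threshold and the fallback multiplier for sparse history are all assumptions chosen for the example.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed sample flow records (not captured data).
# Format: ts,src,dst,dport,proto,bytes  (the fields a NetFlow/IPFIX exporter carries).
BASELINE_FLOWS = """\
1,10.0.1.5,10.0.2.10,445,tcp,52000
2,10.0.1.5,10.0.2.10,445,tcp,48000
3,10.0.1.5,10.0.2.10,445,tcp,50000
4,10.0.1.5,203.0.113.7,443,tcp,120000
5,10.0.1.6,10.0.2.20,3306,tcp,9000
6,10.0.1.6,10.0.2.20,3306,tcp,11000
7,10.0.1.6,10.0.2.20,3306,tcp,10000
8,10.0.1.6,198.51.100.9,443,tcp,30000
"""

# Constructed flows from a later window, to be judged against the baseline.
NEW_FLOWS = """\
9,10.0.1.5,10.0.2.10,445,tcp,51000
10,10.0.1.5,10.0.2.10,445,tcp,4000000
11,10.0.1.6,10.0.2.20,3306,tcp,10500
12,10.0.1.7,10.0.2.20,3389,tcp,2500
13,10.0.1.5,10.0.2.31,445,tcp,3000
14,10.0.1.6,198.51.100.9,443,tcp,31000
"""

# Assumption: "internal" means RFC 1918 space; adjust to the real address plan.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Turn the CSV-style records above into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def is_east_west(flow):
    """Internal-to-internal traffic: the segment a north-south firewall does not inspect."""
    return is_internal(flow["src"]) and is_internal(flow["dst"])


def build_baseline(flows):
    """Learning window: byte counts seen per (src, dst, dport) conversation."""
    baseline = defaultdict(list)
    for f in flows:
        baseline[(f["src"], f["dst"], f["dport"])].append(f["bytes"])
    return baseline


def detect(flows, baseline, sigma=3.0):
    """Combine a rule-based check with a behavioral (statistical) one."""
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if key not in baseline:
            # Rule: an internal host reaching an internal service it never used before.
            # External destinations are deliberately not flagged here; they are far noisier.
            if is_east_west(f):
                alerts.append(("new-east-west-service", f["ts"], key))
            continue
        history = baseline[key]
        mean = statistics.mean(history)
        # Behavioral: volume far outside the learned distribution. With fewer than two
        # samples a spread cannot be estimated, so fall back to a multiple of the mean.
        if len(history) >= 2:
            threshold = mean + sigma * statistics.pstdev(history)
        else:
            threshold = sigma * mean
        if f["bytes"] > threshold:
            alerts.append(("volume-anomaly", f["ts"], key))
    return alerts


def top_talkers(flows, n=3):
    """Bytes sent per source host, largest first: the hosts behind a bandwidth peak."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def inventory(flows):
    """Every host seen, plus every internal (dst, port, proto) that answered traffic."""
    hosts, services = set(), set()
    for f in flows:
        hosts.add(f["src"])
        hosts.add(f["dst"])
        if is_internal(f["dst"]):
            services.add((f["dst"], f["dport"], f["proto"]))
    return hosts, services


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_FLOWS))
    new = parse_flows(NEW_FLOWS)
    for alert in detect(new, base):
        print("ALERT", alert)
    print("top talkers:", top_talkers(new))
    hosts, services = inventory(parse_flows(BASELINE_FLOWS) + new)
    print(len(hosts), "hosts,", len(services), "internal services")
```

Running it raises one volume alert (the 4 MB SMB transfer from 10.0.1.5, which dwarfs its learned 50 KB average), two new-east-west-service alerts (a previously unseen host opening RDP to the database server, and 10.0.1.5 reaching a file server it had never used), while the slightly larger HTTPS flow to an external host stays quiet. The same parsed records also yield the top talkers and an eight-host, four-service inventory, which is the sense in which one NTA data source feeds detection, troubleshooting and visibility at once.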
5) Reports and tracks network traffic data
Tied to visibility in networks is the ability to track a user's activity on the network through reporting. Having this type of network traffic data helps you troubleshoot, establish network benchmarks, plan for growth, and investigate network incidents by bringing all traffic statistics together. A real user at a medium-sized retailer notes how valuable reporting and visibility are to them, “One of the most valuable features of Plixer Scrutinizer is the reporting, particularly how easy it is to drill down into the reports. Another valuable feature of the solution is its overall visibility.” The reviewer then explains how having Plixer Scrutinizer dashboards has affected their customers' visibility, “My customers were using multiple tool sets, and through Plixer Scrutinizer, they were able to simplify their visibility down to one management console or one pane of glass. They're now using simplified tool sets.”
Conclusion
A good NTA solution helps you understand what your security appliances can see, then offers detection and blocking capabilities. It can help define what is allowed on a network and who is allowed to access which systems. All of this data should be visible and easily tracked through the solution's dashboards and reporting tools.