Network behavior analysis serves both the security and network operations sides of IT by collecting and analyzing network flow telemetry (NetFlow, sFlow, J-Flow, etc.) to identify and remediate the cause of anomalous activity, such as traffic spikes, performance degradation, and communication with unexpected IP addresses that might indicate botnet activity or data exfiltration.
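As an added illustration (not code from the article or from any vendor it names), the two checks described above, per-host traffic spikes and communication with unexpected destinations, run here over a handful of constructed NetFlow-style records; the destination allowlist, the spike factor and the one-minute bucketing are assumptions.

```python
"""Flow-telemetry anomaly checks over constructed NetFlow-style records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample flows: (minute_bucket, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    (0, "10.0.0.5", "10.0.0.20", 445, 120_000),
    (1, "10.0.0.5", "10.0.0.20", 445, 110_000),
    (2, "10.0.0.5", "10.0.0.20", 445, 130_000),
    (3, "10.0.0.5", "203.0.113.9", 443, 2_400_000),  # spike to an outside address
    (0, "10.0.0.7", "10.0.0.21", 80, 50_000),
    (1, "10.0.0.7", "10.0.0.21", 80, 55_000),
    (2, "10.0.0.7", "10.0.0.21", 80, 52_000),
    (3, "10.0.0.7", "10.0.0.21", 80, 51_000),
]

# Hypothetical allowlist: internal space plus one known partner block.
EXPECTED_DST = [ip_network("10.0.0.0/8"), ip_network("198.51.100.0/24")]


def unexpected_destinations(flows, expected=EXPECTED_DST):
    """Return flows whose destination lies outside every expected network."""
    return [f for f in flows if not any(ip_address(f[2]) in net for net in expected)]


def traffic_spikes(flows, factor=5.0):
    """Per source host, flag minutes whose byte volume exceeds `factor` times
    the median volume of that host's other minutes (a simple self-baseline)."""
    per_src = defaultdict(lambda: defaultdict(int))
    for minute, src, _dst, _port, nbytes in flows:
        per_src[src][minute] += nbytes
    spikes = []
    for src, by_minute in per_src.items():
        for minute, total in by_minute.items():
            baseline = [v for m, v in by_minute.items() if m != minute]
            if baseline and total > factor * median(baseline):
                spikes.append((src, minute, total))
    return spikes


def triage(flows):
    """Combine both checks into one report for an analyst to review."""
    return {
        "spikes": traffic_spikes(flows),
        "unexpected": [(f[1], f[2], f[3], f[4]) for f in unexpected_destinations(flows)],
    }


if __name__ == "__main__":
    for kind, items in triage(FLOWS).items():
        print(kind, items)
```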
"The same sort of instrumentation points and same sort of measurements can be used quite effectively in both realms," says Jim Frey, research director, enterprise management, for Enterprise Management Associates.
On the security side, adding application awareness through deep packet inspection helps enterprises identify potentially malicious activity and applications, such as peer-to-peer or social networking sites, that may be banned or restricted by corporate policy. On the network side, fine-grained application awareness lets ops teams determine whether reports of "slowness" stem from network problems or from application issues, such as authorized or unauthorized video streaming, a problem with an authorized business application, or a malicious program that needs to be referred to security.
"Is it the network or the application? Everyone points fingers when users report 'slowness' in something," says Joe Yeager, Lancope product manager. "It's always the networks that are blamed, but the networks are only responsible 20 percent of the time." Understanding the cause of performance issues saves organizations from throwing bandwidth capacity at what appear to be network issues but may be related to applications or a faulty DNS server.