When mapping a defensive game plan, it helps to scout out what the other team is up to. But the unfortunate reality for IT security pros is that the next attacker could be anyone from a script kiddie to a crime syndicate to a malicious insider, and possible vectors are even more diverse. Yet the intrusion-detection and intrusion-prevention systems many enterprises employ in response to all this uncertainty suffer from the same weakness that's plagued antivirus products for years--a reliance on signatures.
Antivirus vendors realized early on that to stay competitive, they had to develop techniques to enable their products to identify suspicious traffic, even if they hadn't seen that particular activity before. The answer was heuristics and behavioral analysis methods that detect files and processes that behave in ways deemed threatening. In the network security realm, researchers and vendors such as Lancope and Mazu Networks developed systems that use behavioral analysis rather than signatures. Over the past few years, this category has matured from a niche market that was tagged with several unfortunate acronyms, including NBAD (network behavior analysis and detection) and NADS (network anomaly detection systems), before settling on NBA, or network behavior analysis.
In essence, these vendors provide the missing piece--behavioral detection--to the IDS world that antivirus vendors discovered was a necessity more than a decade ago.
Most enterprises can benefit from NBA, since most are missing security events of interest because of overwhelming bandwidth or a lack of pervasive visibility. But as with any product that interacts closely with your network and impacts security--and especially one that costs as much as most NBA systems--a proper fit is crucial.
We decided to launch a Rolling Review to help you ensure that the NBA product you're considering will integrate with your current IDS, vulnerability scanner, and security incident and event manager (SIEM) while handling your throughput needs. We've invited six vendors to send products to our University of Florida Real-World Labs. See "Network Behavior Analysis Rolling Review" for more testing details.
MAKE ROOM ON THE COURT
Pure-play NBA vendors initially focused on network security because, simply put, they were good at it. Once their systems create a baseline of what normal network behavior looks like, they can detect anomalous activities. For example, say a desktop computer whose daily actions comprise Web browsing, access to network shares, and e-mail traffic suddenly begins accepting connections on TCP port 65500 or starts communicating on UDP port 17028 with hundreds of other hosts around the world. An NBA system would fire off an e-mail to the security team about the sudden change, maybe even implement a firewall ACL or disable the switch port to prevent collateral damage.
Smelling an opportunity for expansion into a prospering space, network performance vendors including NetQoS are busily adding NBA capabilities to their product lines. While security-focused individuals and vendors claim NBA as part of a comprehensive security strategy, these network performance vendors tout the technology as a natural extension of yesterday's network management systems. For example, Steve Harriman, NetQoS's VP of marketing, says NBA is key to optimizing networks for application performance.
No matter which viewpoint you favor, enterprise IT groups are the ultimate winners: More competition in the NBA market from vendors with different perspectives means abundant new features and lower prices.