Top 8 Network Traffic Analysis (NTA) Tools
1. Darktrace
2. Cisco Stealthwatch
3. Vectra AI
4. Awake Security Platform
5. Plixer Scrutinizer
6. SolarWinds NetFlow Traffic Analyzer
7. ExtraHop Reveal(x)
8. Iris Session Analyzer
The product offers us a very good user interface and we've found the network visibility to be very good so far.
Darktrace is very flexible.
We find that Stealthwatch can detect the unseen.
Overall, the implementation is very good.
It has helped us to organize our security. We get a better overview on what is happening on the network, which has helped us get quicker responses to users. If we see malicious activity, then we can quickly take action on it. Previously, we weren't getting an overview as fast as we are now, so we can now provide a quicker response.
The query language that they have is quite valuable, especially because the sensor itself is storing some network activity and we're able to query that. That has been useful in a pinch because we don't necessarily use it just for threat hunting, but we also use it for debugging network issues. We can use it to ask questions and get answers about our network. For example: Which users and devices are using the VPN for RDP access? We can write a query pretty quickly and get an answer for that.
We didn't experience any bugs.
It helps us determine what is going on with our Internet and who is hogging it all up. If we get a real high throughput or a throughput that's going over and getting dropped fairly quickly, we can tell who (or what device) is consuming that traffic.
For managing the traffic, it provides you a response about whether the traffic is down, up, or heavy, which is a very powerful feature. It has a good response time. We have been using this solution for many years, and we don't have any problem with this solution.
We had useful information within the hour of deployment. The ability to trace back for historical analysis, as well as the behavioral analysis done with the security information, puts the user in a position to make an informed decision to mitigate the performance or security incidents. Regarding the security incidents, Reveal(x) is able to create incident cards that guide your teams through the incidents and gives you the option to delve into the transaction detail to potentially view payloads as well.
The feature that I have found the most useful is the decode of packets. It gives us a variety of information that helps us in figuring out what to look at. The networks are getting really complex, and without the information that we get from Iris Session Analyzer, we couldn't do our job. Its graphical user interface is also very easy to use and intuitive.
What is NTA?
Network Traffic Analysis is a type of security product that uses network communications to detect and investigate security threats and malicious or anomalous behaviors within the network. NTA uses a combination of behavioral modeling, machine learning, and rule-based detection to create a baseline reflecting what the organization’s normal network behavior looks like. NTA tools then continuously analyze flow records and/or network telemetry against that baseline, and alert your security team to a potential threat when irregular activities or traffic patterns are detected in the network.
Other network security tools, like firewalls and IDS/IPS (intrusion detection system/intrusion prevention system) products, monitor traffic crossing the perimeter of your network environment (so-called "north-south" traffic). NTA solutions focus on all communications, including lateral ("east-west") traffic inside the network and traffic on operational technology (OT) and Internet of Things (IoT) networks that would otherwise not be seen by your security team. Advanced NTA tools can even be effective when the network traffic is encrypted.
NTA solutions are generally automated, and can analyze all of the devices or entities that make up your network, including switches, routers, and firewalls. Visibility extends to smart devices, roaming users, data centers, and branch offices. No matter where you are, you can get an idea of who is using your network, how they are accessing it and from where, and what they are doing.
Once an NTA solution ascertains what normal behavior looks like on your network, it can alert your security team to anomalous behavior, providing the extended visibility necessary for the security incident to be mitigated.
NTA can attribute a malicious behavior to a specific IP address and can also perform forensic analysis to figure out how the threat has moved and what other devices might be affected. This results in a faster response time and more expeditious prevention of spread and/or resolution of the issue.
NTA vs. NDR
Noticeably absent from the term “Network Traffic Analysis” is the word “response.” Network-based solutions should be able to not only investigate and detect threats, but also respond rapidly and effectively. There has been a recent shift in terminology to refer to NDR, or “network detection & response,” which uses NTA but then goes one step beyond, with automated threat response and threat-hunting, using intelligent integration with firewalls, NAC, SOAR, or EDR platforms.
Benefits of Network Traffic Analysis
Benefits of NTA include:
Broad Visibility: NTA tools can monitor and analyze a broad range of communication types, including traditional TCP/IP-style packets, traffic from (or within) cloud workloads, serverless computing instances, and API calls to SaaS apps.
Encrypted Traffic Analysis: Most (more than 70% of) web traffic is encrypted. NTA products offer a way to analyze encrypted traffic without decrypting it, which avoids the data privacy implications of payload inspection. They are able to do this by working from the observable properties of the traffic (endpoints, volumes, timing, and handshake metadata) rather than from the content itself.
Comprehensive Baseline: Modern IT environments are constantly changing. NTA tools track behaviors that are unique to a particular entity or to a small number of entities in comparison to the rest of the entities in the environment. As behaviors change, their machine learning baselines are able to evolve in real time. Baselines are even more comprehensive now, due to entity-tracking capabilities, which allow them to understand not only traffic patterns but source and destination entities as well. (For example, normal workstation activity would not be normal activity for a camera.)
Entity Tracking: NTA solutions allow you to track and profile every entity on a network - from devices to users to applications and destinations. Behaviors and relationships are then attributed to each of these entities, which is much more valuable than just a list of IP addresses.
Detection and Response: Because behaviors are attributed to specific entities, there is plenty of context for detection and response workflows. Instead of having to sift through multiple data sources, security professionals can quickly detect anomalies, track them down, and react accordingly.
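The baselining, entity tracking, and attribution described in the "What is NTA?" section and in the Entity Tracking and Detection and Response benefits above can be illustrated with a small flow-based detector. The following is an added example, not code from any of the products on this page: it learns a per-entity baseline (ports used, peers contacted, typical bytes sent) from a constructed set of flow records, flags observed flows that deviate from that entity's own baseline, and then walks the observed flows from a flagged entity to list the other devices it may have reached. Hostnames, byte counts, and the z-score rule are all constructed stand-ins for the machine-learning baselines real NTA products build.

```python
"""Toy flow-based NTA baseline (added example, constructed data).

Learns what each source entity normally does, then flags observed flows
that use a new destination port, contact a new peer, or send far more
bytes than that entity's baseline. A camera opening RDP to a workstation
is the classic "normal for a workstation, abnormal for a camera" case.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # source entity (constructed hostname)
    dst: str        # destination entity
    dport: int      # destination port
    bytes_out: int  # bytes sent by src in this flow


# Constructed baseline window: normal behaviour for workstations and a camera.
BASELINE = [
    Flow("ws-01", "fileserver", 445, 120_000),
    Flow("ws-01", "fileserver", 445, 95_000),
    Flow("ws-01", "mail", 443, 30_000),
    Flow("ws-02", "fileserver", 445, 110_000),
    Flow("ws-02", "mail", 443, 25_000),
    Flow("cam-07", "nvr", 554, 800_000),
    Flow("cam-07", "nvr", 554, 780_000),
    Flow("cam-07", "nvr", 554, 820_000),
]

# Constructed observation window with two deviations from the baseline.
OBSERVED = [
    Flow("ws-01", "fileserver", 445, 100_000),     # normal
    Flow("cam-07", "nvr", 554, 790_000),           # normal
    Flow("cam-07", "ws-02", 3389, 4_000),          # camera opens RDP to a workstation
    Flow("ws-02", "fileserver", 445, 9_000_000),   # volume far above ws-02's norm
]


class EntityBaseline:
    """Per-entity profile: ports used, peers contacted, bytes per flow."""

    def __init__(self):
        self.ports = defaultdict(set)
        self.peers = defaultdict(set)
        self.volumes = defaultdict(list)

    def learn(self, flows):
        for f in flows:
            self.ports[f.src].add(f.dport)
            self.peers[f.src].add(f.dst)
            self.volumes[f.src].append(f.bytes_out)
        return self

    def score(self, f, z_threshold=3.0):
        """Return the list of reasons a flow deviates (empty if it looks normal)."""
        if f.src not in self.volumes:
            return ["unknown entity"]
        reasons = []
        if f.dport not in self.ports[f.src]:
            reasons.append(f"new destination port {f.dport}")
        if f.dst not in self.peers[f.src]:
            reasons.append(f"new peer {f.dst}")
        vols = self.volumes[f.src]
        mu, sigma = mean(vols), pstdev(vols)
        # One-sided volume check: only unusually large transfers are flagged.
        if sigma:
            z = (f.bytes_out - mu) / sigma
        else:
            z = float("inf") if f.bytes_out > mu else 0.0
        if z > z_threshold:
            reasons.append(f"bytes_out {f.bytes_out} is {z:.1f} sigma above baseline mean {mu:.0f}")
        return reasons


def detect(model, flows, z_threshold=3.0):
    """Map each deviating observed flow to the reasons it was flagged."""
    alerts = {}
    for f in flows:
        reasons = model.score(f, z_threshold)
        if reasons:
            alerts[f] = reasons
    return alerts


def blast_radius(start, flows):
    """Entities reachable from `start` by following observed flows (BFS)."""
    seen, frontier = set(), [start]
    while frontier:
        node = frontier.pop()
        for f in flows:
            if f.src == node and f.dst != start and f.dst not in seen:
                seen.add(f.dst)
                frontier.append(f.dst)
    return seen


if __name__ == "__main__":
    model = EntityBaseline().learn(BASELINE)
    for flow, reasons in detect(model, OBSERVED).items():
        print(f"ALERT {flow.src} -> {flow.dst}:{flow.dport}: {'; '.join(reasons)}")
        print(f"  may have reached: {sorted(blast_radius(flow.src, OBSERVED))}")
```

The point the page makes about entity tracking shows up in how the baseline is keyed: the RDP flow is flagged because port 3389 and peer ws-02 are new for cam-07 specifically, not because RDP is unusual on the network as a whole. The blast-radius walk is the simplest form of the "how the threat has moved" attribution the page describes; a real product would scope it to the time window after the first alert.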
What to Look for in an NTA Solution
There are two basic kinds of NTA tools: flow-based tools and DPI (deep packet inspection) tools. Within these, there will be options for historical data storage, software agents, and intrusion detection systems.
Consider the following things when deciding what NTA solution is right for you:
1. Availability of flow-enabled devices. Not all devices are capable of generating the kind of flows required by flow-based NTA tools. In contrast, DPI tools accept raw traffic, which is vendor independent and available on every network through any managed switch; network routers and switches don’t require any special modules or support.
2. The data source. Packet data and flow data come from different sources, and not all NTA tools can collect both, so decide on your priorities first. Then be strategic in choosing what to monitor: don’t take on too many sources too quickly.
3. Historical data vs. real-time. While historical data can be critical to analyzing past events, not all NTA tools retain this data over time. Have a clear idea of which kind of data is most important to you.
4. Is the software agent-based or agent-free?
5. Full packet capture, complexity, and cost. When looking at DPI tools, consider the cost and expertise required for those that capture and retain all packets versus those that extract only the critical details and metadata.