Network Traffic Analysis (NTA) Forum

Rony_Sklar
IT Central Station
Jan 13 2021

There are so many NTA tools available. Do you have a recommendation for which tool is best for a large enterprise? 

Are there any lesser known products that can meet the needs of a large company? 

reviewer1266459
FortiAnalyzer can give good reports on enterprise-wide traffic analysis.

Dawid Van Der Merwe
First question should be, do you have a specific requirement or business need you need to address? From there you need to look at the solutions and how they answer your questions. There are quite a few solutions out there, but the type of data they ingest and the type of data they present will determine if it is the solution for you. Typically a SPAN or Monitor port should only really be used for troubleshooting purposes, so I always recommend either making use of Netflow or taps/packet brokers (Keysight/Ixia/Cubro/etc.). Also SPAN/Monitor ports can add some issues to your environment or data - especially if you are trying to support voice/video environments. Once you have identified that, you need to know if the solution can handle the data - 1Gb/5Gb/10Gb/50Gb/100Gb etc. I can recommend the following solutions, but it will all depend on what your need is and what your budget is:
- Colasoft Capsa
- Sintrex Flow Module
- ExtraHop Reveal(x)
- Netscout nGeniusOne
- VoipMon - for voice only
There are even a few free options (ntopng for one) that can give you some basic insight - and it might be a great place to start if you are new to NTA.

VinodYadav
Senior Manager at Cyfuture India Pvt Ltd
Dec 24 2020

I'm a Senior Manager at a large Tech Services Company. I want to do Analysis of my Network. Any suggestions of NTA tools to look at?

Lucas Delmarcel
You will definitely need a continuous monitoring system for your SIEM operations. Stealthwatch, Vectra and Bricata are among my favourites. If you are looking for ISE integration I can recommend Stealthwatch; it's also pretty much into behavior monitoring while it gives a complete insight on network data and potential threats. Stealthwatch's integration with the Cisco ecosystem is just superb, of course, since it's a Cisco product. Vectra and Bricata are surely worth considering. Both are more into displaying raw data as it is, offering great data-tuning options, and are very intelligent with threat prevention and monitoring. I personally think you're better off with NDR instead of IPS systems anyway.

Rony_Sklar
IT Central Station

What are the most important criteria to keep in mind when choosing an NTA tool?

Nicholas Arraje
1. Visibility, the ability to provide deep insight into all of the network traffic.
2. Analytic engines, the ability to use multiple detection engines like ML-based, Zeek, Suricata, etc.
3. Scale, the ability to address policy requirements for N/S and E/W deployments on-prem or in the cloud, along with scalable retention (weeks/months) for PCAP or network metadata.
4. Any and all NTA solutions need to be able to ingest threat intel and be able to integrate easily into SOAR and SIEM solutions.
5. It needs to fit with budget!

Rony_Sklar
IT Central Station

What are features to take into account when choosing an NTA tool? 

Dawid Van Der Merwe
Typically I ask what information it is that I need to solve a problem or adhere to compliance. It is with that information that you can start directing the conversation. It is also important to establish your budget, but be open to adjusting if you see that you might have underestimated the environment. Some of the questions that need to be considered:
- Am I looking for WAN or LAN traffic analysis?
- Do I have encrypted environments or tunnels traversing certain areas?
- Do I require the top talkers and related information, or do I require various response times (network, server, application, microservice)?
- Do I have SDWAN implemented and can I leverage off of the vendor for certain views?
- Will I be making use of Netflow/SFlow/etc. or live packet analysis, or both?
- Will I require visibility equipment like taps and packet brokers to aggregate and feed traffic to multiple sources?
- What is the difference between port mirroring (port span) vs tap/packet broker feeds?
- Is it all on-prem or multi-cloud (vTaps)?
- Is the solution capable of managing the potential load, 5Gbps, 10Gbps, 100Gbps?
- What compliance do I need to adhere to (PCI/POPI/etc.), and thus do I require limited captures, packet slicing/hashing, etc.?
- Do I require ML/AI for behavioral analysis?
- Do I have the staff to manage the solutions properly, or do I require a service with the solution?

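Several of the selection criteria raised in this thread (Nicholas Arraje's points on N/S vs E/W scale and threat-intel ingestion, and Dawid's questions on top talkers and compliance-driven packet slicing/hashing) can be made concrete with a small flow-record triage script. The following is an added example written for this page, not code from any of the products or commenters mentioned; the flow-record shape, the sample flows, the internal address ranges and the threat-intel indicator are all constructed placeholders (RFC 1918 and RFC 5737 documentation addresses), and the function names are assumptions.

```python
"""Added example (not from the forum thread): a minimal flow-record triage
pipeline illustrating criteria from the answers above. All flows, addresses
and the threat-intel list are constructed placeholders, not real traffic."""
from collections import Counter
from dataclasses import dataclass
import hashlib
import ipaddress


@dataclass(frozen=True)
class FlowRecord:
    """Simplified NetFlow/sFlow-style record (assumed shape, constructed)."""
    src: str
    dst: str
    dport: int
    proto: str
    bytes_: int
    packets: int


# Constructed sample flows; 10.0.0.0/8 stands in for the internal network,
# 198.51.100.0/24 and 203.0.113.0/24 (RFC 5737) stand in for the Internet.
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.5", "10.0.0.20", 443, "tcp", 1_200_000, 900),
    FlowRecord("10.0.0.5", "198.51.100.7", 443, "tcp", 50_000, 40),
    FlowRecord("10.0.0.9", "10.0.0.20", 53, "udp", 3_000, 30),
    FlowRecord("10.0.0.12", "203.0.113.9", 4444, "tcp", 800_000, 600),
    FlowRecord("10.0.0.12", "10.0.0.20", 443, "tcp", 20_000, 15),
]

# Constructed threat-intel indicator set (placeholder address).
THREAT_INTEL = {"203.0.113.9"}

# RFC 1918 ranges treated as "inside" for E/W vs N/S classification.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True when the address falls in one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(flow: FlowRecord) -> str:
    """east-west when both endpoints are internal, otherwise north-south."""
    if is_internal(flow.src) and is_internal(flow.dst):
        return "east-west"
    return "north-south"


def top_talkers(flows, n=3):
    """Aggregate bytes per source address and return the n largest."""
    totals = Counter()
    for f in flows:
        totals[f.src] += f.bytes_
    return totals.most_common(n)


def match_threat_intel(flows, intel):
    """Return flows where either endpoint is a known indicator."""
    return [f for f in flows if f.src in intel or f.dst in intel]


def slice_packet(payload: bytes, keep: int = 64):
    """Packet slicing for compliance: retain only the first `keep` bytes
    (enough for headers) plus a SHA-256 of the full payload for integrity,
    so application data beyond the headers is never stored."""
    return payload[:keep], hashlib.sha256(payload).hexdigest(), len(payload)


def triage(flows, intel):
    """Combine the checks into one report dictionary."""
    return {
        "top_talkers": top_talkers(flows),
        "north_south_bytes": sum(f.bytes_ for f in flows
                                 if direction(f) == "north-south"),
        "east_west_bytes": sum(f.bytes_ for f in flows
                               if direction(f) == "east-west"),
        "intel_hits": match_threat_intel(flows, intel),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FLOWS, THREAT_INTEL).items():
        print(f"{key}: {value}")
    head, digest, size = slice_packet(b"GET /example HTTP/1.1\r\n" + b"x" * 500)
    print(f"sliced {size} bytes to {len(head)}, sha256={digest[:16]}...")
```

The E/W vs N/S split is what tells you whether a SPAN port or a single perimeter tap will ever see the traffic you care about; the slicing function is the shape of the "limited capture" compromise compliance teams usually accept, since the hash still lets you prove a stored fragment matches what was on the wire.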
Ariel Lindenfeld
Sr. Director of Community
IT Central Station

Let the community know what you think. Share your opinions now!

ABOZAID MOHAMED
Network performance, bandwidth utilisation, data flow speed, bottlenecks, node issues, network medium issues, segmentation efficiency, distributed network requirement as a solution, multicast required as a solution or redesign it.

Wim Coenen
It depends what your environment is. We have very good experiences with two solutions. When you're using Cisco Networking, their Stealthwatch solution (also part of their EA, a full NBA/ADS* solution) does a very good job and gets more and more integrated in their Networking, Security and Admission Control solutions. When you are looking for a less expensive solution, we have very good experiences with Flowmon, a spin-off from the University of Brno (Czech Republic) and a very mature NBA/ADS* solution as well. In NL Flowmon is successfully in use by education, healthcare, finance and transportation. *NBA/ADS: Network Behavior Analysis / Anomaly Detection System.

reviewer1310022
Modern Security Operations teams have access to vast amounts of data, but this has not translated into greater effectiveness. The goal of NTA is to not only eliminate blind spots with unprecedented visibility, but to also cut through the noise of alerts with high-fidelity behavioral analytics. In addition, it should dramatically reduce the time required to take action, from days to seconds, through automated investigations. To achieve these goals, NTA takes advantage of new machine learning and network traffic analytics technology. At its core, NTA should be powered by an open, programmable, and extensible real-time streaming analytics platform and cloud-based behavioral analytics for full layer-7 visibility. NTA should have an analytics and investigation platform for the enterprise. NTA applies real-time analytics and machine learning to every network transaction to cut through the noise and deliver concrete answers. Much like SIEM turned logs into operational insights, NTA turns network data into real-time situational intelligence. NTA technology is often used by Security and IT Ops teams to support key initiatives like Security, App Service Delivery, and IT Modernization.

Rony_Sklar
IT Central Station

AI has been introduced into many cybersecurity tools. How has this improved the efficacy of these tools? Are there any drawbacks?

reviewer1259193
Efficiency has definitely improved; tool sets that I'm familiar with are becoming more accurate with alerts and identifying the unusual. This was never the case a few years ago, where signature and full packet inspection was the only real method of reactive detection. AI has definitely pushed user behaviour to a new level which was nearly impossible to accurately baseline previously. Of course with any developed technology lots of modelling and testing has to be completed, but let's not forget AI has been talked around a long while but until recently it's not really been that useful. As for drawbacks, I haven't noticed many; any false positive is I suppose a drawback, but generally I only see this as a logical step in an ever changing environment. Having said all that, no one ever relies on a single technology and the key is to test, test and yes, more tests. I for one always have a red team type exercise, the scale dependent on the company; this gives a great indication on your defences and how we can improve. This is then supported with table tops with technical teams to ensure repeatable actions are followed. Users will always be the key, and having a well educated and robust user awareness programme is also paramount.

Rony_Sklar
IT Central Station

Why should businesses invest in NTA tools?