How to Use Network Behavior Analysis Tools

Network behavior analysis tools can help tune operations as well as improve security. Here are five tips for getting the job done.

What's happening on the enterprise network, or more to the point, what's occurring on the network that should not be, is a major concern of security executives. If someone is trying to hack in, a virus or worm is spreading, or a denial-of-service attack is underway, there may be evidence of the activity before it becomes a major problem.

Network behavior analysis (NBA) technology helps organizations detect and stop suspicious activity on corporate networks in a timely manner, possibly preventing, or at least limiting, serious damage from attacks. NBA is designed to give security managers the level of network visibility they need to make sure security threats are quickly identified and remedied.

The products analyze network traffic using data gathered from devices such as IP traffic flow systems, or via packet analysis. They use a combination of signature and anomaly detection to alert security and network managers to any activity that appears to be out of the norm, providing a view of the network that lets managers analyze activity and respond before there's damage to systems and data.

"A key benefit of NBA systems is the [network] visibility that they provide," says Lawrence Orans, research director at Gartner, who leads the firm's NBA coverage. Orans says this visibility helps in two areas: network operations (for example, troubleshooting and performance) and security (i.e. malware monitoring and detecting unwanted applications).

NBA can be used to detect behavior that might be missed by other security technologies such as intrusion prevention systems (IPS), firewalls and security information and event management (SIEM) systems, according to Gartner. Those technologies might not identify threats that they are not specifically configured to look for. Gartner says NBA is suitable as a complementary technology to intrusion detection and prevention software, which is effective for addressing network attacks that can be positively identified.

Vendors addressing the network behavior analysis market include many of the broader, established network and security companies as well as niche players that specialize in the technology. Those that focus specifically on NBA are Arbor Networks, Lancope, Mazu Networks and Q1 Labs. Companies including Cisco Systems, Internet Security Systems (part of IBM), NetFort Technologies, Sourcefire and Securify (to be acquired by Secure Computing) also offer products with some type of NBA capabilities.

Among the common functionality and features of behavior analysis systems are the use of network flow data to identify suspicious behavior on the network and where it's coming from; mitigation to stop malicious activity and fix network problems; and reports on all network configurations and user behavior.
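The two detection approaches described above (signature plus anomaly detection over network flow data) can be illustrated with a small flow analyzer. This is an added example, not code from the article or from any of the vendors it names; the flow records, the blocked-port policy and the fan-out threshold are all constructed assumptions.

```python
"""Toy network behavior analysis over constructed flow records.

Each record is a NetFlow/IPFIX-style tuple (src, dst, dst_port, bytes). Two
checks mirror the article: a signature rule (a port that policy forbids) and
an anomaly rule (a host whose destination fan-out leaps above its learned
baseline, the shape a spreading worm or internal scan produces).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data, not real traffic: a quiet baseline window ...
BASELINE_FLOWS = [
    ("10.0.0.11", "10.0.1.5", 443, 4200), ("10.0.0.11", "10.0.1.6", 80, 900),
    ("10.0.0.12", "10.0.1.5", 443, 3100), ("10.0.0.12", "10.0.1.7", 445, 2200),
    ("10.0.0.12", "10.0.1.6", 80, 700), ("10.0.0.13", "10.0.1.5", 443, 5100),
    ("10.0.0.13", "10.0.1.6", 80, 800), ("10.0.0.14", "10.0.1.5", 443, 2800),
    ("10.0.0.14", "10.0.1.6", 80, 600), ("10.0.0.14", "10.0.1.7", 445, 1900),
]
# ... and a later window where 10.0.0.12 fans out to 20 hosts on 445 and
# 10.0.0.13 opens a telnet session.
CURRENT_FLOWS = [
    ("10.0.0.11", "10.0.1.5", 443, 4000), ("10.0.0.11", "10.0.1.6", 80, 950),
    ("10.0.0.13", "10.0.1.5", 443, 4900), ("10.0.0.13", "10.0.1.9", 23, 300),
] + [("10.0.0.12", f"10.0.2.{i}", 445, 120) for i in range(1, 21)]

BLOCKED_PORTS = {23}  # hypothetical policy: telnet is not permitted internally


def fanout(flows):
    """Number of distinct destinations each source host talked to."""
    dests = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}

def signature_alerts(flows):
    """Signature rule: every flow to a blocked service port."""
    return sorted({(s, d, p) for s, d, p, _ in flows if p in BLOCKED_PORTS})

def anomaly_alerts(baseline, current, k=3.0):
    """Anomaly rule: fan-out above baseline mean + k*sigma (sigma floored at 1)."""
    base = list(fanout(baseline).values())
    threshold = mean(base) + k * max(pstdev(base), 1.0)
    return {s: n for s, n in fanout(current).items() if n > threshold}

def analyze(baseline, current):
    """Both detectors together, the way an NBA console would surface them."""
    return {"signature": signature_alerts(current),
            "anomaly": anomaly_alerts(baseline, current)}
```

Calling `analyze(BASELINE_FLOWS, CURRENT_FLOWS)` reports the telnet flow under the signature rule and 10.0.0.12's 20-host fan-out under the anomaly rule, while the hosts that kept their usual two or three destinations stay quiet.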
