Security Spotlight: Network Behavior Analysis goes long and wide


Lisa Phifer
10.23.2006
Despite massive investment in firewalls, intrusion prevention and antivirus, enterprise networks continue to be plagued by internal misuse and attack. For seven years straight, insider abuse and virus outbreaks have topped the CSI/FBI Computer Crime and Security Survey. Network operations center staff, already overwhelmed by security perimeter alerts, just can't afford to battle internal threats the same old way. Perhaps it is time to consider a new approach: Network Behavior Analysis (NBA).

Why deploy Network Behavior Analysis?

NBA, also known as Network Behavior Anomaly Detection, describes a relatively new field of products that employ passive observation and profiling to spot traffic spikes, atypical usage and policy violations. Conventional intrusion prevention system solutions like Snort and Intrusion.com defend your network's perimeter through in-line traffic inspection, signature detection and real-time blocking. However, NBA solutions watch what's happening inside your network, aggregating flow data from many points to support offline behavioral analysis, relationship profiling, anomaly identification and human-assisted "soft touch" remediation.

By operating passively, NBA adds no latency and cannot become a performance bottleneck. By monitoring traffic flows inside your network, NBA can detect employee use of forbidden protocols and behind-the-firewall connections of infected laptops and removable storage. By comparing current behavior with past behavior, NBA can spot zero-day attacks and worm outbreaks for which signatures and patches have not yet been deployed. By taking a long-term view, NBA not only supports defense-in-depth but also enables capacity planning and compliance reporting.

Adding NBA to your network

Emerging NBA solutions may vary in terminology and interfaces, but all distribute sensor appliances (aka monitors or collectors) throughout your internal network, at high-traffic intersections. NBA sensors are usually connected to LAN taps or switch mirror (SPAN) ports. Some collect raw packets; others collect flow records from network switches and routers. For example, most NBA products can consume NetFlow and/or sFlow records that document the IP address, port, protocol and interface of each traffic stream passing through a router or switch.

Sensors relay observations to a central analyzer appliance (aka manager or controller). The analyzer creates a baseline of your network, observing client/server exchanges, the protocols they use, data rates, time of day and other metrics. Once this baseline has been established, the analyzer watches for variances -- for example, a rate spike that could indicate a worm outbreak, or an unusual peer-to-peer protocol being sent over port 80 to bypass firewall rules. Most analyzers can be configured with zone-based policies that spot violations -- for example, otherwise permissible traffic being exchanged between systems in different workgroups, defying data compartmentalization rules.

When anomalous behavior is detected, analyzers generate alerts. Role-based consoles let operators view alerts, visualize real-time service and user activity, and generate detailed reports for incident investigation or compliance reporting. As they do not operate in-line, NBA products are not designed to persistently auto-block intrusions. But some NBA products can take stop-loss actions, like adding a temporary access control list (ACL) to your router, switch, or firewall to quarantine the apparent source of a high-impact worm.
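As an added illustration of the baseline-and-variance analysis described above (example code written for this page, not any vendor's analyzer): it reduces NetFlow-style records to (window, src, dst, dport) tuples, learns per-host flow rates and peer relationships over three quiet windows, then scores a fourth window for a rate spike, a cross-zone policy violation, new relationships and a dropout of expected traffic. The zone map, subnets and all flow records are constructed sample data.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed workgroup zones and the cross-zone exchanges that policy permits.
ZONES = {"10.1.0.0/24": "engineering", "10.2.0.0/24": "finance", "10.3.0.0/24": "servers"}
ALLOWED = {("engineering", "servers"), ("finance", "servers")}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for n, z in ZONES.items() if addr in ipaddress.ip_network(n)), "unknown")

def build_baseline(flows):
    """flows: (window, src, dst, dport) tuples reduced from NetFlow/sFlow records."""
    per_window, peers = defaultdict(Counter), set()
    for window, src, dst, dport in flows:
        per_window[window][src] += 1
        peers.add((window, src, dst, dport))
    windows = sorted(per_window)
    rate = {}  # host -> (mean flows per window, stdev) learned over the baseline
    for host in {s for _, s, _, _ in flows}:
        counts = [per_window[w][host] for w in windows]
        rate[host] = (mean(counts), pstdev(counts))
    known = {(s, d, p) for _, s, d, p in peers}
    # Relationships seen in every baseline window are expected to keep appearing.
    steady = {k for k in known if all((w, *k) in peers for w in windows)}
    return {"rate": rate, "known": known, "steady": steady}

def analyze(baseline, flows, spike_sigma=3.0):
    """flows: (src, dst, dport) tuples for one observation window; returns sorted alerts."""
    alerts = set()
    for host, n in Counter(src for src, _, _ in flows).items():
        mu, sigma = baseline["rate"].get(host, (0.0, 0.0))
        if n > mu + spike_sigma * max(sigma, 1.0):  # floor stdev so a flat baseline still alerts
            alerts.add(("rate_spike", host, n))
    for src, dst, dport in flows:
        zones = (zone_of(src), zone_of(dst))
        if zones[0] != zones[1] and zones not in ALLOWED:
            alerts.add(("zone_violation", src, dst))
        elif (src, dst, dport) not in baseline["known"]:
            alerts.add(("new_relationship", src, dst))
    for s, d, p in baseline["steady"] - set(flows):
        alerts.add(("dropout", s, d))  # expected traffic that failed to show up
    return sorted(alerts)

# Constructed sample: three quiet windows, then a window with a worm-like SMB sweep from
# an engineering host, a finance->engineering exchange, and the finance SMB flow missing.
BASELINE = [(w, *f) for w in (1, 2, 3)
            for f in [("10.1.0.5", "10.3.0.10", 443)] * 2 + [("10.2.0.7", "10.3.0.20", 445)]]
WINDOW = ([("10.1.0.5", "10.3.0.10", 443)] * 2
          + [("10.1.0.5", f"10.1.0.{i}", 445) for i in range(11, 17)]
          + [("10.2.0.7", "10.1.0.5", 80)])
```

Running `analyze(build_baseline(BASELINE), WINDOW)` yields nine alerts: one rate spike, one zone violation, six new relationships from the sweep, and one dropout.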

Choosing the right NBA appliance

What should you look for in an NBA solution?

  1. Consider where to deploy NBA sensor appliances throughout your network. Sensors that gather raw packets can be expensive in very large networks -- you may want to start by creating "security zones" around high-value assets. Gathering flow records from routers and switches leverages your existing network infrastructure to provide broader NBA coverage with fewer sensors.
  2. Check sensor compatibility with your existing network at the physical, data link and network layers, including NetFlow and sFlow versions, support for proprietary flow protocols, number/type of LAN ports, and verified-interoperable network devices. For some products, different observation methods require different sensor models.
  3. Match NBA sensors and your central analyzer to your network size. For example, Mazu Networks Inc.'s Profiler is sold in three configurations, based on the number of monitored hosts (from 2,500 to 400,000) and observed flows (from 100K to 1M flows per minute). For large offices, consider regional analysis or regional flow data aggregation.
  4. The analyzer is the heart and soul of any NBA. Take a hard look at how threats are detected, how the baseline adjusts over time, how zones and policies are configured, and how alerts are reported. For example, an NBA should automatically learn who normally talks to whom, along with how often and when they talk. If your business tends to have very busy periods, will the NBA generate false positives? How quickly will it adjust when the busy period ends? How accurately does it model relationships between your systems, and how accurately can it pinpoint the root cause of an outbreak?
  5. NBA products are evolving at the human/system interface: expanding integration with NMS and SIM systems, providing customizable views optimized for each person's job and catering to compliance reporting. For example, can your NBA add ACLs to your router, switch or firewall -- or coordinate that action through your NMS? Can it tie alerts to individual users by consulting your authentication systems? How long is data retained for ad hoc queries and historical reporting?
  6. As with any security system, look for encrypted/authenticated management interfaces, platform hardening and high availability. Extend this care to all flow data sources leveraged by your NBA. Use your NBA not only to spot surges and flows that should not be there, but also to detect dropouts and absence of traffic that should be there.

Finding an NBA appliance

Some IPS vendors (e.g., Sourcefire Inc. in Columbia, Md.) are now adding NBA features to their product lines, complementing in-line defenses. Behavior analysis techniques are also creeping into SIM products (e.g., Enterasys Networks Inc. in Andover, Mass.). But many analysts consider NBA to be a distinct category, differentiated by location, role and focus. NBA appliances available today include the following:

About the author
Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation and evaluation of data communications, internetworking, security and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
