Beyond Firewalls and IPS: Monitoring Network Behavior

Large enterprises are deploying network behavior analysis tools to supplement firewalls and IPS to block unknown types of attacks and catch stealthy attacks in progress.

How well do your network defenses block unknown types of attacks or catch stealthy attacks in progress? For combating previously discovered attacks and exploits at the network level, companies employ firewalls and intrusion prevention and detection systems (IPS/IDS). Such tools, however, won’t stop previously unseen types of attacks (including new viruses, worms, and exploits of not-yet-disclosed vulnerabilities) or catch many attacks already in progress.

Hence companies need to add network defenses against unknown attacks. “Companies can’t afford to learn about security breaches after they’ve already cascaded throughout the entire enterprise,” notes Ameet Patel, a former senior IT executive at JPMorgan Chase & Co. and also the former head of its strategic technology advisory group, LabMorgan. That’s why “CIOs and CSOs are demanding actionable intelligence to help their security teams determine if an attack is underway, and what resources are being affected in real time,” regardless of whether or not the exact type of attack has been seen before.

While it’s extremely difficult to pull information from a variety of network devices and build a picture of current network activity, new network behavior analysis (NBA) tools can help. These tools pull data from a variety of sources—including actual network packets, plus firewalls, IDS, and IDP logs—then apply signatures to look for known attacks, while using algorithms to detect unknown attacks and related events.

Paul Proctor, research vice president of security and risk at Gartner Inc. in Stamford, Conn., predicts NBA tools—which supplement firewalls and intrusion prevention systems—will soon become a must-have for many companies. “By year-end 2007, 25 percent of large enterprises will employ NBA as part of their network security strategy.”

Current NBA vendors include Arbor Networks, GraniteEdge Networks, Lancope, Mazu Networks, and Q1 Labs. “Cisco’s MARS product also provides NBA,” notes Proctor, and some products will also help detect and block distributed denial of service (DDoS) attacks, capabilities he characterizes as “a subset of NBA functionality.”

Adding NBA to Network Defenses

NBA picks up where other security defenses leave off. In most enterprise networks, for example, firewalls enforce security policies, while IDS and IPS automatically block known-bad activities. Some enterprises also use security information and event management (SIEM) software to help correlate events, looking for evidence of attacks. All of these products together, however, “cannot block or even detect every possible problem on the network,” says Proctor.

In general, firewalls and IDS/IPS are good at blocking “the bull in the china shop attacks, but not at mitigating more low and slow attacks,” says Steve O’Brian, vice president of product management and marketing for GraniteEdge Networks.

Unknown attacks are another concern. As GraniteEdge president Ross Ortega notes, “A zero-day worm is going to waltz right past a firewall, which just has a signature.” Other hard-to-detect attacks include worms brought into an enterprise by laptop users, attacks made using actual users’ real credentials, targeted attacks, and the activities of malicious insiders.

So Proctor recommends considering NBA as a supplement to existing, layered network defenses—firewalls, IDS/IDP, and SIEM (if used)—“to identify network events and behavior that are undetectable using other techniques.”

How NBA Works

After generating a baseline of typical network activity, NBA tools then detect anomalous behavior, which security analysts might not otherwise notice. Since attacks may span hours or days, NBA tools also help identify which systems the attack affected—something firewalls and IDS/IDP alone can’t do.

Furthermore, NBA tools correlate anomalies, reducing the amount of information security analysts must study. “Take a large enterprise that has 2,000 or 3,000 anomalies occurring every day,” says O’Brian. “We will crunch those down into a dozen or two chains that have some linkage and pattern. We shrink the quantity of information that has to be dealt with by an analyst so they don’t have a quantity overload.”
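The baseline-then-correlate flow described above, as an added sketch that is not code from any vendor named in this article: it baselines each host's hourly fan-out, flags hours that exceed the baseline, and links anomalies into chains when an earlier anomalous host had contacted the later one. The flow tuples, host names, threshold and linking rule are assumptions chosen for illustration, and all data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

def fan_out(flows):
    """Map (hour, src) -> set of distinct destinations contacted in that hour."""
    seen = defaultdict(set)
    for hour, src, dst in flows:
        seen[(hour, src)].add(dst)
    return seen

def build_baseline(flows):
    """Per-host (mean, population stddev) of hourly fan-out during normal activity."""
    per_host = defaultdict(list)
    for (_, src), dsts in fan_out(flows).items():
        per_host[src].append(len(dsts))
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}

def detect(flows, baseline, k=3.0):
    """Flag (hour, src, dsts) where fan-out exceeds mean + k * stddev (stddev floor of 1)."""
    hits = []
    for (hour, src), dsts in fan_out(flows).items():
        mu, sigma = baseline.get(src, (0.0, 0.0))  # unseen hosts get a zero baseline
        if len(dsts) > mu + k * max(sigma, 1.0):
            hits.append((hour, src, dsts))
    return sorted(hits, key=lambda a: (a[0], a[1]))

def correlate(anomalies):
    """Assumed rule: join a chain if an earlier anomalous host in it contacted this source."""
    chains = []
    for hour, src, dsts in anomalies:
        for chain in chains:
            if any(src in d and h < hour for h, _, d in chain):
                chain.append((hour, src, dsts))
                break
        else:
            chains.append([(hour, src, dsts)])
    return chains

def constructed_baseline():
    """Constructed data: 24 hours in which five PCs each contact 2 or 3 servers."""
    return [(h, f"pc{i}", f"srv{k}") for h in range(24) for i in range(1, 6)
            for k in range(2 + (h + i) % 2)]

def constructed_live():
    """Constructed data: a spreading burst from pc1 plus one unrelated burst on pc5."""
    def burst(hour, src, peers):
        return [(hour, src, d) for d in peers + [f"srv{k}" for k in range(6)]]
    return (burst(24, "pc1", ["pc2", "pc3"]) + burst(25, "pc2", ["pc4"]) + burst(25, "pc3", [])
            + burst(26, "pc4", []) + burst(24, "pc5", []) + [(24, "pc4", "srv0")])
```

On the constructed data, five anomalies collapse into two chains: the spread that starts at pc1 and the isolated burst on pc5.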

While NBA gathers information and crunches data, that’s where its job ends. “Fundamentally, they are a window into the behavior of a network and require a knowledgeable operator to interpret their output,” notes Proctor.

In fact, he explicitly advises companies to not deploy NBA tools to automatically block attacks—even though such devices can effectively detect zero-day or stealth attacks—simply because of the potential for too many false positives.

“This isn’t unlike the early versions of intrusion detection systems, which weren’t reliable enough to enable automated responses,” he says. “In addition, NBA automated response mechanisms are usually implemented as access control list policy pushes to network devices, which Gartner does not recommend, because this method is not sustainable in a large enterprise. In this light, NBA is best used to detect, investigate, and manually address suspected incidents and problems.”

Deploying NBA

Which types of companies are the best fit for NBA technology? “Certainly the businesses that we see as the best matches are ones where they have really high-valued assets that they’re trying to protect,” says O’Brian. “So, for example, we’ve dealt with companies from the financial industry, utility companies, but we’ve also targeted some technology companies who have an incredible amount of IP [intellectual property], who just find they’re victims of people trying to obtain that IP through breaches.”

Another rationale for deploying NBA is to help prevent time-consuming and costly cleanup efforts after virus, worm, or other malware outbreaks. For example, “one company reported implementing NBA after the Nimda worm hit its enterprise, penetrating 70 percent of its servers, and it took four days for the company to resolve the worm issue. After implementing NBA, the company was hit by the Mytob virus. The NBA system discovered Mytob on five PCs within a few minutes of the first infection, and network administrators manually blocked ports to contain the virus,” says Proctor. “This is a typical success story with NBA, in which it provides early warning and investigation to isolate the problem, but it isn’t used for automated response.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.
