Minding the Network Behavior

Can products such as Lancope’s StealthWatch spot security problems and network bottlenecks?

If your weekday mornings are similar to mine, you or someone on your staff reads a network intrusion detection system (IDS) report. Every morning, a report hits my mailbox that shows unusual (and often usual) activity on my network segments, and every once in a while that report triggers a walk down the hall to visit a machine and perform remediation.

Those reports look at traffic passing through a perimeter-filtering device. For an open environment, that arrangement works just fine. However, for environments that are not open, knowing more about the traffic inside your network can be essential for both security and compliance.

One way to get this information is a process called network behavior analysis (NBA), which analyzes summaries of the packets traveling through your network. The traffic is compared to a baseline; abnormalities and suspicious traffic generate alerts and reports.

NBA provides a global view of network traffic usable by both network operations and security teams. NetOps quickly spots traffic bottlenecks and outages, reducing response time and manual labor to identify and fix problems. Security teams get a leading-edge indicator of potential breaches, compromises, and policy violations which can trigger automatic or manual investigation or remediation efforts.

The process starts in the network’s switches and routers, which send a metadata summary of each data packet traversing the device. The metadata, called flows, are exported as UDP datagrams. The flow overhead, which travels over the same network as all other packets, is usually 5 to 10 percent of normal network traffic. The flows are usually directed at one or more collection devices, which also perform the analysis. How this is handled varies from company to company and product to product.

The specifics of the flow vary between switches. For example, Cisco usually generates flows at a 1:1 ratio to data packets, and additional information from the data packet can be included in the flow. Juniper, without an optional hardware accelerator, produces a flow only for sampled packets at a fixed rate (such as one in every hundred data packets).

Major players in the space include Arbor Networks, GraniteEdge Networks, Lancope, Mazu Networks, and Q1 Labs. Even Cisco is in the field with its MARS (Monitoring Analysis and Response System) options. The scope and specifics vary between players. Most products come as an appliance with browser-based interfaces. Most can consolidate collections from multiple appliances into a single world view. Almost all can feed a security information manager (SIM)/security event manager (SEM) to provide a common trigger-point for NetOps and security teams.

Obviously, current network infrastructure is important. No one throws out switches just to run these products. If the network is already running at over 70 percent capacity, the additional strain may slow business tasks. The investment, which can run more than $100,000, means only geographically diverse, medium-sized companies/institutions or any large enterprise/institution that has a network with sufficient complexities will reap sufficient benefits. Consider 1,000 endpoints as the entry level.

IDS: After the Fact

Network behavior analysis systems are different from, but complementary technologies to, intrusion detection systems. Adam Powers, chief technical officer of Lancope, which makes StealthWatch, highlights the difference with an example that anyone with a phone and a teenager readily understands—the hundred-dollar-plus phone bill.

Says Powers, “It’s the end of the month and the phone bill comes in. The bill is normally $130 and this one is $680, so you scan through the call details and find 27 1-900 calls on a specific date and you recall your 16-year-old had a sleepover that night. You’ve got the bill, a good indication of what caused the charges, and who is responsible.”

Basically, that’s an IDS: an after-the-fact analysis of individual events. By feeding some type of security event manager (SEM) / security information manager (SIM), operations departments can get near real-time analysis and alerts of individual events. Usually, however, most oversight is reactive and based on noticing exceptional events.

An IDS falls short when the abnormality lies in otherwise permitted, non-exceptional events. For example, an authorized user normally sips a few hundred bytes from a database every couple of minutes; but when that changes to several gigabytes of files in an hour, there may be a notebook that’s getting loaded up, and that activity can be a signal of a possible policy violation (taking database information off-premises) or of a compromised host.

An IDS may log the event, but because the transaction is normally permitted, the heavy usage may not trigger an alarm. An NBA system would note the increased traffic against the baseline and generate an almost real-time event, which could trigger an operations and/or security alert of the activity. Because sixty-odd percent of corporate data loss is due to insider actions, depending on perimeter devices such as firewalls for such events would leave the security team clueless.
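As an added illustration of the baseline comparison described above (this is example code, not from the article or from any vendor’s product), the Python sketch below builds a per-conversation volume baseline from constructed hourly flow summaries and flags the permitted-but-oversized database pull, plus a conversation that has no baseline at all. The host names, the flow tuple layout and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample, not real data: hourly flow summaries (interval, src, dst, bytes)
# for one user's workstation talking to a database server.  For 24 training hours the
# workstation pulls a few hundred bytes every couple of minutes, roughly 9 KB per hour.
def sample_flows():
    flows = []
    for hour in range(24):
        flows.append((hour, "ws-17", "db-1", 8500 + (hour * 37) % 1000))
    # Hour 24: the same permitted conversation, but several gigabytes in one hour.
    flows.append((24, "ws-17", "db-1", 4_000_000_000))
    # Hour 24: a conversation that never appeared during the baseline period.
    flows.append((24, "ws-17", "ftp-ext", 250_000))
    return flows

def build_baseline(flows, training_intervals):
    """Per (src, dst) pair: mean and std-dev of bytes per interval over the training window."""
    totals = defaultdict(lambda: defaultdict(int))
    for t, src, dst, nbytes in flows:
        if t < training_intervals:
            totals[(src, dst)][t] += nbytes
    baseline = {}
    for pair, by_interval in totals.items():
        series = [by_interval.get(t, 0) for t in range(training_intervals)]
        baseline[pair] = (mean(series), pstdev(series))
    return baseline

def detect_anomalies(flows, baseline, training_intervals, sigma=3.0, min_ratio=10.0):
    """Flag intervals whose volume exceeds the baseline by both sigma std-devs and
    min_ratio x mean, plus any pair with no baseline.  Returns (pair, interval, bytes, reason)."""
    totals = defaultdict(lambda: defaultdict(int))
    for t, src, dst, nbytes in flows:
        if t >= training_intervals:
            totals[(src, dst)][t] += nbytes
    alerts = []
    for pair, by_interval in totals.items():
        for t, total in sorted(by_interval.items()):
            if pair not in baseline:
                alerts.append((pair, t, total, "new conversation, no baseline"))
                continue
            mu, sd = baseline[pair]
            threshold = max(mu + sigma * sd, min_ratio * mu)
            if total > threshold:
                alerts.append((pair, t, total, f"volume {total / mu:.0f}x baseline mean"))
    return alerts

if __name__ == "__main__":
    base = build_baseline(sample_flows(), training_intervals=24)
    for alert in detect_anomalies(sample_flows(), base, training_intervals=24):
        print(alert)
```

The ratio floor keeps a quiet conversation with a near-zero standard deviation from alerting on trivial growth; a real collector would also roll the baseline forward as new intervals arrive.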

Phil Hochmuth, senior analyst at Yankee Group, said of NBA, “For a long time, NBA was just an operational function, figuring out what was talking to what or looking for bottlenecks. NBA has evolved into presenting the overall picture of the network but especially in terms of security identifying potential attacks and misuse of network resources.”

Hochmuth also notes that NBA vendors have different orientations: some products are geared more to NetOps needs, some to security, and some vendors strike an effective middle ground.

For many of us, our IDS and firewall reports give us enough security intelligence to react and plan. For medium and large enterprises and institutions, particularly those with complex networks that need deep analysis, firewalls and IDSs are not adequate. For those at such installations, a hard look at a network behavior analysis system makes absolute sense.