The business of network behavior analysis

When it comes to network security, what you don’t know can definitely hurt you.

For Dan Lukas, lead security architect at Aurora Health Care in Milwaukee, his fear of the unknown keeps him motivated to protecting the healthcare organization’s resources, which supports about 30,000 users, 13 hospitals, 175 pharmacies and 125 clinics throughout Wisconsin.

“People may think they know what’s going on inside their network, but often they don’t,” Lukas says.

Recently, Lukas says his hub-and-spoke network fell victim to a spybot virus exploiting a Microsoft Server Service vulnerability, which “could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system,” according to a Microsoft Security Bulletin. A mobile user connected his infected laptop to the network, which kicked off the virus. Yet Lukas says the damage was minimal, because he had technology in place to detect the traffic changes.

About a year ago, Lukas deployed StealthWatch appliances from network behavior-analysis vendor Lancope, to get a better read on traffic out to the edge of Aurora’s distributed network in a way he felt an intrusion-prevention system could not. The technology helps him see in real time what is traversing his net and spot unknown traffic and new traffic patterns that could represent a threat.

“StealthWatch helps us see the state of the union, so to speak, right now — and not just the bad stuff. It also works to set application baselines and performance analysis,” Lukas says. “We have things that jump on our network that we don’t always have all the information on in terms of how they work, so we needed a way to spot them without necessarily knowing about them in advance.”

Another layer of security

Network behavior-analysis systems promise to add another layer of security to corporate networks by watching traffic for changes in typical actions. The systems typically perform a benchmark of traffic behavior and monitor for changes. Then if, for example, a relatively unused server begins to propagate many requests, the anomaly-detection system might suspect the host could be falling victim to a worm. Or if enterprise application traffic deemed content-sensitive starts to use Port 80 — the port left open on firewalls for Internet traffic — the products could send an alert about a possible breach of compliance policies.

Companies such as Arbor Networks, GraniteEdge Networks, Lancope, Mazu Networks and Q1 Labs offer products that perform this type of traffic-monitoring and behavior analysis of known and unknown threats. Cisco also offers this type of technology, though its MARS (Monitoring Analysis and Response System) performs network anomaly detection and can interpret signals and alerts from IPS gear and react by sending policies to routers and switches.

Tools for monitoring traffic for potential breaches are becoming a staple in most security managers’ arsenal. According to Gartner, by the end of 2007, 25% of companies will employ such tools as part of their network security strategy.