When it comes to network security, what you don’t know can definitely hurt you.

For Dan Lukas, lead security architect at Aurora Health Care in Milwaukee, his fear of the unknown keeps him motivated to protecting the healthcare organization’s resources, which supports about 30,000 users, 13 hospitals, 175 pharmacies and 125 clinics throughout Wisconsin.

“People may think they know what’s going on inside their network, but often they don’t,” Lukas says.

Recently, Lukas says his hub-and-spoke network fell victim to a spybot virus exploiting a Microsoft Server Service vulnerability, which “could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system,” according to a Microsoft Security Bulletin. A mobile user connected his infected laptop to the network, which kicked off the virus. Yet Lukas says the damage was minimal, because he had technology in place to detect the traffic changes.

About a year ago, Lukas deployed StealthWatch appliances from network behavior-analysis vendor Lancope, to get a better read on traffic out to the edge of Aurora’s distributed network in a way he felt an intrusion-prevention system could not. The technology helps him see in real time what is traversing his net and spot unknown traffic and new traffic patterns that could represent a threat.

“StealthWatch helps us see the state of the union, so to speak, right now — and not just the bad stuff. It also works to set application baselines and performance analysis,” Lukas says. “We have things that jump on our network that we don’t always have all the information on in terms of how they work, so we needed a way to spot them without necessarily knowing about them in advance.”

Another layer of security

Network behavior-analysis systems promise to add another layer of security to corporate networks by watching traffic for changes in typical actions. The systems typically perform a benchmark of traffic behavior and monitor for changes. Then if, for example, a relatively unused server begins to propagate many requests, the anomaly-detection system might suspect the host could be falling victim to a worm. Or if enterprise application traffic deemed content-sensitive starts to use Port 80 — the port left open on firewalls for Internet traffic — the products could send an alert about a possible breach of compliance policies.