NBA: Your last line of defense

Network behavior analysis tools can block zero-day threats

There’s a new weapon in the security arsenal that monitors network traffic and issues real-time alerts when it spots unusual or suspicious behavior on the network.

Network Behavior Analysis (NBA) tools fill the void left by static security products such as firewalls, which simply enforce pre-existing policies, and intrusion-detection/prevention systems (IDS/IPS), which detect and block attacks based on known signatures.

Read a story on how NBA's work.

NBA tools are constantly monitoring and analyzing network traffic, looking for that zero-day attack, for that client machine that’s been turned into a spambot, for that server containing sensitive information that’s trying to connect to the Internet at 3 a.m.

“NBAs focus on abnormal behaviors without necessarily designating them good or bad. In this way, NBAs can be considered the last line of defense to client networks. We foresee the demand for NBA functionality will grow through 2010, as organizations look for technology to fill the gaps in their comprehensive enterprise monitoring,” says Paul Proctor, research vice president at Gartner.

“It’s another layer in the security model,” says Brandon Greenwood, network operations and security manager at Xango, a company that makes a nutritional supplement in Lehi, Utah. “For us the problem was not only a compliance initiative, but also a best practice that needed to be addressed as part of a defense-in-depth architecture.”

Xango selected an NBA from Sourcefire to help secure 750 users located at multiple sites throughout the world. Greenwood says the Sourcefire products were easy to install and pricing was reasonable: starting at $30 per host, before a volume discount.

Greenwood says the NBA tool has picked up security vulnerabilities that an IDS/IPS would not see. For example, a user installs an FTP service on a server that is not sanctioned for FTP services. The NBA device sees the control traffic and fires off an alert. “Before the user can even transfer data, I have been on the phone with them making sure that the service is really needed there and, if so, that the proper change management steps are taken to get the service up,” Greenwood says.

I can see for miles

AirTran Airways deployed Lancope’s StealthWatch in April, says Michelle Stewart, manager of data security for the Orlando airline. “It has given us complete visibility into what people are doing on the network and provided us accountability of their actions. It also shows how WAN traffic is shared among http, filesharing, and applications. This visibility makes it a lot easier for non-network engineers to see traffic to and from credit card kiosks and reservations centers.”

According to Stewart, AirTran has a distributed network that supports operations in 55 airports and a handful of campuses. The initial reason for pursuing NBA was compliance with PCI Data Security Standards, but the tool has proven to be an effective addition to the company’s security defenses.

In one specific instance, Stewart adds, AirTran detected "attempted" remote access activity, by whom and on which computer; something AirTran could not previously track.

“Complete visibility allows customers to get ahead of the problems before they become a serious issue,” says Paul Stamp, principal analyst at Forrester Research. “Difficult behaviors to detect, such as walk-in worms, configuration failures, and spiteful insider attacks are prime examples of an NBA’s efficiency."

He adds, "After firewalls and appropriate processes for tuning, analysis and remediation are deployed; it’s left to the NBA tools to identify these threats. With NBA technology, a clearer visibility into ‘normal’ is automatically computed and available, but it also alerts users when the ‘abnormal’ occurs.”

While NBA tools are typically first deployed for security or compliance reasons, customers are also finding that these products allow IT to get a better handle on things like application performance. In some sense, NBA products are beginning to morph into sophisticated network management tools.

“Application visibility has always been a distinguishing feature for our product, QRadar,” says Tom Turner, vice president of marketing at Q1 Labs. “QRadar began its life as a pure-play NBA product using flows to provide visibility to network and security operations staffs. Over time, we realized that our architecture for collecting, storing, processing and analyzing flow data, also notably contributed to the same disciplines we applied to log and event data.”

Q1 Labs has released v.5 of QRadar, which essentially merges the worlds of security information management (SIM) and NBA. The product applies the contextual information from network flows to the event streams that come from security devices. The end product produces finely prioritized and accurate data that is useful to both security and network operations personnel.

Similarly, NitroSecurity’s NitroView is “specifically targeted at improving visibility into all areas of information security,” says Eric Knapp, senior product marketing manager. “Network behavior is an important thing to visualize because networks are often thought of in terms of topologies, but all other relevant data needs to be visualized as well.”

NitroView collects data from multiple sources and normalizes it, so it can be "visualized together". All of this data can be viewed in graphs, pie charts, distribution graphs and/or topology graphs.

False sense of security

According to Proctor, NBA systems can suffer from high false-positive rates unless good behavior can be effectively modeled. Factors that can affect network behavior modeling include the number of possible behaviors, number of event types, strength and consistency of the environment and of the network activity, reliability of the bad behaviors, and user skills and experience.

“As with all solutions of this type, there are false positives,” says Sourcefire customer Jason L. Stradley, director of security architecture at TransUnion in Chicago. “Dealing with false positives successfully is based on several components. First is to have a platform that can learn certain things on its own and combine that with a capability of being taught other things by an operator. The other components are not technological, but procedural.”

Jason Stradley, director of security architecture at TransUnion in Chicago, uses a Sourcefire tool for network behavior analysis.

In order to get the most out of any security monitoring solution, adds Stradley, organizations must have a process to analyze all events, including false positives. Then, they must have the discipline to work with the system to tune it. When an event causes an alert to be generated by the system, it’s very likely that event will be something outside of the norm and it should be investigated as soon as possible. Without this organizational discipline, implementation of any product will fail.

Yankee Group Analyst Phil Hochmuth says the key to NBA products is that they don’t address threats, per se; they address anomalies in network traffic that deviate from standard behavior patterns.

“An obvious example: if a PC is infected by a worm, and a flood of port-scanning traffic suddenly comes from that machine, NBA can identify and alert IT staff, regardless of the specific worm on that PC. A more subtle example: if a server’s IP address makes contact with an unknown IP address outside the enterprise, NBA can detect this too, because it’s already built a baseline of normal network behavior for that server.”

Proctor adds, “Network behavior analysis fills the gaps left by policy- and signature-based point solutions such as firewalls, intrusion-detection systems, intrusion-prevention systems, and security information and event management that miss threats for which they are not specifically configured to detect. NBA technologies are decision-support systems that provide visibility to a knowledgeable operator who can interpret, investigate and appropriately respond to a variety of suspicious activities on the network.”

Sartain is a freelance writer in Utah. She can be reached at

Copyright © 2007 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022