NBA Reveals The Bigger Picture


To protect the vulnerable space between the perimeter and the host, in the switching layer that connects desktops to the outside Internet and to each other, many security solution providers are turning to network behavior analysis (NBA) technology.

NBA's strength lies in its ability to account for the dynamic changes happening on networks, which make static thresholds ineffective for detecting attacks.

By virtue of the big-picture view of the network it provides, NBA also can detect insider threats by flagging unusual network activity, such as when a software developer connects to the source-code repository and then connects to a machine outside the network, said Paul Morville, vice president of product management at Arbor Networks, Lexington, Mass.

"NBA fills the gap between perimeter security and host security by dealing with a swath of the network that needs protecting and giving insight into what's going on there," Morville said.


One of the really unique things NBA does is to baseline the notion of what constitutes "normal" activity on the network, in terms of the mix of applications and what they're doing, said Charles Kaplan, chief security strategist at Mazu Networks, an NBA vendor in Cambridge, Mass. "NBA will show you flow data that gets hooked back to the user directory, so you can provide names instead of numbers. It also provides application-specific information: For example, it can show you that it's not just traffic on port 80, but [traffic to] Yahoo Mail," Kaplan said.

Unlike IPS, which watches all the packets and relies on signatures to identify attacks, NBA can detect threats simply by scanning for activity on the network that falls outside the baseline of what's normal, said Marty Roesch, founder and CTO at Sourcefire, Columbia, Md. "Instead of looking at packets, NBA looks at network flows, or records of 'conversations' between devices on the network," Roesch said.

Another key difference is that unlike IPS, NBA can block zero-day threats because it's anomaly-based, Morville said. "With new types of attacks, NBA will see it even without knowing what it is and stop it," he said.
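As an added illustration (not code from the article or from any vendor quoted in it), the constructed Python example below shows the flow-based approach the three paragraphs above describe: it learns a baseline of (user, destination, application) conversations from flow records, resolves source addresses to user names through a stand-in directory, and flags both conversations outside the baseline and the repository-then-outside-host pattern Morville mentions. All addresses, user names, application labels and the internal/external rule are invented for the example.

```python
from collections import namedtuple

# Constructed flow record: one "conversation" between two devices, as NBA sees it.
Flow = namedtuple("Flow", "src dst port app")

# Stand-in for the user-directory lookup the article describes: source IP -> user name.
DIRECTORY = {"10.0.0.5": "alice", "10.0.0.7": "bob"}

def is_external(host):
    # Assumption for this example: anything outside 10.0.0.0/8 is the outside Internet.
    return not host.startswith("10.")

def build_baseline(flows):
    """Learning period: record which (user, destination, application) conversations are normal."""
    return {(DIRECTORY.get(f.src, f.src), f.dst, f.app) for f in flows}

def detect(baseline, flows, repo_host="10.0.0.20"):
    """Flag conversations outside the baseline, plus the insider pattern from the article:
    a user who touches the source-code repository and then talks to an unfamiliar outside host.
    Restricting the second rule to destinations not in the baseline keeps a user's routine
    web-mail traffic from firing it (an assumption of this example)."""
    alerts, touched_repo = [], set()
    for f in flows:
        user = DIRECTORY.get(f.src, f.src)
        new = (user, f.dst, f.app) not in baseline
        if new:
            alerts.append(("outside-baseline", user, f.dst, f.app))
        if f.dst == repo_host:
            touched_repo.add(user)
        elif new and is_external(f.dst) and user in touched_repo:
            alerts.append(("repo-then-external", user, f.dst, f.app))
    return alerts

# Learning period: alice uses the repo and web mail, bob only browses (constructed data).
LEARNING = [
    Flow("10.0.0.5", "10.0.0.20", 22, "ssh"),
    Flow("10.0.0.5", "198.51.100.10", 443, "webmail"),
    Flow("10.0.0.7", "192.0.2.1", 80, "http"),
]
# Detection period: the same traffic plus alice pushing data to an unknown outside host.
# Note that port 80 alone would not separate this from bob's browsing; the application label does.
OBSERVED = LEARNING + [Flow("10.0.0.5", "203.0.113.9", 80, "file-transfer")]

def run_example():
    """Return the alerts raised for OBSERVED against a baseline learned from LEARNING."""
    return detect(build_baseline(LEARNING), OBSERVED)

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```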

For solution providers, NBA is not just another tool in the toolbox but a technology that saves time in triangulating the source of malicious or illegal network behavior.

"NBA lets us zero in very quickly on both the problem and its source," said Chris Thatcher, director of security solutions at Forsythe Solutions Group, a nationwide integrator in Skokie, Ill.

The NBA market, which includes vendors such as Arbor Networks, Mazu Networks, Lancope, Sourcefire and Q1 Labs, is gaining momentum because it cuts down on the number of alerts generated by the security infrastructure and boosts the effectiveness of IPS and security information and event management (SIEM) systems.

NBA also increasingly is being used as a network management tool that effectively handles the spiraling complexity of network infrastructure, according to solution providers.

Reducing the amount of background noise generated by false positives is one of the major benefits of NBA, according to solution providers who have added it to their portfolios.

"The biggest success story with NBA that we've seen is for customers that have IPS but are overwhelmed by the amount of false positives it shoots out," said Michael Tilkian, vice president at Konsultek, a solution provider based in Elgin, Ill. "We implement NBA to verify these threats, real or not. It's definitely going to help make IPS more effective."