NTA is used for a wide range of tasks:
Detection of ransomware activity;
Tracking data leaks/suspicious internet activity;
File access control on file servers or MSSQL databases;
Tracking user activity on the network;
Inventory of devices, servers and services running on the network;
Detecting the root cause of network traffic peaks;
Providing real-time dashboards;
Creating reports on network activity for any period of time.
How to choose an NTA solution?
When choosing an NTA for your organization, remember:
You must have devices that collect information about the operation of the network. Most often, the network already has routers and switches that supply statistics on traffic flows for NTA.
The ideal source of flow data is a deep traffic analysis (DPI) device, since it not only collects IT metric statistics for the NTA but can also recognize attacks with the functionality of an attack detection system, analyze protocol metadata in detail, see transmitted files and send them to a sandbox for analysis. You need to decide which parts of the traffic are critical so that your tools cover everything you need.
You need to know whether the NTA uses agent-based software or not. Also be careful: don’t try to monitor too many data sources and don’t keep logs for too long.
You need to know what data the tool collects and stores. To analyze events, it is important to collect historical data, but not all NTA tools save it. You need to clearly understand which data matters most to you in order to find the best option for your needs and budget.
Some DPI tools capture and save all packets, which improves detection quality and makes incident analysis and threat hunting more convenient. This also affects the price of the devices, as data storage costs rise and the analysis functionality expands. In addition, you will need to spend more time learning to work with them: such devices contain many analysis modules, including machine learning. Other tools take on more of the “heavy lifting” by capturing complete packets and extracting the important details and metadata for each protocol. This metadata extraction significantly reduces the volume of data while retaining readable, useful details suitable for both network and information security specialists.
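As an added example (not code from the original article), the following Python shows what the flow statistics that routers and switches export can already answer among the tasks listed at the start: a service inventory, the source of a traffic peak, and unusual outbound volume. The flow records and the 10.0.0.0/8 internal range are constructed assumptions; such flow data alone carries none of the protocol metadata or file contents that a DPI device would add.

```python
import ipaddress
from collections import defaultdict, namedtuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the monitored internal range
# One flow record as a router or switch exports it: start time (s), source, destination,
# destination port, bytes. Field names are this example's own, not a NetFlow/IPFIX schema.
Flow = namedtuple("Flow", "ts src dst dport nbytes")

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

# Constructed sample records, not real traffic: SMB (445) and MSSQL (1433) inside the
# network plus one large upload from 10.0.1.9 to an external address.
FLOWS = [
    Flow(0,   "10.0.1.5", "10.0.2.10",   445,  2_000),
    Flow(0,   "10.0.1.6", "10.0.2.10",   445,  1_500),
    Flow(10,  "10.0.1.5", "10.0.2.11",   1433, 3_000),
    Flow(60,  "10.0.1.9", "10.0.2.10",   445,  800),
    Flow(60,  "10.0.1.9", "203.0.113.7", 443,  250_000_000),
    Flow(65,  "10.0.1.5", "10.0.2.11",   1433, 2_500),
    Flow(120, "10.0.1.6", "10.0.2.10",   445,  1_200),
]

def service_inventory(flows):
    """Internal servers and the destination ports they were contacted on (inventory task)."""
    inv = defaultdict(set)
    for f in flows:
        if is_internal(f.dst):
            inv[f.dst].add(f.dport)
    return {host: sorted(ports) for host, ports in inv.items()}

def peak_interval(flows, window=60):
    """Busiest window, its byte total and the top source inside it (traffic-peak root cause)."""
    total = defaultdict(int)
    by_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        w = f.ts // window * window
        total[w] += f.nbytes
        by_src[w][f.src] += f.nbytes
    w = max(total, key=total.get)
    return w, total[w], max(by_src[w], key=by_src[w].get)

def egress_outliers(flows, threshold):
    """Internal hosts that sent more than threshold bytes to external addresses (data-leak tracking)."""
    out = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            out[f.src] += f.nbytes
    return sorted(host for host, sent in out.items() if sent > threshold)
```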
Let’s summarize the results
NTA is a modern method of detecting malware and anomalies of various types; it is also used to maximize network performance and prevent attacks. Along with log aggregation, UEBA and endpoint data, network traffic is the main element of comprehensive visibility and security analysis for rapid threat detection and remediation. When choosing an NTA solution, keep in mind the existing “blind spots” in your network and the data sources from which you need information. By integrating NTA as a layer into your Security Information and Event Management (SIEM) solution, you will get even more data about your environment and your users.