SecureVue: Network Behavioral Analysis

Network behavioral analysis (NBA) solutions monitor and analyze network flow data—NetFlow, cflowd, Jflow—from devices like Cisco IOS or Juniper routers. The analysis of this data yields critical information about the behavior of traffic on your network and helps you make decisions on security, bandwidth capacity and optimal usage of your network infrastructure.

Challenges for Network Behavioral Analysis
When correlated with other important security data from hosts and devices on the network, network flow data greatly enhances your ability to pinpoint and react to security events and noncompliance with regulations, standards and best practices (compliance gaps). Non-malicious yet unauthorized activity by an internal individual is also more readily identified. Thus, like the other data analysis components of an integrated security and compliance platform, the principal challenge for NBA solutions is to help mitigate a security event or compliance gap in a timely fashion through seamless integration with the end-to-end correlation of all key security and compliance data.

Consider a typical “low and slow” breach in which an attacker remains undetected once they have compromised an organization’s systems by progressing slowly with minimal activity to evade detection from existing defenses like IPS and device security. The timely detection of a “low and slow” attack has proven especially elusive because it requires the collection of data from multiple sources. Specifically, log, asset, configuration, vulnerability, performance and network flow data can each reveal different aspects of an attack. The following table outlines the typical steps involved in this type of attack and the data source that would reveal each step’s activity.

A Typical “Low and Slow” Attack

| Attack step | Attacker action | Action revealed in |
|---|---|---|
| 1. Probe | Runs port scans seeking targets with known vulnerabilities. | Log data |
| 2. ID entry point | Identifies a target system with a known vulnerability. | Log data |
| 3. Access | Brute-forces access to the system with multiple failed logins preceding the successful login. | Log data |
| 4. Admin privilege | Escalates to Admin/Root or creates a new account with Admin privilege. | Asset data |
| 5. Config change | Disables logging. | Configuration data |
| 6. Exploit vulnerability | Creates a buffer overflow that spikes performance by exploiting a vulnerability. | Vulnerability & Performance data |
| 7. Rogue app | Installs a back door to the system. | Asset data |
| 8. Data theft | Steals confidential data. | Flow data |

Thus, the primary challenge for NBA analytics is to integrate with the end-to-end correlation of multiple types of data which enables more timely security event and compliance gap mitigation. As shown in the table above, network flow data reveals anomalous network behavior that may accompany data theft and, in so doing, greatly enhances the accuracy and speed of detecting and stopping breaches when correlated with other log, asset, performance and configuration data. Log data by itself is insufficient for achieving such targeted, efficient and timely security incident detection.
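The correlation argument above can be made concrete with a small detector that ingests events from the different data sources named in the table, groups them per host inside a time window, and scores the host by how many distinct attack stages have been observed. This is an added illustration, not SecureVue code; the event line format (`timestamp|source|host|stage`), the stage names, the 30-day window and the sample events are all constructed for the example, while the stage-to-source mapping follows the page's table. Running the same events through log data alone shows why the page says log data by itself is insufficient: only the first three stages are ever visible.

```python
"""Multi-source correlation of the 'low and slow' attack chain.

Added example, not SecureVue code. Event records are constructed; the
stage-to-source mapping follows the attack table on the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Which data source reveals which attack step (from the page's table).
STAGE_SOURCE = {
    "probe": "log",
    "entry_point": "log",
    "access": "log",
    "admin_privilege": "asset",
    "config_change": "configuration",
    "exploit": "vulnerability",   # performance data would show the spike too
    "rogue_app": "asset",
    "data_theft": "flow",
}
STAGE_ORDER = list(STAGE_SOURCE)


def parse_event(line):
    """Parse 'ISO-timestamp|source|host|stage' (an assumed format) into a dict."""
    ts, source, host, stage = line.strip().split("|")
    if stage not in STAGE_SOURCE:
        raise ValueError(f"unknown stage {stage!r}")
    return {"ts": datetime.fromisoformat(ts), "source": source,
            "host": host, "stage": stage}


def correlate(lines, sources=None, window=timedelta(days=30)):
    """Group events per host, keep only the selected data sources, and return
    {host: {"stages": [..in attack order..], "sources": {..}, "score": n}}.
    'score' is the number of distinct attack stages seen inside `window`,
    counted back from the host's most recent event."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if sources is None or ev["source"] in sources:
            per_host[ev["host"]].append(ev)
    report = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        latest = evs[-1]["ts"]
        recent = [e for e in evs if latest - e["ts"] <= window]
        stages = sorted({e["stage"] for e in recent}, key=STAGE_ORDER.index)
        report[host] = {
            "stages": stages,
            "sources": {e["source"] for e in recent},
            "score": len(stages),
        }
    return report


def flagged_hosts(report, min_stages=4):
    """Hosts whose correlated stage count reaches the alert threshold."""
    return sorted(h for h, r in report.items() if r["score"] >= min_stages)


# Constructed sample events spread over three weeks (low and slow).
SAMPLE_EVENTS = [
    "2024-03-01T02:10:00|log|srv-12|probe",
    "2024-03-01T02:15:00|log|srv-12|entry_point",
    "2024-03-04T03:00:00|log|srv-12|access",
    "2024-03-07T01:30:00|asset|srv-12|admin_privilege",
    "2024-03-09T01:35:00|configuration|srv-12|config_change",
    "2024-03-12T04:00:00|vulnerability|srv-12|exploit",
    "2024-03-15T04:05:00|asset|srv-12|rogue_app",
    "2024-03-20T23:50:00|flow|srv-12|data_theft",
    "2024-03-02T09:00:00|log|ws-07|probe",              # one scan hit, no follow-up
    "2024-03-10T10:00:00|asset|ws-07|admin_privilege",  # routine admin change
]

if __name__ == "__main__":
    full = correlate(SAMPLE_EVENTS)
    logs_only = correlate(SAMPLE_EVENTS, sources={"log"})
    print("all sources  :", flagged_hosts(full), full["srv-12"]["stages"])
    print("log data only:", flagged_hosts(logs_only), logs_only["srv-12"]["stages"])
```

With all sources, `srv-12` reaches all eight stages and is flagged while `ws-07`, which only shows two unrelated events, stays below the threshold; restricted to log data, `srv-12` never exceeds three stages and nothing is flagged. The window and the `min_stages` threshold are the tuning knobs: a longer window catches slower attackers at the cost of more coincidental matches.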

As a component of an integrated enterprise security and compliance management platform, NBA analytics must also meet other key challenges such as:

  • Building baselines of network traffic behavior for comparative analysis. The ability to build baselines of typical network traffic between devices that generate network flow data is essential to the detection of the kind of anomalous behavior that often accompanies unauthorized data transfers and other attacks.

  • Dashboards for quick viewing of network flows. These dashboards can be customized to allow your security, network or audit teams to quickly view the devices and the network data that are most important to them and to reduce risk by quickly zeroing in on critical network assets to pinpoint anomalous behavior.

Network Behavioral Analysis Using SecureVue
As shown in the example attack above, an effective enterprise security management platform must collect and correlate all important network and device data automatically, 24x7, and in real time to gain the comprehensive picture of the state of the infrastructure required to detect a typical network attack. SecureVue collects and correlates network flow data from all devices on the network that generate network flow data. These network behavioral analytics reveal potentially anomalous network behavior that, in turn, suggests unauthorized data access or other ongoing attacks. NBA, however, is only one of SecureVue’s analysis components. The SecureVue difference is that network behavioral analysis is integrated into the end-to-end correlation function, providing SecureVue customers with the ability to react more effectively to issues by analyzing and correlating more than just log and event data.

Besides offering network behavioral analysis that is integrated with its end-to-end correlation, SecureVue also meets the other key challenges for NBA solutions:

  • SecureVue builds baselines of typical network traffic and behavior with its Flow Profiler that includes important details such as top destinations, top applications, top protocols, top sources and more. Such baselines are necessary to detect anomalous behavior.

  • SecureVue delivers the ability to create dashboards which allow you to view network flow records on selected Cisco IOS or Juniper cflowd devices that you need to supervise frequently to ensure the availability of critical system and network resources.
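The baseline-building challenge listed above and the Flow Profiler description (top destinations, top applications and so on) both come down to the same mechanism: profile each internal source's normal outbound flow behaviour, then compare a new day against that profile. The following is an added example, not SecureVue's Flow Profiler; the comma-separated flow record layout, the choice of internal address ranges, the per-source daily byte baseline, the mean-plus-k-sigma threshold, the "never-seen external destination" heuristic and all sample flows are assumptions constructed for illustration.

```python
"""Flow baselines and anomaly detection over NetFlow-style records.

Added example, not SecureVue's Flow Profiler. Records are constructed;
the record format and the detection heuristics are assumptions.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Address ranges treated as internal; an enterprise would list its own.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(addr):
    return not any(ip_address(addr) in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse 'day,src,dst,dport,bytes' (an assumed export format)."""
    day, src, dst, dport, nbytes = line.strip().split(",")
    return {"day": day, "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)}


def build_baseline(flows, top_n=3):
    """Per internal source: mean/stdev of daily bytes to external hosts, the
    full set of external destinations seen, and the top-N by volume."""
    daily = defaultdict(Counter)   # src -> day -> bytes
    dests = defaultdict(Counter)   # src -> dst -> bytes
    for f in flows:
        if not is_external(f["dst"]):
            continue                # internal-to-internal traffic is out of scope here
        daily[f["src"]][f["day"]] += f["bytes"]
        dests[f["src"]][f["dst"]] += f["bytes"]
    baseline = {}
    for src, per_day in daily.items():
        values = list(per_day.values())
        baseline[src] = {
            "mean": mean(values),
            "stdev": pstdev(values),
            "known_dsts": set(dests[src]),
            "top_dsts": [d for d, _ in dests[src].most_common(top_n)],
        }
    return baseline


def detect(baseline, flows, k=3.0):
    """Compare one day of flows against the baseline. A source is flagged when
    its external byte volume exceeds mean + k*stdev, or when it talks to an
    external destination absent from its baseline. Returns {src: [reasons]}."""
    daily = defaultdict(int)
    new_dsts = defaultdict(set)
    for f in flows:
        if not is_external(f["dst"]):
            continue
        daily[f["src"]] += f["bytes"]
        known = baseline.get(f["src"], {}).get("known_dsts", set())
        if f["dst"] not in known:
            new_dsts[f["src"]].add(f["dst"])
    findings = {}
    for src, total in daily.items():
        reasons = []
        b = baseline.get(src)
        if b is None:
            reasons.append("no baseline for source")
        else:
            threshold = b["mean"] + k * b["stdev"]
            if total > threshold:
                reasons.append(f"volume {total} > threshold {threshold:.0f}")
        if new_dsts[src]:
            reasons.append(f"new external destinations {sorted(new_dsts[src])}")
        if reasons:
            findings[src] = reasons
    return findings


# Constructed five-day baseline: 10.0.0.5 talks to a web and a mail host,
# 10.0.0.8 to the web host only; internal file-share traffic is present too.
_VOLUMES = [(10000, 2000), (11000, 2000), (9000, 2000), (10000, 2500), (10000, 1500)]
BASELINE_FLOWS = []
for i, (web, mail) in enumerate(_VOLUMES, start=1):
    BASELINE_FLOWS += [
        f"2024-03-0{i},10.0.0.5,203.0.113.10,443,{web}",
        f"2024-03-0{i},10.0.0.5,198.51.100.7,25,{mail}",
        f"2024-03-0{i},10.0.0.5,10.0.0.20,445,900000",
        f"2024-03-0{i},10.0.0.8,203.0.113.10,443,5000",
    ]

# Constructed test day: 10.0.0.5 pushes 250 kB to a never-seen external host.
DAY_FLOWS = [
    "2024-03-20,10.0.0.5,203.0.113.10,443,10000",
    "2024-03-20,10.0.0.5,192.0.2.44,22,250000",
    "2024-03-20,10.0.0.8,203.0.113.10,443,5000",
    "2024-03-20,10.0.0.8,10.0.0.20,445,700000",
]

if __name__ == "__main__":
    base = build_baseline(parse_flow(l) for l in BASELINE_FLOWS)
    print("top destinations for 10.0.0.5:", base["10.0.0.5"]["top_dsts"])
    print(detect(base, [parse_flow(l) for l in DAY_FLOWS]))
```

On this data `10.0.0.5` is flagged for both reasons (its daily external volume of 260 kB is far above the roughly 14 kB threshold, and `192.0.2.44` never appeared during the baseline period) while `10.0.0.8`, whose traffic matches its profile exactly, is not. Two practical caveats: a source with perfectly constant history has a standard deviation of zero, so production code should put a floor under the threshold, and a baseline built while an intruder is already active would normalise their traffic, which is why the baseline period needs review before it is trusted.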

In the end, SecureVue meets all these challenges. On top of that, SecureVue is the only integrated security and configuration management platform delivering end-to-end correlation of all important data, including NBA data.

Discover why Network World wrote, “eIQnetworks has the broadest range of capabilities we have seen in one integrated product”. Download whitepapers, datasheets, case studies and more from the eIQ Resource Center today. When you are ready, don’t hesitate to test drive a free evaluation copy of SecureVue to see how it can simplify management, boost efficiency, and enable easy audit reporting for your organization.