When the Results are as Good if not Better, Why Bother with Packet Capture in NTA?
By Gilad Peleg, CEO of SecBI
Gartner analyst Anton Chuvakin wrote: “The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.”
Network Traffic Analysis (NTA) is a critical component in the defense against cyberattacks, enabling organizations to detect malicious communications and to diagnose IT infrastructure issues. Because it observes the network itself, NTA offers ubiquitous monitoring across all platforms and systems, without the coverage limits of host-based, agent-dependent tools. Few data sources match network traffic for the breadth and usefulness of the information it provides, which is why NTA lets analysts detect malicious activity quickly and respond proactively.
However, traditional NTA solutions (which we will call legacy NTA) are built on packet capture and require large investments of time and money before they are up and running, starting with the installation of dedicated sensors. Legacy NTA solutions also typically depend on outside personnel for their day-to-day operation in order to produce useful results. NTA solutions that work from log analysis and metadata instead eliminate this overhead while providing equal, if not better, insight into potential cyberattacks, and they do not demand deep security expertise from the analysts who use them.
SecBI’s next-generation NTA is built on field-proven technology that detects the kinds of cyberattacks that are growing in both number and sophistication. Its “Autonomous Investigation” technology is a faster and more effective approach than hunting through individual packets. Because SecBI is deployed on top of Layer 7 gateways (web proxies and similar devices), TLS termination has already taken place by the time the gateway writes its logs, which removes the obstacle of encrypted data. A packet-based sensor placed elsewhere on the network sees only ciphertext for encrypted sessions; without the decrypted application-layer details (such as the hosts and URLs requested) on which the subtle differences in communication, distribution, and frequency between malicious and benign traffic are computed, its analysis is blind, and this limits the effectiveness of packet-based NTA.
NTA solutions differ in how they obtain their data. SecBI’s metadata-based solution, which applies unsupervised machine learning to gateway logs, scales better than packet capture while providing the same, if not better, data quality. It is deployed and running within hours and carries a lower total cost of ownership than other NTA products on the market; the cost difference comes mainly from SecBI using logs from existing network infrastructure, so no additional sensors or professional services are required.
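The kind of detection that Layer 7 gateway logs make possible, as described in the two paragraphs above, can be illustrated with a small worked example. The following Python is an added example written for this page; it is not SecBI’s code and does not reproduce its Autonomous Investigation technology or its unsupervised machine learning. It assumes a simplified, constructed proxy access log (timestamp, client IP, destination host, bytes out, bytes in, the fields a TLS-terminating proxy typically records) and uses plain statistics in place of learned features: regularity of request timing, uniformity of request size, and how many clients in the organization contact a destination. Periodic, uniform-sized requests from a single client to a host nobody else talks to is what a command-and-control beacon looks like in proxy metadata, and none of it requires looking at a packet payload.

```python
"""Beacon detection over TLS-terminating proxy logs (added example, not SecBI code).

Assumed log format (constructed for this example, one event per line):
    epoch_seconds client_ip dest_host bytes_out bytes_in
The scoring below is a simple statistical stand-in for the unsupervised
machine learning the article describes; it is not the vendor's method.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, not real traffic. Two clients fetch updates from a
# CDN at irregular intervals with varying sizes; a third client contacts an
# otherwise-unseen host every ~300 seconds with identical request sizes.
SAMPLE_LOG = """\
1000 10.0.0.5 updates.example-cdn.net 734 52210
1000 10.0.0.9 cdn-metrics-7x.example 312 140
1043 10.0.0.7 updates.example-cdn.net 811 48102
1190 10.0.0.5 updates.example-cdn.net 702 61944
1300 10.0.0.9 cdn-metrics-7x.example 312 140
1412 10.0.0.7 updates.example-cdn.net 790 3020
1598 10.0.0.9 cdn-metrics-7x.example 312 140
1650 10.0.0.5 updates.example-cdn.net 1120 99870
1901 10.0.0.9 cdn-metrics-7x.example 312 140
2200 10.0.0.9 cdn-metrics-7x.example 312 140
2210 10.0.0.7 updates.example-cdn.net 755 2890
2499 10.0.0.9 cdn-metrics-7x.example 312 140
2800 10.0.0.9 cdn-metrics-7x.example 312 140
2950 10.0.0.5 updates.example-cdn.net 698 45011
3100 10.0.0.9 cdn-metrics-7x.example 312 140
"""


def parse_log(text):
    """Parse the assumed log format into (ts, client, host, bytes_out, bytes_in) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, host, b_out, b_in = line.split()
        events.append((int(ts), client, host, int(b_out), int(b_in)))
    return events


def coefficient_of_variation(values):
    """pstdev / mean; 0.0 when the mean is zero (no spread to measure)."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def score_pairs(events, min_events=4):
    """Compute per (client, host) metadata features from gateway log fields only.

    interval_cv: regularity of time between requests (low = periodic, beacon-like)
    size_cv:     uniformity of request size (low = identical requests)
    prevalence:  share of all clients that contact this host (low = rare destination)
    """
    by_pair = defaultdict(list)
    clients_per_host = defaultdict(set)
    for ts, client, host, b_out, _b_in in events:
        by_pair[(client, host)].append((ts, b_out))
        clients_per_host[host].add(client)
    total_clients = len({client for client, _ in by_pair})

    findings = {}
    for (client, host), recs in by_pair.items():
        if len(recs) < min_events:
            continue  # too few events to judge periodicity
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        if mean(intervals) <= 0:
            continue  # all events share a timestamp; not a periodic pattern
        findings[(client, host)] = {
            "events": len(recs),
            "interval_cv": coefficient_of_variation(intervals),
            "size_cv": coefficient_of_variation([size for _, size in recs]),
            "prevalence": len(clients_per_host[host]) / total_clients,
        }
    return findings


def find_beacons(text, max_interval_cv=0.1, max_size_cv=0.2, max_prevalence=0.5):
    """Return (client, host) pairs whose timing, sizing and rarity all look like a beacon."""
    findings = score_pairs(parse_log(text))
    return sorted(
        pair
        for pair, f in findings.items()
        if f["interval_cv"] <= max_interval_cv
        and f["size_cv"] <= max_size_cv
        and f["prevalence"] <= max_prevalence
    )


if __name__ == "__main__":
    for (client, host), f in sorted(score_pairs(parse_log(SAMPLE_LOG)).items()):
        print(f"{client} -> {host}: {f}")
    print("beacon candidates:", find_beacons(SAMPLE_LOG))
```

The thresholds are illustrative; in practice they would be learned per environment rather than fixed. The point of the example is which fields carry the signal: timestamps, request sizes and destination hosts, all of which a Layer 7 gateway logs after decryption and none of which a packet-capture sensor can recover from a TLS session it cannot decrypt.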
In short, although network traffic analysis (NTA) is critical for detecting cyberattacks, legacy packet-capture NTA solutions can be overly costly for organizations (particularly large, geographically dispersed ones) in terms of additional storage, processing, and hardware appliance requirements, and they are handicapped by the growing use of encryption.
With a log-based NTA solution, enterprises gain better visibility into network behavior, because the Layer 7 gateway logs are produced after SSL/TLS decryption and so are not blinded by encryption for the traffic that passes through those gateways. This allows detection of malicious activity by external attackers without additional hardware or a long implementation lead time. In conclusion, SecBI’s Autonomous Investigation technology, working from log-based Layer 7 metadata, delivers NTA as software and provides the market’s most effective and affordable NTA solution.