The business of network behaviour analysis
You can't spot abnormal behaviour until you know what's normal.
By Denise Dubie, Network World | Network World US | Published: 00:00, 29 September 2006
When it comes to network security, what you don't know can definitely hurt you.
For Dan Lukas, lead security architect at Aurora Health Care, his fear of the unknown keeps him motivated to protecting the healthcare organisation's resources, which supports about 30,000 users, 13 hospitals, 175 pharmacies and 125 clinics throughout Wisconsin.
"People may think they know what's going on inside their network, but often they don't," Lukas says.
Recently, Lukas says his hub-and-spoke network fell victim to a spybot virus exploiting a Microsoft Server Service vulnerability, which 'could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system,' according to a Microsoft Security Bulletin. A mobile user connected his infected laptop to the network, which kicked off the virus. Yet Lukas says the damage was minimal, because he had technology in place to detect the traffic changes.
About a year ago, Lukas deployed StealthWatch appliances from network behaviour-analysis vendor Lancope, to get a better read on traffic out to the edge of Aurora's distributed network in a way he felt an intrusion-prevention system could not. The technology helps him see in real time what is traversing his net and spot unknown traffic and new traffic patterns that could represent a threat.
"StealthWatch helps us see the state of the union, so to speak, right now -- and not just the bad stuff. It also works to set application baselines and performance analysis," Lukas says. "We have things that jump on our network that we don't always have all the information on in terms of how they work, so we needed a way to spot them without necessarily knowing about them in advance."
Another layer of security
Network behaviour-analysis systems promise to add another layer of security to corporate networks by watching traffic for changes in typical actions. The systems typically perform a benchmark of traffic behaviour and monitor for changes. Then if, for example, a relatively unused server begins to propagate many requests, the anomaly-detection system might suspect the host could be falling victim to a worm. Or if enterprise application traffic deemed content-sensitive starts to use Port 80 -- the port left open on firewalls for Internet traffic -- the products could send an alert about a possible breach of compliance policies.
Companies such as Arbor Networks, GraniteEdge Networks, Lancope, Mazu Networks and Q1 Labs offer products that perform this type of traffic-monitoring and behaviour analysis of known and unknown threats. Cisco also offers this type of technology, though its MARS (Monitoring Analysis and Response System) performs network anomaly detection and can interpret signals and alerts from IPS gear and react by sending policies to routers and switches.
Tools for monitoring traffic for potential breaches are becoming a staple in most security managers' arsenal. According to Gartner, by the end of 2007, 25 percent of companies will employ such tools as part of their network security strategy.
"This technology provides a clearer window into potential security threats on a network," says Stephen Elliot, a senior analyst with IDC. "The vendors today layer on added intelligence about how to respond to the threats, who's affected, what's infected, and the technology provides more visibility into the state of network security.
In Lukas' case, Lancope packages its StealthWatch software on appliances that are distributed across a network, near a core switch or data-centre router. The product does not sit in line of network traffic, but passively monitors conversations between hosts and clients. He chose the product because it can tap NetFlow data in Cisco routers and help him monitor traffic out to the edge -- without having to distribute appliances at each location.
The Lancope technology also helps Lukas protect devices on his network that he can't always patch.
"We have some devices that we can't patch or put antivirus software on because of their medical nature, and it gets a little tense," Lukas explains. "We can't always just be shutting down switch ports on these devices, because they are important for medical reasons, but knowing what's happening early helps protect them."
For other technology users, network behaviour analysis equips them with more knowledge and helps them reduce the time and manual labour it takes to track down and fix problems, respectively.
David Obrys, global infrastructure security co-ordinator at Cabot Corp., a speciality chemicals and materials company in Boston, uses Maze Networks' Profiler product to speed response to potentially dangerous events.
"Prior to rolling this technology out, it might have taken us days to figure out what caused an event, scrambling through logs," Obrys says. "Now that it helps us understand what is right on our network, it's much easier to find what is wrong. Speed is so important when it comes to security."
James Ballou, IS security specialist and HIPAA security officer at Driscoll Children's Hospital in Texas, says with a small staff technology that automates the collection and analysis of security data helps him better secure his internal net. He uses Cisco's MARS to detect anomalies in network traffic, because the technology looks at data from different sources, gauges its potential risk and correlates it with other events on the network.
"I need proactive, consistent threat management and preprogrammed responses built into our system to mitigate issues," Ballou says.
David Arbo says his Arbor Networks Peakflow X system spots unknown variants of known viruses and worms, which is critical to the director of infrastructure services and information security at APL, a shipping company based in California.
"We have had experiences in which we are protected against the known worm, but a new variant crops up, and we don't have the profile yet," Arbo says. "The technology has provided increased visibility when that scenario crops up and lets us know if we should be blocking ports and what areas are impacted."
Arbor Peakflow X quantifies normal network behaviour, analysing flow statistics from such appliances as Cisco's NetFlow, Juniper Networks' cFlow, sFlow from Extreme Networks and Foundry Networks devices, as well as raw packet data. It uses this information to create baseline definitions of normal network behaviour. Arbo says the flow data is also useful when engineering the network. Another means of protection, he explains, is network segmentation and understanding traffic flows will help him design the network for optimal security and performance.
"We leverage Arbor for analysis and information to help us put in place other active protection layers, such as perimeter firewalls, IDS and IPS tools," Arbo says. "If I can understand the traffic flows, I can know the best places where to put a gate or filter for the traffic."
Yet despite its strengths, network behaviour-analysis technology could use some improvement. Arbo says he'd like to see more planning capabilities within the product to help him better gauge the impact of changes he makes to the network. While the vendors provide automated remediation features within their various products, customers need to have more confidence in the actions the products would take in response to events on their specific networks.
"A key area for these vendors is to allow customers to move faster and with a higher degree of confidence as to the outcomes their products can guarantee," Arbo says.