
If you hear about Network Traffic Analysis (NTA) for the first time, you probably think of classic network monitoring, but network traffic analysis goes much further than that.
Network analysis is essentially about intercepting and examining data packets in order to draw conclusions about the information they carry from the recurring patterns of communication.
The general rule is: the more data packets have been intercepted or monitored, the more reliable the conclusions that can be drawn about the content of a message flow.
A short example:
For an IDS or IPS system, it is easy to write a rule that says: “If connections to the Tor network are attempted, do X.”
Things look different if you want to sensibly implement rules like: “Alert when twice as much data flows out of the file server in period X as in the two-week average.”
Tools and systems that implement Network Traffic Analysis today (Network Detection and Response, or NDR for short) try to close this gap between time and knowledge.
By identifying the participants within the network communication, how they relate to each other, and what their typical behavior is, the detection of malicious intent should be automated as far as possible.
This in turn should enable IT security personnel to implement tailor-made threat detection rules for each company in order to simplify threat hunting and also to fuel incident response workflows.
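The two rules above differ in what they need to know: the Tor rule needs only the current packet, while the file-server rule needs a history of the server's own behavior. The following is an added example (not code from the original article or from any NDR product) that implements that second kind of rule, plus the "who talks to whom" baseline the NDR description alludes to, over a constructed set of aggregated flow records. The flow tuples, host names and the 14-day window are assumptions chosen for illustration; a real deployment would read NetFlow or Zeek connection logs instead.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Constructed flow records (not real traffic): (day, src_host, dst_host, bytes_out).
# Each tuple stands in for one aggregated NetFlow/Zeek connection record.
FLOWS = []
BASE = date(2024, 1, 1)
for d in range(14):
    # Baseline fortnight: the file server sends roughly 1 GB/day to a workstation.
    FLOWS.append((BASE + timedelta(days=d), "fileserver", "ws-01",
                  1_000_000_000 + d * 1_000_000))
# Day 15: the file server sends 2.5 GB to a host it has never talked to before.
FLOWS.append((BASE + timedelta(days=14), "fileserver", "ext-host", 2_500_000_000))


def daily_outbound(flows):
    """Aggregate bytes sent per (host, day)."""
    totals = defaultdict(int)
    for day, src, _dst, nbytes in flows:
        totals[(src, day)] += nbytes
    return totals


def baseline(totals, host, end_day, window_days=14):
    """Mean daily outbound bytes of host over the window_days before end_day (exclusive)."""
    days = [end_day - timedelta(days=i) for i in range(1, window_days + 1)]
    return mean(totals.get((host, d), 0) for d in days)


def volume_alerts(flows, host, factor=2.0, window_days=14):
    """The 'twice the two-week average' rule.

    Returns (day, observed_bytes, baseline_bytes) for every day on which the
    host sent more than factor * its trailing baseline.
    """
    totals = daily_outbound(flows)
    days = sorted({d for (h, d) in totals if h == host})
    alerts = []
    for day in days:
        # Only judge a day once a full window of history exists before it.
        if day - timedelta(days=window_days) < days[0]:
            continue
        base = baseline(totals, host, day, window_days)
        observed = totals[(host, day)]
        if base > 0 and observed > factor * base:
            alerts.append((day, observed, base))
    return alerts


def new_peer_alerts(flows, host, window_days=14):
    """Relationship baseline: days on which host contacted a destination
    not seen in any of the preceding window_days."""
    seen_by_day = defaultdict(set)
    for day, src, dst, _ in flows:
        if src == host:
            seen_by_day[day].add(dst)
    days = sorted(seen_by_day)
    alerts = []
    for day in days:
        if day - timedelta(days=window_days) < days[0]:
            continue
        known = set()
        for i in range(1, window_days + 1):
            known |= seen_by_day.get(day - timedelta(days=i), set())
        new = seen_by_day[day] - known
        if new:
            alerts.append((day, sorted(new)))
    return alerts


if __name__ == "__main__":
    for day, observed, base in volume_alerts(FLOWS, "fileserver"):
        print(f"{day}: fileserver sent {observed} bytes, baseline {base:.0f}")
    for day, peers in new_peer_alerts(FLOWS, "fileserver"):
        print(f"{day}: fileserver contacted new peers {peers}")
```

Both functions refuse to judge a day until a full window of history precedes it; without that guard the first days of a deployment would all trip the rule against an empty baseline. Combining the two signals (a volume spike and a first-time peer on the same day) is the kind of correlation the text attributes to NDR, and is far harder to express as a single static IDS signature.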
A Security Operation Center (SOC) is now synonymous with using a Security Information and Event Management (SIEM) product. It is the backbone of the SOC and emerging NDR products will not change that. In the coming years, they will become the second essential pillar of the SOC.
SIEM is primarily based on the logs that have been configured for collection on the monitored devices. NDRs, which apply network traffic analysis with heavy use of machine learning, are independent of those logs. If SIEM is the skeleton of a SOC, NDRs become the muscles of the SOC through Network Traffic Analysis.