Full application of behavioral analysis (NBA) tools
Keywords: Behavioral analysis
NBA is another security model: it not only meets compliance requirements, but also forms part of an enterprise's defense-in-depth architecture.

Brandon Greenwood is the network operations and security manager at Xango, a Utah company that produces nutritional supplements. He regards NBA as another security model. For Xango, adopting NBA is not just about implementing a compliance program; it is also a best practice as part of a defense-in-depth architecture. Xango selected Sourcefire's NBA product to help protect 750 users scattered around the world. Greenwood said that the Sourcefire product is simple to install and reasonably priced, starting at 30 U.S. dollars per host, with discounts for large volumes. Greenwood added that NBA tools can also uncover vulnerabilities. For example, someone may have installed an FTP service on a server that is not allowed to run one; the NBA device raises an alert as soon as it sees the FTP control traffic. "Even before the user starts transmitting data, I call the person to make sure that the service is really needed, and if so, we can take the appropriate change-management steps to enable the service," Greenwood said.

Comprehensive understanding of network operation

Michelle Stewart, data security manager at Orlando-based AirTran Airlines, introduced the company's Lancope NBA tool, StealthWatch, in April 2007. "It gives us a full picture of what people do on the network and allows us to be accountable for our actions," she said. It also shows how WAN traffic is shared between HTTP, file sharing, and other applications. This visibility into traffic greatly simplifies matters for non-network engineers handling the flows to the credit card terminals and reservation centers. According to Stewart, AirTran has a distributed network that supports business operations at 55 airports and several university campuses.
The original reason for buying the NBA tool was to comply with the PCI data security standard, but it turned out that the tool was a powerful complement to the company's security defenses. Stewart cited an example: the NBA tool found attempted but unsuccessful remote access activity and identified who the other party was and from which computer the attempt was made, before AirTran had even become aware of the incident.

Paul Stamp, chief analyst at Forrester Research, said that such a thorough understanding of the situation allows customers to get ahead of a problem before it becomes serious. Typical examples of NBA's effectiveness include the ability to discover behaviors that are otherwise hard to detect, such as stealthy worms, operator configuration errors, and malicious insider attacks. "The task of identifying security threats was handed over to the NBA tools after deploying firewalls and adapting the analysis and remediation processes appropriately. With NBA technology, users can be more clearly aware of 'normal behavior' and be notified when 'abnormal behavior' occurs," Stamp said.

Although NBA tools are usually first deployed for security or compliance, it has also been found that these products let IT staff manage application performance more effectively. In a sense, NBA products are beginning to become advanced network management tools. Tom Turner, vice president of marketing at Q1 Labs, a company that offers NBA products, said: "Understanding the application is a unique feature of our product QRadar. QRadar was originally a pure NBA product that uses network flow data to provide visibility to network and security operators. But then we came to realize that the architecture we use to collect, store, process, and analyze network flow data also helps in the analysis of log and event data." Q1 Labs has launched version 5 of QRadar, which actually integrates security information management (SIM) with NBA.
The product applies contextual information from the network flows to the event stream from the security devices, and the result is a clear, prioritized list of accurate data that is useful to both security and network operators. Similarly, NitroSecurity's NitroView products specifically enhance visibility in order to understand all aspects of information security. Eric Knapp, senior product marketing manager, said: "Network behavior needs to be visualized, because people often consider network security from a topological aspect, but all the other relevant flow data needs to be visualized too." NitroView collects data from multiple sources and normalizes it so that the data can be merged and visualized. All of this data can be viewed through graphs, pie charts, distribution graphs, and/or topological diagrams.

Avoiding a false sense of security

According to Proctor, the disadvantage of an NBA system is that the false positive rate is high unless you can effectively build the correct model. Several factors affect the modeling of network behavior: the number of network behaviors, the number of event types, the intensity and consistency of the environment and of network activity, the reliability of bad behavior, and the user's skill and experience. Jason L. Stradley, head of security architecture at TransUnion in Chicago and a Sourcefire customer, said: "Like all solutions of this type, NBA will also have false positives. Successfully resolving false positives depends on several aspects. The first is having a platform that can learn attacks on its own and that can also accept instructions from the operator. The other aspects do not involve technology, but method." Stradley believes that in order to fully utilize any security monitoring solution, the enterprise must develop a process to analyze all events, including false positives. Then it must have a way to tune the system.
An event that causes the system to raise an alarm is very likely an abnormal situation and should be analyzed as soon as possible. For an enterprise without such a method, deploying any product is useless.

The key to NBA products, says Phil Hochmuth, an analyst at Yankee Group, is that they do not deal with threats themselves, but rather with anomalies that deviate from the standard behavioral patterns in network traffic. "One obvious example is that if a PC is infected with a worm and a flood of 'port-scanning' traffic suddenly comes from this machine, the NBA tool can recognize the situation and notify IT staff, no matter what kind of worm has appeared on the computer. A less obvious example is if the IP address of a server connects to an unknown IP address outside the enterprise: the NBA tool can find it because it has established a baseline for the normal network behavior of that server."

Proctor said: "Network behavior analysis tools fill in the gaps left by policy- and signature-based solutions such as firewalls, intrusion detection systems, intrusion prevention systems, and security information and event management; those point solutions are not able to detect these threats unless they are specifically configured to detect them. NBA technology is a decision support system: it provides network-knowledgeable operators with visual traffic analysis, so they can interpret and analyze various suspicious activities on the network and take appropriate response measures."

Currently, manufacturers of NBA products include Arbor Networks, Cisco, GraniteEdge Networks, Lancope, Mazu Networks, NitroSecurity, Q1 Labs, Sourcefire and others.

How NBA works
Phil Hochmuth, a senior analyst in the enterprise research unit of Yankee Group, explains how NBA works: "NBA products use collectors, which can be stand-alone servers or specialized devices; network devices then send NetFlow, IP Flow Information Export (IPFIX) or sFlow data to the collector. After the NetFlow data is sent to the collector, the header information of all packets processed by the network node has essentially been collected and exported, which is like the shipping log for that network device." NBA products collect data from all network devices that support flow export, and from it build a full picture of activity on the network, such as which IP addresses are talking to each other, what applications are running on the network, and so on. Beyond the basic flow data, NBA tools provide other features: they can detect and map all the devices on the IP network (clients, servers, switches, routers, and so on). Because every network device is described and all the "shipping logs" are collected from the routers and switches, NBA tools can also perform complex network traffic analysis. Users can establish a baseline performance model for network behavior, identify areas of network congestion or low utilization, and, most important for security people, detect traffic anomalies.

Paul Proctor, a Gartner analyst, explains NBA from another perspective: an NBA system can analyze network traffic from sources such as Cisco's NetFlow or Juniper's flow data, from sources that support the cflow standard, or directly from packet analysis data. Such a system can combine deterministic (signature) detection with nondeterministic (anomaly) detection to inform network and security operators of suspicious activity, and it provides information about network activity for analysis and response.
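To make the baseline-and-deviation idea concrete, here is an added example (not code from the article or from any of the vendors it names) of a toy NBA-style detector over flow records: it learns per-host destination ports and, for servers, external peers, then flags Hochmuth's two cases (a burst of never-seen ports from one host, and a server talking to an unknown external address) plus Greenwood's policy case (FTP control traffic to a server not allowed to run FTP). The address ranges, server list, threshold and flow records are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions for this constructed example: enterprise address space,
# the hosts treated as servers, and the only server allowed to run FTP.
INTERNAL = ip_network("10.0.0.0/8")
SERVERS = {"10.0.0.5"}
ALLOWED_FTP_SERVERS = {"10.0.0.21"}

@dataclass(frozen=True)
class Flow:
    """One collector record: the header facts NetFlow/IPFIX/sFlow export."""
    src: str
    dst: str
    dport: int

def build_baseline(flows):
    """Learning phase: per source host, remember the destination ports it used
    and, for servers, the external peers it talked to."""
    ports, peers = defaultdict(set), defaultdict(set)
    for f in flows:
        ports[f.src].add(f.dport)
        if f.src in SERVERS and ip_address(f.dst) not in INTERNAL:
            peers[f.src].add(f.dst)
    return {"ports": dict(ports), "peers": dict(peers)}

def detect(baseline, flows, scan_threshold=20):
    """Detection phase: baseline deviations plus one policy rule (FTP control)."""
    alerts, new_ports = set(), defaultdict(set)
    for f in flows:
        if f.dport not in baseline["ports"].get(f.src, set()):
            new_ports[f.src].add(f.dport)       # candidate scan evidence
        if (f.src in SERVERS and ip_address(f.dst) not in INTERNAL
                and f.dst not in baseline["peers"].get(f.src, set())):
            alerts.add(("unknown_external_peer", f.src, f.dst))
        if f.dport == 21 and f.dst not in ALLOWED_FTP_SERVERS:
            alerts.add(("unauthorized_ftp_control", f.dst, f.src))
    for host, ports in new_ports.items():
        if len(ports) >= scan_threshold:   # burst of never-seen ports
            alerts.add(("port_scan", host, len(ports)))
    return sorted(alerts)

# Constructed flows: a learning window, then an observation window.
LEARNING = [Flow("10.0.1.7", "10.0.0.5", 443), Flow("10.0.1.7", "10.0.0.5", 80),
            Flow("10.0.0.5", "203.0.113.10", 443)]
OBSERVED = ([Flow("10.0.1.7", "10.0.0.20", p) for p in range(1000, 1040)]
            + [Flow("10.0.0.5", "198.51.100.77", 443),
               Flow("10.0.1.7", "10.0.0.5", 443), Flow("10.0.1.8", "10.0.0.30", 21)])
```

Calling detect(build_baseline(LEARNING), OBSERVED) yields a port_scan alert for 10.0.1.7, an unknown_external_peer alert for the server 10.0.0.5, and an unauthorized_ftp_control alert for 10.0.0.30; the operator still has to interpret each one, which is the point the article makes about false positives.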
Basically, NBA gives people a window into network behavior, and it needs network-knowledgeable operators to interpret the analysis results.