Network Traffic Analysis for Security:

A “Market” on the Cusp of the Chasm?

Arabella Hallawell

At Arbor, and at our parent company NETSCOUT, we talk a lot about the value that comes from network traffic. Traffic can bring end-to-end visibility of all users, applications and services, their activities and locations, from a single perspective, allowing security teams to understand trouble spots and threats and to make smart, accurate decisions quickly, before the wider infrastructure is impacted.

In the new threat era of more planned, targeted campaigns against organizations, network traffic provides the greatest panorama of new “clues” or tip-offs about abnormal behavior (users, hosts, services and applications communicating inside or outside the network in a concerning way), and also the evidence to show what, when, who and how a ‘crime’ occurred.

Yet why has Network Traffic Analysis (NTA), or its older cousins Network Forensics and Network Behavior Anomaly Detection (NBAD), not emerged beyond early adopter or expert market segment status?

The signs are emerging that more organizations are considering or evaluating NTA. Industry analyst firms ESG and IDC have published data and market reports on the importance of Network Traffic Analysis for security. Both SANS, the research organization, and IDC surveyed enterprise decision makers in 2016; both surveys rank understanding normal traffic patterns and operations, and investing in staff and solutions that can detect and investigate abnormal ones, as a top skills shortage and a top initiative.

But there have been plenty of security market segments (probably better described as use cases) that never break out into the security mainstream and reach ~ $400M+ in market size, the scale that signals wider adoption and a market’s existence “of being.”

Indeed, well-known business author Geoffrey Moore (Crossing the Chasm) still defines a market best with his four criteria:

  • A set of actual or potential customers
  • for a given set of products or services
  • who have a common set of needs or wants, and
  • who reference each other when making a buying decision.

This definition helps one to see when a market segment or a use case is still emerging and not quite a ‘true’ market. Despite the excitement around the EDR (endpoint detection and response) space, there are multiple different use cases and distinct technology capabilities awkwardly grouped together, ranging from stopping the execution of malicious activity to alert triage and investigation/forensics. The sets of products are not standard, and the needs and wants are not always common.

NTA for security can also serve multiple use cases, ranging from detection of suspicious activity, to investigation of activity that might be an incident, to post-breach forensics. The capabilities needed from a provider might differ depending on the use case. Multiple use cases requiring different technologies and needs stymie true market creation.

However, we might just be on the cusp of a chasm for NTA. Today’s new threat environment of attack campaigns does require different skills and solutions, where use cases that once were separate, such as detection or forensics, now must come together in a new way. That’s because attack campaigns require different solutions than threats of the past, such as a nasty malware program. Finding attack campaigns requires skill-sets, processes and solutions that can see multiple subtle signs of malicious activity and chain together timelines of that activity in real time and retrospectively, as campaign artifacts typically hang out in networks for weeks or months.

This is a new need for a broader set of organizations, and one that several vendors are vying to solve. A combination of multiple vendors successfully innovating to help solve real problems, and fast buyer alignment around the core capabilities required, can build a market quickly.

Check out the video product tour of Arbor Networks Spectrum 2.2, a high-performance network traffic analysis platform integrating NetFlow, packet and threat intelligence data for real-time and retrospective investigation of advanced threats.