Stacey Halota
While reading Jeffrey Carr's interesting new book, Inside Cyber Warfare, I was struck by a mention that there were so many new viruses in 2009 that Symantec needed to write a new virus signature every nine seconds. I thought to myself how staggering a number that is and how it could only get worse in 2010.

That is not to say that signature-based software doesn't play an important part in a layered defense strategy; however, it just can't keep up with malware being generated. I happened to be reading this book right after the Hydraq trojan and Kneber botnet received so much publicity, and that led me to think about a technology that I have always been a fan of and have used extensively, network behavior analysis (NBA). To me, NBA is like the Rodney Dangerfield of the information security tool world – it just doesn't get any respect (or enough respect). Unlike firewalls or anti-virus, it is not necessarily considered a “must-have” in a company's computing environment, but maybe it should be. I prefer to think of it as the Swiss Army knife of information security tools.

NBA uses passive monitoring sensors, network flow data and other sources to monitor network traffic and establish a baseline for normal network behavior. It can then be configured to report and alert on behavior that deviates from that baseline. Not only does NBA help protect against zero-day malware and non-signature based events, it does many other things well:

Provides expanded internal network visibility: Because NBA reads information from devices already on the network (routers, etc.), you can get more visibility while deploying fewer sensors. It may be cost-prohibitive to deploy an IDS and/or IPS across your entire internal network, but this is not out of the question with an NBA tool.

Works with other solutions like IPS and data leakage prevention: While NBA tools don't prevent events from happening, you can use NBA alerts to trigger IPS events. It can work with routers and switches by shutting down ports, changing routes or invoking ACLs. You can augment DLP by defining custom NBA policies on allowable behavior, triggering when the conditions are met (like data transfers from an unexpected source).

Helps with compliance: You can use NBA tools as virtual gateways surrounding critical Payment Card Industry, SOX, HIPAA or other systems containing regulated data and define specific compliance policies for these systems, providing an additional layer of defense.

Provides value outside information security: It is always great when you can buy a tool that is seen as useful outside of the information security group. Network engineers can use NBA tools to troubleshoot network performance problems, find out who creates the heaviest traffic loads, trace back unusual activity, and run automated reports by application. NBA tools show dependencies between users, applications, systems and network infrastructure and can help with documenting disaster recovery plans or planning data center moves.
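The two mechanisms the column describes, a learned baseline that raises an alert when behaviour deviates from it, and a custom policy that fires when a transfer comes from an unexpected source, can be shown on a handful of flow records. The following is an added example, not code from the column or from any NBA product; the addresses, the regulated 10.0.50.0/24 segment, the allowed 10.0.1.0/24 source network and the flow volumes are all constructed for illustration, and the baseline uses a simple mean-plus-k-sigma band per source in place of whatever a commercial sensor does internally.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One summarised flow record, the kind a router exports as NetFlow/IPFIX."""
    src: str
    dst: str
    dst_port: int
    nbytes: int


def bytes_per_source(flows):
    """Total bytes sent by each source address within one observation window."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.nbytes
    return dict(totals)


class VolumeBaseline:
    """Per-source outbound-volume baseline learned from past windows (constructed method)."""

    def __init__(self, training_windows, k=3.0, sigma_floor=0.05):
        per_src = defaultdict(list)
        for window in training_windows:
            for src, total in bytes_per_source(window).items():
                per_src[src].append(total)
        self.k = k
        self.stats = {}
        for src, totals in per_src.items():
            mu = mean(totals)
            # floor the spread so a perfectly flat history still tolerates small jitter
            sigma = max(pstdev(totals), sigma_floor * mu)
            self.stats[src] = (mu, sigma)

    def deviations(self, window):
        """Sources sending more than mean + k*sigma, or that have no history at all."""
        alerts = []
        for src, total in sorted(bytes_per_source(window).items()):
            if src not in self.stats:
                alerts.append((src, "no baseline for source", total))
                continue
            mu, sigma = self.stats[src]
            if total > mu + self.k * sigma:
                alerts.append((src, "outbound volume above baseline", total))
        return alerts


# Custom policy in the spirit of the column's DLP example: only hosts in the
# allowed networks may move data in or out of the regulated segment.
# Both networks are constructed for this example.
REGULATED_SEGMENT = ip_network("10.0.50.0/24")
ALLOWED_SOURCES = [ip_network("10.0.1.0/24")]


def policy_violations(flows, min_bytes=1_000_000):
    """Large flows crossing the regulated boundary whose other endpoint is not allowed."""
    hits = []
    for f in flows:
        if f.nbytes < min_bytes:
            continue
        src, dst = ip_address(f.src), ip_address(f.dst)
        if dst in REGULATED_SEGMENT:
            peer = src
        elif src in REGULATED_SEGMENT:
            peer = dst
        else:
            continue
        if not any(peer in net for net in ALLOWED_SOURCES):
            hits.append(f)
    return hits


def app_window(volume):
    """One constructed 'normal' window: app server feeds the DB, a workstation talks to the app."""
    return [Flow("10.0.1.5", "10.0.50.10", 1433, volume),
            Flow("10.0.20.77", "10.0.1.5", 443, 20_000)]


TRAINING = [app_window(v) for v in (100_000, 110_000, 95_000, 105_000)]

# Constructed suspicious window: the workstation pushes far more than usual,
# including a large SMB transfer straight into the regulated segment, and a
# never-seen host appears.
SUSPECT_WINDOW = [
    Flow("10.0.1.5", "10.0.50.10", 1433, 98_000),
    Flow("10.0.20.77", "10.0.1.5", 443, 20_000),
    Flow("10.0.20.77", "203.0.113.9", 443, 800_000),
    Flow("10.0.20.77", "10.0.50.10", 445, 5_000_000),
    Flow("10.0.30.8", "10.0.1.5", 443, 4_000),
]


def run_example():
    """Return (baseline alerts, policy violations) for the constructed suspect window."""
    baseline = VolumeBaseline(TRAINING)
    return baseline.deviations(SUSPECT_WINDOW), policy_violations(SUSPECT_WINDOW)


if __name__ == "__main__":
    alerts, violations = run_example()
    for a in alerts:
        print("BASELINE:", a)
    for v in violations:
        print("POLICY:", v)
```

The baseline check is passive and needs only flow data the routers already export, which is the visibility argument the column makes; the policy check is the kind of rule that could be wired to an IPS or an ACL change once the false-positive rate on a given segment is understood.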

Security dollars are hard-won, and tough choices have to be made about where they should go. Speaking as someone who has seen the benefits NBA tools have provided for many years in our complex environments, given their bang for the buck, NBA tools deserve some respect – and a place on the “must-have” information security tool list.

Stacey Halota was SC Magazine's CSO of the Year in 2009.