FOR, by Adam Powers, director of technology, Lancope

Network Behavior Analysis (NBA) systems excel at detecting and mitigating worms, viruses and other malware.

NBA systems leverage NetFlow/sFlow from existing network infrastructure to simultaneously analyze hundreds of network points without requiring additional hardware at each monitoring location -- creating end-to-end network visibility.

Because NBA systems analyze packet payload and are primarily driven by host relationships, statistical analysis and behavioral modeling, they are not burdened with inspection and pattern-matching for every packet.

NBA systems are "infrastructure aware" in that once worms/viruses hit the network, NBA appliances know exactly what router/port to disable or where to install an ACL to quarantine the worm or virus.

Easy-to-deploy, cost-effective and a proven defense against new and undocumented attacks, NBA systems are integral for IT organizations looking to detect and respond quickly to network-debilitating outbreaks.
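The FOR position above describes the technique only in outline: flow records from existing routers, detection driven by host relationships and statistics rather than payload, and an "infrastructure aware" response that points at the router and interface where the offending host sits. The following Python sketch is an added example written for this page; it is not Lancope's code or any product's logic. It works over constructed NetFlow-style records (source, destination, port, byte count, exporting router, input ifIndex), builds a per-host profile, flags hosts whose distinct-destination fan-out jumps well above a constructed baseline on a single port, and turns the alert into an illustrative Cisco-style ACL for the interface the exporter reported. The baselines, thresholds and ACL number are assumptions chosen for the sample data; `false_positive_sweep` also shows the tuning trade-off the AGAINST position complains about, by counting how many known-benign hosts a looser threshold would flag.

```python
"""Flow-based worm detection sketch (added example, not vendor code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record; exporter/ifindex mimic the exporting router and input ifIndex."""
    src: str
    dst: str
    dst_port: int
    nbytes: int
    exporter: str
    ifindex: int


def _make(src, dsts, port, nbytes, exporter, ifindex):
    return [Flow(src, d, port, nbytes, exporter, ifindex) for d in dsts]


# Constructed sample records for one analysis window.
FLOWS = (
    # Normal client: a handful of peers on mixed ports, large transfers.
    _make("10.1.1.5", ["10.1.9.10", "10.1.9.11"], 445, 48000, "rtr-a", 3)
    + _make("10.1.1.5", ["10.1.9.20", "172.16.0.5"], 443, 120000, "rtr-a", 3)
    # Worm-like host: twelve distinct destinations, one port, tiny payloads.
    + _make("10.1.1.7", [f"10.1.{i}.{j}" for i in (3, 4) for j in range(1, 7)], 445, 120, "rtr-a", 5)
    # Quiet host on another segment, seen by a different router.
    + _make("10.1.2.9", ["10.1.9.10", "10.1.9.11", "10.1.9.12"], 80, 9000, "rtr-b", 2)
)

# Constructed per-host baseline: typical distinct destinations per window.
BASELINE_FANOUT = {"10.1.1.5": 4, "10.1.1.7": 3, "10.1.2.9": 3}
DEFAULT_BASELINE = 3


def host_profiles(flows):
    """Summarise each source host's relationships without touching any payload."""
    peers, ports, total_bytes, location = defaultdict(set), defaultdict(Counter), Counter(), {}
    for f in flows:
        peers[f.src].add(f.dst)
        ports[f.src][f.dst_port] += 1
        total_bytes[f.src] += f.nbytes
        location.setdefault(f.src, (f.exporter, f.ifindex))  # first router/interface that saw the host
    return {
        host: {
            "fanout": len(peers[host]),
            "top_port": ports[host].most_common(1)[0],  # (port, flow_count)
            "flows": sum(ports[host].values()),
            "avg_bytes": total_bytes[host] / sum(ports[host].values()),
            "location": location[host],
        }
        for host in peers
    }


@dataclass(frozen=True)
class Alert:
    host: str
    fanout: int
    port: int
    exporter: str
    ifindex: int


def detect_worm_like(flows, factor=3.0, min_fanout=10, port_share=0.8):
    """Flag hosts whose fan-out exceeds both an absolute floor and factor x baseline on one port."""
    alerts = []
    for host, p in host_profiles(flows).items():
        baseline = BASELINE_FANOUT.get(host, DEFAULT_BASELINE)
        port, count = p["top_port"]
        if (p["fanout"] >= min_fanout and p["fanout"] >= factor * baseline
                and count / p["flows"] >= port_share):
            exporter, ifindex = p["location"]
            alerts.append(Alert(host, p["fanout"], port, exporter, ifindex))
    return alerts


def quarantine_acl(alert):
    """Illustrative Cisco-style ACL for the interface where the exporter saw the host."""
    return [
        f"! apply inbound on {alert.exporter} ifIndex {alert.ifindex}",
        f"access-list 150 deny tcp host {alert.host} any eq {alert.port}",
        "access-list 150 permit ip any any",
    ]


def false_positive_sweep(flows, benign_hosts, min_fanouts=(3, 5, 10)):
    """Count known-benign hosts flagged at each fan-out floor (baseline factor relaxed to 1.0)."""
    return {
        m: len({a.host for a in detect_worm_like(flows, factor=1.0, min_fanout=m)} & set(benign_hosts))
        for m in min_fanouts
    }


if __name__ == "__main__":
    for a in detect_worm_like(FLOWS):
        print(a)
        print("\n".join(quarantine_acl(a)))
    print("benign hosts flagged per min_fanout:", false_positive_sweep(FLOWS, ["10.1.1.5", "10.1.2.9"]))
```

With the sample data only 10.1.1.7 is flagged, and the alert already carries the exporter and input interface, which is the whole of the "infrastructure aware" claim in practice. Dropping the fan-out floor to 3 flags the quiet host 10.1.2.9 as well, which is why such thresholds need per-segment baselines rather than one global setting.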

AGAINST, by Matt Miller, vice president of engineering, CounterStorm

Network behavioral anomaly detection (NBAD) is not the most effective solution for stopping worms and viruses.

In much the same way that intrusion detection systems (IDS) evolved to provide attack mitigation at the network perimeter in the form of intrusion prevention systems (IPS), NBADs must evolve into a viable security solution for the network interior. Today's NBADs need constant tuning and maintenance and produce volumes of data. This requires network experts to filter out high numbers of false positives to derive any actionable information.

Many enterprises buy NBADs for their claimed security benefits, but in the end use them as decision support tools for network monitoring and operations. When NBADs are expected to provide real-time containment of actual security incidents, such as worm outbreaks, they continually fall short.

A true internal network security solution needs to correlate evidence from several best-of-breed engines, where anomaly detection should play a supporting, but not leading role.