Network Security, Threat Management, Risk Identification/Classification/Mitigation, NDR

Thwarting the Insider Threat with Network Traffic Analysis

This post was authored by Matt Alderman, CEO of Security Weekly.

For decades, network traffic analysis concentrated on external traffic, known as north-south traffic, as it crossed the perimeter via firewalls. Although firewalls evolved to analyze this traffic better, two primary trends emerged: 1) cloud adoption was making the perimeter more porous, even to the point of extinction, and 2) as attackers grew more sophisticated, threats already inside the network were becoming increasingly difficult to detect. North-south traffic analysis was no longer enough to protect an organization's network.

What first emerged to analyze internal network traffic, known as east-west traffic, were deep packet inspection solutions originally built for ingress/egress traffic analysis. The challenge with these inline solutions is that they were very expensive to deploy and scale, leading organizations to make strategic bets on which east-west traffic to monitor and which to leave unmonitored.

Also during this time, user and entity behavior analytics (UEBA) emerged as a possible solution to insider threats. These solutions relied primarily on logs to analyze user behavior on hosts, but did not provide deep analysis of east-west network traffic. To gain full value from them, they typically needed to be integrated with a security information and event management (SIEM) platform, which still had limitations when it came to detecting unknown attack behaviors.

Recognizing the limitations of existing solutions in the market, Gartner identified a new security market known as Network Traffic Analysis (NTA). The capabilities defined in their Market Guide include:

  • Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real time or near real time
  • Have the ability to monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network)
  • Be able to model normal network traffic and highlight anomalous traffic
  • Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics, that detect network anomalies
  • Be able to emphasize the threat detection phase, rather than the forensics — for example, packet capture (PCAP) analysis — phase of an attack
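The third and fourth capabilities above (model normal traffic, then surface anomalies without signatures) can be illustrated on flow records. The following is an added example, not code from the original post or from any vendor named here: it learns a per-host baseline of internal (dst, port) pairs from constructed NetFlow-style records and flags a host that suddenly fans out to several never-before-seen internal peers, the east-west pattern an insider or lateral-moving attacker produces. All hosts, ports and thresholds are constructed sample values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-style record (constructed; real exports carry many more fields)."""
    src: str
    dst: str
    dport: int
    bytes_out: int


# Constructed learning window of "normal" east-west flows.
BASELINE = [
    Flow("10.0.1.10", "10.0.2.5", 445, 5_000),   # workstation -> file server (SMB)
    Flow("10.0.1.10", "10.0.2.7", 443, 12_000),  # workstation -> intranet web
    Flow("10.0.1.11", "10.0.2.5", 445, 4_000),
    Flow("10.0.1.11", "10.0.2.7", 443, 9_000),
]

# Constructed observation window: 10.0.1.10 starts touching peer workstations.
OBSERVED = [
    Flow("10.0.1.10", "10.0.2.5", 445, 6_000),   # baseline pair, not anomalous
    Flow("10.0.1.10", "10.0.1.20", 445, 800),    # new internal peer
    Flow("10.0.1.10", "10.0.1.21", 445, 800),
    Flow("10.0.1.10", "10.0.1.22", 3389, 900),   # new peer on RDP
    Flow("10.0.1.10", "10.0.1.23", 445, 800),
    Flow("10.0.1.11", "10.0.2.7", 443, 9_500),   # baseline pair
    Flow("10.0.1.11", "10.0.2.9", 443, 3_000),   # one new peer: below threshold
]


def build_baseline(flows):
    """Model 'normal': for each source host, the set of (dst, dport) pairs it used."""
    profile = defaultdict(set)
    for f in flows:
        profile[f.src].add((f.dst, f.dport))
    return profile


def detect_lateral_fanout(profile, flows, new_peer_threshold=3):
    """Return {src: [(dst, dport), ...]} for hosts that reached the threshold of
    distinct internal peers never seen in their baseline. Run per sliding window
    for near-real-time use; the threshold is a constructed tuning value."""
    new_pairs = defaultdict(list)
    for f in flows:
        if (f.dst, f.dport) not in profile.get(f.src, set()):
            new_pairs[f.src].append((f.dst, f.dport))
    return {src: pairs for src, pairs in new_pairs.items()
            if len({dst for dst, _ in pairs}) >= new_peer_threshold}
```

Because the baseline is learned rather than written as a rule, a host that legitimately talks to many peers (a vulnerability scanner, a backup server) will not alert as long as those peers were present during the learning window.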

Of the dozen-plus vendors identified in this new market, the pure-play NTA vendors have the best capabilities. Specifically, ExtraHop Reveal(x) delivers complete visibility and real-time detection of rogues, insiders, and low-and-slow attacks, with guided investigation for immediate, confident response. Key differentiators include:

  • Out-of-band, passive processing of network traffic at scale (up to 100Gbps). Many vendors top out at 40Gbps or less per appliance, which is not enough for today's enterprises.
  • Instant access to application transaction contents at Layer 7 (application details), enabling rapid detection and investigation of suspected threats.
  • Real-time detection of threats based on machine-learning driven behavioral analysis to catch unknown unknowns in ways that rules-based detection can’t.
  • Decryption capabilities, including for traffic protected by Perfect Forward Secrecy (PFS), providing concrete evidence of the TTPs in use that would otherwise escape detection by hiding inside genuine, legitimate encrypted traffic.

In an emerging market, category leaders need to do it better and/or differently. In ExtraHop's case, they do both. To learn more, visit

Matt Alderman

Chief Product Officer at CyberSaint, start-up advisor, and wizard of entrepreneurship.
