Throwing the Insider Threat with Network Traffic Analysis

This article is written by Matt Alderman, CEO of Security Weekly.

For decades, network traffic analysis has focused on external traffic, the so-called north-south traffic that passes through the perimeter firewalls. As firewalls evolved to analyze this traffic better, two major trends emerged: (1) as workloads moved to the cloud, the perimeter became more porous, to the point of disappearing, and (2) as attackers became more sophisticated, threats already inside the network became harder to detect. Analyzing north-south traffic alone was no longer sufficient to protect the organization's network.

Earlier, deep packet inspection solutions existed for analyzing traffic within the internal network, the so-called east-west traffic. The problem with these inline solutions was that they were very costly to deploy and scale, so organizations had to make strategic choices about where east-west traffic would be monitored and where it would not.

During the same period, user and entity behavior analytics emerged as a possible answer to the insider-threat problem. These solutions relied mainly on logs to analyze user behavior on hosts, but offered no deep analysis of east-west network traffic. To get full value from them, they generally had to be integrated with Security Information and Event Management (SIEM) platforms, which still had limitations when it came to detecting unknown attack behavior.

Gartner recognized the limitations of the existing solutions and identified a new security market known as Network Traffic Analysis (NTA). The capabilities defined in its Market Guide include:

  • Analyze raw network packet traffic or flows (such as NetFlow records) in real or near real time.
  • Monitor and analyze north/south traffic (as it crosses the perimeter) and east/west traffic (as it moves laterally within the network).
  • Model normal network traffic and flag abnormal traffic.
  • Emphasize behavioral (signature-less) techniques, such as machine learning or advanced analytics, to detect anomalies in the network.
  • Focus on the threat detection phase rather than the forensics phase, such as packet capture (PCAP) analysis.
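The first four capabilities above can be illustrated with a small baseline-and-deviation detector. This is an added example, not code from the article, Gartner or ExtraHop; the flow records are constructed, and the "new east/west peers" tolerance is an assumed parameter. It classifies NetFlow-style records as north/south or east/west, learns each host's normal set of internal peers from a baseline window, and flags, without any signature, a host that suddenly fans out to many internal hosts it never talked to before.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges: a flow with both ends inside these is east/west (lateral).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NetFlow-style records: (src_ip, dst_ip, dst_port, bytes).
# Baseline window: each workstation talks to the file server / DC and the web.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 445, 12000), ("10.0.1.10", "10.0.2.6", 389, 800),
    ("10.0.1.11", "10.0.2.5", 445, 9000), ("10.0.1.11", "93.184.216.34", 443, 5000),
    ("10.0.1.12", "10.0.2.6", 389, 700), ("10.0.1.12", "151.101.1.69", 443, 3000),
]
# Observation window: same traffic, plus 10.0.1.11 reaching six peer
# workstations over SMB that it never contacted before (lateral movement).
WINDOW_FLOWS = BASELINE_FLOWS + [
    ("10.0.1.11", "10.0.1.%d" % n, 445, 300) for n in range(20, 26)]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def direction(src, dst):
    """Classify a flow as 'east_west' (both ends internal) or 'north_south'."""
    return "east_west" if is_internal(src) and is_internal(dst) else "north_south"

def east_west_peers(flows):
    """Map each internal source host to the set of internal hosts it contacted."""
    peers = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        if direction(src, dst) == "east_west":
            peers[src].add(dst)
    return peers

def flag_lateral_movement(baseline_flows, window_flows, max_new_peers=3):
    """Learn each host's normal east/west peer set from the baseline, then flag
    hosts whose count of never-before-seen peers exceeds the tolerance."""
    baseline = east_west_peers(baseline_flows)
    alerts = {}
    for host, peers in east_west_peers(window_flows).items():
        new_peers = peers - baseline.get(host, set())
        if len(new_peers) > max_new_peers:
            alerts[host] = sorted(new_peers)
    return alerts

if __name__ == "__main__":
    for host, peers in flag_lateral_movement(BASELINE_FLOWS, WINDOW_FLOWS).items():
        print("ALERT %s: %d new east/west peers %s" % (host, len(peers), peers))
```

In a real deployment the baseline would be learned per host over days of flow data and the tolerance tuned to the environment; the point here is that the alert comes from deviation from learned behavior, not from a signature.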

Of the more than a dozen vendors identified in this new market, those that analyze the network itself have the advantage. Specifically, ExtraHop Reveal(x) provides complete visibility and real-time detection of fraudsters, insiders and low-and-slow attacks, with guided investigation for an immediate and confident response. Some of its most important features are:

  • Passive, out-of-band processing of network traffic at scale (up to 100 Gbps) on a single appliance. Many vendors reach 40 Gbps or less per device, which is not enough for today's enterprises.
  • Immediate access to Layer 7 application transaction content (application details) to quickly detect and investigate suspicious threats.
  • Real-time threat detection based on machine-learning behavioral analysis, to catch unknown threats that rules cannot detect.
  • Decryption capabilities, including for Perfect Forward Secrecy (PFS) cipher suites, giving access to specific evidence of TTP usage that would otherwise go unnoticed by hiding inside legitimate encrypted traffic.

In emerging markets, leaders must either do things better or do things differently. ExtraHop does both. For more information go to securityweekly.com/extrahop.
