An Introduction to Network Behavioral Analytics
Behavioral analytics is critical to successful security monitoring and detection. Quite simply, standard rule- and signature-based detection is wholly insufficient to detect today's attacks. Unfortunately, when most organizations think about and implement behavioral analytics, they approach it only by looking at human behaviors via user behavioral analytics (UBA). However, real security is better achieved when you marry UBA with network and asset behaviors.
Network behavioral analytics looks for anomalies in the way network systems and protocols operate and communicate on a computer network. Just like humans, computers and networks tend to function consistently and predictably over time; they follow the same patterns over and over.
A mail server has the function of receiving, processing, and sending email for an organization. The normal behaviors we would expect to see include a high volume of email protocol traffic such as SMTP, IMAP, or POP3; emails that include the organizational email domain on at least one side of the communication; and a relatively consistent volume of email traffic at a given time of day. Once the analytic has learned what normal behavior for the server looks like, it can start looking for anomalies. Perhaps we see an unexpected increase in web browsing (HTTP) traffic originating from the server, or an abnormal spike in data leaving it. Each of these could be indicative of malicious activity, or at the least identify anomalous activity that ought to be investigated.
Another strategy for these analytics is to monitor the behaviors of protocols across the network. DNS, for example, is a well-defined and structured protocol: we know how it should work and what its traffic looks like, so if we observe behaviors deviating from that model, we have an alertable event. We could also look for unexpected spikes in the volume of obscure protocols communicating on the network, or unexpected outbound traffic to known malicious sites or to locations that have not been observed before.
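The mail-server scenario above, and the "unexpected spike in volume" idea from the protocol paragraph, reduce to a small per-asset baseline: learn which protocols each host normally speaks and how much it normally sends, then flag a never-seen protocol and a statistically large jump in outbound bytes. The example below is added here to show that logic over constructed flow records; it is not code from the original post or from Security On-Demand, and the host names, byte counts, 5% deviation floor and z-score threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (day, source host, protocol, bytes out).
# Days 1-5 are the learning window, day 6 is the period under review.
FLOWS = []
for day, smtp in zip(range(1, 6), (400_000, 420_000, 390_000, 410_000, 380_000)):
    FLOWS += [(day, "mail01", "SMTP", smtp), (day, "mail01", "IMAP", 250_000),
              (day, "mail01", "POP3", 50_000), (day, "web01", "HTTP", 1_000_000)]
FLOWS += [(6, "mail01", "SMTP", 410_000), (6, "mail01", "IMAP", 240_000),
          (6, "mail01", "HTTP", 30_000),     # web browsing from a mail server
          (6, "mail01", "SMTP", 2_500_000),  # unusually large outbound volume
          (6, "web01", "HTTP", 1_020_000)]   # a normal day for the web server


def daily_profile(flows):
    """Per (host, day): the set of protocols seen and the total bytes sent."""
    protos, volume = defaultdict(set), defaultdict(int)
    for day, host, proto, nbytes in flows:
        protos[(host, day)].add(proto)
        volume[(host, day)] += nbytes
    return protos, volume


def find_anomalies(flows, learn_days, check_day, z_threshold=3.0):
    """Flag protocols never seen in the learning window and outbound volume spikes."""
    protos, volume = daily_profile(flows)
    alerts = []
    for host in sorted({host for _, host, _, _ in flows}):
        baseline_protos = set().union(*(protos[(host, d)] for d in learn_days))
        baseline_vols = [volume[(host, d)] for d in learn_days]
        mu = mean(baseline_vols)
        # Floor the deviation at 5% of the mean (assumed policy) so a perfectly
        # flat baseline does not turn every small change into a spike.
        sigma = max(pstdev(baseline_vols), 0.05 * mu)
        for proto in sorted(protos[(host, check_day)] - baseline_protos):
            alerts.append((host, "new_protocol", proto))
        today = volume[(host, check_day)]
        if (today - mu) / sigma > z_threshold:
            alerts.append((host, "volume_spike", today))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(FLOWS, range(1, 6), 6):
        print(alert)
```

Run as-is it reports the HTTP traffic and the outbound spike for mail01 and nothing for web01, whose 2% day-over-day change stays well inside the floored deviation.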
By monitoring the way your network behaves and correlating it with your user and asset behavioral analytics, you will discover more malicious activity and keep your network secure.
About Security On-Demand
Security On-Demand (SOD) provides full-spectrum threat management and advanced cyber threat detection services for hundreds of businesses and government agencies globally. SOD's patented, behavioral-analytics ThreatWatch technology enables the detection of advanced threats to protect brand value, reduce the risk of a data breach, and mitigate its impact. SOD is headquartered in San Diego, CA, with international R&D offices and a Security Operations Center in Warsaw, Poland.