Market Guide for Network Traffic Analysis

Published 28 February 2019 – ID G00381265 – 23 min read


Network traffic analysis is a new market, with many vendors entering since 2016. Here, we analyze the key NTA vendors to be considered by security and risk management leaders.

Overview

Key Findings

  • Applying behavioral analysis to network traffic is helping enterprises detect suspicious traffic that other security tools are missing.
  • The barrier to entry in this market is low, and the market is crowded; many vendors can monitor traffic from a SPAN port and apply well-known behavioral techniques to detect suspicious traffic.

Recommendations

To improve the detection of suspicious network traffic, security and risk management leaders should:
  • Implement behavioral-based network traffic analysis tools to complement signature-based detection solutions.
  • Include NTA-as-a-feature solutions in their evaluations, if they are available from security information and event, firewall, or other security products.
  • Focus on scalability (can the solution analyze the volume of traffic in the network?); efficacy of detection (perform a proof-of-concept trial in the environment); and price (at this early stage, market pricing varies widely).

Market Definition

Network traffic analysis (NTA) uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks. NTA tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NTA tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NTA solutions can also monitor east/west communications by analyzing network traffic or flow records received from strategically placed network sensors.
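As an added illustration of the baseline-and-alert loop described above (not code from the Market Guide or from any vendor it profiles), the Python below builds a per-host model of normal traffic from constructed NetFlow-style records, separates east/west from north/south using an assumed RFC 1918 address plan, and alerts on a day whose byte volume or destination count departs from that baseline. The z-score threshold and the sigma floor are assumed tuning values.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import statistics

# Internal address plan assumed for the demo (RFC 1918); a real deployment uses its own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record, reduced to the fields the demo needs (constructed data)."""
    src: str
    dst: str
    dport: int
    bytes_out: int
    day: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """East/west when both ends are internal, north/south when one end is outside."""
    return "east/west" if is_internal(flow.src) and is_internal(flow.dst) else "north/south"


def daily_features(flows):
    """Per (src, direction, day): total bytes sent and number of distinct destinations."""
    acc = defaultdict(lambda: [0, set()])
    for f in flows:
        entry = acc[(f.src, direction(f), f.day)]
        entry[0] += f.bytes_out
        entry[1].add(f.dst)
    return {key: (total, len(dsts)) for key, (total, dsts) in acc.items()}


def build_baseline(flows, training_days):
    """Model 'normal' as mean and stdev of each feature per (src, direction) over the
    training window. Days with no traffic count as zero, so a quiet host stays quiet."""
    feats = daily_features([f for f in flows if f.day in training_days])
    baseline = {}
    for src, dirn in {(s, d) for (s, d, _day) in feats}:
        per_day = [feats.get((src, dirn, day), (0, 0)) for day in training_days]
        series = {"bytes": [b for b, _ in per_day], "dsts": [n for _, n in per_day]}
        baseline[(src, dirn)] = {
            name: (statistics.mean(vals), statistics.pstdev(vals)) for name, vals in series.items()
        }
    return baseline


def detect(flows, baseline, day, z_threshold=3.0):
    """Alert when a feature on `day` exceeds mean + z_threshold * sigma. Sigma is floored
    at 20% of the mean (and at 1) so a perfectly steady training window does not turn
    every small change into an alert; floor and threshold are assumed tuning values."""
    alerts = []
    today = daily_features([f for f in flows if f.day == day])
    for (src, dirn, _day), (total, n_dsts) in today.items():
        base = baseline.get((src, dirn))
        if base is None:
            alerts.append((src, dirn, "no baseline", None))
            continue
        for name, value in (("bytes", total), ("dsts", n_dsts)):
            mean, sd = base[name]
            z = (value - mean) / max(sd, 0.2 * mean, 1.0)
            if z > z_threshold:
                alerts.append((src, dirn, name, round(z, 1)))
    return alerts


def sample_flows():
    """Constructed records: five steady days for two hosts, then a sixth day on which
    10.0.0.5 reaches 30 internal hosts on 445 and sends 50 MB to an external address."""
    flows = []
    for day in range(5):
        flows += [
            Flow("10.0.0.5", "10.0.0.10", 445, 20_000, day),
            Flow("10.0.0.5", "10.0.0.11", 445, 15_000, day),
            Flow("10.0.0.5", "198.51.100.7", 443, 100_000, day),
            Flow("10.0.0.6", "10.0.0.10", 445, 30_000, day),
        ]
    flows += [Flow("10.0.0.5", f"10.0.0.{h}", 445, 2_000, 5) for h in range(10, 40)]
    flows += [
        Flow("10.0.0.5", "198.51.100.7", 443, 100_000, 5),
        Flow("10.0.0.5", "203.0.113.9", 443, 50_000_000, 5),
        Flow("10.0.0.6", "10.0.0.10", 445, 30_000, 5),
    ]
    return flows


def run_demo():
    """Train on days 0-4, score day 5; returns the alert tuples."""
    flows = sample_flows()
    baseline = build_baseline(flows, training_days=range(5))
    return detect(flows, baseline, day=5)


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Only 10.0.0.5 is flagged: its east/west destination count and byte volume and its north/south byte volume all exceed the baseline, while 10.0.0.6, whose day-5 traffic matches its history, produces nothing.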

Market Description

Dozens of vendors claim to analyze network traffic (or flow records) and to detect suspicious activity on the network. To develop a scope of vendors, we have applied the following criteria.

Inclusion Criteria

Vendor must:
  • Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real time or near real time
  • Have the ability to monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network)
  • Be able to model normal network traffic and highlight anomalous traffic
  • Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics, that detect network anomalies
  • Be able to emphasize the threat detection phase, rather than the forensics — for example, packet capture (PCAP) analysis — phase of an attack

Exclusion Criteria

We exclude solutions that:
  • Require a prerequisite component — for example, those that require a security information and event (SIEM) or firewall platform
  • Work primarily on log analysis
  • Primarily use rules, signatures or reputation for detection capabilities
  • Are based primarily on analytics of user session activity — for example, user and entity behavior analytics (UEBA) technology
  • Focus primarily on analyzing traffic in Internet of Things (IoT) or operational technology (OT) environments

Market Direction

Throughout 2019, NTA vendors will need to develop their solutions in two primary categories:
  • Detection
  • Response
In the detection category, we expect vendors to continue investing in the machine learning (supervised and unsupervised) techniques that many providers are offering today. Much of the innovation in these areas will not be noticeable to customers; however, vendors must continually invest in detection techniques to have a high degree of efficacy in detecting suspicious network traffic.
Improvements in the response category will be more noticeable. Although the primary use of NTA tools is detection, organizations expect more help from the tools when it comes to investigating and mitigating an incident. There are two broad categories under response:
  • Automated response
  • Manual response
Some types of alerts are good candidates for automated response. For example, if the detection tool has a high degree of confidence that an endpoint has been compromised, that endpoint can be automatically isolated from the network. For incidents that cannot be automatically blocked or handled, the NTA tool and/or third-party tools can provide incident response capabilities.
Responding to more-complex and targeted attacks is primarily about attack investigation and threat hunting, and NTA solutions should develop their capabilities in these areas. Already, many solutions generate metadata and provide the ability to search it, so that incident responders can more quickly respond to attacks and investigate threats. Solutions also capture and store some packets, so that incident responders can perform basic forensics functions, such as going back in time to understand host activity around the time of detection. We expect more vendors to deliver improved threat-hunting features, as they upgrade user interfaces (UIs) and deliver more contextual information to the incident responders.

Market Analysis

Here, we analyze the segments of the NTA market.
Pure-Play NTA Companies: The vendors in this category are mostly smaller specialty companies. Their primary focus is on the detection use case; however, many are working on enhancing their response capabilities.
Network-Centric Companies: Several companies that have historically targeted network use cases, such as network performance monitoring and diagnostics (NPMD; see “Magic Quadrant for Network Performance Monitoring and Diagnostics”), have developed solutions to address security use cases. These network-centric solutions were already monitoring network traffic, and these vendors have applied analytical techniques, such as machine learning, to detect anomalous traffic. We expect more network-centric vendors to develop solutions that target the security market.
Others: A few vendors do not fit cleanly in the two categories defined above. For example, large, diversified network security providers, such as Cisco and Hillstone Networks, also offer NTA solutions. Cisco has Stealthwatch, and Hillstone has the Server Breach Detection System. Two vendors that originally began as network sandboxing companies, FireEye and Lastline, have diversified their product portfolios by adding NTA solutions. FireEye now sells SmartVision and Lastline offers Breach Defender. We expect other network security vendors to follow the path of the vendors listed here and enter the NTA market.

Representative Vendors

The vendors listed in this Market Guide are not an exhaustive list. This section is intended to provide more understanding of the market and its offerings.

Market Introduction

Table 1 highlights the NTA vendors that met our inclusion criteria and were not eliminated by our exclusion criteria (see Note 1).

Table 1: Representative Vendors in NTA

Vendor: Product, Service or Solution Name
  • Awake Security: Awake Security Platform
  • Bricata: Bricata
  • Cisco: Stealthwatch
  • Corelight: Corelight Sensor
  • Corvil: Corvil Security Analytics
  • Darktrace: Enterprise Immune System
  • ExtraHop: Reveal(x)
  • Fidelis Cybersecurity: Fidelis Elevate
  • FireEye: SmartVision
  • GREYCORTEX: MENDEL
  • Hillstone Networks: Server Breach Detection System
  • HPE Aruba Networks: IntroSpect
  • IronNet Cybersecurity: IronDefense
  • Lastline: Lastline Defender
  • Plixer: Scrutinizer
  • HighBar SS8: SS8
  • Vectra: Cognito Detect
Source: Gartner (March 2019)

Vendor Profiles

Awake Security

Based in Sunnyvale, California, Awake Security’s solution uses a combination of supervised and unsupervised machine learning and other analytical techniques to detect suspicious traffic. The product can be deployed all-in-one (sensor and analytics) in a single unit or in a distributed fashion, where the sensor and the analytics hub are separated. The sensor can be deployed as a physical or virtual appliance across IT, OT and IoT networks, as well as in the cloud to protect Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP) workloads. Awake uses machine-learning-based, encrypted traffic analysis to find threats in encrypted data, without needing to decrypt. Awake does not provide a decryption engine for Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic.
Awake does not block attacks natively. Awake’s approach is to integrate with orchestration solutions (e.g., Splunk Adaptive Response or Demisto) or endpoint solutions (Carbon Black) to perform quarantine or trigger remediation playbooks. For example, customers use these mechanisms to block domains and IPs at the firewall or proxy and to take devices offline. Awake sells the solution as an annual subscription, based on aggregate throughput. Virtual appliances are available at no charge, and physical devices are available for a fee.

Bricata

Based in Columbia, Maryland, Bricata’s detection capabilities include signature and behavioral techniques (including supervised, but not unsupervised, machine learning). It uses two IDS/IPS engines, Suricata and Zeek (Bro), simultaneously. Suricata provides signature-based threat detection. Zeek enables stateful, behavior-anomaly-based threat detection. Bricata also licenses Cylance’s INFINITY technology for threat detection. Zeek generates network metadata that populates Bricata’s repository. The repository comes with a threat-hunting environment for manual threat detection.
Bricata’s architecture is composed of two main elements. Sensors (physical or virtual) are deployed on the network and perform PCAP, metadata generation and intrusion prevention system/intrusion detection system (IDS/IPS) functions, including dropping packets. A Central Management Console (CMC) repository is typically deployed in a data center. The CMC processes and analyzes the data collected from the sensors, and it provides an interface for threat hunting. Bricata does not decrypt SSL/TLS traffic, although it provides a built-in mechanism for JA3 fingerprinting of SSL sessions.
Bricata offers subscription licensing based on the aggregate throughput of the traffic being monitored. Customers purchase physical sensors and CMCs; however, virtual instances are free of charge. Hardware warranty, software maintenance and Bricata support are included in the subscription price. Higher levels of support are available at an additional charge.

Cisco

Headquartered in San Jose, California, Cisco plays in the NTA market with Cisco Stealthwatch. Stealthwatch’s data source is primarily NetFlow records and is deployed as a physical appliance, a virtual appliance or a SaaS solution. Through its Flow Sensors, Stealthwatch provides Layer 7 application visibility by gathering application information, along with on-demand PCAP. Stealthwatch can also ingest data from cloud platforms, such as AWS, Azure and GCP, as well as from Kubernetes environments. It also has the option to run on-demand PCAP. Full PCAP is not natively supported. Stealthwatch leverages various techniques for analytics, including signature-based detection, statistical analysis, and both supervised and unsupervised machine learning. Cisco integrates with Cisco Talos Intelligence Group for threat intelligence feeds.
Stealthwatch is sold as a term-based subscription based on the necessary flows per second, network device count or total monthly flows, depending on the product and deployment infrastructure. The subscription includes virtual flow collectors and the management console; however, additional fees are required for the appliance-based version of the product. The cloud version of Stealthwatch uses a combination of sensors for customer premises and API connectivity to flow sources in public clouds. Stealthwatch is integrated with the Cisco Identity Services Engine, which allows it to quarantine hosts. Stealthwatch does not decrypt traffic, but uses Encrypted Traffic Analytics (ETA) to detect malware and ensure cryptographic compliance. The product’s core market is midsize-to-large enterprises.

Corelight

Headquartered in San Francisco, California, Corelight’s solution is based on open-source Zeek (formerly known as Bro). Corelight has added enhancements that focus on scale, manageability and data enrichment. The solution consists of a range of physical and virtual sensors. These sensors analyze network traffic across multiple protocols, execute in-line detection analysis, and forward the events and parsed data logs to a customer’s SIEM or data lake. The Bro/Zeek scripting framework provides an optional feature that allows customers to write their own detection content. This is a popular approach for advanced customers that can optimize detection capabilities for their own environment.
Corelight’s detection capabilities include heuristic analysis and statistical analysis, but no machine learning. However, some Bro/Zeek customers have used the Python machine learning library to do both supervised and unsupervised machine learning. Corelight also performs some simple pattern-matching (signaturelike) detection. Corelight does not collect and analyze NetFlow or IPFIX records; however, the Corelight sensors generate metadata, which can be stored and analyzed for forensic analysis using third-party tools. Corelight does not decrypt SSL/TLS traffic, although it provides a built-in mechanism for JA3 fingerprinting of SSL sessions.
The solution is licensed on a subscription basis, which includes service and support, as well as hardware, software and a technical account manager. Enterprise support (e.g., hardware replacement) is available separately.

Corvil

Based in Dublin, Ireland, Corvil is an NPMD vendor that has adapted its IT operations solutions for NTA with a solution called Corvil Security Analytics. It operates on metadata derived from raw network packets, applying signature-based detection using Snort rules, proprietary rules, protocol analysis and reputation-feed-based traffic matching. The reputation-feed-based traffic matching leverages feeds from Emerging Threats ETPro IP and Domain reputation feeds, as well as abuse.ch (SSL Blacklist). Corvil offers basic, unsupervised machine learning, but it does not provide supervised machine learning. Corvil Security Analytics is sold as a hardware appliance, and can be complemented by host-based software sensors.
Corvil Security Analytics is priced on a perpetual-license basis, with customers choosing the appropriate appliance type based on network traffic rates. Hardware appliances support up to 80 Gbps line rate capture and up to 300TB of storage. The use of the Corvil virtual sensor is free. Corvil appliances can decrypt SSL and TLS traffic, and they support JA3 fingerprinting of SSL sessions. The product’s core market is the large enterprise.

Darktrace

Based in Cambridge, U.K., and San Francisco, California, Darktrace’s Enterprise Immune System is built on unsupervised machine learning technology. The company states that it relies on more than 50 unsupervised learning approaches. Darktrace can be deployed to secure physical (IT and OT), virtualized, infrastructure as a service (IaaS) and SaaS environments. Deployment options include Darktrace appliances, software sensors and connectors that are installed passively in the customer’s network or cloud. A master appliance correlates behavior across the organization’s infrastructure. Darktrace Antigena, an optional product that provides autonomous response capabilities, uses multiple techniques (e.g., TCP Reset, applying Active Lists via firewall integrations) to automatically mitigate threats to the customer’s environment.
The pricing model for Darktrace software is a subscription service based on the size of the company and the distribution of the deployment. A popular service option is the Threat Intelligence Reports, which analyze the most significant threats detected by Darktrace’s technology. Pricing for Antigena Network is 50% of the license value for the Enterprise Immune System.

ExtraHop

Based in Seattle, Washington, ExtraHop started as an IT-operations-focused NPMD vendor. The company has expanded its focus to security buyers, by adapting its packet analysis technology for the NTA market. The product, Reveal(x), performs real-time stream processing of raw network packets and applies its unsupervised machine learning algorithms to detect behavioral anomalies. The metadata extracted from the packets is tracked, allowing Reveal(x) to identify behavior indicative of an attack by comparing against a number of proprietary unsupervised models. Reveal(x) is sold as a hardware appliance or a virtual appliance.
Licensing for Reveal(x) is on a subscription basis, priced by the number of critical assets that are being monitored. The physical appliances are sold as a separate one-time cost, while virtual and cloud appliances are free. Hardware appliances support up to 100 Gbps line rate capture and up to 2PB of storage. Reveal(x) can ingest third-party threat intelligence feeds, based on the standard Structured Threat Information eXpression (STIX) format. The solution supports SSL/TLS and perfect forward secrecy (PFS) traffic decryption at line rate.

Fidelis Cybersecurity

Based in Washington, D.C., Fidelis offers a security platform (Fidelis Elevate) that combines IDS, NTA, network sandboxing, web and email data loss prevention (DLP), endpoint detection and response (EDR), asset classification, and deception. The Fidelis Elevate platform collects Layer 7 metadata for many protocols. Fidelis primarily uses supervised learning for north/south network traffic analysis. It leverages unsupervised machine learning to build a risk score (Alert Threat Score) for each alert, helping with event triage. The solution includes a threat intelligence feed to catch identified attacks and supports open-source and third-party threat intelligence sources. Fidelis supports event-triggered, full PCAP and can store up to one year of metadata for retrospective analysis.
Metadata can be aggregated from multiple sensors in an appliance (Fidelis Collector) and stored for one year or longer. The solution can send TCP resets, or block if deployed in-line, and can integrate with Fidelis’ endpoint and response solution for additional response capabilities. The vendor offers multiple physical and virtual sensors, including a generic one for all protocols, and specialized versions for mail, web, cloud and data center traffic. Fidelis does not decrypt SSL/TLS traffic.
Fidelis Cybersecurity uses a traditional, perpetual-sale model for its physical appliances, with an annual support fee. The solution can be complemented with managed detection and response (MDR) and threat-hunting services. The vendor offers its cloud management solution as a subscription.

FireEye

Based in Milpitas, California, FireEye’s SmartVision solution can be implemented as part of FireEye Network Security, as well as non-FireEye environments. SmartVision uses a combination of signatures, machine learning and heuristics, as well as its MVX engine (primarily sandboxing technology) to detonate suspicious objects moving over Server Message Block (SMB) protocols. SmartVision includes FireEye’s IPS engine. FireEye leverages an indicator correlation engine, along with a custom signature database with rules generated from cyberattacks. SmartVision also relies on machine learning capabilities. Customers can deploy SmartVision on FireEye NX appliances or on virtual appliances. SmartVision does not decrypt SSL/TLS traffic.
When enabled on an NX appliance, SmartVision is capable of monitoring network traffic in north/south and east/west directions, and all detections occur on the NX sensor directly. The pricing model for the SmartVision Edition is a subscription based on aggregate throughput. As many as 20 virtual sensors are provided for free. Service and support are included in the price of the subscription.

GREYCORTEX

Based in the Czech Republic, GREYCORTEX’s MENDEL solution uses behavioral techniques (supervised and unsupervised machine learning) and signature-based detection. A detection rule set that it licenses, the Emerging Threats ETPro, is one aspect of its signature-based capability. Sensors (physical and virtual) are deployed in the customer’s network, and they forward flow records, application metadata and signature-based events to collectors that analyze the information. Sensors and collectors can be combined in a single appliance. MENDEL is capable of decrypting SSL/TLS traffic.
GREYCORTEX has also developed a solution for monitoring OT networks. It provides visibility into several protocols that are common in SCADA environments, and it also uses machine learning and signature-based detection mechanisms. GREYCORTEX mainly targets Europe, the Middle East and the Asia/Pacific (APAC) region. Two pricing models are available. Customers can purchase the sensors and collector appliances and purchase a perpetual software license. Alternatively, they can purchase a subscription, which includes monthly fees for the appliances and service and support.

Hillstone Networks

Based in Beijing, China, Hillstone Networks is a network security vendor, with a regional headquarters in Santa Clara, CA. The vendor introduced its NTA product, named Server Breach Detection System (sBDS), with two appliances in 2017. Hillstone’s NTA product extracts Layer 7 metadata and applies clustering, an unsupervised learning algorithm, to identify deviation from normal activity. sBDS also includes an IPS and an antivirus engine. It also implements some limited deception features (for example, emulating the answer of a web server). Each appliance embeds a management and monitoring interface, and centralized cloud monitoring is also available (Hillstone CloudView). sBDS integrates with Hillstone firewall to add blocking capabilities. Hillstone sBDS does not decrypt SSL/TLS traffic.
Hillstone NTA primarily targets the data center, with many dashboards focused on this use case. The vendor prices its NTA solution using the traditional appliance model, with upfront cost for the hardware, and subscription and support as yearly fees. It also offers NTA as a service, where the cost of the devices is included in the yearly subscription.

HPE-Aruba

Based in Santa Clara, California, HPE-Aruba has acquired Niara, which had been targeting UEBA opportunities in 2017. Since 2018, HPE/Aruba has been repositioning the Niara technology, now known as IntroSpect, to compete in the NTA market. The solution is available in two packages: IntroSpect Standard (the NTA product) and IntroSpect Advanced (adds UEBA and log source features). IntroSpect collects and analyzes packet level information, as well as logs, and it provides user attribution and investigative support. The product is integrated with Aruba’s ClearPass NAC offering to provide automated response; however, HPE-Aruba also sells it as a stand-alone solution. Detection relies heavily on behavioral techniques (supervised and unsupervised machine learning, heuristics, and statistical analysis), and it includes a rule engine that can be programmed to look for specific conditions. IntroSpect does not decrypt SSL/TLS traffic.
Key components of IntroSpect’s NTA solution include Real Time Packet Processing (RTPP) and a centralized Analyzer. The RTPPs can be physical or virtual appliances. Customers purchase RTPP (virtual appliances are free) and the Analyzer appliance, along with a software license subscription for the Analyzer (based on the number of users, systems and devices in the customer’s network).

IronNet Cybersecurity

Based in Fulton, Maryland, IronNet’s solution uses sensors that are implemented in the customer’s network and an analytical back end that can be hosted on-premises, in the IronNet cloud or in AWS. Historically, the sensors have been physical appliances, although IronNet plans a virtual sensor for 2019. The solution supports full PCAP and stores approximately three days of PCAPs and approximately 90 days of session metadata. IronNet’s detection capabilities are based on signatures, machine learning and other analytical techniques. The solution has an add-on capability that enables enterprises to share behavioral intelligence with peer enterprises and, optionally, with government to enhance the detection of industry-sector-wide campaigns. IronNet’s sensors do not decrypt SSL/TLS traffic. However, they can analyze the SSL/TLS traffic and identify malicious activity during a session.
IronNet targets large enterprises that are concerned about attacks from nation states. Customers must purchase the hardware sensors and the associated software. They pay a flat monthly fee for the analytical back-end component.

Lastline

Based in Redwood City, California, Lastline’s Lastline Defender solution uses a combination of techniques, including supervised and unsupervised machine learning, deep learning, deep packet inspection, NetFlow record analysis, and other analytics to detect malicious network behaviors and suspicious traffic. Lastline’s sandbox technology is embedded in its Defender solution to analyze files and determine whether they contain malware. The sandbox analysis is also used to feed training data to Defender’s detection capabilities. The solution has a flexible deployment model. Customers can install Lastline sensors on their networks and use the Lastline cloud to support the detection capabilities. Alternatively, customers can install all Lastline components on-premises, and they can protect workloads in public clouds. Lastline can inspect SSL/TLS traffic when deployed in-line as an explicit proxy.
Lastline can automatically respond to (for example, block) incidents that it detects. It also has several technology partnerships that enable customers to automatically respond to incidents detected by Defender. The solution has integrations with endpoint vendors, including Carbon Black and Tanium; network vendors (Check Point, Palo Alto Networks and Fortinet); SIEMs; security orchestration, automation and response (SOAR) solutions; and email and web gateways. The pricing model is a per-user/per-year subscription. Software sensors are provided free of charge. These sensors include the Suricata IDS and are enhanced with Lastline’s custom protocol analysis, as well as components that perform email inspection and static file analysis. Lastline sensors can be deployed in-line for blocking malicious traffic or deployed as a span/tap on the network, and deployed as mail transfer agents (MTAs).

Plixer

Headquartered in Kennebunk, Maine, Plixer offers the Scrutinizer product for NTA. Scrutinizer is deployed on-premises with hardware or virtual appliances, but can also be deployed in a private cloud, a hybrid cloud and as SaaS. The solution’s primary data source for analytics is flow data, in addition to collecting data from VMware ESXi, Cisco ACI and AWS flow logs. Plixer does not natively support full or on-demand PCAP, nor the decryption of packets. Scrutinizer leverages signature-based detection, heuristic detection and statistics analytics, but does not support supervised or unsupervised machine learning. Heuristic detection involves analyzing traffic behavior, with persistent flow risks assessments as an example. Scrutinizer supports threat intelligence feeds for host and domain reputation, as well as offering historical forensics for incident responses.
For on-premises virtual and hardware deployments, the product is sold as either a three- or five-year subscription and is based on the number of devices exporting flows and metadata. For SaaS deployments, a three- or five-year subscription plan is also available and is based on the volume of collected data. Scrutinizer’s flow support has been extended with vendor-specific templates for a number of hardware vendors, including Cisco, Juniper and Palo Alto Networks, giving them access to a broad set of metadata. Plixer Scrutinizer is also sold to IT operations for performance monitoring and is a fit for midsize and large enterprises.

HighBar SS8

Based in Milpitas, California, SS8 is a security company that was recently acquired by private equity firm HighBar. SS8’s NTA solution is available in the form of virtual appliances, both for the sensors and for its centralized management and monitoring platform (Security Analytics Platform). SS8 sensors sit out of band, and extract Layer 7 metadata from raw network packets. The technology uses unsupervised machine learning to highlight outlier devices on the network. It also leverages more-traditional signatures to detect known attacks. SS8 does not decrypt SSL/TLS traffic.
SS8 licenses its solution in the form of a subscription, based on the total average traffic throughput and the duration of data retention. Its largest target markets include industrial, financial and governmental agencies in North America.

Vectra

Headquartered in San Jose, California, Vectra’s NTA product (Cognito Detect), uses hardware and virtual sensors to forward and store a proprietary set of traffic metadata to the analytic engine (Cognito Brain). The vendor’s detection engine combines supervised and unsupervised machine learning algorithms to detect attacker behaviors. It uses several deep-learning models (e.g., recurrent neural networks and long short-term memory) when necessary. The vendor also implements heuristics for known bad behaviors (such as port scan detection) and enables customers to import specific indicators of compromise (IOCs) to quickly identify a recent prominent attack. Vectra aggregates individual alerts into security incidents for an individual host, with on-demand, full PCAP for forensics investigation. The vendor also offers a dedicated view called Attack Campaigns to track attacks across the enterprise network. Vectra partners with other security vendors, endpoint protection, firewalls, SIEM and SOAR to provide response capabilities. Vectra does not decrypt SSL/TLS traffic.
Vectra offers specialized detection for data center and cloud use cases. It sells sensor hardware (virtual sensors are provided free of charge), then licenses its technology per concurrent active device, with different prices for clients and servers. Support is included in the per-device subscription. The vendor also offers additional subscriptions, such as regular reviews performed by vendor’s security analysts, or a recently launched, cloud-based metadata search engine, Cognito Recall.

Solutions in Adjacent Markets

Below is a list of vendors we are tracking that did not qualify for inclusion in this Market Guide.

IoT and OT Specialization

  • Armis
  • Cyberbit

NTA as a Feature

  • IBM QRadar (Network Insights)
  • LogRhythm (NetMon)
  • Palo Alto Networks (Cortex XDR)

Others

  • AizoOn
  • Gigamon (ICEBRG acquisition)
  • ProtectWise
  • SecBI
  • Vehere

Market Recommendations

Enterprises should strongly consider NTA to complement signature-based and sandboxing detection methods. Many Gartner clients have reported that NTA tools have detected suspicious network traffic that other perimeter security tools had missed.
When evaluating vendors (see Note 2), assess the following factors:
  • Scalability — Does the solution have the capacity to analyze the amount of traffic in your environment?
  • Workflow — Does the vendor provide tools natively and workflow guidance to assist in responding to its alerts? Does the vendor integrate with SOAR tools?
  • Pure-Play Versus NTA as a Feature — Is it more sensible to implement NTA as a feature from another technology vendor (for example, SIEM), or do you require a more full-featured, pure-play NTA solution from one of the vendors analyzed in this Market Guide?

Note 1: Representative Vendor Selection

These 17 vendors were selected because they met Gartner’s inclusion criteria, and were not eliminated by our exclusion criteria noted above.

Note 2: Gartner’s Initial Market Coverage

This Market Guide provides Gartner’s initial coverage of the market, and focuses on the market definition, rationale for the market and market dynamics.

Vectra vs. Darktrace, ExtraHop, Cisco Stealthwatch and Corelight

The right data source is critical to expose attacks fast

Network metadata
Network metadata contains vital descriptors of the data itself to create a searchable index in real time and at a fraction of the size of full packet captures. Metadata as a source is the right data type, but used alone it lacks indicators of compromise that show analysts where to hunt.

Security-enriched network metadata
Enrichment techniques, used to identify data such as host ID and beaconing, are employed to augment network metadata. This data cocktail is essential to quickly identify threat activity in security event messages and conduct more conclusive incident investigations.

NetFlow
NetFlow is network performance monitoring data remarketed for security. It shows connections that were made but does not show what these connections were used for. Network detection requires details, such as whether an SMB connection was used to authenticate a user, mount a share or execute code. NetFlow does not provide these details, leaving it without the visibility needed to detect threats.

Full packet captures
Network packets provide deep network visibility but are difficult and expensive to scale. The sheer amount of packets causes slow search performance that makes incident investigations frustratingly painful.
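To make the NetFlow-versus-metadata point concrete, the added Python below (not Vectra's or any other vendor's code) parses constructed Zeek-style smb_mapping records, reduces them to the connection tuples a flow exporter would keep, and runs a fan-out rule over both views: the flow view can only say that a host reached several servers on 445, while the share names in the metadata separate administrative-share mapping from ordinary file access. Field names follow Zeek's smb_mapping log; all values are invented.

```python
import json
from collections import defaultdict

# Constructed Zeek-style smb_mapping records (JSON lines), one per share mapped over an
# SMB session. Field names follow Zeek's smb_mapping log; hosts, uids and paths are invented.
SMB_MAPPING_LOG = r"""
{"ts": 1.0, "uid": "C1a", "id.orig_h": "10.0.0.5", "id.orig_p": 50001, "id.resp_h": "10.0.0.20", "id.resp_p": 445, "path": "\\\\10.0.0.20\\ADMIN$", "share_type": "DISK"}
{"ts": 2.0, "uid": "C1b", "id.orig_h": "10.0.0.5", "id.orig_p": 50002, "id.resp_h": "10.0.0.21", "id.resp_p": 445, "path": "\\\\10.0.0.21\\ADMIN$", "share_type": "DISK"}
{"ts": 3.0, "uid": "C1c", "id.orig_h": "10.0.0.5", "id.orig_p": 50003, "id.resp_h": "10.0.0.22", "id.resp_p": 445, "path": "\\\\10.0.0.22\\ADMIN$", "share_type": "DISK"}
{"ts": 4.0, "uid": "C1d", "id.orig_h": "10.0.0.5", "id.orig_p": 50004, "id.resp_h": "10.0.0.23", "id.resp_p": 445, "path": "\\\\10.0.0.23\\C$", "share_type": "DISK"}
{"ts": 5.0, "uid": "C2a", "id.orig_h": "10.0.0.6", "id.orig_p": 50005, "id.resp_h": "10.0.0.30", "id.resp_p": 445, "path": "\\\\fs01\\Finance", "share_type": "DISK"}
{"ts": 6.0, "uid": "C2a", "id.orig_h": "10.0.0.6", "id.orig_p": 50005, "id.resp_h": "10.0.0.30", "id.resp_p": 445, "path": "\\\\fs01\\IPC$", "share_type": "PIPE"}
{"ts": 7.0, "uid": "C3a", "id.orig_h": "10.0.0.7", "id.orig_p": 50006, "id.resp_h": "10.0.0.31", "id.resp_p": 445, "path": "\\\\10.0.0.31\\Public", "share_type": "DISK"}
{"ts": 8.0, "uid": "C3b", "id.orig_h": "10.0.0.7", "id.orig_p": 50007, "id.resp_h": "10.0.0.32", "id.resp_p": 445, "path": "\\\\10.0.0.32\\Public", "share_type": "DISK"}
{"ts": 9.0, "uid": "C3c", "id.orig_h": "10.0.0.7", "id.orig_p": 50008, "id.resp_h": "10.0.0.33", "id.resp_p": 445, "path": "\\\\10.0.0.33\\Public", "share_type": "DISK"}
"""

# Windows administrative shares. IPC$ is deliberately excluded: almost every SMB client
# maps it, so counting it would only add noise.
ADMIN_SHARES = {"ADMIN$", "C$"}


def parse_smb_mapping(text):
    """One dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def share_name(path):
    """Last component of a UNC path, e.g. \\\\10.0.0.20\\ADMIN$ -> 'ADMIN$'."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].upper()


def as_netflow(events):
    """The view a flow exporter retains: who talked to whom on which port, nothing more."""
    return sorted({(e["id.orig_h"], e["id.resp_h"], e["id.resp_p"]) for e in events})


def smb_fanout_from_flows(flows, min_hosts=3):
    """Flow-only rule: sources that reached at least min_hosts distinct servers on 445.
    It cannot tell an admin-share mount from a user browsing Public shares, so both fire."""
    per_src = defaultdict(set)
    for src, dst, dport in flows:
        if dport == 445:
            per_src[src].add(dst)
    return {src: sorted(h) for src, h in per_src.items() if len(h) >= min_hosts}


def admin_share_fanout(events, min_hosts=3):
    """Metadata rule: sources that mapped an administrative share on at least min_hosts
    distinct servers. Needs the share name, which only the enriched metadata carries."""
    per_src = defaultdict(set)
    for e in events:
        if e["id.resp_p"] == 445 and share_name(e["path"]) in ADMIN_SHARES:
            per_src[e["id.orig_h"]].add(e["id.resp_h"])
    return {src: sorted(h) for src, h in per_src.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    events = parse_smb_mapping(SMB_MAPPING_LOG)
    print("flow-only rule:    ", smb_fanout_from_flows(as_netflow(events)))
    print("metadata rule:     ", admin_share_fanout(events))
```

With the same nine sessions, the flow-only rule flags both 10.0.0.5 and the Public-share browser 10.0.0.7, while the metadata rule flags only 10.0.0.5, because it can see which shares were mapped.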

[Figure: SIEM, NetFlow, IDS, PCAP and security-enriched metadata plotted on axes of relevance and visibility; security-enriched metadata ranks highest on both.]

How to avoid ANU style data breach

  • Endpoint
    • SEG
    • SWG
    • NGAV
    • Firewall
    • EDR
    • MAC
  • IPS/IDS
  • DBSS
  • SIEM