The bane of all security teams is a false positive combined with little or no information to diagnose it. Even the simplest alert can require a time-consuming search through multiple systems, databases, logs, and reports just to get to the point where an analyst understands what has (or hasn't) happened and can then formulate a response. Practitioners call this "swivel chair investigation."
Gartner published the Market Guide for Network Traffic Analysis(1), and two of the criteria for inclusion are that a vendor "must analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real-time or near real-time," and "offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics, that detect network anomalies." Many vendors have found a way to check that box.
What might be missed in all the "AI-washing" affecting the security industry is investigation support. Unfortunately, when you read the fine print from NTA vendors, they are long on detection and short on follow-up. You may get an IP address and a set of packets to analyze in Wireshark, but that's about it.
IntroSpect NTA: Advanced Detection and Accelerated Investigations
HPE Aruba is included as a Representative Vendor for IntroSpect, its NTA product, which processes both packets and NetFlow. Customers have measured savings of up to 30 hours in incident investigation and response by using IntroSpect.
What sets us apart? We invest as much in investigation support as we do in attack detection. Because we built our own deep packet inspection engine, we not only feed rich packet metadata to the machine learning (ML) models, we can also reconstruct network conversations from that metadata without having to go back to the packets themselves. Imagine starting with an alert and, with one click, seeing all the relevant information across every type of traffic, including every request and response in an HTTP exchange, in order.
And, because IntroSpect is built on a user-centric platform, the analyst starts not with an IP address but with the user associated with the alert. Summarized traffic insights plus user attribution: time savings to the max.
Don’t Settle for an IDS on ML Steroids
Most NTA platforms look like a traditional IDS with ML pasted on top. Like most IDSs, they produce a large number of false positives mixed in with a few valuable alerts. IntroSpect NTA shines a light on the advanced attacks that get past IDS and other traditional defenses while automatically "connecting the dots" so the security team can understand what is happening and take action.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
About the Author
Larry Lunetta is vice president of security product marketing at Aruba, a Hewlett Packard Enterprise company. Larry is also a guest lecturer for entrepreneur studies at Arizona State University.