What is network traffic analytics and how does it enhance security?

IT managers have mined network traffic data for decades to improve bandwidth and enterprise performance. But, more recently, a new class of tools has emerged that aims to help enterprises tap network traffic analytics to better secure their networks by understanding network activity. These tools apply machine learning, heuristics and other techniques to evaluate collected packet data to try to identify malicious traffic that would normally go unnoticed.

Aggregated packet data collected from sensors can provide a clearer window into what's happening across the network in near real time. Network traffic analytics tools assess traffic and flow data, constructing a baseline of normal traffic patterns. These tools employ machine learning and advanced analytics to identify and alert IT of potentially harmful anomalies that stray from the norm.

Network traffic analytics tools yield intelligence that gives IT administrators considerable visibility into east-west network activity by parsing flow and traffic data culled from network sensors. These tools can also examine north-south traffic as it traverses the perimeter.

With significant advances in monitoring and analytics, network traffic analytics tools provide a complete perspective on activity from Layer 2 to 7 to reveal which devices are communicating with one another and the volume and content of their communications. Some of these tools can establish behavior patterns associated with encrypted traffic without having to actually decode that traffic.

The current focus of network traffic analytics technology is threat identification in real time, not forensic analysis.

The current focus of network traffic analytics technology is threat identification in real time, not forensic analysis. When used with complementary threat management services, such as endpoint security tools, network traffic analytics can provide an even richer perspective on activity and help expedite a response.

Network traffic analytics can also integrate with incident-response services to mitigate the threat when there's a high degree of confidence in the alert by isolating a compromised device from the network. While many organizations are reluctant to move toward an automated response capability once an alert is received, some are more willing to mechanize intermediate steps or enact security controls -- such as blocking certain domains -- that are potentially less disruptive than taking a system offline.