Network behavioural analysis project deployment

Deploying a successful network behavioural analysis project begins with cooperation and involvement from many teams within your organization.

The foundation of any project is the quality of its team. As a project management professional (PMP), I have seen the truth of this statement over the years. For a technical project, some of the team members are obvious (e.g., IT operations), others are not (e.g., compliance). In network behavioural analysis projects, we are talking about user behaviour, and this opens the door to many teams across the enterprise that may need exposure to the project. Our current webcast offers more detail on some of these players, but as a minimum, I suggest that you invite members from the following areas of the enterprise:

  • Business process management
  • IT network operations management
  • Senior security management
  • Security teams such as:
    • Incident response
    • Firewall team
    • Anti-virus team
  • Compliance, audit and related teams

As noted in this list, we can optimise network traffic, react to security events, and improve business processes using a behavioural analysis tool on the network.

Potential technical decision points

With any project, there are a myriad of decisions to make. Most of these questions are answered before vendor evaluation and selection. Several are adapted and improved after vendor selection is made and solution capabilities known. For example:

  • Where will your network sensors be placed, and what added packet feeds will be used in your deployment?

  • How will you coordinate times between devices (endpoints, servers, routers, switches)? It does no good to correlate data (packets) if the time stamps are inconsistent.

  • How will you integrate with related solutions (IAM, NAC, change and patch management, etc.)? What new business processes may be needed to support this integration? Will you need professional services from the vendor or outside consultants?

  • What are your anomaly policy requirements? How will you define "normal" versus "anomalous" network behaviour?

  • Will you provide security/business policy enforcement with your NBA deployment? If so, what are your enforcement mechanisms?

  • What are your data-retention needs for the NBA system? (This has eDiscovery and compliance implications.)

  • Which canned reports can you use as is, and what customised reports will you require? Will you need professional services in creating these reports?

Big-picture project plan

By now you are asking, "How big is this project? I'm just a network engineer, and you're telling me to invite senior security management and the business unit to the project team."

Never fear -- it's not all that bad. The depth of what a network behavioural product offers helps you find the money for its placement. Instead of simply booking this against your IT operations budget, you can ask the security folks and the business unit for money as well. And it really is helpful.

A typical project plan outline should look something like:

  • Selection and deployment of the NBA solution
  • Integration of existing data streams with the new NBA network monitor streams
  • Creation of NBA solution policies (start with vendor-supplied templates and adapt them, based on your security and business policies)
  • Tuning of solution to remove false positives
  • Creation of NBA baseline (may take seven days or three months, depending on the size and diversity of your enterprise network load)
  • Adjustment of the reporting console for efficient NBA analysis and incident response
  • Creation of incident reports and response mechanisms
  • Initiation of network performance and business process improvements

Note that the real payoff comes near the end, when you engage the security, network operations and business teams. Up to this point, it is a fairly standard technical project.


It is critical in any project to start with the right team. In this one, we have to look beyond the IT folks to our security and business units to pull the most value from the project. Also, the decisions made by the project team will define both the integration of the NBA solution with existing architecture and the value seen from it by the business side of the house. Lastly, we've seen that in many respects this looks like a standard networking project -- until the baseline is derived. It is at this point that we begin to see our greatest value. From network performance improvements to optimising business processes, the opportunities abound. The most amazing part of this project is that this is only a first- or second-generation tool. Academic research and vendor strategies show that improvements are on the way. I, for one, am excited about the future of this space.

About the author: Tom Bowers, managing director of security think tank and industry analyst firm Security Constructs, holds the CISSP, PMP and Certified Ethical Hacker certifications, and is a well-known expert on the topics of data leakage prevention, global enterprise information security architecture and ethical hacking. His areas of expertise include aligning business needs with security architecture, risk assessment and project management on a global scale. Bowers serves as the president of the 600-member Philadelphia chapter of Infragard, is a technical editor of Information Security magazine, and speaks regularly at events like Information Security Decisions.

Read more on Data centre networking