Top 8 Network Traffic Analysis (NTA) Tools
DarktraceVectra AIAuvikPlixer ScrutinizerCisco StealthwatchSolarWinds NetFlow Traffic AnalyzerAwake Security PlatformExtraHop Reveal(x)
The Antigena feature is most valuable. Once it learns your environment, Antigena can step in and block a denial of service attack, a ransomware attack, or just about anything that doesn't belong in the environment. It can detect any type of attack that hits the environment because it understands what normal looks like for the network. It is very useful for an autonomous response.
Cognito Streams gives you a super detailed view of what happens in the network. It is just a super easy way to capture network traffic for important protocols, giving you an advantage. This is very helpful.
The TrafficInsights feature not only shows me network bandwidth usage without the need for expensive, in-line traffic decryption, but it gives me which device is using the most traffic. It ranks devices by which are using the most CPU, memory, storage, and it keeps those up to date, non-stop.
We didn't experience any bugs.
It helps us determine what is going on with our Internet and who is hogging it all up. If we get a real high throughput or a throughput that's going over and getting dropped fairly quickly, we can tell who (or what device) is consuming that traffic.
From what I understand, you can encrypt and unencrypt traffic moving in transit. This is one of the features that we liked about it.
Great network monitoring, looking at anomaly detection and evaluation.
The software management tools are very useful for our customers.
For managing the traffic, it provides you a response about whether the traffic is down, up, or heavy, which is a very powerful feature. It has a good response time. We have been using this solution for many years, and we don't have any problem with this solution.
The interface itself is clean and easy to use, yet customizable. I like that I can create my own dashboards fairly easily so that I can see what is important to me. Also, the query language is pretty easy to use. I haven't needed to use it a ton, but as I need to go in and do different queries based on their requests, it has been fairly simple to use.
We had useful information within the hour of deployment. The ability to trace back for historical analysis, as well as the behavioral analysis done with the security information, puts the user in a position to make an informed decision to mitigate the performance or security incidents. Regarding the security incidents, Reveal (x) is able to create incident cards that guide your teams through the incidents and gives you the option to delve into the transaction detail to potentially view payloads as well.
NTA vs. NDR
Noticeably absent from the term “Network Traffic Analysis” is the word “response.” Network-based solutions should be able to not only investigate and detect threats, but also respond rapidly and effectively. There has been a recent shift in terminology to refer to NDR, or “network detection & response,” which uses NTA but then goes one step beyond, with automated threat response and threat-hunting, using intelligent integration with firewalls, NAC, SOAR, or EDR platforms.
Benefits of Network Traffic Analysis
Benefits of NTA include:
Broad Visibility: NTA tools can monitor and analyze a broad range of communication types, including traditional TCP/IP-style packets, traffic from (or within) cloud workloads, serverless computing instances, and API calls to SaaS apps.
Encrypted Traffic Analysis: Most (more than 70% of) web traffic is encrypted. NTA products offer an accessible method for decrypting network traffic that won’t disrupt data privacy implications. They are able to do this by analyzing the data without actually looking at it.
Comprehensive Baseline: Modern IT environments are constantly changing. NTA tools track behaviors that are unique to a particular entity or to a small number of entities in comparison to the rest of the entities in the environment. As behaviors change, their machine learning baselines are able to evolve in real time. Baselines are even more comprehensive now, due to entity-tracking capabilities, which allow them to understand not only traffic patterns but source and destination entities as well. (For example, normal workstation activity would not be normal activity for a camera.)
Entity Tracking: NTA solutions allow you to track and profile every entity on a network - from devices to users to applications and destinations. Behaviors and relationships are then attributed to each of these entities, which is much more valuable than just a list of IP addresses.
- Detection and Response: Because behaviors are attributed to specific entities, there is plenty of context for detection and response workflows. This means security professionals no longer need Instead of having to sift through multiple data sources, security professionals can quickly detect anomalies, track them down, and react accordingly.
What to Look for in an NTA Solution
There are two basic kinds of NTA tools: flow-based tools and DPI (deep packet inspection) tools. Within these, there will be options for historical data storage, software agents, and intrusion detection systems.
Consider the following things when deciding what NTA solution is right for you:
1. Availability of flow-enabled devices. Not all devices are capable of generating the kind of flows required by NTA tools. In contrast, DPI tools accept raw traffic that is vendor independent and found on every network through any managed switch. Network routers and switches don’t require any kinds of special modules or support.
2. The data source: Packet data and flow data come from different sources. Not all NTA tools can collect both. So decide on your priorities before deciding. And then be strategic in choosing what to monitor. Don’t take on too many sources too quickly.
3. Historical data vs. real-time. While historical data can be critical to analyzing past events, not all NTA tools retain this data over time. Have a clear idea of which kind of data is most important to you.
4. Is the software agent-based or agent-free?
5. Full packet capture, complexity, and cost. When looking at DPI tools, consider the cost and expertise required for those that capture and retain all packets versus one that extracts only the critical details and metadata.