Network traffic analysis best practices: Assess and repeat
Network traffic analysis best practices require network teams to work closely with security teams and constantly assess their tool sets, analysis processes and traffic patterns.
Network traffic analysis is an important extension of network traffic monitoring, but organizations sometimes neglect the process because of other business or network priorities.
Network traffic analysis is the process of assessing captured traffic information, but it involves more than a simple assessment. Organizations that hope to examine performance accurately, make proper network adjustments and maintain a secure network should adhere to network traffic analysis best practices more consistently, according to Amy Larsen DeCarlo, principal analyst at GlobalData. This network management process means a continuous evaluation of network traffic, assets, analysis methods and tool sets.
Further, as networks, applications, tools and attacks grow more sophisticated, network teams and security teams must establish baselines for network traffic and work together to ensure their purposes are closely aligned.
Editor's note: The following interview was edited for length and clarity.
What is the purpose of network traffic analysis?
Amy Larsen DeCarlo: A big piece of network traffic analysis is protecting the network and ensuring you have optimal uptime and minimal disruption. It's great if the network is up, but it's not so great if it's slow. It's not just maintaining uptime, but making sure performance is optimal. Security is also a factor because a breach can result in material loss to a company, bring down resources and interfere with communications, which then interferes with productivity.
Who performs network traffic analysis: network teams or security teams?
DeCarlo: It depends on the organization. Network traffic analysis is a good way to discover if there's a security issue, but it generally still falls under the purview of the network administration team. But, as networks and applications became more sophisticated, monitoring and management tools became more sophisticated as well. There's a whole other layer to this in terms of being able to accurately identify what is malicious traffic versus what is just an unusual traffic pattern. Network administration teams are being tasked with more security-related things, and security teams need to understand all aspects of what's happening on the infrastructure and the applications running across it.
What are some network traffic analysis best practices?
DeCarlo: First, you have to know what your assets are. I know we're not talking about asset management, but that's a good indicator. Understand how your network is changing and what your resources are. Then, evaluate them on a continuous basis, and repeatedly look at what you have in your tool set that might need to change.
As part of monitoring, establish a baseline so you know what's normal. Study the traffic; record it over a period of time, noticing utilization and which devices are coming into play. If you suddenly see a flood of traffic overwhelming a server -- that isn't cyclical or seasonal traffic -- that might be indicative of an attack. Then, you can parse and dig into that traffic to see what it is.
Also, look at what your methodology is. How are you obtaining your information? How frequently are you reevaluating? How proactive are you when there's a new application or when you're making a major change to the network? If you're moving an application to the cloud, how are you monitoring that? A best practice is to continually reassess those tools.
Another thing is getting the security and application teams to work together, like DevSecOps. This is a dream because it really doesn't work this way. But it means getting everybody involved in development stages, planning, application engineering and network adjustments. It's looking at the data and analysis and continuing to cycle it back into the development side of things, while also looking at it from a security perspective.
It sounds great on paper, but it's really difficult to do in a production environment because everyone doesn't have the same priority all the time. The ultimate priority might be the same -- or it should be the same -- but the tasks they have oriented toward achieving them aren't always going to align perfectly.
What issues do teams run into when they're analyzing network traffic?
DeCarlo: Accuracy is one problem. It becomes a particularly thorny subject on the security side because, sometimes, what looks like a negative traffic pattern or something that might be harmful really isn't. That can lead to false alerts and administrators ignoring alerts because most of the alerts are probably harmless. So, they might miss an alert that was an early indicator of a problem.
Networks are changing a lot. They're much more virtual. Then, you introduce cloud, which raises even more complications with trying to track traffic in a multi-tenant third-party environment. Those are complicated environments, and not all tools are created equally.
Another problem related to that is, as networks become more complicated and as tools become more sophisticated, being able to maintain a level of training for networking administrators and security professionals gets more difficult.
Do certain enterprise verticals better understand how to analyze network traffic?
DeCarlo: Certain verticals are more leading edge in terms of technology deployments, like financial services. But high-tech companies you would expect to be way ahead of this -- like telecommunications -- aren't perfect. They still have issues, and their whole business is optimizing their network.
In general, the organizations that have always prioritized network performance and security are the ones that are going to do the best. Some of that is very much dictated by regulation, but even highly regulated industries, like healthcare, still have problems. It depends on the company, the culture and the resources.