There's a new weapon in the security arsenal that monitors network traffic and issues real-time alerts when it spots unusual or suspicious behavior on the network.

Network Behavior Analysis (NBA) tools fill the void left by static security products such as firewalls, which simply enforce pre-existing policies, and intrusion-detection/prevention systems (IDS/IPS), which detect and block attacks based on known signatures.

NBA tools are constantly monitoring and analyzing network traffic, looking for that zero-day attack, for that client machine that's been turned into a spambot, for that server containing sensitive information that's trying to connect to the Internet at 3 a.m.

"NBAs focus on abnormal behaviors without necessarily designating them good or bad. In this way, NBAs can be considered the last line of defense to client networks. We foresee the demand for NBA functionality will grow through 2010, as organizations look for technology to fill the gaps in their comprehensive enterprise monitoring," says Paul Proctor, research vice president at Gartner.

"It's another layer in the security model," says Brandon Greenwood, network operations and security manager at Xango, a company that makes a nutritional supplement in Lehi, Utah. "For us the problem was not only a compliance initiative, but also a best practice that needed to be addressed as part of a defense-in-depth architecture."

Xango selected an NBA from Sourcefire to help secure 750 users located at multiple sites throughout the world. Greenwood says the Sourcefire products were easy to install and pricing was reasonable: starting at US$30 per host, before a volume discount.

Greenwood says the NBA tool has picked up security vulnerabilities that an IDS/IPS would not see. For example, a user installs an FTP service on a server that is not sanctioned for FTP services. The NBA device sees the control traffic and fires off an alert. "Before the user can even transfer data, I have been on the phone with them making sure that the service is really needed there and, if so, that the proper change management steps are taken to get the service up," Greenwood says.

I can see for miles

AirTran Airways deployed Lancope's StealthWatch in April, says Michelle Stewart, manager of data security for the Orlando airline. "It has given us complete visibility into what people are doing on the network and provided us accountability of their actions. It also shows how WAN traffic is shared among http, filesharing, and applications. This visibility makes it a lot easier for non-network engineers to see traffic to and from credit card kiosks and reservations centers."

According to Stewart, AirTran has a distributed network that supports operations in 55 airports and a handful of campuses. The initial reason for pursuing NBA was compliance with PCI Data Security Standards, but the tool has proven to be an effective addition to the company's security defenses.

In one specific instance, Stewart adds, AirTran detected "attempted" remote access activity, by whom and on which computer; something AirTran could not previously track.

"Complete visibility allows customers to get ahead of the problems before they become a serious issue," says Paul Stamp, principal analyst at Forrester Research. "Difficult behaviors to detect, such as walk-in worms, configuration failures, and spiteful insider attacks are prime examples of an NBA's efficiency."

He adds, "After firewalls and appropriate processes for tuning, analysis and remediation are deployed; it's left to the NBA tools to identify these threats. With NBA technology, a clearer visibility into 'normal' is automatically computed and available, but it also alerts users when the 'abnormal' occurs."

While NBA tools are typically first deployed for security or compliance reasons, customers are also finding that these products allow IT to get a better handle on things like application performance. In some sense, NBA products are beginning to morph into sophisticated network management tools.