"Application visibility has always been a distinguishing feature for our product, QRadar," says Tom Turner, vice president of marketing at Q1 Labs. "QRadar began its life as a pure-play NBA product using flows to provide visibility to network and security operations staffs. Over time, we realized that our architecture for collecting, storing, processing and analyzing flow data, also notably contributed to the same disciplines we applied to log and event data."

Q1 Labs has released v.5 of QRadar, which essentially merges the worlds of security information management (SIM) and NBA. The product applies the contextual information from network flows to the event streams that come from security devices. The end product produces finely prioritized and accurate data that is useful to both security and network operations personnel.

Similarly, NitroSecurity's NitroView is "specifically targeted at improving visibility into all areas of information security," says Eric Knapp, senior product marketing manager. "Network behavior is an important thing to visualize because networks are often thought of in terms of topologies, but all other relevant data needs to be visualized as well."

NitroView collects data from multiple sources and normalizes it, so it can be "visualized together". All of this data can be viewed in graphs, pie charts, distribution graphs and/or topology graphs.

False sense of security

According to Proctor, NBA systems can suffer from high false-positive rates unless good behavior can be effectively modeled. Factors that can affect network behavior modeling include the number of possible behaviors, number of event types, strength and consistency of the environment and of the network activity, reliability of the bad behaviors, and user skills and experience.

"As with all solutions of this type, there are false positives," says Sourcefire customer Jason L. Stradley, director of security architecture at TransUnion in Chicago. "Dealing with false positives successfully is based on several components. First is to have a platform that can learn certain things on its own and combine that with a capability of being taught other things by an operator. The other components are not technological, but procedural."

In order to get the most out of any security monitoring solution, adds Stradley, organizations must have a process to analyze all events, including false positives. Then, they must have the discipline to work with the system to tune it. When an event causes an alert to be generated by the system, it's very likely that event will be something outside of the norm and it should be investigated as soon as possible. Without this organizational discipline, implementation of any product will fail.

Yankee Group Analyst Phil Hochmuth says the key to NBA products is that they don't address threats, per se; they address anomalies in network traffic that deviate from standard behavior patterns.

"An obvious example: if a PC is infected by a worm, and a flood of port-scanning traffic suddenly comes from that machine, NBA can identify and alert IT staff, regardless of the specific worm on that PC. A more subtle example: if a server's IP address makes contact with an unknown IP address outside the enterprise, NBA can detect this too, because it's already built a baseline of normal network behavior for that server."

Proctor adds, "Network behavior analysis fills the gaps left by policy- and signature-based point solutions such as firewalls, intrusion-detection systems, intrusion-prevention systems, and security information and event management that miss threats for which they are not specifically configured to detect. NBA technologies are decision-support systems that provide visibility to a knowledgeable operator who can interpret, investigate and appropriately respond to a variety of suspicious activities on the network."

Current NBA vendors include Arbor Networks, Cisco, GraniteEdge Networks, Lancope, Mazu Networks, NitroSecurity, Q1 Labs, Foundry Networks and Sourcefire.

Sartain is a freelance writer in Utah. She can be reached at julesds@comcast.net.