When it comes to network security, what you don't know can definitely hurt you.

For Dan Lukas, lead security architect at Aurora Health Care, his fear of the unknown keeps him motivated to protecting the healthcare organization's resources, which supports about 30,000 users, 13 hospitals, 175 pharmacies and 125 clinics throughout the U.S. state of Wisconsin.

"People may think they know what's going on inside their network, but often they don't," Lukas says.

Recently, Lukas says his hub-and-spoke network fell victim to a spybot virus exploiting a Microsoft Server Service vulnerability, which "could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system," according to a Microsoft Security Bulletin. A mobile user connected his infected laptop to the network, which kicked off the virus. Yet Lukas says the damage was minimal, because he had technology in place to detect the traffic changes.

About a year ago, Lukas deployed StealthWatch appliances from network behavior-analysis vendor Lancope, to get a better read on traffic out to the edge of Aurora's distributed network in a way he felt an intrusion-prevention system could not. The technology helps him see in real time what is traversing his net and spot unknown traffic and new traffic patterns that could represent a threat.

"StealthWatch helps us see the state of the union, so to speak, right now -- and not just the bad stuff. It also works to set application baselines and performance analysis," Lukas says. "We have things that jump on our network that we don't always have all the information on in terms of how they work, so we needed a way to spot them without necessarily knowing about them in advance."

Another layer of security

Network behavior-analysis systems promise to add another layer of security to corporate networks by watching traffic for changes in typical actions. The systems typically perform a benchmark of traffic behavior and monitor for changes. Then if, for example, a relatively unused server begins to propagate many requests, the anomaly-detection system might suspect the host could be falling victim to a worm. Or if enterprise application traffic deemed content-sensitive starts to use Port 80 -- the port left open on firewalls for Internet traffic -- the products could send an alert about a possible breach of compliance policies.

Companies such as Arbor Networks, GraniteEdge Networks, Lancope, Mazu Networks and Q1 Labs offer products that perform this type of traffic-monitoring and behavior analysis of known and unknown threats. Cisco also offers this type of technology, though its MARS (Monitoring Analysis and Response System) performs network anomaly detection and can interpret signals and alerts from IPS gear and react by sending policies to routers and switches.

Tools for monitoring traffic for potential breaches are becoming a staple in most security managers' arsenal. According to Gartner, by the end of 2007, 25 percent of companies will employ such tools as part of their network security strategy.

"This technology provides a clearer window into potential security threats on a network," says Stephen Elliot, a senior analyst with IDC. "The vendors today layer on added intelligence about how to respond to the threats, who's affected, what's infected, and the technology provides more visibility into the state of network security.

In Lukas' case, Lancope packages its StealthWatch software on appliances that are distributed across a network, near a core switch or data-center router. The product does not sit in line of network traffic, but passively monitors conversations between hosts and clients. He chose the product because it can tap NetFlow data in Cisco routers and help him monitor traffic out to the edge -- without having to distribute appliances at each location. Netflow is Cisco's technology for storing traffic-flow histories on routers and switches. Pulling NetFlow data and analyzing the flows with tools from Cisco and third-party vendors can reveal network trends, such as bandwidth and protocol use as well as user traffic patterns.