With consolidation now the norm in the over-invested network/security market sectors, vendors are scrambling to...
snatch up technologies that are extremely worthy but can't seem to get off the ground. Network behavior anomaly detection – which uses flow-based information collected from networking devices to detect strange behavior within the enterprise – is one such technology.
Network behavior detection has long been positioned against IDS/IPS, but it continues to struggle as a standalone technology. IPS providers are feeling pressure to advance their application infrastructure as the industry continues to consolidate and Internet threats grow in sophistication. (Leading vendors in this market include Arbor, Lancope, Mazu and Q1 Labs, although Q1 Labs has developed a compelling solution since adding SIM capabilities to its behavior detection.)
One of the more significant movements currently occurring in the threat protection space is among intrusion prevention system (IPS) providers and the way in which they are steering their technology from both application and product development perspectives. IPS technology, with its traffic blocking and remediation capabilities, is shaking out to be a foundational element of larger network frameworks and as the appropriate core for broader technological consolidation -- such as with behavior detection.
The IDS/IPS market has itself undergone rapid and profound transformation over the last several years as vendors scurried to brace for the fallout of the "IDS is Dead" prediction of a well-known analyst house. Ironically, that painful transition has opened up new doors for IPS products and breathed new life into the market.
At the same time, network anomaly detection providers have been struggling for years to gain recognition. The technology has not been able to capture the same kind of large capital budget status as other threat protection technologies and is seen by many as more appropriately a product feature, as opposed to a standalone product.
That's not to say it isn't an important technology; in fact, it will help carry IPS into next-generation releases. Behavior-based detection provides customers with visibility into their internal networks, allowing them to see what's happening across the network and search for suspicious behavior. IPS, on the other hand, looks for malicious behavior by searching for specific types of traffic -- attack traffic or traffic that violates policy. Customers therefore need IPS solutions that include behavior detection capabilities, and they will continue to see partnerships and acquisitions based around behavior detection becoming key features within broader threat protection products, namely IPS.
Such a broad IPS solution supports a deeper understanding of the internal network through network intelligence that includes threat discovery through traffic pattern behavior detection, which addresses risk management and vulnerability assessment. Behavioral detection capabilities help IPS vendors mature their application infrastructure and help customers to leverage their IPS investments. Sourcefire's Real-time Network Awareness (RNA) technology is a good example of this maturing market, with its behavioral profiling that provides analysis of network vulnerabilities. Earlier this year, ISS began partnering with Arbor Networks to include its behavior detection capabilities with its ISS Proventia IPS product. Also, Enterasys partnered with Q1 Labs to include behavior detection with its IPS offering.
This type of network intelligence will open new opportunities for IPS vendors when they eventually add access control capabilities into their technology. The ability of anomaly detection products to track individual user activity, quickly detect emerging threats, and continue network monitoring addresses increasingly critical capabilities for IPS vendors as they position themselves within network access control frameworks.
With consolidation on the rise, users can expect to see significant enhancements made to their IPS investments to include added behavior detection, a sturdy addition that will help in the fight against emerging threats.
Charlotte Dunlap is an analyst for Current Analysis, which provides competitive response to vendors, users and integrators. She has more than 15 years of experience covering high-tech/security issues as a journalist and analyst. She can be reached at firstname.lastname@example.org.
This article originally appeared on SearchNetworking.com.