IDC recently released its analysis of the rapidly growing network intelligence and threat analytics (NITA) market. In this inaugural report, IDC's Research Director for Security Products, Chris Kissel, examines the market and the importance of network data for security.
Network intelligence extracts metadata from packets, enriches it with user behavior analytics (UBA) and network events, and often cross-correlates the result with threat intelligence or attack simulation to find possible adversaries.
"NITA roughly tracks to a more common industry acronym: network detection and response (NDR)," adds Kissel. The report provides insights for the future of network detection and response (NDR).
ExtraHop was not only named as a top-three NITA vendor, but was named as the "Vendor Who Shaped the Year"—which according to Kissel is attributed to "unique capabilities and first-mover cloud advances."
Below are the top takeaways for organizations to consider in their network detection and response strategies. The full report can be downloaded here; for further insights, listen to the market discussion in the accompanying webcast featuring Chris Kissel.
The NITA Market Is Growing Fast
The NITA market (up 18.9% in 2019) is growing rapidly—much faster than AIRO products (up just 5.7%) because these tools:
- Are adaptable in the face of remote workforces and changing infrastructures
- Complement other tools
- Offer versatility and faster workflows
- Detect threats missed by signatures
- Make it easier to investigate advanced threats
Network intelligence and threat analytics (NITA) is a technology sector within the cybersecurity AIRO product group within the IDC Security and Trust set of services. The acronym AIRO (analytics, intelligence, response, and orchestration) establishes the foundation for the types of technologies and platforms that are mapped within the service.
The webcast analyzes the report and provides insight into why the NITA market is growing rapidly. In particular, the webcast discusses how signature-based approaches will miss some threats, especially sophisticated attacks like SUNBURST, making it critical to use network telemetry to understand behavior. As Kissel put it, "If you're still thinking about signatures as the only way that you can detect an adversary, I think you've got real problems."
How the Network Is Used to Unmask the Adversary
The NITA report is IDC's first examination of the detection and response market with this framing. Kissel has included a variety of network solutions he believes are important to consider in your security tooling strategy, including NDR, Deception, PCAP and NPM, and Emulation.
In the webcast, Kissel discusses the importance of the network in stopping advanced threats. He stressed that a strong perimeter is important, but inevitably threats will get inside. Because advanced threat behavior is visible across the network, NITA solutions have a unique ability to connect the dots in a way other solutions can't.
As the report explains, "...NITA platforms assume an analytical view of the network (i.e., a bird's eye view). NITA platforms can monitor for configuration drift and look for indicators of compromise (IoCs) from sessions, telemetry coming from IT and cybersecurity tools, or artifacts coming from the metadata of the files themselves."
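To make the behavior-versus-signature point concrete (the description of network intelligence above and the SUNBURST discussion both rely on it), here is an added example that is not code from ExtraHop, IDC, or the report. It works on constructed flow metadata (timestamp, source, destination, port, bytes) rather than full packets, assumes a hypothetical peer-group table mapping hosts to a role, and uses made-up thresholds. A signature check against a known-bad address list finds nothing, while a peer-group fan-out baseline flags the one workstation that starts sweeping SMB across a subnet it never touched before.

```python
"""Behavioral detection over flow metadata versus a signature lookup.

Added example with a constructed data set; not ExtraHop or IDC code.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since an arbitrary epoch
    src: str
    dst: str
    dport: int
    nbytes: int


# Hypothetical peer-group table: five workstations share the role "ws".
PEER_GROUP = {f"10.0.1.{i}": "ws" for i in range(10, 15)}
SERVERS = ["10.0.2.5", "10.0.2.6"]      # constructed file and mail servers
KNOWN_BAD = {"203.0.113.7"}              # constructed signature list (IoC addresses)


def build_sample() -> list:
    """Constructed flows: one quiet baseline hour, then one hour with an SMB sweep."""
    flows = []
    # Baseline hour (ts 0..3599): each workstation talks only to the two servers.
    for i, host in enumerate(PEER_GROUP):
        for k in range(6):
            flows.append(Flow(ts=k * 600 + i, src=host, dst=SERVERS[k % 2],
                              dport=445 if k % 2 == 0 else 993, nbytes=4000))
    # Detection hour (ts 3600..7199): normal traffic, plus 10.0.1.12 probing 40 new hosts.
    for i, host in enumerate(PEER_GROUP):
        flows.append(Flow(ts=3600 + i, src=host, dst=SERVERS[0], dport=445, nbytes=4000))
    for n in range(20, 60):
        flows.append(Flow(ts=3700 + n, src="10.0.1.12", dst=f"10.0.3.{n}",
                          dport=445, nbytes=300))
    return flows


def signature_hits(flows, known_bad=KNOWN_BAD) -> list:
    """Signature-style check: a flow is bad only if an endpoint is on the IoC list."""
    return [f for f in flows if f.src in known_bad or f.dst in known_bad]


def destinations_by_window(flows, window=3600) -> dict:
    """Map (window index, src) -> set of distinct destinations seen in that window."""
    seen = defaultdict(set)
    for f in flows:
        seen[(f.ts // window, f.src)].add(f.dst)
    return seen


def detect(flows, window=3600, floor=5, ratio=3.0) -> list:
    """Flag hosts whose destination fan-out exceeds their peer group's baseline.

    Window 0 is the baseline: it yields a per-group median fan-out and the set of
    destinations that are "known". Later windows are scored against it. A host is
    flagged when its fan-out exceeds max(floor, ratio * peer median); the finding
    also reports how many of its destinations were never seen in the baseline.
    """
    seen = destinations_by_window(flows, window)
    baseline_fanout = defaultdict(list)
    baseline_dsts = set()
    for (w, src), dsts in seen.items():
        if w == 0:
            baseline_fanout[PEER_GROUP.get(src, "other")].append(len(dsts))
            baseline_dsts |= dsts

    findings = []
    for (w, src), dsts in sorted(seen.items()):
        if w == 0:
            continue
        group = PEER_GROUP.get(src, "other")
        peer_median = median(baseline_fanout[group]) if baseline_fanout[group] else 0
        threshold = max(floor, ratio * peer_median)
        if len(dsts) > threshold:
            findings.append({
                "src": src, "window": w, "group": group,
                "fanout": len(dsts), "peer_median": peer_median,
                "new_destinations": len(dsts - baseline_dsts),
            })
    return findings


if __name__ == "__main__":
    sample = build_sample()
    print("signature hits:", len(signature_hits(sample)))
    for finding in detect(sample):
        print("behavioral finding:", finding)
```

The signature lookup returns nothing because no endpoint is on the list; the fan-out baseline flags 10.0.1.12 in the second window with 41 distinct destinations against a peer median of 2, 40 of them never seen before. Real deployments replace the static peer table with learned peer groups and add further dimensions (ports, byte volumes, time of day), but the shape of the detection is the same.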
Vendor Who Shaped the Year: ExtraHop
The report cites several reasons for choosing ExtraHop as the Vendor Who Shaped the Year, but they start by saying that "ExtraHop comes to mind because its platforms were fully qualified when Microsoft Azure announced a beta version of VTAP and when AWS made its traffic mirroring capability generally available (GA)."
Over the last three years, ExtraHop has worked with the major cloud players to perform out-of-band analysis on network traffic across cloud scenarios:
- In October 2018, Microsoft Azure announced a beta trial for its VTAP enabling mirroring of virtual machine traffic for out-of-band monitoring.
- In June 2019, Amazon VPC traffic mirroring became generally available in all public AWS regions.
- In December 2019, Google announced packet mirroring for Google Cloud Platform (GCP), which became generally available in March 2020.
The report notes that "ExtraHop was an originating, platform-qualified vendor and strategic business partner at the time of all three announcements."
Further, ExtraHop Reveal(x) provides central management even if you're securing cloud environments across multiple cloud providers. That allows you to monitor, secure, and threat hunt across your entire footprint without having to deal with disjointed data sets.
We're excited to be a top-three vendor in IDC's NITA market classification. However, our customers would tell you that, with additional capabilities such as network performance monitoring and out-of-band decryption, Reveal(x) brings more to the table than IDC's definition of NITA. And with Reveal(x) 360, our SaaS-based solution for unified security across complex hybrid networks, ExtraHop is revolutionizing what's possible in network-focused security.
Securing the Cloud with a Cloud-Native Approach
In reviewing ExtraHop, IDC paid close attention to our cloud-scale machine learning to provide peer group analysis and identify device or asset behaviors that indicate network privilege escalation and ransomware. IDC also noted that Reveal(x) can provide continuous packet capture, record storage, and more.
The report noted that Reveal(x) provides:
- Efficient workflows
- Wider coverage in one tool across cloud, multicloud, and on-premises environments
- Fast and effective forensics
- Threat detection and response, including sophisticated advanced threats
- Mapping of detections to the MITRE ATT&CK framework
- Integration with other solutions in the SOC toolset
Given the last year's major shift to remote work and the acceleration of cloud adoption, complete cloud coverage is of particular importance. As Kissel put it in the webcast, "It's not only contemporary, it's necessary."