Market Guide for Network Traffic Analysis
Published 28 February 2019 - ID G00381265 - 23 min read

Network traffic analysis is a new market, with many vendors entering since 2016. Here, we analyze the key NTA vendors to be considered by security and risk management leaders.

Overview

Key Findings
- Applying behavioral analysis to network traffic is helping enterprises detect suspicious traffic that other security tools are missing.
- The barrier to entry in this market is low, and the market is crowded; many vendors can monitor traffic from a SPAN port and apply well-known behavioral techniques to detect suspicious traffic.

Recommendations
To improve the detection of suspicious network traffic, security and risk management leaders should:
- Implement behavioral-based network traffic analysis tools to complement signature-based detection solutions.
- Include NTA-as-a-feature solutions in their evaluations, if they are available from security information and event management (SIEM), firewall, or other security products.
- Focus on scalability (can the solution analyze the volume of traffic in the network?); efficacy of detection (perform a proof-of-concept trial in the environment); and price (at this early stage, market pricing varies widely).

Market Definition
Network traffic analysis (NTA) uses a combination of machine learning, advanced analytics and rule-based detection to detect suspicious activities on enterprise networks. NTA tools continuously analyze raw traffic and/or flow records (for example, NetFlow) to build models that reflect normal network behavior. When the NTA tools detect abnormal traffic patterns, they raise alerts. In addition to monitoring north/south traffic that crosses the enterprise perimeter, NTA solutions can also monitor east/west communications by analyzing network traffic or flow records that they receive from strategically placed network sensors.
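The definition above describes the core mechanism of an NTA tool in the abstract: consume flow records, build a per-host model of normal behavior, separate north/south from east/west traffic, and alert on deviations. The script below is an added illustration of that mechanism written for this page; it is not Gartner's text, nor any vendor's product code. It uses constructed NetFlow-style records, an assumed internal address space (10.0.0.0/8 and 192.168.0.0/16), and an assumed 3-sigma threshold; a real product would use richer features, many more windows, and learned rather than hand-picked thresholds.

```python
"""Toy behavioral network traffic analysis over NetFlow-style records.

Added example, not from the Gartner guide or any vendor. Address ranges,
thresholds and all flow records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed assumption: these ranges are "inside" the enterprise perimeter.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    """One flow record; only the NetFlow fields this example needs."""
    window: int   # observation window index (e.g. hour of the day)
    src: str
    dst: str
    dport: int
    nbytes: int


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def direction(flow):
    """'east_west' when both endpoints are internal, else 'north_south' (crosses the perimeter)."""
    return "east_west" if is_internal(flow.src) and is_internal(flow.dst) else "north_south"


def host_features(flows):
    """Per (internal source host, window): bytes sent, distinct internal peers, distinct external peers."""
    acc = defaultdict(lambda: {"bytes": 0, "ew_peers": set(), "ns_peers": set()})
    for f in flows:
        if not is_internal(f.src):
            continue  # we model the behavior of our own hosts only
        rec = acc[(f.src, f.window)]
        rec["bytes"] += f.nbytes
        rec["ew_peers" if direction(f) == "east_west" else "ns_peers"].add(f.dst)
    return {k: {"bytes": v["bytes"], "ew_peers": len(v["ew_peers"]), "ns_peers": len(v["ns_peers"])}
            for k, v in acc.items()}


def build_baseline(flows, train_windows):
    """Per host, (mean, population stdev) of each feature over the training windows.

    A window in which a host sent nothing counts as zero, so quiet hosts still get a model.
    """
    feats = host_features(flows)
    baseline = {}
    for host in {src for (src, _w) in feats}:
        series = defaultdict(list)
        for w in train_windows:
            rec = feats.get((host, w), {"bytes": 0, "ew_peers": 0, "ns_peers": 0})
            for name, val in rec.items():
                series[name].append(val)
        baseline[host] = {name: (mean(vals), pstdev(vals)) for name, vals in series.items()}
    return baseline


def detect(flows, baseline, window, z_threshold=3.0, min_sigma=1.0):
    """Return (host, feature, z) alerts for hosts exceeding the baseline by more than z_threshold sigmas.

    Only upward deviations alert; a host seen for the first time is reported as 'new_host'.
    min_sigma keeps a constant training series (stdev 0) from dividing by zero.
    """
    feats = host_features([f for f in flows if f.window == window])
    alerts = []
    for (host, _w), rec in feats.items():
        if host not in baseline:
            alerts.append((host, "new_host", None))
            continue
        for name, val in rec.items():
            mu, sigma = baseline[host][name]
            z = (val - mu) / max(sigma, min_sigma)
            if z > z_threshold:
                alerts.append((host, name, round(z, 1)))
    return alerts


def sample_flows():
    """Constructed records: four quiet training windows, then a window where 10.0.0.5 deviates."""
    flows = []
    for w in range(5):
        flows += [Flow(w, "10.0.0.5", "10.0.0.10", 445, 500_000 + 5_000 * (w % 2)),
                  Flow(w, "10.0.0.5", "203.0.113.10", 443, 200_000),
                  Flow(w, "10.0.0.6", "10.0.0.10", 445, 300_000),
                  Flow(w, "10.0.0.6", "203.0.113.10", 443, 100_000 + 10_000 * (w % 2))]
    # Window 4: 10.0.0.5 talks to 30 internal peers it never touched before (east/west)
    # and pushes 50 MB to a new external host (north/south); 10.0.0.6 is unchanged.
    flows += [Flow(4, "10.0.0.5", f"10.0.0.{n}", 445, 1_200) for n in range(11, 41)]
    flows.append(Flow(4, "10.0.0.5", "203.0.113.99", 443, 50_000_000))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    baseline = build_baseline(flows, range(4))
    for alert in detect(flows, baseline, window=4):
        print(alert)
```

Run against the constructed data, the baseline is learned from windows 0 to 3 and window 4 produces two alerts for 10.0.0.5 (bytes sent and the count of east/west peers) and none for 10.0.0.6. The external-peer count of 10.0.0.5 only rises from 1 to 2, which stays under the threshold; the separate east/west and north/south features are what let the model flag the lateral fan-out on its own rather than burying it in a single aggregate.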
Market Description
Dozens of vendors claim to analyze network traffic (or flow records) and to detect suspicious activity on the network. To develop a scope of vendors, we have applied the following criteria.

Inclusion Criteria
Vendor must:
- Analyze raw network packet traffic or traffic flows (for example, NetFlow records) in real time or near real time
- Have the ability to monitor and analyze north/south traffic (as it crosses the perimeter), as well as east/west traffic (as it moves laterally throughout the network)
- Be able to model normal network traffic and highlight anomalous traffic
- Offer behavioral techniques (non-signature-based detection), such as machine learning or advanced analytics, that detect network anomalies
- Be able to emphasize the threat detection phase, rather than the forensics — for example, packet capture (PCAP) analysis — phase of an attack

Exclusion Criteria
We exclude solutions that:
- Require a prerequisite component — for example, those that require a security information and event management (SIEM) or firewall platform
- Work primarily on log analysis
- Primarily use rules, signatures or reputation for detection capabilities
- Are based primarily on analytics of user session activity — for example, user and entity behavior analytics (UEBA) technology
- Focus primarily on analyzing traffic in Internet of Things (IoT) or operational technology (OT) environments

Market Direction
Throughout 2019, NTA vendors will need to develop their solutions in two primary categories:
- Detection
- Response

In the detection category, we expect vendors to continue investing in the machine learning (supervised and unsupervised) techniques that many providers are offering today. Much of the innovation in these areas will not be noticeable to customers; however, vendors must continually invest in detection techniques to have a high degree of efficacy in detecting suspicious network traffic. Improvements in the response category will be more noticeable.

Although the primary use of NTA tools is detection, organizations expect more help from the tools when it comes to investigating and mitigating an incident. There are two broad categories under response:
- Automated response
- Manual response

Some types of alerts are good candidates for automated response. For example, if the detection tool has a high degree of confidence that an endpoint has been compromised, that endpoint can be automatically isolated from the network. For incidents that cannot be automatically blocked or handled, the NTA tool and/or third-par