Cyber Defense Magazine – July 2019


Network Traffic Analytics: Helping to Speed up Incident Investigation and Resolution


By Gavin Hill, Vice President, Datacenter and Network Security Products, Bitdefender


How effectively security incidents are investigated and resolved determines how effective all other defense
efforts are. But improving incident investigation and resolution does not come without challenges. The reality
is that there are too many alerts to handle, and correlation between those alerts is poor.


However, an emerging category of Network Traffic Analytics (NTA) tools can address these challenges
and accelerate incident investigation and resolution. But let’s understand the challenges first.


Improving the quality of security alerts


Although an excess of alerts is among the most important challenges security analysts and Security
Operations Centers (SOCs) face, only 54 percent of respondents in the 2018 Security Operations Center
Survey by the SANS Analyst Program collected SOC metrics. Organizations without SOC KPIs have trouble
adjusting their skill levels, processes and tools to ensure that every security incident is handled properly.


How many security incidents are too many to handle? This varies from organization to organization, but
the outcome of alert fatigue seems to be the same: roughly 30 percent of alerts globally are simply
ignored. Analysts suffer from alert fatigue because of the staggering volume, with organizations reporting
anywhere from 10,000 to 1 million alerts a day. The sheer volume is often fueled by problems of quality
or relevance that stem from limited context, redundant alerts, a rising number of false positives and
alert delivery issues.


What can be done? The quest to increase the efficiency and effectiveness of incident investigations must
start by improving the quality and relevance of alerts and reducing their number. Most devices in the
environment, from end-user devices to servers, switches, routers or firewalls, generate some sort of
alerts. But which ones should take priority? Which ones, if ignored or not investigated promptly, pose the
highest risk?
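The three levers named above (adding context, collapsing redundant alerts, and ranking what is left by risk) can be shown on a handful of alerts. The following is an added example, not code from the article or from Bitdefender: it takes constructed alerts from a firewall, a network sensor and an endpoint agent, deduplicates repeats of the same signature inside a time window, correlates the survivors by host, and scores each host by its highest severity, the number of independent layers corroborating it, and a hypothetical asset-criticality weight. The alert records, the `ASSET_CRITICALITY` table and the scoring formula are all assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three security layers; illustrative records,
# not the output of any real product.
SAMPLE_ALERTS = [
    {"ts": "2019-07-01T09:00:00", "source": "firewall", "host": "10.0.1.20",
     "signature": "outbound-port-445-blocked", "severity": 2},
    {"ts": "2019-07-01T09:00:05", "source": "firewall", "host": "10.0.1.20",
     "signature": "outbound-port-445-blocked", "severity": 2},
    {"ts": "2019-07-01T09:00:09", "source": "firewall", "host": "10.0.1.20",
     "signature": "outbound-port-445-blocked", "severity": 2},
    {"ts": "2019-07-01T09:02:00", "source": "network", "host": "10.0.1.20",
     "signature": "smb-lateral-movement-pattern", "severity": 4},
    {"ts": "2019-07-01T09:03:00", "source": "endpoint", "host": "10.0.1.20",
     "signature": "suspicious-process-tree", "severity": 3},
    {"ts": "2019-07-01T09:10:00", "source": "endpoint", "host": "10.0.2.5",
     "signature": "adware-detected", "severity": 1},
    {"ts": "2019-07-01T09:11:00", "source": "firewall", "host": "10.0.3.7",
     "signature": "port-scan-inbound", "severity": 3},
]

# Hypothetical asset-criticality weights; a real deployment would pull these
# from an asset inventory or CMDB rather than a hard-coded table.
ASSET_CRITICALITY = {"10.0.1.20": 1.0, "10.0.2.5": 0.5, "10.0.3.7": 2.0}


def _parse(ts):
    return datetime.fromisoformat(ts)


def dedupe(alerts, window=timedelta(minutes=5)):
    """Collapse repeats of the same (source, host, signature) seen within
    `window` of the first occurrence into a single alert carrying a count."""
    merged = []
    index_of = {}  # (source, host, signature) -> position in merged
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["source"], a["host"], a["signature"])
        idx = index_of.get(key)
        if idx is not None and _parse(a["ts"]) - _parse(merged[idx]["first_ts"]) <= window:
            merged[idx]["count"] += 1
            merged[idx]["last_ts"] = a["ts"]
            continue
        merged.append(dict(a, first_ts=a["ts"], last_ts=a["ts"], count=1))
        index_of[key] = len(merged) - 1
    return merged


def correlate(alerts):
    """Group alerts by host so an incident is judged on the evidence from every
    layer that reported it, not on each alert in isolation."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    return by_host


def score(host, host_alerts):
    """Risk score: the highest severity seen on the host, boosted by 50% for
    each additional independent source that corroborates it, then weighted by
    asset criticality (assumed formula)."""
    sources = {a["source"] for a in host_alerts}
    max_sev = max(a["severity"] for a in host_alerts)
    corroboration = 1 + 0.5 * (len(sources) - 1)
    return max_sev * corroboration * ASSET_CRITICALITY.get(host, 1.0)


def triage(alerts):
    """Return (host, score, sources, alert_count) tuples, highest risk first."""
    ranked = []
    for host, hs in correlate(dedupe(alerts)).items():
        ranked.append((host, score(host, hs), sorted({a["source"] for a in hs}), len(hs)))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    print(f"raw alerts: {len(SAMPLE_ALERTS)}, after dedupe: {len(dedupe(SAMPLE_ALERTS))}")
    for host, s, sources, n in triage(SAMPLE_ALERTS):
        print(f"{host:<12} score={s:<5} sources={sources} alerts={n}")
```

Seven raw alerts become five after deduplication, and the host reported by all three layers rises to the top even though its individual firewall alerts were low severity, while the high-criticality host with a single port-scan alert ranks second and the adware alert on a low-value asset falls to the bottom. The weights are deliberately simple; the point is that corroboration across layers and asset context, not raw alert count, drive the priority.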


In a recent blog post on RSA 2019, ESG senior analyst Jon Oltsik said, “ESG research indicates that
network security monitoring is most often the center of gravity for threat detection. In other words, SOC
analysts detect suspicious activity on the network first and then pivot elsewhere for further investigation
... CISOs can get a big bang for their buck by implementing one of the more modern network security
monitoring/analytics tools.”


Enter Network Traffic Analytics solutions. Alerts generated by these tools are more relevant than alerts
generated by other security layers. This is because they can provide complete visibility across
infrastructure, including detailed explanations for incident severity scores, and smart alert triage that
