IBM QRadar

QRadar Network Threat Analytics app (NTA)

By Tom Obremski posted Tue June 29, 2021 12:10 PM


Network behavior and anomaly detection has been at the core of QRadar since day one, and for good reason: almost all threat activity plays out across our networks. To help organizations detect and combat these threats, the new IBM Security Network Threat Analytics app (NTA) is now available to all QRadar customers. It is more than just an app: NTA delivers the latest innovations in network analytics and leverages machine learning techniques that run and scale across your QRadar deployment.

Like other QRadar apps, the IBM Security Network Threat Analytics app is available for download from the XForce App Exchange. Detailed documentation is available online, but I want to point out a few things. First, NTA requires your QRadar deployment to be at v7.4.2 or newer. If you're wondering why, the 7.4.2 release added the capability for the NTA analytics to run wherever your flow data is processed and stored. Second, NTA needs flow data. This can be any type of flow data: NetFlow, J-Flow, IPFIX, etc., from your switches, routers, and firewalls. Better yet, you can use QRadar Network Insights (QNI) data, which provides much deeper network visibility by capturing packets as they cross the wire and reconstructing entire network sessions to extract key information that powers both NTA and your rules-based content.

To install NTA, simply download the app from the XForce App Exchange and install it as usual. Deploying on an App Host is recommended for NTA given the resources the app requires. Upon installation you'll see the usual prompts for an authorized service token. Once the token is added, NTA automatically starts analyzing your historical flow / QNI data to build a baseline of what is happening across your networks; you'll generally need at least one week's worth of data, and more is always better. During the initial training period, results won't be available, but you'll be able to monitor the progress and the percentage of training that is complete.
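A preflight check for the two prerequisites above (QRadar 7.4.2 or newer, and enough stored flow data to build a first baseline), as an added example that is not part of the original post or of the NTA app. It assumes the QRadar REST API's GET /api/system/about endpoint and the /api/ariel/searches endpoints, authenticated with an authorized service token of the same kind the app prompts for, passed in the SEC header. The sample responses embedded at the bottom are constructed, not captured from a real console, so the checks run offline.

```python
"""NTA preflight: confirm QRadar >= 7.4.2 and >= 7 days of stored flow data.

Added example; not part of the original post or of the NTA app itself.
Assumes the QRadar REST API endpoints GET /api/system/about and
/api/ariel/searches, authenticated with an authorized-service token in
the SEC header. The sample responses at the bottom are constructed so
the checks can run offline.
"""
import json
import re
import time
import urllib.parse
import urllib.request

MIN_VERSION = (7, 4, 2)     # NTA requires QRadar 7.4.2 or newer
MIN_BASELINE_DAYS = 7       # roughly a week of flow history for the first baseline
DAY_MS = 86_400_000
# Ask Ariel for the oldest stored flow; a bounded window keeps the search cheap.
AQL = "SELECT MIN(starttime) AS oldest, COUNT(*) AS n FROM flows LAST 30 DAYS"


def parse_version(text):
    """'7.4.2', '7.4.3 Patch 1', '7.4' -> (7, 4, 2) / (7, 4, 3) / (7, 4, 0)."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def version_ok(about):
    """about: parsed JSON from GET /api/system/about."""
    return parse_version(about["external_version"]) >= MIN_VERSION


def flow_history_days(results, now_ms):
    """results: parsed JSON from GET /api/ariel/searches/{id}/results for AQL above.
    Returns days between the oldest stored flow and now_ms (0.0 if no flows exist)."""
    rows = results.get("flows", [])
    if not rows or not rows[0].get("n") or rows[0].get("oldest") is None:
        return 0.0
    return (now_ms - rows[0]["oldest"]) / DAY_MS


def flow_data_ok(results, now_ms):
    return flow_history_days(results, now_ms) >= MIN_BASELINE_DAYS


def qradar_call(console, token, path, method="GET"):
    """Minimal authenticated API call; SEC carries the authorized-service token."""
    req = urllib.request.Request(
        f"https://{console}/api{path}", method=method,
        headers={"SEC": token, "Accept": "application/json"})
    # Uses the system CA store; trust your console's CA rather than disabling verification.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def run_aql(console, token, aql, poll_seconds=2):
    """Start an Ariel search, wait until it completes, and return its results."""
    path = "/ariel/searches?query_expression=" + urllib.parse.quote(aql)
    search_id = qradar_call(console, token, path, method="POST")["search_id"]
    while True:
        status = qradar_call(console, token, f"/ariel/searches/{search_id}")["status"]
        if status == "COMPLETED":
            return qradar_call(console, token, f"/ariel/searches/{search_id}/results")
        if status in ("ERROR", "CANCELED"):
            raise RuntimeError(f"Ariel search {search_id} ended with status {status}")
        time.sleep(poll_seconds)


def preflight(console, token):
    """Live check against a console; returns (version_ok, days_of_flow_history)."""
    about = qradar_call(console, token, "/system/about")
    results = run_aql(console, token, AQL)
    return version_ok(about), flow_history_days(results, int(time.time() * 1000))


# Constructed sample responses (not captured from a real console).
NOW_MS = 1_625_000_000_000                     # late June 2021
SAMPLE_ABOUT = {"release_name": "7.4.2", "external_version": "7.4.2", "fips_enabled": False}
SAMPLE_FLOWS = {"flows": [{"oldest": NOW_MS - 9 * DAY_MS, "n": 18_347_221}]}

if __name__ == "__main__":
    print("version ok:", version_ok(SAMPLE_ABOUT))                          # True
    print("days of flow history:", flow_history_days(SAMPLE_FLOWS, NOW_MS))  # 9.0
    print("flow data ok:", flow_data_ok(SAMPLE_FLOWS, NOW_MS))              # True
```

Against a live deployment, call preflight("console.example.internal", token) with a token from an authorized service that has permission to read system information and run Ariel searches; a False first element or a second element below 7 means the app will either refuse to install or sit in training longer than the post's one-week guidance suggests. The version parser deliberately ignores patch and build suffixes so a string like "7.4.3 Patch 1" still compares correctly.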


In the settings panel you'll see an uninstall button, which is unique to NTA. Should you ever need to uninstall NTA, use this button rather than the traditional uninstall method in Extensions Management: the in-app uninstall shuts down the analytics running in the QRadar pipeline, removes the analytics models, and then uninstalls the app.

Once the initial training is complete, the app dashboard populates with results as NTA begins to analyze network activity in real time. Training also continues in the background to continually improve and adapt its understanding of your networks and the communications taking place. The NTA dashboard allows you to select a time interval and view the network activity that deviates from typical behavior in the graphs and tables of network outliers.


Outlier scores are on a scale of 0 to 100, with higher numbers representing behavior that deviates to a larger degree across all aspects of that network session. The “Baseline occurrence” field indicates which type of network traffic this particular session is representative of and how common that type of activity is across your networks.


Clicking on any row brings you to the detailed analytics results.


On the left you'll see the identifying information for that network session, and on the right a graphical representation of the key features contributing to the outlier score. Purple bars represent parameters that fall outside their expected values in the baseline; green bars show parameters that are relevant but not necessarily unexpected. Further down is the list of all parameters and their results, including those that deviated from what was expected, along with the common values or ranges for those parameters. Remember the deep network visibility I mentioned earlier? When QNI is part of your QRadar deployment, NTA includes that deeper QNI visibility in its analysis, and all of that additional data makes it even more powerful.


If you haven’t already done so, I would encourage you to download the Network Threat Analytics (NTA) app for your QRadar deployment.  And if you’re not leveraging flows or QNI today, this is a great time to get started.

Comments

Wed June 30, 2021 09:42 AM

This is fantastic, Tom. Thanks to the team for all of your hard work!