In today’s Zero Trust (ZT) world, organizations have been heavily focused on Zero Trust edge identity solutions. In some cases, however, they’ve neglected visibility across all the connections, endpoints, and applications in the enterprise. Network analysis and visibility (NAV) solutions have become almost an afterthought to ZT, but they are actually central to a robust ZT architecture.
Forrester’s just-published The Network Analysis and Visibility Landscape, Q1 2023 report provides an overview of the NAV market and 23 vendors in this very mature space. Security and risk (S&R) pros can use this information to make well-informed decisions on vendor selection, as well as the use cases associated with this technology.
NAV Is A Necessary, But Not New, Security Capability
In 2011, Forrester coined the term “network analysis and visibility” and emphasized that organizations needed to examine network traffic for security and as a key component of a Zero Trust strategy. Early tooling enabled enterprise IT to identify lag across an enterprise, but not necessarily whether the cause was good, bad, or indifferent. As the market matured, vendors moved past simple metadata ingestion and started taking a good, hard look at the data itself, opening new avenues of inspection and correlation across multiple use cases and expanding into security-focused use cases.
Today, NAV solutions occupy a unique position in an organization’s ZT technology deployment, at the heart of the network. The central location of NAV technologies provides unmatched visibility into everything from lateral movement and nefarious activities to application dependencies across multiple environments. The visibility and comprehensive monitoring provided by NAV products allow for granular reporting and a focused approach to remediation across the network. While other organizations have coined alternate terms for this technology, such as network detection and response and network traffic analysis, Forrester defines NAV as:
Security solutions that deploy passively in networks to analyze network traffic to detect threats using behavioral and signature-based approaches; discover and establish relationships between assets; analyze traffic flow; extract relevant metadata; enable full or targeted packet capture; integrate with other control points to remediate detected threats; and enable network forensics.
Evaluating The NAV Market
Now that the NAV Landscape is published, I’m turning my attention to The Forrester Wave™: Network Analysis And Visibility, Q2 2023, which will be the first evaluative research on NAV.
Organizations can use the Landscape as well as the forthcoming Wave evaluation as they research an existing, replacement, or net-new NAV implementation. As they investigate NAV solutions, S&R pros should:
- Understand the environment. NAV solutions provide visibility into all network traffic, regardless of location. This statement does have a caveat in that you should understand where to place the sensors to capture relevant traffic. Traditionally, sensors are placed at, or near, the core of the network to capture traffic from every direction. Particular attention should be placed around cloud properties and other ingress/egress points such as OT/IoT environments. Take your overall architecture into account. Ask the vendors about cloud, multicloud, hybrid, and on-premises deployment capabilities, and match these to your specific use cases.
- Scrutinize offerings that heavily rely on machine learning and artificial intelligence. The majority of NAV vendors offer AI/ML capabilities in some form or fashion, and this is a good thing, but this technology often produces a high percentage of false positives, requiring tuning efforts from your security analysts. Look for vendors that utilize multiple correlation data points to reduce the white noise without significant input from your analysts.
- Know that endpoint telemetry data matters. NAV solutions should be able to do more than ingest endpoint detection and response (EDR) and extended detection and response (XDR) solutions’ information. They should also do so in a bidirectional fashion, thereby making the EDR/XDR solutions aware of threats that may not yet have been propagated to that specific vendor’s indicator of compromise and/or behavioral databases. This sharing of data allows actionable intelligence to be shared across multiple services, thereby enhancing your organization’s resiliency against novel threats.
- Realize that “pretty” does not equate to usability of the UI. Let’s face it, we all like shiny things. The UI is no exception. When looking at vendor offerings, don’t get caught up in the glitz and glam. Look for functionality over form, an easy button, if you will. Does the UI provide the ability to drill down, in context, without having to discern a specific shade of green? Does a 3D adaptable rendering provide value, or is it hiding a shortcoming of the product? As products evolve, it is imperative to be mindful of analyst experience when selecting a product that will be central to identifying threats on the network.
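To make the definition above and the “multiple correlation data points” advice concrete, here is an added worked example (not Forrester’s code, nor any vendor’s). It runs a passive analysis over a constructed set of flow records: a signature check against a placeholder indicator list, two behavioral checks (regular beaconing intervals and an outbound-volume outlier against the peer baseline), and a correlation step that only raises an alert when a host trips at least two independent signals. Confirmed alerts are then turned into destination indicators of the kind a bidirectional EDR/XDR integration could consume. All hosts, addresses (RFC 5737 test ranges), timestamps and the indicator list are constructed for the example; the thresholds are illustrative assumptions.

```python
"""Toy NAV-style passive traffic analysis: signature + behavioral detectors,
correlated across several data points before an alert is raised."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int         # seconds; constructed timestamps
    src: str        # internal source host
    dst: str        # destination address
    bytes_out: int  # bytes sent by src in this flow


# Placeholder indicator list for the example; not a real IoC.
KNOWN_BAD = {"203.0.113.9"}


def make_sample_flows():
    """Constructed traffic. 10.0.0.5 beacons to the flagged address every
    60 s and pushes far more data than its peers. 10.0.0.7 touches the same
    address once (a single weak signal). 10.0.0.6 and 10.0.0.8 are ordinary
    browsing; 10.0.0.8 revisits one site at irregular intervals."""
    flows = []
    for i in range(8):                                   # regular beacon
        flows.append(Flow(1000 + 60 * i, "10.0.0.5", "203.0.113.9", 50_000))
    gaps = [0, 17, 95, 140, 402, 555]                    # irregular timings
    for i, g in enumerate(gaps):                         # many destinations
        flows.append(Flow(1000 + g, "10.0.0.6", f"198.51.100.{10 + i}", 3_000))
    for g in gaps:                                       # one destination
        flows.append(Flow(1000 + g, "10.0.0.8", "198.51.100.30", 4_000))
    flows.append(Flow(1300, "10.0.0.7", "203.0.113.9", 2_000))
    flows.append(Flow(1400, "10.0.0.7", "198.51.100.20", 2_500))
    return flows


def signature_hits(flows):
    """Signature approach: any flow to a listed indicator is a hit."""
    hits = defaultdict(set)
    for f in flows:
        if f.dst in KNOWN_BAD:
            hits[f.src].add(f"signature:{f.dst}")
    return hits


def beaconing_hosts(flows, min_conns=5, max_cv=0.1):
    """Behavioral approach: near-constant inter-arrival times to one
    destination (coefficient of variation of the gaps <= max_cv)."""
    series = defaultdict(list)
    for f in flows:
        series[(f.src, f.dst)].append(f.ts)
    hits = defaultdict(set)
    for (src, dst), times in series.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits[src].add(f"beaconing:{dst}")
    return hits


def volume_outliers(flows, ratio=5.0):
    """Behavioral approach: hosts whose outbound byte total is far above the
    median of their peers (median is robust to the outlier itself)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.src] += f.bytes_out
    baseline = median(totals.values())
    hits = defaultdict(set)
    for host, total in totals.items():
        if baseline > 0 and total / baseline > ratio:
            hits[host].add("volume-outlier")
    return hits


def correlate(flows, min_signals=2):
    """Merge detector output per host; alert only on >= min_signals
    independent signals, and report the rest as suppressed single hits."""
    merged = defaultdict(set)
    for detector in (signature_hits, beaconing_hosts, volume_outliers):
        for host, sigs in detector(flows).items():
            merged[host] |= sigs
    alerts = {h: sorted(s) for h, s in merged.items() if len(s) >= min_signals}
    suppressed = {h: sorted(s) for h, s in merged.items() if len(s) < min_signals}
    return alerts, suppressed


def shareable_indicators(alerts):
    """Destinations from confirmed alerts, in a form an EDR/XDR integration
    could ingest as new indicators (the bidirectional sharing in the text)."""
    indicators = set()
    for sigs in alerts.values():
        for s in sigs:
            kind, _, value = s.partition(":")
            if kind in ("signature", "beaconing") and value:
                indicators.add(value)
    return sorted(indicators)


if __name__ == "__main__":
    alerts, suppressed = correlate(make_sample_flows())
    print("alerts:", alerts)
    print("suppressed single signals:", suppressed)
    print("indicators to share:", shareable_indicators(alerts))
```

With the constructed flows, 10.0.0.5 is alerted on three corroborating signals, while 10.0.0.7’s lone signature hit is held back as a single data point rather than surfaced as an alert, and 10.0.0.8’s irregular revisits do not trip the beaconing rule. The thresholds (five connections, 10% interval variation, 5× the median volume) are the kind of tuning knobs the text warns analysts end up adjusting; a product that correlates signals the way `correlate` does needs less of that tuning than one that alerts on any single detector.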
Stay tuned for the upcoming Wave evaluation and other ZT research I’m working on.
Are you in the market for a NAV solution and have questions on how best to proceed? Feel free to reach out to me for an in-depth discussion about this very important space.