
Asking the Hard Questions: Why Analyze Network Traffic?


There are times when we adults would be better off thinking like toddlers. More specifically, I want us all to go back to the days where we asked incessant strings of questions before our tired parents got us to stop. “Why, why, why?” This mindset helps answer the question, “Why analyze network traffic?” The simplest response I can give is that network traffic analysis is akin to the rare tireless parent who answers everything you want and need to know.


What is network traffic analysis?

Before going more in-depth, I want to ensure that you and I have the same idea of what network traffic analysis is. Here is a good explanation from Techopedia:

Network traffic analysis is the process of recording, reviewing and analyzing network traffic for the purpose of performance, security and/or general network operations and management.

It is the process of using manual and automated techniques to review granular-level detail and statistics within network traffic.

Note that it specifies “granular-level” detail. This means that we’re going further than a top talkers report. The smaller conversations on your network can be the most illuminating.

Techopedia further elaborates:

Network security staff uses network traffic analysis to identify any malicious or suspicious packets within the traffic. Similarly, network administrators seek to monitor download/upload speeds, throughput, content, etc. to understand network operations.

This is important: security and network teams can both analyze network traffic to their benefit. They may be looking for different things, but they can use the same system.

In other words, both teams need the granular visibility and investigative capabilities that come with network traffic analysis in order to effectively accomplish their goals.

Don’t operate your network under fog of war


Every good decision has good information behind it. How do you know how to respond to an incident, be it security- or network-related, without the context surrounding the issue? How can you know that you’ve completely resolved an issue without knowing the root cause?

For example, we recently experienced a network performance problem. Our tech support team quickly figured out which host was flooding the network. That was enough to stop that instance of the problem, but not necessarily the problem itself. Instead, they dug deeper—they asked why the issue happened in the first place. They were able to analyze network traffic to answer that question and fix the issue for good.

Let’s get into the specifics for each team.

Security team—why analyze network traffic?

It’s important to invest in preventative technology—there are a lot of threats it can block. But by no means should all of your resources go into it. You have something important to guard. Does it make sense to set up defenses, but then blindly trust that those defenses will hold?

Social engineering is more sophisticated than ever. The Internet of Things is creating exponentially more threat surfaces than ever. Hackers are unleashing bigger, more devastating attacks than ever. That’s a lot of “than ever”s to manage; inevitably, something will get past your firewalls and IPS. You may be able to recognize that a breach has happened, but it’s not until you analyze network traffic that you can answer the hard questions. When did it happen? How? Who was behind it? What was exposed or stolen?

During a security incident, time is critical. Network traffic analysis provides you the means to much more quickly investigate and then, armed with that context, figure out a response and solution.

Network team—why analyze network traffic?

Organizations are built from a lot of moving parts, and many of them rely upon the network running smoothly. If a business-critical—and in some industries, even life-critical—application goes down, operations can come to a halt. You may eventually find answers by combing through logs and packets, but that’s a lot of precious time poorly spent.

With the right context at your fingertips, however, you gain a much better understanding of the situation and can better determine the next steps. Knowing where to start and quickly being able to retrieve actionable data is key to quick remediation.

How to analyze network traffic

It starts by turning on the capability. I’m willing to bet that most devices on your network can already export the data you need; you just need to configure it.

The next step is to collect that data and set up an analytics system that can quickly visualize it and run algorithms on it in the background. Ideally, you should also have the flexibility to create your own thresholds and alarms, so that you’ll receive notification of potential issues.
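As an added example (not the post’s own code, nor part of any product it mentions), here is what those steps look like over constructed flow-export records: aggregate bytes per host, apply an operator-defined threshold, and for any host that trips it, pull the granular conversation detail and first-seen time that a plain top-talkers report would not give you. The record layout, addresses and volumes are all made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed flow records standing in for a router's flow export (NetFlow/IPFIX
# style): (start_time, src, dst, dst_port, proto, bytes). Addresses are made up.
FLOWS = [
    (1000, "10.0.0.5", "10.0.0.1", 53, "udp", 120),
    (1002, "10.0.0.5", "203.0.113.10", 443, "tcp", 48_000),
    (1005, "10.0.0.7", "10.0.0.1", 53, "udp", 80),
    (1010, "10.0.0.7", "10.0.0.20", 445, "tcp", 900_000),
    (1011, "10.0.0.7", "10.0.0.20", 445, "tcp", 900_000),
    (1012, "10.0.0.7", "10.0.0.20", 445, "tcp", 900_000),
    (1020, "10.0.0.9", "203.0.113.10", 443, "tcp", 52_000),
]

@dataclass
class Alarm:
    host: str
    total_bytes: int
    first_seen: int          # answers "when did it start?"
    top_conversation: tuple  # (dst, dst_port, proto): answers "why?"

def bytes_per_host(flows):
    """Top-talkers view: total bytes sent by each source host."""
    totals = defaultdict(int)
    for _ts, src, _dst, _dport, _proto, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)

def conversations(flows, host):
    """Granular view: bytes per (dst, port, proto) conversation for one host."""
    convs = defaultdict(int)
    for _ts, src, dst, dport, proto, nbytes in flows:
        if src == host:
            convs[(dst, dport, proto)] += nbytes
    return dict(convs)

def check_threshold(flows, byte_threshold):
    """Operator-defined threshold alarm, enriched with the first-seen time and
    the single conversation that contributed the most bytes."""
    alarms = []
    for host, total in bytes_per_host(flows).items():
        if total > byte_threshold:
            first_seen = min(ts for ts, src, *_ in flows if src == host)
            convs = conversations(flows, host)
            alarms.append(Alarm(host, total, first_seen, max(convs, key=convs.get)))
    return alarms
```

With a 1,000,000-byte threshold, only 10.0.0.7 trips the alarm, and the alarm already carries the detail (one SMB conversation to 10.0.0.20 accounting for almost all of its volume, first seen at 1005) that turns "which host" into "why".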

If you’re looking to answer the hard questions about your own network, you may like to check out the free trial of our network traffic analytics system.