The purpose of network traffic analysis is to gain insights based on network traffic patterns that can help teams find and remediate network performance or security problems.

Network traffic analysis is important because network traffic patterns can vary widely. The routes that packets traverse as they move between network segments and endpoints may vary, for example, resulting in different levels of performance depending on how efficient the various routes are. Likewise, malicious network activity, such as port scanning or Denial-of-Service (DoS) attacks, often creates unusual traffic patterns. By detecting anomalies, organizations can identify potential security risks, then block them before a breach occurs.

Network traffic analysis typically includes the following steps:

• Establish a baseline: First, network operations teams monitor the network during periods of normal activity to understand what typical network traffic patterns look like.
• Anomaly identification: Ongoing monitoring makes it possible to detect anomalies, such as unusual types of traffic flows or requests.
• Anomaly analysis: Not all anomalies within network traffic signify a problem. Therefore, when an anomaly is detected, engineers must investigate it to determine whether it results from a benign cause (such as the deployment of a new application that results in traffic pattern changes) or a problem. Problems could constitute performance issues (such as a failed router or switch that causes packets to be routed in unexpected ways) or security issues (like a network scan by malicious actors). 

To work well at scale, network traffic analysis processes should be automated. This can be done by pairing automated monitoring tools with rule-based detection engines that can detect deviations from normal traffic patterns.

Consider the following best practices to maximize the impact of network traffic analysis:

• Establish dynamic baselines: On modern networks, network traffic patterns may fluctuate during normal activity. For that reason, establishing a static baseline may not be possible. Teams should instead perform dynamic baselining, which involves determining how network traffic changes based on different conditions, such as the time of the day or the day of the week.
• Contextualize data: On its own, data about network traffic is of limited value. You must contextualize it by comparing it to other data sources, such as endpoint logs and metrics, to determine how unusual traffic patterns correlate with other events. For example, a spike in dropped packets could be explained by an application crash that is recorded in a server log.
• Know your network architecture: The type of network architecture that you use can play a significant role in shaping network traffic. Modern networks that make extensive use of software-defined network abstractions are likely to involve more complex and less consistent packet flows, for example, than simple networks. For this reason, it's important to factor in network architecture when determining whether a given traffic pattern is anomalous.
• Prioritize traffic alerts: As with any type of monitoring and analysis, network traffic analysis may produce alerts of varying levels of severity. For example, a sudden flood of data associated with a suspected DoS attack is a more serious risk than a moderate latency increases for a non-critical application. It's important to know which types of traffic-related issues pose the highest risk so that your team can react to them first.

These practices help ensure that network traffic analysis plays as effective a role as possible, alongside other network monitoring and management techniques, in helping your organization to identify and respond to performance and security issues that place the network at risk.

Network Traffic Analysis (NTA) helps security teams rapidly detect anomalous activity and malicious behavior as such activity moves laterally across the network.

At VMware, NTA is a component of NSX Advanced Threat Prevention along with Intrusion Detection/Prevention System (IDS/IPS), Network Sandboxing, and Network Detection and Response (NDR).  VMware’s NTA implementation uses the intelligence from security experts inside the VMware Threat Analysis Unit (TAU) and multiple forms of ML to produce proactive threat intelligence to identify known and novel threats.

NTA is available across all three products in the NSX Security portfolio: NSX Distributed Firewall with Advanced Threat Prevention, NSX Gateway Firewall with Advanced Threat Prevention, and NSX Advanced Threat Prevention (standalone). The distributed firewall option allows for TAP-less NTA deployment providing east-west protection against advanced threats while increasing operational simplicity.