Network Traffic Analyzer (NTA)

What is the NTA?

The Samurai Network Traffic Analyzer (NTA) is a virtual appliance designed to provide deep visibility into network activity and detect suspicious or malicious behaviour. It can be deployed in a virtual environment or as an AWS EC2 instance, enabling passive monitoring and analysis of east-west and north-south traffic for security threats and anomalies. The NTA complements existing security measures, delivering deeper insight into traffic and potential risks. Our approach leverages core capabilities to maximize protection and visibility:

Advanced Analytics

  • Utilizing machine learning and behavioral analysis, the Samurai Real-Time Engine (deployed on the NTA) identifies anomalous network activities that could indicate security threats, even those that evade traditional detection methods.

Cyber Threat Intelligence Integration

  • We apply our global threat intelligence feeds to enrich network data with context about known malicious actors, emerging threats, and attack patterns. This enhances the accuracy and speed of threat detection.

Network Layer Threat Hunting

  • With the ability to proactively hunt for threats at the network layer, Samurai SOC analysts can identify suspicious patterns and indicators of compromise that automated systems might miss.

Full Packet Capture (PCAP)

  • With full packet capture capabilities, the Samurai NTA allows for comprehensive forensic analysis. In the event of a security incident, Samurai SOC analysts can reconstruct sessions and examine payloads to understand the full scope and impact of the breach.

What are example use cases for the NTA?

  • Clients with bespoke or unsupported systems, e.g. systems with no current integration
  • Clients who want to expand their monitoring capabilities by leveraging NTT's global threat intelligence
  • Clients who want to expand monitoring beyond the telemetry data sources integrated into Samurai MDR, or who have systems that produce no telemetry data and so have limited threat detection capabilities; refer to Telemetry Data Source Categorization to understand how Samurai categorizes supported integrations
  • Clients who want to get a quick cyber security grip on new acquisitions
  • Clients with distributed branch offices with heterogeneous environments and no central log collection

What are the components of the NTA?

The NTA gains visibility of network traffic through traffic mirroring. The NTA monitors the traffic using specific components and generates security detections (alerts), which are sent to the Samurai platform and triaged, investigated and validated by SOC analysts, potentially leading to a security incident being reported to you. Refer to the high-level diagram below:

[Image: nta_internals.png]

Figure 1: The NTA internal components

Traditional IDS Meets Advanced Analytics

  • The NTA includes a traditional Intrusion Detection System (IDS) component (Suricata), which provides baseline network monitoring. However, its true strength lies in its ability to decode network protocols, converting them into detailed activity logs.

Real-Time Detection with Advanced Analytics

  • These activity logs are processed by the NTA resident Samurai Real-Time Engine, which applies:
    • Advanced Analytics to identify subtle anomalies.
    • Threat Intelligence to detect known malicious patterns.
  • This approach ensures a proactive, accurate understanding of network activity.

Full Traffic Recording (Stenographer)

  • The NTA records all traffic flowing through its sensor.
  • This enables comprehensive forensics and retrospective analysis, providing critical insights into historical activity.

Automatic Alert Data Collection

  • When an alert is triggered, the NTA automatically captures related packet data and sends it upstream to the Samurai platform for investigation by SOC Analysts.
  • This allows for immediate analysis and a deeper understanding of a potential incident.

What data is analyzed by the NTA?

All network traffic you decide to mirror to the NTA is analyzed. The NTA operates passively, monitoring the mirrored traffic without introducing latency or affecting production systems. Even when network traffic is encrypted (e.g. HTTPS, SSL/TLS), the NTA can still extract and analyze unencrypted metadata such as IP addresses, port numbers and traffic patterns, and correlate this metadata with Threat Intelligence such as known malicious IPs, domains or abnormal behaviors. In this way the NTA can identify potential threats and suspicious activity, maintaining effective threat detection without decrypting the payload.
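The two passages above (the IDS decoding protocols into activity logs, and metadata from encrypted traffic being correlated with threat intelligence) describe a pipeline that is easy to picture with a small worked example. The following Python is an added illustration, not Samurai's code or Suricata's: it reads a handful of constructed Suricata EVE JSON lines (the field names event_type, src_ip, dest_ip, tls.sni and dns.rrname follow Suricata's EVE format), checks the TLS SNI, DNS query names and IP addresses against a constructed, placeholder intel list, and emits detections carrying the 5-tuple, without ever looking at an encrypted payload. The indicator values and log lines are invented for the example.

```python
"""
Added example (not the NTA's own code): correlate Suricata EVE JSON
metadata with a threat-intelligence list, the way the page describes the
NTA analysing encrypted traffic without decrypting it. Log lines, intel
lists and indicator values below are constructed for illustration.
"""
import json
from collections import Counter
from typing import Iterable

# Constructed threat-intel feed (placeholder indicators, not real IoCs).
MALICIOUS_IPS = {"203.0.113.45"}                  # TEST-NET-3 address, placeholder only
MALICIOUS_DOMAINS = {"bad.example", "c2.example"}  # reserved .example names, placeholder only

# Constructed EVE JSON lines: one TLS handshake, one DNS query, two flow records.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"tls","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.45","dest_port":443,"proto":"TCP","tls":{"sni":"c2.example","version":"TLS 1.3"}}',
    '{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"dns","src_ip":"10.0.0.7","src_port":40000,"dest_ip":"10.0.0.1","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"www.bad.example","rrtype":"A"}}',
    '{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51235,"dest_ip":"198.51.100.10","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":812,"bytes_toclient":5021}}',
    '{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51236,"dest_ip":"203.0.113.45","dest_port":443,"proto":"TCP","flow":{"bytes_toserver":120,"bytes_toclient":90}}',
]


def domain_matches(name: str, domains: set) -> bool:
    """True if name equals, or is a subdomain of, any listed domain."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def correlate(eve_lines: Iterable[str]) -> list:
    """Return detections: one dict per event that hit an indicator, with 5-tuple and reasons."""
    detections = []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than stop the analyser
        reasons = []
        # IP-based indicators apply to every event type (flow, tls, dns, ...).
        for ip in (ev.get("src_ip"), ev.get("dest_ip")):
            if ip in MALICIOUS_IPS:
                reasons.append(f"ip:{ip}")
        etype = ev.get("event_type")
        if etype == "tls":
            # The SNI is sent in the clear in the ClientHello; no decryption needed.
            sni = ev.get("tls", {}).get("sni", "")
            if sni and domain_matches(sni, MALICIOUS_DOMAINS):
                reasons.append(f"tls_sni:{sni}")
        elif etype == "dns":
            rrname = ev.get("dns", {}).get("rrname", "")
            if rrname and domain_matches(rrname, MALICIOUS_DOMAINS):
                reasons.append(f"dns_query:{rrname}")
        if reasons:
            detections.append({
                "timestamp": ev.get("timestamp"),
                "event_type": etype,
                "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
                "dst": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
                "proto": ev.get("proto"),
                "reasons": reasons,
            })
    return detections


def hosts_by_hits(detections: list) -> Counter:
    """Count detections per internal source host, a simple triage ordering."""
    return Counter(d["src"].split(":")[0] for d in detections)


if __name__ == "__main__":
    for det in correlate(SAMPLE_EVE_LINES):
        print(det)
    print(hosts_by_hits(correlate(SAMPLE_EVE_LINES)))
```

On the constructed input this yields three detections: the TLS handshake hits both the IP and the SNI indicator, the DNS query hits the domain indicator through its subdomain, and the last flow hits the IP indicator even though it carries no decoded protocol at all. The subdomain matching in domain_matches is deliberate: intel lists name apex domains, while SNI and DNS names seen on the wire are usually hostnames beneath them.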

If a client has the capability to decrypt traffic before mirroring it to the NTA, that is of course advantageous; however, we recognize this may not be optimal or available in many cases.

All data resides locally on the NTA. Any security detections (alerts) made by the NTA, coupled with the related PCAP data, are sent to the Samurai platform for investigation by SOC Analysts.

What are the deployment options?

There are two options for deploying the Samurai NTA. Both options provide network traffic visibility but are deployed and configured differently.

  1. Deployment on virtual system(s)
  2. Deployment on an AWS EC2 instance

Who is responsible for the NTA?

You, the client, are responsible for installation and configuration of the NTA, including the underlying hypervisor/virtual machine settings and/or AWS EC2 configuration and settings.

The Samurai team is responsible for ensuring health and availability of the NTA which includes maintenance of the Operating System and installed software.

Samurai will send email notifications to registered users should your NTA encounter any problems. Once any issues have been resolved, you will be notified again when a healthy status is reached.

If the Samurai team determines that an NTA is oversubscribed, we will liaise with you to determine the best plan forward; this could include asking you to increase the assigned virtual resources.

Can I get assistance with deployment of an NTA?

Yes, if you require help and guidance with NTA deployment and configuration, we can help via the Samurai Onboarding service. The service is typically used by new Samurai MDR clients to support their transition onto Samurai Managed Detection and Response (MDR), but it is also available to clients who wish to expand or review an existing commitment, including the NTA.

What’s Next?

Review the requirements to determine what is needed before deployment and configuration of an NTA.