Dig Deeper: Why High-Performance Network Traffic Analysis is Growing in Popularity in SIEM Environment


Network traffic analysis is more important than it has ever been - How network-based traffic analysis tools extend existing SIEM systems.

For many companies today, it is usual to store automatically logged data of all actions or processes of a computer system in so-called log files. These provide a clear picture of activities in the network. Processing the amount of these files is a particular challenge: Some devices, such as firewalls, proxies or active directory servers, sometimes generate over 1,000 messages per second - but log data processing is still widely used in practice, especially with the help of so-called "Security Incident and Event Management" systems (SIEM in short).

A major disadvantage of log files is the fact that a system must generate them before they can be processed further. In contrast, raw data from network traffic contains a lot of information that is not even recorded in log files.

The reasons why many companies analyze log files instead of real network traffic are mainly:

  • The high memory requirements
  • The difficult processing of data volumes
  • The high hardware requirments

In short: The costs resulting from these factors are particularly feared.

"The detailed, high-performance and continuous evaluation of network traffic was unthinkable for many years compared to the added value," says Dominique Petersen, co-founder and head of "Advanced Threat Detection" at finally safe. "With our own 'made in Germany' solutions we were able to develop the technology that enables companies today to run network traffic analysis efficiently, economically and above all permanently.", Petersen continues.

The essential benefit of network traffic analysis (NTA) for companies and organizations is the ability to detect and close blind spots in communication and security gaps on end devices that enable attackers to perform successful attacks today.

For an effective defense it is important to take the attacker's perspective. As finally safe we have been doing this for several years. The focus of our work is to identify the techniques and methods that enable attackers to successfully attack companies:

  1. Hidden tunnels in network protocols
  2. Command and control / botnet connections
  3. Identification of vulnerabilities and configuration problems

We continuously identify these characteristics and behaviors in network traffic, using machine learning methods more often. Based on this, we are continuously expanding our detection capabilities in the network traffic of our analysis platform.

Examples of attacks that are difficult to detect without network traffic data:

#1: Exfiltration of data using ICMP

ICMP (Internet Control Message Protocol) is a common network protocol used to exchange information and error messages in computer networks.

Attackers use this protocol to e.g. sneak data out of a company - or vice versa. To do this unnoticed, so-called tunnel are used - the contained data remains hidden.

If only log files of a firewall, for example, are evaluated, they only contain the information that an internal device "addresses" an external server - which represents normal behavior.

Using network traffic analysis, detailed real-time content and behavioral analysis of all ICMP traffic can be performed to detect and report tunnel usage at an early stage.

#2: Botnet connection from infected PC

Botnets are connected infected computers on which automated malware, so-called bots (robots), operate. These are available without the consent of the owners and can be "rented" illegally and used for attacks.

Companies can be part of a botnet without realizing it. Log entries from firewalls only register "normal" traffic, e.g. an internal device communicating with an HTTP server ("surfing in the web").

NTA performs in-depth, high-performance deep packet inspection (DPI) of data to detect and report botnet traffic early.

The examples show that log files and higher-level systems such as SIEM should be supplemented with intelligently evaluated network traffic information in order to be prepared against advanced attacks. These have been used more and more frequently for some time.

An NTA analysis platform can be easily integrated into any network infrastructure. A sensor appliance is passively connected to a switch or packet broker via a mirror port. The solution can be operated as a "cloud", without an external connection and as a managed service.

The solution developed by finally safe offers interfaces to SIEM, NAC and common ticket systems and can thus be fully integrated into existing security architectures. In addition, a REST API is also provided.

Since 2015, the Advanced Security Analytics platform has been deployed in public authorities, energy and water suppliers and operators of Security Operation Centers (SOC).


NTA is still regarded as "too expensive" or "luxury" - but is now essential for the detection of weak points and attacks in the network - also in the SIEM context.

Today, NTA is a high-performance solution that can be implemented with standard hardware and thus helps to reach the next level of security - both in combination with so-called Next Generation Firewalls and in the SIEM and managed-SIEM environment.

With NTA, previously blind spots and vulnerabilities can be uncovered, which today make it easy for attackers to infiltrate and extract data for remote control of malware.

Do you have any questions about the above examples? Please contact us with our request form!


Go back