What's driving the trend towards always-on packet capture for cyberdefense?


By Cary Wright, Vice President of Product Management at Endace Limited

Always-on packet capture has traditionally been restricted to the largest enterprises: organizations that simply couldn't afford to be without full packet data because of the critical nature of what they protect – banks, military, government etc. But increasingly security teams across all industries are recognizing the importance of having access to the full payload information that packet data provides.

Access to the actual data traversing the network enables security teams to accurately reconstruct attacks or breaches, see the contents of malware files, exfiltrated data, command-and-control traffic and more. It gives certainty about what happened on the network that other data sources – such as metadata and log files – simply doesn't provide.

If packet data is so useful, why aren't more organizations already recording it?

There are two main reasons. The first is cost. Until relatively recently, recording large volumes of network traffic was cost-prohibitive. That's changed now with reduced storage costs, efficient compression and "smart truncation" making it cost-effective to store weeks or months of full packet data.

The second reason is that analyzing packet data was a specialized skill. The value of recording large volumes of network traffic depends on your ability to search petabytes of packet data and zero- in on packets of interest quickly. That required the skills of senior team members, who are the most in-demand and have limited time to dedicate to this task. Rapid search and the integration of packet data into security tools is changing that – putting vital evidence right at analysts' fingertips as they need it.

What's driving adoption now?

In short, the volume and sophistication of cyberattacks makes it critical for security teams to have the tools and evidence to defend against network attacks. Attackers, including nation-state actors, are using zero-day vulnerabilities and sophisticated supply-chain attacks against enterprise targets. Enterprises are seen as the "soft underbelly" because they lack the budgets and experience of security teams from organizations like banks and military which have long been preferred targets.

There is growing recognition that perfect protection is illusory: ultimately, attackers will breach even the best defenses. When that happens, security teams must detect, investigate, and respond to those attacks quickly to minimize the impact. As a result, attention is focusing on giving defenders the ability to mitigate attacks. AI tools, security automation and orchestration (SOAR) and sophisticated telemetry correlation all focus on increasing the speed and effectiveness of response to attacks.

As the recognition of the value of packet data has grown, so has the maturity of capture and recording solutions. The ability to cost-effectively record weeks or months of traffic, search that data quickly, and integrate packet search, data-mining and retrieval into SIEMs and SOAR platforms has increased its value to security teams. Analysts no longer need to master arcane packet-wrangling wizardry to zero-in on packets of interest as they investigate and respond to threats: packet capture has come of age.

Cary Wright is Vice President of Product Management at Endace Limited.


Sustaining Partners