Published on January 19th, 2017 | by Tony Thompson
Help Wanted: Packet Inspection Capabilities
Help wanted: A security tool that understands packets, gives full network visibility and hunts for breaches. Must be easy to use and work well with others. Willing to work nights, weekends and holidays.
Sure, I’m being a bit cheeky here, but when you consider that 99% of bad things are seen on the network, network visibility is now of paramount importance for enterprise security. For some, this leads to a conversation about packet recorder technology.
While packet recorders are useful, one might argue they are very one dimensional.
Does What It Says On The Tin
At the core, a packet recorder does just that – it records packets. It indexes them for quick retrieval, and it may even create some metadata. In the security world, an analyst can use this technology to identify events of interest with information extracted from layer 2, 3, or 4 of the OSI stack.
Looking through the lens of a security analyst, one might infer that this level of information would be key to understanding breach activity. After all, wouldn’t having access to the full packet be the gold standard for understanding network activity?
Well, not so fast. A packet recorder can help an analyst determine the root cause of a breach, but it won’t necessarily “discover” the breach. From this perspective, it is a very different tool than something like SS8’s BreachDetect.
Searching the Haystack for a Single Needle
With a packet recorder, an analyst would need to sift through the immense amounts of information to determine the type of activity that is occurring, and then investigate in depth what kind of threat there may be, how it occurred, and how deep the threat penetrated the network. Can you imagine reviewing gigabytes of data looking for the needle in the haystack?
Then there is the deployment overhead and capital cost involved with packet recorders. Deploying packet recording equipment can be quite costly, because you need enough disk space to store entire packets at high data rates, multiplied by the retention period. And when you consider that the average breach goes undetected for more than 200 days, that’s a lot of storage, footprint, and dollars.
When you are looking at a product designed for breach detection, you can look for anomalies in the network traffic all the way through layer 7. For breach detection, you don’t need the full packet. Full packet history only increases the volume of data that has to be analyzed and the time that analysis takes.
Full Layer Visibility
What’s important from a breach detection perspective is the ability to correlate the information among the flows, and to look for anomalous behaviors that a packet recorder cannot detect.
Did I mention the factor of cost?
Sure, an analyst can create a signature to detect future anomalous behavior, which is very useful, but what about zero-day threats? Zero-day threats don’t have a signature, so it becomes essential to retain the network history in the form of rich, compact records for continuous retrospection.
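To make the "rich compact records" idea concrete, here is an added example (not code from the post or from SS8) that reduces a handful of constructed packet observations to per-flow records carrying one layer-7 field, compares the storage footprint against the full payloads, and then runs the retrospection the text describes: a destination name learned only later is searched against the retained history to find which internal hosts contacted it. The packet tuples, the `l7_hint` field standing in for an extracted HTTP Host or TLS SNI value, and the 64-byte per-record overhead are all assumptions made for the illustration.

```python
"""Flow-record retention and retrospective indicator search.

Added example, not from the original post or SS8's product. All sample
data below is constructed; the per-record size is an assumed figure.
"""
from dataclasses import dataclass, field

# Constructed observations: (timestamp, src, dst, dport, payload_bytes, l7_hint).
# l7_hint stands in for a field a protocol parser would pull out of the
# packet (HTTP Host, TLS SNI); empty when the packet carries none.
SAMPLE_PACKETS = [
    (100.0, "10.0.0.5", "203.0.113.10", 443, 1400, "cdn.example.net"),
    (100.2, "10.0.0.5", "203.0.113.10", 443, 1400, ""),
    (100.4, "10.0.0.5", "203.0.113.10", 443, 900, ""),
    (105.0, "10.0.0.7", "198.51.100.20", 443, 600, "update.example.org"),
    (105.1, "10.0.0.7", "198.51.100.20", 443, 1400, ""),
    (200.0, "10.0.0.9", "198.51.100.20", 443, 300, "update.example.org"),
    (300.0, "10.0.0.5", "192.0.2.77", 80, 500, "files.example.org"),
]

RECORD_OVERHEAD_BYTES = 64  # assumed fixed cost of one flow record


@dataclass
class FlowRecord:
    """Compact summary of one (src, dst, dport) conversation."""
    src: str
    dst: str
    dport: int
    first_seen: float
    last_seen: float
    packets: int = 0
    byte_count: int = 0
    l7: set = field(default_factory=set)  # layer-7 names seen on the flow


def build_flow_records(packets):
    """Collapse packet observations into flow records, keeping L7 metadata
    but discarding payloads."""
    flows = {}
    for ts, src, dst, dport, size, l7 in packets:
        key = (src, dst, dport)
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(src, dst, dport, ts, ts)
        rec.packets += 1
        rec.byte_count += size
        rec.first_seen = min(rec.first_seen, ts)
        rec.last_seen = max(rec.last_seen, ts)
        if l7:
            rec.l7.add(l7)
    return list(flows.values())


def retrospective_search(records, indicator):
    """Return the retained flows that match an indicator (a layer-7 name or
    a destination address) learned after the traffic was seen."""
    return [r for r in records if indicator in r.l7 or r.dst == indicator]


def hosts_that_contacted(records, indicator):
    """Correlate across flows: which internal sources touched the indicator."""
    return sorted({r.src for r in retrospective_search(records, indicator)})


def storage_estimate(packets, records):
    """(bytes to keep every payload, bytes to keep only the flow records)."""
    full = sum(p[4] for p in packets)
    compact = sum(RECORD_OVERHEAD_BYTES + sum(len(n) for n in r.l7)
                  for r in records)
    return full, compact


if __name__ == "__main__":
    recs = build_flow_records(SAMPLE_PACKETS)
    print("flows retained:", len(recs))
    print("storage full vs compact:", storage_estimate(SAMPLE_PACKETS, recs))
    # An indicator that only became known after the traffic was captured.
    print("hosts that reached update.example.org:",
          hosts_that_contacted(recs, "update.example.org"))
```

The point of the `l7` set is that a flow record alone (addresses, ports, counters) could not answer the retrospective question; the layer-7 name is what lets a later-learned indicator be matched against history without replaying stored payloads.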
Packet recorders can be helpful tools for detailed network forensics and investigations, but the limitations around the amount of network history that can be retained, the costs associated with storing entire packets, and the lack of an automated workflow for identifying advanced threats make these tools a non-starter for the purpose of breach detection.