Why Packet Capture Matters
You've probably heard the phrase "The Truth is in the Packets"?
Packet Capture enables SecOps, NetOps and IT teams to determine, with surety, exactly what is happening - or what has happened - on their network. It provides the evidence teams need to investigate and and understand cyber threats and performance issues without guesswork. So they can respond quickly and effectively.
Packet Capture is a Critical Source of Evidence
For large organizations, the cost of impaired network performance or unplanned downtime, can be thousands of dollars per hour. The cost of security breaches can be even more astronomical, causing lost customers, severe brand and reputational damage, costly legal action and potentially wiping millions off a company’s valuation.
Which makes rapid, accurate incident response and root cause analysis a critical business imperative. Fast and effective response to cybersecurity threats and network performance issues requires visibility into what's happening on the network, so you can quickly identify the root cause of issues when they are detected. With surety.
And that’s why full packet capture is a critical resource for IT, security operations and network operations teams. It provides the certainty about what happens on the network, and helps these teams ensure their networks run safely and efficiently - 24x7x365.
Here are some of the most common problems that IT, security operations and network operations teams struggle with, that access to full packet capture enables them to solve:
Insufficient Visibility into Network Activity
Monitoring tools often see an incomplete view of network activity. Frequently they rely on summarized information such as NetFlow or system event logs. This simply doesn't provide sufficient detail to reliably identify when an issue has occurred or gain insight into the root cause.
On heavily loaded and high-speed networks the problem gets even worse. Many security and network monitoring solutions just can't keep up. Which means they can miss seeing what's happening altogether.
Security, IT, and network operations teams need to be able to see exactly what’s happening on the network so they can quickly investigate the anomalies that their monitoring tools detect. Packet capture is the gold standard for seeing exactly what happened – the evidence is there in the network packets. Without access to packet capture, incident investigation is slow, cumbersome, and often inconclusive.
Lack of Historical Data for Accurate Forensics
Most monitoring tools that analyze network traffic are focused on detecting real-time events. Once they have finished analyzing the traffic they are no longer interested in it - though some tools such as firewalls may keep a handful of packets to record what triggered an alert. Unfortunately, as we all know, not all issues are detected immediately. Security breaches, for example, may not be discovered until days or weeks later.
Not having data needed to analyze and reconstruct historical network activity makes it next to impossible to quickly investigate an issue after the event to determine what happened. In the event of a data breach, for example, you need to be able to quickly go back in time to reconstruct exactly what happened, how it happened, what systems were compromised, or what data may have been stolen or modified .
Packet capture provides a complete, packet-level history of all network activity. You can reconstruct events, and drill down to the actual network packets to pinpoint precisely what took place. Without packets, there's only theories and guesswork that can't be proven for sure one way or the other.
With the ability to quickly search a packet-level history of activity across the network, IT, security operations, and network operations, teams have complete visibility into historical events – enabling them to investigate and respond to cyber threats or performance issues quickly.
Relying Solely on NetFlow and Log Data
While NetFlow and log data are useful for troubleshooting network issues or investigating security threats, by themselves they often don’t provide sufficient information to be able to accurately reconstruct events so that you can conclusively determine what happened, how, and who or what was impacted.
NetFlow is summary data about the conversations happening across the network. It will tell you which hosts are talking to each other, when, how much data was exchanged, and potentially what applications were being used. But it won’t tell you what the actual data exchanged in those conversations was.
Without the ability to determine the content of conversations, it’s often extremely difficult to determine clearly whether a conversation is malicious or benign. And even more difficult – or even impossible – to ascertain what data was stolen or corrupted in an attack or whether an attacker was able to move laterally from an initial incursion to compromising other hosts on the network. Full packet capture provides the actual data to be able to answer these critical questions.
For more information on NetFlow and Packet capture and the pros and cons of each see "NetFlow versus Full Packet Capture".
Log data is also a useful resource – provided that logging is configured correctly to record the event and the log file information can be trusted.
But can you really trust log files? Increasingly attackers use wipers or other ways to erase log files or doctor the contents of logs to remove evidence of their activity. Full packet capture, on the other hand, is typically invisible to attackers so provides a reliable, tamper-resistant source of evidence about what happens on the network.
Because packet data contains accurate timestamp information, it’s also invaluable as a way to correlate telemetry from other data sources – such as monitoring tool alerts or log files – so you can accurately reconstruct the timeline of events.
Conclusion
Packet data is an incredibly useful evidence source for ensuring the security and reliability of your network. Without access to packets, visibility into network activity can be compromised. Conversely, with access to historical packet data, SecOps and NetOps teams can investigate and resolve issues faster and with greater confidence.
Want to know more? Read our introduction to network packet capture.
Who is Endace?
Endace specializes in scalable, high-speed, high-performance packet capture. Our solutions are used by some of world’s biggest organizations on some of the fastest networks on the planet.
If you are looking for a packet capture solution, we’d love to show you why Endace is the best choice. Contact us to book a demo or ask a question.