Our Solution Architect here at KedronUK, Chris Booth, shares his thoughts on the question: packet capture, how important is it for cyber security?
Historically, packet capture has been a tool for troubleshooting complex problems where other information sources do not provide enough detail. Some enterprises have deployed permanent packet capture solutions within data centres, but the investment required in storage to provide even short-term data retention deterred many interested users. With 10 Gbps (or faster) backbones commonly in use, a busy network will generate petabytes of data on a weekly basis. Analysing this vast amount of data to provide meaningful insights is also challenging.
However, over the past two to three years a wave of new vendors has seen many businesses investigate traffic-based tools, with Gartner naming this sector Network Traffic Analytics (NTA). NTA tools make use of machine learning to automate the analysis of the captured data (be that flow records like NetFlow or raw wire-data) and from this detect and alert on anomalous traffic and events. These data feeds should include both North-South (to/from the Internet) and East-West (internal) traffic.
Whilst attackers will try to hide their presence once a device has been compromised, they have to traverse a network to scan for targets, access resources, attack and/or exfiltrate data. Therefore the network can be seen as the “source of truth”, as it provides empirical evidence.
The Enterprise Management Association (EMA) has recently released a report entitled “Unlocking High Fidelity Security (2019)”. The majority of respondents to the report were IT managers or directors for SME-sized companies (1000 to 4999 employees).
Key findings in the report include:
- Although it depends on the type of attack, 60% believed network data is the better source of data for the earliest detection of a breach (compared with endpoint data).
- The report identifies metadata as a new class of data. Metadata is not the full packet, but the most useful parts, along with additional supporting information which can be deduced from the contents of the packet. For instance, an IP address extracted from a packet can then be geo-located. 65% of respondents identified that metadata is “very valuable” in assisting with investigations, with a further 14% marking it as “extremely valuable”. Metadata can also offer benefits from a retention perspective – by not storing the entire packet, the “lookback” window can be much bigger.
- Enterprises that were using packet data had the highest confidence they were detecting threats at the reconnaissance stage of the “Kill Chain”.
- The report concludes “While network packets do not contain all of the information needed to complete an investigation, the fact that 99% of daily activities across a network makes it easy to understand why companies feel they have a heightened sense of awareness. They can detect issues faster than businesses relying on perimeter, systems, application, and authentication logs”.
Packet data solutions can also provide useful insight for network teams, as they can determine a range of metrics such as round-trip times and potential TCP issues like zero windows.
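As an added illustration (not KedronUK's or any vendor's code) of the metadata extraction described in the report findings above and the round-trip time and zero-window metrics mentioned here, the following Python reduces packet header records to per-flow metadata. The packet records, their tuple layout and the assumed 64-byte metadata record size are constructed for the example rather than taken from a real capture.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet records standing in for decoded packet headers (not a real capture):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, tcp_flags, window, frame_length)
SAMPLE_PACKETS = [
    (0.000, "10.0.0.5", 51000, "203.0.113.7", 443, "S", 64240, 60),
    (0.042, "203.0.113.7", 443, "10.0.0.5", 51000, "SA", 65535, 60),
    (0.043, "10.0.0.5", 51000, "203.0.113.7", 443, "A", 64240, 52),
    (0.100, "203.0.113.7", 443, "10.0.0.5", 51000, "PA", 65535, 1500),
    (0.101, "10.0.0.5", 51000, "203.0.113.7", 443, "A", 0, 52),  # receiver advertises a zero window
    (0.350, "10.0.0.5", 51000, "203.0.113.7", 443, "A", 0, 52),
    (0.600, "10.0.0.5", 51000, "203.0.113.7", 443, "A", 32000, 52),
    (1.000, "10.0.0.9", 52000, "198.51.100.3", 22, "S", 29200, 60),
    (1.310, "198.51.100.3", 22, "10.0.0.9", 52000, "SA", 28960, 60),
]

@dataclass
class FlowMeta:
    packets: int = 0
    bytes: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0
    syn_rtt_ms: Optional[float] = None  # handshake RTT, if both SYN and SYN-ACK were seen
    zero_windows: int = 0               # segments advertising a zero receive window

def flow_key(src, sport, dst, dport):
    # Order the endpoints so both directions of a conversation share one record.
    return (src, sport, dst, dport) if (src, sport) < (dst, dport) else (dst, dport, src, sport)

def summarise_flows(packets):
    """Reduce packet headers to per-flow metadata; the payload is never retained."""
    flows, syn_sent = {}, {}  # syn_sent: (src, sport, dst, dport) -> SYN timestamp
    for ts, src, sport, dst, dport, flags, window, length in packets:
        meta = flows.setdefault(flow_key(src, sport, dst, dport), FlowMeta(first_seen=ts))
        meta.packets += 1
        meta.bytes += length
        meta.last_seen = ts
        if flags == "S":
            syn_sent[(src, sport, dst, dport)] = ts
        elif flags == "SA" and (dst, dport, src, sport) in syn_sent:
            # The SYN-ACK answers the SYN sent the other way: the delta is the round-trip time.
            meta.syn_rtt_ms = round((ts - syn_sent.pop((dst, dport, src, sport))) * 1000, 1)
        if window == 0 and "R" not in flags:
            meta.zero_windows += 1
    return flows

def retention_footprint(packets, record_size=64):
    """Bytes kept if full packets are stored vs. one fixed-size metadata record per flow (assumed 64 B)."""
    return sum(p[-1] for p in packets), len(summarise_flows(packets)) * record_size
```

The difference returned by `retention_footprint` is the storage saving that lets a metadata-only store keep a much longer lookback window than full packet retention.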
How can KedronUK help?
KedronUK can assist organisations looking to deploy NTA technology for security and/or performance requirements. Our vendor partnerships include both flow data and packet data based NTA solutions, allowing us to pragmatically discuss and demonstrate the benefits and value of these tools.
Call us today on 01782 752 369
KedronUK, Kern House, Stone Business Park, Stone, Staffordshire ST15 0TL