Cyberattacks are getting more devious and incessant, putting security teams back on their heels in a reactive mode. Finally, enterprise security analysts have help – packet capture and analysis (PCAP). Most companies use this technology reactively today and only by select security engineers. Now, because of technological advances, PCAP has become a critical foundational cybersecurity tool to get deeper insights into network intrusions and malware infections.
Think of PCAP as an application programming interface (API) that allows access to packet data captured from a live network. PCAP provides all packet information – from the Ethernet header to the application payload – delivering visibility of the end-point, application, and network interaction, pre- and post-event, and for back-in-time analysis if stored.
PCAP delivers the necessary visibility for security teams to understand threats, including what was breached, how the network was accessed, what was done while the malicious actor had access to the network, how long they were inside the network, and what they left behind.
PCAP was complex and costly
Packet capture appliances are dedicated proprietary hardware solutions that have long been viewed as too complicated and expensive for widespread use and deployment, thus rarely employed in an enterprise environment. Packets are captured at key network aggregation points and stored on proprietary hardware platforms. Those are often performance-limited by their traditional architecture of hard disk drives (HDDs), serial bus, and storage controller leading to:
- Scalability issues: Today’s network traffic speeds at 40 and 100 Gbps and double-digit annual traffic growth challenges those architectures, leading to racks of equipment to distribute and analyze the traffic load for capture.
- Slow data access: This negatively impacts capture performance. Today’s packet capture products are unable to read and write concurrently. If the user tries to access a large amount of data on disk, packets on the capture site may be dropped due to resource constraints, creating gaps in the network data captured, impacting intrusion detection and analysis.
- Limited resource: Because of these limitations, packet capture solutions are often a scares resource in most organization, leading to limited and reactive deployments, often initiated after an intrusion is detected. This adds further complexity as deployments and configurations are complex, events need to happen again to be captured.
Why PCAP has become attractive to enterprises
As proven by the recent flurry of cyberattacks, notably the SolarWinds incident, some resourceful malicious actors can skirt current security measures. Today, many companies center their security policy around the castle mentality – secure the access and egress of the network and the end-devices to keep threats out. While it’s essential to have this protection, today’s networks require much more. As adversaries become more resourceful, security threats are also increasingly internal to the organization, either through intentional or unintentional actions of employees and business partners or dormant malware that already infiltrated the network.
Today’s approach of perimeter defense and monitoring network devices generates massive amounts of metadata, comprised of events, alarms, or statistics created by intrusion detection and prevention systems, endpoint detection systems, switch and router flow analysis, or traffic monitors. While security teams like the metadata because not much processing and storage are needed, it’s difficult for security pros to analyze logs and correlate different sources, making it hard to uncover advanced persistent threats (APTs) and zero-day attacks. It offers just a snapshot of events and network traffic summaries, making it insufficient to ascertain the spread of the threat, how the attacker accessed the network, what was exfiltrated, all essential to mitigate future threats.
The rise of NVMe solid state drives
The evolution of high-speed storage technologies based on NVMe Solid State Drives (SSD) that stores data in flash and non-volatile memory rather than conventional mechanical HDD drives has been transformative. Combining SSD high-speed storage with switched PCIe fabrics and a streamlined file systems, the throughput for read and write runs up to 20 times faster than conventional HDD-based approaches.
This advancement also facilitates read and write access simultaneously, enabling full PCAP access from multiple servers for data storage and access -- eliminating any potential for gaps in the network traffic collected. This allows for more economical and broader deployment of PCAP products, providing the details on all transactions on a network, including pre- and post-event for any alarm or event reported as well as including back-in-time analysis. Since all traffic is stored, mitigations can be validated by replaying the traffic.
As attackers continue to mount zero-day attacks, security professionals need in-depth insight into intrusions to protect their sensitive data and intellectual property. Next-generation PCAP gives them the visibility required for intrusion detection and response as well as threat hunting for quick mitigation.
Jereemy Leasher, senior security architect, Axellio