To offer more affordable and compact solutions, some solution providers are pitching triggered or “smart” packet capture solutions as an alternative to always-on capture.
Always-on packet capture is the practice of recording all packets that traverse a given network link. This approach guarantees that security and IT teams have a full record of the data that passed through a link. With a sufficient data retention policy, an always-on packet capture practice ensures that security teams can fully investigate an incident no matter how long it takes them to detect the issue. Also, it ensures that network operations teams can recreate network sessions when they receive complaints from end users or application teams. The data is always there, available for analysis.
Depending on the volume of traffic on a given link and the number of links an organization is trying to monitor, packet capture can consume considerable data storage capacity, requiring enterprises to invest in physical or cloud-based appliances dedicated to packet storage. This can eat into IT and security budgets and take up precious rack space in data centers and server rooms. To mitigate this issue, some vendors introduced triggered packet capture (AKA smart packet capture).
Triggered capture allows organizations to selectively capture packets under certain conditions. For instance, a security solution will trigger a packet capture when it detects a known threat or anomalous traffic. Other tools might trigger packets only when specific protocols are detected on the network, such as FTP. These practices will certainly reduce the total amount of data storage an organization consumes with packet capture. However, it's not a robust and reliable enough approach for all organizations.
First, triggered packet capture that relies on threat detection can only respond to known threats. Unknown threats leveraging zero day vulnerabilities, or advanced persistent threats by skilled attackers will go undetected for a period of time, allowing threat actors to establish a foothold inside a network. Performance issues also go undetected until a user opens a support ticket. By the time engineers respond to the ticket and start capturing packets, it is often too late for them to get the relevant data. In both cases, a triggered packet capture will not store a full record of security and performance issues.
Triggered packet capture will not meet the standards for highly regulated industries, in which a full record of all packets is required by regulators and auditors. For example, in the United States, all federal government departments and agencies are mandated to capture and retain 72 hours of all packet data that traverses their networks, both on-premises and in the cloud. Triggered packet capture is simply unacceptable because the Federal Bureau of Investigation and the Cybersecurity Infrastructure Security Agency will demand a full 72 hours’ worth of traffic data while conducting an investigation. Enterprises are increasingly facing similar demands. With the ongoing rise in cybersecurity incidents, the U.S. Securities and Exchange Commission is establishing strict breach reporting requirements for publicly traded companies that will ultimately force more comprehensive packet capture requirements.
Comprehensive, always-on packet capture solutions can also boost IT and security team productivity by reducing investigation and response times. The integration of full packet capture data into security and performance monitoring tools and workflows can reduce the time it takes to investigate and resolve both security alerts and performance problems by ensuring analysts have a complete record of any incident on the network. Moreover, the ability to drill down to packet level across both on-premises and cloud infrastructure increases visibility and provides a unified view of everything that’s happening across the wider, hybrid cloud network – removing blind spots.
While some organizations with relaxed cybersecurity policies, regulatory requirements, and end-user experience standards will find triggered packet capture solutions compelling and useful, many organizations will find them impractical. Any security or IT operations professional who is exploring the concept should carefully review whether such a solution is appropriate and even meets minimum viable security standards. This review will require consultation with multiple stakeholders given that network, application, cybersecurity, and compliance teams may all have packet data storage requirements.
Organizations that need always-on solution for packet capture should evaluate Endace, which offers hybrid cloud packet capture solutions. Endace provides unified, always-on packet capture for on-premise, public cloud and private cloud deployments. For more information see: https://www.endace.com/endaceprobe.