The Time for Full Packet Capture and Analysis Is Now

essidsolutions

In this article, Jeremy Leasher, senior security architect, Axellio, discusses how next-generation packet capture (PCAP) and distribution platforms are making packet capture a viable solution. Advanced PCAP provides the information needed to efficiently address Zero-Day attacks and advanced persistent threats (APT) while extending the useful life of existing security monitoring infrastructure.

The massive cyberattacks governments and businesses have recently experienced have shown our online ecosystems’ fragility. This exploitation of network vulnerabilities drives enterprise IT organizations to search for new solutions to shore up their network security. Once dismissed due to complexity and hardware constraints, Packet Capture (PCAP) analysis is becoming a central cybersecurity tool for enterprise IT networks.

Packet Capture – the Old Way

PCAP analysis, an approach to capturing and analyzing network traffic, has always been the most insightful analysis tool for incident response and forensic analysis. PCAP provides unprecedented insight into protocol communication between multiple endpoints, including timing and sequencing of events and protocols used, where the attack came from, which internal assets were involved, and how the attack spread laterally through the network. However, traditional PCAP, especially in high-speed networks, is complex, costly, and challenging to use. Thus, it is used infrequently, often as a last resort. 

Instead, IT operations more frequently rely on metadata such as logs, events, alarms, and traffic flow analysis. This data is often insufficient for incident response, especially for Zero-Day attacks and internal threats already resident in the network: it does not reveal how far the threat has spread or where the attacker entered. And because an attacker who has compromised a host can alter or delete its logs, this information can be modified to hide their tracks.

Packet capture appliances are dedicated, generally proprietary, hardware solutions. They capture packets at key network aggregation points via test access points (TAPs) or SPAN ports on switches and routers, storing the resulting packets in storage appliances. Most packet capture solutions rely on hard disk drives (HDDs), traditional storage devices containing spinning magnetic disks. This approach, combined with limitations of the storage bus and controller technology used for HDDs, creates a significant performance bottleneck: lower throughput and the inability to read and write simultaneously.

To offset this limitation, packet brokers are regularly employed to distribute traffic across multiple storage servers, often requiring a rack full of hardware when monitoring 100 Gbps links or multiple 10 or 40 Gbps links.

The inability to read and write simultaneously means that access to the data needs to be carefully managed and limited in scope. Any read action immediately impacts write performance and can reduce intake rates by 25% or more. To streamline the write process, extensive traffic indexing is done before storage so that users can narrow the traffic needed for analysis through extensive filter criteria, which in turn limits the amount of traffic that can be analyzed.


Next-Generation PCAP – Beyond Packet Analysis

Next-generation PCAP and distribution appliances based on the latest compute and storage technologies provide additional value for the security monitoring infrastructure. They make packets readily available for any event, providing the insight security teams need for quick decisions and mitigation. 

Advanced PCAP and analysis solutions take a different approach by creating a network visibility hub. They first store the data to disk at high speed and then distribute the traffic selectively, and rate controlled, across the many monitoring and analysis applications. Because data access is fast, indexing can be kept to a minimum: any packet field can be searched post-capture, providing the flexibility needed for detailed analysis. This leads to a more streamlined architecture and addresses the primary drawbacks of a conventional solution while creating a broader use model, increasing the value to the IT organization.

Next-generation PCAP solutions are evolving into network visibility hubs, just like packet brokers, traffic aggregators, TAPs, and network visibility fabrics (NVF) have done over the last decade. However, today’s NVF still forwards traffic in real-time into monitoring applications, easily overloading them from traffic spikes or the double-digit annual traffic growth experienced by many enterprise networks. 

Advanced packet capture solutions store the packets first and then analyze their content directly from disk at the capture rates described above. This is made possible by the latest high-speed storage technology: NVMe Solid State Drives (SSD), which hold data in non-volatile flash memory instead of traditional mechanical HDDs. Combined with switched PCIe fabrics and a streamlined file system, this increases the throughput to disk, creating up to 20 times faster read/write access than HDD-based approaches while allowing read and write access from multiple servers simultaneously.

This approach allows a high-speed continuous stream of the incoming traffic to disk while the traffic is read and distributed from disk at rates that applications can easily consume. If applications cannot keep up with the incoming traffic, that traffic is not lost but buffered on disk for slightly delayed analysis. This can save significant monitoring solution investment: monitoring applications, today designed for peak traffic utilization, can now be architected for average traffic utilization or even virtualized, without requiring expensive proprietary hardware.
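The buffering argument of the two paragraphs above, worked through as a small discrete-time model. This is an added example, not the vendor's code; the ingress profile, the 5 Gbps tool capacity and the one-second time step are constructed assumptions. It compares real-time forwarding (excess traffic is lost) with store-first, rate-controlled distribution (excess traffic waits on disk), and shows why the first must be sized for the peak rate while the second only needs the average.

```python
import math
from dataclasses import dataclass

# Constructed ingress profile: one reading per second in Gbps, with a short burst
# above what the downstream analysis tool can sustain (not measured data).
INGRESS_GBPS = [4, 4, 4, 10, 10, 4, 4, 4, 4, 4, 4, 4]
TOOL_GBPS = 5  # assumed sustained rate of one analysis application


@dataclass
class Outcome:
    delivered_gb: float      # gigabits that reached the analysis tool
    dropped_gb: float        # gigabits lost before analysis
    peak_backlog_gb: float   # most data waiting on disk at any second
    max_delay_s: float       # worst-case lag before a stored packet is analysed
    catch_up_s: int          # seconds needed after the burst to drain the backlog


def forward_realtime(ingress, capacity):
    """NVF / packet-broker model: traffic is pushed as it arrives, excess is lost."""
    delivered = dropped = 0.0
    for rate in ingress:
        delivered += min(rate, capacity)
        dropped += max(0.0, rate - capacity)
    return Outcome(delivered, dropped, 0.0, 0.0, 0)


def store_then_distribute(ingress, capacity):
    """Store-first model: every packet lands on disk; the tool reads at its own rate."""
    backlog = delivered = peak = 0.0
    for rate in ingress:
        backlog += rate                    # capture to disk never drops
        served = min(backlog, capacity)    # rate-controlled distribution
        delivered += served
        backlog -= served
        peak = max(peak, backlog)
    catch_up = 0
    while backlog > 0:                     # drain what the burst left behind
        served = min(backlog, capacity)
        delivered += served
        backlog -= served
        catch_up += 1
    return Outcome(delivered, 0.0, peak, peak / capacity, catch_up)


def required_capacity(ingress):
    """Tool sizing: real-time needs the peak rate, store-first only the average."""
    return max(ingress), math.ceil(sum(ingress) / len(ingress))
```

With the constructed profile the real-time path loses 10 of 60 gigabits during the burst, while the store-first path delivers all 60 with at most two seconds of lag and needs one extra second to catch up.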

It also makes packets readily available for any detected event. Even though storage capacity may be limited, effective data management and creative storage approaches allow packet data to be retained for days or weeks. Having packet data readily available for any event gives the security analyst a comprehensive view of the pre- and post-event packet data, providing unparalleled insight into the event's urgency, the approach taken to enter the environment, and how far it spread. It furthermore permits validating any mitigation put into place against the actual traffic, and allows forensic analysis to see whether this attack pattern had already been employed previously and went undetected.

The combination of packet analysis for incident response and forensic investigation with traffic load management for the entire traffic monitoring infrastructure creates a compelling cybersecurity solution to combat malicious attacks. This approach also provides the robust business case PCAP solutions need for comprehensive enterprise IT deployment that had eluded it in the past. 
