This is the first of two articles on packet capture and its vital role in network cyber security. We’ll cover important aspects of the role of effective packet capture in cyber security including liability, risk management, insurance coverage, and regulatory compliance.
The theory and practice of cyber security together cover a broad spectrum of activities, from the top-down view of the collection, transmission, storage and distribution of data to the in-the-trenches application of protective devices and practices.
Some solutions claim to be full-spectrum end-to-end solutions; others occupy unique niches. Full packet capture offers a unique value proposition, solving the growing problem of rapid and accurate forensic determination of breaches and other system failures.
Full packet capture is essential for a wide range of analytics and forensic needs – from security threat detection and investigation to network and application performance monitoring. While many analytics tools claim to provide some basic packet capture capability, most do not provide 100% full packet capture with the depth of history required to accurately investigate breaches and incidents.
Key to Forensics and Regulatory Compliance
It has been well known for many years that much of the financial and brand damage of breaches occurs between the time of the actual exploit and its discovery and remediation. Preparing for and responding to the growing problem of breaches and other system failures now requires near-real-time analysis and forensic determination of causes and future preventive measures.
Effective packet capture and storage solutions provide the necessary foundation to assure compliance with statutory responsibilities, regulatory requirements, and liability risk management needs. Without this solid foundation, there can never be a practical and cost-effective means of meeting these needs.
The “best practices” standard in nearly every industry and organization with these responsibilities is rapidly integrating packet capture as a vital building block. Whether the requirement be for legal compliance, continuing assurance of cyber security measures for liability insurance coverage, or the internal necessities of the organization itself, responsible organizations are actively integrating high-capacity packet capture and storage solutions as the new norm.
To demonstrate that you took best-practice steps against a breach, you should not only frequently document your vulnerabilities and patching process, but also capture and store all packets of traffic at line speed. That way, in the event of a breach, you can go back and figure out, forensically, what happened. This best-practice ‘network recording’ model can be used in your favor to show due care and due diligence before, during and after a breach for just about any regulatory compliance standard – from SOX to HIPAA to GLBA to GDPR. In addition, it may help make your case when you are trying to make a cyber-insurance claim.
Gaps in Current Solutions
Currently, many organizations with the responsibility of maintaining the integrity and confidentiality of sensitive information are incurring high costs for ineffective protections. They are paying over and over for defensive capabilities but lack the proper tools and evidence to quickly and accurately investigate breaches and incidents. As a result, they pay in wasted human resources, employing expensive security analysts to piece together disparate clues in an attempt to determine the extent and seriousness of breaches and security events flagged by their security tools. Then they pay again through damaged reputations and impacted market valuations for belated and inaccurate reporting of these events to customers and investors. The serious gap usually results not from an inability to detect suspicious events – rather, it typically results from an inability to rapidly and accurately investigate those security events in the most efficient way possible.
Most InfoSec vendors attempt to build their own hardware appliance dedicated to hosting a single, real-time analytics application. These appliances analyze network packets for suspicious activity or indicators of compromise but they usually don’t record the network packets once they’ve been analyzed or, if they do, only record a very small sample of packets surrounding an event. This means when security or performance monitoring tools spot a problem and raise an alert, the crucial evidence is gone.
Leading enterprises have learned that streamlining and accelerating security investigation and response is the key to efficient and effective security teams, and the primary ingredient to accomplishing this is having ready access to 100% accurate network history to enable rapid and conclusive investigations. A state-of-the-art platform, such as the EndaceProbe™ Analytics Platform, can scale to provide weeks or months of accurate network history. By providing tight integration between the security tools and the packet history these EndaceProbes record, security analysts can get from an alert to the underlying evidence in the packet history in a single click – accelerating the investigation process and dramatically increasing the productivity of overworked security teams.
This approach of relying on definitive packet level evidence is much more efficient than sifting through disparate clues in log files and other data sources in the hope that the extent and seriousness of a breach can be accurately understood and reported to customers and markets. Weeks or months of investigation can be reduced to just hours or minutes.
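The contrast the last three paragraphs draw (an appliance that keeps only a short burst of packets around an event versus a continuous recorder that lets an analyst pivot from an alert into weeks of history) can be modelled in a few dozen lines. The code below is an added illustration, not Endace or Darktrace code; the packet trace, host addresses, and retention and window values are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple

@dataclass(frozen=True)
class Pkt:
    ts: float   # capture timestamp in seconds (constructed, not a real pcap)
    src: str
    dst: str
    size: int

class ContinuousRecorder:
    """Keeps every packet for `retention` seconds; oldest history expires first."""
    def __init__(self, retention: float) -> None:
        self.retention = retention
        self.buf: Deque[Pkt] = deque()

    def record(self, p: Pkt) -> None:
        self.buf.append(p)
        while self.buf and p.ts - self.buf[0].ts > self.retention:
            self.buf.popleft()

    def pivot(self, alert_ts: float, host: str, before: float, after: float) -> List[Pkt]:
        """Alert-to-evidence lookup: packets touching `host` in a window around the alert."""
        lo, hi = alert_ts - before, alert_ts + after
        return [p for p in self.buf if host in (p.src, p.dst) and lo <= p.ts <= hi]

class EventSampler:
    """Keeps packets only for `window` seconds after an alert has fired (nothing before it)."""
    def __init__(self, window: float) -> None:
        self.window = window
        self.alert_ts: Optional[float] = None
        self.kept: List[Pkt] = []

    def record(self, p: Pkt, alert: bool = False) -> None:
        if alert:
            self.alert_ts = p.ts
        if self.alert_ts is not None and p.ts - self.alert_ts <= self.window:
            self.kept.append(p)

def demo() -> Tuple[int, float, int, float]:
    """Constructed trace: 10.0.0.5 beacons to 203.0.113.9 every 30 s for an hour, with
    unrelated traffic interleaved; the detection tool alerts only on the 120th beacon."""
    rec, samp, alert_index = ContinuousRecorder(retention=7200.0), EventSampler(window=60.0), 119
    for i in range(123):
        noise = Pkt(30.0 * i, "10.0.0.7", "198.51.100.2", 1200)
        beacon = Pkt(30.0 * i + 0.5, "10.0.0.5", "203.0.113.9", 96)
        for p in (noise, beacon):
            rec.record(p)
            samp.record(p, alert=(p is beacon and i == alert_index))
    alert_ts = 30.0 * alert_index + 0.5
    evidence = rec.pivot(alert_ts, "10.0.0.5", before=3600.0, after=60.0)
    sampled = [p for p in samp.kept if "10.0.0.5" in (p.src, p.dst)]
    # (packets found, earliest timestamp) for each recorder
    return len(evidence), evidence[0].ts, len(sampled), sampled[0].ts
```

Running `demo()` shows the continuous recorder returning the full hour of beacons (122 packets, starting at t=0.5 s) while the event-triggered sampler holds only the three beacons at and after the alert, so the 119 earlier ones that establish when the activity began are unrecoverable.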
Endace’s State of the Art Solutions
For more than 15 years, Endace has provided high-speed network recording and visibility solutions to monitor and protect some of the world’s largest, most complex networks. Customers who trust EndaceProbes include global banks, telcos and service providers, media and broadcast companies, health organizations, retailers, e-commerce and web giants, governments and large enterprises. Customers choose Endace technology because it can monitor and capture network traffic with 100% accuracy regardless of network speeds or loads. It can scale to meet the needs of the fastest networks and is built on an open architecture that enables integration with a wide variety of custom, open-source and commercial solutions.
The EndaceProbe Analytics Platform provides 100% accurate, continuous packet capture, while simultaneously hosting a wide range of commercial and open-source network security and performance monitoring applications such as threat detection, IDS, NPM and APM tools. EndaceProbes offer real-time packet capture with up to a petabyte of storage on each appliance and the ability to connect multiple EndaceProbes to scale to multi-petabyte capacity – sufficient to enable investigations that need to reach back weeks or months. Endace partners with all major SIEM and infosec tool vendors, including Darktrace, which has fully integrated its Enterprise Immune System with the EndaceProbe platform and enabled its Enterprise Immune System sensor to run on this hunk of fast iron to be able to analyze high-speed links without bottlenecks.
Convergence of Real-time Packet Capture with Real-time Network Security AI
Darktrace and Endace recently announced a partnership that combines Darktrace’s leading cyber AI with Endace’s unparalleled forensic capabilities. This combined solution empowers organizations to discover in-progress attacks anywhere on the digital infrastructure with Darktrace’s AI, and investigate them with industry-leading speed, scale and accuracy using Endace’s packet-level network history. For more details on this announcement, see https://www.endace.com/darktrace-and-endace-partner-for-cyber-ai-and-forensics.
The EndaceProbe platform is the packet capture and hosting platform that forms the cornerstone of Endace’s network-wide Network Recording solution. Multiple EndaceProbes (up to hundreds) can be connected together, with centralized management provided by the EndaceCMS Central Management Server (virtual or physical), which allows administrators to monitor the fabric and push out updates or configuration changes, and by InvestigationManager (a VM component), which lets analysts and analytics solutions rapidly search across the fabric to find and retrieve packet data relating to specific threats or performance problems. With the Endace solution in place, analysts can search for “needle-in-the-haystack” packets across petabytes of packet data, representing weeks or months of captured network history, and get results in seconds. This level of productivity boost is welcome relief for over-stressed and time-poor security analysts tasked with the defense of critical infrastructure.
Sign Up Today for a Game-changing Live Demo
Catch a game-changing webinar and live demonstration, “AI Threat Detection Meets AI Threat Response”, to see this integration in action. In this webinar, you’ll see how Endace and Darktrace have joined forces to deliver real-time threat detection and autonomous response with definitive network evidence.
Darktrace can now be deployed and hosted on the EndaceProbe platform with full integration between Darktrace’s Threat Visualizer and the packet-level Network History recorded by EndaceProbes. Register today and block Thursday, April 11th at 9am US Pacific Time (noon Eastern Time, 5pm London Time) for this awesome demo.
Next week, this article will be complemented by the second in the series, concentrating on why organizations should look to integrate network history into their existing security tools and move towards hosting virtualized instances of their chosen security analytics solutions on a real-time, high-end packet capture platform that is years ahead of dedicated, application-specific hardware appliances.
About the Author
Yan Ross, J.D., is a Cybersecurity Journalist and the Editor-at-Large for Cyber Defense Magazine. He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics. He also serves as ICFE’s Director of Special Projects, and is the author of the Certified Identity Theft Risk Management Specialist® XV CITRMS® course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach him via his e-mail address at firstname.lastname@example.org