Full Packet Capture (FPC) is often seen as the poor relation in the Security Information & Event Management (SIEM), Intrusion Detection (IDS) and Intrusion Prevention (IPS) world.
Whilst SIEM, IDS and IPS take center stage, poor old packet capture is often relegated to the subs bench to kick its heels and keep warm whilst SIEM pulls on the number nine shirt and takes all the glory.
But is that the whole story, or is full packet capture in fact the super sub? Remember Ole Gunnar Solskjaer: he saved the day for his manager on more than one occasion. Sure, IDS, SIEM and IPS are all central to detecting and alerting on possible threats, but these platforms all suffer from the same flaw: they can only alert on what they see. With the increase in data center speeds and the volume of data moving over these networks, it is becoming increasingly difficult for IDS, SIEM and IPS to keep up with the data rate. Few if any can inspect at line rate, and if you are doing deep packet inspection (DPI) on the traffic you will be getting nowhere near line speed, at which point you are dropping packets, and the ones you drop may well be the ones that contain the indicators of compromise (IoCs) and the malware.
There is a saying in the packet capture world: packets don't lie. The last thing any organization wants when it is breached is not knowing what happened. If you don't know what happened, you can't explain to stakeholders why their data was lost or stolen, only for it to turn up on Pastebin. Your Risk, Compliance and PR departments will be interesting places to be when that happens; alongside the reputational damage to your business, you could also be looking at financial pain from breaches of data privacy law.
So, what is full packet capture? It is not, as some suspect, sending somebody off to the data center with a laptop in hand, ready to plug into a SPAN port. Firstly, that won't give you any historical data, and secondly the laptop NIC will be overwhelmed and drop packets (and a SPAN port itself silently discards mirrored frames once the mirrored volume exceeds the port's own capacity, so some of the loss happens before the laptop ever sees it). For good measure, Wireshark will also lock up.
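The laptop-on-a-SPAN-port approach fails silently unless you look for the drops, so here is the check a practitioner would run. This is an added example, not code from the original post: it shows the tcpdump invocation for a rotating ring of pcap files and then parses tcpdump's end-of-run summary for kernel drops. The interface name, paths, file counts and the sample summaries are assumptions constructed for the example.

```shell
# Added example (not part of the original post): detect an oversubscribed
# capture host by reading the summary tcpdump prints to stderr when it exits.
# Interface, paths and the sample summaries below are assumptions.

# The capture command a practitioner would actually run. It needs root and a
# real interface, so it is shown as a comment rather than executed here:
# full snaplen (-s 0), no name resolution (-n), a 256 MiB kernel buffer (-B is
# in KiB), a new file every 300 s (-G), keep the last 48 files (-W), then drop
# privileges to 'nobody' (-Z), which must be able to write to /cap.
#   tcpdump -i eth0 -s 0 -n -B 262144 -w '/cap/ring-%Y%m%d-%H%M%S.pcap' \
#           -G 300 -W 48 -Z nobody 2> /cap/tcpdump.summary

# Constructed samples of the three-line summary tcpdump writes on exit.
SAMPLE_SUMMARY='12345 packets captured
12890 packets received by filter
545 packets dropped by kernel'

CLEAN_SUMMARY='12890 packets captured
12890 packets received by filter
0 packets dropped by kernel'

# summary_field SUMMARY PATTERN -> leading count on the matching line (0 if absent)
summary_field() {
  printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { n = $1 } END { print n + 0 }'
}

# capture_drop_pct SUMMARY -> integer percentage of packets that matched the
# filter but were discarded by the kernel before tcpdump could write them
capture_drop_pct() {
  received=$(summary_field "$1" 'received by filter')
  dropped=$(summary_field "$1" 'dropped by kernel')
  awk -v r="$received" -v d="$dropped" \
    'BEGIN { if (r == 0) print 0; else printf "%d\n", d * 100 / r }'
}

# capture_ok SUMMARY -> exit status 0 only if nothing was dropped; any drop
# means the pcap on disk is not the full picture and the host cannot keep up
capture_ok() {
  [ "$(summary_field "$1" 'dropped by kernel')" -eq 0 ]
}

# Usage: report the sample run. This one dropped 545 of 12890 packets (4%).
echo "sample run dropped $(capture_drop_pct "$SAMPLE_SUMMARY")% of matched packets"
capture_ok "$SAMPLE_SUMMARY" && echo "capture complete" || echo "capture INCOMPLETE: evidence is missing"
```

Note what this counter can and cannot tell you: "packets dropped by kernel" only counts frames the kernel discarded because tcpdump's buffer was full. Frames the switch never mirrored, because the SPAN port was oversubscribed, are invisible to the capture host, which is why a TAP feeding a line-rate recorder, as described next, is the only way to know the recording is complete.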
Full packet capture means capturing all the traffic. That means using the full range of products on the market, copper and fiber TAPs and network packet brokers (NPBs, more on them in another blog), and sending that traffic to specialist recording devices that ingest at line rate, with on-box or off-box storage that scales to petabytes. How far back you can look is simply your storage capacity divided by your sustained traffic rate, so the storage has to be sized against the retention period you need. The data can then be accessed quickly and efficiently by IT, forensic or law-enforcement teams, giving them full historical insight into what was on the network.
It's like having a TARDIS (think Doctor Who) that lets you go back in time after the fact and analyze or replay the data. It's an invaluable tool in your security toolbox. Next time someone mentions full packet capture, think Solskjaer, not Cantona.