True or False: Packet monitoring is best used for troubleshooting network or application problems, not cybersecurity.
If you answered "true," you might be surprised to learn that many organizations use packet-based monitoring to better detect, investigate, and respond to security threats spread across an increasingly distributed networked infrastructure. Complementing other solutions like security information and event management (SIEM) and endpoint detection and response (EDR) tools, packet-based network detection and response (NDR) solutions are increasingly providing security teams with the detailed network context and investigation capabilities that have become necessary to meet modern cybersecurity demands.
Though packet monitoring has traditionally been used for analyzing networks, managing traffic, and identifying performance issues, large enterprise organizations are finding additional advantages to using a single packet-based data source for both network and security uses.
Specifically, this article will explore several use cases for using packet monitoring for enterprise security, including threat detection and investigations, finding anomalies, and baselining new environments that completely bust the myth that packet monitoring isn’t a worthwhile exercise for security teams today.
Threat Detection, Finding Anomalies, and Retrospective Investigations
Enterprise hosting environments have become much more complicated over recent years. With the rapid increase in bring-your-own-device (BYOD) and Internet of Things (IoT) applications running in SaaS environments, monitoring these connected devices is daunting, if not impossible. For example, IoT devices will not support EDR agents. Malicious software can also cover its tracks on endpoint devices, making intrusions more difficult to detect. But network packets enhanced with smart metadata offer enterprise security teams an alternative that can fill these visibility gaps with insights generated from network traffic in real time, offering a level of scrutiny that other solutions may miss or overlook.
In fact, according to a recent survey conducted by Omdia on packet intelligence usage in enterprises, many security teams are using network data to support other security solutions, with real-time threat detection named as the leading security use case for packet monitoring in the past 12 months. By combining threat intelligence feeds with comprehensive security visibility across networked environments, potential threats can be detected sooner before they cause damage to the network infrastructure or compromise sensitive information. Companies can also go back in time using previously captured packet-derived network metadata, so in the event of a data breach or malware, they can retroactively trace the problem back to its source. Besides threat investigation and detection, packet monitoring is also helpful for verifying that other security devices perform correctly. For example, packet-based NDR solutions can confirm that network micro-segmentation is performing as designed.
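The three security uses named above (real-time matching of network metadata against a threat-intelligence feed, retrospective tracing of who contacted an indicator, and verifying that micro-segmentation is enforced) can be illustrated with a small script over packet-derived flow metadata. This is an added example, not NETSCOUT code or the Omdia survey's material; the flow records, the indicator values, and the segmentation policy are all constructed for illustration.

```python
"""Added example (not NETSCOUT's code): detection, retrospective lookup, and
micro-segmentation verification over packet-derived flow metadata.
Every record, indicator and network range below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One flow record as an NDR sensor might derive it from captured packets."""
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    sni: str = ""  # TLS server name from the ClientHello; visible without decryption


# Constructed flow metadata (hypothetical hosts and times).
FLOWS = [
    Flow(datetime(2023, 5, 1, 9, 0), "10.1.1.10", "172.16.5.20", 443, "tcp", "intranet.example.test"),
    Flow(datetime(2023, 5, 1, 9, 2), "10.1.1.10", "198.51.100.7", 443, "tcp", "update.bad-domain.test"),
    Flow(datetime(2023, 5, 1, 9, 5), "10.1.1.22", "10.2.0.5", 3389, "tcp"),
    Flow(datetime(2023, 5, 1, 9, 7), "10.1.1.10", "10.2.0.5", 445, "tcp"),
    Flow(datetime(2023, 5, 2, 14, 0), "10.1.1.31", "198.51.100.7", 8443, "tcp"),
]

# Constructed threat-intelligence feed (placeholder indicators, not real IoCs).
THREAT_INTEL_IPS = {"198.51.100.7"}
THREAT_INTEL_DOMAINS = {"update.bad-domain.test"}

# Constructed micro-segmentation policy: (source segment, destination segment, allowed ports).
# An empty allowed set means the segments must not talk to each other at all.
SEGMENT_POLICY = [
    (ip_network("10.1.1.0/24"), ip_network("10.2.0.0/16"), set()),  # user LAN -> server segment
]


def match_threat_intel(flows):
    """Real-time detection: flows whose destination IP or TLS SNI is in the feed."""
    return [f for f in flows if f.dst in THREAT_INTEL_IPS or f.sni in THREAT_INTEL_DOMAINS]


def retrospective_contacts(flows, indicator, since):
    """Retrospective investigation: internal hosts that contacted an indicator
    (IP or domain) at or after a given time, from the stored metadata."""
    return sorted({f.src for f in flows
                   if f.ts >= since and (f.dst == indicator or f.sni == indicator)})


def segmentation_violations(flows):
    """Verify micro-segmentation: flows that cross a policed boundary on a port
    the policy does not allow. If this list is non-empty, the segmentation
    control is not doing what it was designed to do."""
    violations = []
    for f in flows:
        s, d = ip_address(f.src), ip_address(f.dst)
        for src_net, dst_net, allowed in SEGMENT_POLICY:
            if s in src_net and d in dst_net and f.dport not in allowed:
                violations.append(f)
    return violations


if __name__ == "__main__":
    for f in match_threat_intel(FLOWS):
        print("threat-intel hit:", f.src, "->", f.dst, f.sni)
    print("hosts that reached 198.51.100.7:",
          retrospective_contacts(FLOWS, "198.51.100.7", datetime(2023, 5, 1)))
    for f in segmentation_violations(FLOWS):
        print("segmentation violation:", f.src, "->", f.dst, "port", f.dport)
```

The SNI field is the reason the example can match a domain indicator without decrypting anything: the server name in a TLS ClientHello is sent in the clear, so packet-derived metadata still carries it. The retrospective lookup only works because the metadata was stored ahead of time; that is the "go back in time" capability the paragraph describes.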
Baselining New Environments
Since the pandemic, organizations have increasingly shifted to cloud and edge usage for remote access. Packet intelligence can help set a baseline level of security for these new environments, as it’s already used across network domains of most organizations that would have once been wholly based on premises. In Omdia’s survey, most organizations either already capture packet data in the cloud or plan to do so. Only 15 percent surveyed have no plans to utilize packet monitoring for cloud security.
Interestingly, organizations that underwent a digital transformation during the shift to remote work were also more likely to implement packet monitoring in their cybersecurity stack. Some systems, such as IoT devices, cannot run endpoint agents for gathering telemetry, and some virtual resources in cloud service providers likewise lack the transparency and consistent monitoring that security teams require. Thus, a device-agnostic solution like packet monitoring is ideal for new environments.
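"Baselining" a new cloud or edge environment with packet data means learning, from a window of observed flows, which workloads normally talk to which services, and then flagging what departs from that picture. The following added example (not NETSCOUT's code; all hosts and flows are constructed) shows one simple way to do that over flow metadata: it reports connections never seen in the baseline, hosts that appear for the first time, and known connections whose volume jumps well above their baseline rate.

```python
"""Added example (not NETSCOUT's code): building a traffic baseline for a new
environment from packet-derived flow metadata and flagging deviations from it.
All hosts, ports and counts below are constructed for illustration."""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "ts src dst dport")

# Constructed learning window: a few days of flows in a hypothetical cloud segment (10.50.0.0/24).
BASELINE_WINDOW = [
    Flow("2023-05-01T08:00", "10.50.0.4", "10.50.0.10", 5432),  # app -> database
    Flow("2023-05-01T09:00", "10.50.0.4", "10.50.0.10", 5432),
    Flow("2023-05-02T08:00", "10.50.0.4", "10.50.0.10", 5432),
    Flow("2023-05-01T08:05", "10.50.0.4", "10.50.0.20", 443),   # app -> internal API
    Flow("2023-05-02T08:05", "10.50.0.4", "10.50.0.20", 443),
    Flow("2023-05-02T10:00", "10.50.0.5", "10.50.0.10", 5432),  # batch job -> database
]

# Constructed flows from a later observation window, after the baseline was learned.
NEW_FLOWS = [
    Flow("2023-05-03T08:00", "10.50.0.4", "10.50.0.10", 5432),  # normal
    Flow("2023-05-03T09:00", "10.50.0.4", "10.50.0.10", 5432),  # normal
    Flow("2023-05-03T09:10", "10.50.0.4", "10.50.0.30", 22),    # known host, never-seen destination
    Flow("2023-05-03T09:20", "10.50.0.99", "10.50.0.10", 5432), # host never seen in baseline
    Flow("2023-05-03T10:00", "10.50.0.5", "10.50.0.10", 5432),  # known connection ...
    Flow("2023-05-03T10:01", "10.50.0.5", "10.50.0.10", 5432),
    Flow("2023-05-03T10:02", "10.50.0.5", "10.50.0.10", 5432),
    Flow("2023-05-03T10:03", "10.50.0.5", "10.50.0.10", 5432),  # ... at 4x its baseline count
]


def build_baseline(flows):
    """Learn how often each (src, dst, dport) triple occurred in the learning window."""
    return Counter((f.src, f.dst, f.dport) for f in flows)


def baseline_deviations(baseline, flows, spike_factor=3):
    """Compare a later window against the baseline and return (triple, reason) pairs.

    reasons: "new host"       - source never appeared anywhere in the baseline
             "new connection" - known host, but this (dst, port) was never seen from it
             "volume spike"   - known triple, seen more than spike_factor x its baseline count
    spike_factor=3 is an assumed threshold, not a value from the page."""
    known_hosts = {s for s, _, _ in baseline} | {d for _, d, _ in baseline}
    observed = Counter((f.src, f.dst, f.dport) for f in flows)  # preserves first-seen order
    deviations = []
    for key, count in observed.items():
        src = key[0]
        if key not in baseline:
            deviations.append((key, "new host" if src not in known_hosts else "new connection"))
        elif count > spike_factor * baseline[key]:
            deviations.append((key, "volume spike"))
    return deviations


if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    for (src, dst, port), reason in baseline_deviations(base, NEW_FLOWS):
        print(f"{reason:15} {src} -> {dst}:{port}")
```

In practice the baseline would be learned per environment over a longer window and keyed on more than three fields (protocol, bytes, time of day), but the shape is the same: because the same packet-derived metadata is collected on premises and in the cloud, one baselining routine serves both, which is the device-agnostic property the paragraph relies on.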
Barriers to Packet Monitoring for Security
The Omdia survey also mentions perceived barriers to using packet capture for cybersecurity. Some of these included staff not skilled in packet-level analysis, inability to scale to high traffic rates (e.g., 40 Gbps), poor analytical performance (e.g., it takes too long to get query results), operational costs (e.g., requires too much storage capacity), and the inability to view encrypted traffic.
The reality is that all these barriers can be overcome when using advanced, deep packet inspection-based NDR tools that are designed to provide visibility into modern-day network environments (e.g., legacy networks and public clouds), can scale to the highest packet rates (e.g., 100 Gbps), use intelligent indexing and compression techniques to minimize storage requirements and ensure responsive analytics, and can decrypt encrypted traffic.
The Myth is Busted
In summary, packet monitoring is detailed, accurate, and device-agnostic, making it ideal for IT teams who seek a cybersecurity solution that works across devices and can be used in both on- and off-premises environments.
Gone are the days when networks were operated entirely onsite. With remote/hybrid work and applications in the cloud here to stay, security teams require a packet-based NDR solution that runs seamlessly across environments and provides the detail needed to keep networks secure. In the past, packet monitoring was indeed used primarily for troubleshooting purposes. However, security teams today realize the value of using packet monitoring for cyber defense to mitigate attacks before they cause harm. As organizations continue to explore new network environments post-pandemic and find more security uses for packet monitoring, they continue to shatter the myth that packet monitoring cannot provide security on its own.
Tom Bienkowski is the director of product marketing at NETSCOUT.