Preferring to err on the side of caution, many security practitioners seek to capture "everything" in fear of missing "something." It's a "big net" approach and the reason why teams have historically turned to full packet capture (PCAP).
FPC is a troubleshooting tool that establishes after-the-fact investigative capabilities that capture every packet, such that one can be assured they also captured malware samples and network exploits to determine if a compromise, or breach, or data exfiltration has occurred. Many security tools rely on detecting known malicious traffic based upon specific signatures. But, in order for signatures to be written, an attack needs to occur and then be analyzed to write the signature. So, what happens if a new attack comes along and the signature doesn’t exist yet? That is where FPC establishes an additional layer of security on top of signature-based approaches, allowing analysts to review all systems communications to protect against zero-day exploits and new malware/attacks.
Issues have emerged, however, because teams typically cannot leverage the potential of full packet analysis. This is due to the extensive costs of storage required to review records that go back 30, 60, or 90 days. Security operations center (SOC) analysts need this kind of "lookback window" time frame because – if they're investigating a particular interaction that could have taken place between an employee and a possible threat/cyber criminal (whether the employee is complicit or unaware of the situation) – then they may need to go back a month or longer to capture and document all key interactions.
Yet, most SOC teams won't be able to afford up to 90 days of storage; in fact, most struggle to achieve up to a week's worth, and that's not nearly enough to fully investigate and document possibly suspicious interactions.
What’s more, FPC does not integrate well with modern Security Information and Event Management (SIEM) workflows, forcing analysts to “chair swivel” from SIEM into another pane of glass to locate and retrieve packets that capture everything – including what teams cannot decrypt.
Fortunately, an alternative approach is readily available that addresses the challenges: Smart PCAP.
Smart PCAP gives analysts the ability to choose the packet evidence they collect and make it retrievable via SIEM. Through Zeek-aware protocol analyzers that fully understand what is in the packets, as well as the ability to PCAP everything Zeek doesn't understand (like that proprietary protocol you might have running on your network), Smart PCAP links logs, extracted files, and security insights with solely the packets that a team needs for investigations. With this, analysts gather comprehensive yet compact network log evidence while easily configuring precise packet captures.
As a result, teams achieve 100 percent visibility and extend lookback windows to 90 days or more – even years – instead of a week at an affordable cost due to the minimization of expensive storage rack requirements. By combining powerful, rich Zeek logs and smart packet captures of just the data you need, organizations can cut costs by up to 50 percent and expand retention times by up to a factor of ten.
Security teams are the detectives of IT. They must go deep into the past to investigate issues of the present. Via Smart PCAP, they avoid the collection of every single piece of evidence so they can focus strictly on the clues they need, retrieving them with a single SIEM click. This results in not only a more efficient and affordable process but a more successful one as well.
Sarah Banks is Senior Director of Product Management at Corelight.