Full Packet Capture for Full Network Visibility

Posted by Fuel HQ on Dec 27, 2018 11:48:00 AM

Thursday, December 27, 2018

It can be tempting for companies to emphasize the adoption and use of new security tools. New tools with better features can be flashy, easy to justify and widely available. However, new tools are of no use if they can't be deployed quickly and accurately to respond to cybersecurity attacks.

Cyberattacks can happen at a moment’s notice. In a recent Fuel webinar, David Monahan, managing research director of security and risk management at Enterprise Management Associates (EMA), warned about five main attacks that security teams face. These include internet-based reconnaissance and direct attacks; phishing emails; malicious websites, links, and malvertising; rogue software; and tainted programs.

 

These attacks occur for a variety of reasons. The cause could be malicious websites or insiders. Other potential culprits include missed patches, poor coding practices, and poor change management. Monahan said he has seen poor change management time and again in his career. A situation will occur that “allows a third party vendor to come into the environment to make a change in the system,” he explained. “Then, the person responsible for re-enabling firewall rules and re-enabling the router configurations…doesn’t do it. Ultimately the system was compromised by an external threat.”

Monahan also said there are apps out there that weren't programmed well from the start, so they leak data. “They expose us either from a mobile perspective or from our laptop, desktops, etc.,” he noted.

Security Tools Need to Give Context

One problem, other than the attacks themselves, is gathering accurate information and making sure security tools give the proper context. Monahan said a firewall, endpoint and intrusion detection system all have pieces of information to share when it comes to an attack. However, going through these different systems separately can be very time consuming.

“What drives the most delay is the manual effort involved to get all those pieces together to create context,” he stated. To save time, organizations need to have the proper tools in place. Security teams waste time due to false positives, or lack of context. For instance, as Monahan noted in the webinar, 31 percent of security teams said alerts were identified as false positives, and 52 percent of alerts were misclassified as critical/severe.

Companies are not confident in their ability to detect a threat before it's an issue, either. Monahan found that 42 percent of organizations are "highly doubtful" to only "somewhat confident" that they could detect an important security issue prior to it causing significant impact. When a breach occurs, organizations must have a plan and incident response team ready to go. Organizations should also implement call center procedures and training. Once a company is breached, people and lawyers will be calling with questions.

Full Packet Capture

To gain context, Monahan suggests full packet capture, which allows a security team to do full threat hunting, troubleshoot applications and faults, and replay traffic for zero-days after rule updates. Full packet capture supports post-event reconstruction: teams can see everything that happened between the target host and the source host, and what that communication was. Monahan said a team could see what data got pushed out and what information got pushed in during the attack. Still, teams should be aware that packet capture usually requires a large amount of storage. Some teams might consider network flow data instead. However, Monahan warns that while network flow is good for trends and summaries, it gives teams much less detail.
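The difference between flow data and full packet capture, as an added example that is not from the webinar or from Fuel: the same constructed capture is reduced to flow-style counters and to the reconstructed bytes exchanged in each direction. The addresses, hostname, payloads and function names are made up for illustration, and the parser assumes a classic little-endian pcap with LINKTYPE_RAW framing.

```python
import socket, struct
from collections import defaultdict

def build_pcap(packets):
    """Constructed sample: classic pcap, LINKTYPE_RAW (101), packets start at IPv4."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for ts, src, sport, dst, dport, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = ip + tcp + payload
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (src, sport, dst, dport, payload) for each IPv4/TCP packet."""
    magic, _, _, _, _, _, link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or link != 101:
        raise ValueError("expected little-endian classic pcap with LINKTYPE_RAW")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack_from("<I", data, off + 8)[0]  # captured length
        pkt = data[off + 16: off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
            continue  # truncated, not IPv4, or not TCP
        ihl = (pkt[0] & 0x0F) * 4
        if len(pkt) < ihl + 20:
            continue  # TCP header cut off by the snap length
        total = struct.unpack_from("!H", pkt, 2)[0]
        sport, dport = struct.unpack_from("!HH", pkt, ihl)
        doff = (pkt[ihl + 12] >> 4) * 4
        yield socket.inet_ntoa(pkt[12:16]), sport, socket.inet_ntoa(pkt[16:20]), dport, pkt[ihl + doff:total]

def both_views(data):
    """Return (flow view, packet view), both keyed by (src, sport, dst, dport)."""
    flows, streams = defaultdict(lambda: [0, 0]), defaultdict(bytes)
    for *key, payload in parse_pcap(data):
        key = tuple(key)
        flows[key][0] += 1             # flow record: packet count ...
        flows[key][1] += len(payload)  # ... and byte count, nothing else
        streams[key] += payload        # full capture: the bytes, in capture order
    return {k: tuple(v) for k, v in flows.items()}, dict(streams)

SAMPLE = build_pcap([  # constructed traffic; addresses and hostname are made up
    (1, "10.0.0.5", 49152, "203.0.113.7", 80, b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n"),
    (2, "10.0.0.5", 49152, "203.0.113.7", 80, b"name,account\nalice,1001\n"),
    (3, "203.0.113.7", 80, "10.0.0.5", 49152, b"HTTP/1.1 200 OK\r\n\r\n"),
])
```

The flow view only says that two packets carrying 70 bytes left the internal host; the packet view shows which records were in them. Payloads are joined in capture order, so a real investigation would also reorder by TCP sequence number.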

Monahan found that 60 percent of organizations with high alert false positive rates used packet data to improve context for better outcomes. Without packet capture, it can take teams days, weeks, even years to identify intrusions. With packet capture, security teams can find intrusions within minutes.

According to Michael Morris, director of global business development at Endace, packet capture used to be a “nice-to-have” feature and NetOps, SecOps, and DevOps teams didn’t share tools. Now, packet capture is used by all teams for full visibility. During the webinar, Morris warned that he is seeing a wide variety of threats and they are becoming more complex. “A lot of threats that are happening are taking much longer to manifest and actually come to life,” he noted.

Packet data provides the speed, evidence, and accuracy that security teams need as threats become more sophisticated. With full packet capture, teams can spend less time deciding threat legitimacy and more time mitigating the damage and keeping their data safe.

To learn more on the topic, watch the Fuel webinar, “The Secrets Of Hi-Fidelity Cybersecurity – Accelerating Threat Investigation And Response.”
