Packet capture and analysis gains momentum as a cyber solution
With full packet capture and analysis tools, agencies can secure networks and support zero-trust approaches.
Capturing data packets after a breach is like installing a security camera after a burglary, according to Mark Zeller, chief revenue officer at Axellio, citing what company CEO Bill Miller often said. It will help with the next problem, but the initial damage is done.
A cybersecurity company, Axellio has seen agency requests for full packet capture and analysis (PCAP) solutions grow in recent months, Zeller said, particularly in the area of always-on PCAP.
“More organizations understand the need for having the packets to actually do the determination [of the problem] and the idea that if you can catch it faster, there’s less damage to your reputation, your brand, your revenues, your intellectual property, your personal information,” Zeller said.
Packets are the way data traverses a network and communicates across devices. What’s more, they are immutable, unlike logs, which security tools commonly rely on to look at incidents. If an intrusion occurs, an agency can research the packets to pinpoint where and when the problem happened. The packets also show whether the intrusion came from an internal or external location, which supports the growing zero-trust security approach.
“What I’ve seen in the past is organizations will use firewalls. Firewalls actually use packets to say, ‘Hey, here’s a known threat and I’m going to get rid of it.’ The problem is not all threats are known,” Zeller said. Unknown threats can get through, but with always-on PCAP, agencies can identify and mitigate problems faster and then validate their strategies against the problematic packet flow.
Requests for information and proposals involving full PCAP are growing. For instance, in March, the Homeland Security Department’s Enterprise Security Operations Center requested information on next-generation full PCAP solutions, stating that it considered “Full Packet Capture a cornerstone of the cyber security visibility stack enabling analysts to perform investigation analysis while also satisfying DHS security requirements.”
In July, the State Department’s Bureau of Diplomatic Security issued a request for quotes for upgrading its full PCAP capability. One requirement is the ability to capture 100% of all network packets traversing the department’s points of presence.
Additionally, the Cybersecurity and Infrastructure Security Agency’s National Initiative for Cybersecurity Careers and Studies offers several classes on full PCAP.
Use of PCAP is not without its challenges, though. For one, it requires agencies to save all their data, something they have not typically done, largely because of storage costs. As equipment costs have fallen, however, the ability to capture and store packets is more accessible, Zeller said.
“As the cost of this comes down and the importance of protecting data and your security posture becomes more important, I only see this growing,” he said.
Areas particularly ripe for growth include state and local governments, health care and utilities, Zeller said. For instance, the Ohio Transportation Department issued a request for proposals in 2019 for roadside units with log files in PCAP format as part of its smart infrastructure project.
Zeller offered four stages to implementing full PCAP. The first is to design a network visibility fabric, which involves CAP access points or existing switches and routers called SPAN ports that drive the packets into a packet capture technology.
Second, agencies need a way to capture all the packets. “If you lose packets, you actually missed a lot of the capability that put your packet flow together to determine what your problem was,” Zeller said.
The third stage requires a tool that can analyze the packets in real or near-real time to flag concerns. Open source network-monitoring tools such as Zeek can help by analyzing and creating alerts and logs that get forwarded to IT managers.
Lastly, agencies need analysts who can understand how to look at the packets, determine what happened and test and develop mitigation strategies.
“It will go a long way toward helping organizations develop a zero-trust architecture,” Zeller said.
NEXT STORY: 6 steps to IoT security