CS Nov-Dec 2022
packet data

BUILDING A CAPTIVE AUDIENCE

PACKET CAPTURE IS BECOMING INCREASINGLY IMPORTANT, AS MARK EVANS, VP OF MARKETING, ENDACE, EXPLAINS

Mark Evans, VP of marketing, Endace.
There's an adage amongst experienced SecOps and NetOps analysts - 'PCAP or it didn't happen' - that highlights why network packet capture data (PCAP, as in the .pcap file extension, is the common format for captured packets) is so crucial. Packets provide the only truly definitive evidence of performance and security issues that happen on a network. If you can't see the packets, you may never know for certain exactly what happened.
Recent widespread security vulnerabilities - such as Solarflare and Log4J 2 - have illustrated just why on-demand access to packet data is so important, igniting demand for full packet capture solutions to fill the visibility hole.
Governments are also becoming aware of the importance of packet capture. The US White House has mandated that, by February 2023, all Federal agencies must be able to provide access - when requested by CISA or the FBI - to a minimum of 72 hours of full packet capture data for investigating cybersecurity events.
However, there's still confusion and misinformation about why packet data is important and what the term 'packet capture' means. Some organisations believe they can do packet capture by relying on network flow data and endpoint monitoring. Others only record a handful of packets relating to specific events or use 'triggered' packet capture, because they believe it saves on storage costs.

This article seeks to clarify the confusion around packet capture, so organisations can make informed decisions.
WHY IS PACKET DATA IMPORTANT?
Packet payloads are often the only way to identify specifics: did a phishing attack compromise credentials? What data was stolen or modified in a breach? Or what malware was dropped on compromised hosts?
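As an added illustration of the contrast this section draws between flow records and packet payloads (example code written for this page, not from the article or from Endace): a minimal Python reader for the .pcap format the article names, run over two constructed HTTP packets. flow_summary() gives the per-flow packet and byte counts a NetFlow/IPFIX-style record would provide, while credential_posts() picks out a detail, a form login submission, that exists only in the captured payload; all addresses, ports and payloads are constructed sample data.

```python
import socket, struct

def build_packet(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame with zeroed checksums (constructed sample data)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Minimal pcap: 24-byte global header (link type 1 = Ethernet), then one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Return (5-tuple, payload) for every Ethernet/IPv4/TCP record in a little-endian pcap."""
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "unsupported pcap magic"
    off, records = 24, []
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        ip = frame[14:]
        if frame[12:14] != b"\x08\x00" or ip[9] != 6:  # keep IPv4-over-Ethernet TCP only
            continue
        tcp = ip[(ip[0] & 0x0F) * 4:]
        key = (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
               *struct.unpack("!HH", tcp[:4]), "tcp")
        records.append((key, tcp[(tcp[12] >> 4) * 4:]))
    return records

def flow_summary(records):
    """What flow data (NetFlow/IPFIX style) can tell you: per-flow packet and payload byte counts."""
    flows = {}
    for key, payload in records:
        pkts, octets = flows.get(key, (0, 0))
        flows[key] = (pkts + 1, octets + len(payload))
    return flows

def credential_posts(records):
    """What only the captured payload can tell you: which flows carried a form login."""
    return [key for key, payload in records
            if payload.startswith(b"POST ") and b"password=" in payload]

SAMPLE_PCAP = build_pcap([  # constructed traffic; 203.0.113.9 is an RFC 5737 test address
    build_packet("10.0.0.5", "203.0.113.9", 51000, 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    build_packet("10.0.0.5", "203.0.113.9", 51001, 80,
                 b"POST /login HTTP/1.1\r\nHost: x\r\n\r\nuser=alice&password=hunter2")])
```

Both flows look identical in flow_summary() apart from their byte counts; only parse_pcap() plus credential_posts() can say which one carried the login that a phishing investigation needs to confirm.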
While log files and flow data can indicate an issue has occurred, oftentimes they can't show the exact root cause of that problem. They don't provide crucial detail, such as the
computing security Nov/Dec 2022 @CSMagAndAwards www.computingsecurity.co.uk