Peter Sanders, VP Field Applications Engineering at Napatech, looks at the importance of zero packet loss to a successful IDS deployment - measured by its effects on intrusion alert generation and file extraction.
In a world where cybercrime is constantly increasing and the question is no longer if you get hacked but when, organizations are continuously trying to defend and protect their assets with every means available. Under a cyber-attack, valuable assets can be damaged, stolen or made inaccessible, causing monetary losses and loss of intellectual property. With so much at stake, it is natural that organizations are spending millions on cybersecurity.
Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), network surveillance tools, network analysis tools and many more: all kinds of data monitoring, analysis and evaluation systems are being deployed these days to prevent cybercrime. These systems perform their functions in real time where they can, and otherwise as soon as possible, in order to secure the intellectual property of the companies that run them.
Visibility and tracking
One of the most important aspects of detecting cyberattacks and breaches is visibility: who did what, when and where. Similarly, when performing any post-incident analysis of a detected attack or breach, it is very important to have a history that makes it possible to go back in time and analyze what happened in detail. The same history can also be a prerequisite for implementing new strategies and measures to prevent similar incidents from occurring in the future, and for verifying that the new measure would have prevented the incident the first time. Further, such a history can be used to document or verify that any Service Level Agreements are respected and delivered within their terms.
Data analysis and inspection
This is where packet capture comes into play, as the ultimate tool for incident analysis and data verification. With the complete packet flow on record, it is possible to study and analyze the incident down to the minutest level of detail. Every single packet can be located and inspected, and any flow can be recreated with the exact timing of every packet. With the exact packet flow at hand it is possible to apply new and more advanced types of analysis, and to search for trends, patterns or anomalies. Even manual packet inspection can be conducted if needed. Most importantly, the last little details can be found by going over the packets again and again, slightly shifting the focus on each pass until the root cause of the incident is discovered.
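As an added illustration of what "recreating a flow with the exact timing of every packet" looks like in practice (example code written for this page, not Napatech software), the script below parses a small pcap file that is constructed inline, groups the packets into flows with per-packet timing, and reports a TCP sequence-number jump. Such a jump is the fingerprint of a packet that never reached the capture device: the bytes are missing from the record, so neither an IDS replay nor a file extraction from this flow can be complete. All addresses, ports and payload bytes are made up.

```python
import struct
from collections import defaultdict

# Fixed-size headers of a classic libpcap file (little-endian, microsecond
# timestamps, Ethernet link type) and of the Ethernet/IPv4/TCP headers inside it.
PCAP_GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
PCAP_REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")    # ver/ihl, tos, total_len, id, frag, ttl, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")        # sport, dport, seq, ack, data_off, flags, win, csum, urg


def build_tcp_packet(ts_sec, ts_usec, src, dst, sport, dport, seq, payload):
    """Build one pcap record (Ethernet/IPv4/TCP + payload). Checksums stay zero:
    this is constructed test data, not a capture from a real network."""
    ip_len = IPV4_HDR.size + TCP_HDR.size + len(payload)
    eth = ETH_HDR.pack(b"\x00" * 6, b"\x00" * 6, 0x0800)
    ip = IPV4_HDR.pack(0x45, 0, ip_len, 1, 0, 64, 6, 0, src, dst)
    tcp = TCP_HDR.pack(sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0)  # 20-byte header, PSH|ACK
    frame = eth + ip + tcp + payload
    return PCAP_REC_HDR.pack(ts_sec, ts_usec, len(frame), len(frame)) + frame


CLIENT = bytes([10, 0, 0, 1])  # constructed addresses
SERVER = bytes([10, 0, 0, 2])

# Constructed capture: three segments of one HTTP request. The segment carrying
# bytes 1022..1032 was dropped on the capture path, so the file jumps from
# seq 1011 (+11 payload bytes) straight to seq 1033.
SAMPLE_PCAP = PCAP_GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    build_tcp_packet(1700000000, 100, CLIENT, SERVER, 40000, 80, 1000, b"GET /a HTTP"),
    build_tcp_packet(1700000000, 350, CLIENT, SERVER, 40000, 80, 1011, b"/1.1\r\nHost:"),
    build_tcp_packet(1700000000, 900, CLIENT, SERVER, 40000, 80, 1033, b" x\r\n\r\n"),
])


def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; return None for anything else."""
    _dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return None
    fields = IPV4_HDR.unpack_from(frame, ETH_HDR.size)
    ihl, total_len, proto, src, dst = (fields[0] & 0x0F) * 4, fields[2], fields[6], fields[8], fields[9]
    if proto != 6:
        return None
    sport, dport, seq, _ack, data_off, _flags, _win, _csum, _urg = TCP_HDR.unpack_from(frame, ETH_HDR.size + ihl)
    tcp_hdr_len = (data_off >> 4) * 4
    return {
        "flow": (".".join(map(str, src)), sport, ".".join(map(str, dst)), dport),
        "seq": seq,
        "payload_len": total_len - ihl - tcp_hdr_len,
    }


def parse_pcap(data):
    """Walk the pcap records and return the decoded TCP packets in file order."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = PCAP_GLOBAL_HDR.unpack_from(data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian microsecond pcap with Ethernet link type")
    packets, offset = [], PCAP_GLOBAL_HDR.size
    while offset + PCAP_REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = PCAP_REC_HDR.unpack_from(data, offset)
        offset += PCAP_REC_HDR.size
        pkt = decode_frame(data[offset:offset + incl_len])
        offset += incl_len
        if pkt is not None:
            pkt["ts_us"] = ts_sec * 1_000_000 + ts_usec  # integer microseconds, no float rounding
            packets.append(pkt)
    return packets


def reconstruct_flows(packets):
    """Group packets by unidirectional (src, sport, dst, dport), ordered by capture time."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[pkt["flow"]].append(pkt)
    for pkts in flows.values():
        pkts.sort(key=lambda p: p["ts_us"])
    return flows


def flow_summary(flows):
    """Per-flow packet count, payload bytes, duration and inter-arrival times (microseconds)."""
    return {
        flow: {
            "packets": len(pkts),
            "payload_bytes": sum(p["payload_len"] for p in pkts),
            "duration_us": pkts[-1]["ts_us"] - pkts[0]["ts_us"],
            "inter_arrival_us": [b["ts_us"] - a["ts_us"] for a, b in zip(pkts, pkts[1:])],
        }
        for flow, pkts in flows.items()
    }


def find_capture_gaps(flows):
    """Report forward sequence jumps between consecutive segments, i.e. payload bytes
    the capture never saw. A retransmission (seq below expected) is not a capture gap."""
    gaps = []
    for flow, pkts in flows.items():
        for prev, cur in zip(pkts, pkts[1:]):
            expected = prev["seq"] + prev["payload_len"]
            if cur["seq"] > expected:
                gaps.append({"flow": flow, "expected_seq": expected, "observed_seq": cur["seq"],
                             "missing_bytes": cur["seq"] - expected,
                             "gap_us": cur["ts_us"] - prev["ts_us"]})
    return gaps


if __name__ == "__main__":
    flows = reconstruct_flows(parse_pcap(SAMPLE_PCAP))
    for flow, stats in flow_summary(flows).items():
        print(flow, stats)
    for gap in find_capture_gaps(flows):
        print("capture gap:", gap)
```

Run against a real capture by replacing SAMPLE_PCAP with the bytes of a pcap file; the gap check only recognises the classic pcap container, not pcapng. A flow that reports gaps is one whose replay into an IDS test bed will not reproduce the original alerts, which is the practical meaning of the zero-packet-loss requirement.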
Finally, when a new security measure is designed, it can be tested in a lab environment against the exact packet flow from the old attack, to verify that it actually works as expected before it is implemented in the production network.
This is where the ultimate power of packet capture becomes visible: the capture is the complete source of truth. So why is packet capture a must-have in the fight against increasing cybercrime? The answer is simple: to be able to perform Deep Packet Inspection and Analysis of what happened, and ultimately to defeat the threats. Perhaps even to learn from the attack and get a step ahead of the attackers.