Since packet capture is an integral part of an Intrusion Management strategy, the question remains: what factors influence an organization's packet capture strategy? Please provide some insight into some of these factors and why they are or are not relevant.
Shain R. Amzovski says
With cybersecurity becoming more difficult each day, as new attacks and threats are developed, organizations are always looking for the best way to invest their money to protect their information assets. Packet capturing is not new technology and has been used to determine and respond to threats. Ideally, an organization would like to capture and monitor all packets travelling through its network, but this is not realistic because it may not provide a benefit to the organization. The first reason capturing all packets is not feasible is the amount of data storage it would require. Data storage costs are becoming increasingly expensive, especially when companies have data stored in the cloud. Monitoring 1 Gbps of data with a 30-day retention policy would require 316 TB of data storage. When this number increases to 10 Gbps, 12.4 PB is required for a 30-day retention policy. This is an unmanageable amount of packets to monitor (Obremski, 2016). A good packet capture strategy would be to “collect data from as many points across your networks as possible, some data is more valuable for forensics investigations than other network data. You can reduce the amount of data that needs to be stored by placing network taps strategically and prioritizing networks that are ingress/egress paths or that contain sensitive data.” (Obremski). A successful packet capture strategy for an organization can determine what happened, how the incident happened, and if anything was actually compromised. The author of this article states, “A successful packet capture system needs to capture at line rate, index and compress the data in real time and write everything to disk continuously while simultaneously managing all the storage and retrieving data as needed for forensics investigations.” (Obremski). If a packet capture system does not compress the packet data, once again, it will be costly for an organization in storage costs.
Prior to developing a strategy for packet capturing, a few of the most important issues would be storage costs and which points on the network to collect packets from. Some points are more critical than others and offer better packet information for forensics. The most cost-effective strategy should be put in place, as it is not reasonable to collect all packet information.
In this week’s lab, I believe we will be capturing packets using Wireshark. Although Wireshark is a great tool for packet capturing, the files are generally too large to analyze at the packet level. Wireshark is a great tool for monitoring a computer’s activity if you believe the computer has been compromised.
Article:
https://securityintelligence.com/is-full-packet-capture-worth-the-investment/
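As an added example from the editor (not from Shain's post or the article cited), the arithmetic behind sizing figures like the ones above, with link rate, utilisation, mean frame size, snaplen and compression as hypothetical planning inputs. It reports decimal terabytes at the stated utilisation, so it will not reproduce the article's numbers exactly, and it also answers the inverse question of how many days a fixed storage budget holds.

```python
"""Packet-capture storage sizing (added example, not from the cited article).

Every input here is a hypothetical planning parameter: link rate, average
utilisation, mean frame size, capture snaplen and the fraction left after
compression. Sizes are reported in decimal terabytes (1 TB = 10^12 bytes).
"""
from dataclasses import dataclass
from typing import Dict, Optional

SECONDS_PER_DAY = 86_400
PCAP_RECORD_HEADER = 16   # bytes the classic pcap format adds in front of every frame


@dataclass(frozen=True)
class CapturePlan:
    line_rate_bps: float            # 1e9 for a 1 Gbps link
    utilisation: float = 1.0        # average fraction of the link actually in use
    avg_frame_bytes: int = 600      # assumed mean frame size on the monitored link
    snaplen: Optional[int] = None   # None = full frames; 96 = headers only
    compression: float = 1.0        # 1.0 = none, 0.5 = on-disk size halves

    def bytes_per_second(self) -> float:
        """On-disk bytes per second for this plan."""
        wire_bytes = self.line_rate_bps * self.utilisation / 8
        frames_per_second = wire_bytes / self.avg_frame_bytes
        kept = self.avg_frame_bytes if self.snaplen is None else min(self.snaplen, self.avg_frame_bytes)
        return frames_per_second * (kept + PCAP_RECORD_HEADER) * self.compression

    def bytes_for_retention(self, days: float) -> float:
        return self.bytes_per_second() * SECONDS_PER_DAY * days

    def retention_days_for_budget(self, budget_bytes: float) -> float:
        """How many days a given amount of storage holds before the oldest data must go."""
        return budget_bytes / (self.bytes_per_second() * SECONDS_PER_DAY)


def terabytes(n_bytes: float) -> float:
    return round(n_bytes / 1e12, 1)


def compare_plans(days: float = 30) -> Dict[str, float]:
    """TB needed for `days` of retention under several plans for the same link."""
    plans = {
        "1G full capture, 100% busy": CapturePlan(1e9),
        "1G full capture, 40% busy": CapturePlan(1e9, utilisation=0.4),
        "1G full capture, 40% busy, 2:1 compression": CapturePlan(1e9, utilisation=0.4, compression=0.5),
        "1G headers only (96 B snaplen), 40% busy": CapturePlan(1e9, utilisation=0.4, snaplen=96),
        "10G full capture, 100% busy": CapturePlan(10e9),
    }
    return {name: terabytes(plan.bytes_for_retention(days)) for name, plan in plans.items()}


if __name__ == "__main__":
    for name, tb in compare_plans().items():
        print(f"{tb:>10.1f} TB  {name}")
    budget = 100e12   # a hypothetical 100 TB array
    days = CapturePlan(1e9, utilisation=0.4).retention_days_for_budget(budget)
    print(f"100 TB holds {days:.1f} days of 1G at 40% utilisation")
```

The header-only row is the point most often missed: a 96-byte snaplen keeps the 5-tuple, flags and timing that most investigations start from at less than a fifth of the full-capture cost, which is one way to keep the "as many points as possible" advice affordable.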
Ruslan Yakush says
Shain, great point about Wireshark. I agree that Wireshark is a great tool, but for post-incident activities. Whenever we have issues in our network we use it to capture data in as much detail as possible to narrow down to a root cause and abnormal traffic behavior. It is also a great tool for post-deployment verification of solutions, for example, to make sure that certain packets are encrypted, tagged with a specific VLAN or other property, and meet other requirements. Obviously, since Wireshark produces so much data, it would be impractical to collect data on an ongoing basis for all systems, but only upon need such as a proof of concept or forensic analysis.
Anthony Clayton Fecondo says
I definitely agree with your analysis. Total packet capture consumes way too much storage media to be practical. However, how does one decide what traffic to capture? I’ve been thinking about that question a lot this week. My conclusion is that I have to agree with Ruslan. Wireshark is more practical for the applications he suggested because full packet capture is just infeasible.
I wonder, if you had to capture specific traffic, what would it be?
Jose Gomez says
I agree with your opinion on Wireshark; it’s a tool heavily used to help identify intrusions in a system. Its ability to sniff packets and analyze them helps when analyzing traffic or an incident. When doing an incident investigation it becomes invaluable for finding the breadcrumbs that may lead to the source of an intrusion.
Ryan P Boyce says
The largest factor in a company’s packet capturing strategy is the amount of storage it takes to perform this task. Capturing network traffic and writing this data to disk means major overhead for a company. Depending on the node(s) and network(s) being monitored, terabytes worth of data can be generated every single day. A company must first determine if it can afford this overhead and if capturing all network traffic is worth the time. If it is not, it may look to capture only certain traffic from certain machines/networks. It may choose to only monitor its most sensitive systems such as production database or application servers. Similarly, it may choose to monitor only systems that have already been identified as having issues. For example, if administrators or developers notice a certain application is creating more HTTP sessions than it should be, Wireshark may help determine why this is happening.
In a broad sense, other network devices give a macro view of the lower level view Wireshark gives. For example, most modern firewalls have the ability to monitor middle levels of the OSI stack. Any behavior that is irregular will be seen by the firewall and the connection closed. This is a sign that some system has been corrupted and that more detailed packet analysis is needed. In this example, Wireshark was not needed to identify initial intrusion but, instead, to see very specific intrusion details much like a detective would be called in after a police officer responded to the initial crime.
Ultimately, storage capacity, system/application importance, and network architecture determine when and where Wireshark/packet capturing is used. The nature of the business will also play a major factor in how much packet capturing is needed. A company that is performing mostly research (localized applications analyzing local data) might not have as high a demand for network analysis as perhaps a web hosting company would.
Shain R. Amzovski says
Ryan,
You make some great points here with your summary on packet capture. I agree storage is a big factor in determining what packets are captured in what areas of the organization. Things can get very costly very quickly with storage costs. I like the analogy you made with the firewall and Wireshark as the detective. Wireshark is a good tool for analyzing packets and determining what happened, where it happened, and what was affected.
Vaibhav Shukla says
Packet capture is the process of intercepting and logging traffic. Usually a packet analyzer is used for capturing traffic, which is a computer program or piece of computer hardware that can intercept and log traffic that passes over a digital network or part of a network. There are some factors which determine the packet capturing strategy.
Storage and cost factor: When we talk about full data capture, a typical system in an organization can generate GBs of data, and retaining that data may require TBs of hard disk space for a month or a year. Looking at the size of the organization, the amount of storage space required may exceed the cost associated with the risk of a compromised system. Thus the cost-benefit analysis during risk assessment usually drives organizations not to have full data capture.
Legal issues: The data captured and stored for retention should be protected from any unauthorized access; any data leakage could land organizations in legal trouble. Thus maintaining and securing such a huge amount of data could be a challenge.
Organizations should not focus on complete data capture but can focus on data capture for some highly sensitive systems like web servers.
Shain R. Amzovski says
Vaibhav,
I agree that capturing all packets would require a cost-benefit analysis. Storage can add up quickly: 1 Gbps with a 30-day retention policy is roughly 316 TB of storage. Also, I agree that legal issues are important in this assessment as well. Too much stored data would make the packets harder to analyze, and may not provide the best solution for detecting a breach, determining what happened, and finding out what information was breached.
Ruslan Yakush says
Vaibhav, nice comment about capturing only highly sensitive systems. Packet capture systems could pull data from mirrored ports (RSPAN) over deeper network segments, provided that VLANs and routing are configured properly throughout the network. Also, to maintain the security of captured data, encryption can be used for data capture and storage, along with authentication controls to restrict access to authorized individuals only.
Zhengshu Wu says
Vaibhav, good post.
I agree that not all network traffic requires monitoring, or it provides only limited value. Some examples might include scheduled high-volume backups, traffic to/from the full packet capture device itself, or duplicative traffic monitored by another full packet capture system.
Sachin Shah says
I agree logging is important but takes up a lot of space. I think it comes down to cost-benefit and what is being logged. I believe web servers or database servers would be of the utmost value. I work in a hospital, and the application server on which our Electronic Medical Record system resides is more important than some of our “one-off” systems. Hence logging will be needed in the patient care systems.
I do coding, and if I have extensive logging I have seen the log files become larger than a gig. At that point it takes forever for a log file to even open.
Anthony Clayton Fecondo says
what factors influence an organizations Packet Capture strategy? Please provide some insight into some of these factors and why they are or are not relevant?
In any instance, the ideal scenario would be total packet capture. However, there are limitations that make a strategy like this impractical. First and foremost, the amount of storage that would be required to retain a copy of every packet that is transmitted through the network would be cost-prohibitive. A balance has to be struck between retaining necessary information and keeping expenses reasonable. One such compromise is the use of NetFlow instead of packet capture. NetFlow doesn’t capture the contents of packets. Instead, it captures metadata of the packets such as time sent/received, size of the packet, sender’s IP and receiver’s IP.
Another issue that’s similar to cost effectiveness is the time it would take to sift through total packet captures. Again, NetFlow provides a solution to this by reducing the content that you have to analyze when reviewing packets.
A third issue could be privacy. Firstly, employees might feel uncomfortable with the entire contents of all of their activity being recorded. Secondly, if any of this information is sensitive, the organization has the added burden of keeping the data within the captured packets safe.
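To show what that NetFlow-style compromise keeps and what it loses, here is an added example from the editor (not Anthony's code and not any vendor's NetFlow implementation): packets are collapsed into unidirectional 5-tuple flow records using NetFlow's inactive/active timeouts, and the records are then mined for something full captures would drown in, a host contacting one destination at a fixed interval. All traffic is constructed; the 48-byte record size is that of a NetFlow v5 record.

```python
"""NetFlow-style flow export from packet summaries (added example, not from the thread).

A flow is a unidirectional 5-tuple (src, dst, proto, sport, dport). A record keeps
timing, counts and TCP flags only, never payload, so it costs a fixed 48 bytes
(the NetFlow v5 record size) however large the flow was. Traffic is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, int]
NETFLOW_V5_RECORD_BYTES = 48


@dataclass
class FlowRecord:
    key: FlowKey
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0          # OR of all TCP flags seen, as NetFlow v5 reports


class FlowCache:
    """Aggregates packets into flows and exports them on NetFlow-style timeouts."""

    def __init__(self, inactive_timeout: float = 15.0, active_timeout: float = 1800.0):
        self.inactive_timeout = inactive_timeout
        self.active_timeout = active_timeout
        self.active: Dict[FlowKey, FlowRecord] = {}
        self.exported: List[FlowRecord] = []

    def observe(self, ts, src, dst, proto, sport, dport, length, tcp_flags=0) -> None:
        self.expire(ts)
        key = (src, dst, proto, sport, dport)
        rec = self.active.get(key)
        if rec is None:
            rec = self.active[key] = FlowRecord(key, ts, ts)
        rec.last_seen = ts
        rec.packets += 1
        rec.octets += length
        rec.tcp_flags |= tcp_flags

    def expire(self, now: float) -> None:
        """Export flows idle past inactive_timeout or alive past active_timeout."""
        for key, rec in list(self.active.items()):
            if now - rec.last_seen > self.inactive_timeout or now - rec.first_seen > self.active_timeout:
                self.exported.append(self.active.pop(key))

    def flush(self) -> List[FlowRecord]:
        self.exported.extend(self.active.values())
        self.active.clear()
        return self.exported


def find_periodic(exported: List[FlowRecord], min_occurrences: int = 5, tolerance: float = 0.1):
    """Destinations reached by many separate flows starting at near-constant intervals."""
    starts: Dict[Tuple[str, str, int], List[float]] = {}
    for rec in exported:
        src, dst, _proto, _sport, dport = rec.key
        starts.setdefault((src, dst, dport), []).append(rec.first_seen)
    hits = []
    for group, times in starts.items():
        if len(times) < min_occurrences:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(gaps) - min(gaps) <= tolerance * mean:
            hits.append((group, round(mean, 1)))
    return hits


def constructed_packets():
    """(ts, src, dst, proto, sport, dport, length, tcp_flags), sorted by time."""
    pkts = []
    for i in range(40):     # interactive HTTPS session, one packet every half second
        pkts.append((i * 0.5, "192.168.1.10", "93.184.216.34", 6, 50000, 443, 700, 0x18))
    for i in range(10):     # one small packet to a single host every 60 s: beacon-like
        pkts.append((i * 60.0, "192.168.1.10", "203.0.113.9", 6, 50001, 8443, 120, 0x18))
    for i in range(200):    # bulk rsync to an internal backup server
        pkts.append((i * 0.5, "192.168.1.50", "10.0.9.2", 6, 50002, 873, 1460, 0x10))
    return sorted(pkts, key=lambda p: p[0])


def run():
    """Returns (exported flows, periodic hits, packet bytes seen, bytes of flow records)."""
    cache = FlowCache()
    pkts = constructed_packets()
    for pkt in pkts:
        cache.observe(*pkt)
    exported = cache.flush()
    return exported, find_periodic(exported), sum(p[6] for p in pkts), len(exported) * NETFLOW_V5_RECORD_BYTES


if __name__ == "__main__":
    exported, periodic, packet_bytes, flow_bytes = run()
    print(f"{len(exported)} flows ({flow_bytes} bytes) summarise {packet_bytes} bytes of packets")
    print("periodic destinations:", periodic)
```

Two things follow from the output. The beacon is visible purely from flow start times, because each 60-second gap exceeds the inactive timeout and produces a separate record, so a full capture is not needed to spot it. And nothing in a record says what was sent: the payload of that beacon, or of the backup, is exactly what the flow compromise gives up, which is the part a forensic investigation would still need a full capture for.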
Mengxue Ni says
Anthony, nice post! I like what you listed here, and they are definitely relevant to a packet capture strategy. I think cost effectiveness can be considered when deciding whether to collect all the packets or not. By comparing the cost and benefit of collecting all packets or filtering them, organizations can make a better decision based on their situation. I like your last point most: organizations should all consider the balance between the privacy of employees and the security of the company, and follow related regulations and laws.
Anthony Clayton Fecondo says
Mengxue, I’m glad you mentioned the point about privacy vs. security. This is an issue that I’m really interested in at the moment, and I think as professionals in the security realm, many times it’s easy to forget about the privacy aspect in the pursuit of total security. I think it’s important to remember that no matter how many controls you put on a system, the system will never be impenetrable. With that in mind, I would argue we should be willing to sacrifice some degree of security to protect the rights of the data owners when it’s reasonable.
Ruslan Yakush says
Having a packet capture strategy in the organization is great for a number of benefits, including using captured packets for forensic analysis in the event of an incident, detecting malware activity using command and control, identifying the source that triggered malicious activities, helping in root cause analysis, verifying data encryption upon turning on encryption for a certain application with a specific protocol, investigating abnormal behavior of certain traffic between sources and destinations, having all the details of the data at layers 1-7 of the OSI model for deep-dive protocol analysis, and troubleshooting everyday networking issues. All these benefits are influencing factors for implementing a packet capture strategy in the organization, as it would enable “Detection Controls”.
Some of these factors create irrelevance for a packet capture strategy, including the enormous amount of captured data. Without a data analytics system that would digest all the data and translate it into a human-readable format, it would be useless to capture all the data, especially keeping it for a long time. A retention policy should also be in place to limit packet history to a certain point. Another irrelevance would be the inability to prevent an intrusion by performing data capture on the perimeter network. For example, when malicious code transferred via USB storage media is executed on one of the hosts within the LAN, packet captures would not prevent the incident, since this traffic would only be captured in the outbound direction once the device is within the LAN.
A packet capture strategy should be implemented in such a way that network traffic is captured on all required entry and exit points of the infrastructure segments where critical servers are located. At a minimum, an organization should at least implement sniffer solutions on the perimeter/edge network in line with core routers and firewalls. However, this would only detect and prevent ingress and egress traffic at the edge between LAN and WAN, and create a single point of failure. So, a better strategy would be to have decentralized packet capture for redundancy and load balancing, then enabling SPAN ports on key infrastructure segments where sensitive data is stored to enable traffic mirroring from different LAN segments; that would also monitor endpoints to improve the insights of the detection and prevention strategy.
Vaibhav Shukla says
Yeah, apart from storage, packet analysis could also be an important issue with packet capturing. The amount of data generated could be huge, and collecting data is not worthwhile until it is properly analyzed, which requires proper analytic tools.
Loi Van Tran says
Ruslan,
I believe that capturing traffic at the entry and exit points makes a lot of sense. A more interesting point you made was that packet capturing helps with verifying the successful implementation of encryption. I remember doing this in our Operating System Security class. We were able to use Wireshark to capture unencrypted telnet traffic; we then added IPsec controls to encrypt the telnet traffic and verified that it worked with Wireshark.
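A check like the one Loi describes can be scripted against exported payloads instead of eyeballed in Wireshark. This is an added example from the editor, not from the class exercise: it scores each payload by printable-ASCII fraction and Shannon entropy, flags cleartext on a flow that should have been encrypted, and reports whether a credential prompt was visible in it. The Telnet session, the stand-in ESP payloads and the thresholds are all constructed.

```python
"""Checking captured payloads for cleartext (added example, not from the thread).

Two cheap per-payload signals: the fraction of printable ASCII and the Shannon
entropy in bits per byte. A Telnet login scores high/low, while TLS records or
ESP payloads score low/high. Thresholds and all sample payloads are constructed.
"""
import hashlib
import math
from typing import List, Tuple


def printable_fraction(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant payload, approaching 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    """Verdict per payload; the thresholds are assumptions, not a standard."""
    if len(data) < 32:
        return "too-short"
    printable, entropy = printable_fraction(data), shannon_entropy(data)
    if printable > 0.9 and entropy < 6.0:
        return "cleartext"
    if printable < 0.6 and entropy > 7.0:
        return "likely-encrypted"
    return "unknown"


def audit(flows: List[Tuple[str, str, List[bytes]]]):
    """For each (name, label, payloads): (name, label, cleartext payload count, credential seen)."""
    findings = []
    for name, label, payloads in flows:
        cleartext = [p for p in payloads if classify(p) == "cleartext"]
        if cleartext:
            credential = any(b"assword" in p or b"login" in p.lower() for p in cleartext)
            findings.append((name, label, len(cleartext), credential))
    return findings


def pseudo_random(n: int, seed: bytes = b"esp") -> bytes:
    """Deterministic stand-in for ciphertext so the example runs the same every time."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def constructed_flows():
    """A Telnet session before IPsec, and the same kind of session afterwards seen only as ESP."""
    telnet = [
        b"\xff\xfd\x18Ubuntu 22.04.3 LTS core-switch-01 ttyp0\r\n\r\nlogin: ",
        b"admin\r\nPassword: hunter2\r\nLast login: Mon Jan 15 12:30:45 2024 from 192.168.1.10\r\n$ ",
        b"\xff\xfb\x01",                       # bare option negotiation: too short to judge
    ]
    esp = [pseudo_random(1024, b"esp-1"), pseudo_random(600, b"esp-2")]
    return [("telnet-before-ipsec", "tcp/23", telnet), ("telnet-inside-esp", "esp", esp)]


if __name__ == "__main__":
    for finding in audit(constructed_flows()):
        print("cleartext on flow expected to be encrypted:", finding)
```

The entropy test alone is not proof of encryption (compressed data scores just as high), which is why the flow label and the protocol on the wire still matter; the check is useful as a regression test after a change like the IPsec rollout above, where a single cleartext verdict on the Telnet flow is enough to fail it.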
Anthony Clayton Fecondo says
Ruslan, thanks for the insights. You mentioned a lot of important aspects of packet capture. One of the problems you noted was storing the data. I’m not sure if you’re familiar with NetFlow, but it’s an alternative to total packet capture which captures the packets’ metadata rather than the actual contents. If you were to implement that as part of the packet capture strategy, what data would you take a total packet capture of and which would you choose to use NetFlow for?
Mengqi He says
Packet capture is a very important part of the development of intrusion detection and response. Captured packets can be investigated and analyzed to help monitor network traffic and detect suspicious activities. Packet capture can be a part of an IDS, to indicate whether an internal IP address is communicating with a suspicious outside IP address and to figure out whether an IDS alert is real or not, or a part of incident response, doing a continuous capture for forensic analysis during an incident or a post-incident capture to determine if data exfiltration has occurred.
When developing the packet capture strategy, an organization should understand what packets should be captured and where and how long to store the captured packets, and there are several factors that should be considered, including the space and budget to store the packets, ingestion speed, retention policy and regulatory requirements. The space and budget to store captured packets are limited, and it’s impossible for organizations to capture everything. Therefore, an organization should figure out the minimum storage required for captured packets that enables it to operate in the most cost-effective manner. When estimating the minimum storage required, an organization needs to consider its ingestion speed, which is the speed at which the organization can monitor the connection and analyze captured packets. With a higher ingestion speed, the organization can store packets for a shorter time and thus require less space for packet storage.
In addition, packet capture should also consider an organization’s retention policy. A retention policy usually indicates what kind of data to store, where and how long to store the data, and how to dispose of the data properly. The policy should also include guidelines for storing captured packets. Therefore, an organization should refer to the retention policy to ensure they store and dispose of the packets properly.
One more important thing to consider is regulatory requirements. There are regulations requiring organizations to capture packets for forensics, e-discovery, and post-breach analysis. For example, NIST SP 800-53 requires logging of events “adequate to support after-the-fact investigations” of security incidents and “identifying the information involved” in the case of a security incident. HIPAA also has a similar requirement.
Reference: https://www.sans.org/reading-room/whitepapers/forensics/implementing-full-packet-capture-37392
Zhengshu Wu says
Mengqi, good to mention the legal consideration of HIPAA.
HIPAA requires health-related data to be encrypted during transmission. This puts packet captures in a unique place: since they contain all of the transmitted data, they could be considered to be both the electronic records themselves and representative of the transmission of those records. In the case of capture tools like Wireshark, they usually run on workstations where the captures are saved locally, and require replication of resources like RSA keys when doing analysis.
Julien Rossow-Greenberg says
The largest obstacle when developing a packet capture strategy is storage. Though many packet capture solutions integrate space-saving compression methods, capturing 100% of network traffic even in a small to mid-size organization is going to require a large amount of storage. The organization must ask itself first: do we need to capture all traffic? In most cases, not all traffic is equal in terms of importance to organizational security. Costs can be cut by eliminating traffic deemed of no forensic value. Can we leverage open source tools to offset the cost of storage? Open source tools can be both cheap/free and scalable. Investing in mastering an open source utility can sometimes outweigh the benefit of investment in a commercial utility.
Mengxue Ni says
I totally agree with you, Julien: storage is the most important factor that should be considered when establishing a packet capture strategy. In order to capture only the traffic that is necessary for the organization, they need to use packet filters. It will lower the cost of storage, but it can’t be ensured that all the packets filtered out are not useful for future use or investigation. Therefore, setting the packet filter is a very important step that should be considered carefully.
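One way to make that filtering decision concrete, as an added example from the editor rather than anything posted in this thread: a small pcap reader that applies a capture policy (keep perimeter crossings and anything touching a sensitive segment) and truncates what it keeps to a snaplen, so internal file-share traffic is dropped while the database traffic is kept as headers plus a few bytes. The address ranges, the policy and the four sample frames are constructed for the example; the parser handles only little-endian pcap with Ethernet/IPv4 and TCP/UDP, which is all the constructed file contains.

```python
"""Selective capture from a pcap stream (added example, not from the thread).

Parses classic pcap (Ethernet/IPv4 with TCP or UDP), keeps only frames that cross
the perimeter or touch a sensitive segment, and truncates what it keeps to a snaplen.
The address ranges, the policy and the sample frames are all constructed here.
"""
import ipaddress
import struct
from typing import Dict, Iterator, List, Optional, Tuple

PCAP_MAGIC, LINKTYPE_ETHERNET, ETHERTYPE_IPV4 = 0xA1B2C3D4, 1, 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
INTERNAL = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE = [ipaddress.ip_network("10.0.5.0/24")]     # hypothetical database segment


def pcap_global_header(snaplen: int = 65535) -> bytes:
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(ts_sec: int, ts_usec: int, frame: bytes, snaplen: int = 65535,
                orig_len: Optional[int] = None) -> bytes:
    data = frame[:snaplen]
    wire_len = orig_len if orig_len is not None else len(frame)
    return struct.pack("<IIII", ts_sec, ts_usec, len(data), wire_len) + data


def build_frame(src: str, dst: str, proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/{TCP,UDP} frame; checksums are zero, which this parser never checks."""
    if proto == PROTO_TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + l4


def parse_pcap(blob: bytes) -> Iterator[Dict]:
    """Yield one dict per record; src/dst stay None for frames that are not IPv4."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian, microsecond pcap is handled here")
    off = 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        data = blob[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        pkt = {"ts_sec": ts_sec, "ts_usec": ts_usec, "incl_len": incl_len, "orig_len": orig_len,
               "src": None, "dst": None, "proto": None, "sport": None, "dport": None, "data": data}
        if len(data) >= 34 and struct.unpack_from("!H", data, 12)[0] == ETHERTYPE_IPV4:
            l4 = 14 + (data[14] & 0x0F) * 4            # Ethernet header + IHL words
            pkt["proto"] = data[23]
            pkt["src"] = str(ipaddress.IPv4Address(data[26:30]))
            pkt["dst"] = str(ipaddress.IPv4Address(data[30:34]))
            if pkt["proto"] in (PROTO_TCP, PROTO_UDP) and len(data) >= l4 + 4:
                pkt["sport"], pkt["dport"] = struct.unpack_from("!HH", data, l4)
        yield pkt


def _in(ip: Optional[str], nets: List[ipaddress.IPv4Network]) -> bool:
    return ip is not None and any(ipaddress.ip_address(ip) in n for n in nets)


def worth_keeping(pkt: Dict) -> bool:
    """Policy: keep perimeter crossings and anything touching a sensitive segment."""
    if pkt["src"] is None:
        return False
    crosses_perimeter = _in(pkt["src"], INTERNAL) != _in(pkt["dst"], INTERNAL)
    touches_sensitive = _in(pkt["src"], SENSITIVE) or _in(pkt["dst"], SENSITIVE)
    return crosses_perimeter or touches_sensitive


def filter_and_truncate(blob: bytes, snaplen: int = 96) -> Tuple[bytes, Dict[str, int]]:
    """Write a new pcap holding only policy-selected frames, each cut to snaplen."""
    out = [pcap_global_header(snaplen)]
    stats = {"packets_in": 0, "packets_kept": 0, "bytes_in": 0, "bytes_out": 0}
    for pkt in parse_pcap(blob):
        stats["packets_in"] += 1
        stats["bytes_in"] += pkt["orig_len"]
        if worth_keeping(pkt):
            rec = pcap_record(pkt["ts_sec"], pkt["ts_usec"], pkt["data"], snaplen, pkt["orig_len"])
            out.append(rec)
            stats["packets_kept"] += 1
            stats["bytes_out"] += len(rec) - 16
    return b"".join(out), stats


def sample_capture() -> bytes:
    """Constructed traffic: DNS egress, internal SMB, a query to the DB segment, inbound HTTPS."""
    frames = [
        build_frame("192.168.1.10", "8.8.8.8", PROTO_UDP, 51000, 53, b"\x12\x34\x01\x00" + b"\x00" * 28),
        build_frame("192.168.1.10", "192.168.1.20", PROTO_TCP, 49152, 445, b"\xfeSMB" + b"\x00" * 1000),
        build_frame("192.168.1.10", "10.0.5.7", PROTO_TCP, 49153, 3306, b"SELECT * FROM cards" + b" " * 300),
        build_frame("203.0.113.5", "192.168.1.10", PROTO_TCP, 40000, 443, b"\x16\x03\x01" + b"\x00" * 200),
    ]
    return pcap_global_header() + b"".join(pcap_record(1_700_000_000 + i, 0, f) for i, f in enumerate(frames))


if __name__ == "__main__":
    kept_pcap, stats = filter_and_truncate(sample_capture(), snaplen=96)
    print(stats)
    for p in parse_pcap(kept_pcap):
        print(p["src"], "->", p["dst"], "port", p["dport"], "stored", p["incl_len"], "of", p["orig_len"])
```

In production the same selection is normally expressed on the capture tool itself (tcpdump's `-s` sets the snaplen and its filter expression selects hosts and nets), but working through it in code makes visible what the policy drops and what survives truncation: the 5-tuple and timing are intact in every kept record, while most of the payload is not. The flip side Mengxue raises is visible too: the SMB frame that was dropped as "internal and not sensitive" is exactly the kind of lateral-movement traffic an investigation may later wish it had.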
Joseph Nguyen says
Ruslan, do you know any organization that has a real implementation of a packet capture strategy on a daily basis or as part of an Intrusion Management strategy? If there are companies that do, it would be interesting to know concretely what they exactly do and what their strategies are, besides for an investigation or post-incident.
I like the decentralized packet capture idea that you mentioned, that means the network structure is prepared and ready for investigation. Switches, routers, ports are ready for packet capture and the deployment can be done very rapidly and simultaneously at different points of the network.
Mengqi He, you mentioned NIST SP 800-53 and HIPAA, which require logging of events for investigation. It dawned on me that some regulations such as PCI DSS prohibit the practice of logging personal information or credit card numbers in the audit log.
Kevin Blankenship says
Joseph,
It is an interesting contradiction to have some regulations require logging of all information, and others that restrict it. Different countries have stricter regulations around the handling of PII (Germany, for example) than others.
However, in the case of PCI DSS, PII can be handled in a separate fashion. PCI DSS rules only cover the credit card information provided by a user.
Requirement 3.3: says to “Mask PAN (Primary Account Number) when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.”
Requirement 3.4 says to “Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
One-way hashes based on strong cryptography, (hash must be of the entire PAN)
Truncation (hashing cannot be used to replace the truncated segment of PAN)
Index tokens and pads (pads must be securely stored)
Strong cryptography with associated key-management processes and procedures”
The only cross-over between PII requirement and PCI standards is the cardholder name. This data must be stored, but does not need to be masked within logs and database storage. (Requirement 3.3)
Any logging, servers, applications, or users working within the PCI scope have much stricter security requirements than those of other systems. And requirement 3.3 does grant permission to access cardholder data if there is a legitimate business need (like an incident response scenario).
So two separate logging policies can be in place to handle PCI and PII information, while still meeting incident response and legal requirements.
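As an added example from the editor (not from Kevin's post or the PCI DSS text), the two Requirement 3.4 treatments he quotes applied to free-form log lines: candidate digit runs are confirmed with the Luhn check so order numbers and timestamps are left alone, then either truncated to first six/last four or replaced by a keyed hash. The regex, the key and the sample lines are constructed.

```python
"""Masking primary account numbers in log text (added example, not from the thread).

Applies two of the Requirement 3.4 treatments quoted above to free-form log lines:
truncation to the first six and last four digits, or a keyed one-way hash of the
whole PAN. The candidate pattern, the key and the sample lines are constructed here.
"""
import hashlib
import hmac
import re
from typing import Optional

# 13 to 19 digits, optionally separated by single spaces or hyphens, not part of a longer digit run
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(digits: str) -> str:
    """First six and last four kept, the rest masked (the 3.3 display rule applied to storage)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def hash_pan(digits: str, key: bytes) -> str:
    """HMAC rather than a bare hash: the PAN space is small enough to brute-force an unkeyed digest."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def scrub(line: str, key: Optional[bytes] = None) -> str:
    """Replace every Luhn-valid candidate in `line`; non-PAN digit runs are left untouched."""
    def replace(match: "re.Match") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw
        return truncate_pan(digits) if key is None else "PAN:" + hash_pan(digits, key)[:16]
    return _CANDIDATE.sub(replace, line)


SAMPLE_LINES = [   # constructed; 4111... and 5500... are the usual test card numbers
    "2024-01-15 12:30:45 checkout user=alice pan=4111 1111 1111 1111 amount=19.99 order=1234567890123456",
    "2024-01-15 12:31:02 refund user=bob pan=5500-0000-0000-0004 amount=5.00",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(scrub(line))
        print(scrub(line, key=b"constructed-demo-key"))
```

The keyed variant is what lets two logging policies coexist: the PCI-scoped log stores only the HMAC, so a card can still be correlated across events during an incident (hash the PAN under the same key and search), while nothing in the log itself renders the PAN readable. The same scrubber run over reassembled payloads is one answer to the concern about captured packets carrying cardholder data.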
Mengqi He says
Joseph, it’s interesting that you mention that PCI DSS prohibits the practice of logging personal information or credit card numbers in the audit log. I think what NIST SP 800-53 and HIPAA require is logging of events only for supporting investigation, but not logs containing users’ private information such as credit card information, but I believe it’s true that there may be some conflicts when dealing with different regulations and organizations’ own requirements. That’s why organizations need a packet capture strategy to indicate what packets they need and should capture, how long they should keep the packets, and how to dispose of the packets. Of course, storage is also an important factor organizations should consider when developing the strategy.
Deval Shah says
Joseph,
You bring up a good point. So, one regulation requires that logging is in place for incident handling, yet the other is restrictive. So what do you do? How do you balance competing regulations?
Joseph Nguyen says
Professor, I think some finance applications can be customized to granularly log certain information only. I worked for banks in Switzerland/Germany on anti-money laundering. Swiss regulations in the finance sector comply with European regulations, and both EU laws and regulations are in a certain way different from those of the US.
Banks comply by checking financial transaction logs every day within their systems against several lists (worldwide sanctions lists, PEP (Politically Exposed Persons) and AML (Anti-Money Laundering)). The sanctions/PEP lists are updated regularly; the AML list criteria are those that can be customized, like a certain amount of money, or where these transactions come from (a country, persons, an organization, etc.). There are about 30 criteria that can be chosen. They can then be combined, checked, and compared with the transaction logs produced by the bank systems to see if there is a match. The bank’s Department of Deontology is responsible for verifying those hits.
I am not sure exactly what information those regulations require to be logged and what is excluded, or what these logs are for or how they are compared. But I think the compliance department can surely provide those details and how they should be implemented.
Josh Zenker says
A packet capture strategy requires your organization to strike a delicate balance. You must weigh several factors, including where in your network to perform packet capture, how to ensure captures are available when they are needed, how much capture data you should store, and what your legal/regulatory obligations are. No solution will be perfect, but you have to decide what is most likely to serve your organization’s needs.
In order to get useful packet captures, you need to position your capture device(s) at a point in your network where they can see the complete picture. Typically this means mirroring/spanning ports on your core routers or adding an in-line fiber tap. Port mirrors are less expensive to implement, but they can impact the performance of your routers or switches because of the extra processing required to forward the packets to another port. A tap—nowadays usually positioned directly in your fiber line—is more expensive and can take down that line if it fails. However, it will provide the closest to perfect packet capture.
Packet captures are useless for forensics if you didn’t capture packets during the time period of interest. To this end, you need to plan for your packet capture devices to be running all the time. In special cases, you might consider having a port mirror or tap in place to which a capture device can be temporarily connected to investigate a particular issue.
Captures can consume considerable storage space, depending on how much traffic is flowing through your network. You need to decide where you’re going to store all the capture data and what it’s going to cost you. The key decision will be how long to store your captures. As Professor Shah pointed out in class, it can take months before a security breach is discovered. If you’re not retaining captures at least that long, they won’t help you to track down the initial compromise.
Your industry’s legal and regulatory obligations are another consideration when deciding how long to retain captures and what to capture in the first place. Particularly in industries like finance and healthcare, organizations are required to keep records for a specific amount of time and protect client privacy in specific ways. Financial industry regulatory bodies like the SEC and healthcare legislation like HIPAA are two examples that might apply to your industry.
What works for one organization may be too costly or simply ineffective for another. You will never be able to capture and retain 100% of your network traffic. Even if you could, you would have to bring big data tools to bear in order to find anything useful in all that data. Ultimately, it’s up to your management to decide how much to spend and what risks to accept when creating a packet capture strategy.
Julien Rossow-Greenberg says
Josh, great insight. As you said, it’s impossible to capture and retain 100% of your traffic. So it’s important for the organization to try to determine where packet capturing fits in the overall risk framework of the organization. This is obviously a very important decision, especially today, as the ability to look back on your traffic could have huge financial and legal ramifications.
Mengxue Ni says
Packet capture can be used by both security teams and hackers. So, the question is how security teams can use it to prevent hackers from stealing their data. Packet capture is a term for intercepting a data packet that is crossing or moving over a specific computer network. Once a packet is captured, it is stored temporarily so that it can be analyzed. The packet is inspected to help diagnose and solve network problems and determine whether network security policies are being followed. Hackers can also use packet capturing techniques to steal data that is being transmitted over a network.
First, before we establish the packet capture strategy, we need to understand the goal of packet capture each time. Then we need to have different procedures for different uses of packet capture. Second, the strategy needs to be updated for related laws or regulations on time. Lastly, how to dispose of the capture is important: the security team needs to decide whether to keep the capture data safely for future use or properly destroy the record.
Instead of filtering a specific portion of a packet, complete packets can be captured. The full packet includes two things: a payload and a header. The payload is the actual contents of the packet, while the header contains extra information, including the packet’s source and destination address. The different applications and uses of data capturing include the following:
• Security: Data capturing is used to identify security flaws and breaches by determining the point of intrusion.
• Identification of Data Leakage: Content analysis and monitoring helps to ascertain the leakage point and its sources.
• Troubleshooting: Managed through data capturing, troubleshooting detects the occurrence of undesired events over a network and helps solve them. If the network administrator has full access to a network resource, he can access it remotely and troubleshoot any issues.
• Identifying Data/Packet Loss: When data is stolen, the network administrator can retrieve the stolen or lost information easily using data capturing techniques.
• Forensics: Whenever viruses, worms or other intrusions are detected in computers, the network administrator determines the extent of the problem. After initial analysis, she may block some segments and network traffic in order to save historical information and network data.
Useful link: https://www.techopedia.com/definition/25333/packet-capture
https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/
Joseph Nguyen says
Josh, as you mentioned, I think the capture strategies should be considered after an audit, or particularly after an intrusion detection audit where specific/sensitive areas in the big picture might be considered. Capture of total network traffic seems to me not a very good idea.
Loi Van Tran says
The challenge with any data collection is storage capacity, relevance, and the data’s value to the business. Packet capture technology is a detective control, used to investigate post-incident. If the company has properly developed its data classification and retention policies, then the task of determining what to capture would probably make more sense. Through data classification, the organization has identified what is important/sensitive to the organization. Safeguards were implemented to prevent CIA from being compromised.
So what happens if an attacker gains unauthorized access? Packet capturing would help identify what was accessed, what was exfiltrated, how the intrusion was carried out, etc. It also helps the company internally, e.g., ensuring encryption is working properly. The company may determine that data stored, used, and transmitted with a higher classification should be captured, to limit storage needs. Like many have already mentioned, storage becomes increasingly expensive if the business decides to capture everything.
Zhengshu Wu says
Packet Capture provides a network defender an after-the-fact investigative capability that other security tools cannot provide. Uses include capturing malware samples, network exploits and determining if data exfiltration has occurred. Packet captures are a valuable troubleshooting tool for operations and security teams alike. Successful implementation requires an understanding of organization-specific requirements, capacity planning, and delivery of unaltered network traffic to the packet capture system.
Successful implementation relies on three key factors. First, planning for organization-specific requirements including minimum retention and where to capture network traffic. Second, delivering unaltered traffic to the packet capture system. Third, sizing the packet capture system to process and store the required network traffic.
When planning a full packet capture deployment, several decisions are required that will affect capacity planning: Where to place full packet capture monitoring? What to monitor? What are the data retention requirements? Moreover, what redundancy or scaling requirements exist?
Deploying full packet capture systems requires careful planning and an understanding of the organization’s network. Equally important is continuing to monitor that the packet capture system operates as expected in the event of an incident.
Reference: https://www.sans.org/reading-room/whitepapers/forensics/implementing-full-packet-capture-37392
Jimmy C. Jouthe says
The packet capture strategy would be more in line with preventing and detecting the types of threats an organization receives on a daily basis, as well as the risks an organization expects to face based on a thorough risk assessment. As time goes on, the expectation would be to fine-tune the strategy as more data is collected and analyzed to discover patterns that would help in making the prevention and detection more effective. As more and more threats are being introduced, packet capture strategies would need to include ways of detecting these new risks and, more importantly, preventing these new risks. Whether it’s using hardware, software or any other method, it’s up to the organization to choose the best method to capture packets. Cost may be a factor; a company may not have enough in the budget to capture it all, so putting more of a focus on the data that is more important may have to be part of that strategy. Interoperability may also be a factor; based on how an organization’s software management system is set up on the network, finding a software solution that is compatible may be the best strategy. Rank-ability is also a factor; an organization may only want to put more of its resources on capturing packets of data in one part of the network, versus another part of the network, because of the risk of damaging an organization’s availability, confidentiality and integrity. Location can also be a factor that influences an organization’s packet capture strategy. An organization may want to put more focus on the data as it comes in and out of the network to the public internet. Or an organization may want to have more of its bases covered and add sensors to monitor data as it leaves individual devices as well. Another factor is “what” to capture; what does an organization look for when capturing packets? Does it look for keywords? Patterns of sensitive data that pertain to an organization? It all comes down to an organization’s plan of action.
Part of the plan could be based on best practices, standards and/or legal obligations that pertain to an organization’s industry.
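The post above raises the question of whether to select traffic by keywords or by patterns of sensitive data. The following is an added example, not code from the thread or from any participant, showing how the two differ in practice: a keyword list is a plain substring match, while a structured pattern such as a card number needs a regex plus a Luhn check to avoid flagging every 13-16 digit run (order numbers, timestamps). The keywords, the payloads and the classification rules are constructed for the example and stand in for reassembled TCP stream contents.

```python
import re

# Constructed selection criteria (assumptions for this example, not an organization's real list)
KEYWORDS = [b"Authorization: Basic", b"password="]
# 13-16 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check: separates real card numbers from digit runs that the regex alone would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_payload(payload):
    """Return which criteria a payload matches: keyword hits and Luhn-valid PANs (masked for logging)."""
    pans = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            pans.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return {"keywords": [k.decode() for k in KEYWORDS if k in payload], "pans": pans}


def select_for_capture(payloads):
    """Indexes of payloads matching at least one criterion; the rest need not be retained."""
    return [i for i, p in enumerate(payloads) if any(classify_payload(p).values())]


# Constructed payloads standing in for reassembled TCP stream contents
SAMPLE_PAYLOADS = [
    b"POST /checkout HTTP/1.1\r\n\r\ncard=4111 1111 1111 1111&exp=12/27",   # Luhn-valid PAN
    b"GET /orders/1234567890123 HTTP/1.1\r\n\r\n",                          # digit run, Luhn fails
    b"GET /admin HTTP/1.1\r\nAuthorization: Basic YWRtaW46aHVudGVyMg==\r\n\r\n",  # keyword hit
    b"GET /static/logo.png HTTP/1.1\r\n\r\n",                               # nothing of interest
]

if __name__ == "__main__":
    for i, p in enumerate(SAMPLE_PAYLOADS):
        print(i, classify_payload(p))
    print("retain:", select_for_capture(SAMPLE_PAYLOADS))
```

Note that the masked form is what should reach a log or index; keeping the full PAN in the capture metadata would create a second copy of the very data the policy is trying to protect.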
Marcus A. Wilson says
Organizations have identified the need to collect as many data points as possible across their networks to be able to use the appropriate forensics for investigations into compromises. The challenge is where and how long to store this data, how much is too much or too little, and how to effectively and efficiently retrieve this data when it is needed.
With that said, many have mentioned storage capacity as one of the larger factors that may influence an organization’s packet capture strategy, and I agree with this. Organizations have begun to battle this challenge by using different compression algorithms to lessen the storage capacity requirements. They have also begun to target monitoring on areas of their network that may have direct or heavily utilized paths to sensitive areas or information. By starting with segments of the network, they can build out a more complete strategy as they go along or get smarter on how they select areas to monitor. Another factor that all of this packet storage leads to is how the data is actually stored, such as indexing. Collecting all the data in the world means nothing if you do not have the ability to retrieve it when needed or are not able to properly investigate.
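Two of the posts above describe what a packet capture has to deliver after the fact: Loi’s point that it should show what was exfiltrated and whether encryption is actually working, and Marcus’s point that compressed, indexed storage is what makes retrieval possible at all. The block below is an added example, not code from the thread or from the SANS paper cited earlier, that puts both on a tiny constructed capture: it builds a handful of Ethernet/IPv4/TCP frames, writes them in classic libpcap format, indexes every TCP flow by file offset so a flow can be pulled back without rescanning, flags flows to port 443 whose first payload is not a TLS record, totals bytes leaving the internal address space per host, and measures how well the file compresses. The addresses, ports, internal ranges and payloads are all assumptions made for the example.

```python
import ipaddress
import struct
import zlib
from collections import defaultdict

# Internal address space is an assumption for this example; a real deployment uses its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in INTERNAL_NETS)


def build_frame(src, dst, sport, dport, payload):
    """Assemble a minimal Ethernet/IPv4/TCP frame (constructed test data; checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


TLS_HELLO = b"\x16\x03\x01\x00\x06\x01\x00\x00\x02\x03\x03"  # TLS handshake record (ClientHello stub)
TLS_DATA = b"\x17\x03\x03\x05\x78" + b"A" * 1400              # TLS application-data record, 1400 bytes
HTTP_GET = b"GET /secret.csv HTTP/1.1\r\nHost: example.test\r\n\r\n"

SAMPLE_FRAMES = [
    build_frame("10.0.1.5", "203.0.113.10", 51000, 443, TLS_HELLO),   # proper TLS to the internet
    build_frame("10.0.1.5", "203.0.113.10", 51001, 443, HTTP_GET),    # cleartext on a TLS port
    build_frame("10.0.1.7", "10.0.2.20", 51002, 80, HTTP_GET),        # internal plain HTTP
    build_frame("10.0.1.9", "198.51.100.7", 51003, 443, TLS_HELLO),   # bulk outbound TLS session
] + [build_frame("10.0.1.9", "198.51.100.7", 51003, 443, TLS_DATA)] * 8


def write_pcap(frames):
    """Serialise frames as a classic libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    doff = (frame[tcp + 12] >> 4) * 4
    return src, dst, sport, dport, frame[tcp + doff:]


def build_index(pcap):
    """Map each TCP 4-tuple to the (offset, length) of its records, so a flow is retrieved by
    seeking rather than by rescanning the file: the indexing step the post above refers to."""
    index, pos = defaultdict(list), 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        parsed = parse_frame(pcap[pos + 16:pos + 16 + caplen])
        if parsed:
            index[parsed[:4]].append((pos + 16, caplen))
        pos += 16 + caplen
    return dict(index)


def flow_payloads(pcap, index, key):
    """Retrieve one flow's TCP payloads through the index (random access)."""
    return [parse_frame(pcap[off:off + ln])[4] for off, ln in index.get(key, [])]


def cleartext_on_tls_port(pcap, index, tls_ports=(443,)):
    """Flows to a TLS port whose first payload is not a TLS record (content type 0x16, major version 3):
    the 'is encryption actually working' check."""
    hits = []
    for key in index:
        if key[3] in tls_ports:
            first = flow_payloads(pcap, index, key)[0]
            if not (len(first) >= 2 and first[0] == 0x16 and first[1] == 0x03):
                hits.append(key)
    return sorted(hits)


def outbound_bytes_by_host(index):
    """Bytes sent from internal hosts to non-internal destinations, per source host."""
    totals = defaultdict(int)
    for (src, dst, _, _), recs in index.items():
        if is_internal(src) and not is_internal(dst):
            totals[src] += sum(ln for _, ln in recs)
    return dict(totals)


def compression_ratio(pcap):
    """Raw size / zlib-compressed size. The constructed 'A' payloads compress absurdly well;
    real TLS payloads are near-random and barely compress, so plan storage on measured traffic."""
    return len(pcap) / len(zlib.compress(pcap, 6))


if __name__ == "__main__":
    pcap = write_pcap(SAMPLE_FRAMES)
    idx = build_index(pcap)
    print("flows indexed:", len(idx), "| cleartext on 443:", cleartext_on_tls_port(pcap, idx))
    print("outbound bytes by host:", outbound_bytes_by_host(idx))
    print("compression ratio: %.1fx" % compression_ratio(pcap))
```

The index here lives in memory; a production capture system persists it alongside the pcap files so that a flow from weeks ago can be located without reading the whole retention window. The compression figure is also the reason capacity estimates should be based on a sample of the organization’s own traffic: encrypted traffic yields almost none of the savings this constructed sample shows.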
Sachin Shah says
When it comes to packet capture strategy, the company needs to prioritize which servers or machines truly need their packets monitored or logged. I work in a hospital and we have over 50 applications, yet the important systems such as our EMR, interface engine, web hosting, and data warehouse take precedence. We have logging for those, and it may take up lots of terabytes of storage each minute, hour or day, but it is mission critical. If companies want to log all packet activity, then it will be expensive, lots of storage space will be needed, and such lengthy files will be cumbersome to view.
We have certain systems or servers that are used by 5-12 users; would monitoring all packet activity be worth it? Probably not. Yet there needs to be a proactive approach if there are certain parts of a network where activity may be suspicious.