Those of us with less than perfect 20/20 vision know the drill – sit in the chair and try to read the last line of characters on the eye chart while the optometrist flips through a set of lenses. The relief in the “aha” moment where you can actually see the characters is palpable.
Security teams go through the same process when trying to understand a potential threat. Their “lenses” come in the form of queries, reports, correlation rules, dashboards, etc. designed to bring clarity to the sludge pile of logs and undifferentiated alerts that they have collected.
But even with the best tools and the most comprehensive logs, true 20/20 insight will not be achieved. No matter how detailed the logs are, they are summaries of specific activities and transactions. Relying solely on logs leaves out information that is often critical in nature.
Some enterprises have tried to dive deeper into network traffic through the capture of NetFlow data. NetFlow summarizes the essential transactional elements of source, destination, protocol, duration, number of bytes transferred, etc. Helpful, but just a step further on the path to real clarity (is this view better than the previous one? Umm..maybe..).
To fully reach 20/20 security visibility, the final set of lenses comes from packets. It is only at the packet level that the exact nature of the traffic can be seen in its entirety. For example, entropy calculations that measure the normality or predictability of packet traffic can illuminate the interplay between encrypted payloads over unencrypted channels, which may indicate a compromise.
In order to investigate a threat, it is often the packet detail that is required for a definitive diagnosis. To mix medical metaphors, packet analysis is like a full blood workup – many different tests can be applied on the same raw material to determine what, if anything, is anomalous.
The good news is, with big data platforms and modern analytics and forensics technology, it is now practical for an organization to efficiently utilize packet-level insight on a routine basis. When it comes to spotting subtle attacks with very faint signals, packets can deliver the clarity to definitively see what’s really happening and give analysts the perfect 20/20 vision into their risk posture.