July 14, 2016 By Tom Obremski 4 min read

Let’s face it: Cybersecurity isn’t getting any easier as attacks become stealthier, more complex and harder to assess. Organizations are wisely investing in security intelligence to detect and respond to threats. But what happens once a potential incident has been identified? How do we truly know what happened, what assets or data have been compromised, and what remediation is required to address the immediate threat and defend against repeat attacks?

In nearly every case, the data required to answer these questions has already traversed our networks. So it really becomes a matter of capturing that data such that it can be recalled, investigated using forensics and the root cause of the breach determined. Packet capture certainly isn’t new, and more companies are seeing the value in capturing full packet data. But is it worth the investment?

How Much Data Storage Do You Need?

Not surprisingly, one of the challenges of full packet capture is the amount of data storage required. Storage costs scale based on the amount of data traversing the network and the length of time for which that data must be retained.

So how much storage is needed? Let’s assume we capture 100 percent of the network traffic in the following scenarios:

Scenario One: One Network, 1 Gbps of Data

We have a network with an average of 1 Gbps of data. I want to capture and retain that data for 30 days to give our security team time to detect an incident and then look back to understand not only what happened during that incident, but also the events leading up to and setting the stage for that particular incident.

We can calculate the amount of data storage required by converting bits per second to bytes per second and then multiplying by the number of seconds in the 30 days. This amounts to a total of 316.4 TB to store the 30 days’ worth of full packet data. Other items, such as indexes to find the data of interest, will require additional storage. But if done properly, the majority of storage will be dedicated to packet data. The 316.4 TB of data is a large but manageable amount of storage to deploy.

Let’s see what happens when the network bandwidth and number of network taps increase.

Scenario Two: Four Networks, 10 Gbps of Data Each

Let’s say we have four networks we want to tap, each of which is running at 10 Gbps. Again, we do the math and see that our storage requirement has grown to 12.4 PB for the 30 days’ worth of data.

The amount of data that needs to be stored can increase rapidly, depending on the network bandwidth and the number of points in the network that are tapped. Extending the retention period beyond 30 days will likewise increase the amount of storage required.

Full Packet Capture Can Help Save

Before you conclude that you’ll need more storage than you can afford or care to deal with, consider the following: Some packet capture solutions utilize compression algorithms that dramatically reduce the amount of storage space required while preserving the integrity of the data.

The second thing to consider is that, while it’s extremely beneficial to collect data from as many points across your networks as possible, some data is more valuable for forensics investigations than other network data. You can reduce the amount of data that needs to be stored by placing network taps strategically and prioritizing networks that are ingress/egress paths or that contain sensitive data.

For many, this serves as a good starting point that allows them to scale out their full packet capture deployments over time. Some packet capture solutions also allow customers to capture subsets of their network data to further optimize what data is collected and maximize the return on their packet capture investment.
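The sizing arithmetic behind both scenarios above, plus the compression and tap-prioritization levers described in this section, can be put into a small calculator. The following is an added example, not code from the original post or from any packet capture product. It reproduces the post's 316.4 TB and 12.4 PB figures, which only work out exactly when 1 Gbps is taken as 2^30 bit/s and a terabyte as 2^40 bytes, so the calculator defaults to those binary units and also reports decimal terabytes, the unit most disk vendors quote. The `Tap` class, the `compression_ratio` and `index_overhead` parameters, and the sample tap names are my own assumptions for illustration.

```python
"""
Storage sizing for full packet capture.

Added example (not from the original post). Generalises the post's two
scenarios to any set of taps, any retention window and an optional
compression ratio, and answers the inverse question: how many days of
retention a given storage budget buys.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

# Unit conventions. The post's "316.4 TB for 1 Gbps over 30 days" is exact
# only with binary prefixes (1 Gbps = 2**30 bit/s, 1 TB = 2**40 bytes), so
# those are the defaults here. Decimal TB is reported too because storage
# is usually sold in decimal units, and the gap is roughly 10 percent.
BITS_PER_GBPS_BINARY = 2 ** 30
BITS_PER_GBPS_DECIMAL = 10 ** 9
BYTES_PER_TB_BINARY = 2 ** 40
BYTES_PER_PB_BINARY = 2 ** 50
BYTES_PER_TB_DECIMAL = 10 ** 12
SECONDS_PER_DAY = 24 * 60 * 60


@dataclass(frozen=True)
class Tap:
    """One capture point (hypothetical type): a label and its average load in Gbps."""
    name: str
    gbps: float


def raw_capture_bytes(taps: Iterable[Tap], retention_days: float,
                      binary_gbps: bool = True) -> float:
    """Bytes written across all taps over the retention window, before compression."""
    bits_per_gbps = BITS_PER_GBPS_BINARY if binary_gbps else BITS_PER_GBPS_DECIMAL
    seconds = retention_days * SECONDS_PER_DAY
    # bits/s -> bytes/s (divide by 8) -> bytes over the window
    return sum(tap.gbps * bits_per_gbps / 8 * seconds for tap in taps)


def size_capture(taps: Iterable[Tap], retention_days: float,
                 compression_ratio: float = 1.0,
                 index_overhead: float = 0.0) -> Dict[str, float]:
    """
    On-disk footprint for the capture. compression_ratio is "N:1" (1.0 means
    none); index_overhead is the extra fraction spent on indexes (assumed
    parameter; the post only says indexes need "additional storage").
    """
    if compression_ratio < 1.0:
        raise ValueError("compression_ratio is N:1 and must be >= 1")
    if index_overhead < 0.0:
        raise ValueError("index_overhead must be >= 0")
    raw = raw_capture_bytes(list(taps), retention_days)
    on_disk = raw / compression_ratio * (1.0 + index_overhead)
    return {
        "raw_tb_binary": raw / BYTES_PER_TB_BINARY,
        "on_disk_tb_binary": on_disk / BYTES_PER_TB_BINARY,
        "on_disk_pb_binary": on_disk / BYTES_PER_PB_BINARY,
        "on_disk_tb_decimal": on_disk / BYTES_PER_TB_DECIMAL,
    }


def retention_days_for_budget(taps: Iterable[Tap], budget_tb_binary: float,
                              compression_ratio: float = 1.0,
                              index_overhead: float = 0.0) -> float:
    """Inverse sizing: days of full capture that a given storage budget can hold."""
    per_day = size_capture(list(taps), 1.0, compression_ratio,
                           index_overhead)["on_disk_tb_binary"]
    return budget_tb_binary / per_day


if __name__ == "__main__":
    # Constructed sample inputs matching the post's two scenarios.
    scenario_one = [Tap("core", 1.0)]
    scenario_two = [Tap(f"net{i}", 10.0) for i in range(1, 5)]

    s1 = size_capture(scenario_one, 30)
    s2 = size_capture(scenario_two, 30)
    print(f"Scenario one: {s1['on_disk_tb_binary']:.1f} TB "
          f"({s1['on_disk_tb_decimal']:.1f} decimal TB)")
    print(f"Scenario two: {s2['on_disk_pb_binary']:.1f} PB")

    # Levers from the post: compression, and capturing fewer / smaller links.
    s1c = size_capture(scenario_one, 30, compression_ratio=4.0)
    print(f"Scenario one with 4:1 compression: {s1c['on_disk_tb_binary']:.1f} TB")
    edge_only = [t for t in scenario_two if t.name in ("net1", "net2")]
    print(f"Scenario two, ingress/egress taps only: "
          f"{size_capture(edge_only, 30)['on_disk_pb_binary']:.1f} PB")
    print(f"Days of 1 Gbps capture per 100 TB: "
          f"{retention_days_for_budget(scenario_one, 100.0):.1f}")
```

The inverse function is the one to reach for during planning: fixing the budget and asking how many days of look-back it buys makes the trade-off between retention, compression and tap placement explicit before hardware is ordered.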

Other Implementation Considerations

While it initially may seem cost effective to assemble your own packet capture platform, perhaps by leveraging open-source software and hard drives sitting unused in the corner of the data center, it’s worth considering the time and effort required to do so. Also consider whether you’ll ultimately achieve a packet capture platform that can keep pace with network traffic across a wide range of protocols, scale with your business over time, and assure that you’ve captured and can quickly find the data needed when it matters most.

A successful packet capture system needs to capture at line rate, index and compress the data in real time and write everything to disk continuously while simultaneously managing all the storage and retrieving data as needed for forensics investigations. Dropping packets or losing data at any point simply isn’t an option.

When a security incident is detected, you need to quickly determine what happened, how it happened and what, if anything, was compromised. Getting back to the question of whether packet capture is worth the investment, ask yourself this: How much would you be willing to pay for those answers?

Chances are it far exceeds the cost of deploying full packet capture and forensics. But, ultimately, this is an investment choice that needs to be made in advance. No amount of money will enable you to travel back in time to get the data you need but didn’t capture. Only a conscious investment in packet capture beforehand will ensure that the data is there when it’s needed.

There is a big difference between speculating about what occurred versus knowing exactly what happened and being able to respond with confidence. How much is that worth to you?
