July 14, 2016 By Tom Obremski 4 min read

Let’s face it: Cybersecurity isn’t getting any easier as attacks become stealthier, more complex and harder to assess. Organizations are wisely investing in security intelligence to detect and respond to threats. But what happens once a potential incident has been identified? How do we truly know what happened, what assets or data have been compromised, and what remediation is required to address the immediate threat and defend against repeat attacks?

In nearly every case, the data required to answer these questions has already traversed our networks. So it really becomes a matter of capturing that data such that it can be recalled, investigated using forensics and the root cause of the breach determined. Packet capture certainly isn’t new, and more companies are seeing the value in capturing full packet data. But is it worth the investment?

How Much Data Storage Do You Need?

Not surprisingly, one of the challenges of full packet capture is the amount of data storage required. Storage costs scale based on the amount of data traversing the network and the length of time for which that data must be retained.

So how much storage is needed? Let’s assume we capture 100 percent of the network traffic in the following scenarios:

Scenario One: One Network, 1 Gbps of Data

We have a network with an average of 1 Gbps of data. I want to capture and retain that data for 30 days to give our security team time to detect an incident and then look back to understand not only what happened during that incident, but also the events leading up to and setting the stage for that particular incident.

We can calculate the amount of data storage required by converting bits per second to bytes per second and then multiplying by the number of seconds in the 30 days. This amounts to a total 316.4 TB to store the 30 days’ worth of full packet data. Other items, such as indexes to find the data of interest, will require additional storage. But if done properly, the majority of storage will be dedicated to packet data. The 316.4 TB of data is a large but manageable amount of storage to deploy.

Let’s see what happens when the network bandwidth and number of network taps increase.

Scenario Two: Four Networks, 10 Gbps of Data Each

Let’s say we have four networks we want to tap, each of which is running at 10 Gbps. Again, we do the math and see that our storage requirement has grown to 12.4 PB for the 30 days’ worth of data.

The amount of data that needs to be stored can increase rapidly, depending on the network bandwidth and the number of points in the network that are tapped. Extending the retention period beyond 30 days will likewise increase the amount of storage required.

Full Packet Capture Can Help Save

Before you conclude that you’ll need more storage than you can afford or care to deal with, consider the following: Some packet capture solutions utilize compression algorithms that dramatically reduce the amount of storage space required while preserving the integrity of the data.

The second thing to consider is that, while it’s extremely beneficial to collect data from as many points across your networks as possible, some data is more valuable for forensics investigations than other network data. You can reduce the amount of data that needs to be stored by placing network taps strategically and prioritizing networks that are ingress/egress paths or that contain sensitive data.

For many, this serves as a good starting point that allows them to scale out their full packet capture deployments over time. Some packet capture solutions also allow customers to capture subsets of their network data to further optimize what data is collected and maximize the return on their packet capture investment.

Other Implementation Considerations

While it initially may seem cost effective to assemble your own packet capture platform, perhaps by leveraging open-source software and hard drives sitting unused in the corner of the data center, it’s worth considering the time and effort required to do so. Also consider whether you’ll ultimately achieve a packet capture platform that can keep pace with network traffic across a wide range of protocols, scale with your business over time, and assure that you’ve captured and can quickly find the data needed when it matters most.

A successful packet capture system needs to capture at line rate, index and compress the data in real time and write everything to disk continuously while simultaneously managing all the storage and retrieving data as needed for forensics investigations. Dropping packets or losing data at any point simply isn’t an option.

When a security incident is detected, you need to quickly determine what happened, how it happened and what, if anything, was compromised. Getting back to the question of whether packet capture is worth the investment, ask yourself this: How much would you be willing to pay for those answers?

Chances are it far exceeds the cost of deploying full packet capture and forensics. But, ultimately, this is an investment choice that needs to be made in advance. No amount of money will enable you to travel back in time to get the data you need but didn’t capture. Only a conscious investment in packet capture beforehand will ensure that the data is there when it’s needed.

There is a big difference between speculating about what occurred versus knowing exactly what happened and being able to respond with confidence. How much is that worth to you?

More from Intelligence & Analytics

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today