Let’s face it: Cybersecurity isn’t getting any easier as attacks become stealthier, more complex and harder to assess. Organizations are wisely investing in security intelligence to detect and respond to threats. But what happens once a potential incident has been identified? How do we truly know what happened, what assets or data have been compromised, and what remediation is required to address the immediate threat and defend against repeat attacks?

In nearly every case, the data required to answer these questions has already traversed our networks. So the problem becomes capturing that data in a form that can be recalled, examined forensically and used to determine the root cause of the breach. Packet capture certainly isn’t new, and more companies are seeing the value in capturing full packet data. But is it worth the investment?

How Much Data Storage Do You Need?

Not surprisingly, one of the challenges of full packet capture is the amount of data storage required. Storage costs scale with the amount of data traversing the tapped links and with the length of time that data must be retained.

So how much storage is needed? Let’s assume we capture 100 percent of the network traffic in the following scenarios:

Scenario One: One Network, 1 Gbps of Data

We have a network carrying an average of 1 Gbps of data. I want to capture and retain that data for 30 days to give our security team time to detect an incident and then look back to understand not only what happened during that incident, but also the events leading up to and setting the stage for it. Note that the average rate is what sizes the storage; the capture hardware itself still has to keep up with the link’s peak rate.

We can calculate the storage required by converting bits per second to bytes per second (divide by 8) and then multiplying by the number of seconds in 30 days (2,592,000). Taking 1 Gbps as 2^30 bits per second and counting storage in binary terabytes of 2^40 bytes, this comes to 316.4 TB for 30 days’ worth of full packet data; in decimal SI units (10^9 bits per second, 10^12 bytes per terabyte) the same calculation gives 324 TB, so agree on a unit convention with your storage vendor before comparing quotes. Other items, such as the indexes used to find the data of interest, will require additional storage, but if done properly the majority of storage will be dedicated to packet data. Roughly 320 TB is a large but manageable amount of storage to deploy.

Let’s see what happens when the network bandwidth and number of network taps increase.

Scenario Two: Four Networks, 10 Gbps of Data Each

Let’s say we have four networks we want to tap, each of which is running at 10 Gbps. That is 40 Gbps in total, 40 times the first scenario, so the storage requirement grows to 12.4 PB (in the same binary units; about 13 PB in decimal units) for 30 days’ worth of data.

The amount of data that needs to be stored grows linearly with both the link bandwidth and the number of points in the network that are tapped, so it can increase rapidly. Extending the retention period beyond 30 days scales the requirement the same way.

Where Full Packet Capture Can Save on Storage

Before you conclude that you’ll need more storage than you can afford or care to deal with, consider the following: Some packet capture solutions utilize compression algorithms that significantly reduce the amount of storage space required while preserving the integrity of the data. The ratio you actually get depends on the traffic mix: already-compressed or encrypted payloads (TLS, VPN tunnels, compressed media) barely shrink, so size on a ratio measured against your own traffic rather than a headline figure.

The second thing to consider is that, while it’s extremely beneficial to collect data from as many points across your networks as possible, some data is more valuable for forensic investigations than other network data. You can reduce the amount of data that needs to be stored by placing network taps strategically and prioritizing links that are ingress/egress paths or that carry sensitive data.

For many, this serves as a good starting point that allows them to scale out their full packet capture deployments over time. Some packet capture solutions also allow customers to capture subsets of their network data (for example, only certain subnets or ports, or truncated packets that keep headers but drop payload) to further optimize what is collected and maximize the return on the packet capture investment.
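The arithmetic behind both scenarios above, together with the two storage levers just described (tap prioritization and compression), as an added example that is not part of the original article. It generalizes the calculation to any set of taps, any retention window, an assumed compression ratio, and either the decimal (SI) unit convention or the binary one that reproduces the article’s 316.4 TB and 12.4 PB figures exactly. The tap names, rates, retained fractions and the 3:1 ratio are constructed for illustration, not measurements.

```python
# Added example: storage sizing for full packet capture (not from the article).
# Generalizes the two scenarios to any set of taps, any retention window, an
# assumed compression ratio, and either decimal (SI) or binary unit conventions.
# All tap names, rates and ratios below are constructed for illustration.
from collections.abc import Iterable
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Tap:
    """One capture point: an average link rate in Gbit/s and the fraction of
    that traffic you actually retain (1.0 = capture 100 percent)."""
    name: str
    rate_gbps: float
    retained_fraction: float = 1.0


def bytes_per_second(rate_gbps: float, binary: bool = False) -> float:
    """Convert Gbit/s to bytes/s.
    Network rates are decimal by definition (1 Gbit/s = 10**9 bit/s). The
    article's figures come out exactly if 1 Gbps is taken as 2**30 bit/s and
    storage is counted in 2**40-byte terabytes; binary=True uses that
    convention so the two can be compared side by side."""
    bits_per_second = rate_gbps * (2**30 if binary else 10**9)
    return bits_per_second / 8


def capture_bytes(taps: Iterable[Tap], retention_days: float,
                  compression_ratio: float = 1.0, binary: bool = False) -> float:
    """Bytes of packet storage needed for all taps over the retention window.
    compression_ratio is the measured on-disk ratio (3.0 means 3:1); 1.0 means
    no compression. Index overhead is not included, as in the article."""
    if compression_ratio <= 0:
        raise ValueError("compression_ratio must be positive")
    seconds = retention_days * SECONDS_PER_DAY
    raw = sum(bytes_per_second(t.rate_gbps, binary) * t.retained_fraction * seconds
              for t in taps)
    return raw / compression_ratio


def retention_days_for_budget(budget_bytes: float, taps: Iterable[Tap],
                              compression_ratio: float = 1.0,
                              binary: bool = False) -> float:
    """The inverse question: how many days of lookback does a given capacity buy?"""
    per_day = capture_bytes(list(taps), 1, compression_ratio, binary)
    return budget_bytes / per_day


def to_unit(nbytes: float, unit: str, binary: bool = False) -> float:
    """Express a byte count in GB/TB/PB using 1000**n (SI) or 1024**n (binary)."""
    exponent = {"GB": 3, "TB": 4, "PB": 5}[unit]
    return nbytes / (1024 if binary else 1000) ** exponent


if __name__ == "__main__":
    one_gig = [Tap("core", 1.0)]                          # scenario one
    four_tens = [Tap(f"dc{i}", 10.0) for i in range(4)]   # scenario two
    print("Scenario 1, binary units: %.1f TB"
          % to_unit(capture_bytes(one_gig, 30, binary=True), "TB", binary=True))
    print("Scenario 1, SI units:     %.1f TB"
          % to_unit(capture_bytes(one_gig, 30), "TB"))
    print("Scenario 2, binary units: %.1f PB"
          % to_unit(capture_bytes(four_tens, 30, binary=True), "PB", binary=True))
    # The article's levers: keep the two ingress/egress taps at full fidelity,
    # the two internal taps at 10 percent, and assume a measured 3:1 ratio.
    prioritized = [Tap("edge-a", 10.0), Tap("edge-b", 10.0),
                   Tap("internal-a", 10.0, 0.1), Tap("internal-b", 10.0, 0.1)]
    print("Prioritized taps at 3:1:  %.3f PB"
          % to_unit(capture_bytes(prioritized, 30, 3.0), "PB"))
    print("Days bought by 500 TB at 1 Gbps: %.1f"
          % retention_days_for_budget(500e12, one_gig))
```

Run it as a script to print the four figures, or import it and call `capture_bytes` with your own tap list. The `binary` switch exists only to show how much of a quoted number is unit convention rather than traffic; use SI figures when talking to network teams and whatever your storage vendor quotes when buying disks.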

Other Implementation Considerations

While it may initially seem cost effective to assemble your own packet capture platform, perhaps by leveraging open-source software and hard drives sitting unused in the corner of the data center, it’s worth considering the time and effort required to do so. Also consider whether you’ll ultimately end up with a platform that can keep pace with network traffic across a wide range of protocols, scale with your business over time, and assure that you’ve captured, and can quickly find, the data needed when it matters most.

A successful packet capture system needs to capture at line rate, index and compress the data in real time and write everything to disk continuously, while simultaneously managing all the storage and retrieving data as needed for forensic investigations. Dropping packets or losing data at any point simply isn’t an option, and that is a claim to verify with the system’s own drop counters under peak load rather than take on faith.

When a security incident is detected, you need to quickly determine what happened, how it happened and what, if anything, was compromised. Getting back to the question of whether packet capture is worth the investment, ask yourself this: How much would you be willing to pay for those answers?

Chances are it far exceeds the cost of deploying full packet capture and forensics. But, ultimately, this is an investment choice that needs to be made in advance. No amount of money will enable you to travel back in time to get the data you need but didn’t capture. Only a conscious investment in packet capture beforehand will ensure that the data is there when it’s needed.

There is a big difference between speculating about what occurred versus knowing exactly what happened and being able to respond with confidence. How much is that worth to you?
