Is Full Packet Capture Worth the Investment?

Let’s face it: Cybersecurity isn’t getting any easier as attacks become stealthier, more complex and harder to assess. Organizations are wisely investing in security intelligence to detect and respond to threats. But what happens once a potential incident has been identified? How do we truly know what happened, what assets or data have been compromised, and what remediation is required to address the immediate threat and defend against repeat attacks?

In nearly every case, the data required to answer these questions has already traversed our networks. So it really becomes a matter of capturing that data so that it can be recalled, investigated with forensic tools and used to determine the root cause of the breach. Packet capture certainly isn’t new, and more companies are seeing the value in capturing full packet data. But is it worth the investment?

How Much Data Storage Do You Need?

Not surprisingly, one of the challenges of full packet capture is the amount of data storage required. Storage costs scale based on the amount of data traversing the network and the length of time for which that data must be retained.

So how much storage is needed? Let’s assume we capture 100 percent of the network traffic in the following scenarios:

Scenario One: One Network, 1 Gbps of Data

We have a network with an average of 1 Gbps of data. I want to capture and retain that data for 30 days to give our security team time to detect an incident and then look back to understand not only what happened during that incident, but also the events leading up to and setting the stage for that particular incident.

We can calculate the amount of data storage required by converting bits per second to bytes per second and then multiplying by the number of seconds in the 30 days. This amounts to a total of 316.4 TB to store the 30 days’ worth of full packet data. Other items, such as indexes to find the data of interest, will require additional storage. But if done properly, the majority of storage will be dedicated to packet data. The 316.4 TB of data is a large but manageable amount of storage to deploy.

Let’s see what happens when the network bandwidth and number of network taps increase.

Scenario Two: Four Networks, 10 Gbps of Data Each

Let’s say we have four networks we want to tap, each of which is running at 10 Gbps. Again, we do the math and see that our storage requirement has grown to 12.4 PB for the 30 days’ worth of data.

The amount of data that needs to be stored can increase rapidly, depending on the network bandwidth and the number of points in the network that are tapped. Extending the retention period beyond 30 days will likewise increase the amount of storage required.

Full Packet Capture Can Help Save

Before you conclude that you’ll need more storage than you can afford or care to deal with, consider the following: Some packet capture solutions utilize compression algorithms that dramatically reduce the amount of storage space required while preserving the integrity of the data.

The second thing to consider is that, while it’s extremely beneficial to collect data from as many points across your networks as possible, some data is more valuable for forensics investigations than other network data. You can reduce the amount of data that needs to be stored by placing network taps strategically and prioritizing networks that are ingress/egress paths or that contain sensitive data.

For many, this serves as a good starting point that allows them to scale out their full packet capture deployments over time. Some packet capture solutions also allow customers to capture subsets of their network data to further optimize what data is collected and maximize the return on their packet capture investment.
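The sizing arithmetic behind both scenarios, plus the two levers this section describes (retention period and compression), as an added example that is not part of the original article. It reproduces the 316.4 TB and 12.4 PB figures when 1 Gbps is taken as 2^30 bit/s and results are reported in TiB/PiB; the `compression_ratio` parameter, the `Tap` class and the `retention_affordable` inverse calculation are assumptions introduced here for illustration, not features of any particular product.

```python
"""Storage sizing for full packet capture retention (added example).

Assumes binary units: 1 Gbps = 2**30 bit/s, and results in TiB (2**40 bytes)
or PiB (2**50 bytes). That convention is what yields the 316.4 and 12.4
figures quoted in the article for its two scenarios.
"""
from dataclasses import dataclass

TIB = 2 ** 40
PIB = 2 ** 50
SECONDS_PER_DAY = 86_400
BITS_PER_GIGABIT = 2 ** 30  # binary gigabit, matching the article's arithmetic


@dataclass(frozen=True)
class Tap:
    """One capture point (hypothetical type): a name and its average load in Gbps."""
    name: str
    gbps: float


def bytes_per_day(gbps: float, compression_ratio: float = 1.0) -> float:
    """Bytes written to disk per day for one tap after an assumed compression ratio.

    compression_ratio is a hypothetical knob: 1.0 stores raw packets as-is,
    3.0 means the capture platform stores one third of the raw volume.
    """
    if compression_ratio <= 0:
        raise ValueError("compression_ratio must be positive")
    bytes_per_second = gbps * BITS_PER_GIGABIT / 8
    return bytes_per_second * SECONDS_PER_DAY / compression_ratio


def storage_required(taps, days, compression_ratio=1.0) -> float:
    """Total bytes needed to retain every tap's traffic for `days` days."""
    return sum(bytes_per_day(t.gbps, compression_ratio) * days for t in taps)


def retention_affordable(taps, budget_bytes, compression_ratio=1.0) -> float:
    """Inverse question: how many days of retention fit into a fixed storage budget."""
    daily = sum(bytes_per_day(t.gbps, compression_ratio) for t in taps)
    return budget_bytes / daily


def describe(num_bytes: float) -> str:
    """Human-readable size in the binary units the article's figures use."""
    if num_bytes >= PIB:
        return f"{num_bytes / PIB:.1f} PiB"
    return f"{num_bytes / TIB:.1f} TiB"


if __name__ == "__main__":
    # Constructed scenarios mirroring the article: one 1 Gbps tap, then four 10 Gbps taps.
    core = [Tap("core", 1.0)]
    four_sites = [Tap(f"site-{i}", 10.0) for i in range(1, 5)]
    print("Scenario one, 30 days:", describe(storage_required(core, 30)))
    print("Scenario two, 30 days:", describe(storage_required(four_sites, 30)))
    print("Scenario two, 90 days:", describe(storage_required(four_sites, 90)))
    print("Scenario two, 30 days, 3:1 compression:",
          describe(storage_required(four_sites, 30, compression_ratio=3.0)))
    print("Days of scenario two that fit in 1 PiB:",
          f"{retention_affordable(four_sites, PIB):.1f}")
```

Running the script prints 316.4 TiB and 12.4 PiB for the two scenarios; the 90-day and 3:1 lines show how retention and compression move the figure in opposite directions, and the last line answers the question a budget holder usually asks first: given the storage we can actually buy, how far back can the security team look?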

Other Implementation Considerations

While it initially may seem cost effective to assemble your own packet capture platform, perhaps by leveraging open-source software and hard drives sitting unused in the corner of the data center, it’s worth considering the time and effort required to do so. Also consider whether you’ll ultimately achieve a packet capture platform that can keep pace with network traffic across a wide range of protocols, scale with your business over time, and assure that you’ve captured and can quickly find the data needed when it matters most.

A successful packet capture system needs to capture at line rate, index and compress the data in real time and write everything to disk continuously while simultaneously managing all the storage and retrieving data as needed for forensics investigations. Dropping packets or losing data at any point simply isn’t an option.

When a security incident is detected, you need to quickly determine what happened, how it happened and what, if anything, was compromised. Getting back to the question of whether packet capture is worth the investment, ask yourself this: How much would you be willing to pay for those answers?

Chances are it far exceeds the cost of deploying full packet capture and forensics. But, ultimately, this is an investment choice that needs to be made in advance. No amount of money will enable you to travel back in time to get the data you need but didn’t capture. Only a conscious investment in packet capture beforehand will ensure that the data is there when it’s needed.

There is a big difference between speculating about what occurred versus knowing exactly what happened and being able to respond with confidence. How much is that worth to you?


Tom Obremski

QRadar Product Manager, IBM

Tom Obremski is a product manager for IBM QRadar Security Intelligence. Tom has over 20 years of experience developing...