Full Packet Capture (PCAP) sounds far less glamorous than Security Information & Event Management (SIEM), Intrusion Detection (IDS) and Intrusion Prevention (IPS). That said, every security analyst will go gooey-eyed at the prospect of having access to a single authoritative source of data when investigating incidents or simply understanding trends.
Detecting possible threats is certainly a key requirement, and a capability that a packet capture platform such as SentryWire’s provides out of the box. The ingestion of logs (typically provided through SIEMs but seldom checked or correlated with packet data) is equally important, but every security professional knows that nothing beats having the real thing: an authoritative data source of all packet data, indexed and ready to search in minutes, irrespective of the volume of data.
The real data enables you to gain actual “intelligence” from analyzing the incident and the data. The truth lies in the packets!
Having access to logs, meta-data, etc. from different data sources is important and may help provide a trigger, but if you have an incident and no single authoritative source of data that shows you exactly what happened, you will be very, very busy trying to piece together what went wrong and who was responsible. Just ask British Airways or HSBC, two recent examples in a string of ever more high-profile incidents.
For days after the incident had already become public, the British Airways investigative team struggled to provide clarity on exactly what had happened, which customers were affected, and how.
Being breached is bad enough, but not being able to explain what happened is bad PR, may result in fines for breaches of data privacy and, most importantly, prevents organizations from taking effective corrective measures: how can you fix it if you don’t understand exactly what happened?
What exactly is full network data packet capture (FPCAP)?