Packets Matter is an op-ed series advocating the use of PCAP as the primary source of intelligence in enterprise network security.
One of the common questions I hear at the vendor booths of cyber security conferences is, “Do you monitor logs?”
If you work for a large enterprise, your network security team probably monitors logs for breaches and other incidents. Logs are often the first and only source of information available to incident responders. This is an unfortunate trend, because logs will rarely support an effective response to advanced persistent threats (APTs), such as the recently disrupted Chinese cyber espionage group, Axiom.
Let’s take a look at three critical failures of logs in the network security process, and understand how a more advanced technology – packet capture (PCAP) – can shift the advantage from APTs to incident responders.
Logs are prone to sabotage.
Logs are generated by applications. Those applications live in your network, and by definition they are vulnerable to exploitation. Consequently, the logs are vulnerable to exploitation, too. Can you guess the first thing a smart attacker does after a successful breach? Modify the logs to hide the evidence of the breach and of any future malicious activity. This makes logs a dubious source of information when the issue at hand is an advanced threat.
But there’s one thing a hacker can’t exploit. And that’s the wire.
PCAP has the unique advantage of being completely inaccessible to hackers when properly implemented. Install a network tap and you can copy packets right off the wire and onto a physically isolated network enclave. An attacker would need to walk into that facility and connect to the hardware to have any hope of destroying evidence. That’s the kind of system that will inspire confidence in the results of an incident response investigation.
Logs give an incomplete view of reality.
Applications write just enough information in their logs to support diagnostics. They discard the rest to conserve disk space and to keep the logs legible to humans. Likewise, they tend to write interpretations of events rather than the contents of the events themselves. Altogether this produces a source of information that is incomplete and sometimes vague or irrelevant to an incident response investigation.
PCAP serves as the ground truth of events on the network. It retains the fidelity of every byte that touches the network, including the packet payloads where one would find the contents of a malicious file. PCAP gives incident responders a complete, forensic view into the state of the network at any time. And it does not limit the scenarios a team can investigate. An application would never log the TCP flags of a communication; yet that might be just the information your network security team needs to confirm a breach and follow its movement across the network.
PCAP presents the facts your network security team needs to move beyond correlations and come to definitive conclusions that drive remediation.
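As an added illustration of the TCP-flag point above (example code, not from the original post or from Novetta), the following parses a small pcap file with nothing but the Python standard library and reports which connections actually completed a three-way handshake rather than being refused, a distinction no application log records. The capture, addresses and ports are constructed sample data, not a real recording.

```python
import struct
SYN, ACK, RST = 0x02, 0x10, 0x04   # TCP flag bits used below

def tcp_frame(src, dst, sport, dport, flags):
    # Ethernet + IPv4 + TCP header, no payload; checksums left zero (constructed data)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return bytes(12) + b"\x08\x00" + ip + tcp
def pcap_file(frames):
    # Little-endian pcap: global header (magic 0xA1B2C3D4, link type 1 = Ethernet) + records
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f   # ts_sec, ts_usec, incl, orig
    return out
def tcp_flag_records(pcap):
    # Return (src, sport, dst, dport, flags) for every IPv4/TCP frame in the capture
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    assert struct.unpack(endian + "I", pcap[20:24])[0] == 1, "expected Ethernet link type"
    off, records = 24, []
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] == b"\x08\x00" and frame[23] == 6:   # IPv4 carrying TCP
            ihl = (frame[14] & 0x0F) * 4                     # IP header length incl. options
            sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
            src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
            records.append((src, sport, dst, dport, frame[14 + ihl + 13]))   # TCP byte 13 = flags
    return records
def completed_handshakes(records):
    # Client->server 4-tuples whose SYN, SYN|ACK and final ACK all appear on the wire
    seen = {}
    for src, sport, dst, dport, flags in records:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & SYN and not flags & ACK:
            seen.setdefault(fwd, set()).add("syn")
        elif flags & SYN and rev in seen:
            seen[rev].add("synack")
        elif flags & ACK and "synack" in seen.get(fwd, ()):
            seen[fwd].add("ack")
    return {k for k, v in seen.items() if v == {"syn", "synack", "ack"}}

SAMPLE = pcap_file([   # constructed: one completed session to :443, one refused probe of :8443
    tcp_frame("192.0.2.10", "10.0.0.5", 51000, 443, SYN),
    tcp_frame("10.0.0.5", "192.0.2.10", 443, 51000, SYN | ACK),
    tcp_frame("192.0.2.10", "10.0.0.5", 51000, 443, ACK),
    tcp_frame("192.0.2.10", "10.0.0.5", 51001, 8443, SYN),
    tcp_frame("10.0.0.5", "192.0.2.10", 8443, 51001, RST | ACK)])
```

Running `completed_handshakes(tcp_flag_records(SAMPLE))` returns only the session to port 443; the probe of port 8443 never got past the RST, which is exactly the kind of detail a web server or mail log would never write.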
Logs are expensive to manage.
Every application writes its logs in a unique way. Combining hundreds of logs into a single, searchable format demands time, money, and a commitment to data integration.
“Did we exclude any important logs?”
“Did we map the data fields correctly?”
“How do we ignore duplicate events from multiple logs?”
“Was there no email traffic on Sunday? Or was the mail server down? Should we monitor uptime logs, too?”
These are the mundane questions your network security team will need to answer on a regular basis, when instead they should be laser-focused on discovering and responding to incidents. Time spent on data integration is time borrowed from the security process.
PCAP eliminates your commitment to data integration. It does not care about the format of the data. When you switch to PCAP, you manage between one and a dozen sensors as opposed to a hundred applications. You leverage parsers for standard protocols as opposed to “rolling your own” for proprietary formats. And you empower the team to focus on the security process as opposed to the health of their tools.
PCAP may require a more expensive storage solution up front. But it repays that investment with low and predictable maintenance costs.
Ultimately, logs are diagnostic tools for systems and applications. They are not security tools, and they will not facilitate an effective response to a breach. IT leaders must recognize that an effective security operations center requires investing in a network security solution that lets the team focus on incident response.
Consider the benefits of adopting a network security solution that capitalizes on the robust advantages of PCAP. Learn how Novetta Cyber Analytics unlocks its full potential at scale.