But even blocking only the true positives is not enough to meet today's network security challenges. For one thing, some malicious activity will be missed; as noted already, no solution is 100 percent effective. And to find the origin of a problem quickly and efficiently once it is discovered, a company needs to be able to go back and look at all of its traffic, not just the portion that triggered an alert.
A full picture of what has crossed the network, rather than just a verdict on whether a possible threat is present, comes from examining a copy of the actual traffic that went in and out of the network, and the way to obtain that copy is full-packet-capture technology.
“You really need to be able to go back in time a long way to essentially reconstruct and deconstruct attacks into their elements—the stages—so that you can understand how it happened, and so that you can identify if other similar attacks have happened,” explains Tim Sullivan, chief executive officer of nPulse Technologies. “That will help you understand whether or not you’re under a sustained campaign of attacks and also help you predict the formation of attacks in the future.”
The packet-capture technology offered by nPulse, a hardware appliance called Capture Probe Extreme (CPX), captures network packets in real time. After a breach occurs, system administrators can retrieve the traffic recorded around the time of the breach and drill down into where and when the attack happened.
Recording traffic continuously obviously raises storage questions: how far back an analyst can look is bounded by how much capture the storage holds, and anything older than that horizon is simply gone. The CPX appliance has local storage, but Sullivan says it can hold only about a day's worth of packet capture. CPX is therefore designed to write to a storage area network (SAN) device, which can retain more traffic history and is typically deployed at the network level.
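As an added illustration of the two points above (this is not nPulse's code or the CPX design; the file layout, sizes and traffic are constructed for the example), the following Python sketch keeps a rolling ring of standard libpcap files under a byte budget, deletes the oldest file when the budget is exceeded, and answers the analyst's question "show me everything between these two timestamps", making it visible when the requested window is older than what the store still holds. It also includes a small retention estimator, with decimal units (1 TB = 10^12 bytes) assumed, for sizing the storage behind a capture point.

```python
"""Rolling full-packet-capture store with time-window retrieval (illustrative)."""
import os
import struct
import tempfile
from collections import deque

# libpcap file format: global header, then (record header, frame) pairs.
PCAP_MAGIC = 0xA1B2C3D4                  # microsecond timestamps, native byte order
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len


def retention_hours(link_gbps, utilization, storage_tb):
    """Hours of history a store holds at a sustained fill rate (decimal units,
    pcap header overhead ignored). Assumption: capture stores every byte seen."""
    bytes_per_sec = link_gbps * 1e9 / 8 * utilization
    return storage_tb * 1e12 / bytes_per_sec / 3600


class RingPcapStore:
    """Continuous capture into fixed-size pcap files under a byte budget. When the
    budget is exceeded the oldest closed file is deleted, so the store always holds
    the most recent traffic and nothing older than its retention horizon."""

    def __init__(self, directory, file_bytes, budget_bytes):
        self.dir, self.file_bytes, self.budget = directory, file_bytes, budget_bytes
        self.closed = deque()   # (path, first_ts_us, last_ts_us, size), oldest first
        self.cur = None         # file currently being written
        self.seq = 0

    def _roll(self, ts_us):
        if self.cur is not None:
            self.cur["fh"].close()
            self.closed.append((self.cur["path"], self.cur["first"], self.cur["last"], self.cur["size"]))
        self.seq += 1
        path = os.path.join(self.dir, f"cap-{self.seq:06d}.pcap")
        fh = open(path, "wb")
        fh.write(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET))
        self.cur = {"fh": fh, "path": path, "first": ts_us, "last": ts_us, "size": GLOBAL_HDR.size}

    def _total(self):
        return sum(f[3] for f in self.closed) + (self.cur["size"] if self.cur else 0)

    def write(self, ts_us, frame):
        rec = REC_HDR.size + len(frame)
        if self.cur is None or self.cur["size"] + rec > self.file_bytes:
            self._roll(ts_us)
        self.cur["fh"].write(REC_HDR.pack(ts_us // 1_000_000, ts_us % 1_000_000, len(frame), len(frame)))
        self.cur["fh"].write(frame)
        self.cur["size"] += rec
        self.cur["last"] = ts_us
        # Enforce the budget by dropping whole files, oldest first, never the live one.
        while self.closed and self._total() > self.budget:
            os.remove(self.closed.popleft()[0])

    def oldest_retained_us(self):
        """Retention horizon: nothing before this timestamp can be reconstructed."""
        if self.closed:
            return self.closed[0][1]
        return self.cur["first"] if self.cur else None

    def read_window(self, start_us, end_us):
        """Return [(ts_us, frame)] with start_us <= ts_us <= end_us from retained files."""
        if self.cur:
            self.cur["fh"].flush()
        files = list(self.closed)
        if self.cur:
            files.append((self.cur["path"], self.cur["first"], self.cur["last"], self.cur["size"]))
        out = []
        for path, first, last, _ in files:
            if last < start_us or first > end_us:
                continue  # this file's time span does not overlap the window
            with open(path, "rb") as fh:
                assert GLOBAL_HDR.unpack(fh.read(GLOBAL_HDR.size))[0] == PCAP_MAGIC
                while (hdr := fh.read(REC_HDR.size)) and len(hdr) == REC_HDR.size:
                    sec, usec, incl, _orig = REC_HDR.unpack(hdr)
                    frame = fh.read(incl)
                    ts = sec * 1_000_000 + usec
                    if start_us <= ts <= end_us:
                        out.append((ts, frame))
        return out

    def close(self):
        if self.cur:
            self.cur["fh"].close()


def demo():
    """Constructed scenario: one 100-byte frame per second for 20 seconds into a
    store whose budget is three files of five packets each."""
    base = 1_700_000_000 * 1_000_000   # constructed epoch timestamp, in microseconds
    file_bytes = GLOBAL_HDR.size + 5 * (REC_HDR.size + 100)   # exactly five packets per file
    with tempfile.TemporaryDirectory() as d:
        store = RingPcapStore(d, file_bytes, 3 * file_bytes)
        for i in range(20):
            store.write(base + i * 1_000_000, bytes([i]) * 100)   # dummy frame, seq number as payload
        oldest = store.oldest_retained_us()
        result = {
            "files_on_disk": len(os.listdir(d)),
            "retained_packets": len(store.read_window(base, base + 19 * 1_000_000)),
            "oldest_retained_s": (oldest - base) // 1_000_000,
            "window_packets": len(store.read_window(base + 7 * 1_000_000, base + 12 * 1_000_000)),
            "early_window_packets": len(store.read_window(base, base + 3 * 1_000_000)),
            "early_window_predates_retention": base < oldest,   # analyst must be told this
        }
        store.close()
    return result


if __name__ == "__main__":
    print(demo())
    print(f"1 Gbps fully utilised into 10.8 TB: {retention_hours(1, 1.0, 10.8):.1f} h")
```

The point of the store's `oldest_retained_us` is the caveat a practitioner wants: a query for a window that predates the horizon returns nothing, and the tool should say so rather than let an empty result be read as "no traffic occurred". The estimator shows why a day of local capture is the realistic scale: a single saturated 1 Gbps link alone fills roughly 10.8 TB in 24 hours, so longer history means writing to larger shared storage such as a SAN.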
“In most cases you’re going to have your storage where your capture is, which is going to be on your network,” Sullivan explains. However, he adds that some companies, such as government agencies, have their packet capture occurring on an appliance in the cloud. Therefore, their storage would normally be in the cloud as well.