Typically companies only keep the full traffic history on hand for about a week; federal government agencies are required to keep it for 30 days, Sullivan says. After that, he explains, a company can still use the metadata to review the details of a breach; it just takes more time, money, and effort to break that data down.
“It’s all about time. You’re trying to remediate as quickly as possible. You can always try and throw bodies at the problem but… obviously, human beings just cannot do what software can do as quickly. So, it’s going to be more expensive and time-consuming to do it without full-packet capture,” he says.
Sullivan uses a football metaphor to explain the difference between metadata alerts and packet capture. “An alert would be like I say, ‘Did you see that touchdown that Eli Manning threw last night on Monday Night Football in the second quarter?’ So now I’m talking about the event [that is comparable to seeing the metadata]. If you were to go to YouTube and watch it, now you have the recording of it [that is comparable to the full-packet capture].”
Sullivan adds that this does not replace intrusion detection and prevention systems or firewalls, but it is an important supplement to them.
Other vendors also go beyond alerts, but not necessarily in the automated pre-event way that nPulse does. If clients want to pay for added functionality, Trustwave offers features that take its IDS a step beyond alerts. With certain security packages, Trustwave’s Spider Labs threat research team will go in and look at the traffic after a client’s security event has occurred to analyze it. “Traffic capture as packet capture is done on the [individual organization’s] IDS, and the relevant capture is forwarded to the Trustwave security operations center respective to the alert it represents,” says Jamie French, technical product marketing manager at Trustwave. “It’s not just a regurgitation of known and understood things, but we actually are identifying new and complex attack patterns and actually protecting our customers,” he says.
When a breach that originally went undetected is discovered retroactively, and packet capture is not stored on the IDS appliance, the Spider Labs team can still use the metadata to go back and understand the attack. “We’ll be able to piece together audit logs around detection of the attacks, so that we can actually understand the techniques that were used, and we incorporate that type of information into our signatures,” he adds.
No matter how it is done, French says that he sees a trend in customers wanting to know as much as possible about what goes on in their networks so that they’re better prepared to deal with increasingly sophisticated threats. “It broadens out further than just network intrusion detection and prevention, but holistically customers are trying to incorporate more contextual data about their environment,” he notes.