PacketWatch Blog

Full Packet Capture (FPC) vs Flow Data

Written by Chuck Matthews | October 14, 2022 11:00:00 AM Z

Full Packet Capture (FPC)

One of the key features of the PacketWatch technology is continuous Full Packet Capture (FPC). FPC constantly records the individual network packets into files called PCAPs (Packet Capture). Collecting PCAPs over time allows retrospective and time series analysis. Many security vendors have chosen to provide only “flow”-based network information (e.g., NetFlow, IPFIX, sFlow, etc.).

Eighty Percent isn’t Good Enough

Flow-based data is a summary or, in some cases, just a sampling of what happened on the network. Details are removed to reduce overhead and simplify processing. For instance, flow data does not permit you to analyze the actual packet payload for specific data. That would be akin to noting a truck going down the street from point A to point B but not being able to see what it is carrying inside. After all, NetFlow was created by Cisco for network performance monitoring, not for security use. Flow data can be beneficial in presenting summary information about conversations and providing quick, high-level context, but it lacks the detail needed to determine conclusively what is happening.
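As an added illustration (not PacketWatch code), the following Python models the "truck without visible cargo" point: it reduces a constructed packet list to NetFlow-style 5-tuple records and shows that two HTTP exchanges differing only in payload produce identical flow records, so a content indicator can be matched only against retained packets. The packet model, addresses, HTTP bodies and the marker string are all constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes  # the part a flow exporter discards


def to_flows(packets):
    """Reduce packets to NetFlow-style records keyed by the 5-tuple.
    Only counters survive: payload bytes are counted, never stored."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += len(p.payload)
    return dict(flows)


def payload_hits(packets, needle):
    """Content inspection, possible only when the packets themselves were kept."""
    return [p for p in packets if needle in p.payload]


def compare_captures(capture_a, capture_b, needle):
    """Do two captures look alike at flow level, and what does payload search find?"""
    return {
        "flows_identical": to_flows(capture_a) == to_flows(capture_b),
        "hits_a": len(payload_hits(capture_a, needle)),
        "hits_b": len(payload_hits(capture_b, needle)),
    }


# Constructed traffic, not real captures: one HTTP exchange per capture.
CLIENT, SERVER = "10.0.0.5", "203.0.113.7"
RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
BENIGN_REQ = b"GET /index.html HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"
NEEDLE = b"CONSTRUCTED-IOC-1"  # stand-in content indicator, same length as the host name
SUSPECT_REQ = BENIGN_REQ.replace(b"shop.example.test", NEEDLE)  # byte count unchanged

CAPTURE_BENIGN = [Packet(CLIENT, SERVER, 51000, 80, "tcp", BENIGN_REQ),
                  Packet(SERVER, CLIENT, 80, 51000, "tcp", RESPONSE)]
CAPTURE_SUSPECT = [Packet(CLIENT, SERVER, 51000, 80, "tcp", SUSPECT_REQ),
                   Packet(SERVER, CLIENT, 80, 51000, "tcp", RESPONSE)]
```

Calling `compare_captures(CAPTURE_BENIGN, CAPTURE_SUSPECT, NEEDLE)` reports identical flow records for both captures while the marker is found in one of them; a flow-only tool would see no difference between the two.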

As such, Gartner sees most organizations implementing a dual approach with flow data used perhaps 80% of the time and packet-level data from key network locations for the critical 20% remainder. Having both flow and PCAP data is key to a threat hunter’s success and why PacketWatch is such a favorite of experienced hunters.

Here’s Why

With the massive increase in zero-day attacks, lingering advanced persistent threats, mutable malware, and ransomware attacks, organizations are realizing that investigating threats with their NetFlow-based tools alone leaves them unable to draw definitive conclusions about what has happened. Last year 80 zero-days were reportedly exploited in the wild before patches existed. That is more than double the volume in 2019, the prior record. The average time to patch a vulnerability (MTTP) is between 60 and 150 days. So, the ability to look back and conclusively identify the potential exploit of a zero-day vulnerability is key. Having full PCAPs and the high-level flow data for that period permits a threat hunter to look back in time and conclusively identify a successful exploit of that zero-day vulnerability.

Combine the Data

Further, to understand a network or application performance problem, flow data, while useful, often isn't sufficient. Again, combining flow data and recorded PCAPs provides a definitive record for network operations personnel. The combination of flow and FPC/PCAPs gives both your NetOps and SecOps teams the ability to monitor the network for problems and the detailed packet information needed to reconstruct precisely what happened. Ask us how you can easily add flow data, FPC and PCAPs to your security toolset today with PacketWatch. Even better, ask us how we can provide a fully managed MDR solution, including PacketWatch.

Remember, 80% isn’t good enough when it comes to your security! Give us a call at 1-800-864-4667, or reach out via our Contact Us form.