Page 17 - Cyber Defense Magazine RSA Edition for 2021
What’s the architecture for a successful deployment?
For security teams, the ideal is a “single pane of glass” that collects and collates threat telemetry from all of the different sources and provides a single view of threat activity across the threat lifecycle. Typically, organizations are electing to implement a SIEM tool, or a data lake that provides data-mining and search capabilities. SOAR tools are also rapidly gaining in popularity as a way to help organizations collect and analyze evidence of threat activity.
The key capability organizations need is to quickly reconstruct events from the collected and collated telemetry, in order to understand what happened, how it happened, and what the impact of the event is. With a centralized view of activity, analysts can ask and answer questions quickly: whether there has been lateral movement from an initial compromise, whether data has been exfiltrated, and so on.
Access to full packet capture data is an indispensable resource for enabling this capability. With access to the actual packets, including payloads, analysts can see what activity took place on the network and reconstruct events precisely, right down to what data may have been exfiltrated and how an attacker is moving around the network to expand their foothold.
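As an added illustration of the reconstruction workflow the two paragraphs above describe (example code written for this page, not tooling from the article or from any vendor), the following Python builds a small constructed libpcap capture in memory, parses the Ethernet/IPv4/TCP headers back out of it, and then walks internal-to-internal connections in time order from a known compromised host to recover the lateral-movement chain and the outbound byte volume from every reached host. All addresses, ports, timestamps and payload sizes are constructed; the 10.0.0.0/8 internal prefix, the choice of 10.0.0.5 as the initially compromised host, and the omission of checksums are assumptions made for the example.

```python
import struct
from collections import defaultdict, deque

# ---- constructed sample capture (all hosts, ports and sizes are made up) ----
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _ip(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _tcp_frame(src, dst, sport, dport, payload_len, flags=0x18):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero (not verified here)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len


def build_pcap(frames):
    """Serialise (timestamp_seconds, frame_bytes) pairs as a little-endian libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", int(ts), 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    (100, _tcp_frame("203.0.113.9", "10.0.0.5", 44123, 443, 900)),        # initial inbound
    (101, _tcp_frame("10.0.0.5", "203.0.113.9", 443, 44123, 200)),
    (110, _tcp_frame("10.0.0.5", "10.0.0.7", 51000, 445, 300)),           # .5 -> .7 on 445
    (120, _tcp_frame("10.0.0.7", "10.0.0.12", 52000, 3389, 300)),         # .7 -> .12 on 3389
    (130, _tcp_frame("10.0.0.12", "198.51.100.20", 53000, 443, 60000)),   # bulk outbound
    (131, _tcp_frame("10.0.0.12", "198.51.100.20", 53000, 443, 60000)),
    (140, _tcp_frame("10.0.0.3", "10.0.0.5", 40000, 22, 100)),            # unrelated admin login
])


# ---- parser: pcap bytes -> per-packet tuples ----
def parse_pcap(data):
    """Yield (ts, src, dst, sport, dport, payload_bytes) for every IPv4/TCP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("expected a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        off += incl_len
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                   # not IPv4/TCP
        ihl = (pkt[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", pkt, 16)[0]
        tcp = 14 + ihl
        if len(pkt) < tcp + 20:
            continue                                   # truncated TCP header
        sport, dport = struct.unpack_from("!HH", pkt, tcp)
        data_off = (pkt[tcp + 12] >> 4) * 4
        src = ".".join(map(str, pkt[26:30]))
        dst = ".".join(map(str, pkt[30:34]))
        yield ts_sec + ts_usec / 1e6, src, dst, sport, dport, total_len - ihl - data_off


# ---- reconstruction: lateral-movement chain and outbound volume ----
INTERNAL_PREFIX = "10."          # assumed internal address space


def reconstruct(data, patient_zero):
    """Return ({host: (reached_from, dst_port, first_ts)}, {(host, external): bytes})."""
    first_seen, volume = {}, defaultdict(int)
    for ts, src, dst, _sport, dport, n in parse_pcap(data):
        first_seen.setdefault((src, dst, dport), ts)
        volume[(src, dst, dport)] += n
    by_time = sorted(first_seen.items(), key=lambda kv: kv[1])

    # breadth-first walk over internal->internal connections, only following
    # connections that start after the source host itself was reached
    reached = {patient_zero: (None, None, 0.0)}
    frontier = deque([patient_zero])
    while frontier:
        host = frontier.popleft()
        since = reached[host][2]
        for (src, dst, dport), ts in by_time:
            if (src == host and ts >= since and dst.startswith(INTERNAL_PREFIX)
                    and dst not in reached):
                reached[dst] = (host, dport, ts)
                frontier.append(dst)

    outbound = defaultdict(int)
    for (src, dst, _dport), n in volume.items():
        if src in reached and not dst.startswith(INTERNAL_PREFIX):
            outbound[(src, dst)] += n
    return reached, dict(outbound)


if __name__ == "__main__":
    chain, outbound = reconstruct(SAMPLE_PCAP, "10.0.0.5")
    for host, (via, port, ts) in chain.items():
        print(f"{host:<12} reached via {via} on port {port} at t={ts}")
    for (host, ext), n in outbound.items():
        print(f"{host} -> {ext}: {n} bytes outbound")
```

The walk deliberately ignores the 10.0.0.3 -> 10.0.0.5 connection: it points at the compromised host rather than away from it, so it is not evidence of the attacker spreading. The outbound table is what an analyst would then compare against the expected business traffic for each host; the 120,000 bytes from 10.0.0.12 stand out only because the capture holds the payload sizes, which is exactly the information a log-only view would lack.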
Full packet capture data is also an incredibly powerful resource for proactive threat hunting. Packet-data-driven threat hunting and simulation exercises are a great way for teams to determine the effectiveness of their detection tools, including AI/ML tools, and to understand why they are not detecting events they ought to, or why they are incorrectly flagging non-malicious activity as malicious.
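The following Python is an added example (written for this page, not code from the article or from any detection product) of the validation exercise just described: ground-truth events reconstructed from packet data are compared against the alerts a detector produced, matched by host, event type and a time window, so that missed events and spurious alerts are listed individually rather than summarized only as a score. The events, the alerts, the hosts and the 30-second matching window are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: float      # seconds since capture start
    host: str      # internal host the event concerns
    kind: str      # "lateral" or "exfil"


# Constructed ground truth, as an analyst would reconstruct it from packet data.
TRUTH = [
    Event(110.0, "10.0.0.7", "lateral"),
    Event(120.0, "10.0.0.12", "lateral"),
    Event(130.0, "10.0.0.12", "exfil"),
]

# Constructed alerts from a hypothetical AI/ML detector run over the same window.
ALERTS = [
    Event(112.0, "10.0.0.7", "lateral"),    # correct, slightly late
    Event(140.0, "10.0.0.3", "lateral"),    # routine admin session flagged by mistake
    Event(131.0, "10.0.0.12", "exfil"),     # correct
]


def score_detector(truth, alerts, window=30.0):
    """Match each alert to at most one ground-truth event (same host and kind,
    within `window` seconds) and report what was missed and what was spurious."""
    matched = set()
    true_positives, false_positives = [], []
    for alert in alerts:
        candidates = [t for t in truth
                      if t not in matched and t.host == alert.host
                      and t.kind == alert.kind and abs(t.ts - alert.ts) <= window]
        if candidates:
            best = min(candidates, key=lambda t: abs(t.ts - alert.ts))
            matched.add(best)
            true_positives.append((alert, best))
        else:
            false_positives.append(alert)
    missed = [t for t in truth if t not in matched]
    return {
        "true_positives": true_positives,
        "false_positives": false_positives,
        "missed": missed,
        "precision": len(true_positives) / len(alerts) if alerts else 1.0,
        "recall": len(true_positives) / len(truth) if truth else 1.0,
    }


if __name__ == "__main__":
    report = score_detector(TRUTH, ALERTS)
    for t in report["missed"]:
        print(f"MISSED   {t.kind:<8} on {t.host} at t={t.ts}")
    for a in report["false_positives"]:
        print(f"SPURIOUS {a.kind:<8} on {a.host} at t={a.ts}")
    print(f"precision={report['precision']:.2f} recall={report['recall']:.2f}")
```

The two lists are the useful output: each missed event points at traffic the detector saw but did not flag, and each spurious alert points at benign traffic it mis-classified, both of which can be pulled straight from the packet capture for tuning or for a conversation with the vendor.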
Packet capture data is invaluable as an evidence source because it is complete and reliable. Where a skilled attacker will often delete or modify logs to hide their activity, it is very difficult for them to manipulate packet data captured off the network, particularly since in most cases they are not even aware that it is being captured and do not have access to it. This makes packet data a trusted source of “truth” about what is really happening on the network.
Right deployment, right outcome
AI/ML detection tools have a lot of promise. However, there are pitfalls if the right architecture and capabilities are not in place. For AI/ML threat detection tools to deliver on their promise to reliably detect and remediate threats, companies must be able to trust them to make the right decisions, not to miss things, and to act accurately. To achieve this level of trust, we must always be able to verify and validate the decisions made by AI/ML tools, and to do that, companies need to ensure they have the right data.
Packets are an indispensable resource for validating AI decisions. But for packet data to be useful it needs to be complete and accurate, with no blind spots, and provide as much lookback history as possible. It also needs to be easily accessible and support fast search and data mining.
Considering how packet data can be incorporated into workflows is also important. When packet data
can be integrated into security tools - enabling analysts to pivot from a specific alert or event to the related