Page 160 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

Access the actual content of a network conversation - easily

            The forensic evidence gained from packet capture is a vital resource for incident response teams, helping
            to accurately reconstruct cyberattacks so analysts can understand exactly what happened and what the
            full impact is. Forensic evidence can provide a detailed breakdown of how far an attacker penetrated,
            how they managed to get around existing defenses, and what data and systems were attacked and
            potentially compromised. Without this knowledge, SecOps teams can have a hard time understanding
            how to respond to and resolve incidents.

            Some security teams rely on piecing together evidence from log files -- system logs, application logs,
            authentication logs and so on -- combined with network metadata, threat intelligence and alerts from their
            security monitoring tools. The problem is that none of these sources contains the actual payload: the
            bytes that would let a team see exactly which files were transferred, what data was extracted and which
            systems were touched. Log files and metadata give a summary snapshot of events, which is useful for
            building a picture of activity, but a team that relies solely on them, with no access to packet data, risks
            missing critical evidence when it matters most.

            The alternative is to record full packet data, which lets analysts inspect historical traffic to investigate
            threats more closely. This provides access to the actual content -- files, malware, ransomware,
            executables, zip archives, exfiltrated documents, code downloads and more -- anything attackers can use
            to compromise users and the network and to steal data. One practical caveat: for encrypted sessions
            (TLS, SSH) the recorded payload is readable only where the session keys are available for decryption;
            otherwise the capture still yields the connection metadata, certificate details and timing, but not the
            plaintext.

            Analysts can also re-analyze recorded packet data to generate detailed protocol logs on demand --
            including DNS, HTTP, TLS, SMTP, database transactions and more -- or replay recorded traffic through
            new detection rules to find network threats that were missed the first time and to gain deeper contextual
            insight into attack activity.



            Accelerating investigation and response

            The experience that many teams had in the past with packet capture is that it can be challenging to
            accurately record and manage large volumes of data at high-speed -- and time-consuming to locate the
            specific data that is needed for an investigation. Packet analysis has traditionally required deep expertise
            too.

            Modern packet capture solutions are designed to be modular and scalable. They can cost-effectively
            record weeks to months of history at today's fastest network speeds (10 Gbps up to 100 Gbps or more),
            giving security teams plenty of time to go back and investigate historical events.

            Analysts can search and data-mine the recorded data to locate and analyze the relevant packets quickly
            from within what may be petabytes of history. Integration with a wide variety of cybersecurity solutions
            makes it possible to "pivot" in context from an alert in a security or performance monitoring tool directly
            to the packets behind it, typically by matching the alert's addresses, ports and protocol inside its time
            window. This speeds up and streamlines the investigation process and also lets common evidence
            collection and analysis tasks be automated (e.g. using SOAR tools).
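
            The two workflows described above (regenerating a protocol log from recorded packets, and pivoting from
            an alert to the matching packets) in working form, as an added example that is not code from this article
            or from any packet-capture product. It uses only the Python standard library. The capture it reads is
            constructed inline (three synthetic packets, not real traffic), the alert dict shape is a hypothetical
            stand-in for whatever a SIEM or IDS emits, and the decoder handles only Ethernet/IPv4 with UDP or TCP
            and uncompressed DNS question names; a real capture would also carry VLAN tags, IPv6, fragments and
            TLS-encrypted payloads that this does not attempt to decode.

```python
"""Re-analyze a pcap offline: regenerate a DNS query log, then pivot from an alert's
5-tuple and time window to the packets behind it.  Added example; sample capture is constructed."""
import socket
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
QTYPE = {1: "A", 16: "TXT", 28: "AAAA"}

def _ip_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def _dns_query(txid, name, qtype):
    # 12-byte header (RD set, one question) + labels + QTYPE/QCLASS IN
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", qtype, 1)

def _packet(src, dst, proto, sport, dport, payload):
    """Build Ethernet/IPv4/{UDP,TCP} frame; MACs are constructed placeholders."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # minimal 20-byte TCP header, data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + l4

def build_pcap(records):
    """records: iterable of (timestamp_float, frame_bytes) -> classic pcap file bytes."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, pkt in records:
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(pkt), len(pkt)) + pkt)
    return b"".join(out)

def iter_pcap(data):
    """Yield (timestamp, frame) for each record of a little-endian classic pcap."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl

def decode(pkt):
    """Ethernet/IPv4 -> dict with 5-tuple and L4 payload; None for anything else."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl, proto = (pkt[14] & 0x0F) * 4, pkt[23]
    l4 = pkt[14 + ihl:]
    sport, dport = struct.unpack_from("!HH", l4, 0)
    payload = l4[8:] if proto == 17 else l4[(l4[12] >> 4) * 4:] if proto == 6 else l4
    return {"src": socket.inet_ntoa(pkt[26:30]), "dst": socket.inet_ntoa(pkt[30:34]),
            "proto": proto, "sport": sport, "dport": dport, "payload": payload}

def parse_dns_question(payload):
    """(name, qtype) from a DNS query with one uncompressed question, else None."""
    if len(payload) < 12 or struct.unpack_from("!H", payload, 4)[0] != 1:
        return None
    off, labels = 12, []
    while payload[off] != 0:
        n = payload[off]
        if n & 0xC0:          # compression pointer: not valid in a question name
            return None
        labels.append(payload[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), struct.unpack_from("!H", payload, off + 1)[0]

def dns_log(pcap_bytes):
    """Regenerate a DNS query log from recorded packets (the on-demand log workflow)."""
    lines = []
    for ts, pkt in iter_pcap(pcap_bytes):
        d = decode(pkt)
        if not d or d["proto"] != 17 or d["dport"] != 53:
            continue
        q = parse_dns_question(d["payload"])
        if q:
            when = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
            lines.append(f"{when} {d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} "
                         f"query {q[0]} {QTYPE.get(q[1], q[1])}")
    return lines

def pivot(pcap_bytes, alert):
    """Packets behind an alert: same src/dst/proto/dport inside [t_start, t_end].
    `alert` is a hypothetical dict, not any real SIEM or IDS schema."""
    key = (alert["src"], alert["dst"], alert["proto"], alert["dport"])
    return [(ts, d) for ts, pkt in iter_pcap(pcap_bytes)
            if alert["t_start"] <= ts <= alert["t_end"]
            and (d := decode(pkt)) and (d["src"], d["dst"], d["proto"], d["dport"]) == key]

# Constructed sample capture: two DNS queries and one plaintext HTTP request (not real traffic).
SAMPLE_PCAP = build_pcap([
    (1000.000, _packet("10.0.0.5", "10.0.0.2", 17, 53000, 53, _dns_query(0x1234, "example.com", 1))),
    (1000.250, _packet("10.0.0.5", "10.0.0.2", 17, 53001, 53, _dns_query(0x1235, "c2.example.net", 16))),
    (1200.000, _packet("10.0.0.7", "203.0.113.9", 6, 40000, 80, b"GET /update.bin HTTP/1.1\r\n\r\n")),
])

if __name__ == "__main__":
    print("\n".join(dns_log(SAMPLE_PCAP)))
    alert = {"src": "10.0.0.7", "dst": "203.0.113.9", "proto": 6, "dport": 80, "t_start": 1100, "t_end": 1300}
    for ts, d in pivot(SAMPLE_PCAP, alert):
        print(ts, d["src"], "->", d["dst"], d["payload"][:32])
```

            The same `pivot` filter is what a SOAR playbook would call with the alert's fields, and `dns_log` is the
            shape of any "generate the log later from the packets" job; swapping `parse_dns_question` for an HTTP or
            SMTP decoder gives the other logs the article lists. Note that the third packet is readable only because
            it is plaintext HTTP; the same request over TLS would surface as an encrypted record whose payload
            bytes carry no useful content without the session key.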






