I’ve read that establishing a full-packet capture system for outbound traffic is the best way to confirm what did...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
or didn’t leave the network in the event of a suspected breach event. What’s the cheapest and most efficient to implement a full-packet capture systemif we don’t have one today and don’t want to invest in new hardware or software?
Unfortunately, it’s impossible to implement full-packet capture without investing in new hardware or software, unless an organization has a lot of storage space sitting around doing nothing.
While it’s certainly true that full-packet capture is the best way to know what happened on a network in the event of a breach, it’s extremely expensive to implement because it requires massive amounts of storage. For example, if an enterprise has an outbound Internet connection that averages 400 MB over the course of a day, that’s 50 MB of data every second. At this rate, an enterprise would be consuming more than a gigabyte of storage every minute. Compression can reduce this burden; however, the idea of capturing every byte that crosses a network boundary is simply unreasonable.
An alternative way to monitor outbound traffic is to capture network flow data instead. Rather than tracking the actual data passed between systems, this approach captures only high-level meta information about each connection, such as the source and destination IP addresses, ports and the total amount of data passed in either direction. While this approach wouldn't definitively detail what data has left the network, it would give a general idea of the quantity of data flowing to remote locations without breaking the bank. Cisco Systems Inc.’s NetFlow technology and Juniper Networks Inc.’s J-Flow feature both provide similar functionality that is likely to already exist within an enterprise network environment.
Dig Deeper on Network Intrusion Prevention (IPS)
Related Q&A from Mike Chapple
The OWASP Top Ten list is not a compliance standard but a set of best practices for enterprises looking to boost Web app security. Here's how to get ...continue reading
A data breach notification policy is important to have, but deciding how to alert customers can be tough. Expert Mike Chapple explains some best ...continue reading
Tokenization technology can be confusing. Expert Mike Chapple explains what the difference is between two types of tokens and how tokenization can ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.