If you started to research NDR solutions to any degree, you’ve likely noticed that most vendors use packet infrastructure to monitor, ingest, and analyze traffic for threat activity. Packet analysis is a very popular threat detection method, but it has shortcomings that may not seem obvious at first glance.
For starters, deploying packet infrastructure is costly, time-consuming, and resource intensive. In essence, these NDR solutions require you to build, manage, and maintain a parallel network. The cost of this infrastructure does not scale well.
For that reason, most people choose to only monitor segments of their networks—high ingress/egress points or areas with a large amount of sensitive data, like financial servers. This strategy makes sense, you want to protect what’s most valuable. And packet analysis can provide rich details about the traffic in those monitored areas.
But your view is limited. Increasing your view with a packet-based NDR solution requires a large infrastructure investment to capture and process those packets.
So outside of the NDR software, you’ll need to spend a pretty penny on infrastructure to get it to work as intended. These are the obvious costs. Let’s uncover the hidden costs.
IT environments can be incredibly complex. Physical, virtual, and cloud environments—in addition to software-defined networks and SaaS applications—make monitoring networks with packet capture tools much more complex.
Knowing how to architect the solution alone requires resources from both your team and the NDR vendor you’re working with. This means many NDR deployments take months to get off the ground.
Once the packet capture tools are in place, it’s your team’s responsibility to manage and maintain that infrastructure. With an IT talent shortage and skills gap, dedicating personnel to maintaining the ancillary technology supporting your packet-based NDR solution should only be done with careful consideration.
According to the latest report from Ponemon and IBM, dwell time for an attack is an average of 277 days. When you go to investigate an attack, you want to have long-term data retention to understand the scope and impact of the compromise.
One of the perceived advantages of a packet-based NDR solution is access to the payload, but many packet-based solutions do not process and retain the entire packet for threat detection. That said, because you have the infrastructure to capture packets, if you add disk storage, you can retain the payload.
Storing packets, however, does add a layer of complexity and cost. Payloads take up a lot of storage, so most people choose to limit their storage to a few weeks or days.
Additionally, most internal traffic is now encrypted. Again, a packet-based NDR solution will still process the packet metadata, but it will not decrypt the packet. So, if you want to dig into that payload, you’ll want to store the payload and retain decryption keys for those packets.
Ensuring you have the disk space to store millions of packets and encryption keys is challenging. This, again, is why most teams decide to limit their network visibility and monitoring to a few areas.
While not necessarily a cost, there are risks associated with selecting a packet-based NDR solution. This is primarily because most people limit their threat detection visibility.
A report by Positive Technologies found that cybercriminals can penetrate 93% of company networks. Without wide visibility of your network traffic, attackers could hide in corners, harming your business without detection.
Most packet-based NDR solution customers monitor only small segments of their entire network. They also tend to limit themselves to just north-south traffic. This makes it difficult for those solutions to detect lateral movement, command and control, data staging, and other sophisticated attacks that are not occurring in the areas closely monitored.
The average cost of a data breach is $4.35 million. Without complete network visibility, you leave yourself exposed to the risk of a breach.
Packet-based NDR solutions may be the most common on the market, but they are not your only choice. A flow-based NDR solution, like Plixer Enterprise, use network flow data (NetFlow, IPFIX, xFlow, etc.) as their primary data ingestion source. These solutions can still process and analyze data from packet brokers, but they do not require the infrastructure and resources necessary with the other solutions.
Many people still underestimate the security context present in network flow data. When properly analyzed, though, network flow data is a powerful data source for exposing sophisticated threats in your IT environment—without the overhead of a packet-based solution.