
Why you shouldn’t rely on packet analysis for threat detection

If you’re familiar with Plixer’s solutions, you’ve likely noticed that one of our main competitive differentiators is that our solutions don’t depend on packets but instead use network flow data. Network flow data comes from your existing infrastructure—switches, routers, firewalls, packet brokers, security tools, network monitoring systems, and more.

You might have wondered why we choose network flow data over the data derived from packet capture. We’ve developed four points that explain our reasoning.

  1. Packet capture infrastructure is costly: NDR solutions that rely on packets to analyze traffic for threat detection require more overhead. To feed data to the NDR solution, you’ll need to deploy probes or other collection agents on your network. This comes at a cost. For packet-based NDR solutions, you’re not just purchasing a security solution. You also need to add new/additional infrastructure and dedicate time to deploying and maintaining packet capture infrastructure.
  2. Relying on packet capture leaves visibility gaps: Because packet capture infrastructure is costly and requires additional resources, organizations often limit packet capture to only a few areas of their network. Often, organizations place packet capture tools at high-volume ingress and egress points. But that leaves much of your network untapped for analysis and threat detection. This method would be akin to a bank only having security cameras near the building’s entrances. Helpful for seeing who has entered and exited the building, but you’re left entirely unaware of what’s happening inside the building. Most threats are too sophisticated to announce their presence as they enter your network, so it’s important to track what they do while inside your network.
  3. Packet analysis is overly complicated for threat detection: Most NDR vendors that rely on packet analysis know that packet capture cannot provide complete network visibility, so packet-based NDR solutions fill these gaps with network metadata. Additionally, because each packet contains a payload—all the data captured—packet captures are often very large and take up a lot of space. To save space, packets are usually compressed, and the NDR solution processes only the metadata for threat detection. But you’re still paying for the entire packet and all that data, even if you don’t use it. This is a cumbersome way to just process metadata. It is kind of like taking an airplane to the grocery store. You still get to your destination, but you’ve used a lot of energy and resources to get there. A car would have been an easier way to do it.
  4. Packet analysis is better for forensics: We’re not against packets, but the more efficient way to detect threats is through network flow data. Not only does using network flow data save you from having to invest money and time into deploying and maintaining packet capture tools, but it also gives you rich data that is effective at detecting threats. Threats, whether in the form of malware, DDoS, phishing, etc., have noticeable characteristics that a sophisticated NDR solution can identify based on how the threat behaves on a network. Using AI/ML, network flow data sets a baseline for normal behavior. When a device starts to communicate differently—talking to devices it’s never spoken to before, accessing data it’s never tried to access before, etc.—this data trail is observable through network flow data. You could see this in packet capture data, too, but with more resources. Say, though, that you wanted to see specific data about what was moved. In this case, a packet’s payload can be very helpful. That’s why we believe packet analysis is better for forensics. A packet’s payload allows you to drill down your investigation to specifics only packet capture can provide. But that’s only if a threat actor did not encrypt the traffic. If a hacker has brought their own encryption, then the payload is unreadable. 
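The baseline-and-deviation approach described in point 4, as an added example that is not Plixer's code: it builds a per-host baseline of peers and ports from constructed NetFlow-style records, then flags flows to never-seen peers, new ports on known peers, and byte-volume outliers. The flow records, hosts and threshold are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed NetFlow/IPFIX-style flow summaries (no payload, just the
# source, destination, destination port and bytes sent). Not real data.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int

BASELINE = [  # "normal" history for one workstation
    Flow("10.0.1.20", "10.0.2.5", 443, 8_000),
    Flow("10.0.1.20", "10.0.2.5", 443, 9_500),
    Flow("10.0.1.20", "10.0.2.6", 445, 12_000),
    Flow("10.0.1.20", "10.0.2.6", 445, 11_000),
    Flow("10.0.1.20", "10.0.0.53", 53, 300),
    Flow("10.0.1.20", "10.0.0.53", 53, 250),
]

NEW = [  # flows observed after the baseline window
    Flow("10.0.1.20", "10.0.2.5", 443, 8_800),       # matches baseline
    Flow("10.0.1.20", "10.0.3.77", 445, 4_000),      # never-seen internal peer
    Flow("10.0.1.20", "203.0.113.9", 443, 950_000),  # new external peer, large transfer
    Flow("10.0.1.20", "10.0.2.5", 22, 600),          # known peer, never-used port
]

def build_baseline(flows):
    """Per source host: the (peer, port) pairs seen and the byte sizes of its flows."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for f in flows:
        peers[f.src].add((f.dst, f.dport))
        sizes[f.src].append(f.bytes_out)
    return peers, sizes

def score_flows(flows, peers, sizes, z_threshold=3.0):
    """Return (flow, reasons) for every flow that deviates from the host's baseline."""
    findings = []
    for f in flows:
        reasons, known = [], peers.get(f.src, set())
        if (f.dst, f.dport) not in known:
            # Distinguish a brand-new peer from a new service on a known peer.
            reasons.append("new-port" if any(p == f.dst for p, _ in known) else "new-peer")
        samples = sizes.get(f.src, [])
        if len(samples) >= 2:  # z-score of this flow's size against the host's history
            mu, sigma = mean(samples), pstdev(samples)
            if sigma > 0 and (f.bytes_out - mu) / sigma > z_threshold:
                reasons.append("volume-outlier")
        if reasons:
            findings.append((f, reasons))
    return findings
```

A production baseline would be keyed per destination port and rolled over a time window, but the three signals shown are exactly what flow records carry without any payload.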

The better option is an NDR solution that uses the extraordinarily valuable network flow data that already exists on enterprise infrastructure. Likewise, an NDR solution needs to provide pervasive network visibility by bridging the corporate network to the public cloud.

The Plixer NDR platform meets all those requirements and also provides:

  • Comprehensive response 
  • Integrations with other response and workflow tools 
  • Anomaly detection 
  • Support for Zero Trust Network Access (ZTNA) 
  • Detection of lateral traffic movement 
  • Detection of Command & Control (C2) communication 
  • Detection of sensitive data being moved 
  • Detection of data exfiltration 
  • Host classification/profiling 

To see Plixer’s solution in action, schedule a demo today.