Welcome to the
CyberIQs Knowledge Centre

Packet capture for detection


rizzi
(@rizzi)
New Member
Joined: 2 years ago
Posts: 4
Topic starter  

At my company we are designing a detection architecture. After analysing the requirements for packet capture and the cost implications, we are debating its importance for incident detection.

Is there someone here with experience who can provide some guidance?

Thanks!


the_eagle
(@the_eagle)
Eminent Member
Joined: 2 years ago
Posts: 28

Hi Rizzi,

As you mentioned, it is not cheap to store network telemetry as packet captures. If you look strictly at building a good detection architecture, I would say it is definitely a must have; however, it is not indispensable. You can build a good detection architecture without packets: the endpoint provides good visibility, as do the rest of the network devices in your network. They should be good enough to provide you with the right visibility.


skytech
(@skytech)
New Member
Joined: 2 years ago
Posts: 1

PCAP is a nice to have these days. You can get a good degree of visibility with network logging and the endpoint, which is in the end where the attacker leaves the biggest footprint.


rizzi
(@rizzi)
New Member
Joined: 2 years ago
Posts: 4
Topic starter  

Thanks, this is very helpful. I can see I am not alone in my conclusions. If you have a strong endpoint architecture and EDR, PCAP becomes less important for threat detection.


block2chain
(@block2chain)
New Member
Joined: 2 years ago
Posts: 4

PCAP is overestimated these days. If there is an EDR and good policy and controls in the network, packet analysis is simply redundant.

