Packet capture for detection
At my company we are designing a detection architecture. After analysing the requirements for packet capture and the cost implications, we are debating the importance of packet capture for incident detection.
Is there someone here with experience who can provide some guidance?
As you mentioned, it is not cheap to store network telemetry as packet captures. If you look strictly at building a good detection architecture, I would say it is definitely a must-have; however, it is not indispensable. You can build a good detection architecture without packets: the endpoint provides good visibility, as do the rest of the network devices in your network. They should be good enough to provide you with the right visibility.
PCAP is a nice-to-have these days. You can get a good degree of visibility with network logging and the endpoint, which is in the end where the attacker leaves the biggest footprint.
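To make the trade-off in the answers above concrete, here is an added example (it is not code from this thread or from any product mentioned in it). It collapses a set of constructed packet header summaries into Zeek/NetFlow-style connection records, then runs two detections that use only those records, no payload: regular-interval beaconing and bulk outbound transfer. It also compares how many bytes the raw capture would occupy with how many connection records the same traffic produces. The traffic, the 30-second idle timeout, the beacon regularity threshold and the 50 MB egress threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    """Minimal per-packet header summary: what a sensor sees before any payload inspection."""
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int
    proto: str
    length: int    # bytes on the wire, headers plus payload


@dataclass
class Flow:
    """One connection record, the unit a conn log or flow exporter stores."""
    src: str
    dst: str
    dport: int
    proto: str
    start: float
    end: float
    pkts: int
    byts: int


def make_sample_packets():
    """Constructed sample traffic (not captured from any real network)."""
    pkts = []
    # 10.0.0.5 contacts 203.0.113.9:443 every 60 s with a tiny exchange: a beacon pattern.
    for i in range(12):
        t = 1000.0 + 60 * i
        pkts.append(Packet(t, "10.0.0.5", "203.0.113.9", 443, "tcp", 120))
        pkts.append(Packet(t + 0.2, "10.0.0.5", "203.0.113.9", 443, "tcp", 140))
    # 10.0.0.7 browses 198.51.100.20:443 at irregular times with variable sizes.
    for t, size in [(1010.0, 900), (1047.0, 4200), (1200.0, 1300), (1211.0, 600), (1500.0, 7000)]:
        pkts.append(Packet(t, "10.0.0.7", "198.51.100.20", 443, "tcp", size))
    # 10.0.0.9 pushes ~58 MB to 192.0.2.33:22 in one 20 s session: bulk egress.
    for i in range(40_000):
        pkts.append(Packet(2000.0 + i * 0.0005, "10.0.0.9", "192.0.2.33", 22, "tcp", 1460))
    return sorted(pkts, key=lambda p: p.ts)


def build_flows(packets, idle_timeout=30.0):
    """Aggregate packets into connection records keyed by (src, dst, dport, proto).
    A flow is closed after `idle_timeout` seconds of silence, as a flow exporter would."""
    open_flows = {}
    finished = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.dport, p.proto)
        f = open_flows.get(key)
        if f is not None and p.ts - f.end > idle_timeout:
            finished.append(f)          # idle too long: close it and start a new record
            f = None
        if f is None:
            f = Flow(p.src, p.dst, p.dport, p.proto, p.ts, p.ts, 0, 0)
            open_flows[key] = f
        f.end = p.ts
        f.pkts += 1
        f.byts += p.length
    finished.extend(open_flows.values())
    return sorted(finished, key=lambda f: f.start)


def detect_beacons(flows, min_flows=8, max_cv=0.1):
    """Flag (src, dst, dport) triples whose connections start at nearly regular intervals.
    Needs only connection start times, so it works on a conn log with no payload."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.start)
    hits = []
    for pair, starts in by_pair.items():
        if len(starts) < min_flows:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        cv = pstdev(gaps) / mean(gaps)   # coefficient of variation: ~0 means clockwork timing
        if cv <= max_cv:
            hits.append((pair, round(mean(gaps), 1)))
    return hits


def detect_bulk_egress(flows, threshold_bytes=50_000_000):
    """Flag (src, dst) pairs whose summed connection bytes exceed the threshold."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f.src, f.dst)] += f.byts
    return [(pair, b) for pair, b in totals.items() if b >= threshold_bytes]


def storage_summary(packets, flows):
    """Raw capture volume versus the number of connection records the same traffic yields."""
    return {
        "packets": len(packets),
        "pcap_bytes": sum(p.length for p in packets),
        "flow_records": len(flows),
    }


if __name__ == "__main__":
    pkts = make_sample_packets()
    flows = build_flows(pkts)
    print(storage_summary(pkts, flows))
    print("beacons:", detect_beacons(flows))
    print("bulk egress:", detect_bulk_egress(flows))
```

Both findings come out of 17 connection records rather than roughly 40,000 packets, which is the point the answers make: timing and volume anomalies survive the reduction to flow metadata. What does not survive is payload, so anything that needs the actual bytes (content matching, reconstructing what was exfiltrated) still depends on the endpoint or on keeping PCAP for the hosts that matter.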
Thanks, this is very helpful. I can see I am not alone in my conclusions. If you have a strong endpoint architecture and EDR, PCAP becomes less important for threat detection.
PCAP is overestimated these days. If there is an EDR and good policy and controls in the network, packet analysis is simply redundant.