Datashield's Resource Library

The Packet Advantage

Learn why packet level detail and full packet capture are critical to the forensic capabilities of a security analyst.

Listed below are the top 7 reasons why packets are superior to logs alone.

1. Root cause analysis

Logs usually record how a device responded to traffic (allowed, denied, alerted), but full packet capture records the traffic itself and so tells the story of what actually happened. Packet data removes the ambiguity of a one-line verdict and provides context that no other alerting or monitoring medium can supply.

2. Higher-resolution alerting

Packet capture offers insight into the life cycle of a session, what it contained, and how it evolved. This insight is highly valuable for alerting and provides threat analysts with more tools to detect malicious activity faster and with greater accuracy.

3. Protocol details

Packets provide hundreds of additional data points that can be queried, analyzed, and correlated that aren’t available in logs alone. A deeper inspection of protocols gives both security analysts and system engineers better awareness of their environment.

4. Vendor-agnostic

With access to the raw data, an analyst does not have to rely on what an IDS/IPS/firewall vendor decided was essential in a session. Vendor severity ratings and thresholds are useful and often relevant, but they may not keep pace with the evolving threat landscape.

5. Forensic replay and reconstruction

The ability to replay a session and extract files or other artifacts enriches and advances threat intelligence and investigations. It can eliminate doubt around the contents of a flagged event and give analysts more actionable data and intelligence on what’s moving over the wire.

6. Device policy vetting and enhancement

Comparing packet data with IDS/IPS/firewall responses aids network hardening by exposing misconfigurations and rules that fail to stop malicious activity. Packet data improves security posture and helps get the most out of existing security infrastructure.

7. Reduced false positives

Logs don't contain the wealth of data seen in packets. A log line offers few fields on which to build allow-list exceptions, whereas packets carry dozens of headers, payload specifics, and enrichments that can be used to refine and streamline noisy alerts. Packet data reduces analyst and customer workload, enhancing the entire solution.
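To make points 1, 3, 5 and 7 concrete, here is an added example (not Datashield's code or tooling) that does, in plain Python with only the standard library, what a firewall log line cannot: it parses a classic libpcap file, reassembles a TCP stream whose segments arrived out of order with a partially overlapping retransmission, extracts the HTTP request and response, hashes the transferred file, and evaluates an allow-list rule on fields (Host, User-Agent) that only exist at packet level. The capture, the log line, the addresses, the hostname `updates.example.test` and the agent name `CorpAgent/` are all constructed for the example; the decoder assumes Ethernet/IPv4/TCP without IP fragmentation and does not verify checksums.

```python
import hashlib, socket, struct
from collections import defaultdict

def build_pcap(frames):
    """Serialise raw Ethernet frames as a classic libpcap file (only used to construct the sample)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, f in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", ts, 0, len(f), len(f)) + f)
    return b"".join(out)

def tcp_frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Build an Ethernet/IPv4/TCP frame; checksums stay zero since this decoder does not verify them."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload

def read_pcap(data):
    """Yield raw frames from a classic little-endian pcap (no pcapng, no nanosecond variant)."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported capture format")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack("<IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def decode_tcp(raw):
    """Decode Ethernet/IPv4/TCP headers into a dict; return None for anything that is not TCP over IPv4."""
    if raw[12:14] != b"\x08\x00" or raw[14 + 9] != 6:
        return None
    ip = raw[14:]
    tcp = ip[(ip[0] & 0x0F) * 4:struct.unpack("!H", ip[2:4])[0]]
    sport, dport, seq, _ack, doff, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "sport": sport,
            "dport": dport, "seq": seq, "flags": flags, "payload": tcp[(doff >> 4) * 4:]}

def reassemble(packets):
    """Per direction, order segments by sequence number and drop bytes already delivered (retransmits)."""
    streams = defaultdict(dict)
    for p in packets:
        if p["payload"]:
            streams[(p["src"], p["sport"], p["dst"], p["dport"])].setdefault(p["seq"], p["payload"])
    result = {}
    for key, segs in streams.items():
        data, nxt = b"", 0
        for seq in sorted(segs):
            data += segs[seq][max(0, nxt - seq):]     # trim the overlap a retransmission carries
            nxt = max(nxt, seq + len(segs[seq]))
        result[key] = data
    return result

def parse_http(data):
    """Split an HTTP/1.x message into start line, lower-cased header dict and body."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return lines[0], headers, body

def investigate(pcap_bytes, client, server):
    """Reconstruct the flagged session and return the fields a firewall/IDS log line cannot provide."""
    streams = reassemble([p for p in map(decode_tcp, read_pcap(pcap_bytes)) if p])
    c2s = next(d for k, d in streams.items() if k[0] == client and k[2] == server)
    s2c = next(d for k, d in streams.items() if k[0] == server and k[2] == client)
    req_line, req_hdr, _ = parse_http(c2s)
    status, resp_hdr, body = parse_http(s2c)
    return {"request": req_line, "host": req_hdr.get("host"), "user_agent": req_hdr.get("user-agent"),
            "status": status, "content_type": resp_hdr.get("content-type"),
            "body_len": len(body), "body_sha256": hashlib.sha256(body).hexdigest()}

def is_allowlisted(finding):
    """A tuning rule that only packet-level fields make possible (host and agent names are hypothetical)."""
    return finding["host"] == "updates.example.test" and (finding["user_agent"] or "").startswith("CorpAgent/")

# Constructed sample. The log line is everything a 5-tuple-based control records about this session.
FIREWALL_LOG = "deny tcp 10.0.0.5:51234 -> 203.0.113.10:80 rule=block-executable-download"
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
REQUEST = b"GET /agent/update.bin HTTP/1.1\r\nHost: updates.example.test\r\nUser-Agent: CorpAgent/4.2\r\n\r\n"
BODY = b"MZ" + bytes(range(256)) * 4                       # stand-in for the downloaded file
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(BODY) + BODY)

def sample_pcap():
    """Response split into three segments, delivered out of order, plus one partially overlapping retransmit."""
    ack = 1000 + len(REQUEST)
    return build_pcap([
        tcp_frame(CLIENT, SERVER, 51234, 80, 1000, 5000, 0x18, REQUEST),
        tcp_frame(SERVER, CLIENT, 80, 51234, 5300, ack, 0x18, RESPONSE[300:700]),  # arrives early
        tcp_frame(SERVER, CLIENT, 80, 51234, 5000, ack, 0x18, RESPONSE[:300]),
        tcp_frame(SERVER, CLIENT, 80, 51234, 5200, ack, 0x18, RESPONSE[200:400]),  # retransmit
        tcp_frame(SERVER, CLIENT, 80, 51234, 5700, ack, 0x18, RESPONSE[700:]),
    ])

if __name__ == "__main__":
    finding = investigate(sample_pcap(), CLIENT, SERVER)
    print("log shows:", FIREWALL_LOG)
    print("packets show:", finding, "allowlisted:", is_allowlisted(finding))
```

The log line alone says a download was blocked between two addresses; the reconstructed session says which URL was requested, by which agent, from which virtual host, what the server returned and the exact hash of the file that crossed the wire, which is what lets an analyst close the ticket as a sanctioned update or escalate it with an indicator in hand. On a real capture, replace `sample_pcap()` with the bytes of a pcap file and expect to extend the decoder for VLAN tags, IP options, IPv6 and TLS before relying on it.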

If your organization is looking to move from logs alone to a full packet capture system, Datashield would be happy to help you plan, implement and grow your security platform. Contact us today.

Topics from this Article

Managed Detection and Response, Full Packet Capture, Security Information and Event Management, Threat Hunting, Alerting, False Positives, Firewall

David Norlin
Dave Norlin is the Chief Information Security Officer at Datashield and contributes technical content to the Datashield resource library. On top of running the SOC at Datashield and interfacing with customers, Dave offers his technical acumen and insight in the form of educational materials for the Datashield resource library. Dave is also one of the hosts of Datashield's podcast The Hash-Time Show.
