Full packet capture (FPC, or simply PCAP) is a troubleshooting tool that establishes after-the-fact investigative capabilities. Because every packet is captured, analysts can be confident that any malware samples and network exploits that crossed the wire were captured too, and can use them to determine whether a compromise, a breach, or data exfiltration has occurred. It is a "big net" approach, and it is why teams have historically turned to full packet capture: preferring to err on the side of caution, many security practitioners capture "everything" for fear of missing "something."

Many security tools rely on detecting known malicious traffic by matching specific signatures. But before a signature can be written, an attack has to occur and then be analyzed. So what happens when a new attack arrives and no signature exists for it yet? That is where FPC adds a layer on top of signature-based detection: because every communication was recorded, analysts can go back and review all system traffic, including what no tool flagged at the time, which is what makes it useful against zero-day exploits and previously unseen malware.

Issues have emerged, however, because most teams cannot use full packet analysis to its full potential. The reason is the cost of the storage needed to retain packets for 30, 60, or 90 days. SOC analysts need a "lookback window" of that length because, when they investigate an interaction that may have taken place between an employee and a possible threat actor (whether the employee is complicit or unaware of the situation), they may need to go back a month or longer to capture and document every relevant exchange.
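As an added example (not code from the original post), the following pure-Python script shows the two points above in working form: a handful of frames are written into a constructed libpcap-format capture, an indicator that did not exist at capture time is applied retroactively over the stored packets, and the same search is run with a 30-day and a 60-day lookback window to show what the shorter retention period misses. The `retention_bytes` helper puts a rough number on the storage cost. All addresses, timestamps, and the indicator string are constructed for the example and are hypothetical.

```python
"""Retroactive search over a full packet capture (added example, constructed data)."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # libpcap global header magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
DAY = 86_400


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum used by the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP frame with a 20-byte TCP header (PSH|ACK).
    The TCP checksum is left zero: this example only parses, it never transmits."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def build_pcap(records) -> bytes:
    """Serialize (timestamp_seconds, frame) pairs into a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data: bytes):
    """Yield (timestamp_seconds, frame) from a little-endian pcap file."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    linktype = struct.unpack_from("<HHiIII", data, 4)[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        records.append((sec + usec / 1_000_000, data[off:off + incl_len]))
        off += incl_len
    return records


def parse_frame(frame: bytes):
    """Return the IPv4/TCP 5-tuple and payload, or None for anything else."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_end = 14 + struct.unpack_from("!H", frame, 16)[0]
    tcp_off = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp_off)
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "payload": frame[tcp_off + data_off:ip_end]}


def search_capture(pcap_bytes: bytes, indicator: bytes, now: float, lookback_days: int):
    """Apply an indicator learned after the fact to stored packets inside the
    lookback window; returns (timestamp, src, dst, dport) per matching packet."""
    since = now - lookback_days * DAY
    hits = []
    for ts, frame in parse_pcap(pcap_bytes):
        if ts < since or ts > now:
            continue
        pkt = parse_frame(frame)
        if pkt and indicator in pkt["payload"]:
            hits.append((ts, pkt["src"], pkt["dst"], pkt["dport"]))
    return hits


def retention_bytes(avg_mbps: float, days: int) -> int:
    """Raw storage to keep every packet for `days` at an average link load of
    `avg_mbps` megabits/second (no compression, no index overhead)."""
    return int(avg_mbps * 1_000_000 / 8 * DAY * days)


# Constructed sample capture: 45 days of "history" with a beacon to a hypothetical
# host 203.0.113.5 whose URI path only became an indicator after the capture was made.
BASE = 1_700_000_000
NOW = BASE + 45 * DAY
INDICATOR = b"GET /cgi-bin/status?h="   # hypothetical C2 beacon path
SAMPLE_CAPTURE = build_pcap([
    (BASE + 10 * DAY, build_frame("10.1.2.3", "203.0.113.5", 51000, 80, b"GET /cgi-bin/status?h=a1 HTTP/1.1\r\n")),
    (BASE + 12 * DAY, build_frame("10.1.2.3", "198.51.100.9", 51001, 443, b"\x16\x03\x01" + b"\x00" * 16)),
    (BASE + 40 * DAY, build_frame("10.1.2.3", "203.0.113.5", 51002, 80, b"GET /cgi-bin/status?h=b2 HTTP/1.1\r\n")),
    (BASE + 44 * DAY + 0.5, build_frame("10.1.2.7", "203.0.113.5", 51003, 80, b"GET /cgi-bin/status?h=c3 HTTP/1.1\r\n")),
    (BASE + 44 * DAY + 1, build_frame("10.1.2.9", "192.0.2.10", 51004, 80, b"GET /index.html HTTP/1.1\r\n")),
])

if __name__ == "__main__":
    for days in (30, 60):
        hits = search_capture(SAMPLE_CAPTURE, INDICATOR, NOW, days)
        print(f"{days}-day lookback: {len(hits)} beacon(s) from {sorted({h[1] for h in hits})}")
    print(f"1 Gbps average for 30 days: {retention_bytes(1000, 30) / 1e12:.0f} TB raw")
```

With a 30-day window the first beacon from 10.1.2.3 on day 10 is outside retention and the investigation starts 30 days late; the 60-day window recovers it. The storage figure is deliberately the raw upper bound, since the trade-off the post describes is exactly that every extra day of lookback costs another day of line-rate storage.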