Packet Inspection vs. Packet Dynamics for Security
What is the difference between packet inspection for security and packet dynamics for cybersecurity?
Simply put, one approach is fading like the sunset. The other is shining like the noontime sun.
Let’s look at each of these approaches and where they stand in our evolving threat landscape.
What is Packet Inspection for Cybersecurity?
Packet inspection is a little like going through security at the airport. Data knocking at your network door has a destination, but before letting it fly, you need to inspect its contents to see if it is malicious.
At the airport, x-ray machines look inside your bags for any signs of risk.
On your network, it’s likely a firewall or perhaps intrusion detection taking a look: is this traffic authorized? Is it safe? Can we give it the green light to travel within our environment?
This approach used to work well. Programmers updated security rules occasionally, which at the time was good enough to keep up with attackers. Plus, before 2014, most network traffic was sent in plaintext. So inspection devices could see and analyze data coming in or out of the network.
These tools helped enable secure business operations for many years.
Google pegs encrypted traffic rates at approximately 95% and is pushing for more, and recent research revealed that in Q2 2021, 95% of malware arrived via encrypted traffic. These factors represent a significant collision of challenges, and it is a severe problem for rules-based packet inspection tools. They cannot see into encryption.
As a result, network defenders are flying (mostly) blind, and organizations are approving traffic they cannot analyze, which is driving risk upwards.
A recent Gartner note explains why hiding within encryption is a tactic of choice for attackers: “An embarrassing amount of traffic in organizations today goes uninspected simply because it is encrypted. This is not acceptable.”
And the European Union Agency for Cybersecurity (ENISA) recently wrote about this, as well:
“Organizations relying on such controls for their information security lose valuable insight and end up having blind spots in their managed infrastructure.”
Fortunately, as the effectiveness of traditional packet inspection for security fades like the sunset, something new is lighting the way for organizations.
What is Deep Packet Dynamics for Security?
Instead of needing to inspect packets for security, Deep Packet Dynamics (DPD) looks at behaviors within your environment.
They create a historical inventory for behavioral profiling and fingerprinting, a technique equally effective with encrypted and unencrypted traffic.
LiveAction built its Network Detection and Response Platform on this approach. Called ThreatEye, its use of DPD collects over 150 different traits and characteristics. Tracked traits include producer/consumer ratio, jitter, RSTs, retransmits, sequence of packet lengths and times (SPLT), byte distributions, connection set up time, round-trip time, etc. DPD uses SPLT to make inferences based on the behavior of the encrypted traffic itself.
For example, web browsing, email, and file downloads-uploads can all be differentiated based on their SPLTs. Additionally, SPLTs tend to be different for malware and typical network traffic.
Check out the Google Query behavior vs. the Adwind JRAT SPLT:
Deep packet dynamics can detect the difference and applies Machine Learning to do complex event processing to understand how multiple attacker actions can create a single picture.
Gartner Senior Analyst Nat Smith researches the Network Detection and Response segment of cybersecurity, and he shared in a recent interview how powerful it is for organizations.
“NDR detects things that are maybe very, very weak signals that have not been seen by some of the traditional pieces and can stop them right there…so that’s the instant gratification and kind of value.”
An NDR platform built on Deep Packet Dynamics is helping organizations decrease risk and lighting the way for organizations who want to evolve with the times. Learn more here.