Time to Retire Deep Packet Inspection?
What is Deep Packet Inspection (DPI)
Deep packet inspection (DPI) is a full packet inspection of the data streams that flow across a network. With Google finding 90% of today's Chrome traffic encrypted, DPI must increasingly rely on decryption methods to complete its inspection. DPI uses SSL/TLS inspection to decrypt, scan, and detect malicious code hidden within encrypted traffic tunnels. Encrypted traffic has become a favorite haunt of cyber criminals looking to hide malicious activity without raising flags.
Encryption is the greatest gift for opportunistic cyber criminals hoping to go undetected.
Decryption lets you identify specific file and data types and the contents of the application data within the payload.
Traditionally, without decryption all you can discern from encrypted traffic is the payload size, traffic source, destination IP address, and the protocol used.
Although decryption provides needed visibility into network traffic, it has downsides that make enterprises look for alternatives.
- Increased CPU load on your firewall
- Reduces network performance
- Increased latency
- Higher risk of packet loss
- Ethical privacy concerns
Why Organizations are Moving Away From DPI
Because of how sensitive decrypting consumer data is, organizations don't want to risk accidentally decrypting protected personally identifiable information (PII). Decryption can be risky on specific subnets and, depending on the techniques used, can violate GDPR, HIPAA, and PCI DSS.
These compliance standards protect user privacy, requiring organizations not to decrypt medical or financial records and other individually identifiable information that is used or disclosed.
Texas has had an Illegal Decryption law since 2017 that states there must be a legitimate business purpose to decrypt any private information.
But how do you know you aren’t decrypting the wrong traffic until it’s too late?
You can’t put the toothpaste back in the tube. The public pressure around the ethics of decryption and the risk of being liable for violating compliance laws have created momentum for organizations looking for an alternative to decryption.
This alternative is called Deep Packet Dynamics (DPD).
What is Deep Packet Dynamics (DPD)?
DPD solves the decryption problem by using a metadata-based technique to identify threats within encrypted tunnels without decrypting the traffic. DPD uses behavioral profiling and fingerprinting to identify abnormal patterns in network traffic and end-user behavior.
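The metadata-only approach described above, as an added illustration that is not LiveAction or ThreatEye code: each packet is reduced to timestamp, direction and size, a handful of traits is derived per flow, and two behaviors the text names (beaconing C2 and exfiltration) are flagged without reading a byte of payload. The thresholds and the sample flows are constructed assumptions.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# One packet as the metadata a sensor sees without decrypting anything:
# (timestamp in seconds, direction relative to the client, size in bytes).
Packet = Tuple[float, str, int]

def flow_features(packets: List[Packet]) -> Dict[str, float]:
    """Derive payload-independent traits of one flow (a DPD-style feature set)."""
    out = [p for p in packets if p[1] == "out"]
    inn = [p for p in packets if p[1] == "in"]
    out_bytes = sum(p[2] for p in out)
    total = out_bytes + sum(p[2] for p in inn)
    out_times = sorted(p[0] for p in out)
    gaps = [b - a for a, b in zip(out_times, out_times[1:])]
    # Coefficient of variation of outbound inter-arrival gaps: ~0 means clockwork timing.
    gap_cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else 1.0
    return {
        "packets": len(packets),
        "out_ratio": out_bytes / total if total else 0.0,
        "mean_out_size": mean([p[2] for p in out]) if out else 0.0,
        "gap_cv": gap_cv,
    }

def classify(f: Dict[str, float]) -> str:
    """Flag beacon-like and exfiltration-like flows from traits alone.
    Thresholds are illustrative assumptions, not tuned production values."""
    if f["packets"] >= 6 and f["gap_cv"] < 0.1 and f["mean_out_size"] < 200:
        return "suspicious: beacon-like periodic small outbound packets"
    if f["packets"] >= 6 and f["out_ratio"] > 0.9:
        return "suspicious: outbound-heavy transfer (possible exfiltration)"
    return "benign-looking"

# Constructed sample flows (not real captures).
BEACON_FLOW: List[Packet] = [pkt for i in range(10)
                             for pkt in ((i * 60.0, "out", 120), (i * 60.0 + 0.2, "in", 150))]
WEB_FLOW: List[Packet] = [(0.0, "out", 500), (0.1, "out", 80), (0.5, "out", 600), (0.7, "out", 90)] \
    + [(0.2 + 0.05 * k, "in", 1400) for k in range(6)]
UPLOAD_FLOW: List[Packet] = [(t, "out", 1400) for t in (0.0, 0.01, 0.03, 0.04, 0.08, 0.09, 0.13, 0.15)] \
    + [(0.05, "in", 60), (0.16, "in", 60)]

if __name__ == "__main__":
    for name, flow in (("beacon", BEACON_FLOW), ("web", WEB_FLOW), ("upload", UPLOAD_FLOW)):
        feats = flow_features(flow)
        # Intelligent capture: retain only the traits and verdict, never the payload.
        print(name, {k: round(v, 3) for k, v in feats.items()}, "->", classify(feats))
```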
Benefits of Deep Packet Dynamics
With DPD, you don’t have to worry about violating privacy compliance laws. DPD reveals features of a packet’s data without seeing its actual contents.
DPD also creates an opportunity for better data storage practices. If you know that the payload is not malicious, there is no reason to store the entire packet. We call this intelligent packet capture. Critical aspects of the packet are retained for historical reference and forensic analysis, and the payload is tossed.
This more efficient packet storage can increase the lifespan of your data storage from months to years, depending on an organization's storage capacity. Longer data storage is not just a nice-to-have but an executive order requirement for many federal agencies starting this August 27th.
ThreatEye by LiveAction collects over 150 unique traffic traits and characteristics to identify suspicious behavior. ThreatEye examines DPD data to identify anomalous activity, device compromises, and exploits without decryption.
Machine learning models are applied to identify advanced behavioral threat actor anomalies, including phishing, unauthorized remote access (RDP/VPN), reconnaissance, lateral movement, C2, tunnelling, hands-on-keyboard activity, secure-shell exploits, man-in-the-middle attacks, and data exfiltration.