Network analysis provides an unparalleled advantage for enterprise security and operations. As network, application, and security expertise continue to diverge with the acceleration of technology, critical advancements in network monitoring are analogous to the development of better telescopes in astronomy – they allow us to see further and more clearly. However, the approach to analyzing the network has traditionally offered a challenging choice between packet recording and metadata flow records. The cost of each approach varies from the simple capture, to complex optimization of storage, to detailed analysis before or after query time. Most use cases benefit from a longer retention history, but the relative cost of that retention varies dramatically between the approaches. The availability of historical data leads to the discovery of additional use cases, providing even higher ROI. Even more nuanced is the cost of the specific expertise required to utilize each approach effectively. Historically, organizations had to choose between approaches, but now there is a breakthrough that allows companies to take advantage of a complete solution that surpasses both legacy approaches, providing deep benefits to the company’s security strategy.
Packet Recording is the oldest form of data capture for network monitoring. Engineers and scientists used packet recording and playback to develop and optimize the networking stack directly. A primary benefit is the zero-touch aspect: observing the packets does not impact the network infrastructure in any form, including basic resource utilization. While the technique is often applied across the application stack, rapidly evolving applications and growing network capacity are increasing the complexity cost to capture, store, recall, and analyze the traffic. The primary cost factor is the storage resources and capacity needed to record enough network traffic to provide relevant history. An additional cost is recall and querying, which require expertise to reconstruct network activity and turn it into insight.
Flow Records, or metadata extraction, were introduced as a simplified form of network analysis to provide visibility into connectivity, bandwidth, and other key performance indicators. The forms of metadata records evolved to encompass more metrics, but the primary approach relies on the network elements themselves to generate a simplified record, often referred to as a tuple (sFlow, NetFlow, IPFIX). The primary tradeoff of this approach is the loss of granularity: the observed traffic is summarized at common network layers, and visibility into application-specific details is lost. While the overall resource cost for flow records is not high, metadata generation is always a lower priority than network routing and is impacted during heavy load.
A Balanced Approach
WireX Systems Contextual Capture™ incorporates aspects of both deep packet analysis and metadata extraction to provide a more balanced approach to the complexity cost. This approach significantly improves overall performance through expanded historical capacity and more directly accessible insight. Passively monitoring packets preserves the zero-touch philosophy: no additional resource demands are placed on the network elements to generate metadata. Additionally, this enhances security by providing an isolated, second-factor evaluation and record of application, endpoint, and user activity. Contextual Capture™ processes all packets in real time through protocol-specific analyzers to produce contextual records that are then indexed and archived for rapid historical queries of up to one year. The detailed summary of application-level context is indexed during storage to enable efficient, relevant answers to the queries posed. WireX Systems Contextual Capture™ enhances a variety of use cases, both by supporting less experienced staff and by accelerating the work of top-level analysts.
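To make the three levels of granularity concrete, the following added example (not WireX Systems code, and not a description of its product internals) summarises a handful of constructed HTTP packets in the two ways the page contrasts: NetFlow-style 5-tuple counters, and "contextual" records produced by a minimal protocol analyzer that keeps application fields. The closing query shows a question an analyst can answer only from the contextual records. All packet data, the HTTP parser and the record layouts are assumptions for illustration.

```python
from collections import defaultdict
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    """Constructed packet: 5-tuple, size and a payload snippet, as a passive tap would deliver."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    size: int
    payload: bytes

# Constructed sample traffic (not captured data): two clients talking to one web server.
PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 51000, 80, "tcp", 320, b"GET /login HTTP/1.1\r\nHost: portal.example\r\n\r\n"),
    Packet("192.0.2.10", "10.0.0.5", 80, 51000, "tcp", 1400, b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 51000, 80, "tcp", 290, b"GET /admin HTTP/1.1\r\nHost: portal.example\r\n\r\n"),
    Packet("10.0.0.7", "192.0.2.10", 51001, 80, "tcp", 310, b"GET /index HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
]

def flow_records(packets):
    """NetFlow-style summarisation: one record per 5-tuple with packet and byte counters.
    Everything in the payload is discarded, which is the granularity loss the page describes."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += p.size
    return dict(flows)

def parse_http_request(payload: bytes) -> Optional[dict]:
    """Minimal HTTP request analyzer: method, path and Host header, or None if not a request."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
        lines = head.split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
    except (ValueError, UnicodeDecodeError):
        return None
    host = next((l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("host:")), None)
    return {"method": method, "path": path, "host": host}

def contextual_records(packets):
    """Contextual record: endpoints plus application fields, one per parsed request rather than per packet."""
    records = []
    for p in packets:
        req = parse_http_request(p.payload) if p.dport == 80 else None
        if req:
            records.append({"src": p.src, "dst": p.dst, **req})
    return records

def clients_requesting(records, path):
    """Historical query that flow records cannot answer: which clients requested a given path?"""
    return sorted({r["src"] for r in records if r["path"] == path})
```

Run `flow_records(PACKETS)` and `contextual_records(PACKETS)` side by side: the flow view collapses the two requests from 10.0.0.5 into one counter, while the contextual view still distinguishes `/login` from `/admin`.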
Criterion | Packet Recording | Flow Records | WireX Systems Contextual Capture™
--- | --- | --- | ---
Granularity of Data | Good: detailed packet-level data | Bad: summarized traffic data | Good: rich contextual information from payload
Storage Requirements | Bad: requires substantial storage space | Good: less storage than packet recording | Good: optimized through indexing and compression
Real-time Analysis Capability | Bad: mostly used for retrospective analysis | Moderate: suitable for some real-time applications | Good: designed for real-time and historical analysis
Ease of Use for Non-Experts | Bad: requires significant expertise to interpret | Moderate: easier than packet recording but requires network expertise | Good: accessible to a wide range of users
Impact on Network Performance | Good: depending on whether taps or span-ports are utilized | Bad: network elements must collect and transmit flow records | Good: depending on whether taps or span-ports are utilized
Historical Data Access | Bad: limited to hours or days of storage | Moderate: much longer history but fewer answers due to limited detail | Good: vastly longer history (months) with application context to drive decisions
Information Density | Bad: significant detail, but massive volume | Bad: significant history but lacking detail due to summarization | Good: proper balance of application detail and historical significance
As indicated in the comparison table, the advantages of WireX Systems Contextual Capture™ provide the best balance between cost and needs. Unlocking the value of network data through historical data enables more rapid incident response. The quality and speed of a response are limited by the quality of the available data. The accessibility of the contextual records enables a broad array of secondary use cases and provides significant value through direct network observation.
It is important to understand the complete picture of capabilities when selecting network instrumentation. WireX Systems Contextual Capture™ provides complete, accessible insights from direct network observation, giving organizations unmatched visibility.