
All Eyes on PCAP: The Gold Standard of Traffic Analysis
2021-04-06 11:39

The addition of artificial intelligence to PCAP could well change the use and value of PCAP in future years.

Carson summarizes the value of PCAP. "Recently, I analyzed a severe ransomware incident. With the log data remaining it was only possible to get a partial view on how the attackers worked - but if I had full PCAP data then it would be possible to create a much more detailed attack path."

While storage costs are coming down, network traffic volume is going up, and it remains prohibitively expensive to store more than a few days of full PCAP data.

If a company does not have the resources to analyze that amount of data quickly and effectively, it is hard to justify the expense of PCAP. "PCAP has a place," says Richard Bejtlich, principal security strategist at Corelight, "but one must balance trade-offs of storage, ability to query, and other factors. I would encourage agencies looking into upgrading their network security monitoring infrastructure to first see if transaction logs could solve their problems, with targeted or 'smart' PCAP for edge cases and additional inquiry. A 'full PCAP first' approach can be costly and slow compared to the alternatives."

"In most modern communications," says Vectra's Tavakoli, "the packets would be encrypted. On such connections all that would be visible is that communication between two systems occurred and how much data was exchanged." It must be asked whether the cost of PCAP can be justified in an environment where encryption effectively prevents full packet analysis. That leaves two possibilities.

Will decreasing storage costs and improved and automated AI-based analysis bring it within the budget of more companies? Or will improving AI-based network detection and response solutions render full PCAP redundant?
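The trade-off Bejtlich and Tavakoli describe can be made concrete. The following Python is an added example, not code from the article or from any vendor quoted in it: it builds a small pcap from constructed Ethernet/IPv4/TCP frames, then reduces it to the per-connection records a transaction log would keep (endpoints, packet count, byte count), which is also all that an encrypted session exposes. Addresses, ports and payloads are constructed sample values.

```python
import struct
from collections import defaultdict

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero because only headers are parsed."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload  # Ethernet header, ethertype IPv4

def build_pcap(frames):
    """Wrap frames in a classic pcap file (magic 0xa1b2c3d4, little-endian, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(f), len(f)) + f
    return out

def flow_summary(pcap):
    """Reduce a pcap to what a transaction log keeps per TCP connection: endpoints, packets, bytes."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    off = 24  # skip the global header; assumes the little-endian layout build_pcap writes
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":  # not IPv4, ignore
            continue
        ip = frame[14:]
        if ip[9] != 6:                   # not TCP, ignore
            continue
        ihl = (ip[0] & 0x0F) * 4
        src, dst = (".".join(map(str, ip[i:i + 4])) for i in (12, 16))
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        key = tuple(sorted([(src, sport), (dst, dport)]))  # one key for both directions
        flows[key]["packets"] += 1
        flows[key]["bytes"] += len(frame)   # payload is counted, not kept
    return dict(flows)

def as_log_lines(flows):
    """Render the summary as one transaction-log line per connection."""
    return [f"{a}:{ap} <-> {b}:{bp} packets={v['packets']} bytes={v['bytes']}"
            for ((a, ap), (b, bp)), v in sorted(flows.items())]

# Constructed sample: a TLS-like exchange in both directions plus one more short connection.
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "203.0.113.10", 51000, 443, b"\x16\x03\x01" + b"A" * 200),
    build_frame("203.0.113.10", "10.0.0.5", 443, 51000, b"\x16\x03\x03" + b"B" * 1200),
    build_frame("10.0.0.5", "203.0.113.10", 51000, 443, b"\x17\x03\x03" + b"C" * 97),
    build_frame("10.0.0.7", "203.0.113.20", 40000, 443, b"\x16\x03\x01" + b"E" * 297),
])
```

Running `as_log_lines(flow_summary(SAMPLE_PCAP))` turns a 2110-byte capture into two short log lines, which is the storage argument for transaction logs in miniature; note that a real deployment would also have to handle the big-endian and pcapng variants this parser deliberately ignores.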
