Wednesday, January 11, 2017 • 2:00pm - 2:30pm PST
echo 'PCAP cant scale'| sed 's/cant/does/'

Companies need reliable packet capture to maintain an accurate source of truth for what happened on their networks. NetFlow can't recreate the tarball that was deleted from your server once the attackers finished their exfiltration, and it is not always detailed enough to write an IDS signature from. "Capture All the Things!" seems impossible to scale in the real world, and even host-based IDS and network logging are incomplete solutions. This leaves incident response teams with conjecture: "we saw traffic on this port, but we don't know what it was."

Historically, scaling packet capture infrastructure to meet corporate network demands has been a significant challenge: physical space for the infrastructure is limited, traffic rates are too high to maintain meaningful retention windows, and the cost is prohibitive. And once the packets are stored, how do you efficiently query petabytes of data in time to resolve an incident?

To address this problem, our in-house security team built a scalable, cost-effective, multi-petabyte solution on Open Compute Project hardware. This presentation walks through the architecture and design decisions behind a packet capture infrastructure that handles tens of Gbps per host and provides retention measured in petabytes. The solution automatically delivers packets to analysts and responders, so they can quickly establish and report what actually happened during an incident.


Erik Waher

Erik is a security engineer with a love of all things on the network.

Great Room V-VIII, 7450 Hazard Center Dr.