Companies need reliable packet capture to maintain an accurate source of truth for what happened on their networks. Netflow can't recreate that tarball deleted off your server once attackers finished their exfiltration, and it's not always detailed enough for writing an IDS signature with. "Capture All the Things!" seems impossible to scale in the real world, even host-based IDS and network logging are incomplete solutions. This leaves incident response teams with conjecture "we saw traffic on this port, but we don't know what it was."
Historically, scaling packet capture infrastructure to meet corporate network demands is a significant challenge. Physical space for infrastructure is limited, traffic rates are too high to maintain meaningful retention windows, and cost is prohibitive. Additionally, how do you efficiently query petabytes of data in time to resolve an incident?
To address this problem, our in-house security team built a scalable, cost-effective, multi-petabyte solution using the Open Compute Project. This presentation will walk you through the architecture and design decisions that helped us build a packet capture infrastructure capable of handling tens of Gbps per host and providing retention measured in petabytes. This solution automatically delivers packets to analysts and responders, so they can quickly identify and report the truth of what happened during an incident.
