Robert Derby

Deep packet inspection (DPI) is a method of examining the content of data packets as they pass through the network. Unlike conventional packet (or NetFlow) filters, which check only the packet headers for the source and destination Internet Protocol (IP) addresses and the port numbers, DPI examines a much larger range of metadata: the inspection covers not just the header but also the data, or payload, the packet is carrying.
 
So, Why DPI for Cybersecurity?
The only place an attacker can’t hide is on the network.
 
DPI tools, as opposed to NetFlow-based tools, provide the most meaningful content possible in threat detection and response. This is because network packets cannot be altered, so they represent the absolute truth. A network detection and response (NDR) solution is the only way to expose bad actors and can work in conjunction with other tools such as endpoint detection and response (EDR); security information and event management (SIEM); firewalls; security orchestration, automation and response (SOAR); and extended detection and response (XDR) to increase the strength of your security stack. 

The network itself is constantly evolving, and with the addition of cloud, these modern-day networks require instrumentation and network intelligence capable of providing continuous and consistent visibility into all areas to account for visibility gaps where hidden threats may be concealed. 

The rich data evaluated by DPI provides a more robust mechanism for enforcing network packet filtering, because DPI can be used to identify and block a range of complex threats hiding in network data streams. Its capabilities include:

  • Visibility into encrypted packets 
  • Data exfiltration attempts 
  • Content policy violations
  • Criminal command and control (C2) communications
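To make the header-versus-payload distinction concrete, here is an added example (not from the original post or from NETSCOUT) that parses a constructed IPv4/TCP datagram, applies a NetFlow-style filter that sees only the 5-tuple, and then a DPI check that also validates the payload against the expected application protocol and a content policy. The allowed ports, the TLS/HTTP heuristics and the `CONFIDENTIAL` marker are assumptions chosen for the demo.

```python
import struct
from dataclasses import dataclass

# Constructed content-policy marker for the demo; real DPI engines use signature sets.
SENSITIVE_MARKER = b"CONFIDENTIAL"

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+TCP datagram (checksums left zero) as constructed sample input."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0,
                     64, 6, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

def parse_ipv4_tcp(raw):
    """Split a raw IPv4/TCP datagram into the header 5-tuple and the payload."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("expected IPv4/TCP")
    ihl, total = (raw[0] & 0x0F) * 4, struct.unpack("!H", raw[2:4])[0]
    src, dst = (".".join(map(str, raw[o:o + 4])) for o in (12, 16))
    tcp = raw[ihl:total]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return Packet(src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:])

def header_verdict(pkt, allowed_ports=(80, 443)):
    """NetFlow-style filter: only header fields (here the destination port) are consulted."""
    return None if pkt.dport in allowed_ports else f"port {pkt.dport} not allowed"

def dpi_verdict(pkt):
    """DPI: header check, then protocol validation and a content policy on the payload."""
    reason = header_verdict(pkt)
    if reason or not pkt.payload:          # header-blocked, or no payload to inspect
        return reason
    if pkt.dport == 80 and not pkt.payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "non-HTTP payload on port 80"
    if pkt.dport == 443 and not (pkt.payload[:1] in (b"\x16", b"\x17") and pkt.payload[1:2] == b"\x03"):
        return "non-TLS payload on port 443"
    if SENSITIVE_MARKER in pkt.payload:
        return "content policy: sensitive marker in cleartext"
    return None
```

A header-only filter passes cleartext on port 443 and a marked document in an HTTP body alike; only the payload inspection separates them.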

Traditional security tools are designed to be reactive and are triggered only once a policy violation happens. But having a DPI-based NDR solution allows you to collect and contextualize event information before a breach occurs. Having the ability to filter down to the most relevant information will help reduce the mean time to knowledge (MTTK) and mean time to remediation (MTTR) of potential incidents.

How Can NETSCOUT Help with DPI?
For more than two decades, NETSCOUT has managed the world’s most complex networks by using a patented technology called Adaptive Service Intelligence (ASI). ASI technology converts raw packets, in real time, into a robust set of Layer 2–7 metadata that can be used for network/application performance analysis and cybersecurity use cases. This continuous full-packet capture gives you visibility at the point of intrusion rather than at the point of detection, so you can see the incident before, during, and after an attack, allowing you to stop it and prevent future attacks. 

NETSCOUT uses this market-leading, patented technology to offer a scalable DPI-based NDR solution known as Omnis Cyber Intelligence. This allows NETSCOUT to provide a common and consistent method of DPI, which creates a much-needed force multiplier by encouraging security and ITOps team integration (for example, NetSecOps collaboration).

With Omnis Cyber Intelligence providing real-time granular analysis of the underlying traffic flows, intermediaries can seamlessly and efficiently apply to cloud traffic the same traffic management, security, and monitoring policies that govern traffic hosted on site. The same capabilities that are available on premises exist in the cloud environments.

Omnis Cyber Intelligence is powered by Omnis CyberStream sensors. CyberStream uses a combination of NETSCOUT ASI technology and indexing and compression techniques to create a robust source of Layer 2–7 metadata, known as NETSCOUT Smart Data. This Smart Data can be stored locally on CyberStream sensors, which have hundreds of terabytes of storage capacity.

NETSCOUT’s Omnis Cyber Intelligence platform is designed to ensure a consistent security operations center (SOC) analyst experience and create an analytics process that leads to faster detections, improved security, better mitigations, and an improved security posture going forward.
