100% Full Packet is Expensive and Limiting
The value of full packet capture systems has been limited by the high cost of storage and the narrow window back in time they provide. With attacks taking longer and longer to discover, keeping full packet capture for more than 30 days has become insanely expensive, especially above the 5-10Gb/s range.
Metadata First - A Different Approach
PacketSled takes a new approach to building a forensic record. PacketSled probes look at network traffic in real time and build a forensic stream of information about what they see inside the network flows. These flows are first classified into protocols and families, and then additional protocol metadata is extracted. This data includes things such as email addresses, SQL queries, logins, URLs, and filenames associated with the flow. The data is then stored in a big data aggregator for fast searching and indexing.
Selective Full Packet
By using metadata, PacketSled can make intelligent decisions about what needs to be stored for forensic purposes. For example, if a flow is classified as an Oracle SQL flow, we might determine that extracting the login, password, server name, and SQL query is sufficient information in a high transaction environment. Compared to the actual full packets, this information can average 200x smaller. In another example, we may determine that for an FTP server we are interested only in login, password, filename, and file sizes as a forensic record, but would also like to extract the content (the files themselves) for forensic purposes. Finally, we may find that some high risk activity justifies full packet capture: for example, outbound traffic from the network on port 443 that is not actually SSL/TLS and cannot be classified as any known protocol would be of interest to us.
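The three retention decisions above (metadata only for Oracle SQL, metadata plus file content for FTP, full packets for unclassified non-TLS traffic on port 443) can be expressed as a small policy table with one override rule. The following is an added illustration, not PacketSled code; the protocol labels, attribute names and sample flows are constructed assumptions.

```python
from __future__ import annotations
import json
from dataclasses import dataclass

# Retention modes: "metadata" (extracted attributes only), "content"
# (attributes plus the carved file), "full_packet" (raw packets for the flow).

@dataclass
class Flow:
    protocol: str | None   # classifier result; None means unclassified
    dst_port: int
    first_bytes: bytes     # start of the client payload, used for the TLS sniff
    wire_bytes: int        # total bytes seen on the wire for this flow
    attrs: dict            # metadata the protocol parser extracted

# Per-protocol policy: retention mode and the attributes worth keeping
# (hypothetical labels standing in for the fields the text lists).
POLICY = {
    "oracle_sql": ("metadata", ("login", "password", "server", "query")),
    "ftp": ("content", ("login", "password", "filename", "file_size")),
}

def looks_like_tls(first_bytes: bytes) -> bool:
    """A TLS record starts with content type 0x16 (handshake), major version 0x03."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03

def decide(flow: Flow) -> tuple[str, dict]:
    """Return the retention mode and the attributes to store for one flow."""
    # Override: unclassified traffic on 443 that does not look like TLS is the
    # high-risk case where raw packets are kept.
    if flow.protocol is None and flow.dst_port == 443 and not looks_like_tls(flow.first_bytes):
        return "full_packet", dict(flow.attrs)
    if flow.protocol in POLICY:
        mode, keep = POLICY[flow.protocol]
        return mode, {k: flow.attrs[k] for k in keep if k in flow.attrs}
    return "metadata", dict(flow.attrs)  # default: whatever the parser produced

def retained_bytes(flow: Flow, mode: str, attrs: dict) -> int:
    """Approximate storage cost of a decision, for comparison with full capture."""
    meta = len(json.dumps(attrs, sort_keys=True).encode())
    if mode == "full_packet":
        return flow.wire_bytes
    if mode == "content":
        return meta + int(attrs.get("file_size", 0))
    return meta

# Constructed sample flows, not real captures.
SAMPLE = [
    Flow("oracle_sql", 1521, b"\x00\x00", 40000, {"login": "app", "password": "x", "server": "db1", "query": "SELECT 1", "client_version": "19c"}),
    Flow("ftp", 21, b"220 ", 52000, {"login": "ftp", "password": "x", "filename": "report.pdf", "file_size": 51200}),
    Flow(None, 443, b"GET / HTTP/1.1\r\n", 9000, {}),
    Flow(None, 443, b"\x16\x03\x01\x02\x00", 9000, {}),
]
```

Running `decide` and `retained_bytes` over `SAMPLE` shows the Oracle flow shrinking to a few dozen bytes of metadata while the non-TLS port 443 flow keeps all 9000 wire bytes.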
Deep Insight Into Network Data
For metadata to act as an efficient arbiter of storage, protocol coverage must be deep. Over 1200 protocols and 6000 metadata attributes make PacketSled the deepest looking forensic solution on the market today, making it easy to search and alert on protocol attributes, and to quickly search and pivot on the elements of the forensic record that you find relevant.