Gain PCAP and Forensics in Google Cloud
Dig Deeper, Investigate Faster with Reveal(x) 360 Ultra
Dale Norris
June 21, 2022
On-premises SecOps and IT Ops teams have long had relatively easy access to packet capture for forensics and incident response. But when you move into hybrid environments or fully take the leap into the cloud, that relative ease of using PCAP can turn into a serious operational headache.
The cloud spurs innovation, but it also expands the attack surface, introducing new opportunities for advanced threats to succeed. Those new opportunities include third-party risk and threats to software supply chains where PCAP is essential for understanding the scope of what happened. For defenders, access to packets in cloud environments for IR and deep forensic investigation has historically been difficult.
With the introduction of ExtraHop Reveal(x) 360 Ultra for Google Cloud Platform, we're eliminating the friction traditionally associated with PCAP in the cloud and speeding forensic investigation. When combined with the deep visibility, real-time detection, and fast investigation made possible by taking a network-based approach to threat defense, organizations can strengthen security for Google Cloud.
Solve PCAP Problems with Reveal(x) 360 Ultra
Traditional approaches to PCAP in the cloud require adding friction-causing agents or packet forwarders. And even then, investigators and incident responders usually have to swivel between tools to analyze those packets. Given those problems, security teams often turn to logs as a solution, but they offer limited insights and lead to trial-and-error analysis that slows down investigations.
With a Reveal(x) 360 Ultra subscription, users don't need to worry about agents or packet forwarders. ExtraHop integrates with Google Cloud Packet Mirroring to remove those friction points. Security teams can also capture and analyze packets in the same solution, meaning they no longer need to waste time switching between tools. Because when attacks happen, every second counts.
Reduce MTTR in Google Cloud
Whether it's determining the scope of an incident or remediating it, cloud security teams need streamlined processes that get them to forensic evidence faster. And that necessary speed goes beyond being able to access information in a single tool. Investigators and incident responders need the right information, and they need to be able to find it quickly.
With access to packets, detections, and transaction records that are indexed and searchable in a single cloud-native platform, investigators and analysts can filter by metric, transaction, user, and more. Streamlined workflows allow security teams to quickly get the forensic context they need, enabling them to significantly reduce mean time to resolution/remediation (MTTR) for incidents in cloud environments. That faster response also helps security teams take the fight against ransomware to the cloud.
Packet-Level Forensics and IR for Google Cloud
Continuous PCAP also enables always-on incident response in Google Cloud. Instead of requiring an event or incident to trigger PCAP, Reveal(x) 360 Ultra allows IR and forensics teams to continuously gather and store packets. When PCAP only begins after being triggered, IR and forensics teams have no access to packets from before the detection. Savvy attackers are also adept at avoiding rules-based detections, and that leads to unacceptably long dwell times.
The SUNBURST attack provides a glaring example of how attackers can dwell in an environment undetected for months, causing untold damage. Only continuous PCAP provides the time machine analysts need to go back and inspect packets without the need for a trigger. Continuous PCAP also ensures that security teams can fulfill chain of custody requirements for criminal investigations.
You can test out packet-level forensics in Reveal(x) 360 by starting the cloud demo.