Why Wire Data Is the Purest Form of Truth in Cloud Security
Comparing wire data and log data for the cloud
Ryan Davis
December 5, 2019
When it comes to cybersecurity, IT teams typically rely on log files, endpoint data, and wire data. Unfortunately, log files can be altered or turned off, and endpoints can be bypassed.
With wire data, however, you get the purest form of truth, as every conversation on the network is shown in real time. Network detection and response (NDR) solutions use wire data to shine a light on where attackers have gone, the data they've taken, and whether they're still in your environment.
In this blog post, we'll showcase the benefits of seeing data in motion and discuss why visibility into wire data through network detection and response is crucial for your cloud security operations.
Wire Data Versus Log Data
Security information and event management (SIEM) tools typically leverage log data to identify security issues. But can IT teams trust log data? From a security perspective, log data and wire data differ on four key dimensions.
1) Empiricism
Log data is self-reported by the systems being monitored. When attackers gain root on a host, one of the first things they do is modify or erase its logs, or stop the logging service entirely. Wire data, in contrast, is observed by a passive sensor rather than self-reported. A packet that has already crossed a monitored segment cannot be retroactively edited or deleted by the compromised host, so an attacker can hide what a machine records about itself but not what it actually sent. The caveat is that the sensor only sees what crosses its tap or mirror: traffic on an unmonitored segment, or payloads inside encrypted sessions the sensor cannot decrypt, are still opaque, which is why sensor placement and decryption coverage matter.
2) Signal-To-Noise Ratio
Log data is voluminous and not all logs are created equal: formats, timestamps, and field names differ from one application to the next, so a degree of parsing and normalization is usually required before logs are useful to security tools. Wire data is structured by the transport and application protocols themselves (TCP headers, TLS handshakes, HTTP requests, DNS queries), so a protocol decoder produces the same consistent fields regardless of which vendor's system sent the traffic.
3) Breadth
Logs record only the pieces of information their developers chose to record. In addition, parts of the IT infrastructure, such as firewalls or IoT devices, may not have logging enabled or may not support it at all. Since wire data captures every conversation that crosses a monitored segment, regardless of whether the endpoints involved log anything, it provides context across the entire hybrid attack surface, including devices that cannot run an agent.
4) Management
One of the biggest disadvantages of log data is the time required to get the right data. Development teams often have to change application code or logging configuration to emit the fields security needs, and those fields then have to be mapped across heterogeneous systems before they can be correlated. Wire data requires no changes to the systems being observed: once a tap or mirror is in place, the sensor decodes what is on the wire, and the resulting records are consistent because the protocols define their structure.
Wire Data and the Cloud
In on-premises data centers, traffic monitoring via a SPAN port or network tap is a capability IT teams take for granted. Until recently, cloud service providers didn't have a good answer for it. VPC flow logs in AWS and network security group (NSG) flow logs in Microsoft Azure met some security needs, but they record only flow metadata: source and destination addresses, ports, protocol, byte and packet counts, and an accept or reject verdict. They contain no transaction payload, so they can show that two hosts talked but not what was said. For many companies, this created a barrier to enterprise cloud adoption.
To prove that an exploit or attack behaved in a particular way, IT teams need packet capture and wire data. This is true for both on-premises and cloud workloads. Network packets are treated as ground truth, and they can be analyzed by network detection and response tools.
Fortunately, AWS, Google Cloud, and Microsoft Azure have all deployed or will soon deploy traffic monitoring and mirroring capabilities. Traffic mirroring enables access to actual packet streams and wire data. This represents a richer source of information for cloud security analytics than flow logs.
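The following added example (not ExtraHop's code, and not part of the original post) makes the difference between a flow log record and a mirrored packet concrete. It parses a constructed AWS VPC flow log line in the default version 2 field order, then builds and decodes a constructed frame in the shape a VXLAN-based mirror session delivers it (outer Ethernet/IPv4/UDP port 4789/VXLAN wrapping the original Ethernet/IPv4/TCP/HTTP). All addresses, account and interface IDs, MAC addresses, and the VNI are made-up placeholders, and the inner TCP checksum is left zero in the constructed sample; the decoder validates only the IPv4 header checksum.

```python
"""Flow log metadata versus mirrored packet payload (added example, constructed data)."""
import socket
import struct

# ---- Flow log side ---------------------------------------------------------
# Field order of the AWS VPC flow log default (version 2) format.
FLOW_LOG_FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
                   "protocol packets bytes start end action log-status").split()

# Constructed record for one HTTP flow; the account and interface IDs are made up.
SAMPLE_FLOW_RECORD = ("2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 10.0.2.40 "
                      "51234 80 6 5 1350 1575504000 1575504060 ACCEPT OK")


def parse_flow_record(line):
    """Map one flow log line onto its field names. Nothing here says what was
    sent: no URL, no Host header, no payload bytes."""
    values = line.split()
    if len(values) != len(FLOW_LOG_FIELDS):
        raise ValueError("unexpected field count: %d" % len(values))
    return dict(zip(FLOW_LOG_FIELDS, values))


# ---- Packet side -----------------------------------------------------------
def inet_checksum(data):
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def ethernet_header(ethertype=0x0800):
    # Destination and source MACs are constructed placeholders.
    return bytes.fromhex("020000000002" "020000000001") + struct.pack("!H", ethertype)


def build_mirrored_frame(vni, http_request):
    """Build the frame a VXLAN mirror session delivers to its target: the
    original Ethernet/IPv4/TCP packet wrapped in outer Ethernet/IPv4/UDP/VXLAN."""
    # Inner TCP segment (PSH|ACK). TCP checksum left zero in this constructed sample.
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    inner_ip = ipv4_header("10.0.1.25", "10.0.2.40", 6, len(tcp) + len(http_request))
    inner = ethernet_header() + inner_ip + tcp + http_request
    # VXLAN header: flags byte with the I bit, 3 reserved bytes, 24-bit VNI, 1 reserved byte.
    vxlan = bytes([0x08, 0, 0, 0]) + (vni << 8).to_bytes(4, "big")
    udp = struct.pack("!HHHH", 49152, 4789, 8 + len(vxlan) + len(inner), 0)
    # Outer addresses: mirror source ENI to mirror target (constructed).
    outer_ip = ipv4_header("10.0.1.25", "10.0.9.9", 17, len(udp) + len(vxlan) + len(inner))
    return ethernet_header() + outer_ip + udp + vxlan + inner


def _ipv4(segment):
    """Validate an IPv4 header and return (src, dst, protocol, payload)."""
    ihl = (segment[0] & 0x0F) * 4
    if inet_checksum(segment[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (socket.inet_ntoa(segment[12:16]), socket.inet_ntoa(segment[16:20]),
            segment[9], segment[ihl:])


def decode_mirrored_frame(frame):
    """Strip the mirror encapsulation and decode the original packet down to
    the HTTP request line and Host header."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    _, _, proto, udp = _ipv4(frame[14:])
    if proto != 17 or struct.unpack("!H", udp[2:4])[0] != 4789:
        raise ValueError("not VXLAN over UDP/4789")
    vxlan = udp[8:]
    if not vxlan[0] & 0x08:
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(vxlan[4:7], "big")
    inner = vxlan[8:]
    if struct.unpack("!H", inner[12:14])[0] != 0x0800:
        raise ValueError("inner frame is not IPv4")
    src, dst, proto, tcp = _ipv4(inner[14:])
    if proto != 6:
        raise ValueError("inner packet is not TCP")
    sport, dport = struct.unpack("!HH", tcp[:4])
    payload = tcp[(tcp[12] >> 4) * 4:]
    # Minimal HTTP/1.x request parse: request line plus the Host header only.
    head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    method, path, _ = head[0].split(b" ", 2)
    host = next((h.split(b":", 1)[1].strip() for h in head[1:]
                 if h.lower().startswith(b"host:")), b"")
    return {"vni": vni, "srcaddr": src, "dstaddr": dst, "srcport": sport,
            "dstport": dport, "protocol": proto, "method": method.decode(),
            "path": path.decode(), "host": host.decode(), "payload_bytes": len(payload)}


def compare_visibility(flow_line, frame):
    """For each question an analyst might ask, report (flow log answers it, packet answers it)."""
    flow, pkt = parse_flow_record(flow_line), decode_mirrored_frame(frame)
    return {q: (q in flow, q in pkt)
            for q in ("srcaddr", "dstaddr", "dstport", "method", "path", "host")}


# Constructed request carried by the mirrored packet.
SAMPLE_REQUEST = (b"GET /admin/export?all=1 HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"User-Agent: curl/7.64.1\r\n\r\n")

if __name__ == "__main__":
    frame = build_mirrored_frame(1234, SAMPLE_REQUEST)
    for question, (in_flow, in_pkt) in compare_visibility(SAMPLE_FLOW_RECORD, frame).items():
        print("%-8s flow log: %-5s mirrored packet: %s" % (question, in_flow, in_pkt))
```

The flow record answers who talked to whom and on which port; only the decoded packet answers which URL was requested and which Host header was used, which is the difference between "10.0.1.25 reached the web tier" and "10.0.1.25 pulled /admin/export". Rejecting a frame whose IPv4 header checksum does not verify is the kind of check a sensor should do before trusting decoded fields.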
ExtraHop offers an agentless NDR solution for the cloud that provides complete cloud traffic visibility and integrates with AWS for automated threat response. Learn how ExtraHop Reveal(x) Cloud delivers SaaS-based, cloud-native security for the hybrid enterprise in the 5-minute introductory video.