
Why You Need PCAP and Forensics in the Cloud

Unlock Both with Reveal(x) 360 Ultra Sensors for AWS

Packet capture plays a vital role in forensic investigation, incident response, and threat hunting, but it hasn't always translated easily to security use cases in cloud environments. Historically, collecting and analyzing packets in cloud environments was a complex, time-consuming, manual process that often involved using multiple tools.

To avoid those issues, cloud-focused security teams often rely on logs. However, it's impossible to log everything in cloud environments, which limits the amount of information incident responders and threat hunters can use to conduct deeper investigations. Limited information leads to limited insights and less context. ExtraHop is making packet capture (PCAP) in cloud environments possible without the complexity and friction of limited data sources and multiple tools.

Reveal(x) 360 Ultra cloud sensors with continuous PCAP unlock forensics in AWS environments with streamlined and guided investigation for always-on incident response and threat hunting. By capturing every packet, Reveal(x) 360 Ultra cloud sensors provide unprecedented visibility, definitive insights, and immediate answers, reducing the amount of time and effort previously required to perform packet-level analysis. Cloud-focused security teams now have the forensic detail they need to get to ground truth or to fulfill chain-of-custody requirements.

Available in 1 Gbps and 10 Gbps sensors, Reveal(x) 360 Ultra cloud sensors enable SOC analysts and incident responders to view metrics and packets from a single management interface, securely accessible from anywhere. With detections, transaction records, and packets all indexed and searchable, analysts can also reach resolution faster. ExtraHop continuous packet capture appliances write natively to an Amazon Elastic Block Store (EBS) volume. Organizations that want to retain important flows can query the REST API for the related packets, download them, and save them to a local file store or a cloud store such as S3 for archival purposes.

Forensic investigation is more critical than ever as organizations navigate the landscape of a post-compromise world. Attacks evolve daily, and the number of advanced threats security teams are forced to confront continues to rise. The new realities of cloud and hybrid security also show the value of always-on incident response compared to IR that's focused on specific security events.

For attacks like SUNBURST, which didn't cause detections to fire, only continuous PCAP enables analysts to go back in time and inspect packets for proper forensics. Line-rate decryption and analysis via cloud-hosted machine learning ensure that analysts also have an accurate understanding of what's happening in their AWS environment.

To experience Reveal(x) 360 for yourself, start the live online demo. You can choose a scenario to stop a SUNBURST attack, find threats in a real cloud environment, or investigate a simulated attack unfolding in real time. You can also choose to explore the demo on your own.
