23 Nov 2023
by Cary Wright

Why Packet Capture Is as Important in the Cloud as It Is On-Premise (Guest blog from Endace)

Author: Cary Wright, VP Product Management at Endace

Rapid growth in cloud vulnerabilities, hijacked cloud credentials, sophisticated threat actors targeting cloud deployments, and difficulty troubleshooting performance issues across multi-cloud environments have made one thing very clear: visibility into network activity is just as essential in public cloud as it is in on-premise or private cloud environments.

Unfortunately, as organizations migrate workloads into the cloud, visibility into network activity in the cloud is often an afterthought. This leaves network security and operations teams unable to see what’s happening so they can adequately defend against threats to cloud-based assets and troubleshoot performance issues in public cloud infrastructure. This is amplified for Communication Service Providers (CSPs) who are tasked with deploying, monitoring, and managing complex new services across hybrid multi-cloud such as 5G or SD-WAN.

The problem is further exacerbated by the fact that many monitoring tools don’t work seamlessly across both on-premise and cloud environments, or even across different cloud environments, making it difficult to get a unified view of activity across the entire hybrid cloud network.

The cloud is less secure than you think:

The risk to cloud security is demonstrable. According to IBM’s recently released 2023 Cost of a Data Breach Report, 82% of all data breaches involved data stored in the cloud, with just 18% of breaches involving data stored solely on-premises. The report found that nearly 40% of data breaches studied resulted in the loss of data across multiple environments including public cloud, private cloud, and on-premise — showing that attackers were able to compromise multiple environments while avoiding detection.

The cloud is harder to monitor than you think:

Increasingly complex cloud enterprise architectures, made even more complex by multi-cloud deployments, make troubleshooting issues in public cloud infrastructure challenging. Often monitoring tools are specific to a given cloud environment – making it difficult to troubleshoot issues in distributed applications where different components of the application reside in different environments.

Even if you can collect and collate metadata from each of the environments to get a unified view of activity across all the different environments, often that only serves to flag where a problem might be occurring but doesn’t provide enough information to identify the root cause. Is it a problem with a specific application component or somewhere in the network connectivity between components? Is it a code problem, a network problem or configuration issue?

Monitoring virtualized network functions (VNFs) in the cloud:

Deploying VNFs across hybrid multi-cloud provides great flexibility and many benefits for communication service providers. For example, VNFs can be used to extend the reach or capacity of a 5G mobile network, rapidly scale for peak demand, or implement new business models such as network slicing without large infrastructure investments.

Monitoring and managing VNFs is crucial to ensure services meet the expectations of users, and when things go wrong, getting to the root cause quickly is essential. Capturing packets from both East-West and North-South communications between VNFs provides the vital clues required for rapid resolution of issues. Having all the packet capture points viewable from a single console allows for accurate tracing of call flows across multiple cloud environments.

The truth is in the packets:

Everything that happens across a hybrid cloud infrastructure relies on network connectivity – whether that’s North-South or East-West connectivity. And the fundamental truth about what actually took place on the network can only be found in the network packets. If you can capture and record the packets that traverse the network you have an indelible record of that activity.

That is why the gold standard for Network and Security teams investigating threats, outages, and performance issues is being able to analyze the actual packets themselves to see precisely what happened. No other evidence source is as definitive as packet data. Without access to the packets, analysts are forced to hypothesize about what happened. And that can be misleading or even downright dangerous.

The challenge of scalable, hybrid cloud packet capture:

Capturing and recording packet data across complex, high-speed, high-volume networks is difficult. High speed links and large data volumes mean packet capture solutions must be highly scalable and provide sufficient storage to record days or weeks of traffic. This ensures the right data is available when SecOps and NetOps teams need to accurately reconstruct and investigate historical events. They must be able to provide this capability in a range of environments from on-premise networks to private cloud datacenters and public cloud deployments.

Even more difficult is making it easy for NetOps and SecOps teams to quickly locate the specific packet data they need to investigate a specific issue – particularly when you are dealing with potentially petabytes of recorded data. Analysts need to be able to identify the scope and severity of a detected threat, or the root cause of a problem, quickly so they can remediate it before it becomes a major issue. Responding quickly is key to stopping attacks early in the kill chain and reducing cybersecurity risk, and essential in preventing costly downtime or outages that can adversely affect productivity and damage brand reputation.

Until recently, gaining access to full packet data in public cloud environments was difficult to impossible. Now, cloud providers such as AWS and Microsoft Azure, as well as network infrastructure specialists such as Gigamon, Keysight, F5, Niagara Networks and others can provide access to packet data in public cloud infrastructure. By deploying the right packet recording and monitoring infrastructure, organizations can finally achieve the same level of visibility in public cloud environments that their SecOps and NetOps teams rely on to protect their on-premise infrastructure. Moreover, this can provide the unified visibility across the entire hybrid cloud that these teams need and have been sorely lacking.

Enabling faster, more accurate incident response:

The key to enabling faster cyber threat response and performance troubleshooting is making sure analysts have definitive evidence at their fingertips as they investigate issues. Time that analysts are forced to spend collecting and collating evidence from multiple sources to identify what happened is time that attackers will use to further compromise assets, or time in which employees, partners or customers remain unable to access critical resources they need.

As hybrid cloud monitoring tools mature it’s becoming easier to detect issues across the network as they occur. And with the right choice of tools, NetOps and SecOps teams can gain the centralized, “single-pane-of-glass” visibility they so desperately need. The final piece of the puzzle is providing the definitive evidence that enables them, when a problem is detected, to pinpoint the cause and remediate the issue quickly and definitively.

Packet data provides this crucial evidence source. While monitoring tools can flag up potential issues, such as a data breach, without access to the actual packets analysts can’t definitively answer questions like “what data did the attackers actually get away with?” And, even in situations where analysts may be able to eventually reach a conclusion about what happened, with access to the actual packets they can invariably reach that conclusion much more quickly.
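The two points above (locating the right packets quickly in a large recording, and using them to answer "what actually left the network?") can be made concrete with a small worked example. The following Python script is an added illustration, not code from the original post or from any Endace product: it builds a tiny constructed pcap in memory (all addresses, ports and timestamps are made up), parses the standard pcap record and Ethernet/IPv4/TCP/UDP headers, indexes packets into bidirectional flows, and then answers a typical investigation question: for one internal host in a given time window, which peers did it talk to and how many payload bytes went out versus came in. A real deployment would read a capture file produced by a VPC mirror or a packet recorder rather than the constructed bytes used here.

```python
"""Added example (not from the original post): index a pcap by flow and time,
then report per-peer byte counts for one host.  Capture data is constructed."""
import struct
import ipaddress
from collections import defaultdict
from typing import Iterator, NamedTuple

PCAP_MAGIC = 0xA1B2C3D4   # little-endian pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


class Packet(NamedTuple):
    ts: float
    proto: int          # 6 = TCP, 17 = UDP
    src: str
    sport: int
    dst: str
    dport: int
    payload_len: int    # transport payload bytes, the "data" an analyst cares about


def _frame(src, sport, dst, dport, payload: bytes, proto: int) -> bytes:
    """Build an Ethernet/IPv4/{TCP,UDP} frame for the constructed capture.
    Checksums are left zero: this parser never validates them."""
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00"
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                     proto, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return eth + ip + l4 + payload


def build_pcap(frames) -> bytes:
    """Serialize (timestamp, frame) pairs as a classic pcap file (24-byte global
    header, 16-byte record headers)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def sample_capture() -> bytes:
    """Constructed traffic: one large outbound TCP session, a DNS-sized UDP
    exchange, an East-West DB connection outside the window, and a second host."""
    return build_pcap([
        (100.0, _frame("10.0.1.5", 44321, "203.0.113.9", 443, b"A" * 1000, 6)),
        (100.5, _frame("203.0.113.9", 443, "10.0.1.5", 44321, b"B" * 100, 6)),
        (101.0, _frame("10.0.1.5", 44321, "203.0.113.9", 443, b"A" * 1000, 6)),
        (102.0, _frame("10.0.1.5", 44321, "203.0.113.9", 443, b"A" * 500, 6)),
        (100.2, _frame("10.0.1.5", 50000, "10.0.0.2", 53, b"Q" * 40, 17)),
        (50.0, _frame("10.0.1.5", 52000, "10.0.2.7", 5432, b"S" * 200, 6)),
        (101.0, _frame("10.0.1.8", 33000, "198.51.100.4", 80, b"G" * 300, 6)),
    ])


def _parse_frame(ts: float, frame: bytes):
    """Decode Ethernet/IPv4/TCP|UDP headers; anything else (ARP, IPv6, ICMP) is skipped."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    src = str(ipaddress.IPv4Address(frame[26:30]))
    dst = str(ipaddress.IPv4Address(frame[30:34]))
    l4 = 14 + ihl
    if proto == 6 and len(frame) >= l4 + 20:
        hdr = (frame[l4 + 12] >> 4) * 4          # TCP data offset
    elif proto == 17 and len(frame) >= l4 + 8:
        hdr = 8
    else:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return Packet(ts, proto, src, sport, dst, dport, max(total_len - ihl - hdr, 0))


def parse_pcap(data: bytes) -> Iterator[Packet]:
    """Walk pcap records, honouring either byte order of the magic number."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "IHHiIII", data, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = _parse_frame(sec + usec / 1e6, data[off:off + incl_len])
        off += incl_len
        if pkt:
            yield pkt


def investigate(pcap_bytes: bytes, host: str, start: float, end: float):
    """Flows touching `host` within [start, end], largest outbound byte count first.
    Both directions of a conversation are folded into one flow keyed on the
    lexicographically smaller endpoint, so inbound and outbound bytes sit together."""
    flows = defaultdict(lambda: {"first": None, "last": None, "packets": 0,
                                 "bytes": defaultdict(int)})
    for p in parse_pcap(pcap_bytes):
        if not (start <= p.ts <= end) or host not in (p.src, p.dst):
            continue
        a, b = (p.src, p.sport), (p.dst, p.dport)
        key = (p.proto,) + (a + b if a <= b else b + a)
        f = flows[key]
        f["first"] = p.ts if f["first"] is None else min(f["first"], p.ts)
        f["last"] = p.ts if f["last"] is None else max(f["last"], p.ts)
        f["packets"] += 1
        f["bytes"][(p.src, p.dst)] += p.payload_len
    report = []
    for (proto, a_ip, _, b_ip, _), f in flows.items():
        report.append({
            "peer": b_ip if a_ip == host else a_ip, "proto": proto,
            "first": f["first"], "last": f["last"], "packets": f["packets"],
            "bytes_out": sum(n for (s, _), n in f["bytes"].items() if s == host),
            "bytes_in": sum(n for (_, d), n in f["bytes"].items() if d == host),
        })
    return sorted(report, key=lambda r: r["bytes_out"], reverse=True)


if __name__ == "__main__":
    for row in investigate(sample_capture(), "10.0.1.5", 99.0, 103.0):
        print(row)
```

Run as a script it prints one row per peer; the first row shows that the constructed host sent 2,500 payload bytes to 203.0.113.9 on port 443 and received 100 back in the window, which is exactly the "what got out?" figure a metadata-only view cannot supply. On a real recorder the flow index would be built once at capture time and queried by time range and 5-tuple, so the analyst pulls back only the packets that matter rather than scanning petabytes.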


Cary Wright

VP Product Management, Endace

Cary is VP Product Management at Endace, leading the development of network forensics products used by government, telcos, financial institutions, and other large enterprises to manage and secure their networks. Cary has more than 30 years’ experience developing network monitoring and security products at HP, NEC, Agilent, Ixia, and Endace.