November 23, 2024
Deep Packet Inspection vs. Metadata Analysis of Network Detection & Response (NDR) Solutions
Today, most Network Detection and Response (NDR) solutions rely on traffic mirroring and Deep Packet Inspection (DPI). Traffic mirroring is typically deployed on a single-core switch to provide a copy of the network traffic to a sensor that uses DPI to thoroughly analyze the payload. While this approach provides detailed analysis, it requires large amounts of processing power and is blind when

Today, most Network Detection and Response (NDR) solutions rely on traffic mirroring and Deep Packet Inspection (DPI). Traffic mirroring is typically deployed on a single-core switch to provide a copy of the network traffic to a sensor that uses DPI to thoroughly analyze the payload. While this approach provides detailed analysis, it requires large amounts of processing power and is blind when it comes to encrypted network traffic. Metadata Analysis has been specifically developed to overcome these limitations. By utilizing metadata for analysis, network communications can be observed at any collection point and be enriched by the information providing insights about encrypted communication.

Network Detection and Response (NDR) solutions have become crucial to reliably monitor and protect network operations. However, as network traffic becomes encrypted and data volumes continue to increase, most traditional NDR solutions are reaching their limits. This begs the question: What detection technologies should organizations utilize to ensure the maximum security of their systems?

This article will shed light on the concept of Deep Packet Inspection (DPI) and Metadata Analysis. We will compare both detection technologies and examine how modern Network Detection and Response (NDR) solutions can effectively protect IT/OT networks from advanced cyber threats.

What is Deep Packet Inspection (DPI), and how does it work?

DPI is a way of network traffic monitoring used to inspect network packets flowing across a specific connection point or switch. In DPI, the whole traffic is typically mirrored by a core switch to a DPI sensor. The DPI sensor then examines both the header and data section of the packet. If the data section is not encrypted, DPI data are rich in information and allow for robust analysis of the monitored connection points. Traditional NDR solutions rely on DPI-based technologies, which are quite popular to this day. However, in the face of rapidly expanding attack surfaces and evolving IT environments, the limitations of DPI have become increasingly prevalent.

Why Is DPI not enough to detect Advanced Cyberattacks?

Organizations are increasingly using encryption to protect their network traffic and online interactions. Although encryption brings enormous benefits to online privacy and cybersecurity, it also provides a suitable opportunity for cybercriminals to hide in the dark when launching devastating cyberattacks. As DPI was not designed for the analysis of encrypted traffic, it has become blind to the inspection of encrypted packet payloads. This is a significant shortfall for DPI since most modern cyberattacks, such as APT, ransomware, and lateral movement, heavily utilise encryption in their attack routine to receive attack instructions from remote Command and Control Servers (C&C) scattered across cyberspace. In addition to absent encryption capabilities, DPI requires large amounts of processing power and time in order to thoroughly inspect the data section of each packet. Consequently, DPI cannot analyze all network packets in data-heavy networks, making it an unfeasible solution for high-bandwidth networks.

The New Approach: Metadata Analysis

Metadata analysis has been developed to overcome the limitations of DPI. By utilizing metadata for network analysis, security teams can monitor all network communications passing through any physical, virtualized or cloud networks without inspecting the entire data section of each packet. Consequently, Metadata analysis is unaffected by encryption and can deal with ever-increasing network traffic. In order to provide security teams with real-time intelligence of all network traffic, Metadata analysis captures vast arrays of attributes about network communications, applications, and actors (e.g., user logins). For instance, for every session passing through the network, the source/destination IP address, session length, protocol used (TCP, UDP), and the type of services used are recorded. Metadata can capture many other key attributes, which effectively help detect and prevent advanced cyberattacks:

  • Host and server IP address, port number, geo-location information
  • DNS and DHCP information mapping devices to IP addresses
  • Web page accesses, along with the URL and header information
  • Users to systems mapping using DC log data
  • Encrypted web pages – encryption type, cypher and hash, client/server FQDN
  • Different objects hashes – such as JavaScript and images

How can Security Teams benefit from metadata-based NDR?

Implementing a Network Detection and Response (NDR) solution based on Metadata analysis provides security teams with reliable insights on what happens inside their network – no matter whether the traffic is encrypted or not. Metadata analysis supplemented by system and application logs allows security teams to detect vulnerabilities and improve internal visibility into blind spots, such as shadow IT devices, which are considered a common entry point exploited by cybercriminals. This holistic visibility is not possible with DPI-based NDR solutions. In addition, lightweight metadata allows for efficient log data storage of historical records, facilitating forensics investigations. Data-heavy DPI analysis makes long-term storage of historical data practically infeasible or very expensive. Finally, the metadata approach allows security teams to determine the source of all traffic passing through corporate networks and monitor suspicious activity on all devices connected to networks, such as IoT devices. This makes complete visibility into corporate networks possible.

Conclusion: The Future of Cybersecurity is the analysis of Metadata

Traditional DPI-based NDR tools will eventually become obsolete for enterprise cybersecurity as the threat landscape expands and more traffic becomes encrypted. These developments are already felt across the cybersecurity industry, as more companies are adopting MA-based security systems to effectively seal security gaps and protect their digital assets.

ExeonTrace is a leading NDR solution based on Metadata Analysis. Unlike traditional DPI-based NDR systems, ExeonTrace provides clever data handling, is unaffected by encryption and does not require any hardware sensors. Furthermore, ExeonTrace can effortlessly deal with high-bandwidth network traffic as it reduces network volumes and provides more efficient data storage. Consequently, ExeonTrace is the NDR solution of choice for complex and high-bandwidth corporate networks.

ExeonTrace Platform: Screenshot of custom network analyzer graph

Book a free demo to discover how ExeonTrace can help address your security challenges and make your organization more cyber-resilient.