AIOps: The State of Full Packet Capture Enters the Age of Practicality

#artificialintelligence 

It's a great time to be a security analyst, but those who serve in the role today face much higher expectations from their organizations than when I started out. Many are teetering on the edge of burnout: their companies need to get to the truth sooner, yet analysts are still stuck with the traditional approaches and tactics of full packet capture while high-speed network bandwidth increases by the day. The state of full packet capture -- fundamental to enabling security analysts to hunt for threats, discover anomalies, or respond to incidents -- has seen a few incremental advances over several decades, but nothing that lets the analyst spend less time on it, because a fair amount of heavy lifting is still required.

As a security analyst in the military, my first experience with full packet capture in the late '90s was the SHADOW system, an open source project dubbed an intrusion-detection system but really a full packet capture system designed for retrospective analysis, also known as threat hunting. The project was essentially a framework built with tcpdump and a collection of Perl scripts.
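A worked example, added here and not SHADOW's own code, of the pattern that paragraph describes: tcpdump writes raw packets to disk, and a script later replays the stored capture with a question nobody thought to ask at capture time. The block builds a small libpcap file in memory from constructed traffic (the format `tcpdump -w` produces), parses the Ethernet/IPv4/TCP headers back out, and runs one retrospective hunt: sources that sent SYNs to several ports on a host and got no SYN/ACK back. The addresses, ports and timestamps in `SAMPLE_PACKETS` are made up for the example; real use would read the file tcpdump wrote instead of calling `build_pcap`.

```python
"""Retrospective analysis over a full packet capture, SHADOW-style.

Added example, not SHADOW's code: a constructed libpcap file is written in
memory, then replayed with a hunt query, the way SHADOW read tcpdump's
stored files back with Perl scripts.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1
SYN = 0x02
SYN_ACK = 0x12


def _ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left zero (constructed data).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _tcp_header(sport, dport, flags):
    # Minimal 20-byte TCP header: seq/ack zero, data offset 5, window 65535.
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def build_pcap(packets):
    """packets: iterable of (ts_sec, ts_usec, src, dst, sport, dport, tcp_flags).
    Returns the bytes of a little-endian libpcap file with Ethernet framing."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535,
                                LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, src, dst, sport, dport, flags in packets:
        eth = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
        tcp = _tcp_header(sport, dport, flags)
        frame = eth + _ipv4_header(src, dst, 6, len(tcp)) + tcp
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame))
        out += frame
    return bytes(out)


def read_pcap(data):
    """Yield (timestamp, src, dst, sport, dport, tcp_flags) for every IPv4/TCP
    record in a libpcap file. Handles both byte orders; untagged Ethernet only."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    _, _, _, _, _, linktype = struct.unpack_from(endian + "HHiIII", data, 4)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                               # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6 or len(frame) < 14 + ihl + 20:
            continue                               # not TCP, or truncated by snaplen
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield ts_sec + ts_usec / 1e6, src, dst, sport, dport, tcp[13]


def hunt_syn_scans(data, since, min_ports=3):
    """Retrospective query: which sources, after timestamp `since`, sent SYNs to
    at least `min_ports` distinct ports on one host that never answered with a
    SYN/ACK? Returns {(src, dst): [unanswered ports]}."""
    syn_ports = {}       # (src, dst) -> set of destination ports probed
    answered = set()     # (client, server, server_port) that got a SYN/ACK back
    for ts, src, dst, sport, dport, flags in read_pcap(data):
        if ts < since:
            continue
        if flags == SYN:
            syn_ports.setdefault((src, dst), set()).add(dport)
        elif flags & SYN_ACK == SYN_ACK:
            answered.add((dst, src, sport))
    findings = {}
    for (src, dst), ports in syn_ports.items():
        unanswered = sorted(p for p in ports if (src, dst, p) not in answered)
        if len(unanswered) >= min_ports:
            findings[(src, dst)] = unanswered
    return findings


# Constructed traffic: one normal HTTPS handshake from 10.0.0.5, then a burst of
# SYNs from 10.0.0.9 of which only port 80 answers.
SAMPLE_PACKETS = [
    (1000, 0, "10.0.0.5", "192.168.1.10", 51000, 443, SYN),
    (1000, 500, "192.168.1.10", "10.0.0.5", 443, 51000, SYN_ACK),
    (1600, 0, "10.0.0.9", "192.168.1.10", 40000, 22, SYN),
    (1600, 100, "10.0.0.9", "192.168.1.10", 40001, 23, SYN),
    (1600, 200, "10.0.0.9", "192.168.1.10", 40002, 80, SYN),
    (1600, 300, "192.168.1.10", "10.0.0.9", 80, 40002, SYN_ACK),
    (1600, 400, "10.0.0.9", "192.168.1.10", 40003, 3389, SYN),
    (1600, 500, "10.0.0.9", "192.168.1.10", 40004, 445, SYN),
]

if __name__ == "__main__":
    capture = build_pcap(SAMPLE_PACKETS)       # stands in for a tcpdump -w file
    for (src, dst), ports in hunt_syn_scans(capture, since=1500).items():
        print("%s probed %s on unanswered ports %s" % (src, dst, ports))
```

The point of the design is that `hunt_syn_scans` was written after the capture existed; nothing about the scan had to be anticipated when tcpdump was started. The parser deliberately stops at IPv4/TCP over untagged Ethernet, so VLAN-tagged frames and non-TCP traffic are skipped rather than misread.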
