Strengths: Unique visualisation and excellent analytics.
Weaknesses: If there are any it would be a fairly steep learning curve to really exploit all of the information this system provides. If you are a security analyst by trade, though, you’ll have absolutely no trouble.
Verdict: This is an excellent network forensics tool with hidden depths and a massive amount of actionable information available both to prevent and analyse complex breaches. We designate it Recommended.
PacketSled is a cloud-based breach detection and network forensics tool that provides real-time detection of threats as they cross the wire, and retroactive investigation of host activity including the application of new indicators to historical data. The service uses a software-based sensor at the customer's network connected to a span port or a network tap.
A unique feature of PacketSled is it keeps everything that it captures indefinitely. That permits retroactive analysis of data applying new indicators. Even though the sensors capture the full packet, they reduce the packet to metadata events based on user configuration. Probably the most striking feature of the solution is its user interface. It allows analysts to drill down through an intuitive graphical display into details of various addresses.
Implementation is relatively straightforward since most of the action is in the PacketSled cloud. Sensors do need to be deployed, but that should not be a problem for a network administrator who knows where to place them on their particular network. The sensors are based on Bro, an analysis framework for networks. The sensor can output data in a variety of formats, including written reports and packet capture files (.pcap). It also sends its data to the PacketSled Aggregator in the cloud. The Aggregator pulls the pieces together, stores them and simultaneously sends them to a user interface where analysts can login and examine what the sensors have seen and what the analysts need to obtain actionable information.
Query in the user interface is by means of natural language commands or, as PacketSled puts it, "Google for your packets." The main dashboard gives a global picture of sensor activity, including geolocation. The system is heavily behaviour-based so behavioural alerts have good meaning when taken in context.
Drilling down from the dashboard a user enters the investigator. This allows even more drilldown based on a comprehensive source/destination picture. And an actual picture it is. Traffic paths are shown as stars with one end to an arm being the source and the other being the destination. This type of display clearly shows bots or fast flux networks attempting to connect to a target and shifting IP addresses frequently, for example. Clicking on one end of an arm drills down to a wealth of specific data that can be used to track, contain, resist and attack from a skilled, determined adversary.
The sensors use a combination of index and non-index fields, which allows a detailed natural-language approach to hunting. Moreover, there is a timeline view and there are multiple types of analytics carried out. This versatility can be harnessed to create an ongoing threat feed. And, the system includes a built-in case management tool.
While the price on this may seem high - £60,412 per year on a two-year contract - the amount of actionable information it provides is prodigious. Given the user interface, the advanced analytics, the retention of historical data for future analysis if necessary, and simplicity of management, this tool is worth every penny in the time it saves analysts. In incident response, time is far more than just money. In extreme cases it can mean the survival of an organisation. Any tool that will help reduce the time to a solution the way PacketSled does is well worth the price.
Support is reasonable given that this is largely a cloud service and the only help a new user is likely to need consists of initial setup. Even so, eight-hours-a-day/five-days-a-week assistance is available. The website is complete for a sales-oriented site. At first, that concerned us. However, the types of things that one would expect on such a site - support information, user guides, etc. - all are embedded in the service. So, they are directly at hand instead of the user needing to dig around an external website.