Skip to main content

Threat detection with network metadata vs. DPI

By Joel Esler
VP Threat Research

For decades, deep packet inspection (DPI) appliances have been the conventional approach for threat detection and application-aware security on the network. But over time the effectiveness of DPI is decreasing. I spent much of my career using DPI for threat detection, every year, we received questions from customers – and as a result, conducted research – that showed the increasing amount of encryption. Acknowledging that DPI is increasingly blinded by encryption, some vendors have taken the tactic of examining traffic to the point they knew it was encrypted only to pass it through to avoid the hit to performance. This isn’t a great option because some of the latest research finds that more than 66% of malware is hidden in encrypted traffic. 

Other DPI vendors are trying to decrypt traffic before inspecting it. To do this, they must intercept every packet they want to examine. Then decrypt, read, and log the content before re-encrypting it. It’s a complex and time-intensive process that reduces the traffic they can examine with existing appliances, so they buy bigger appliances to try to scale. Compliance and privacy concerns also crop up because content is encrypted for a reason; decryption exposes it. 

These teams operate using the prevailing wisdom that you have to examine everything. But the world doesn’t work that way anymore. As of March 2021, 95% of Internet traffic was encrypted, and as Zero Trust proliferates, network encryption will become pervasive. It’s only a matter of time before traffic across the Atomized Network, a complex and fluid environment consisting of multi-cloud, or on-premise, will all be encrypted. The other factor to consider with the Atomized Network is that there is no middle anymore, so there aren’t many places to put the middlebox appliances that DPI runs on. Appliance-based security models are dying off. 

Enter network metadata
Fortunately, there’s no need to capture and inspect full packets, try to use decryption, install more hardware or software, or resign yourself to detecting malicious activity after you’ve already been infected. There is a more innovative way to examine all your network traffic, encrypted and decrypted, in real-time to detect and protect against attacks. That’s where Netography comes in. 

We provide customers with visibility into their traffic based on metadata from the network itself. And our Threat Detection Models make sense of it in real-time. Our Threat Research Team can instantly roll out new cloud-hosted threat detection models to provide real-time and retrospective detection so that customers can block or remediate threats on their networks. 

Traditional DPI-based network threat detection appliances will have a role to play in your technology stack for a while. But there’s no doubt their usefulness is diminishing. Now’s the time to start evaluating your options and consider additional layers of protection to fill the widening visibility and security gaps. Netography offers a new paradigm based on network metadata, architected for today’s modern enterprise networks and proven to detect and defend against today’s stealthy attacks instantly.