Useful, Challenging, Ineffectual: Three Ways to Look at DPI
Martin Roesch, CEO
Deep Packet Inspection (DPI) has a target on its back due to the deployment challenges of dispersed, ephemeral, encrypted, and diverse (DEED) environments. But there is a larger issue that subsumes those challenges: the total cost of ownership (TCO) problems that DEED environments compound. This challenge has existed for nearly two decades and has forced tradeoffs between budget and DPI deployment. However, the rapid evolution of networks over the last four years has brought us to a breaking point where those tradeoffs are becoming unpalatable for many organizations.
This is not to say that DPI is no longer useful. Rather, the cost and complexity of deploying and managing DPI where and when you need it is increasing while your capability to detect compromises is not. To protect today’s modern enterprise networks efficiently and effectively, it’s important to look at DPI’s limitations to understand where DPI is still useful, when challenges occur, and where an alternative approach improves network defense without the heavy lift and TCO burden of DPI.
Where DPI is still useful:
DPI is typically deployed as an on-prem technology that provides high-fidelity protection capabilities, so you can detect and potentially block specific attacks. For example, when an attack like Log4j emerges and you want to see if you’re being targeted, DPI’s ability to look for Layer 7 attacks is useful.
DPI is also useful to very precisely monitor North-South traffic in and out of high-value environments, such as a subset of your data center where credit card information is stored and you have a PCI compliance requirement.
Where DPI is useful but costly and challenging:
Challenges emerge when you want to use DPI at scale. Because budgets are rarely large enough to support inspection everywhere on the network, organizations make tradeoffs and typically instrument only the prime routes of concern in and out of the organization. Visibility into East-West traffic is therefore highly limited, so lateral movement typically goes unobserved because of these cost- and complexity-driven deployment limitations.
In Zero Trust environments where almost all traffic is encrypted, teams increasingly have to balance the cost of decrypting traffic against what they want to inspect. This includes the direct financial cost of the specialized technology required to inspect encrypted traffic and the computational cost of the decryption itself, which in turn drives the financial cost higher. As networks expand, the need for more decryption capability and more DPI capability grows, expanding costs once again.
Lifecycle management challenges inherent in appliance-based legacy architectures also add cost and complexity: constantly updating content, managing and curating policies, and parsing, contextualizing, and validating event loads for response. The appliances that host the DPI process also need lifecycle management as vendors end-of-life them, or as increasing bandwidth and evolving network architectures necessitate replacement of obsolete DPI infrastructure.
A less obvious but more challenging problem relates to outcome misalignment. Attack detection is interesting, but the outcome most organizations want is compromise detection. Most organizations structure their security operations not around collecting every representation of threats that arrive on their networks on a minute-to-minute basis but around identifying which detections are due to actual compromise. At this point, they will kick off their incident response processes. Detecting thousands of very specific attacks against patched or otherwise unaffected machines is much less useful than detecting a single compromise so you can initiate an investigation and your incident response processes.
Where a new approach is needed:
DPI really breaks down in today’s ever-expanding DEED environments, where a multitude of TCO-compounding problems occur.
As networks become more dispersed across multi-cloud plus on-prem environments, more sensors, agents, taps, and decryptors are needed, and they still leave critical visibility gaps. And while it’s possible to use DPI in the cloud, it’s not practical. For a number of reasons relating to privacy, security, and architecture, cloud providers don’t want to deliver packets at scale to DPI processes, so it’s challenging to field effectively. Packet tap aggregators for the cloud exist, but they are extremely expensive and difficult to operate, and you still need decryption. The TCO of going from 20 to 50 to hundreds or thousands of sensors across large enterprise networks is untenable.
Cloud environments are also particularly ephemeral, so detection capabilities need to come and go as workloads come and go. Configurations must match the requirements necessary to secure diverse environments, which is problematic. The standard way of provisioning sidecars or virtual appliances, managing license keys, and integrating with remote infrastructure isn’t well-suited for dynamic environments, particularly the cloud.
Going the DPI route in a dispersed, encrypted, and ephemeral environment is akin to plugging holes in a dike and comes at the expense of insights, understanding, and compromise detection inside your environment. Organizations end up spending a lot of money for not a lot of capabilities and still don’t get comprehensive visibility and the outcome they want. There are better, budget-friendly ways to achieve compromise detection.
Netography Fusion is a cloud-native Network Defense Platform (NDP) that provides real-time compromise detection and response capabilities across hybrid, multi-cloud, and on-prem networks. Designed for DEED environments, the platform monitors the entire environment from a single console, inspecting North-South and East-West traffic equally well at scale, and makes determinations about whether devices are behaving in ways that indicate they have been compromised. It relies on enriched metadata to identify anomalous activity regardless of encryption. And as a 100% SaaS platform it enables automatic provisioning and auto-registration to provide visibility where and when you need it in a matter of minutes without the need to deploy appliances, sensors, taps, and agents.
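To make the attack-detection versus compromise-detection distinction concrete, and to show the kind of metadata-only reasoning that works regardless of encryption, here is an added example. It is not code from this post or from Netography Fusion. It takes DPI signature hits and flow records (5-tuple metadata, no payload) and flags only those alert targets that afterwards behave like compromised hosts: a new outbound peer the host never used before, or East-West fan-out to several internal hosts on administrative ports. The alert and flow records are constructed, the signature name is fictional, and the internal ranges, `ADMIN_PORTS`, ten-minute window and fan-out threshold are assumptions chosen for illustration.

```python
# Added example: triaging DPI alerts with flow metadata to separate
# "attack seen" from "host compromised". Not code from the post or from
# Netography Fusion; all records below are constructed, and the ports,
# window and threshold are assumptions chosen for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ADMIN_PORTS = {22, 445, 3389, 5985}  # assumed ports used for lateral movement


@dataclass(frozen=True)
class Alert:
    """A DPI signature hit: the attack was seen on the wire, nothing more."""
    ts: datetime
    src: str
    dst: str
    signature: str


@dataclass(frozen=True)
class Flow:
    """Flow metadata; available even when the payload is encrypted."""
    ts: datetime
    src: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def detect_compromises(alerts, flows, window=timedelta(minutes=10), fanout_threshold=3):
    """Return one finding per alert whose target host then *behaves* compromised.

    Two post-alert behaviours are checked, both visible in metadata alone:
      1. the target starts talking to an external peer it never used before the alert
      2. the target fans out to several internal hosts on admin ports (East-West)
    Alerts with neither are attacks against hosts that were patched, unaffected,
    or blocked; they are deprioritized rather than investigated.
    """
    findings = []
    for alert in alerts:
        host = alert.dst
        mine = [f for f in flows if f.src == host]
        baseline = {f.dst for f in mine if f.ts < alert.ts and not is_internal(f.dst)}
        after = [f for f in mine if alert.ts <= f.ts <= alert.ts + window]
        new_external = sorted({f.dst for f in after
                               if not is_internal(f.dst) and f.dst not in baseline})
        fanout = sorted({f.dst for f in after
                         if is_internal(f.dst) and f.dst != host and f.dport in ADMIN_PORTS})
        reasons = []
        if new_external:
            reasons.append("new outbound peer(s) after alert: " + ", ".join(new_external))
        if len(fanout) >= fanout_threshold:
            reasons.append(f"East-West fan-out to {len(fanout)} hosts on admin ports")
        if reasons:
            findings.append({"host": host, "alert": alert.signature, "reasons": reasons})
    return findings


def deprioritized_count(alerts, findings):
    """Alerts that produced no compromise finding (the noise DPI generates at scale)."""
    flagged = {(f["host"], f["alert"]) for f in findings}
    return sum(1 for a in alerts if (a.dst, a.signature) not in flagged)


# Constructed sample data (documentation address ranges, fictional timeline).
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_ALERTS = [  # the same (fictional) signature fired against three hosts
    Alert(T0, "192.0.2.9", "10.0.1.5", "JNDI_LOOKUP_ATTEMPT"),
    Alert(T0, "192.0.2.9", "10.0.1.6", "JNDI_LOOKUP_ATTEMPT"),
    Alert(T0, "192.0.2.9", "10.0.1.7", "JNDI_LOOKUP_ATTEMPT"),
]
SAMPLE_FLOWS = [
    # pre-alert baseline: both hosts routinely reach one external update server
    Flow(T0 - timedelta(hours=1), "10.0.1.5", "203.0.113.10", 443, 4000),
    Flow(T0 - timedelta(hours=1), "10.0.1.7", "203.0.113.10", 443, 4000),
    # 10.0.1.5 (patched): keeps talking only to its usual peer
    Flow(T0 + timedelta(minutes=1), "10.0.1.5", "203.0.113.10", 443, 3900),
    # 10.0.1.7: new external peer, then fan-out to three internal hosts on SMB
    Flow(T0 + timedelta(minutes=2), "10.0.1.7", "198.51.100.77", 443, 52000),
    Flow(T0 + timedelta(minutes=4), "10.0.1.7", "10.0.2.1", 445, 1200),
    Flow(T0 + timedelta(minutes=5), "10.0.1.7", "10.0.2.2", 445, 1200),
    Flow(T0 + timedelta(minutes=6), "10.0.1.7", "10.0.2.3", 445, 1200),
]

if __name__ == "__main__":
    found = detect_compromises(SAMPLE_ALERTS, SAMPLE_FLOWS)
    for f in found:
        print(f"{f['host']}: {f['alert']} -> " + "; ".join(f["reasons"]))
    print(f"{deprioritized_count(SAMPLE_ALERTS, found)} alert(s) deprioritized")
```

Run against the constructed data, three identical signature hits collapse to a single compromise finding (10.0.1.7), and the two hits against hosts that went on behaving normally are deprioritized. Nothing here reads a payload, which is why the same logic applies to encrypted and East-West traffic that a perimeter DPI sensor would never see.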
Requiring less curation and enabling easier and broader deployment, Netography Fusion complements DPI where it is still useful and delivers a more effective way to get the outcomes you want with vastly lower TCO.