A comparison of NDR solutions: Deep packet inspection (DPI) vs. metadata analysis

Executive summary

In today’s complex IT environments, Network Detection and Response (NDR) solutions are crucial to identify, assess, and respond to cyberthreats. Many NDR solutions rely on deep packet inspection (DPI) technology, which utilises traffic mirroring to analyse the payload of each packet passing through a mirrored sensor or core switch.

DPI metadata analysis

DPI has become popular since it provides very detailed traffic analysis. However, this approach requires designated hardware sensors and large amounts of processing power, while at the same time being blind to encrypted network traffic and only analysing data flowing over the mirrored infrastructure.

Metadata analysis (MA) overcomes these limitations to provide detailed and insight-enriched visibility into the entire network. In addition, MA is completely unaffected by encryption and ever-increasing network traffic. These advantages make MA-based NDR solutions a superior and future-proof alternative to NDR solution relying on deep packet inspection.

Modern organisations are characterised by complex IT environments and expanding attack surfaces. To protect themselves, they need a robust cyber architecture with a reliable Network Detection and Response (NDR) solution. NDR is crucial to detect suspicious behaviours and malicious actors, and quickly respond to threats. NDR tools continuously analyse traffic to build models of “normal” behaviour on enterprise networks, detect suspicious traffic, and raise alerts.

Traditional NDR solutions rely on deep packet inspection (DPI). This approach supports detailed analysis and has thus become quite popular. But as data volumes increase and network traffic becomes increasingly encrypted, such solutions are becoming inadequate to protect enterprise networks moving forward. What organisations now need is a more future-proof NDR solution relying on metadata analysis.

In this article, we explore and compare two NDR approaches: deep packet inspection and metadata analysis. We will examine why metadata analysis is a superior detection technology to protect IT/OT networks from advanced cyber threats.

What is deep packet inspection and how does it work?

Deep packet inspection is the traditional approach to NDR. DPI monitors enterprise traffic by inspecting the data packets flowing across a specific connection point or core switch. It evaluates the packet’s entire payload, i.e., its header and data part to look for intrusions, viruses, spam, and other issues. If it finds such issues, it blocks the packet from going through the connection point.

DPI relies on traffic mirroring. In effect, the core switch provides a copy (“mirror”) of the network traffic to the sensor that then uses DPI to analyse the packet’s payload. Thus, DPI provides rich information and supports detailed analysis of each packet on the monitored connection points. This is one of its biggest benefits.

However, its drawbacks outnumber this benefit. As network traffic continues to increase and IT environments become increasingly complex and distributed, DPI is reaching its limits.

Why DPI can’t detect or prevent advanced cyberattacks

One critical drawback of DPI is that it requires large amounts of processing power to thoroughly inspect and analyse the data section of packets. In data-heavy networks, it can’t inspect all network packets, making it unsuitable for high-bandwidth networks.

Moreover, it only provides detailed analysis of the network traffic transmitted on and flowing through the monitored core switches. As less and less network traffic is flowing through core switches, DPI offers limited visibility into the IT network.

In addition, DPI is blind when it comes to analysing encrypted network traffic. Encryption has become a crucial component of online privacy and cybersecurity controls. However, it also allows cybercriminals to launch devastating cyberattacks. In fact, most modern cyberattacks, including ransomware, lateral movement, and Advanced Persistent Threats (APT) heavily utilise encryption in their attack routines. Since DPI was not built to analyse encrypted traffic, this limitation can create serious security gaps for modern enterprises.

DPI is also inadequate in enterprise environments that use Software as a Service (SaaS) apps and other assets not “owned” by the enterprise. DPI tools can’t provide adequate visibility into these assets, which leaves the organisation vulnerable to attacks launched through these third-party applications. This is one of numerous CISO cybersecurity challenges, where DPI doesn’t provide the assistance it should.

A more robust approach to NDR: Metadata analysis

The metadata analysis (MA) approach used amongst others by ExeonTrace can effectively address the limitations of DPI. Unlike DPI, which only inspects the traffic flowing across mirrored core switches, MA looks at log data from multiple network sources (Switches, Cloud logs, Firewalls etc.) to provide visibility into the entire network. In addition, MA does not require designated hardware sensors, is unaffected by encryption and can effectively deal with ever-increasing network traffic. The MA solution records and analyses multiple types of data for every packet passing through the network, and captures attributes about network communications, applications, and even actors.

Based on this information, MA provides an extensive analysis without slowing down the network. Metadata analysis provides visibility into the entire network, making MA optimal for distributed, high-bandwidth networks. Moreover, since MA is completely unaffected by encryption, it can more effectively detect, prevent, and address cyberattacks hiding behind encrypted traffic. Consequently, MA does not suffer from the limitations imposed on NDR by DPI.

How security teams and organisations can benefit from metadata analysis

Unlike DPI, MA-based NDR solutions offer robust and future-proof network analysis capabilities to protect organisations from known and unknown cyberthreats. As we have seen, MA can deal with ever-increasing network traffic and are completely unaffected by encryption, allowing organisations to detect and prevent even the most advanced cyberattacks.

When MA is supplemented by system and application logs, it allows for richer, deeper, and more actionable insights than DPI. Security teams can effectively and consistently detect vulnerabilities and get better visibility into enterprise security blind spots (e.g., shadow IT), which is a common entry point that’s exploited by cybercriminals. They can continually monitor suspicious activity on all devices and endpoints connected to it. Such holistic, comprehensive, and reliable visibility is just not possible with DPI.

Finally, DPI analysis is data-heavy, making it difficult and expensive to store historical records for future investigations. MA however, is typically “lightweight”, which makes it easy and inexpensive to store and review later for forensic investigations.

As the threat landscape expands, organisations can no longer afford to continue to rely on DPI-based NDR. To prepare for the future and stay ahead of the bad guys, they need to adopt a MA-based NDR solution like ExeonTrace.

Don't miss