Aussie startup Packetloop turns big data APT forensics into Arbor Networks success

Scott Crane, co-founder and CEO of Packetloop

Sydney startup Packetloop is looking forward to rapid expansion of its five-person business after its big data security technology was snapped up by security giant Arbor Networks, which will integrate Packetloop’s novel analysis tools into its NetFlow security platform.

The company – which was founded less than three years ago as a way of improving forensic analysis of network security compromises – produces a big-data tool that intercepts, displays and archives all network traffic passing network taps.

A detailed analysis toolkit allows investigators to rewind and fast-forward through the network traffic stream, letting them pick out particular types of traffic and follow it through a chosen time period. Historical data can be re-scanned against an ever-growing cloud database of threats, allowing the detection of past infections by attacks that were only discovered subsequently.

The technique – which co-founder and CEO Scott Crane likens to re-testing athletes’ years-old drug-test samples against modern detection tools – is invaluable for picking out the subtle traces of advanced persistent threats (APTs), which often fly under the radar by keeping network activity to an absolute minimum. And, by using raw data instead of relying on server logs, the system can pick up activity that may normally be ignored by traditional log-based security environments.
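The retrospective re-scan the two paragraphs above describe can be shown in a few dozen lines. The following is an added example written for this article, not Packetloop's or Arbor Networks' code: it keeps an archive of connection summaries extracted from captured traffic, a threat-indicator feed in which each indicator carries the date it was published, and a scanner that replays the whole archive against the feed as of a chosen day. A hit is flagged as retrospective when the indicator did not yet exist on the day the traffic was captured, which is exactly the class of infection a live, log-based alert could never have raised. The record and indicator formats and every address, hostname, date and campaign name are constructed for illustration.

```python
"""Retrospective re-scan of archived network traffic against a growing
threat-indicator feed.

Added example, not Packetloop's or Arbor Networks' code. The record
format, the indicator feed and all sample values are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class FlowRecord:
    """One archived connection summary extracted from captured packets (constructed)."""
    seen: date        # day the traffic was captured
    src: str          # internal host
    dst: str          # external destination (IP, or hostname taken from DNS/SNI)
    dst_port: int


@dataclass(frozen=True)
class Indicator:
    """A threat indicator and the day it was published to the feed (constructed)."""
    value: str        # IP or hostname
    published: date
    campaign: str


# Constructed traffic archive: a quiet, low-volume beacon from 10.1.4.22
# on 2012-11-03 sits among ordinary traffic.
ARCHIVE = [
    FlowRecord(date(2012, 11, 3), "10.1.4.22", "update.example-cdn.test", 443),
    FlowRecord(date(2012, 11, 3), "10.1.4.22", "203.0.113.77", 443),
    FlowRecord(date(2012, 11, 3), "10.1.4.31", "mail.example.test", 993),
    FlowRecord(date(2013, 2, 14), "10.1.4.22", "203.0.113.77", 443),
    FlowRecord(date(2013, 2, 14), "10.1.4.50", "198.51.100.9", 80),
]

# Constructed indicator feed: the beacon's server was only attributed to a
# campaign in May 2013, half a year after the first beacon was captured.
FEED = [
    Indicator("203.0.113.77", date(2013, 5, 1), "campaign-alpha"),
    Indicator("198.51.100.9", date(2012, 9, 10), "commodity-malware"),
]


def indicators_known_on(feed, as_of):
    """Return the feed as it looked on `as_of` (an ISO date string), keyed by value."""
    cutoff = date.fromisoformat(as_of)
    return {i.value: i for i in feed if i.published <= cutoff}


def rescan(archive, feed, as_of):
    """Re-scan the whole archive with the feed as of `as_of` (ISO date string).

    Returns a list of (record, indicator, retrospective) tuples. `retrospective`
    is True when the indicator was published after the traffic was captured,
    i.e. the hit could not have been raised by a live detection at the time.
    """
    known = indicators_known_on(feed, as_of)
    hits = []
    for rec in archive:
        ind = known.get(rec.dst)
        if ind is None:
            continue
        hits.append((rec, ind, ind.published > rec.seen))
    return hits


def first_contact(hits):
    """Earliest capture date per (host, campaign): when was each host first compromised?"""
    earliest = {}
    for rec, ind, _ in hits:
        key = (rec.src, ind.campaign)
        if key not in earliest or rec.seen < earliest[key]:
            earliest[key] = rec.seen
    return earliest


if __name__ == "__main__":
    hits = rescan(ARCHIVE, FEED, "2013-06-01")
    for rec, ind, retro in hits:
        tag = "RETROSPECTIVE" if retro else "live-detectable"
        print(f"{rec.seen} {rec.src} -> {rec.dst}:{rec.dst_port} [{ind.campaign}] {tag}")
    for (host, campaign), day in first_contact(hits).items():
        print(f"{host} first reached {campaign} infrastructure on {day}")
```

Run with a scan date of 2013-06-01 and the two beacons to 203.0.113.77 come back flagged retrospective, dating the compromise of 10.1.4.22 to 2012-11-03 rather than to the day the indicator appeared; the same scan dated 2013-04-30, before the indicator was published, finds nothing for that host. The design point is that the archive stores what the packets said, not what a log format chose to record, so a destination that was unremarkable at capture time is still there to be matched later.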

It won’t necessarily stop an APT in mid-flight, but the company’s technology is proving to be a favourite with forensic analysts who are “time poor and under heaps of pressure to get results,” Crane told CSO Australia.

“Because we deal with taps we can take it anywhere on the network, and we’re not reliant on logs or parsers. We wanted to deliver a tool that would be high yield, and we’re very strong on the visualisation aspect so they can zoom in and out, and understand what the data is telling them. The moment we ingest that packet, and capture that data, we’re processing it and analysing it onscreen for the analyst.”

Such capabilities bring new visibility to the process of security discovery, which has become an increasingly important function in security-conscious businesses and security response teams that have “whole departments dedicated to trolling through data looking for things they’ve missed”, Crane said.

The process comes at a resource cost, Crane conceded: a “really big organisation” might generate 1 to 2 terabytes of network data in a day, or around 700TB of data per year.

Packetloop has addressed this issue by building its archival capabilities in the Amazon Web Services cloud, allowing for scalability and instant access on a per-gigabyte, per-month basis. It’s also planning to bundle the capabilities into a standalone appliance with a substantial disk capacity for data storage.

Packetloop’s technology will be integrated with the Arbor Networks product family in coming months, with Packetloop retaining its Sydney operations and expecting to hire “a dozen or so” new staff to ramp up its capabilities.

“It’s a huge thing for security in Australia, and startups in Australia,” Crane said, noting that in Arbor “we’ve met a team of people that’s culturally almost identical to where we are today, just bigger. They’re passionate, focused, committed professionals that have fun getting the job done.”
