Remember Wireshark from the good old days of your IT degree or early engineering adventures? Well, guess what? It’s still kicking and just as relevant today as it was back then, and guess what else? It is still open source! Do your engineering or security teams use it? There’s a good chance they do if you’re on-premises. Believe it or not, Wireshark isn’t just for the land of wires and cables anymore. With some help from Falco and Kubernetes, it has a place in the cloud SOC.
In case you’re wondering what we are talking about, let us explain. Wireshark is a high-caliber detective tool that allows users to both capture and inspect traffic running on a network, in real time. It is useful for:
- Network Monitoring: Wireshark allows you to monitor network traffic in real time, helping to detect anomalies or suspicious activities.
- Network Forensics: It enables the inspection of captured traffic for investigating security incidents, identifying attack patterns, and understanding the scope of a breach.
- Protocol Analysis: Wireshark provides deep insight into network protocols, aiding in understanding how systems communicate and identifying vulnerabilities or misconfigurations.
- Security Auditing: By analyzing network traffic, Wireshark can help in auditing network security policies, ensuring compliance, and identifying potential weaknesses in the network infrastructure.
The cloud security game is about speed these days. Doesn’t this sound like something useful for security teams looking to find and respond to threats faster? A SOC for an on-premises environment can still use Wireshark as it has for 20 years. However, we want a cloud SOC to be able to use Wireshark too. Real-time network detection, analysis, and response are necessary in the cloud. A packet capture file (PCAP) is still relevant for cloud-native environments, as it holds a plethora of information. You just need to know how to generate the file using Kubernetes and containers.
Using Wireshark and the open source threat management tool Falco Talon, your SOC can automatically receive contextualized packet capture details related to a detection alert. This speeds up the investigation process, which was, and can still be, quite tedious. But in reality, it shouldn’t take long at all because you only have minutes to investigate a cloud attack. The faster the investigation, the sooner remediation can take place.
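To make the alert-to-PCAP workflow concrete, here is an added example (not code from the original post, Falco, or Falco Talon) that takes a Falco alert in its JSON output format and derives a scoped capture plan for the affected pod: the namespace, pod and container to target, a BPF filter limited to the remote endpoint named in the alert, a PCAP file name, and the `kubectl debug` / `tcpdump` command that would produce it. The alert is a constructed sample, the capture image name is a placeholder, and the capture duration is an assumption. The security point it shows is that only validated, non-free-text alert fields (Kubernetes names, IPs, ports) are allowed into the command, because fields such as the process or file name come from the workload itself.

```python
"""Derive a scoped packet-capture plan for a pod from a Falco alert.

Added example; not part of the original post and not Falco Talon's code.
Assumes Falco's JSON output format (output_fields keys such as k8s.ns.name,
k8s.pod.name, fd.rip, fd.rport). Image name and duration are placeholders.
"""
import ipaddress
import json
import re
from dataclasses import dataclass
from datetime import datetime

CAPTURE_IMAGE = "example.invalid/tcpdump:latest"  # placeholder, not a real image
CAPTURE_SECONDS = 60                               # assumed capture window

# Constructed sample alert in Falco's JSON output format; all values are made up.
SAMPLE_ALERT = json.dumps({
    "priority": "Warning",
    "rule": "Unexpected outbound connection",
    "time": "2024-05-01T12:34:56.789Z",
    "output": "Unexpected outbound connection (constructed sample)",
    "output_fields": {
        "k8s.ns.name": "payments",
        "k8s.pod.name": "api-7d9f8c6b5-x2k4q",
        "container.name": "api",
        "proc.name": "curl",
        "fd.lip": "10.244.1.17",
        "fd.lport": 49152,
        "fd.rip": "203.0.113.45",
        "fd.rport": 4444,
        "fd.l4proto": "tcp",
    },
})

# Kubernetes object names: lowercase alphanumerics, '-' and '.', no shell metacharacters.
_K8S_NAME = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


@dataclass
class CapturePlan:
    namespace: str
    pod: str
    container: str
    bpf_filter: str
    pcap_name: str
    command: list


def _k8s_name(fields, key):
    value = str(fields.get(key, ""))
    if len(value) > 253 or not _K8S_NAME.match(value):
        raise ValueError(f"{key} is not a valid Kubernetes name: {value!r}")
    return value


def _ip(fields, key):
    try:
        return str(ipaddress.ip_address(fields[key]))
    except (KeyError, ValueError) as exc:
        raise ValueError(f"{key} is not a valid IP address") from exc


def _port(fields, key):
    port = int(fields.get(key, -1))
    if not 0 < port < 65536:
        raise ValueError(f"{key} is not a valid port: {port}")
    return port


def build_capture_plan(alert_json: str) -> CapturePlan:
    alert = json.loads(alert_json)
    fields = alert["output_fields"]
    # Only validated, structured fields reach the command line. proc.name,
    # fd.name and the free-text "output" are workload-controlled and are not used.
    namespace = _k8s_name(fields, "k8s.ns.name")
    pod = _k8s_name(fields, "k8s.pod.name")
    container = _k8s_name(fields, "container.name")
    remote_ip = _ip(fields, "fd.rip")
    remote_port = _port(fields, "fd.rport")
    proto = fields.get("fd.l4proto", "tcp")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported L4 protocol: {proto!r}")
    # Scope the capture to the suspicious remote endpoint, not the whole pod.
    bpf_filter = f"host {remote_ip} and {proto} port {remote_port}"
    ts = datetime.fromisoformat(alert["time"].replace("Z", "+00:00"))
    pcap_name = f"{namespace}_{pod}_{ts.strftime('%Y%m%dT%H%M%SZ')}.pcap"
    # Ephemeral debug container sharing the target container's namespaces;
    # -G/-W make tcpdump stop after one CAPTURE_SECONDS rotation.
    command = [
        "kubectl", "debug", "-n", namespace, pod,
        f"--image={CAPTURE_IMAGE}", f"--target={container}",
        "--", "tcpdump", "-i", "any", "-nn",
        "-G", str(CAPTURE_SECONDS), "-W", "1",
        "-w", f"/tmp/{pcap_name}", bpf_filter,
    ]
    return CapturePlan(namespace, pod, container, bpf_filter, pcap_name, command)


if __name__ == "__main__":
    plan = build_capture_plan(SAMPLE_ALERT)
    print(plan.bpf_filter)
    print(" ".join(plan.command))
```

The resulting PCAP lives in the ephemeral container's filesystem; copying it out to wherever Wireshark runs is a separate step and is not covered here. Because the filter is derived from the alert, the analyst opens a capture that already contains only the connection that triggered the detection.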
Wireshark’s versatility and cost (it’s free!) make it a valuable asset in the arsenal of security professionals, providing deep visibility into network traffic and aiding in maintaining a secure and resilient network infrastructure.
Want more technical details or want to share with your team? We have a technical explanation and workflow for practitioners.
Is your team looking at packets? Join us at SharkFest this year and take your skills to a whole other level!