|
|
 Mark Grodzinsky and Ron Nevo presented for cPacket at Security Field Day 13 |
This Presentation date is May 29, 2025 at 9:00-10:30.
Presenters: Andrew Barnes, Mark Grodzinsky, Ron Nevo
Follow on Twitter using the following hashtags or usernames: #XFD13
cPacket Security Field Day Introduction
Watch on YouTube
Watch on Vimeo
cPacket delivers zero-downtime observability for mission-critical networks across finance, healthcare, and government. Trusted with over 50% of global market data, our ASIC+FPGA-powered platform aligns with NIST CSF 2.0 to provide pervasive, scalable visibility across hybrid and cloud environments—enabling real-time packet analytics, rapid threat detection, and enhanced protection for SOC/NOC operations. Founded in 2007 as a semiconductor company specializing in hardware-offloaded string search, cPacket evolved to build a full platform for network observability, initially gaining traction with British Telecom for the London 2012 Olympics. Their core strengths lie in providing nanosecond timestamping, pervasive packet capture, and real-time network analytics across hybrid environments, including private and public clouds, and data centers. Their ideal customers are “zero downtime enterprises” in finance, healthcare, and government that demand packet precision, performance, and the newly added context provided by AI.
cPacket believes that robust network observability solutions can significantly augment and strengthen security postures without replacing existing security tools. Their approach is built on a pervasive, independent, and scalable architecture, allowing them to capture packets anywhere in a hybrid network, from 100 to 400 gigabits per second, and process trillions of packets daily. Crucially, their solutions operate independently of application logs, ensuring visibility even if applications are compromised. The cPacket architecture involves monitoring points (taps, spans, virtual taps) that feed into packet brokers equipped with FPGAs and ASICs on every port. These hardware components enable high-speed packet inspection and counting at the port level, allowing for capabilities like string matching on every packet at speeds up to 1.6 terabits per second.
The solution further includes sophisticated packet capture analytics, capable of writing 200 gigabits per second directly to disk while simultaneously indexing and analyzing packets for session length, duration, and latency. While cPacket does not decrypt data, they extract and analyze a vast amount of metadata from handshakes, DNS calls, ICMP, and other network traffic to gain visibility into network health and potential threats. This collected data and metrics are centralized in C-Clear, where they are enriched, analyzed with AI/machine learning algorithms, and presented through dashboards and workflows, including Grafana and custom APIs. cPacket also offers the ability to push metrics and packets to external object storage for long-term retention or more extensive AI analysis, and is investing in LLM-based interactions for agentic AI, demonstrating their commitment to an open API ecosystem that integrates with security companies, SIEMs, and IT service management platforms.
Personnel: Mark Grodzinsky, Ron Nevo
cPacket Network Observability for Deterministic Incident Detection
Watch on YouTube
Watch on Vimeo
cPacket enables deterministic incident detection by inspecting every byte in every packet at line rate, delivering real-time visibility into threats like DNS beaconing, volumetric DDoS, and C2 channels. With high-speed, packet-level analytics across hybrid cloud and enterprise networks, security teams gain definitive, actionable insights to accelerate threat detection, incident response, and breach prevention. cPacket’s approach to incident detection is “deterministic,” meaning it relies on clear, definable thresholds. For threats like DNS beaconing, cPacket’s smart port technology, leveraging FPGAs and ASICs, can inspect every byte in every packet at line rate to perform string matching. This allows for immediate detection of specific domain requests, such as those associated with supply chain attacks, providing a definitive “yes or no” answer regarding infection status.
For volumetric DDoS attacks, cPacket’s ability to count every packet in real-time allows for rapid detection of anomalies, such as an unusually high ratio of SYN packets to SYN/ACK packets (SYN flood) or excessive DNS responses without corresponding requests (DNS amplification). These detections are measured in seconds, providing much faster and more accurate alerts than traditional methods like NetFlow. While cPacket focuses on detection rather than mitigation, these real-time alerts can be used to initiate on-demand mitigation strategies with ISPs or scrubbing centers, particularly crucial for financial services firms that prioritize low latency.
Furthermore, cPacket’s packet capture solutions can identify long-duration, low-traffic sessions, which are characteristic of command and control (C2) channels. By tracking millions of open TCP sessions, even those with minimal data transfer, cPacket can alert security teams to sessions that persist for days or weeks, indicating potential compromise. While this specific capability primarily applies to TCP sessions, the overall approach of leveraging high-speed, pervasive network observability to detect clear deviations from normal behavior offers invaluable, actionable insights for security teams, complementing existing security tools by providing definitive, packet-level evidence of threats.
Personnel: Andy Barnes, Ron Nevo
cPacket Network Observability for AI-Enhanced Incident Detection
Watch on YouTube
Watch on Vimeo
cPacket uses AI-driven network observability to detect unknown and emerging threats across hybrid cloud and enterprise environments. By applying machine learning and unsupervised anomaly detection to trillions of packets and billions of sessions, it identifies behavioral deviations, flags exfiltration and lateral movement, and delivers deep, real-time insights for proactive, scalable cybersecurity and incident response. The challenge of identifying what constitutes “normal” versus “abnormal” behavior in complex networks is central to cPacket’s AI-driven approach. Instead of relying on static, unmanageable thresholds, their platform uses machine learning to establish a baseline of normal behavior by location, application, and time of day/week, considering all collected metrics (e.g., duration, data volume, latency, connection failures). This allows cPacket to identify subtle anomalies, such as unusually long session durations for specific services or traffic between groups that shouldn’t be communicating, which are indicative of unknown threats like slow-drift exfiltration or lateral movement.
cPacket’s AI capabilities are showcased through examples like detecting exfiltration and lateral movement. For exfiltration, the system can identify both burst and slow-drift data transfers by monitoring session lengths and data volumes, flagging attempts to steal sensitive information. For lateral movement, it detects traffic between unusual or unauthorized network segments. These advanced detections are typically performed on data collected by the packet capture devices (C-Store), where billions of sessions are analyzed. The metrics from these sessions are fed into an S3 bucket, allowing cPacket’s AI model to continuously establish baselines and detect deviations, which are then aggregated into “insights.” These insights provide concise descriptions of anomalous behavior, including when, where, and potentially why they occurred, helping security teams quickly understand and triage potential threats.
The cPacket platform provides a live, real-time view of network activity, with the AI engine continuously generating “insight cards” that group related incidents, such as scanning activity. These cards provide detailed information, including source IP addresses, countries of origin, and communication attempts, which can be further investigated by drilling down to the packet level. While cPacket does not decrypt encrypted traffic, it can still detect numerous indicators of compromise that occur in the clear. Their system is designed for network observability, and its security benefits, such as detecting unusual scanning patterns or unexpected external connections, emerged as a valuable, albeit initially unintended, outcome. This comprehensive approach, including the ability to pull full packet captures for deep forensic analysis, significantly enhances proactive cybersecurity and incident response capabilities.
Personnel: Andy Barnes, Ron Nevo
cPacket Network Observability for Incident Response
Watch on YouTube
Watch on Vimeo
cPacket powers real-time incident response with lossless packet capture, high-speed indexing, and seamless integration with SOC tools. Acting as the network’s digital black box, it enables rapid forensic analysis, root cause identification, and response automation across hybrid cloud, data center, and enterprise environments—ensuring cybersecurity teams can quickly investigate and neutralize advanced threats. cPacket emphasizes the critical role of packet capture in digital forensics, drawing a parallel to the black box in aviation to highlight its importance in understanding and preventing security incidents. Unlike other forensic methods, packet capture provides complete, tamper-proof context, showing the actual data exchanged during an attack. cPacket’s solution is designed to be pervasive, capturing packets from any point in a hybrid environment at high speeds (up to 200 gigabits per second), and scalable, capable of handling large data volumes while maintaining the ability to quickly index and retrieve relevant packets.
The architecture involves deploying monitoring points across the network, including cloud environments, where the same packet capture software is used as on-premise. This setup allows for centralized control and analysis, even in highly distributed networks. cPacket prioritizes ease of integration with existing security tools, featuring open APIs for seamless data exchange with solutions like DataDog and ServiceNow. Their focus is on providing the raw data and context that security teams need to conduct thorough investigations, rather than attempting to replace existing security systems.
A key capability is the ability to quickly retrieve and analyze captured packets, facilitating rapid root cause analysis and response automation. For example, when a third-party NDR solution detects an SQL injection, cPacket can provide access to the relevant PCAP data directly within the NDR’s interface, allowing security analysts to examine the attack payload and understand the full scope of the incident. This approach enables security teams to move beyond simply detecting threats to understanding their nature and impact, ultimately improving incident response effectiveness.
Personnel: Andy Barnes, Ron Nevo
cPacket Network Observability for Incident Validation and Compliance
Watch on YouTube
Watch on Vimeo
cPacket enables continuous security validation and compliance auditing with deep packet inspection, TLS certificate verification, and external domain access analysis. Its AI-enhanced observability platform ensures regulatory readiness, detects misconfigurations, and identifies policy drift across hybrid cloud and enterprise networks—helping security teams maintain an up-to-date posture and pass audits with real-time, actionable insights. cPacket’s solution focuses on ensuring that security postures don’t deteriorate over time due to new threats, outdated rules, misconfigurations, or broken integrations, which can lead to compliance breakdowns, especially in regulated industries like financial services and healthcare. They achieve this through Deep Packet Inspection (DPI) in their C-Store, which breaks down protocols like HTTPS, DNS, and LDAP to extract relevant metadata and performance data. This DPI capability, distinct from simple string matching, allows cPacket to understand protocol details and extract information crucial for security.
One key application of this capability is ensuring server compliance. cPacket’s dashboard provides real-time visibility into factors like TLS certificate status, cipher suite usage (e.g., ensuring adherence to TLS 1.2/1.3 and detecting insecure cipher suites), and the presence of expired certificates. This detailed monitoring helps organizations proactively identify and address compliance issues before they lead to regulatory scrutiny. Another powerful feature is DNS monitoring, which uses AI-enhanced agents to identify “unknown domains” by comparing accessed domains against known CSPs, CDNs, and top legitimate sites. This helps detect potentially malicious domains generated by Domain Generation Algorithms (DGAs) that might indicate a compromise.
cPacket is also developing AI-driven agents that can query their observability data using natural language, making it easier for security experts to analyze complex network activity without needing to master query languages. These agents are designed with controls to prevent improper operations, ensuring data integrity and security. While still in the lab and not yet in production, this capability holds significant promise for intuitive data exploration. Furthermore, cPacket’s platform allows for the analysis of external PCAP files, enabling security teams to leverage cPacket’s robust analytics tools on data captured by other systems, though a direct UI upload option is not yet readily available. Overall, cPacket aims to augment security postures by providing pervasive, real-time network observability that informs validation, ensures compliance, and aids in rapid incident response.
Personnel: Andy Barnes, Ron Nevo