There has been an ongoing debate in the security industry over the last decade or so about whether or not deep packet inspection (DPI) is dead. In fact, some have even playfully referred to it as a “dead piece of investment.” This debate has intensified more recently as the modern network has become increasingly dispersed, bringing us to a breaking point where tradeoffs are becoming unsustainable for many organizations.

Recent research (PDF) found that roughly 87 percent of enterprises are taking a multi-cloud approach which means that deploying solutions that can help security teams see what they have on their networks is getting increasingly tricky. And quite frankly, even in most physical, on-prem environments it’s also getting pretty tricky, particularly as more organizations move to Zero Trust models which require encryption. This makes it very difficult for DPI to see into the network traffic to inspect packets and any workarounds to it are typically expensive and hard to deploy.

That said, DPI is not, in fact, dead; but it is increasingly hard to scale. Historically networks were primarily made up of appliances in a controlled number of settings and locations. That made it considerably more manageable to deploy DPI everywhere. Now, the number of devices, taps, sensors and agents we have deployed across a range of diverse environments – from on-prem, to cloud and multi-cloud, even hybrid environments – makes it nearly impossible. Then add to that the sheer bandwidth and variety of traffic hitting all of those points and the compute resources it takes to inspect it all and we are looking at a prohibitively expensive endeavor for the majority of organizations.

This is especially true in Zero Trust environments: teams have to balance the cost of decrypting traffic with what they need to inspect. The financial costs involved with specialized technology necessary for inspecting traffic and the compute costs associated with it can further increase the bill. Then as the network expands, you have to add more DPI and the financial costs rise with it. 

Security teams have to take a risk-based approach to determining where it makes the most sense to deploy DPI. If they have a good understanding of what areas of their networks are high value targets for attackers – for example servers in the billing department that house sensitive customer financial information and that must comply with PCI regulations – they can implement and manage DPI for those areas. Making determinations like this is simply good security practice.

DPI can also aid in behavioral analysis, allowing security teams to identify abnormal network behavior that may not otherwise be detected with other security tools. It can also help analyze specific protocols and applications that are critical for understanding the types of traffic on the network.

As alluded to before however, where DPI really breaks down is in the ever-evolving dispersed network where cloud, multi-cloud, and on-prem environments really come into play. DPI in the cloud is simply not practical for a number of reasons ranging from privacy and security challenges and, in many cases, cloud providers don’t want to provide packets at scale. While packet tap aggregators for the cloud do exist, they are typically expensive and difficult to manage and maintain and even those require some level of decryption.

For those areas that do not require the same high-fidelity inspection that DPI provides, there are alternative technologies such as flow analysis that aggregates packets passed on common attributes such as IP address, ports and protocols. Flow analysis that also combines enriched metadata can also identify unusual or malicious behavior regardless of encryption. Flow can also be combined with logs from network application services, such as DNS to give an even greater depth of view into what is happening on the network. And it can be done completely in the cloud which makes automatic provisioning and auto-registration for visibility where and when teams need it without necessarily requiring appliances or other on-prem hardware deployment.

DPI can still be useful in a modern SOC, but its effectiveness and relevance depend on the specific security needs of the organization. Teams would be wise to deploy it in the areas that pose the highest risks and use it in conjunction with other security technologies, like netflow and other traffic metadata log analysis. In combination with other security technologies, teams can strike a nice balance to DPI, create a comprehensive security strategy that ensures both network visibility and strong access controls while also achieving outcomes that will vastly lower TCO. 

https://www.securityweek.com/dpi-still-effective-for-the-modern-soc/