DPI: Still Effective for the Modern SOC?


There has been an ongoing debate in the security industry over the last decade or so about whether or not deep packet inspection (DPI) is dead. In fact, some have even playfully referred to it as a “dead piece of investment.” This debate has intensified more recently as the modern network has become increasingly dispersed, bringing us to a breaking point where tradeoffs are becoming unsustainable for many organizations.

Recent research (PDF) found that roughly 87 percent of enterprises are taking a multi-cloud approach, which means that deploying solutions that help security teams see what they have on their networks is getting increasingly tricky. And quite frankly, even in most physical, on-prem environments it is also getting pretty tricky, particularly as more organizations move to Zero Trust models, which require encryption. Encryption makes it very difficult for DPI to see into network traffic and inspect packets, and any workarounds (such as decrypting at an inspection point) are typically expensive and hard to deploy.

That said, DPI is not, in fact, dead; but it is increasingly hard to scale. Historically networks were primarily made up of appliances in a controlled number of settings and locations. That made it considerably more manageable to deploy DPI everywhere. Now, the number of devices, taps, sensors and agents we have deployed across a range of diverse environments – from on-prem, to cloud and multi-cloud, even hybrid environments – makes it nearly impossible. Then add to that the sheer bandwidth and variety of traffic hitting all of those points and the compute resources it takes to inspect it all and we are looking at a prohibitively expensive endeavor for the majority of organizations.

This is especially true in Zero Trust environments: teams have to balance the cost of decrypting traffic with what they need to inspect. The financial costs involved with specialized technology necessary for inspecting traffic and the compute costs associated with it can further increase the bill. Then as the network expands, you have to add more DPI and the financial costs rise with it. 

Security teams have to take a risk-based approach to determining where it makes the most sense to deploy DPI. If they have a good understanding of what areas of their networks are high value targets for attackers – for example servers in the billing department that house sensitive customer financial information and that must comply with PCI regulations – they can implement and manage DPI for those areas. Making determinations like this is simply good security practice.

DPI can also aid in behavioral analysis, allowing security teams to identify abnormal network behavior that may not otherwise be detected with other security tools. It can also help analyze specific protocols and applications that are critical for understanding the types of traffic on the network.

As alluded to before, however, where DPI really breaks down is in the ever-evolving dispersed network where cloud, multi-cloud, and on-prem environments all come into play. DPI in the cloud is simply not practical for a number of reasons: there are privacy and security challenges, and in many cases cloud providers do not want to provide packets at scale. While packet tap aggregators for the cloud do exist, they are typically expensive and difficult to manage and maintain, and even those require some level of decryption.

For those areas that do not require the high-fidelity inspection that DPI provides, there are alternative technologies such as flow analysis, which aggregates packets based on common header attributes such as IP addresses, ports and protocols. Because flow analysis relies on metadata rather than payload, combining it with enriched metadata can identify unusual or malicious behavior regardless of encryption. Flow can also be combined with logs from network application services, such as DNS, to give an even greater depth of view into what is happening on the network. And it can be done completely in the cloud, which enables automatic provisioning and auto-registration for visibility where and when teams need it, without necessarily requiring appliances or other on-prem hardware deployment.
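As an added illustration of the flow-based approach described above (example code written for this edit, not the author's or Netography's), the script below aggregates constructed packet metadata into 5-tuple flows, enriches each flow with a constructed DNS log, and flags two behaviors using headers alone, so it works the same on TLS-encrypted traffic. The thresholds, field layout and sample values are assumptions.

```python
from collections import defaultdict

# Constructed sample packet metadata: (src, dst, sport, dport, proto, bytes).
# Only header fields are used, so TLS encryption of the payload changes nothing.
PACKETS = [
    ("10.0.1.5", "203.0.113.10", 52311, 443, "tcp", 900),
    ("10.0.1.5", "203.0.113.10", 52311, 443, "tcp", 1200),
    ("10.0.1.5", "203.0.113.10", 52312, 443, "tcp", 800),
    ("10.0.1.7", "198.51.100.9", 40001, 443, "tcp", 150_000),
    ("10.0.1.7", "198.51.100.9", 40001, 443, "tcp", 150_000),
    ("10.0.1.7", "198.51.100.9", 40001, 443, "tcp", 150_000),
    ("10.0.1.9", "192.0.2.44", 51000, 8443, "tcp", 300),
]

# Constructed DNS resolver log: (client, queried name, answer IP).
DNS_LOG = [
    ("10.0.1.5", "api.example.com", "203.0.113.10"),
    ("10.0.1.7", "cdn.example.net", "198.51.100.9"),
]

def aggregate_flows(packets):
    """Collapse packets into flows keyed by the 5-tuple, summing packets and bytes."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, sport, dport, proto, size in packets:
        flow = flows[(src, dst, sport, dport, proto)]
        flow["packets"] += 1
        flow["bytes"] += size
    return dict(flows)

def enrich_with_dns(flows, dns_log):
    """Attach the name the client resolved for the destination IP, or None if none."""
    resolved = {(client, ip): name for client, name, ip in dns_log}
    return {k: {**v, "dst_name": resolved.get((k[0], k[1]))} for k, v in flows.items()}

def detect(flows, byte_threshold=100_000):
    """Flag flows with no preceding DNS resolution by that client (a destination
    reached by hardcoded IP) and flows whose byte volume exceeds the threshold."""
    alerts = []
    for (src, dst, sport, dport, proto), flow in flows.items():
        if flow["dst_name"] is None:
            alerts.append(("no-dns", src, dst, dport))
        if flow["bytes"] > byte_threshold:
            alerts.append(("high-volume", src, dst, dport))
    return alerts

def run(packets=PACKETS, dns_log=DNS_LOG):
    return detect(enrich_with_dns(aggregate_flows(packets), dns_log))

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In production the packet records would come from a flow exporter and the DNS pairs from resolver logs; the detection logic itself stays identical.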


DPI can still be useful in a modern SOC, but its effectiveness and relevance depend on the specific security needs of the organization. Teams would be wise to deploy it in the areas that pose the highest risks and to use it in conjunction with other security technologies, such as NetFlow and other traffic metadata log analysis. By balancing DPI with these complementary technologies, teams can build a comprehensive security strategy that ensures both network visibility and strong access controls while also achieving outcomes that vastly lower TCO.

Written By

Matt Wilson is the Vice President of Product Management at Netography. Over his 25+ year career, Matt has held senior technology leadership positions across numerous industries including Neustar, Verisign, and Prolexic Technologies. With a rich background in innovation and go-to-market strategies, Matt has been a critical leader in helping many companies conceptualize solutions from the customer lens and drive them to market with significant impact.
