CDN Product Roadmap: High Performance Packet Capture

This is the first part of my product roadmap series for CDNs. I’ll evaluate products being used inside and outside the CDN market, and discuss creative ways in which CDNs may incorporate them into their infrastructure to improve security and performance, or make them a part of the product portfolio, to be offered as a feature to clients for a monthly fee.

Market Opportunity

Splunk, the log management company, is on a hot streak right now. They have created a big market for their service. As of 2/13/14, Splunk has a market cap of $8.9B on revenues of $200M. Splunk is more valuable than Level 3, which generates $6B+ in annual revenue. A new crop of Splunk copycats has popped up all over the place. There is definitely a huge market for this type of service. Splunk offers a log management application that collects data from devices and software, correlates it, and provides detailed KPIs and analytics on specific metrics relating to product sales, market trends, customer behavior, buying patterns, security events, and the like.

CDN SIEM Feature

One of the key features of Splunk is the security SIEM functionality. SIEM is a robust tool that is used by security specialists in most major enterprises. One key ingredient of SIEM is packet capture. An IPS/IDS is one of the components of a SIEM that deals with packet capture. Some products are better than others when it comes to packet capture, and then there is the leader in high performance packet capture, Endace (acquired by Emulex).

Endace has created an appliance that captures inbound/outbound packets (netflow) traveling through the network, or in our case the CDN POP internetwork. It then correlates the data and provides security based analytics on network behavior, traffic anomalies, threats, applications in use, protocol reporting, and so on.

Endace, Packet Capture and Analysis

The Endace INR (Intelligent Network Recorders) is one of the leading high performance packet capture products in the market today. The INR is a carrier grade appliance used by enterprises, carriers, and ISPs that is able to ingest and track packets traveling in big volumes, whether it’s 10Gbps or 10Tbps. The INR is a probe that sits in a data center. For a CDN, it would sit right alongside the caching servers or routers. That means a CDN with 20 POPs requires 20 probes in total.

The INR enables CDNs to capture 100% of the unfiltered packets (netflow) that travel through their global network, and creates drill downs to the customer level, via an IP address, session, protocol, or other metric. If there is a breach into the customer website or web application, the INR, in conjunction with other tools, visualizes the breach in real time, in order to spot irregular patterns and track the packets back to the offending device.

The coolest part of the INR is that it’s 100% accurate, with zero packet loss. For a CDN with 20 POPs, pushing hundreds of Gbps, zero packet loss is unheard of. Neil Livingston, the former Chief Product Officer of Endace, stated, “Our research shows that competitive IDS solutions can miss up to 40 percent of traffic, which is shocking. Our 100 percent packet capture technology is the foundation for our IDS approach.”

CDN Security based Analytics – $25k/mo.

The CDN feature that can be developed from packet capture is security based analytics. This would be a high end feature, offered for $10K to $25k per month, that is suited for the individual customer. There can be different levels of analytics, from entry level security analytics to very advanced analytics. The target prospects for this service are online banking, ecommerce, online gaming, and online retail properties. Any CDN that implements this type of feature would leapfrog all other CDNs when it comes to SIEM based analytics. That’s taking analytics to a whole new level.