Smart PCAP: A time machine for the SOC


Peri Storey

January 20, 2023 | 4 minutes read

Anyone familiar with packet forensics or packet recording knows you can spend hours poring over bulk information and waiting for a response. With Smart PCAP, you get information that is instant, meaningful, and finely tuned to your needs.  

Smart PCAP solutions provide a more intelligent way to diagnose and solve network problems. OpenText’s Network Detection and Response (NDR) integrates Smart PCAP to give your security teams the power to create and test countermeasures in minutes, not hours. At the same time, it greatly increases your lookback window for comparing past, present, and potential future threats to security.  

The “it” technology here is Smart PCAP: an approach to packet capture that employs machine learning to increase the speed and accuracy of standard-issue PCAP.

Threat hunters love the “instant gratification” it gives them. Forensic analysts love its grasp of history.  

The challenge of total visibility 

Smart PCAP cuts through the “noise” that comes with total visibility.  

Standard PCAP provides total network visibility by intercepting all data packets moving through the network, allowing them to be stored and analyzed. It’s a terrific SOC tool to catch suspected or potential security breaches, as well as to identify network performance issues like congestion and packet loss. 

But, for network security analysts, the biggest challenge with PCAP is that it can mean wading through hundreds, even thousands, of alerts every day. They’re then required to make a quick determination on whether an issue requires further investigation and possible countermeasures. This takes precious time and effort, including chasing down false alarms that should have been triaged out. 

A smarter way to PCAP 

Smart PCAP captures relevant raw data from packet transfers associated with security alerts, using Zeek-aware protocol analyzers to understand what’s in those packets. The machine learning is trained to link logs and extracted files to security history and insights, giving analysts immediate context around detected threats. The evidence is retrievable through an organization’s Security Information and Event Management (SIEM) solution.  

When our Smart PCAP triggers an alert for unusual network activity—such as a significant, but unexpected, software installation, or disk erase operation—it simultaneously and intelligently begins to target the packets in the stream of known interest. This provides SOCs with the means to search the right packets immediately after receiving an alert, optimizing their threat hunting and triage efforts.  

Building a better time machine 

Smart PCAP does more than capture the moment. It allows your analysts to learn from the past, replaying historical threat scenarios while using new information, strategies, and tools. 

Because of high storage costs, traditional PCAP forced organizations to retain massive inventories of data for only a very short time, sometimes just days. Smart PCAP instead allows a more selective process that retains fewer packets for a longer time, up to a year or more.

Our Smart PCAP’s back tracing capability enables users to replay previous packet captures against current threat intelligence to identify incidents that would not have been previously visible. It scans retained packets against the latest global threat intelligence signatures, detecting threats that slipped by before the new signature was available. This means you can apply “if I knew then what I know now” thinking to past incidents. 
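As an added illustration of the two mechanisms described above (alert-driven selective retention from “A smarter way to PCAP”, and back tracing of retained packets against threat intelligence that arrived later, from this section), here is a small Python model of the idea. It is not OpenText code and makes no claim about how the product indexes or stores packets; the packet records, the addresses (RFC 5737 documentation ranges), the flow keys and the indicator patterns are all constructed for this example.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed model: a short ring buffer of everything seen, plus a long-term
# store that holds only packets an alert promoted. Not OpenText's implementation.

FlowKey = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)


@dataclass(frozen=True)
class Packet:
    ts: datetime
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes

    def flow(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_flow(self) -> FlowKey:
        return (self.dst, self.src, self.dport, self.sport, self.proto)


class SelectiveCapture:
    def __init__(self, lookback: timedelta, max_buffered: int = 10_000) -> None:
        self.lookback = lookback
        self.buffer: Deque[Packet] = deque(maxlen=max_buffered)  # short-lived, everything
        self.retained: List[Packet] = []  # long-lived, only alert-selected packets

    def ingest(self, pkt: Packet) -> None:
        """Append in arrival order and age out packets older than the lookback window."""
        self.buffer.append(pkt)
        while self.buffer and pkt.ts - self.buffer[0].ts > self.lookback:
            self.buffer.popleft()

    def on_alert(self, flow: FlowKey) -> List[Packet]:
        """Select both directions of the alerted flow from the ring buffer and promote them."""
        selected = [p for p in self.buffer if flow in (p.flow(), p.reverse_flow())]
        self.retained.extend(selected)
        return selected

    def back_trace(self, indicators: Dict[str, bytes]) -> List[Tuple[str, Packet]]:
        """Re-scan retained packets against indicators that did not exist at capture time."""
        return [(name, p) for name, pattern in indicators.items()
                for p in self.retained if pattern in p.payload]


def demo() -> Dict[str, object]:
    """Constructed scenario: two alerts promote two flows; a later indicator is back-traced."""
    t0 = datetime(2023, 1, 20, 9, 0, 0)
    cap = SelectiveCapture(lookback=timedelta(minutes=5))
    host, installer, odd, benign = "192.0.2.10", "198.51.100.7", "203.0.113.9", "198.51.100.20"
    traffic = [  # constructed sample packets (RFC 5737 documentation addresses)
        Packet(t0, host, benign, 50000, 443, "tcp", b"\x16\x03\x01 client hello"),
        Packet(t0 + timedelta(seconds=30), host, installer, 50001, 80, "tcp", b"GET /setup.exe HTTP/1.1"),
        Packet(t0 + timedelta(seconds=31), installer, host, 80, 50001, "tcp", b"HTTP/1.1 200 OK\r\n\r\nMZ"),
        Packet(t0 + timedelta(minutes=1), host, odd, 50002, 8443, "tcp", b"POST /beacon id=7f3a"),
        Packet(t0 + timedelta(minutes=1, seconds=1), odd, host, 8443, 50002, "tcp", b"ok"),
        Packet(t0 + timedelta(minutes=9), host, benign, 50003, 443, "tcp", b"\x16\x03\x01 client hello"),
    ]
    for p in traffic[:5]:
        cap.ingest(p)
    # Alert 1: unexpected executable download. Alert 2: outbound session on an unusual port.
    installer_pkts = cap.on_alert((host, installer, 50001, 80, "tcp"))
    odd_port_pkts = cap.on_alert((host, odd, 50002, 8443, "tcp"))
    # Traffic keeps flowing; the packet nine minutes later ages the rest out of the buffer.
    cap.ingest(traffic[5])
    # Later, a new indicator arrives: it is matched against the retained store, not the buffer.
    hits = cap.back_trace({"beacon-uri": b"/beacon", "tls-hello": b"client hello"})
    return {
        "installer_pkts": len(installer_pkts),
        "odd_port_pkts": len(odd_port_pkts),
        "buffered_after_expiry": len(cap.buffer),
        "retained": len(cap.retained),
        "back_trace_hits": [(name, p.dst) for name, p in hits],
    }


if __name__ == "__main__":
    print(demo())
```

The point the scenario makes is the trade-off behind “fewer packets for longer”: the new `beacon-uri` indicator finds the session that was only retained because an unrelated alert promoted it, while the `tls-hello` pattern finds nothing, because the benign flow was never promoted and has already aged out of the short buffer. The lookback window and the alert coverage therefore define what a later back trace can and cannot see.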

Does your organization need Smart PCAP? 

To answer that, ask yourself these three questions:

  • Is my current PCAP wasting SOC time and storage costs with too much irrelevant data? 
  • Would I benefit from faster and more accurate threat hunting and incident response? 
  • Do I need to be able to identify, replay, and solve previously undetected threats that may come again? 

If you find yourself nodding “yes,” then you already know Smart PCAP is for you. It’s part of what makes OpenText Network Detection & Response the only end-to-end NDR platform that allows your entire enterprise to collaborate better, reduce security risk, and solve network problems faster than ever before.  

For more information 

OpenText can help your business stay prepared and in a trusted state by identifying and eliminating blind spots in the network. Learn more about OpenText’s threat detection and response solutions and try OpenText NDR for free today to search, hunt and explore real data in a cloud lab environment. 

Contact us at any time to speak with one of our security experts.


Peri Storey

Peri Storey is the Senior Product Marketing Manager for OpenText Digital Forensic solutions. Having spent her marketing career in the technology sector, Peri has focused on delivering brand recognition, go-to-market plans and lead-generation programs on a global scale. With a voice-of-the-customer approach, Peri is focused on solving the challenges associated with explosive data growth in a digital world.
