PCAP Analysis blog featured image
Blog

Begin Your Visibility Journey Using PCAP Analysis

Jori VanAntwerp, CEO SynSaber
Jori VanAntwerp
CEO, SynSaber

You’ve heard it before: you can’t defend what you can’t see — and a fruitful visibility journey starts with network monitoring and PCAP analysis.

Network monitoring is core to protecting your operational technology (OT) environment and ensuring normal operations from the process, to the equipment.

Visibility Isn’t Optional (or Simple)

Gaining visibility in OT environments is incredibly challenging, with environmental, size, and power constraints adding layers of complexity. There is no one-size fits all solution for network monitoring, and the challenge that many security and operational teams face is how best to monitor network data and traffic.

The first step is understanding the options for these disparate and diverse environments. There are infinite combinations of hardware and software that organizations can use to monitor their network traffic. Some examples include:

  • Log collection and analysis
  • Intrusion and detection systems (IDS)
  • Packet capture (PCAP) collection and analysis

Your methods will depend on your organization’s requirements, environment, and infrastructure.

Some questions you’ll need to ask in order to determine the optimal methods for monitoring are:

  • Does your organization have any regulatory or compliance initiatives or requirements?
  • What equipment and/or infrastructure is available in your environment today?
  • What are the most expedient and efficient ways to gain access to network data?

In some cases, it may be challenging to answer these questions. However, an initial project to quickly gather data using your existing infrastructure can help you answer some, if not all, of these questions.

Using PCAP Analysis to Evolve in Your Visibility Journey

PCAPs are raw snapshots in time of all the traffic transmitted over a network saved into one or more files.

Packet captures can span fractions of seconds to days, and your organization can gain a wealth of information by analyzing them, such as:

  • Devices on the network
  • Associated metadata (IP, MAC, vendor, their class – OT or IT)
  • Subclass type (workstation, PLC, virtualization, etc.)

They can also be used to gain insight into network performance, identify bottlenecks, and provide evidence of compliance with security regulations and standards.

PCAPs are incredibly useful and powerful for assessment, response, and forensics. For example, analysts can inspect PCAP files to identify odd behavior or evidence of a suspected breach.

What better way to see if a device is functioning as intended or if a tool/policy meant to limit a specific type of traffic on your network is working than to validate it by analyzing the traffic itself?

🤷 But if they’re so useful, why don’t we all use packet captures?

PCAPs have a lot of valuable information. They contain all of the raw data from the segment where they were captured. But let’s be honest — they’re not easy to understand, read, or analyze. It requires a level of knowledge and skill, not to mention time, to read and gain insights from PCAPs.

Cue the OT PCAP Analyzer → OPA! 🎉

A Simple, Free PCAP Analysis Tool for the ICS Community

SynSaber’s OT PCAP Analyzer is a free tool that makes it easy to get a high-level breakdown of the networks, devices, and protocols in your packet capture file.

Device information and metadata, protocols, and communication networks are broken out by device into a simple, human-readable format, so security analysts, compliance teams, operators, and others can get quick visibility into the network offline.

SynSaber created OPA to simplify the network analysis process and allow analysts and operators to quickly gain insights into their environment without digging through the raw data and evolve their visibility journey.

If you’re interested in trying it out, the tool is free (forever). Get early access at https://synsaber.com/product/ot-pcap-analyzer/

PCAP Analysis blog featured image

This is just the beginning of the amazing adventures of SynSaber and Visibility.

Their journey has just begun and is destined to be packed with non-stop action, peril, and excitement.

PCAP Analysis blog - Visibility evolving into Observability

Together, they’ll encounter amazing friends and evil enemies.

As their journey unfolds, we will unlock the magic and mystery of a most wondrous place —

the incredible world of OT.

~~~~~

Stay tuned for our next episode…

What?

VISIBILITY is evolving!

VISIBILITY has evolved into OBSERVABILITY!

~Pokémon nerd, Jori 🤘⚔️