Cisco Live US 2025 SOC – PCAP or it didn’t happen!

Original Entry by : Barry "Baz" Shaw

By Barry “Baz” Shaw, Senior Engineering Manager, Technology Partner Programs, Endace



Elevating Incident Response with the Ultimate Network Forensics

After a successful SOC @ RSAC2025, our team was stoked to be invited to help Cisco run the SOC at Cisco Live US (CLUS). We jumped at the chance to work with the Cisco team again. It was a great opportunity to innovate while helping Cisco protect and educate the attendees of the conference. Plus, the Cisco team is a lot of fun to hang out with—there’s a very infectious vibe in the SOC that has everyone buzzing for the entire week.

Packet capture is essential in the SOC. It provides an indelible record of all network activity, which is invaluable to the SOC team when investigating threats or security risks—hence the phrase, “PCAP or it didn’t happen.” For CLUS, we deployed two EndaceProbes with a combined storage of 864TB to continuously record all network activity delivered via 2 x 10GbE SPAN ports. This gave us the capacity to record at least several weeks of full network packet data—covering more than the entire duration of the show.

Endace Fusion integrations provided the glue between the Cisco Security suite and the packet data on the EndaceProbes, enabling analysts to quickly pivot from Splunk Enterprise Security/Splunk Cloud, Cisco XDR, Cisco Firepower, and Cisco Secure Network Analytics (SNA) through to EndaceVision and hosted Wireshark. When historical full PCAP is reachable through a seamless integration, analysts get contextual access to the packets with minimal effort, which removes much of the friction that has traditionally made PCAP data cumbersome to use.

The EndaceProbes each hosted two VMs that were running Zeek and delivering critical log data into Splunk. Custom Zeek script additions provided additional valuable detail around clear text passwords in email and HTTP, shining a light on the heavy use of insecure protocols, and ultimately driving automation to manage the unexpected volume. File-carving was enabled, and over 750,000 files were reconstructed from packet data, with over 40,000 samples submitted to Splunk Attack Analyzer (SAA) via Endace’s automatic submission software. SAA then sent over 12,000 files to Secure Malware Analytics (formerly Threat Grid) for dynamic analysis of the behavior.

SOC Findings and Lessons Learned

The SOC team was surprised and initially overwhelmed at the volume of unencrypted traffic on the network. Logging of passwords was coupled with a Cisco XDR automation that created an incident on each detection. This resulted in a heavy workload identifying and notifying users to educate and protect them in the future. The Splunk team developed a creative automated solution to notify users that the SOC detected their use of insecure protocols.

We even found a version of POP that was news to us all: APOP. This hashes the timestamp from the server’s greeting response together with the user’s password to produce a password digest. While this obscures the password, it only delays its inevitable retrieval, and all the while the actual message bodies are still transferred in plain text!
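Detection logic for what the Zeek password logging surfaced, covering the cleartext-password detections, the one-incident-per-detection flood, and APOP above. This is an added illustration, not Endace’s or Cisco’s code: it classifies constructed POP3 transcripts as cleartext PASS, APOP or STLS, computes the RFC 1939 APOP digest using the RFC’s own worked timestamp/password/digest values, and rolls findings up per source device so the SOC sends one notification per device rather than opening an incident per login. The transcript layout and sample sessions are constructed.

```python
"""Classify POP3 logins seen on the wire and roll findings up per device.

Added illustration, not Endace or Cisco code. Transcripts are constructed;
the APOP timestamp/digest pair is the worked example from RFC 1939 section 7.
"""
import hashlib
import re
from collections import defaultdict

APOP_RE = re.compile(r"^APOP\s+(\S+)\s+([0-9a-f]{32})$", re.IGNORECASE)
BANNER_TS_RE = re.compile(r"(<[^>]+>)")  # RFC 1939 timestamp: <process-ID.clock@hostname>


def apop_digest(timestamp: str, password: str) -> str:
    """RFC 1939 APOP: digest = MD5(timestamp || shared-secret) as lowercase hex.
    The timestamp is visible to anyone who saw the banner, so a captured digest
    can be checked offline against password guesses; it is obscurity, not secrecy."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def classify_pop3_session(lines):
    """Return (category, detail) for one client/server transcript.

    Categories: 'cleartext' (PASS on the wire), 'apop' (digest on the wire,
    mailbox contents still cleartext), 'stls' (session upgraded to TLS), 'none'.
    """
    timestamp = None
    for line in lines:
        if line.startswith("+OK") and timestamp is None:
            m = BANNER_TS_RE.search(line)  # greeting banner carries the APOP timestamp
            timestamp = m.group(1) if m else None
            continue
        if line.upper().startswith("STLS"):
            return ("stls", None)
        if line.upper().startswith("PASS "):
            return ("cleartext", None)
        m = APOP_RE.match(line)
        if m:
            return ("apop", (m.group(1), timestamp, m.group(2)))
    return ("none", None)


def roll_up(sessions):
    """One record per source device instead of one incident per login.

    sessions: iterable of (src_ip, transcript_lines); constructed layout."""
    per_device = defaultdict(lambda: {"cleartext": 0, "apop": 0})
    for src_ip, lines in sessions:
        category, _ = classify_pop3_session(lines)
        if category in per_device[src_ip]:
            per_device[src_ip][category] += 1
    return {ip: counts for ip, counts in per_device.items() if any(counts.values())}


# Constructed sample sessions (src_ip, lines); timestamp/digest pair is from RFC 1939.
SESSIONS = [
    ("10.20.30.40", ["+OK POP3 ready", "USER alice", "PASS s3cret-example", "+OK Logged in"]),
    ("10.20.30.40", ["+OK POP3 ready", "USER alice", "PASS s3cret-example", "+OK Logged in"]),
    ("10.20.30.42", ["+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>",
                     "APOP mrose c4c9334bac560ecc979e58001b3e22fb", "+OK maildrop has 1 message"]),
    ("10.20.30.41", ["+OK POP3 ready", "STLS", "+OK Begin TLS negotiation"]),
]

if __name__ == "__main__":
    for ip, counts in roll_up(SESSIONS).items():
        print(f"notify owner of {ip}: {counts}")
```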

In the theme of plain text passwords, reviewing the connections associated with one of these sessions showed a large number of file downloads in the Zeek log generated on EndaceProbe. This was one of many clients that used the free conference Wi-Fi to download Windows update files, but after filtering out the .cab files in a Splunk search, we found a suspicious-looking file:

A search on this filename in SAA confirmed the presence of a malware download by this unfortunate user, whom the SOC team made every effort to identify.

There were also a few notable occasions where Secure Firewall alerts indicated intrusion attempts, which, after a pivot to EndaceVision, were pulled up in Wireshark for further analysis. One alert of note was a “BROWSER-IE Microsoft Internet Explorer Chakra.dll Array.filter type confusion attempt” indicating a malicious web server was trying to exploit a vulnerability in IE. 

A review of the PCAP showed that the target client was, in fact, running Safari on macOS.

This indicated that even if the web server was genuinely attempting the exploit, the client was not vulnerable to it and therefore no further action was required. It also highlights the value of full PCAP: packets in related sessions that don’t trigger alerts can offer valuable insight and context to security analysts, allowing rapid determinations to be made with confidence.
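The Safari-versus-IE determination above as an automated triage check, added here as an example and not Endace, Cisco or Snort code: it maps the alert’s rule-name prefix to the software the rule targets, pulls the User-Agent from the reconstructed HTTP request in the related session, and closes the alert as not applicable when the client on the wire is a different product. Only the alert name comes from the post; the prefix-to-target mapping and the request samples are assumptions, and the User-Agent classifier goes beyond the page’s single case by handling Chrome, Edge and IE11 strings that would otherwise be mis-read as Safari or missed.

```python
"""Cross-check an IDS alert's target software against the client seen in the PCAP.

Added illustration, not Endace, Cisco or Snort code. The alert name is the one
quoted in the post; the rule-prefix mapping and the HTTP requests are assumptions.
"""
import re

# Rule-name prefix -> client software the rule targets. Assumed for illustration.
ALERT_TARGET_BY_PREFIX = {
    "BROWSER-IE": "ie",
    "BROWSER-CHROME": "chrome",
    "BROWSER-FIREFOX": "firefox",
    "BROWSER-WEBKIT": "safari",
}


def browser_family(user_agent) -> str:
    """Classify a User-Agent string. Order matters: Chrome and Edge UAs also
    contain 'Safari', and IE11 identifies itself only via 'Trident', not 'MSIE'."""
    ua = user_agent or ""
    if "MSIE " in ua or "Trident/" in ua:
        return "ie"
    if "Edg/" in ua or "Edge/" in ua:
        return "edge"
    if "Firefox/" in ua:
        return "firefox"
    if "Chrome/" in ua or "CriOS/" in ua:
        return "chrome"
    if "Safari/" in ua and "Version/" in ua:
        return "safari"
    return "unknown"


def user_agent_from_request(raw_request: str):
    """Extract the User-Agent header from a reconstructed HTTP request."""
    m = re.search(r"^User-Agent:[ \t]*([^\r\n]+)", raw_request, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else None


def alert_applies(alert_name: str, raw_request: str):
    """Return (verdict, client_family).

    'not-applicable': the targeted software is not the client on the wire, so the
    attempt could not have succeeded and the alert can be closed with evidence.
    'review': the rule prefix or the User-Agent could not be mapped; an analyst looks."""
    prefix = alert_name.split(" ", 1)[0]
    target = ALERT_TARGET_BY_PREFIX.get(prefix)
    family = browser_family(user_agent_from_request(raw_request))
    if target is None or family == "unknown":
        return ("review", family)
    return ("applicable" if family == target else "not-applicable", family)


ALERT = "BROWSER-IE Microsoft Internet Explorer Chakra.dll Array.filter type confusion attempt"

# Constructed requests as they would be reconstructed from the related HTTP session.
SAFARI_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
    "(KHTML, like Gecko) Version/16.5 Safari/605.1.15\r\n\r\n"
)
IE11_REQUEST = (
    "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n\r\n"
)

if __name__ == "__main__":
    print(alert_applies(ALERT, SAFARI_REQUEST))  # ('not-applicable', 'safari')
```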

Read more about the SOC at CLUS 25 on Cisco’s Blog here:

https://blogs.cisco.com/security/cisco-live-san-diego-2025-soc

Acknowledgements

Our thanks to the Cisco team, led by Jessica Bair-Oppenheimer and Steve Fink, for the opportunity to include EndaceProbes in the Cisco Live SOC architecture. The SOC team is a collection of Cisco experts across many Cisco solutions who were a pleasure to work and innovate with. We came away with a great appreciation for the power and ease of use of the Cisco Security tools. The close collaboration meant the Endace team left with not only ideas for further integrations and workflow improvements, but also prototype integration extensions that were developed and proved out during the SOC.

To learn more about all the ways Endace integrates with Cisco, check out: https://www.endace.com/cisco.


Helping Protect Cisco Live 2025 in San Diego

Original Entry by : Michael Morris

By Michael Morris, Senior Director of Technology Alliances


Building on our collaboration in the SOC at RSAC 2025, Endace was honoured to be invited by Cisco to provide EndaceProbe packet capture and a team of threat hunters to support the Cisco Live Security Operations Center (SOC). Our primary goal was to protect the network and attendees at Cisco Live San Diego 2025; our secondary goals were to educate and innovate.

Two EndaceProbes were deployed in Cisco’s SOC-in-a-Box, continuously recording all network traffic provided over two 10G SPAN ports. We integrated with Splunk Enterprise Security and Cisco Security Cloud to deliver real-time network visibility. This enabled the SOC team to detect, locate, and address threats to attendees from external and internal sources, and helped to streamline and accelerate SOC investigation workflows.

The SOC at Cisco Live aims to protect the more than 23,000 attendees from threats on the conference network. When an attendee’s device is found to be compromised or unsecured, the SOC team makes every effort to identify, locate and help remediate the issue. The SOC team also provided public tours of the SOC to educate attendees about how the SOC is configured, the processes team members implemented, and the sorts of issues and threats that we uncovered.

Drawing on our experience at RSAC 2025 (where Endace captured 36 TB of data and 45 billion packets) we further optimized our approach for Cisco Live’s SOC.

The SOC was set up in two days, leveraging prior planning and our engineers’ experience at RSAC 2025.

At Cisco Live, Endace:

  • Captured 78.9 TB of traffic representing 99.5 billion packets
  • Reassembled more than 740,000 file objects in real time and sent 42,624 files to Splunk Attack Analyzer for further analysis
  • Detected 2,256 occurrences of cleartext passwords being used from 92 unique devices
  • Provided packet-level forensic evidence to all the SOC analysts for investigating and triaging a range of security events
  • Integrated with Cisco XDR, Splunk, Cisco Firepower IDS, Splunk Attack Analyzer, Cisco Secure Malware Analytics, and Cisco Secure Network Analytics to provide a seamless IR workflow
  • Innovated with new integrations that streamed additional metadata into Splunk, which sped up the investigation and remediation process

It was impressive to see the whole team of Cisco and Endace Engineers pivoting to the packet data to investigate an entire range of security incidents. Inspecting the packet data enabled fast decisions because the team could see exactly what was happening on the wire before, during, and after any event. As they say, PCAP or it didn’t happen!

Having complete packet data available at the SOC team’s fingertips really highlighted the incredible value of always-on packet capture; recording every packet and delivering complete, real-time visibility into threats, performance issues, and anomalous behaviour across the network.

There is an infectious energy that we get when working in a SOC environment like this, with Engineers from different teams and companies collaborating to track down threats, and share ideas on how to improve the SOC. The Endace team came away with many learnings that will improve EndaceProbe and our partner integrations.

We look forward to being a part of the SOC again at some more big upcoming events – stay tuned, details coming soon.

Read more about the SOC at CLUS 25 on Cisco’s Blog here:

https://blogs.cisco.com/security/cisco-live-san-diego-2025-soc


Endace Packet Forensics Files: Episode #61

Original Entry by : Michael Morris

In Episode 61, Michael talks to JP Bergeaux, Federal CTO at GuidePoint Security

By Michael Morris, Director of Global Business Development, Endace



In my latest episode of the Endace Packet Forensic Files, I sit down with Jean-Paul (JP) Bergeaux, Federal CTO for GuidePoint Security, to explore federal cybersecurity. Our conversation dives into the challenges, technologies, and approaches reshaping how government agencies protect their digital infrastructure.

The critical importance of certifications like FIPS 140 and NIAP becomes clear. These aren’t bureaucratic checkboxes; they’re safeguards that ensure the reliability and security of technological solutions across federal networks. JP’s insights show how these standards help maintain the integrity of government systems.

The M-21-31 directives also emerge as a game-changer. Introduced in response to the SolarWinds breach, these guidelines are transforming how agencies approach network forensics. Packet capture (PCAP) data is now considered the gold standard for threat detection, providing what JP calls “ground truth” in cybersecurity investigations. The real-world examples he shares are particularly compelling, especially cases where PCAP data reveals hidden threats.

We also tackle the challenges posed by generative AI. JP describes the “generative AI arms race”, where threat actors innovate rapidly, while government agencies must proceed with caution. It’s a balance between innovation and security that will define cybersecurity’s future.

One thing is clear from our conversation: the federal cybersecurity landscape is dynamic and demanding. Reactive security models are giving way to proactive approaches that integrate security across every layer of infrastructure.

Don’t miss this episode, in which JP shares valuable insights into the front lines of federal cybersecurity and the tools, policies, and mindsets needed to stay ahead.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Endace and Cisco in the SoC at RSAC™ 2025

Original Entry by : Endace

Endace and Cisco® are co-sponsors of the SOC at RSAC™ 2025: providing SOC services for the conference, and monitoring traffic on the Moscone wireless network for security threats.

Experts in the SOC will be running Cisco Security Cloud, with Cisco Breach Protection Suite, Cisco User Protection Suite, and Cisco Secure Firewall; with Splunk Enterprise Security as the SIEM platform. EndaceProbe will provide always-on packet capture, recording network traffic in real-time.

As a long-time member of the Cisco Security Technical Alliance, our EndaceProbe Analytics Platform integrates with Cisco Firewall, XDR, Secure Network Analytics and Splunk.

Book a Tour of the SoC at RSAC™ 2025

Tours are offered Tuesday, Wednesday and Thursday at the times listed below and advance registration is highly recommended.  An Expo Pass is all you need to join the tour.

Tour Times:

Tuesday, April 29 – 10:10am, 3:00pm and 4:30pm

Wednesday, April 30 – 10:10am, 3:00pm and 5:00pm

Thursday, May 1 – 10:10am and 1:00pm

Book a SoC Tour

Visit Endace’s Booth at RSAC™ 2025

In addition to being in the SoC, the Endace team is also exhibiting at RSAC™ 2025. Come and see us at Booth #5176, located in the North Hall.

We will be showcasing our highly-scalable, always-on packet capture solutions for private cloud, public cloud and on-prem environments. Come and find out about:

  • The value of Always-on packet capture as a definitive source of evidence
  • Why packets are a such a critical source of truth for cybersecurity and network reliability
  • How to integrate definitive packet-level network history into your SoC and NoC teams’ network security tools for faster, more accurate incident forensics.


Enter our booth raffle and you could win a pair of Apple Airpods Max headphones (two pairs to be won).

 

Don’t miss PROTECTED: The Findings Report from the SOC at RSAC™ 2025.

If you have a full Conference Pass, we encourage you to join Cary Wright, Endace VP Product, Jessica Oppenheimer, Cisco’s Director of Security Operations, and Steve Fink, CTO and CISO at Secure Yeti, as they share security observations from the SoC at RSAC™ 2025.

Every year, this is an extremely popular conference session.


Endace Packet Forensics Files: Episode #60

Original Entry by : Michael Morris

In our 60th Episode, Michael talks to James Spiteri, Director of Product Management for Security Analytics at Elastic

By Michael Morris, Director of Global Business Development, Endace



It’s my pleasure to welcome James Spiteri from Elastic for this 60th Episode of the Packet Forensics Files. It’s a great milestone to have reached, and the series continues to grow in popularity – thanks to people like James who have joined me to share their valuable expertise and advice.

In this episode James brings a wealth of experience, having worked in cybersecurity and security operations for many years. From leading SOC teams to developing advanced solutions for generative AI and machine learning, his expertise is second to none.

We dive into the evolving landscape of nation-state cybersecurity threats. According to James, these attacks are highly sophisticated, leveraging bespoke malware, supply chain compromises, and cloud infrastructure. For SIEM vendors, this means platforms must provide comprehensive visibility and support diverse data sources to detect these threats effectively. Modern techniques like entity analytics, user behavior monitoring, and generative AI are essential in addressing these challenges.

Evolving cybersecurity regulations like GDPR and DORA demand effective data management and integrity. James highlights the role of AI in simplifying these processes, from validating data to automating complex tasks like incident reporting. Additionally, integrating SIEMs with legacy systems in critical infrastructure requires creative solutions, such as monitoring network events around outdated devices, to maintain visibility.

As we look to the future, James underscores the transformative role of generative AI in cybersecurity, both as a tool for defending against attacks and a potential weapon in the hands of cybercriminals. By staying ahead of these trends and embracing innovation, SIEM vendors can ensure organizations are better equipped to tackle the sophisticated threats of tomorrow.

Don’t miss this essential conversation—tune in for expert insights on how to fortify your defenses in the face of an increasingly complex cyber landscape.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Endace Activity Challenge 2025: Pushing Limits for a Cause

Original Entry by : Steve Tsirtsonis

Following the success of the Endace Around the World Challenge, Endace is continuing its commitment to fitness, endurance, and charitable giving with a new activity challenge for 2025. This year’s event introduces an exciting new format, combining a global team challenge with an individual endurance test inspired by one of the world’s toughest rowing races.

The Endace Activity Challenge has always been about more than covering kilometres—it’s about resilience, teamwork, and a shared commitment to making a difference. Participants will engage in a variety of physical activities, from running, cycling, and rowing to skiing, swimming, and paddleboarding, tracking their progress through a digital platform.

A Challenge in Two Parts

Endace Group Challenge – A Global Journey

Building on the foundation of previous challenges, the Endace team will once again attempt to collectively circumnavigate the globe—covering 39,885 kilometres. The route includes key locations where Endace has a presence, stopping in Austin, Reading, Riyadh, Chennai, Melbourne, Auckland, Hamilton, and back to Austin.

Reinforcing its commitment to making a difference, Endace will donate NZ 50c per kilometre of each leg completed, with proceeds continuing to support the Glaucoma Foundation.

Endace Individual Challenge – Inspired by the World’s Toughest Row

Taking inspiration from HMS Oardacious Valkyries, the all-women’s team that Endace sponsored in the World’s Toughest Row, the individual challenge mirrors their remarkable Atlantic crossing, an endurance race spanning more than 3,000 miles (4,800 kilometres) from San Sebastián de La Gomera in the Canary Islands to English Harbour in Antigua and Barbuda. A true test of physical and mental resilience, this event serves as a fitting inspiration for the Endace Individual Challenge, which embodies the same spirit of perseverance.

Commitment to Community and Charity

Beyond personal and team achievements, the challenge reflects Endace’s ongoing dedication to charitable causes, with funds raised through every kilometre covered. The connection between sport, endurance, and giving back lies at the heart of this initiative, reinforcing a culture of generosity and effort.

As the challenge unfolds, regular updates will highlight collective and individual achievements, showcasing milestones along the way.

From the endurance of a lone rower crossing the Atlantic to the power of a global team working together, the Endace Activity Challenge continues to push boundaries in sport and philanthropy.


Thrills and Skills at the UKAFWSA Slopestyle Final in Méribel

Original Entry by : Steve Tsirtsonis


Last week, the UK Armed Forces Winter Sports Association (UKAFWSA) Slopestyle Final in Méribel delivered an incredible display of talent, courage, and relentless determination. Competitors from the Army, Royal Navy, and Royal Air Force took to the slopes, pushing boundaries and showcasing the true spirit of adventure and camaraderie that defines military sport.

With daring aerial tricks, perfectly executed rail transitions, and an unwavering drive to excel, athletes from all three services battled it out on the demanding slopestyle course. The Royal Air Force emerged victorious, claiming both the men’s and women’s team titles, but the road to victory was anything but easy.  The Army and Royal Navy delivered some exceptional performances and kept the competition fierce throughout the final.

The event wasn’t just about podium finishes—it was about pushing boundaries, adapting to challenging conditions, and supporting fellow teammates and competitors. Every trick, turn, and landing reflected the discipline, resilience, and teamwork that military athletes bring to every challenge on the slopes and in service.

As a proud supporter of UKAFWSA, Endace congratulates every competitor who participated. The slopestyle final showcased the very best of military winter sports, and we’re excited to see how these incredible athletes continue to push the limits of what’s possible.

Watch the video

For more about what we do at Endace and how we’re driving innovation in network visibility and security, visit www.endace.com. 


Endace 2024/25 Internship Program Wraps Up

Original Entry by : Katrina Schollum

By Katrina Schollum, HR Manager, Endace


Our 12-week summer internship program at our R&D centre in Hamilton recently wrapped up for another successful year. Four interns from different universities joined us, working on individual projects, gaining industry experience, and seeing the commercial relevance of their achievements.

Showcasing Success

The last day of the program is Presentations Day. Our interns presented the results of their projects to a live audience in Hamilton, NZ, and the presentations were also streamed live to the global Endace team.

Endace 2024/2025 Interns

Despite a few well-hidden nerves, our interns did a fantastic job—providing insight into their individual journeys, outlining the objectives of their projects, talking about some of the challenges they faced and overcame, and demonstrating the solutions they built. Each presentation concluded with suggestions from the interns on how their projects could be further enhanced to provide additional benefits to the business. There was also a live Q&A session where the interns did a great job fielding a variety of questions from the audience.

Program Highlights

It is rewarding to see the growth of our interns as they build on their technical skills in a professional setting. Endace’s Intern Program gives them invaluable insight into how a global tech business operates. It’s a great opportunity to put their university knowledge into practice, further develop their technical skills, and learn about teamwork in a collaborative environment. They also gain exposure to all areas of our business, from operations and finance to sales and marketing.

The benefits of the program flow in both directions. Each Intern is supported by a dedicated manager and mentor, who also benefits from sharing their knowledge and expertise to guide the projects and help interns transition from studying to the workplace.

“Being a mentor for the interns was a challenging but also incredibly rewarding journey. It was an honour to be allowed to help them grow from overwhelmed newcomers to developers competently progressing their project,” said Norbert Abel, our mentor from the Firmware team.

Feedback from our interns at the end of the program was very positive. Our interns were motivated by the projects’ real-world implications. They learned a lot and felt well supported in achieving their project goals.

Equipped with new skills and hands-on experience, we look forward to following our interns’ future achievements. We are proud to continue our strong tradition of working closely with tertiary education providers to ensure Endace remains an employer of choice for IT and engineering graduates in New Zealand.