Endace Packet Forensics Files: Episode #59

Original Entry by : Michael Morris

Michael talks to Matt Bromiley about the importance of packet capture in threat hunting and how AI can improve detection and response.

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

With limited network visibility and overwhelming data volumes, organizations struggle to detect and respond to advanced cyber threats.  

In this episode of the Endace Packet Forensics Files, I talk with Matt Bromiley, a veteran in threat hunting and incident response. With over a decade of experience and a role as a SANS instructor, Matt brings a wealth of practical knowledge to our discussion.

Matt highlights the importance of robust detection and response systems before beginning any threat hunt. He explains that even when a hunt doesn’t yield immediate results, the insights gained are invaluable for understanding the security landscape. Matt points out that proactive threat hunting is about deeply understanding network traffic, which offers significant advantages over more traditional reactive approaches.

During our conversation, Matt emphasised network packet data’s critical role in cybersecurity. He describes it as the “glue” that ties together various pieces of evidence, providing a comprehensive view of any potential attack. According to Matt, analyzing decrypted traffic and DNS logs is essential for uncovering hidden threats that might remain undetected.

Matt talks about the challenges of threat hunting, particularly when dealing with large volumes of packet data and navigating legal constraints. He stresses the necessity of having a skilled team and the right tools to manage these challenges effectively. He also shares his insights on the growing role of AI in threat hunting, predicting that it will increasingly help automate routine tasks, freeing up analysts to focus on more complex threats.

Matt’s expertise underscores the importance of a proactive approach, a deep understanding of network data, and the use of the right tools to stay ahead of cyber threats.

Don’t miss this insightful episode, where Matt provides actionable advice for enhancing your threat-hunting capabilities and strengthening your cybersecurity defenses.  

Follow Matt on Linkedin

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Endace Packet Forensics Files: Episode #58

Original Entry by : Michael Morris

Michael talks with Stephen Donnelly about the importance of packet capture in cloud environments.

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with Stephen Donnelly, CTO of Endace, about why packet capture is essential in cloud environments. He shared an amusing anecdote about an executive claiming, “Cloud doesn’t have packets.” While humorous, it highlights a misunderstanding of cloud technology. Even though cloud networks are more abstract, they still rely heavily on network packets, just like traditional on-premises systems.

Why Packet Capture Matters in the Cloud

There are two main reasons why packet capture is as important in the cloud as it is on-premises:

  1. Network Operations: Packet data is crucial for diagnosing and troubleshooting issues like slow network speeds, downtime, and performance problems. Without packet capture, it becomes difficult to identify and resolve network challenges, even in cloud environments.
  2. Security: Cloud environments face the same security threats as traditional networks. Packet capture plays a vital role in security operations, including detecting threats, incident response, and maintaining overall security. “DEATH” (Detection Engineering and Threat Hunting) emphasizes the need for proactive security in cloud environments.
How to Capture Packets in the Cloud

Several methods exist for capturing packets in cloud environments, each with its own advantages and challenges:

  • Port Mirroring Services: Many cloud providers offer services that allow traffic from virtual machines or containers to be captured. However, these services often come with limitations, such as performance impacts and visibility gaps.
  • Cloud Packet Brokers: These tools use software agents installed on virtual machines to capture and forward traffic. While useful, this method can consume additional CPU and network resources.
  • In-line Devices: Firewalls and routers can mirror traffic for packet capture, but cloud-based devices may not offer all the features of their physical counterparts, requiring thorough research.
Conclusion

Capturing packets in the cloud brings challenges, including performance impacts, visibility gaps, and costs. These factors should be carefully considered when developing a packet capture strategy.

The belief that packet capture isn’t needed in cloud environments is a myth, and a dangerous one. Packet capture is just as important in the cloud as it is in traditional networks. It provides the visibility and security needed to effectively manage and protect cloud environments. As more organizations move to the cloud, the need for strong packet capture solutions only increases.

Endace Packet Forensics Files Ep 58 Thumbnail

Follow Stephen on LinkedIn

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Encouraging Women in Tech

Original Entry by : Endace

For the past two years, Endace has proudly offered two Women in Tech Scholarships per year to outstanding University of Waikato students,  supporting the future of our industry by encouraging more women to pursue careers in technology.

“Endace is proud to empower young women to succeed in tech,” says Endace CEO, Stuart Wilson.  Two of our past winners (shown in the image ) have participated in our internship program and continue to contribute at Endace while pursuing their studies.  It’s inspiring to see what they’ve accomplished.

 Words from our Winners

Our scholarship recipients have shared their gratitude and experiences:

    • “I’m incredibly grateful for this scholarship. It’s amazing to see a company like Endace committed to supporting women in tech. I’m honoured to have been chosen.” – Emily (Year 1 Winner)
    • “This scholarship has significantly supported my studies, allowing me to graduate without financial worries. Endace’s initiatives are making a real difference in encouraging women to pursue degrees in technology.” – Rafeea (Year 2 Winner)

The four winners have excelled academically and are active, positive members of their student communities.

Looking Ahead

Our winners are excited about their future careers.  Rafeea is passionate about embedded systems and 3D web and VR development.  Year 2 winner, Hannah is heading to Melbourne, Australia to compete in the Formula-SAE Australasia for her honours project, saying, “Winning the Endace Woman in Tech scholarship has been a great opportunity that is allowing me to further my technical ability and life experiences.”

Year 1 scholarship winner Abbie remarked, “Support like this will go a long way to encouraging more women to enter technology.” We look forward to seeing our winners thrive in their careers and are committed to continuing our support for women in tech.

Continuing the Journey

At Endace, we’re passionate about creating opportunities and are committed to helping the next generation of women succeed in tech. We’re excited to keep supporting talented women through our scholarship program and look forward to seeing them make a real impact in the industry.

Endace Packet Forensics Files: Episode #57

Original Entry by : Michael Morris

Michael talks to Ryan Chapman about the growing complexity of ransomware – how to prepare, investigate and respond.

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

Ransomware has shifted from simple, isolated attacks to coordinated, human-operated campaigns that target entire organizations.  

In this episode of the Endace Packet Forensics FilesI talk with Ryan Chapman, SANS Instructor and expert in Digital Forensic and Incident Response (DFIR) about these evolving threats.  

Ryan explains how attackers are becoming more methodical and sophisticated, focusing on disabling EDR/XDR solutions to evade detection and leaving organizations vulnerable to advanced attacks.  

One of the key challenges Ryan highlights is visibility. Without robust logging, packet capture, and monitoring tools, it’s nearly impossible to understand how an attack happened fully. Even encrypted traffic can reveal critical patterns if analyzed properly.   

Ryan shares examples of organizations that suffered reinfections because they rushed to restore systems without identifying the original entry point. Packet capture data plays a vital role in pinpointing when and how attackers infiltrated, ensuring a safe recovery and minimizing disruption.  

As ransomware tactics evolve, adopting a Zero-Trust approach is essential. Ryan discusses how limiting permissions and avoiding overly trusting software configurations can help prevent breaches. He cites the Kaseya attack, where some organizations avoided compromise by not blindly whitelisting trusted directories. As attackers increasingly use legitimate tools, verifying all network activity and following least privilege principles are critical defenses.   

Don’t miss this insightful episode, where Ryan provides actionable advice for preparing your organization against today’s ransomware threats.  

Follow Ryan on Linkedin

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Endace Packet Forensics Files: Episode #56

Original Entry by : Michael Morris

Michael talks to Cary Wright about why security certifications such as FIPS, NIAP, and DoD APL are important across industries.

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with Cary Wright, VP, Product at Endace about the importance and impact of Federal security certifications such as FIPS, NIAP, and DoD APL  to ensure the robust security of cybersecurity tools.

Although these standards are primarily applied in Federal Government, the rigorous testing that products must undergo to be compliant is extensive.  Regardless of your industry, you can be confident that products certified to these standards are robust and have been thoroughly tested and scrutinized.

Cary explores the detailed testing procedures these certifications entail and their role in enhancing network device security. The standards are continuously updated to ensure that they continue to address new cybersecurity challenges that emerge. We discuss the relevance of these standards for Government and Defense sectors as well as how they can provide surety for large enterprises looking to improve their security measures.

Cary explains what these certifications test in order to validate cybersecurity tools’ encryption strength and overall security robustness. He also talks about the challenges and costs to manufacturers of achieving these standards, and the real-world benefits this testing delivers – such as improved protocol security.

Don’t miss this episode as Cary provides valuable insights into the impact of Federal security certifications and the critical role they play in helping ensure best practices in  cybersecurity.

Follow Cary on Linkedin

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Endace Packet Forensics Files: Episode #55

Original Entry by : Michael Morris

Michael talks to Taran Singh about network observability.

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with Taran Singh, VP, Product Management at Keysight Technologies.

Taran sheds light on how network observability differs from traditional network monitoring by consolidating data sources to provide a comprehensive view of network activity.  This is crucial when it comes to validating zero-trust architectures.  

We talk about the challenges organizations face in achieving clear network visibility amidst complex IT environments and evolving threats. Taran emphasizes the pivotal role of network visibility in incident response and investigation, particularly for thoroughly verifying network activity. He stresses the importance of historical lookback and analyzing packet-level data for incident response and cybersecurity investigations, highlighting the value of packet evidence.  

Taran also explains how scalability and historical data-analysis significantly improve cybersecurity posture. He talks about Keysight’s strategy for network visibility, emphasizing reliability and scalability tailored to the demands of sizable corporations and hybrid-cloud setups. 

Finally, Taran talks about the escalating threat landscape, discussing recent cyberattacks and ransomware incidents, and emphasizing the importance of prioritizing network security measures. By treating networks as valuable assets, leveraging enriched data, analytics, and advanced tools, and adopting proactive approaches, organizations can enhance their readiness to combat cyberthreats more effectively.  

Don’t miss this informative episode as Taran shares his invaluable insights into network observability and its critical role in modern cybersecurity practices. 

Follow Taran on Linkedin 

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Why everyone should care about FIPS 140, NIAP NDcPP, and DoDIN APL.

Original Entry by : Cary Wright

By Cary Wright, VP Product Management, Endace

Cary Wright, VP Product Management, Endace

Weak security plagues far too many of the IT products we use today. The problem is, there is no unified mandate to compel vendors to invest in security hardening their products. Vendors are free to choose how heavily to invest in security. So it’s no surprise that many vendors don’t invest heavily enough in thoroughly security hardening their products.
 
However, in many industries – such as Government, defense or critical infrastructure – the potential impact of a security vulnerability in a product is just too serious for organizations to leave it to vendors to decide how to secure their products. For this reason, organizations in many of these industries mandate that vendors must submit their products to rigorous testing and certification processes to ensure the security of their products is iron clad.
 
At Endace we found out first-hand how difficult and rigorous these standards are to comply with. The effort took us the better part of a year and significant investment in software development, testing and validation, and certification. Armor plated security is a good way to describe what these standards require. Our recent OSm 7.2.1 release includes everything we had to do to comply with these standards.
 
The good news for customers – regardless of the industry you are in – is that this rigorous testing and validation process doesn’t just benefit Government, Defense and critical infrastructure organizations. Any organization that adopts products that have passed these certification processes can be confident those products have been independently evaluated to minimize the risk of security vulnerabilities and are fit-for-purpose for deployment in high-security environments.
 
By selecting a product with DoD level security compliance you reap the benefit of millions of dollars of investment in security testing and hardening that goes way beyond standard penetration tests and security scans. The testing process for each of these certifications involves delving deep into the product – comprehensive testing, source code reviews, and independent validation that the security controls of the product are robust and well designed.
 
 

What are these standards, and what do they test?

Complying with FIPS 140-3 is the fundamental first step in certification. FIPS mandates that products must use robust and secure encryption. This is not a bolt-on. Products must implement a validated cryptography module as a central software pillar to ensure all encrypted communications meet the NIST standard for strong cryptography, including HTTPS, SSL, and SSH.
 
Just including encrypted HDDs in a system – as some vendors do to claim compliance with FIPS – is not sufficient. Every communication to and from the system must be secured with FIPS validated cryptography before the system can be FIPS certified. Independent testing confirms that products comply with the FIPS standards.
 
NIAP NDcPP 2.2e, also known as Common Criteria, is an international standard agreed by 18 nations. It builds on FIPS to define security requirements that are expected to be implemented by all network devices. It goes extremely deep to validate a product has robust security. By deep, I mean months of extensive testing, inspection, and independent code reviews, conducted and signed off by government signatories who are usually security experts in defense departments.
 
DoDIN APL stands for the US Department of Defense Information Network Approved Products List. With FIPS and NIAP certification in hand and a US DoD sponsor, a vendor’s final step is undergo product testing by a US DoD lab against DoD cybersecurity requirements. Being listed on the APL is the last big stage of a long and intensive project but it’s not the end of the story. Ongoing maintenance and revalidation ensures that a product remains secure throughout its life.

OSm 7.2.1 is released and available for download.

I am very proud of the team at Endace for having delivered a huge release with OSm 7.2.1 . This release has focused on meeting all the requirements for these intensive – but extremely valuable – security standards. And I am glad to say that every Endace customer will benefit from this huge investment in product security hardening.

Endace Packet Forensics Files: Episode #54

Original Entry by : Michael Morris

Michael talks to “Malware Jake” Williams, about the concept of Zero Trust and its implications for enhancing your security posture.

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with cybersecurity expert Jake Williams, aka ‘MalwareJake’,  IANS faculty member, former SANS educator, computer science and information security expert and U.S. Army veteran, about the concept of Zero Trust and its implications for organizations striving to enhance their security posture.

Zero Trust challenges traditional security models by advocating for a “deny all, permit by exception” approach. Jake describes it as a mindset—a philosophy focused on continuous verification and least privilege access. Despite its potential benefits, embracing Zero Trust can be challenging. Jake highlights obstacles such as defining and operationalizing Zero Trust, legacy system dependencies, and cultural shifts within organizations.

Continuous verification is crucial in Zero Trust environments. Jake provides examples of verification challenges, emphasizing the importance of network visibility and packet capture in incident response and threat detection. He emphasizes the interconnectedness of networking and cybersecurity, citing Managed File Transfer appliances, Citrix NetScalers, and SSL VPNs as examples. These network security appliances often have extensive technical depth and may harbour unpatched vulnerabilities, presenting significant risks to organizations. He predicts increased targeting of network security appliances by threat actors, underscoring the importance of Zero Trust principles and network visibility in mitigating such threats.

Jake touches on the importance of tools like Wireshark for detailed analysis but also emphasises the need to understand the role network visibility plays and how it relates to business challenges. He recommends that analysts strengthen their networking fundamentals, while SOC directors should broaden their skill set by understanding business concepts for effective communication with stakeholders.

Finally, Jake suggests that embracing Zero Trust requires a holistic approach, encompassing technical ability, organizational buy-in, and a commitment to continuous improvement. His insights on this topic serve as valuable guidance on the path to cybersecurity resilience.

Follow Malware Jake on the below links. 

 

Also watch our series of Threat Investigation webinars with SANS and Jake Williams here – https://www2.endace.com/sans-webinar-series

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.