Cisco Live Amsterdam 2026: IPv6’s Time is Finally Here, for Users and Threat Actors Alike

Original Entry by : Cary Wright

By Cary Wright, VP Product, Endace


Cary Wright, VP Product Management, Endace

Cisco Live Amsterdam 2026: IPv6 is finally here, along with the threats

At each SOC event we capture and inspect every packet from the start of the show through to its final hour, solely to protect attendees and the conference itself, and we wipe the data when the event ends. That gives us a rare opportunity to see how traffic trends and the threat landscape are changing, and every event surfaces new data worth digging into. During the week of Cisco Live EMEA we saw a milestone in the transition to IPv6.

The Internet has technically been out of IPv4 addresses for years, yet global adoption of IPv6 — the modern protocol designed to replace it — continues to climb slowly. As of late 2025, worldwide IPv6 usage sits at roughly 49%, based on Google’s traffic metrics.  While several countries have made remarkable progress, the global transition remains uneven and far behind early expectations.

Why IPv6 Matters

IPv4’s roughly 4.3 billion available addresses are nowhere near enough for today’s hyper-connected world. IPv6, in contrast, offers a 128-bit address space, about 3.4 x 10^38 possible addresses, more than enough for decades of growth. Technologies like Network Address Translation (NAT), private addressing, and CIDR have extended IPv4 far beyond its natural lifespan. These workarounds give organizations a false sense that IPv4 is still sufficient, reducing the urgency to adopt IPv6.

What we observed in Amsterdam

In the Cisco Live EMEA SOC we inspected 130 billion packets from 32,434 unique IP endpoints, counted by querying unique DHCP client IDs in Splunk. These were devices on the conference Wi-Fi and wired networks: attendee laptops and phones, and conference equipment such as demo stations, cameras, IoT devices, displays, networking gear, and any other IP-connected device.

Of this traffic, 62% of the data travelled over IPv6 and only 38% over IPv4, a tectonic shift in the move to IPv6. Perhaps that was because we were sitting just a few miles from RIPE NCC, the Regional Internet Registry for Europe, the Middle East and Central Asia; more likely it is because the world is finally ready and moving to IPv6.

Our heaviest day was Tuesday, with 25,609 devices that connected to the network.

Across all this traffic we observed 1.7 million unique IP addresses, most of which were external addresses accessed by attendees and conference devices. Those IP addresses were made up of 386,397 IPv4 addresses, and 1,339,329 IPv6 addresses.

Threat Actors — adopting IPv6 faster than anyone

In the SOC we have no shortage of data to interrogate, and querying our Splunk data showed that threat actors are now heavily favouring IPv6 to conduct attacks, hijack resources, and compromise systems. Over 99% of the malicious URLs and crypto miners we saw were reached over IPv6; just 1% of our attacks involved IPv4. Part of that is mechanics: on a dual-stack network, clients prefer IPv6 whenever a destination publishes an AAAA record, so anything reachable over both protocols shows up mostly as IPv6. The practical conclusion is the same either way, and it is a trend we all need to notice: IPv6 must be covered by the same logging, detection, and blocking as IPv4, or it becomes the path of least resistance.
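The figures above came from Splunk searches over the SOC's data. The following is an added example, not Endace or Cisco code, showing how the same three measurements (byte share by IP version, unique addresses by version, and threat-indicator hits by version) can be computed from a Zeek conn.log, the kind of metadata the EndaceProbes generate. The log lines and the indicator addresses are constructed from documentation ranges, and the column set is trimmed to the fields used; real conn.log records carry more columns, which is why the parser reads the #fields header instead of assuming positions.

```python
"""Added example: IPv4 vs IPv6 share from a Zeek conn.log (not Endace/Cisco code)."""
import ipaddress
from collections import Counter

# Constructed sample in the shape of Zeek conn.log (tab-separated), trimmed to
# the columns used here. Addresses are from documentation ranges only.
# Zeek writes "-" when a byte count is unknown, so the parser must tolerate it.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1738000000.1\tC1\t2001:db8:1::10\t51000\t2001:db8:ff::1\t443\ttcp\t1200\t88000
1738000001.2\tC2\t10.20.30.40\t51001\t192.0.2.10\t443\ttcp\t900\t40000
1738000002.3\tC3\t2001:db8:1::11\t51002\t2001:db8:ff::2\t443\ttcp\t700\t12000
1738000003.4\tC4\t10.20.30.41\t51003\t198.51.100.7\t80\ttcp\t300\t-
1738000004.5\tC5\t2001:db8:1::10\t51004\t2001:db8:bad::1\t8080\ttcp\t2500\t3000
1738000005.6\tC6\t2001:db8:1::12\t51005\t2001:db8:bad::1\t8080\ttcp\t2400\t3100
#close\t2025-02-11-10-00-00
"""

# Constructed indicator set standing in for resolved malicious-URL / miner hosts.
SAMPLE_INDICATORS = {"2001:db8:bad::1", "198.51.100.7"}


def parse_conn_log(text):
    """Return one dict per record, using the #fields header for column names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if fields is None or len(parts) != len(fields):
            continue  # malformed line: skip it rather than abort the whole run
        records.append(dict(zip(fields, parts)))
    return records


def _bytes(value):
    return 0 if value == "-" else int(value)


def ip_version(addr):
    return ipaddress.ip_address(addr).version


def bytes_by_version(records):
    """Bytes in both directions carried over IPv4 and over IPv6."""
    totals = Counter({4: 0, 6: 0})
    for r in records:
        totals[ip_version(r["id.resp_h"])] += _bytes(r["orig_bytes"]) + _bytes(r["resp_bytes"])
    return dict(totals)


def share_by_version(records):
    totals = bytes_by_version(records)
    grand = sum(totals.values()) or 1
    return {v: round(100 * n / grand, 1) for v, n in totals.items()}


def unique_addresses_by_version(records):
    seen = {4: set(), 6: set()}
    for r in records:
        for key in ("id.orig_h", "id.resp_h"):
            seen[ip_version(r[key])].add(r[key])
    return {v: len(s) for v, s in seen.items()}


def indicator_hits_by_version(records, indicators):
    """Connections whose responder matches an indicator, split by IP version."""
    hits = Counter({4: 0, 6: 0})
    for r in records:
        if r["id.resp_h"] in indicators:
            hits[ip_version(r["id.resp_h"])] += 1
    return dict(hits)


def report(conn_log_text, indicators):
    recs = parse_conn_log(conn_log_text)
    return {
        "records": len(recs),
        "bytes": bytes_by_version(recs),
        "share_pct": share_by_version(recs),
        "unique_addresses": unique_addresses_by_version(recs),
        "indicator_hits": indicator_hits_by_version(recs, indicators),
    }


if __name__ == "__main__":
    print(report(SAMPLE_CONN_LOG, SAMPLE_INDICATORS))
```

Keying the byte totals on the responder address is enough because a single connection is never mixed-version; what this does not tell you is why a destination was reached over IPv6, so pair the indicator split with DNS logs (A versus AAAA answers) before concluding that an adversary chose IPv6 rather than the client's stack choosing it.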

Splunk search of incidents at Cisco Live EMEA 2026

A Steady Shift — But an Inevitable One

Although the transition has taken decades, IPv6 momentum appears to have crossed an important threshold. With increasing digital demands, rising IPv4 costs, and rapidly expanding device ecosystems, IPv6 isn’t just beneficial — it’s essential.

The future of the Internet is unquestionably IPv6. The challenge now is how quickly the world can get there, and how well we secure it. At Cisco Live EMEA, we saw the world has taken a large and important step forward.

Acknowledgements

This important insight to IPv6 adoption would not have been possible without the great work done by the Cisco Live EMEA SOC team, led by Jessica Oppenheimer and Ivan Berlinson.

Collecting and analyzing the data was a team effort; many thanks go to the following teams:

Network Operations Center Liaisons

Cisco Security and Splunk SOC Team

Endace SOC Team

Read related Cisco Team Blogs from the Cisco Live Europe 2026 SOC: 
https://blogs.cisco.com/security/emea-soc-2026

For more Endace blogs in our SOC series, see here:
https://blog.endace.com/tag/soc/ 

Event SOC Website 
Visit Cisco’s Event SOC website for full details of the SOC setup, and download the whitepaper written by Jessica Oppenheimer:
https://www.cisco.com/site/us/en/products/security/event-soc-report.html


What We’ve Learned After Five Incredible SOC Events


By Cary Wright, VP Product, Endace



Overview

Endace has supported Cisco with continuous packet capture at 5 major SOC events over the last year. The experience protecting RSAC 2025, Cisco Live USA, Cisco Live APJC, Black Hat USA, and GovWare has been energizing, insightful, educational, exhausting, and at times stressful, but most importantly it has been invaluable learning for the Endace team.
These events have pushed us to innovate and evolve at lightning speed as we strive to protect the attendees of these major events. This blog reflects on what we have learned and how the SOC architecture has evolved and improved over the course of the year.

Diverse Dataset over 5 Major Conferences

Over the five deployments the SOC architecture was subject to a variety of traffic in North America, Asia, and Australia, with attendees representing most regions. Some interesting stats from what we saw:

Attendees: 109,500 (across the 5 conferences)

Packets captured: 204.8 TB (236 billion packets)

Unique hosts: 129,021

Sessions: 2.775 billion

Files extracted by Endace: 1,461,000

Files submitted to Splunk Attack Analyzer: 86,000

Files submitted to Secure Malware Analytics: 24,700

Password-in-the-clear events: 9,527

Devices with a password in the clear: 291

Logs sent to Splunk: 6.75 billion

DNS requests: 428 million

Encrypted traffic: 82%

Cisco Live APJC Endace Event Traffic Dashboard using Splunk

A Wide Variety of Threats

We’ve investigated and responded to a wide variety of threats, from simple passwords in the clear, to beaconing, RATs, port scanning, owned hosts, infected files, insecure applications, AI generated malicious domains, potential APTs obfuscating their C2 communications, exploits of known vulnerabilities and new novel threats.

There were also plenty of false positives to run down. With Endace continuous packet capture integrated into the Cisco security stack we could dig deep into even the most challenging threats. Recording every packet from the start of the show to its final moments gave the analysts the evidence they needed to hunt down threats of every kind; had we captured only on triggers or events, we would have missed many of the threats we found.

A great example of a threat we identified and responded to is described in Daniel Lawson’s blog: Endace Full Packet Capture finds Active Directory Credentials in Clear Text.

Cisco Live APJC Dashboards Representing Threat and SOC Status Indicators

For these cybersecurity conferences our environment needed to be more permissive than a typical enterprise network, meaning that we shouldn’t block all detected threats. Our goal was to keep attendees safe while also allowing them to learn about cybersecurity concepts and techniques. This included allowing demonstration of cyber-attack and defense techniques in controlled ways and permitting classes to train attendees where participants can practice new found skills in a sandbox environment. What isn’t tolerated, however, is for participants to use these new skills to attack each other or attack any infrastructure. If it’s illegal in the real world, it’s still illegal in the conference and must be shut down.

Different Skill Levels

The team investigating these threats was a mix of experienced and new analysts; for some it was their first time in a SOC and their first time using the full SOC tool flow. In the SOC we had a few rules:

  1. Leave your ego at the door
  2. Be curious, ask questions, and dig deep
  3. Share your knowledge and experience; everyone is an expert at something.

We had a good mix of tier 1 to tier 3 analysts and followed an escalation procedure in which only some incidents were raised to the tier 3 analysts. The goal was to handle as many incidents as possible at tier 1 and 2, leaving the tier 3 experts more time for deep threat hunting, innovation, and automating the SOC.

We typically had only 1.5 days to set up SOC operations and no more than a few hours to train everyone on the workflow and procedures, which put a premium on streamlined onboarding, integrated workflows, and automation wherever possible. Some tier 1 analysts were identifying, reporting, and blocking serious threats within their first few hours.

Day 0 Training for the SOC team after Setup

Sharing our learnings with others

Over the year we ran well over 100 tours of the SOC to share our learnings on every aspect of it: the people, process and technology in the SOC, the threats we have responded to, and the security metrics we gather. These sessions have been interactive, with great questions and feedback, and the level of interest has been extremely high.

People are curious as to what we see on the network and how we go about protecting each event. We always have something interesting – and perhaps a little frightening – to share at each event.

Innovations and Improvements to the SOC

We use these learnings to evolve the SOC architecture to help us be much more effective at these events. Many of these improvements are developed and deployed live during SOC operations. Each time we get together, it’s like an intense hackathon where new capabilities are introduced while we operate. Below is a summary of the Endace contributions to SOC innovation. There were many more that the Cisco team also added.

  1. Improved Capture Density: The first SOCs deployed 864TB of HDD storage in 8RU of rack space, which was overkill for these 7-day events. After Cisco Live USA, we retrofitted the SOC-in-a-Box with 244TB of NVMe storage in 2RU of rack space using 2 of our latest generation EndaceProbe 94C8-G5 models. Using two appliances gives us redundancy in case something fails, and provides up to 200Gbps capture bandwidth, way more than we need at these events.
  2. Real Time File Extraction and Submission with Deduplication: First deployed at RSAC and evolved at each event since, real-time file extraction uses Zeek hosted on EndaceProbe to extract files from packet data and submit them to an external sandbox such as Splunk Attack Analyzer (SAA). We have since added filtering, additional MIME types, deduplication, and robust redundancy. Deduplication was the most recent addition, at Cisco Live APJC, and it produced a dramatic reduction in the number of files submitted to SAA. See Caleb Millar’s blog for more details.
  3. Automating Mundane Tasks: We overwhelmed the Tier 1 analysts at Cisco Live USA with more password events than they could handle, so the team set out to automate. Now when credentials are detected in the clear, our automation will send an email to the affected account owner. This was a huge productivity boost to the whole SOC team who could now focus on more challenging threats and other automation tasks.
  4. New Endace Vault API and XDR integration: This new API lets us permanently archive important PCAPs and attach them to the incident Worklog for XDR users. Tier 1/2 analysts can now use packet evidence without being experts in the Endace GUI: with one click they can view the packet data and fully understand a threat.
  5. Dark Mode GUI: Every SOC analyst needs dark mode, and now it’s a feature of Endace!
  6. Splunk dashboard for Endace: First delivered at RSAC and refined and improved at every SOC event since.
  7. Endace SSO integration via Duo: At Cisco Live APJC we prototyped SSO for EndaceProbe users through Duo, using SAML. This significantly reduces the time it takes to onboard the SOC team, most of whom are new at every event.
  8. Automated Deployment: We’ve scripted more of the setup to shorten the time it takes to get up and running. It now takes just an hour or two to have all the Endace capability running at any SOC event.

Open Architecture Makes it Possible
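Item 2 above describes filtering by MIME type and deduplicating before files reach Splunk Attack Analyzer. The following is an added example of that gate, written for this page rather than taken from the Endace implementation. The file records are constructed in the shape of a Zeek files.log (fuid, mime_type, sha256, seen_bytes, tx_host), the MIME allowlist and the 50 MB upload cap are assumptions for illustration, and the edge case worth noticing is files Zeek could not hash: their sha256 field is "-", and a dedup keyed on that value would silently collapse every unhashed file into one.

```python
"""Added example: MIME filter plus SHA-256 dedup in front of a sandbox (not Endace code)."""
from dataclasses import dataclass, field

# Assumption for this example: the types worth detonating. Everything else
# (images, fonts, stylesheets) is dropped before it costs a sandbox run.
DETONATE_MIME = {
    "application/x-dosexec", "application/x-executable", "application/pdf",
    "application/zip", "application/x-7z-compressed", "application/msword",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/x-shellscript", "application/javascript",
}
MAX_BYTES = 50 * 1024 * 1024  # hypothetical sandbox upload limit
UNHASHED = "-"                # Zeek writes "-" when it could not hash the file


@dataclass(frozen=True)
class FileRecord:
    fuid: str        # Zeek file id
    mime_type: str
    sha256: str
    seen_bytes: int
    tx_host: str     # host that sent the file


@dataclass
class SubmissionQueue:
    seen_hashes: set = field(default_factory=set)
    submitted: list = field(default_factory=list)
    decisions: list = field(default_factory=list)   # (fuid, decision) in arrival order

    def consider(self, rec):
        """Decide for one extracted file; only 'submit' reaches the sandbox."""
        if rec.mime_type not in DETONATE_MIME:
            decision = "filtered"
        elif rec.sha256 == UNHASHED:
            # Never key dedup on "-": every unhashed file would collide with the first one.
            decision = "unhashed"
        elif rec.seen_bytes > MAX_BYTES:
            decision = "too_large"
        elif rec.sha256 in self.seen_hashes:
            decision = "duplicate"
        else:
            self.seen_hashes.add(rec.sha256)
            self.submitted.append(rec)
            decision = "submit"
        self.decisions.append((rec.fuid, decision))
        return decision

    def summary(self):
        counts = {}
        for _, d in self.decisions:
            counts[d] = counts.get(d, 0) + 1
        return counts


# Constructed records; the hashes are placeholders, not real file digests.
SAMPLE_FILES = [
    FileRecord("F1", "application/x-dosexec", "a" * 64, 1_200_000, "192.0.2.10"),
    FileRecord("F2", "image/png", "b" * 64, 40_000, "192.0.2.11"),
    FileRecord("F3", "application/x-dosexec", "a" * 64, 1_200_000, "192.0.2.12"),  # same binary, new flow
    FileRecord("F4", "application/pdf", UNHASHED, 90_000, "192.0.2.13"),            # hash unavailable
    FileRecord("F5", "application/zip", "c" * 64, 60 * 1024 * 1024, "192.0.2.14"),  # over the cap
    FileRecord("F6", "application/javascript", "d" * 64, 5_000, "192.0.2.15"),
    FileRecord("F7", "application/msword", "e" * 64, 300_000, "192.0.2.16"),
]


def run(records):
    """Feed records through one queue; returns the queue and per-file decisions."""
    q = SubmissionQueue()
    decisions = [q.consider(r) for r in records]
    return q, decisions


if __name__ == "__main__":
    q, decisions = run(SAMPLE_FILES)
    print(q.summary(), [r.fuid for r in q.submitted])
```

The "unhashed" and "too_large" outcomes are kept separate from "filtered" on purpose: they are the files the sandbox never sees but which an analyst may still want to pull from the packet record by hand, so they belong on a dashboard rather than in the discard pile.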

This rapid pace of innovation was only possible because of the open architecture of the Cisco products we integrated with, especially Splunk ES and Cisco XDR. They let us build new dashboards and workflows without needing help from the Cisco team: we could experiment on our own and bring new capability that we then tuned further in the SOC. The resulting architecture has proven extremely effective, and these innovations will be published for commercial customers to adopt.

Evolved SOC Architecture after 5 Major Events During 2025

Acknowledgements

Once again, our thanks go to the Cisco team led by Jessica Bair Oppenheimer for the opportunity to include EndaceProbes in the Cisco Live APJC SOC architecture. The SOC team is a collection of Cisco experts across many domains who were a pleasure to work and innovate with, and we came away with a great appreciation for the power of the Cisco Security tools. The Endace team was able to prove the integrations developed at previous SOC events and test them in earnest in a real-world environment, in preparation for making them generally available to the market.

Read related Cisco Team Blogs from the Cisco Live APJC SOC: https://blogs.cisco.com/security/cisco-live-melbourne-2025-soc

For more Endace blogs in our SOC series, see here:
https://blog.endace.com/tag/soc/ 


Network Visibility in Action: Endace and Cisco Drive SOC Defenses at RSAC 2025


By Cary Wright, VP Product Management, Endace



Uncovering insights from the 6th Annual Security Operations Center at RSA Conference

For the sixth consecutive year, a dedicated Security Operations Center (SOC) monitored the RSA Conference (RSAC) network, protecting a dynamic environment serving over 40,000 attendees.  A collaboration between Endace and Cisco (and other security partners), the SOC provided real-world insights into current threat landscapes and security challenges, and demonstrated the critical importance of comprehensive network monitoring and real-time threat detection in large-scale environments.

The 2025 SOC team consisted of:

  • 5 Endace analysts
  • 9 Cisco/Splunk analysts
  • 3 dedicated threat hunters
  • 3 managers


Network Monitoring at Unprecedented Scale

The SOC captured and analyzed an astounding volume of data flowing through the conference network:

  • 40+ billion packets captured (more than double the 19 billion from the previous year)
  • 33 TB of packet data (up from 17TB)
  • Peak bandwidth usage of 3.4 Gbps (up from 2.2 Gbps)
  • 615 million total sessions (increased from 383 million)
  • 793 million logs captured
  • 287,000 files extracted with 26,374 submitted for deeper analysis

Endace’s VP of Product Management Cary Wright explained the scope: “We tapped into the network and recorded everything—all the packets that traveled across that network—approximately 30 terabytes of data over the course of the whole conference.”

The Technical Architecture: Integration in Action

The SOC implemented a sophisticated, multi-layered security architecture centered around visibility and integration:

    1. Network Capture Layer: EndaceProbe appliances performed full packet capture, creating a complete record of all network activity.
    2. Log Generation and Analysis: The Endace systems generated metadata through tools like Zeek, which was then forwarded to Splunk and Cisco security tools for analysis.
    3. Threat Detection Systems: Cisco Secure Firewall provided intrusion detection (running in non-blocking mode to avoid disrupting vendor demonstrations while still identifying potential threats).
    4. Integration Layer: All components were interconnected, allowing analysts to pivot seamlessly from alerts directly to the relevant packet data, providing context for rapid investigation.
    5. File Analysis Pipeline: Files transmitted across the network were extracted and analyzed: 
      • 287,000+ files extracted from network traffic
      • 26,374 files sent to Splunk Attack Analyzer
      • 7,546 files forwarded to Cisco Malware Analytics for in-depth examination

Key Security Findings and Trends

The SOC’s monitoring revealed several concerning security trends:

1. Declining Encryption Levels

One surprising finding was a drop in the percentage of encrypted traffic, from approximately 80% in 2024 to 74% in 2025. This regression toward “the dark past” of unencrypted communications creates significant security vulnerabilities.

More troubling was the increase in weak encryption: the deprecated TLS 1.0 and 1.1 versions accounted for 40% of encrypted traffic, alongside the continued presence of plaintext password transmission.

2. Plaintext Passwords Continue

Though trending downward over the years, plaintext passwords remain a persistent problem, showing that the power of a strong password is nothing without an encrypted communication protocol!

      • 2020: 96,361 cleartext passwords (2,178 unique accounts)
      • 2022: 55,525 cleartext passwords (2,210 unique accounts)
      • 2023: 36,910 cleartext passwords (424 unique accounts)
      • 2024: 20,916 cleartext passwords (99 unique accounts)
      • 2025: 1,807 cleartext passwords (87 unique accounts)

3. Legacy Protocol Persistence: POP3 Refuses to Die

The SOC discovered continued use of vulnerable legacy protocols:

      • POP3 (unencrypted email retrieval)
      • Non-secured SMTP (email transmission)
      • Unencrypted IMAP

4. Advanced Threat Techniques
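The cleartext-password counts above, and the account-owner notification automation described in the five-event post earlier on this page, both depend on recognising credentials in reassembled payloads. The following is an added example, not Endace or Cisco code, of a detector for the mechanisms the legacy protocols above use: POP3 and FTP USER/PASS, IMAP LOGIN, SMTP AUTH PLAIN, and HTTP Basic. The flows are constructed; the detector reports the account and a short hash of the password so reuse can be correlated, and never writes the password itself into the finding, which matters when findings land in a shared SIEM.

```python
"""Added example: cleartext credential detector over reassembled payloads (not Endace code)."""
import base64
import binascii
import hashlib
import re

PORT_PROTO = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 143: "imap", 587: "smtp"}

# Each pattern is anchored to its own line and only allows spaces/tabs between
# tokens, so a server banner on the next line cannot bleed into a match.
BASIC_RE = re.compile(r"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*\r?$", re.I | re.M)
USERPASS_RE = re.compile(r"^USER[ \t]+(\S+)\r?$.*?^PASS[ \t]+(\S+)\r?$", re.I | re.M | re.S)
IMAP_LOGIN_RE = re.compile(
    r'^\S+[ \t]+LOGIN[ \t]+(?:"([^"]*)"|(\S+))[ \t]+(?:"([^"]*)"|(\S+))\r?$', re.I | re.M)
AUTH_PLAIN_RE = re.compile(r"^AUTH[ \t]+PLAIN[ \t]+([A-Za-z0-9+/=]+)\r?$", re.I | re.M)


def fingerprint(secret):
    """Short digest so analysts can correlate reuse without the SIEM storing the secret."""
    return hashlib.sha256(secret.encode("utf-8", "replace")).hexdigest()[:8]


def _b64(token):
    try:
        return base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None


def _credentials(payload, proto):
    """Yield (mechanism, account, password) triples found in one flow's payload."""
    for m in BASIC_RE.finditer(payload):
        raw = _b64(m.group(1))
        if raw and b":" in raw:
            user, pw = raw.decode("utf-8", "replace").split(":", 1)
            yield "http-basic", user, pw
    for m in USERPASS_RE.finditer(payload):
        yield (proto if proto in ("pop3", "ftp") else "user-pass"), m.group(1), m.group(2)
    for m in IMAP_LOGIN_RE.finditer(payload):
        yield "imap-login", m.group(1) or m.group(2), m.group(3) or m.group(4)
    for m in AUTH_PLAIN_RE.finditer(payload):
        raw = _b64(m.group(1))
        parts = raw.split(b"\x00") if raw else []
        if len(parts) == 3:  # authzid \0 authcid \0 password
            yield "smtp-auth-plain", parts[1].decode("utf-8", "replace"), parts[2].decode("utf-8", "replace")


def detect_cleartext_credentials(flows):
    """flows: iterable of (src, dst, dport, payload_text). Findings never carry the secret."""
    findings = []
    for src, dst, dport, payload in flows:
        proto = PORT_PROTO.get(dport, "unknown")
        for mech, user, pw in _credentials(payload, proto):
            findings.append({"src": src, "dst": dst, "dport": dport, "protocol": proto,
                             "mechanism": mech, "account": user, "password_fp": fingerprint(pw)})
    return findings


def accounts_to_notify(findings):
    """Unique accounts: the input to an owner-notification step."""
    return sorted({f["account"] for f in findings})


# Constructed flows (both directions reassembled), not captured traffic.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.20", 110,
     "+OK POP3 ready\r\nUSER alice@example.com\r\n+OK\r\nPASS hunter2\r\n+OK Logged in\r\n"),
    ("10.0.0.6", "192.0.2.21", 80,
     "GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic YWRtaW46c2VjcmV0MTIz\r\n\r\n"),
    ("10.0.0.7", "192.0.2.22", 143, 'a001 LOGIN bob@example.com "P@ss w0rd"\r\n'),
    ("10.0.0.8", "192.0.2.23", 587, "EHLO laptop\r\nAUTH PLAIN AGNhcm9sAGxldG1laW4=\r\n235 OK\r\n"),
    ("10.0.0.9", "192.0.2.24", 443, "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS: nothing readable
    ("10.0.0.10", "192.0.2.25", 21,
     "220 FTP\r\nUSER dave\r\n331 Password required\r\nPASS dave123\r\n230 OK\r\n"),
]


if __name__ == "__main__":
    for f in detect_cleartext_credentials(SAMPLE_FLOWS):
        print(f)
```

Port-to-protocol mapping is only a label here; the match is made on the payload, so a POP3 login on a non-standard port is still caught, and a TLS flow on port 110 produces nothing because its bytes never form these commands.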

The SOC identified several sophisticated attack techniques, including:

      • New domain generation algorithm (DGA) approaches using combinations of 2-3 random words
      • Command and control (C2) traffic
      • Cleartext transmission of sensitive data
      • Unsecured translation services transmitting text and audio in the clear
      • Exposed CCTV camera feeds
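The word-combination DGA in the first bullet above defeats character-entropy detection, because dictionary words look like ordinary labels. The following is an added example, not from the RSAC SOC, of the segmentation check a detection engineer would start from: it asks whether the registrable label decomposes entirely into two or three dictionary words, and uses an allowlist to handle the obvious false positives (legitimate brands are often two words). The word list, domains and allowlist are constructed; a real deployment would use a full dictionary and the Public Suffix List rather than assuming the second label from the right is the registrable one, and would treat the result as one feature alongside registration age and NXDOMAIN rates, not as a verdict.

```python
"""Added example: dictionary-word DGA candidate check via word segmentation (not SOC code)."""

# Constructed word list; a real deployment loads a full dictionary.
WORDLIST = {"rapid", "silver", "window", "win", "dow", "rap", "quiet", "ocean",
            "path", "face", "book", "cloud", "data", "green", "stone", "plain", "table"}
# Constructed allowlist of known-good registrable domains.
ALLOWLIST = {"facebook.com"}


def segment(label, words=WORDLIST, max_word_len=12):
    """Fewest-word split of label into dictionary words, or None if impossible.

    best[i] holds the shortest segmentation of label[:i]; trying every split point
    j < i keeps the whole thing O(n * max_word_len).
    """
    n = len(label)
    best = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        for j in range(max(0, i - max_word_len), i):
            if best[j] is not None and label[j:i] in words:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[n]


def score_domain(domain, words=WORDLIST, allowlist=ALLOWLIST):
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return {"domain": domain, "label": None, "words": None, "word_dga_candidate": False}
    # Assumption: second label from the right is the registrable one. Suffixes
    # like co.uk need the Public Suffix List; this is the simplification.
    registrable = ".".join(labels[-2:])
    label = labels[-2]
    seg = segment(label, words) if label.isalpha() else None   # digits/hyphens: not this family
    candidate = (seg is not None
                 and 2 <= len(seg) <= 3
                 and all(len(w) >= 3 for w in seg)   # two-letter fragments are noise
                 and registrable not in allowlist)
    return {"domain": domain, "label": label, "words": seg, "word_dga_candidate": candidate}


def flag_candidates(domains, **kw):
    return [r for r in (score_domain(d, **kw) for d in domains) if r["word_dga_candidate"]]


# Constructed domains: two word-DGA lookalikes, an allowlisted brand, an
# unsegmentable name, a classic random-character label, and a plain subdomain.
SAMPLE_DOMAINS = ["rapidsilverwindow.com", "mail.quietoceanpath.net", "facebook.com",
                  "github.com", "xk3q9z.com", "cloud.example.org"]


if __name__ == "__main__":
    for r in flag_candidates(SAMPLE_DOMAINS):
        print(r["domain"], r["words"])
```

The fewest-words rule matters: with "win" and "dow" both in the dictionary, "window" must still count as one word or every ordinary label would inflate to three or four and drown the signal.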

The Value of Complete Network Visibility

The collaborative SOC deployment at RSAC 2025 demonstrated the crucial role that full packet capture plays in modern security operations. By capturing and analyzing every packet traversing the network, security teams gained:

      • Complete visibility into all network communications
      • Contextual evidence for security investigations
      • Rapid response capabilities through integrated tools
      • Retrospective analysis of historical network data

The integration between Endace’s packet capture technology and Cisco’s security suite enabled a powerful workflow: alerts from security tools could be immediately investigated by pivoting directly to the relevant network traffic, dramatically reducing investigation time.

Key Takeaways for Security Teams

Based on the RSAC 2025 SOC experience, organizations should consider these best practices:

      • Deploy comprehensive network monitoring with full packet capture for complete visibility
      • Implement integrated security tools that work together seamlessly
      • Focus on encryption enforcement to protect sensitive data in transit
      • Eliminate legacy protocols that transmit data in cleartext
      • Use personal VPNs when connecting to public networks
      • Keep operating systems patched and maintain robust configuration management

The Endace and Cisco-powered SOC at RSAC 2025 demonstrated that comprehensive network visibility remains fundamental to effective security operations. As threats grow more sophisticated, the ability to see, analyze, and respond to every packet traversing the network becomes increasingly critical.

By integrating full packet capture with advanced security analytics, organizations can build security operations centers that provide both the breadth and depth of visibility needed to detect and respond to today’s most sophisticated threats.

This blog post is based on information shared during the “PROTECTED: The 6th Annual Report from the SOC at RSAC” session at RSA Conference 2025.

For more blogs in our Endace SOC series, see here:
https://blog.endace.com/tag/soc/ 


Why everyone should care about FIPS 140, NIAP NDcPP, and DoDIN APL.


By Cary Wright, VP Product Management, Endace



Weak security plagues far too many of the IT products we use today. The problem is that there is no unified mandate compelling vendors to invest in hardening their products; each vendor chooses how heavily to invest in security. So it is no surprise that many do not invest enough to harden their products thoroughly.
 
However, in many industries – such as Government, defense or critical infrastructure – the potential impact of a security vulnerability in a product is just too serious for organizations to leave it to vendors to decide how to secure their products. For this reason, organizations in many of these industries mandate that vendors must submit their products to rigorous testing and certification processes to ensure the security of their products is iron clad.
 
At Endace we found out first-hand how difficult and rigorous these standards are to comply with. The effort took us the better part of a year and significant investment in software development, testing and validation, and certification. Armor plated security is a good way to describe what these standards require. Our recent OSm 7.2.1 release includes everything we had to do to comply with these standards.
 
The good news for customers – regardless of the industry you are in – is that this rigorous testing and validation process doesn’t just benefit Government, Defense and critical infrastructure organizations. Any organization that adopts products that have passed these certification processes can be confident those products have been independently evaluated to minimize the risk of security vulnerabilities and are fit-for-purpose for deployment in high-security environments.
 
By selecting a product with DoD level security compliance you reap the benefit of millions of dollars of investment in security testing and hardening that goes way beyond standard penetration tests and security scans. The testing process for each of these certifications involves delving deep into the product – comprehensive testing, source code reviews, and independent validation that the security controls of the product are robust and well designed.
 
 

What are these standards, and what do they test?

Complying with FIPS 140-3 is the fundamental first step in certification. FIPS 140-3 is the NIST standard for cryptographic modules, and it requires products to use robust, validated cryptography. This is not a bolt-on: the validated cryptographic module must be a central pillar of the software, so that every encrypted channel the product offers, including HTTPS (TLS) and SSH, meets the NIST standard for strong cryptography.
 
Just including encrypted HDDs in a system – as some vendors do to claim compliance with FIPS – is not sufficient. Every communication to and from the system must be secured with FIPS validated cryptography before the system can be FIPS certified. Independent testing confirms that products comply with the FIPS standards.
 
NIAP NDcPP 2.2e is the collaborative Protection Profile for Network Devices, evaluated under Common Criteria, an international standard agreed by 18 nations. It builds on FIPS to define the security requirements expected of every network device, and it goes extremely deep to validate that a product’s security is robust. By deep, I mean months of extensive testing, inspection, and independent code reviews, conducted and signed off by government signatories who are usually security experts in defense departments.
 
DoDIN APL stands for the US Department of Defense Information Network Approved Products List. With FIPS and NIAP certification in hand and a US DoD sponsor, a vendor’s final step is to undergo product testing by a US DoD lab against DoD cybersecurity requirements. Being listed on the APL is the last big stage of a long and intensive project, but it is not the end of the story: ongoing maintenance and revalidation ensure that a product remains secure throughout its life.

OSm 7.2.1 is released and available for download.

I am very proud of the team at Endace for having delivered a huge release with OSm 7.2.1. This release focused on meeting all the requirements of these intensive, but extremely valuable, security standards, and I am glad to say that every Endace customer will benefit from this huge investment in product security hardening.

Combining Endace and Elastic delivers detailed visibility into real-time and historical network activity


By Cary Wright, VP Product Management, Endace



We’re pleased to announce our newest technical partnership with leading SIEM and observability platform provider Elastic. By combining EndaceProbe™ always-on hybrid cloud packet capture with Elastic™ Stack and Elastic™ Security, we provide the packet-level network visibility and detailed network metadata that security and IT teams need when responding to security threats and to network or application performance issues.

How Do We Work Together?

By combining Endace and Elastic Stack, organizations gain accurate, highly detailed visibility into both real-time and historical network activity. Security and IT analysts can search network metadata in Elastic and quickly pivot to full packet data for forensic investigations when they need to. The result is faster, more accurate incident investigation and resolution.

The combination of Elastic Stack and EndaceProbe gives cybersecurity and IT teams the ability to see exactly what’s happening on their network in real time. EndaceProbes can record weeks or months of full packet capture across hybrid cloud networks to provide a complete and accurate record of all network activity. The detailed full packet capture data recorded by EndaceProbes is a perfect complement to the rich logs and metadata collected by Elastic Stack.

When analysts need to go back in time to investigate an incident, they have a complete record of that activity at their fingertips. Beyond this, the ability to pivot from anomalies or security alerts directly to forensic examination of packet-level data lets analysts see exactly what happened, respond quickly to incidents, and dramatically reduce threat risk to their organizations.

EndaceFlow and Elastic Stack

In addition, EndaceProbe appliances can host EndaceFlow™, which generates extremely high-fidelity NetFlow data at full line rate. This NetFlow data can be ingested by Elastic Stack to provide detailed metadata for monitoring the security and performance of the network and interrogating network activity. Pre-built integration between EndaceProbes and Elastic Stack enables streamlined investigation workflows. Analysts can click on alerts in the Elastic UI to go directly to the related full packet data recorded by EndaceProbe. Analysts can quickly view traffic right down to individual packet level to see precisely what occurred before, during and after any event, with absolute certainty.

For more information about our Fusion Partner integrations, please visit www.endace.com/fusion-partners.

To see a demonstration of this Elastic Security integration in action please visit the Elastic partner page at https://www.endace.com/elastic-security.


Introducing EndaceProbe Cloud


Scalable Packet Capture for Hybrid Cloud

By Cary Wright, VP Product Management, Endace



The rapid growth of cloud vulnerabilities, hijacked cloud credentials, APTs targeting cloud, and lack of network layer visibility in cloud has made one thing clear: recorded network packet data is just as essential in the cloud as it is in physical networks. 

Enterprises know the value of our packet capture solutions, and they have told us they need the power of packets in the cloud as well. In many cases, they have moved – or plan to move – workloads to the cloud but have been hampered by an inability to gain the same visibility into activity in their public cloud infrastructure as they are used to relying on in on-premise environments.

Leveraging our 20-plus years of experience in delivering accurate, reliable packet capture for some of the world’s largest organizations, Endace developed EndaceProbe Cloud as the first truly scalable, enterprise-class solution for providing always-on packet capture in public cloud environments.

Unlike many solutions on the market, we’ve done it in a way that scales easily and delivers truly unified visibility that lets security, network and IT teams analyze packet data from across hybrid cloud and multi-cloud environments quickly and easily from a central console. 

EndaceProbe Cloud delivers packet-level visibility for public cloud that is critical for threat hunting, incident response and performance management in those environments. It operates seamlessly with EndaceProbe hardware appliances to deliver always-on packet capture across on-premise, private and public cloud infrastructure, to provide unified visibility across the entire network.

See it in Action

The demo below shows how easy it is to quickly search for packet data across a multi-cloud – AWS and Azure – environment, recreate files from packet data and drill-in to analyze the full packets. All from a single console.

EndaceProbe Cloud is a full-featured EndaceProbe, purpose-built for deployment in AWS and Microsoft Azure environments that provides the following benefits to customers in cloud and hybrid cloud environments:  

    • Continuous, zero-loss, packet capture in public and hybrid cloud environments that provides weeks or months of visibility 
    • A unified console for fast global search and analysis across on-premise, private and public cloud environments.  
    • Full visibility into North-South and East-West traffic 
    • Secure packet storage within the customers’ own virtual network or virtual private cloud (VPC). 
    • Powerful traffic analysis and investigation tools including file extraction, log generation, and hosted Wireshark™ 
    • Seamless workflow integration with an open API and strong ecosystem of third-party network and security tools (https://www.endace.com/fusion-partners) 
    • Subscription-based pricing that offers flexibility and scalability  

EndaceProbe Cloud complements Endace’s hardware appliances to provide unified and seamless visibility across the entire network.


Making Packet Forensics Easy


Extracting files and other information from recorded packet data

By Cary Wright, VP Product Management, Endace


Recorded network traffic often holds the vital clues needed to resolve serious cyber incidents or difficult network and application issues. The challenge has been finding a packet guru with the skills to search and analyse recorded traffic and extract the evidence needed to resolve the issue at hand. Such analysts are a rare breed, so we have taken that expertise and packaged it into our latest EndaceProbe software.

Recorded network traffic is now faster to search from within existing security tools such as SIEM or SOAR, and extraction of files and other important information can be done by any team member with the click of a mouse.

Getting to the Packets Faster

Our integrations with partner solutions focus on making it quicker and easier for analysts to find and analyze the packet data they need to investigate and resolve incidents.

Analysts can go from an issue or alert in their security or performance monitoring tools directly to the related packet data in InvestigationManager™ with a click of the mouse. That can save hours spent extracting, downloading and carving up massive .pcap files so they can be opened in Wireshark®.

With EndaceVision, analysts can rapidly zoom the timeline in and out to look at precursor or post-event activity and understand the full scope of any event or alert. Analysis of packet data is done on the EndaceProbe appliances where it was recorded, using hosted Wireshark, without having to download or transfer large .pcap files across your network.

Making packet data even more useful

In the past, packet analysis has required deep expertise and experience with tools like Wireshark or Zeek to extract essential information from recorded packet data. This has made it difficult for less experienced analysts to extract value from packet data, and often meant that issues requiring packet forensics piled up on the desks of senior analysts.

With our latest software release (OSm 7.1), we’ve made it easy for even junior analysts to extract useful information from recorded packet data without requiring deep knowledge of packet structures and decode tools. Simply select the traffic of interest in EndaceVision and, with a single click, extract malicious files or generate detailed log data from all the selected packets. This makes investigating historical events fast and far more efficient, and because it does not require deep expertise, even junior analysts can perform packet forensics tasks.

Some examples of tasks that are made easier with the latest Endace software release include:

  • Reconstructing malware file downloads or transfers so you can submit them to a sandbox or antivirus tool.
  • Understanding exactly what data left your network by reconstructing file exfiltration events.
  • Easily generating logs from recorded traffic to look for things like unusual DNS activity, port scans, DDoS events, or other threatening activity.

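The third task above, turning recorded packets into logs and then hunting for port scans or unusual DNS in those logs, is the kind of thing a SOC analyst would otherwise script by hand. The following is an added example and not Endace code: it works over constructed per-packet metadata records (the field layout ts, src, dst, proto, dport, qname is an assumption standing in for fields decoded from a capture), collapses them into one flow-style log line per (src, dst, proto, dport), and applies two simple detections: a source touching many distinct ports on one destination inside a short window, and DNS queries with over-long labels or an unusual number of unique subdomains under one zone.

```python
"""Derive flow logs and two simple detections from recorded packet metadata.

Added example, not Endace's own code. The records below are constructed
inline to stand in for metadata decoded from a packet capture; the tuple
layout (ts, src, dst, proto, dport, qname) is an assumption for this example.
"""
from collections import Counter, defaultdict

PACKETS = []
# Constructed: host 10.0.0.5 touches 13 distinct TCP ports on 10.0.0.20 within 0.3 s.
for i, port in enumerate(range(20, 33)):
    PACKETS.append((100.0 + i * 0.02, "10.0.0.5", "10.0.0.20", "tcp", port, None))
# Constructed: ordinary traffic, several packets to the same port form one flow.
PACKETS += [
    (101.0, "10.0.0.6", "10.0.0.20", "tcp", 443, None),
    (101.1, "10.0.0.6", "10.0.0.20", "tcp", 443, None),
    (101.2, "10.0.0.6", "10.0.0.20", "tcp", 80, None),
]
# Constructed DNS: one normal lookup, and one host sending many unique, very long labels.
PACKETS.append((102.0, "10.0.0.6", "10.0.0.53", "udp", 53, "www.example.com"))
for i in range(10):
    label = f"{i:02d}" + "a" * 50  # 52-character label; legal (limit is 63) but unusual
    PACKETS.append((102.0 + i * 0.1, "10.0.0.7", "10.0.0.53", "udp", 53,
                    f"{label}.suspicious.example"))


def flow_logs(packets):
    """Collapse packets into one log line per (src, dst, proto, dport), ordered by first sighting."""
    first_seen = {}
    counts = Counter()
    for ts, src, dst, proto, dport, _ in packets:
        key = (src, dst, proto, dport)
        first_seen.setdefault(key, ts)
        counts[key] += 1
    return [
        f"ts={first_seen[k]:.2f} src={k[0]} dst={k[1]} proto={k[2]} dport={k[3]} pkts={counts[k]}"
        for k in sorted(counts, key=lambda k: first_seen[k])
    ]


def detect_port_scans(packets, window=1.0, min_ports=10):
    """Flag (src, dst, n_ports) when one source contacts >= min_ports distinct
    destination ports on one host within `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, _proto, dport, _ in packets:
        by_pair[(src, dst)].append((ts, dport))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ports = {dport for ts, dport in events[i:] if ts - t0 <= window}
            if len(ports) >= min_ports:
                hits.append((src, dst, len(ports)))
                break  # one finding per (src, dst) pair is enough
    return hits


def detect_dns_anomalies(packets, max_label_len=40, min_unique=8):
    """Return queries with an over-long label, and (src, zone, n) where one source
    queried >= min_unique distinct names under the same two-label zone."""
    long_labels = []
    names_by_zone = defaultdict(set)
    for _ts, src, _dst, _proto, _dport, qname in packets:
        if qname is None:
            continue
        labels = qname.split(".")
        if any(len(label) > max_label_len for label in labels):
            long_labels.append((src, qname))
        zone = ".".join(labels[-2:])
        names_by_zone[(src, zone)].add(qname)
    many = [(src, zone, len(names)) for (src, zone), names in names_by_zone.items()
            if len(names) >= min_unique]
    return {"long_labels": long_labels, "many_subdomains": many}


if __name__ == "__main__":
    for line in flow_logs(PACKETS):
        print(line)
    print("port scans:", detect_port_scans(PACKETS))
    print("dns:", detect_dns_anomalies(PACKETS))
```

The thresholds (window, minimum port count, label length, unique-name count) are illustrative; in practice they are tuned against a baseline of the monitored network, and the flow lines would be exported to the SIEM rather than printed.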
See how easy this is in the short 10-minute demonstration below (file extraction is at 08:15):

For more information on these great new features, or to arrange a demonstration to show how Endace could help you, contact us.


Multi-Tenancy introduced with OSm 7.1

Original Entry by: Cary Wright

Securely sharing packet capture infrastructure across multiple entities

By Cary Wright, VP Product Management, Endace


Cary Wright, VP Product Management, Endace

We are proud to announce that EndaceProbe now supports Multi-Tenancy. “Woo-hoo!” I hear you say. If you are an MSSP, MDR, Service Provider, or organisation with multiple departments, your SOC teams can now reap the benefits of having access to weeks or months of continuously recorded network traffic whilst sharing costs with many other like-minded SOC teams. Let’s dig into what Multi-Tenancy is and why it’s important.

At the most basic level, Multi-Tenancy is the ability to host multiple “entities” (e.g. multiple customers or multiple organizational divisions) on a single architecture at the same time. To put it another way, Multi-Tenancy offers a way to share the costs of a system or service across more than one entity. Multi-tenancy can mean different things depending on your domain of expertise:

  • Cloud providers are inherently multi-tenanted, serving millions of clients with shared compute.
  • Operating systems often host multiple tenants on a single machine.
  • Networks can supply connectivity to multiple teams or organizations via a single infrastructure.

All these scenarios have these necessary requirements in common:

  1. Each tenant’s data must remain private and accessible to only that authorized tenant, and
  2. Each tenant needs access to reliable, predictable, or contracted resources – such as bandwidth, compute, storage, security services, expertise, etc.

Multi-tenancy can help organizations to scale critical security services in a cost-efficient manner. A capable security architecture or service requires a significant investment in capability, plus the expertise to operate it. Sharing that investment makes the service available to organizations that might otherwise not have been able to afford it.

A good example of where Multi-Tenancy can be extremely useful is the Security Operations Center (SOC). Typically, only large, well-funded organisations have the resources to build their own dedicated SOC. Multi-tenancy can enable multiple organizations to share a SOC, each benefiting from a strengthened security posture without carrying the full burden of the costs and effort involved.

This is the model underpinning outsourced MSSP services, for example. But it can also be an ideal model for larger organizations with multiple divisions that each need to maintain separation from each other. Or where multiple individual companies are owned by a common parent. It can also be a useful way to safely isolate a newly acquired company until its systems can be safely migrated or transferred over to the new owner’s infrastructure.

We see lots of areas where organizations are benefiting from this ability to share infrastructure and services. So we are very pleased to announce that with the new OSm 7.1 software release, the EndaceProbe Analytics Platform now also supports Multi-Tenancy for network recording.

This is especially useful where multiple tenants share the same network. A single EndaceProbe, or a fabric of EndaceProbes, can now be securely shared across multiple different organisations or tenants, while keeping the data for each tenant secure and private. EndaceProbes continuously record all network data on the shared network, but only provide each tenant with access to their own data.

In this case the tenancies are defined by VLANs, where each tenant has a VLAN, or set of VLANs, that carries only their traffic. When a user needs to investigate a security threat in their tenancy, they simply log into InvestigationManager to search, inspect, and analyse only the traffic that belongs to that tenancy. It’s as if each tenant has its own, wholly separate, EndaceFabric, dedicated just to its own tenancy.
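The isolation rule described above, where a tenancy is a set of VLANs and a tenant can only ever see frames carrying one of its own VLAN tags, can be expressed in a few lines. The following is an added example, not Endace code and not how EndaceProbe implements the feature internally: it constructs sample 802.1Q-tagged Ethernet frames, reads the 12-bit VLAN id from the tag control field, and enforces a tenant-to-VLAN map with deny-by-default semantics (untagged frames and VLANs not assigned to anyone are invisible to every tenant). The tenant names and VLAN numbers are made up for the example.

```python
"""VLAN-based tenant isolation over recorded Ethernet frames.

Added example, not Endace's own code. Frames, tenant names and VLAN
assignments below are constructed for illustration.
"""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Constructed tenant map: each VLAN belongs to at most one tenant.
TENANT_VLANS = {
    "tenant-a": {100, 101},
    "tenant-b": {200},
}


def build_frame(vlan_id, payload, src=b"\x02\x00\x00\x00\x00\x01",
                dst=b"\x02\x00\x00\x00\x00\x02"):
    """Construct an 802.1Q-tagged frame (sample data only). TCI = PCP(3) | DEI(1) | VID(12)."""
    tci = vlan_id & 0x0FFF  # PCP and DEI left at 0
    return dst + src + struct.pack("!HHH", ETHERTYPE_8021Q, tci, ETHERTYPE_IPV4) + payload


def build_untagged_frame(payload, src=b"\x02\x00\x00\x00\x00\x01",
                         dst=b"\x02\x00\x00\x00\x00\x02"):
    """Construct a plain (untagged) Ethernet II frame (sample data only)."""
    return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload


def vlan_of(frame):
    """Return the VLAN id of a tagged frame, or None if the frame is untagged or too short."""
    if len(frame) < 18:  # 14-byte header + 4-byte 802.1Q tag
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


def validate_tenant_map(tenant_vlans):
    """Reject a map that assigns one VLAN to two tenants; that would leak traffic."""
    owner = {}
    for tenant, vlans in tenant_vlans.items():
        for vid in vlans:
            if vid in owner and owner[vid] != tenant:
                raise ValueError(f"VLAN {vid} assigned to both {owner[vid]} and {tenant}")
            owner[vid] = tenant
    return True


def visible_frames(tenant, frames, tenant_vlans=TENANT_VLANS):
    """Return only frames whose VLAN is assigned to `tenant` (deny by default)."""
    allowed = tenant_vlans.get(tenant, set())
    return [f for f in frames if vlan_of(f) in allowed]


# Constructed capture: two tenants, one unassigned VLAN, one untagged frame.
FRAMES = [
    build_frame(100, b"A1"),
    build_frame(101, b"A2"),
    build_frame(200, b"B1"),
    build_frame(300, b"nobody"),
    build_untagged_frame(b"untagged"),
]

if __name__ == "__main__":
    validate_tenant_map(TENANT_VLANS)
    for tenant in ("tenant-a", "tenant-b", "tenant-c"):
        print(tenant, [vlan_of(f) for f in visible_frames(tenant, FRAMES)])
```

The check in validate_tenant_map is the one worth carrying into any real deployment: the isolation guarantee only holds while the VLAN-to-tenant assignment is disjoint, so the map should be validated whenever it changes, not just when the probe starts.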

This new capability is important for large organisations that service multiple departments, agencies, or divisions. Service providers, MSSPs, and MDRs that service multiple clients will also benefit from Multi-Tenancy, giving each of their clients ready access to its own recorded network traffic for fast, secure, and private security incident response.

We are very excited that this new Multi-Tenancy feature can help make Network Recording accessible for many more organizations, helping them to resolve incidents faster and with greater confidence.

For more information on this great new feature, or to arrange a demonstration to show how Endace could help you, contact us.