Digital Performance in Las Vegas: What to Expect from Dynatrace Perform 2018

Original Entry by : Mark Evans

We’re excited to be returning to Dynatrace Perform this year and will be showcasing our products in the exhibition hall. The show runs from Monday 29th to Wednesday 31st January, and we are a gold sponsor again this year.

Our partner, Dynatrace, is expecting more than 3,000 digital performance experts from across the globe to gather at The Bellagio in Las Vegas – yes that’s the hotel with the famous fountain!

At Perform, attendees will find out what’s new and learn about the latest trends in digital performance management.

The three days will feature a combination of training classes, live speaker sessions and keynotes on a diverse range of topics, including:

  • Artificial intelligence and the Internet of Things
  • Cloud innovation and automation
  • Container and microservices monitoring
  • DevOps best practices and digital experiences
  • Unified enterprise monitoring

We really enjoyed last year’s event, where we had a lot of interest from DC RUM users wanting to hear about how EndaceProbes can be used to provide back-in-time analysis of historical performance. This is something that can be accomplished using the Playback function of EndaceProbes – and provides a powerful tool for investigating issues that may have been missed, or unreported when they initially occurred.

This year, we are looking forward to attending some of the sessions by speakers from leading global organizations, such as Microsoft, PayPal, Virgin Money, and Mastercard, to name a few.

If you’re attending Dynatrace Perform this year, stop by and meet the Endace team. We’ll be on-hand showing how Dynatrace’s Agentless Monitoring Device (AMD) can be hosted on EndaceProbe’s in Application Dock, and how by clicking on an alert in the Dynatrace Central Analysis Server (CAS), the packets relating to the alert can instantly be retrieved from EndaceProbes for analysis using Dynatrace Network Analyser (DNA) or Wireshark.

We’ll also be demonstrating how, together, EndaceProbes and Dynatrace’s DC RUM (Data Centre Real User Monitoring) streamline real-time application performance investigations and provide definitive evidence for troubleshooting network and application performance problems. And how EndaceProbes can also host, and integrate with, other analytics applications such as network security or performance monitoring tools.

We look forward to meeting you at Perform and explaining more about how Endace’s technology delivers a unique advantage to DevOps, NetOps, IT Operations and SecOps teams responsible for ensuring the performance, reliability, and security of applications.


Sharkfest Europe 2017: A week at Wireshark

Original Entry by : Mark Evans

It was an interesting week at SharkFest Europe 2017 this month. The Annual Sharkfest conference ran from 7th-10th November at the rather comfortable Palacio Estoril in Estoril, Portugal. Endace was there and our CTO, Dr. Stephen Donnelly, presented a session on packet capture meta-data.

This was the second Wireshark Europe event and was very well attended, attracting attendees from more than 30 countries. Congratulations to Janice and the team for an excellent event – and we look forward to hearing more about the inaugural Wireshark Asia in due course.

Stephen’s presentation, ‘Augmenting Packet Capture with Contextual Meta-Data: the What, Why & How’, was well received by the audience.

For those who couldn’t make SharkFest, here is a video of the presentation (if you’d like a copy of the full presentation please let us know)

Stephen outlined the importance of retaining context for packet capture files by pointing out that the oft-use line “Packets Don’t Lie” isn’t true if:

  • You don’t know where they came from
  • You don’t know if there was packet loss
  • You don’t know if they’ve been filtered
  • You don’t know if the time stamps are right

This becomes even important in environments where packet capture is happening in multiple places across a distributed network. Understanding where the packets came from, and what the state of the environment was like at the time, is crucial if you are to draw solid conclusions from examining the packet trace file.

The role of metadata, Stephen argues, is to provide this context. He went on to talk about some of the different types of packet capture metadata and what it can be useful for, outlining three main categories of metadata:

  • Static metadata: data about things that do not change over time, such as the host name of the system that captured the packets, the speed of the link and so on.
  • Dynamic metadata: data about environmental conditions that change over time – such as optical power levels or timing accuracy.
  • Post-capture metadata: data such as user comments, flow information, statistics and annotations from analytics applications that process the captured packet data.

Stephen took a deep dive into three common formats for packet trace files – pcap, pcagng (now the default format in Wireshark) and Provenance™ and approach to writing metadata used in Endace’s Extensible Record Format (ERF) (which is also compatible with Wireshark). The presentation looked at what each offers in terms of  recording packet capture metadata and how they go about associating it with packet trace files.

Provenance uses a different approach to writing metadata into packet capture files from either pcap or pcap ng. Provenace is designed to be able to record changing (dynamic data) that may change during the course of a packet capture. It works by writing a Provenance record into the ERF capture file once every second, as the diagram below shows.

Provenance metadata records written into an ERF format packet capture stream
Provenance metadata records written into an ERF format packet capture stream

One of the use cases for this is recording the accuracy of time stamping information over the course of a packet capture of high-frequency trade data. Under new MiFID 2 regulations which come into force in 2018, traders must record every trade and be able to demonstrate that the recorded trade data is timestamped accurately to a time-source that is synchronized to UTC with a maximum divergence of less than 100 microseconds. Provenance provides an easy way for them to record compliance with this regulatory obligation.

If you have an interesting use case for packet capture metadata (particularly post-capture metadata use cases), we’d love to hear more. Let us know. We see this as a fascinating area for further development.

SharkFest was an excellent opportunity for the Endace team to meet like-minded members of the Wireshark global community, including the original creator of the Wireshark Core Developers, Gerald Combs, and to share knowledge of the best practices in packet analysis.

We’re looking forward to seeing how SharkFest continues to grow in scale and influence, with three SharkFest events taking place in 2018, including the first-ever SharkFest Asia in Singapore.


10th Anniversary SharkFest in Pittsburgh a great success

Original Entry by : Mark Evans

Last week saw the 10th Annual SharkFest conference held in Pittsburgh at Carnegie Mellon University.

SharkFest is a conference for developers and users of the open-source Wireshark application, and draws a varied audience including people from NetOps, SecOps, Telcos, Government, industrial plant operators and manufacturers as well as vendors.

One of the real strengths of SharkFest is that it’s not too big. While large enough to attract Wireshark users and developers from around the world, SharkFest still remains intimate enough for the attendees to have plenty of opportunity to engage with Wireshark’s creator and lead developer, Gerald Combs, and core Wireshark developers and to have input into the future direction of Wireshark.

Amongst all attendees there was general recognition of the growing importance of packet history in providing ground truth for investigating security events and troubleshooting network problems. There was also recognition of the growing importance of continuous – as opposed to ad-hoc – packet capture in providing evidence for security investigations, and a number of presentations referenced the challenges of multi-point packet capture.

Endace CTO, Dr Stephen Donnelly, spoke about augmenting packet capture with contextual metadata – which becomes especially critical when implementing multi-point continuous packet capture solutions. Metadata allows packet history to be self-describing, so its context can be carried along with the data wherever that data may be consumed. Stephen’s SharkFest presentation is online and can be viewed below.

SharkFest is always a very interesting and valuable conference. It is a great opportunity to be part of helping to shape what has become an incredibly important tool for our industry.

Endace was very pleased to be a sponsor at SharkFest 2017, and we’re looking forward to SharkFest Europe later in the year too. Thanks to the SharkFest team (and the fantastic Janice Spampinato) for all your help. Great job!

 

 


London’s magnificent Olympia plays host to Infosecurity Europe 2017

Original Entry by : Mark Evans

More than 18,000 Cybersecurity professionals from around the world gathered last week for the Infosecurity Europe 2017 at London’s magnificent Olympia.

Infosecurity Europe is one of Europe’s pre-eminent shows. It’s always an exciting event, and this year was no exception.

This year’s theme was entitled “Cybersecurity at the Speed of Business”  and there was an evident buzz in the air. The Endace team were kept busy on the stand for the entire three days with lots of visitors keen to talk about how to integrate network history with their security tools.

The conference featured keynote addresses from Dame Stella Rimington, the first female director of MI5, media personality and broadcaster Barry Paxman, and Lord Sebastian Coe, as well as presentations from more than 200 other speakers.

It was a great show, and we look forward over the next few weeks to catching up with everyone we met. It was great to catch up with the team from Plixer too. Infosecurity 2018 looks like it’ll be even bigger and better, and we’re already locking in a spot for next year.


Congratulations to the Hitech Awards Finalists for 2017

Original Entry by : Mark Evans

Well it’s official, the finalists for the 2017 New Zealand Hitech Awards have been announced. It was another record breaking year, with almost a third more entries than last year, and a great selection of both established and new companies amongst the finalists.

Attendees at the New Zealand Hitech Awards 2017 Finalist Announcement event in Auckland

Endace is proud to be a sponsor of the 2017 Hitech Awards, and we would like to congratulate all this year’s finalists and, in particular, the finalists in the Endace Innovative Hi-Tech Hardware Product category, a category obviously very dear to our heart!

NZ Hitech Awards Finalist event in Auckland
Attendees await the start of the announcements

So congratulations to Adherium, DARC Technologies, EROAD and Shotover Camera Systems. It’s a fantastic achievement to be a finalist amongst such strong competition. Well done for making the finals and we wish you the very best of luck.


How to protect against nation state attackers

Original Entry by : Mark Evans

“One of my worst nightmares [as an attacker] is that out-of-band network tap that really is capturing all the data, understanding anomalous behaviour going on. And someone’s paying attention to it.”
Rob Joyce, NSA: “Disrupting Nation State Attackers, Jan 2016” (22:10)

It’s great to see the efficacy of packet capture and network recording acknowledged by such an eminent cybersecurity Tsar as Rob Joyce.

If you haven’t already seen his video presentation on Disrupting Nation State Attackers, it’s well worth a watch. Before being shoulder-tapped to take up his new role as a cybersecurity advisor to Trump’s National Security Council, Joyce headed up the Tailored Access Operations division of the NSA.

The NSA’s TAO division is responsible for “providing tools and expertise in computer network exploitation to deliver foreign intelligence.” In other words, it is responsible for finding, and taking advantage of, the very network vulnerabilities that we’re all trying to protect against.

In his presentation at the Usenix Enigma conference last year, Joyce outlined key steps organizations can take to protect themselves against the sort of sophisticated techniques employed by Nation State attackers and criminal elements looking to attack your network.

Much of his advice is practical common sense. Know everything on your network, understand it, and update and patch everything. We all know this is critical, but all too often it doesn’t happen. Take patching for example. Joyce says that, in his experience, many organizations undertake security audits to identify known vulnerabilities, but frequently have still not fixed those vulnerabilities by the time the next audit rolls around months later.

Joyce also explodes a common myth – that sophisticated intruders rely on zero day threats. In fact, he says, zero day threats are far from being biggest danger to corporate networks. For any large network, he says:

Persistence and focus will get you in and achieve that exploitation without the zero days. There’s so many vectors that are easier, less risky and quite often more productive.

The cause of most intrusions, says Joyce, come down to one of things (the “Big Three”):

  • Email:  “a user clicked on something they shouldn’t have”
  • Malicious websites“they’ve gotten to a malicious website … and it’s either executed or they’ve run content from that website.”
  • Removable media – “where a user inserted contaminated media“. [As an aside, someone once told me the easiest way to get malware into an organization is to load it on a USB stick labelled “Payroll”, drop it in the carpark and leave the rest to curiosity!].

Joyce outlines the importance of making sure that sources of information about activity on the network – such as log files or network packet captures – are actually being monitored. “You’d be amazed at incident response teams that go in and there’s been some tremendous breach .. Yep, there it is right there in the logs.”

But perhaps the best piece of strategic advice he offers is this:

“Consider that you’re already penetrated. Do you have the means and methods to understand if somebody’s inside your network?”

That change in focus is important. Statistics show intrusions are becoming increasingly commonplace. Once organizations move from “we need to make sure we’re not penetrated” to “maybe we already are penetrated” they start to understand what tools, skills and processes they need to put in place to identify intrusions and stop an initial penetration from going on to become a more serious data breach. Or, if they have already been breached, what do they need to make sure they can identify how it happened and what was compromised?

Joyce’s presentation is a salient reminder that ensuring the basics of network security hygiene is critical. And that the battle to defend against attackers is an ongoing one. As fast as you tighten up your security, new vulnerabilities emerge that put you at risk.

Take a look at the video. You’ll find it’s 30 minutes of your time very well spent!

Cybersecurity Resources

Some of the useful resources that Joyce discusses and recommends are listed below

NOTE: The two links to the IAD site above require installing the DoD Root CA Certificates to avoid getting an “untrusted website” notification. More information here.


Australian Cyber Security Conference 2017

Original Entry by : Mark Evans

It’s a busy time for the Endace Australia team. Fresh back from exhibiting at the Australian Cyber Security Conference in Canberra last week, the team is off to Blackhat Asia in Singapore next week (March 28-21). We’ll report back on that event in due course.

The ACSC conference was very lively, with more than 1600 attendees descending on Canberra for the week.

We had a number of very interesting conversations with attendees from both government and commercial organizations. It was clear from many of these conversations that organizations are increasingly looking to packet capture and network recording as a crucial component of their cybersecurity toolset. Either they’re already doing some level of packet capture (often ad-hoc) and they’re interested in extending that capability. Or they’ve recognised the need for complete packet capture and are actively looking to include it as part of their cybersecurity arsenal.


This is great to hear. Our customers have recognised for a long time that packet-data is an unparalleled resource for cybersecurity investigations and it’s clear the wider market is moving in that direction too.

One of the common themes attendees talked about was how the proliferation in the number of security tools is making it difficult for them to get a coherent, single view of threats and activity on the network. We agree, and we talked with many attendees about the need for better integration between security solutions.

Many were interested to hear that our EndaceProbe Network Recorders can integrate with the tools that they are already using – such as Cisco’s Firepower NG IPS, Plixer’s Scrutinizer and Splunk. This integration lets analysts jump directly from alerts in those tools to examine the underlying packet-level network history and see exactly what has taken place. This makes for streamlined investigations, and helps analysts to eliminate false positives, and identify, prioritize and respond to the real threats more quickly.

ACSC 2017 was a great conference, and we look forward to coming back to be part of ACSC 2018. Thanks to the ACSC team for making it a very successful event!


Endace opens new Australian office

Original Entry by : Mark Evans
Endace Australia Team
Endace Australia Team: from left to right Michael Barnett, Anthony Adamo, Lisa Ardern and Peter Watt

Well it’s official. Our new Australian office in Hawthorne in Melbourne is open. An official opening was held on Friday, March 10th.

Thank-you to all the customers who attended our housewarming soirée, it was fun!

If you weren’t able to make it to the opening party, do drop in and see us and have a look at our new space.