Endace Achieves Cisco Solution Plus Partner Status

Original Entry by: Michael Morris

By Michael Morris, Senior Director of Global Business Development, Endace



I am excited to share that Endace has just achieved an amazing milestone. On March 17, 2026, Endace achieved Cisco Solution Plus Partner status.

This means our EndaceProbe™ Analytics Platform is now available on the Cisco Global Price List (GPL) and can be sold by Cisco sales teams and channel partners as a Cisco SKU (initially for USA-based customers only).

Solutions that are part of the Solution Plus Partner Program achieve that partnership level through strong sponsorship by a Cisco Business Unit that sees value in complementing Cisco’s solution offerings.

Endace’s tight integration with Cisco Security solutions, including Cisco Secure Network Analytics, Cisco Secure Firewall, and Cisco XDR, as well as Splunk Enterprise Security and Splunk SOAR, makes Endace an extremely complementary solution for recording critical network forensic evidence for security and network teams.

Endace’s industry-leading platform – EndaceProbe – provides Always-On, full packet capture across on-prem, virtual, and cloud-native environments. With the ability to access and analyze recorded packet data quickly from a single pane of glass, and full API integration with a wide range of security and performance monitoring solutions, EndaceProbes make recording and using packet data easy for SOC, NOC and IT teams. The EndaceProbe platform’s scalability, performance, high-speed search and open architecture ensure customers can reliably record critical network evidence. Fast access to full packet data can be integrated directly into any SIEM, Firewall, NDR/XDR, SOAR or NPM solution, putting forensic evidence at analysts’ fingertips for incident investigation and threat hunting. Analysts can go directly from indicators of compromise to absolute network evidence with a single click.

Cisco selecting Endace as a complementary packet capture solution validates Endace as the BEST-IN-CLASS packet capture solution in network security.

The Cisco Solution Plus listing is a testament to the scalability, reliability and usability of the EndaceProbe platform, and to the resiliency we’ve built into our solution by achieving compliance with military-grade security standards such as FIPS 140-3, NIAP NDcPP, and US DOD APL.

Our goal is to ensure that customers have the ultimate network forensic evidence at their fingertips. Integrating this capability into Cisco Security and Splunk solutions enables SOC and NOC teams to quickly and accurately detect, investigate and remediate cyber threats and performance issues.

These integrations have been honed by real-life, hands-on, experience with our Engineers working alongside the Cisco and Splunk teams in SOCs at major events such as Cisco Live, RSAC, Black Hat and others.

This “in-the-field” experience has driven numerous product innovations for Endace, Cisco and Splunk, which ultimately benefits all customers. Our gratitude goes out to Jessica (Bair) Oppenheimer, Director SOC Integrations – Splunk Security, who worked with us to incorporate Endace packet capture as a fundamental component of Cisco’s SOC-in-a-Box architecture.

We are also grateful to be working with the amazing Cisco Solution Plus team, who see the value in Endace and have worked diligently to add EndaceProbe solutions to the Cisco SP+ portfolio.

Our team is excited and energised to help the Cisco and Splunk teams solve our customers’ toughest security challenges and protect some of the largest, most critical networks on the planet.

PCAP or It Didn’t Happen!

Please reach out to sales.cisco@endace.com or your Cisco Sales Rep for more information.

 


Episode #65 Andrew Cook from Recon Infosec discusses Incident Response and Threat Hunting

Original Entry by: Michael Morris

In the Packet Forensic Files, Episode 65, Michael talks to Andrew Cook, CTO at Recon InfoSec and host of the Thursday Defensive Webcast.

By Michael Morris, Senior Director of Global Business Development, Endace



The Increasing Complexity of Incident Response and Threat Hunting

In this episode of The Packet Forensic Files, I’m joined by Andrew Cook, CTO of Recon InfoSec – an Air Force cybersecurity veteran and seasoned DFIR expert – to discuss what it really takes to investigate and respond to today’s most complex cyber incidents.

Drawing from his years of frontline experience handling major breaches and ransomware events, Andrew shares how real-world incidents have reshaped his investigative mindset. One area he starts with is the “human impact” of working through a security incident. Cyber breaches have impacts on people: guilt for the person who clicked on that phishing email, and anxiety and stress for the people trying to quickly defend, investigate, and remediate a breach to get their company back online. Their experiences are not unlike those of crime victims on the street, or of first responders facing high-pressure situations.

We walked through Andrew’s incident response workflow, focusing on the steps he considers most critical when time, clarity, and confidence are most important. He talks about the importance of “timelining” to accurately build a timeline of evidence, events, and data to fully understand the breadth and depth of a breach.

Andrew shares some of his tools of choice for incident response investigations when he doesn’t have the luxury of his company’s full security stack. He gives examples of how packet data, when combined with endpoint logs, SIEM alerts, and threat intelligence, enables investigators to build a far more complete and defensible picture of incidents. Packet-level visibility, in particular, remains a cornerstone of high-fidelity investigations—often revealing attacker behavior, lateral movement, or data exfiltration activity that traditional logs and other telemetry may miss.

We also explored how different types of incidents should be prioritized and categorized to ensure the right resources are applied at the right time. Andrew highlighted the need for clear decision-making frameworks that balance technical severity, business impact, and regulatory considerations. He also talks through the idea of starting from the potential risks and working backward from each outcome to what would be needed to prevent or solve that problem, as you build and design your SOC architecture.

Looking ahead, Andrew shares his perspective on emerging trends shaping digital forensics and incident response, including the increasing sophistication of adversaries, growing data volumes, and how leveraging AI can help SOC analysts make sense of the complexity. Ensuring forensic rigor while meeting regulatory and legal requirements remains a non-negotiable aspect of modern DFIR work.

Finally, Andrew shares what he thinks is key to look out for over the next 6–18 months: attackers using AI assistance to leverage threat vectors – for example, application extensions – that drive data loss, and AI plugins with access to sensitive data being leveraged through prompt injection and PowerShell programs to compromise environments. The sophistication of threat actors, with the help of AI, is only getting more advanced.

[Video: PFF Ep 65 Andrew Cook, Recon Infosec]

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Episode #64 with Steve Fink talking about building next-Gen SOCs with AI, automation, and resilience

Original Entry by: Michael Morris

In the Packet Forensic Files, Episode 64, Michael talks to Steve “Fink” Fink, CTO and CISO at Secure Yeti.

By Michael Morris, Director of Global Business Development, Endace



Building Next-Gen SOCs with AI, Automation, and Resilience

In this episode of The Packet Forensic Files, I’m joined by Steve “Fink” Fink, CTO and CISO at Secure Yeti, and the mastermind behind the Security Operations Centers (SOCs) and Network Operations Centers (NOCs) that power some of the biggest cybersecurity events in the world, including Black Hat, RSA Conference, and Cisco Live.

With more than 26 years in cybersecurity, beginning with pen-testing the FBI, Fink has built and operated some of the most complex SOCs in the world. He shared his insights into what it takes to design resilient, scalable, and future-ready security environments.

It All Starts with the Packets

Fink believes that true visibility begins at the packet level:

“If you don’t have the context of your network, it’s almost impossible to conduct a valid investigation or build an effective response plan.”

By combining full packet capture with contextual data and up-to-date asset inventories, analysts gain the visibility necessary to detect and respond in real-time.

Automation, AI, and Resilience

At Secure Yeti, Fink has automated nearly every SOC function up to Tier 4 using agentic AI, handling over 97% of the workload. This automation enables scalability, consistency, and around-the-clock response, freeing human analysts to focus on higher-level investigations.

Resilience is also a core design principle. Fink ensures redundancy at every level, emphasizing that even if one component fails, “the whole thing shouldn’t descend into chaos.”

Collaboration and Interoperability

At events like Black Hat and RSA, Fink brings together traditionally competing vendors, from firewalls and SIEMs to XDR and packet capture platforms, to collaborate within a single SOC. That cooperation, he says, fuels product innovation and real-world interoperability.

At Endace, we share Fink’s philosophy that packets provide the ultimate source of truth for understanding what’s happening on the network and driving smarter, faster investigations.

Don’t miss this episode as Fink shares how operational excellence and AI-driven security are being redefined.

[Video: PFF Ep 64 Steve Fink]

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Endace Packet Forensics Files: Episode #63

Original Entry by: Michael Morris

In Episode 63, Michael talks to Jack Chan, Vice President, Product Management at Fortinet.

By Michael Morris, Director of Global Business Development, Endace



Why NDR is Evolving—And What Enterprises Should Demand From It

In this episode of The Packet Forensic Files, I spoke with Jack Chan, VP of Product and Field CTO at Fortinet, about what sets a strong Network Detection and Response (NDR) solution apart. Jack explained that while many vendors claim to offer NDR, the best solutions help security teams see deep into their networks, spot threats early, and look back in time to understand what really happened before and after an incident.

Jack pointed out that most companies already have too many security tools creating alerts. That’s why it’s so important for NDR to work well with other tools like EDR—so SOC teams know which alerts really matter. He also shared how AI and machine learning are helping to detect threats even in encrypted traffic, and how newer tech like generative AI is making it easier for analysts to investigate issues without writing complex queries.

We talked about the benefits of using NDR alongside firewalls. Since NDR is passive, it can show you how clean or risky your network is without disrupting anything. But when NDR spots a threat, teams need to decide—should it trigger an automatic response or wait for human approval? Jack recommends using automation carefully, with some human oversight.

Finally, Jack reminded us that technology alone isn’t enough. Security starts with people—whether it’s developers writing secure code or staff avoiding risky clicks. No matter how advanced your tools are, the human factor still plays a huge role in keeping networks safe.

Don’t miss this episode as Jack shares practical tips, real-world examples, and a clear-eyed view of where the NDR space is heading.

 

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Black Hat 2025 NOC

Original Entry by: Michael Morris

Elevating Incident Response with the Ultimate Network Forensics – PCAP Or It Didn’t Happen

By Michael Morris, Director of Global Business Development, Endace and Barry Shaw, Senior Engineering Manager, Technology Partner Programs in Fusion Integration, Endace


This year, the Black Hat NOC team was armed with a new cyber-superpower. Always-on full packet capture was deployed to record the entire conference traffic to support the Black Hat NOC/SOC directives of Protect, Educate, and Innovate. Full packet capture provides an indelible record of all network activity, which is critical for security operations’ investigations.

Two EndaceProbes with a combined storage of 266 TB were installed in the Black Hat US 2025 NOC to capture every packet in full, from show start to the final closing. Fast access to full packet data for any event allowed the talented Black Hat NOC team to quickly understand threats and security risks for the attendees of the Black Hat conference. 62 TB of captured network packet data was heavily leveraged by the Black Hat NOC security analysts, with more than 1000 PCAP downloads from Endace systems during the 6 days of network operation.

Endace Fusion integrations provided the glue between the Cisco Security suite, Palo Alto Networks, Corelight and the packet data on the EndaceProbes, enabling analysts to quickly pivot from Splunk/Splunk Cloud, Cisco XDR, Cisco Firepower, Cisco SNA, Palo Alto Networks XSIAM, Panorama NGFWs, and Corelight Investigator through to EndaceVision and hosted Wireshark. When access to historical full PCAP is available in a seamless integration, security analysts are empowered with the ease of contextual access, and this simplifies the use of PCAP data, where previously it could be seen as cumbersome to use.

The EndaceProbes each hosted two VMs that were running Zeek and delivering critical log data into Splunk. Custom Zeek script additions provided additional valuable detail around clear-text passwords in email and HTTP, shining a light on the surprisingly persistent use of insecure protocols, and ultimately driving automation to streamline the response to these.

NOC Innovations

At the Black Hat 2025 NOC, a number of key innovations were developed and enhanced with Endace and integrations we have with Cisco, Palo Alto Networks, and Corelight. These innovations advanced and simplified the use of Endace packet data in incident response and threat hunting investigations. Endace packet data is an invaluable forensic tool for NOC/SOC analysts in getting to the root cause of complex threat investigations to be 100% sure of the impact of malicious activity.

The first integration innovation, developed by Matt Vander Horst (Cisco), Barry (Baz) Shaw (Endace) and Anantha Srinivasan (Endace), was a Cisco XDR automation that gathered up and preserved the packet evidence for each security alert. Links to the packet evidence and the flow-records CSV appear in the XDR worklog, and a link to the Endace Investigation is provided should the analyst need to investigate other related packet evidence; see the screenshot below. This required new APIs on Endace and a new workflow automation within XDR, both of which were developed during the days and nights of the Black Hat NOC week.

The second integration innovation, developed by Josh Randall (#Mr Mongo, Palo Alto Networks) and Anantha Srinivasan (Endace), created a direct pivot from any Palo Alto Networks XSIAM incident that launches an EndaceVision investigation focused on the packets related to that security event. This integration enabled analysts leveraging the power of the XSIAM SIEM platform to get directly to Endace’s packet-level forensics in the context of any XSIAM incident. You can see the pivot integration in the bottom right of the Cortex XSIAM screenshot below.

The third integration innovation involved streaming packet Metadata from EndaceProbe into Splunk Cloud to create a dashboard with various insights. This included Encrypted vs Unencrypted traffic volumes, passwords in the clear, Encryption Strength, and general network traffic levels. We displayed this on a central dashboard for everyone to view during the conference, see below.

The final innovation we brought to the NOC was a change to the Endace packet search capability that resulted in a nearly 50x improvement in packet search and download times. With fast and easy access to full PCAP and a little instruction on how to use EndaceVision, the enthusiasm for using packet data to understand and resolve incidents really took off.

SOC Findings and Lessons Learned

The feedback we received from many NOC team members is that streamlining access to full packet data opened new possibilities for threat hunting and incident response. Fast and easy access to packet data from the other security tools in the NOC really helped our understanding of many incidents.

We found there is still too much information carried across the network in the clear, with around 8% of traffic unencrypted. This leaves users vulnerable to information leakage, credential stealing, account hijacking, social engineering and outright fraud. The use of POP, IMAP, HTTP and other unencrypted protocols is still too high.
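The cleartext-password detail from the custom Zeek scripts, the encrypted-versus-unencrypted traffic dashboard, and the “around 8% unencrypted” finding above all come down to the same two pieces of logic: classifying flow metadata by whether the application data travels inside TLS/SSH, and spotting credentials sent in the clear. The following is an added example, not Endace’s or Zeek’s code: it runs that logic over a handful of constructed, Zeek-style connection records and session payloads. The record layout, the service-name sets and all addresses and usernames are assumptions made for the example. Passwords are deliberately never stored in the findings, only the protocol, the device and the username, which is what a NOC dashboard needs to drive remediation.

```python
"""Classify flow metadata as encrypted vs cleartext and flag cleartext
credentials. Added example with constructed data; the ConnRecord layout is a
simplified assumption, not Endace's or Zeek's exact schema."""
import base64
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the conn record names the detected service the way Zeek's
# conn.log `service` field does. These carry application data inside TLS/SSH.
ENCRYPTED_SERVICES = {"ssl", "tls", "ssh", "quic"}
# These carry application data in the clear.
CLEARTEXT_SERVICES = {"http", "pop3", "imap", "ftp", "smtp", "telnet", "dns"}


@dataclass(frozen=True)
class ConnRecord:
    src: str
    dst: str
    dst_port: int
    service: str       # e.g. "ssl", "http", "pop3"; "" when not detected
    total_bytes: int


def classify(rec: ConnRecord) -> str:
    """Return 'encrypted', 'cleartext' or 'unknown' for one flow."""
    if rec.service in ENCRYPTED_SERVICES:
        return "encrypted"
    if rec.service in CLEARTEXT_SERVICES:
        return "cleartext"
    return "unknown"


def traffic_breakdown(records):
    """Bytes per class plus the share of classified bytes sent in the clear."""
    by_class = Counter()
    for rec in records:
        by_class[classify(rec)] += rec.total_bytes
    classified = by_class["encrypted"] + by_class["cleartext"]
    pct_clear = 100.0 * by_class["cleartext"] / classified if classified else 0.0
    return {"bytes": dict(by_class), "percent_cleartext": round(pct_clear, 1)}


# Credential exchanges that appear in the first lines of a cleartext session.
_HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)
_POP3_USER = re.compile(r"^USER\s+(\S+)", re.M)
_POP3_PASS = re.compile(r"^PASS\s+\S+", re.M)
_IMAP_LOGIN = re.compile(r'^\S+\s+LOGIN\s+"?([^\s"]+)"?\s+\S+', re.M)


def find_cleartext_credentials(rec: ConnRecord, payload: str):
    """Return a finding if the payload carries a cleartext credential, else None.
    The password itself is never kept: only protocol, device and username."""
    if rec.service == "http":
        m = _HTTP_BASIC.search(payload)
        if m:
            try:  # binascii.Error (bad base64) is a ValueError subclass
                decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
                user = decoded.split(":", 1)[0]
            except ValueError:
                user = "<undecodable>"
            return {"protocol": "http-basic", "device": rec.src, "user": user}
    elif rec.service == "pop3":
        u = _POP3_USER.search(payload)
        if u and _POP3_PASS.search(payload):
            return {"protocol": "pop3", "device": rec.src, "user": u.group(1)}
    elif rec.service == "imap":
        m = _IMAP_LOGIN.search(payload)
        if m:
            return {"protocol": "imap", "device": rec.src, "user": m.group(1)}
    return None


def credential_report(sessions):
    """sessions: iterable of (ConnRecord, payload). Returns the findings and the
    number of distinct devices involved, the two numbers a NOC dashboard shows."""
    findings = []
    for rec, payload in sessions:
        finding = find_cleartext_credentials(rec, payload)
        if finding:
            findings.append(finding)
    return {"findings": findings,
            "unique_devices": len({f["device"] for f in findings})}


# Constructed sample data: RFC 5737 documentation addresses, invented users.
SAMPLE_CONNS = [
    ConnRecord("192.0.2.10", "198.51.100.5", 443, "ssl", 900_000),
    ConnRecord("192.0.2.11", "198.51.100.6", 80, "http", 50_000),
    ConnRecord("192.0.2.12", "198.51.100.7", 110, "pop3", 20_000),
    ConnRecord("192.0.2.10", "198.51.100.8", 143, "imap", 30_000),
    ConnRecord("192.0.2.13", "198.51.100.9", 8443, "", 10_000),
]
SAMPLE_SESSIONS = [
    (SAMPLE_CONNS[1], "GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                      "Authorization: Basic "
                      + base64.b64encode(b"alice:hunter2").decode() + "\r\n\r\n"),
    (SAMPLE_CONNS[2], "+OK POP3 ready\r\nUSER bob\r\n+OK\r\nPASS s3cret\r\n"),
    (SAMPLE_CONNS[3], "* OK IMAP4rev1 ready\r\na001 LOGIN carol \"p4ss\"\r\n"),
    (SAMPLE_CONNS[0], ""),  # TLS session: payload is opaque, nothing to inspect
]

if __name__ == "__main__":
    print(traffic_breakdown(SAMPLE_CONNS))   # 10.0% of classified bytes in the clear
    print(credential_report(SAMPLE_SESSIONS))  # three findings from three devices
```

Flows whose service was never identified land in the “unknown” bucket and are excluded from the percentage rather than silently counted as encrypted, so a dashboard built this way understates rather than hides cleartext use; on a real sensor the classification would come from Zeek’s protocol analyzers rather than a static service list.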

Our biggest learning was that the power of collaboration is dramatically amplified when everyone is together in a dark room, with pumping music and audio-free 90s movies playing in the background, and with the common goals of protect, educate and innovate! It is amazing how well everyone worked together; such collaboration between different vendors is incredible to experience and will only strengthen cybersecurity for all our users.

Acknowledgements

Our thanks to the Black Hat NOC team, led by Grifter, Bart, and Fink, for the opportunity to include EndaceProbes in the Black Hat NOC architecture. Also, a special thank you to Jessica Bair Oppenheimer for including Endace in the Cisco security stack architecture for Black Hat, sharing the Cisco screens and space in the NOC. The NOC team includes some of the most experienced security experts across the industry. Everyone was a pleasure to work and innovate with, and we came away with a great appreciation for the power of working in such a welcoming and open environment. The close collaboration resulted in the Endace team leaving with not only ideas for further integrations and workflow improvements, but also working prototypes that were developed and proved out during the SOC.

About Black Hat
Black Hat is the cybersecurity industry’s most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit www.blackhat.com.

For more blogs in our Endace SOC series, see here:
https://blog.endace.com/tag/soc/


Endace Packet Forensics Files: Episode #62

Original Entry by: Michael Morris

In Episode 62, Michael talks to Jessica (Bair) Oppenheimer, Cisco’s Director of Security Operations.

By Michael Morris, Director of Global Business Development, Endace



What does it take to run a world-class Security Operations Center (SOC) in today’s high-stakes, high-speed cybersecurity landscape?

In this episode of the Packet Forensic Files, I talk with Jessica (Bair) Oppenheimer, Cisco’s Director of Security Operations, for an in-depth look at next-generation Security Operations Centers (SOCs). Jessica shares her expertise from securing high-stakes events like the Paris 2024 Summer Olympics, the NFL Super Bowl, Black Hat, Cisco Live and RSAC Conferences, as well as years of experience at Guidance Software, ThreatGrid and Cisco.

I asked Jessica what differentiates the “next gen” SOC from traditional SOC models. She talks about some of the “high-visibility” SOCs that she’s been working with as part of the Cisco Security Operations team, and her experience bringing together highly skilled people from multiple organizations, keeping them motivated, and equipping them with all the tools and telemetry they need, so they can collaborate and innovate.

Jessica talks about why people, innovation, and the smart use of AI as an enabler for SOC teams are critical to creating an agile and responsive SOC team. She sees AI’s key role as speeding up analysis, detection, and threat hunting, and providing analysts with detailed context around incidents so they can make informed decisions more quickly. It can also help analysts quickly build automation tasks in response to the threats they’re seeing, so they can respond faster. That makes analysts more productive and effective, and in turn frees them up to do more proactive threat hunting, such as investigating some of the less obvious signals that might indicate potentially serious threats.

This episode is a must-watch for cybersecurity professionals who want to stay ahead of evolving threats – particularly those in security operations. It is jam-packed with insights on balancing automation with human expertise and establishing the key KPIs for SOC success.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Helping Protect Cisco Live 2025 in San Diego

Original Entry by: Michael Morris

By Michael Morris, Senior Director of Technology Alliances


Building on our collaboration in the SOC at RSAC 2025, Endace was honoured to be invited by Cisco to provide EndaceProbe packet capture and a team of threat hunters to support the Cisco Live Security Operations Center (SOC). Our primary goal was to protect the network and attendees at Cisco Live San Diego 2025, our secondary goals were to educate and innovate.

Two EndaceProbes were deployed in Cisco’s SOC-in-a-Box, continuously recording all network traffic provided over two 10G SPAN ports. We integrated with Splunk Enterprise Security and Cisco Security Cloud to deliver real-time network visibility. This enabled the SOC team to detect, locate, and address threats to attendees from external and internal sources, and helped to streamline and accelerate SOC investigation workflows.

The SOC at Cisco Live aims to protect the more than 23,000 attendees from threats on the conference network. When an attendee’s device is found to be compromised or unsecured, the SOC team makes every effort to identify, locate and help remediate the issue. The SOC team also provided public tours of the SOC to educate attendees about how the SOC is configured, the processes team members implemented, and the sorts of issues and threats that we uncovered.

Drawing on our experience at RSAC 2025 (where Endace captured 36 TB of data and 45 billion packets) we further optimized our approach for Cisco Live’s SOC.

The SOC was set up in two days, leveraging prior planning and our engineers’ experience at RSAC 2025.

At Cisco Live, Endace:

  • Captured 78.9 TB of traffic representing 99.5 billion packets
  • Reassembled more than 740,000 file objects in real time and sent 42,624 files to Splunk Attack Analyzer for further analysis
  • Detected 2,256 occurrences of cleartext passwords being used from 92 unique devices
  • Provided packet-level forensic evidence to all the SOC analysts for investigating and triaging a range of security events
  • Integrated with Cisco XDR, Splunk, Cisco Firepower IDS, Splunk Attack Analyzer, Cisco Secure Malware Analytics, and Cisco Secure Network Analytics to provide a seamless IR workflow
  • Innovated with new integrations that streamed additional metadata into Splunk, which sped up the investigation and remediation process

It was impressive to see the whole team of Cisco and Endace Engineers pivoting to the packet data to investigate an entire range of security incidents. Inspecting the packet data enabled fast decisions because the team could see exactly what was happening on the wire before, during, and after any event. As they say, PCAP or it didn’t happen!

Having complete packet data available at the SOC team’s fingertips really highlighted the incredible value of always-on packet capture; recording every packet and delivering complete, real-time visibility into threats, performance issues, and anomalous behaviour across the network.

There is an infectious energy that we get when working in a SOC environment like this, with Engineers from different teams and companies collaborating to track down threats, and share ideas on how to improve the SOC. The Endace team came away with many learnings that will improve EndaceProbe and our partner integrations.

We look forward to being a part of the SOC again at some more big upcoming events – stay tuned, details coming soon.

Read more about the SOC at CLUS 25 on Cisco’s Blog here:

https://blogs.cisco.com/security/cisco-live-san-diego-2025-soc

For more blogs in our Endace SOC series, see here:
https://blog.endace.com/tag/soc/ 


Endace Packet Forensics Files: Episode #61

Original Entry by: Michael Morris

In Episode 61, Michael talks to JP Bergeaux, Federal CTO at GuidePoint Security.

By Michael Morris, Director of Global Business Development, Endace



In my latest episode of the Endace Packet Forensic Files, I sit down with Jean-Paul (JP) Bergeaux, Federal CTO for GuidePoint Security, to explore federal cybersecurity. Our conversation dives into the challenges, technologies, and approaches reshaping how government agencies protect their digital infrastructure.

The critical importance of certifications like FIPS 140 and NIAP becomes clear. These aren’t bureaucratic checkboxes–they’re safeguards that ensure the reliability and security of technological solutions across federal networks. JP’s insights show how these standards help maintain the integrity of government systems.

The M-21-31 directives also emerge as a game-changer. Introduced in response to the SolarWinds breach, these guidelines are transforming how agencies approach network forensics. Packet capture (PCAP) data is now considered the gold standard for threat detection, providing what JP calls “ground truth” in cybersecurity investigations. The real-world examples he shares are particularly compelling, especially cases where PCAP data reveals hidden threats.

We also tackle the challenges posed by generative AI. JP describes the “generative AI arms race”, where threat actors innovate rapidly, while government agencies must proceed with caution. It’s a balance between innovation and security that will define cybersecurity’s future.

One thing is clear from our conversation: the federal cybersecurity landscape is dynamic and demanding. Reactive security models are giving way to proactive approaches that integrate security across every layer of infrastructure.

Don’t miss this episode as JP shares valuable insights into the front lines of federal cybersecurity and the tools, policies, and mindsets needed to stay ahead.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.