Author: Michael Morris

Endace Packet Forensics Files: Episode #54

Original Entry by : Michael Morris

Michael talks to “Malware Jake” Williams, about the concept of Zero Trust and its implications for enhancing your security posture.

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with cybersecurity expert Jake Williams, aka ‘MalwareJake’,  IANS faculty member, former SANS educator, computer science and information security expert and U.S. Army veteran, about the concept of Zero Trust and its implications for organizations striving to enhance their security posture.

Zero Trust challenges traditional security models by advocating for a “deny all, permit by exception” approach. Jake describes it as a mindset—a philosophy focused on continuous verification and least privilege access. Despite its potential benefits, embracing Zero Trust can be challenging. Jake highlights obstacles such as defining and operationalizing Zero Trust, legacy system dependencies, and cultural shifts within organizations.

Continuous verification is crucial in Zero Trust environments. Jake provides examples of verification challenges, emphasizing the importance of network visibility and packet capture in incident response and threat detection. He emphasizes the interconnectedness of networking and cybersecurity, citing Managed File Transfer appliances, Citrix NetScalers, and SSL VPNs as examples. These network security appliances often have extensive technical depth and may harbour unpatched vulnerabilities, presenting significant risks to organizations. He predicts increased targeting of network security appliances by threat actors, underscoring the importance of Zero Trust principles and network visibility in mitigating such threats.

Jake touches on the importance of tools like Wireshark for detailed analysis but also emphasises the need to understand the role network visibility plays and how it relates to business challenges. He recommends that analysts strengthen their networking fundamentals, while SOC directors should broaden their skill set by understanding business concepts for effective communication with stakeholders.

Finally, Jake suggests that embracing Zero Trust requires a holistic approach, encompassing technical ability, organizational buy-in, and a commitment to continuous improvement. His insights on this topic serve as valuable guidance on the path to cybersecurity resilience.

Follow Malware Jake on the below links. 

 

Also watch our series of Threat Investigation webinars with SANS and Jake Williams here – https://www2.endace.com/sans-webinar-series

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Endace Packet Forensics Files: Episode #53

Original Entry by : Michael Morris

Michael talks to Tanya Janca, Head of Education and Community at Semgrep, Founder of WehackPurple.

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with Tanya Janca, Head of Education and Community at Semgrep, Founder of WehackPurple, and renowned cybersecurity expert, author and RSA Speaker.

Tanya shares her journey from software developer to penetration tester to application security specialist, to cybersecurity education evangelist. She stresses the value of hands-on experience in cybersecurity education and urges universities and training programs to keep pace with evolving threats.

Tanya discusses the skills gap in cybersecurity, suggesting there is inadequate education in secure coding and design. She believes industry practitioners should be involved in teaching to ensure relevance. Tanya also highlights the need for affordable training options to connect theory with real-world practice.

Tanya underscores the importance of varied perspectives and real diversity and inclusion for organizations to understand and counter modern threats. She challenges the notion of diversity as a mere checkbox and calls for organizations to create inclusive environments to address the skill shortage effectively.

Tanya emphasizes the importance of continuous learning and adaptation as vital for cybersecurity professionals to navigate the changing landscape.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Endace Packet Forensics Files: Episode #52

Original Entry by : Michael Morris

Michael talks to Tiktok influencer Caitlin Sarian, CEO of Cybersecurity Girl

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

In this episode, I talk with to Tiktok and Instagram influencer Caitlin Sarian, CEO of Cybersecurity Girl, who discusses her journey into the cybersecurity field and her mission to break down stigmas surrounding the industry.

Emphasizing the importance of a love for learning and problem-solving over coding skills, Caitlin encourages individuals to explore diverse paths within cybersecurity, ranging from technical roles like ethical hacking to non-technical roles in data privacy.

The conversation highlights the need for continuous learning in the rapidly evolving cybersecurity landscape, with Caitlin recommending various channels for staying updated, including news alerts, newsletters, and professional groups. She addresses common misconceptions about coding requirements, debunking the idea that a specific educational background is essential, and stresses the value of gaining practical experience and obtaining certifications tailored to one’s chosen specialization.

Finally, Caitlin highlights the importance of advocating for diversity and inclusivity in cybersecurity. She emphasizes the need for mentorship, role models, and a supportive company culture to encourage women and minorities to enter and thrive in the industry. You won’t want to miss this episode if you’re looking for valuable insights about a career in cybersecurity. 

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Endace Packet Forensics Files: Episode #51

Original Entry by : Michael Morris

In this episode, Michael talks to Eric Buchaus, Director of Sales at Niagara Networks

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

Are SPAN ports sufficient to provide network traffic visibility for high-quality security (NDR) and network (NPM) investigations? What about cloud workloads?  What do you need to gain insights into cloud network activity?

In this episode of the Endace Packet Forensic Files, I talk with Eric Buchaus, Director of Sales at Niagara Networks. Eric outlines potential pitfalls and challenges associated with SPAN ports and highlights situations where they may fall short for network and security analysts.

Eric walks us through some alternative options, discussing the merits of network TAPS, network packet brokers, and in-line bypass solutions which can offer NoC / SoC teams more reliable, efficient, and scalable ways to get network packet data to the right tools in large-scale and complex environments.  He discusses some of the specific challenges of network visibility in cloud infrastructures and suggests some practical ways to overcome these obstacles.

Eric suggests things organizations should consider when exploring different packet brokers or TAP vendors and outlines the management and scrutiny that needs to be applied to encrypted traffic to achieve in-depth visibility securely.

Finally, Eric talks about how TAPs and packet brokers can help in dynamic SDN environments with high traffic volumes. He emphasizes why they are important for organizations looking to implement zero-trust infrastructures – particularly environments with many walled gardens and lots of VLANs for IOT/IOTM devices and technologies.

Don’t miss this informative episode as Eric demystifies the complexities of network visibility and supplies some valuable guidance for navigating the challenges posed by evolving network landscapes.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Endace Packet Forensics Files: Episode #50

Original Entry by : Michael Morris

In our 50th Episode, Michael talks to Martyn Crew, Senior Director, Solutions Marketing and Partner Technologies at Gigamon

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

It’s my pleasure to welcome Martyn Crew from Gigamon for this 50th Episode of the Packet Forensics Files. It’s a great milestone to have reached, and the series continues to grow in popularity – thanks to people like Martyn who have joined me to share their valuable expertise and advice.

In this episode Martyn, a 30-year veteran in the cyber security and network management space shares his expertise on the limitations and risks associated with exclusively using log and meta-data as the primary resources for your security team’s investigations. He discusses various use cases where network traffic and full packet data can play a crucial role in security investigations, highlighting the potential oversights that could occur when you rely solely on log data.

We talk about how to address the scalability challenges of leveraging full-packet data and delve into the storage and retention obstacles that many organizations fear when looking at solution options.

Finally, Martyn suggests how to balance the telemetry sources and costs for your SOC team, and shares some key considerations for maintaining visibility in your hybrid cloud infrastructure encompassing both on-prem and public or private cloud environments.

.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Endace Packet Forensics Files: Episode #49

Original Entry by : Michael Morris

Michael talks to ICS and SCADA security expert, Lionel Jacobs

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

In this episode, Michael talks to Lionel Jacobs, Senior Partner Engineer, ICS and SCADA security expert, at Palo Alto Networks. Lionel draws on his more than 25 years of experience in OT (Operational Technology) and almost a decade at Palo Alto Networks in discussing some of the challenges of securing OT, IoT and critical infrastructure from cyberattack.

Lionel talks about some of the unique challenges that OT systems present for security teams and why being prepared to defend against attacks on critical infrastructure is so crucial.

Nation-state actors obviously see critical infrastructure as a prime target for attacks. But so too do criminal actors who see critical infrastructure operators as potentially more vulnerable to extortion than other targets.

Lionel discusses the role of Zero Trust and limited access zoning in reducing the risk of attackers expanding their ability to move from OT environments into the enterprise network. Carefully mapping the network and assets and understanding the requirements for access between different areas of the infrastructure is key to this. Often legacy OT devices and control systems can’t be easily patched so placing these elements into a security zone with a remediating factor between that zone and other parts of the network is the only feasible way to protect them from attack.

Lionel talks about the challenge of detecting attacks in OT environments, how to spot unusual activity, and the importance of having a reference baseline to compare against. He highlights the importance of packet data in providing insight into what is happening on OT networks.

Lionel also stresses the importance of close collaboration between OT security teams and the operators of OT networks. It’s crucial to ensure that the safe and effective operation of critical infrastructure isn’t adversely impacted by security teams that don’t understand the operational processes and procedures that are designed to ensure the safety of the plant and the people that work there.

Lastly, Lionel reiterates the importance of gathering reliable evidence, and enabling security analysts to quickly get to the evidence that’s pertinent to their investigation. It’s not just about collecting data, but about making sure that data is relevant and easy to access.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Endace Packet Forensics Files: Episode #48

Original Entry by : Michael Morris

Michael talks to Endace’s IT Security Manager, Al Edgar.

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, EndaceIn this Episode of Packet Forensics Files, I ask Al Edgar, former Information Security Manager for Health Alliance – and now IT Security Manager at Endace – about some of the important areas a security leader needs to focus on and what new challenges they are facing.

Firstly, Al says, it’s important to take an holistic approach to cybersecurity, by looking at the three critical components for robust security: people, processes, and technology. He stresses the importance of Incident Response planning and why it’s so critical to define clear objectives, roles, and responsibilities as part of the plan.

In order to stay ahead of emerging threats, Al says keeping up-to-date with cybersecurity trends is crucial. He recommends subscribing to cyber blogs, leveraging threat intelligence feeds, and mapping threat intelligence against your organizational infrastructure. He also highlights the importance of having a plan for managing third-party vendor risk.

Al provides some valuable recommendations on where to start to ensure a more robust security posture, including maintaining a centralized inventory, conducting thorough risk assessments, cataloging and categorizing risks, and incorporating appropriate security clauses into contracts with suppliers and partners.

Cybersecurity awareness training is another critical area, Al says. His view is that it’s the responsibility of every individual in an organization to prioritize cybersecurity but he highlights the importance of support and training to enable them do this effectively.

Lastly, Al talks about future cybersecurity threats, and calls out the potential risks associated with the weaponization of AI technology. He highlights the need for caution when sharing information with AI systems, reminding us to be mindful of potential privacy breaches and the risk that sensitive IP or data disclosed to AI tools may be misused or insufficiently protected.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.

Endace Packet Forensics Files: Episode #47

Original Entry by : Michael Morris

Michael talks to network forensics and incident response specialist, Jasper Bongertz.

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

What are some of the challenges of responding to a serious incident – such as a ransomware attack or advanced persistent attack? Where do you start, and what are the critical things you need to do?

In this episode we are lucky to welcome Jasper Bongertz, Head of Digital Forensics and Incident Response at G DATA Advanced Analytics in Germany. Jasper has a wealth of experience from working in the front line of incident response at G DATA as well as in his previous role at Airbus. He also has a long background in network forensics – having been a Wireshark and network forensics instructor, and continues to be a very active member of the Wireshark community.

Jasper starts by outlining some of the steps to mitigate “headless chicken mode” which is what he often sees when organization first encounters a serious incident.

The process starts with understanding exactly what has happened, and what the impact is so that a clear response plan and timeline for resolution can be established. This requires gathering the available evidence – including network packet data if it’s available. It’s important to be able to do this quickly – particularly in the case of ransomware attacks where the organization’s IT systems may be unavailable as a result of the attack. With ransomware, speed is crucial since the organization’s primary priority is typically to get back to an emergency operating state as quickly as possible. Jasper lists some of the tools that his team finds useful in rapidly gathering that critical evidence.

Once the scope of the incident has been established, you need to have the specific expertise on hand to investigate and understand what happened and how it happened so you can identify the right response. Typically, Jasper says, that will involve having at least an incident response specialist, a forensic expert, and a malware reverse engineer, but depending on the scale of the event may involve many others too.

Jasper outlines the most important steps organizations can take to protect themselves against ransomware attacks and ensure that in the event of a successful attack they can recover. The two most important of these being to make sure domain administrator credentials are protected to prevent privilege escalation and ensuring your backups are complete and protected from sabotage.

Lastly, Jasper discusses the changing cyberthreat landscape. He outlines why he thinks data exfiltration and extortion will become more common than ransomware and encryption, and why network data is critical to combat this growing threat.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.