Network Security and Management Challenges Blog Series – Part 4

Original Entry by : Endace

Driving Economic Efficiency in Cyber Defense

Key Research Findings

  • Available budget, freedom to choose the best solutions and platform fatigue are all impacting on the ability of system architects to design and deploy the best solutions to meet the organization’s needs.
  • 78% of system architects reported platform fatigue is a significant challenge with 29% rating the level of challenge as high.
  • More than 90% of respondents reported that the process of acquiring and deploying security, network or application performance platforms is challenging, with almost half reporting that it is either extremely or very challenging.

Most of what’s written about cybersecurity focuses on the mechanics of attacks and defense. But, as recent research shows, the economics of security is just as significant. It’s not just lack of available budget – departments always complain about that – but how they are forced to allocate their budgets.

Currently, security solutions are often hardware-based, which forces organizations into making multiple CAPEX investments – with accompanying complex, slow purchase processes.

More than three-quarters of respondents to the survey reported that “the challenge of constraints caused by CAPEX cycle (e.g. an inability to choose best possible solutions when the need arises) is significant.”Almost half reported being stuck with solutions that have “outlived their usefulness, locked into particular vendors or unable to choose best-of-breed solutions.

Speed of deployment is also a significant challenge for organizations, with more than 50% of respondents reporting that “deploying a new security, network or application performance platform takes six to twelve months or longer.” 

As outlined in the previous post, existing security solutions are expensive, inflexible, hardware-dependent and take too long to deploy or upgrade. The process of identifying a need, raising budget, testing, selecting and deploying hardware-based security and performance monitoring solutions simply takes too long. And the cost is too high.

Contrast this with cyber attackers, who don’t require costly hardware to launch their attacks. They are not hampered by having to negotiate slow, complex purchase and deployment cycles. And often they leverage their target’s own infrastructure for attacks. The truth is that the economics of cybersecurity is broken: with the balance radically favoring attackers at the expense of their victims.

Reshaping the economics of cyberdefense

Companies have a myriad of choices when it comes to possible security, network performance and application performance monitoring solutions. Typically, they deploy many different tools to meet their specific needs. 

As discussed in the previous post, the lack of a common hardware architecture for analytics tools has prevented organizations from achieving the same cost savings and agility in their network security and monitoring infrastructure that virtualizaton has enabled in other areas of their IT infrastructure. As a result, budgets are stretched, organizations don’t have the coverage they’d like (leading to blindspots in network visibility) and deploying and managing network security and performance monitoring tools is slow, cumbersome and expensive.

Consolidating tools onto a common hardware platform – such as our EndaceProbe – helps organizations overcome many of the economic challenges they face:

  • It lets them reduce their hardware expenditure, resulting in significant CAPEX and OPEX savings. 
  • Reduced hardware expenditure frees up budget that can be directed towards deploying more tools in more places on the network – to remove visibility blind spots – and deploying tools the company needs but couldn’t previously afford.
  • Teams gain the freedom to choose what tools they adopt without being locked into “single-stack” vendor solutions. 
  • Teams can update or replace security and performance monitoring functions by deploying software applications on the existing hardware platform without a rip-and-replace. This significantly reduces cost and enables much faster, more agile deployment.

The cost of the hardware infrastructure needed to protect and manage the networks can also be shared by SecOps, NetOps, DevOps and IT teams, further reducing OPEX and CAPEX costs and facilitating closer cooperation and collaboration between teams.

For architects, a common hardware platform becomes a network element that can be designed into the standard network blueprint – reducing complexity and ensuring visibility across the entire network. And for IT teams responsible for managing the infrastructure it avoids the platform fatigue that currently results from having to manage multiple different hardware appliances from multiple different vendors.

Because analytics functionality is abstracted from the underlying EndaceProbe hardware, that functionality can be changed or upgraded easily, enabling – as we saw in the last post – far more agile deployment and the freedom to deploy analytics tools that best meet the company’s needs rather than being locked into specific vendors’ offerings.

Equally importantly, it extends the useful life of the EndaceProbe hardware too. No longer does hardware have to be replaced in order to upgrade or change analytics functionality. And as network speeds and loads increase, older EndaceProbes can be redeployed to edge locations and replaced at the network core with newer models offering higher-speeds and greater storage density. This ensures companies get maximum return on their hardware investment.

Lastly, their modular architecture allows multiple, physical EndaceProbes to be stacked or grouped to form centrally-managed logical EndaceProbes capable of scaling to network speeds of hundreds of gigabits-per-second and storing petabytes of network history.

A Final Word

This blog series has looked at the three key challenges – Visibility, Agility and Economic Efficiency (this post) – that enterprises report they face in protecting their networks and applications from cyber threats and costly performance issues. These challenges are interrelated: it is only by addressing all three that organizations can achieve the level of confidence and certainty necessary to effectively protect their critical assets.


Network Security and Management
Challenges – Part 3: Agility

Original Entry by : Endace

The Need for Agile Cyberdefense – and How to Achieve it

Key Research Findings

  • 75% of organizations report significant challenges with alert fatigue and 82% report significant challenges with tool fatigue
  • 91% of respondents report significant challenges in “integrating solutions to streamline processes, increase productivity and reduce complexity”.
  • Investigations are often slow and resource-intensive, with 15% of issues taking longer than a day to investigate and involving four or more people in the process.

In part two of this series of blog posts, we looked at Visibility as one of the key challenges uncovered in the research study Challenges of Managing and Securing the Network 2019.

In this third post, we’ll be discussing another of the key challenges that organizations reported: Agility

From a cybersecurity and performance management perspective, the term “Agility” can mean two different things. In one sense it can mean the ability to investigate and respond quickly to cyber threats or performance issues. But it can also refer to the ability to rapidly deploy new or upgraded solutions in order to evolve the organization’s ability to defend against, or detect, new security threats or performance issues. 

To keep things clear let’s refer to these two different meanings for agility as “Agile Response” and “Agile Deployment.”

Enabling Agile Response

In the last post, we looked at the data sources organizations can use to improve their visibility into network activity – namely using network metadata, combined with full packet data, to provide the definitive evidence that enables analysts to quickly and conclusively investigate issues. 

In order to leverage this data, the next step is to make it readily available to the tools and teams that need access to it. Tools can access the data to more accurately detect issues, and teams get quick and easy access to the definitive evidence they need to investigate and resolve issues faster and more effectively. 

Organizations report that they are struggling with two significant issues when it comes to investigating and resolving security or performance issues. 

The first is they are drowning in the sheer volume of alerts being reported by their monitoring tools. Investigating each issue is a cumbersome and resource-intensive process, often involving multiple people. As a result there is typically a backlog of issues that never get looked at – representing an unknown level of risk to the organization.

The second issue, which is compounding the alert fatigue problem, is that the tools teams use are not well-integrated, making the investigation process slow and inefficient.  In fact, 91% of the organizations surveyed reported significant challenges in “integrating solutions to streamline processes, increase productivity and reduce complexity.” The result is analysts are forced to switch from tool to tool (also known as “swivel chair integration”) to try and piece together a “big-picture” view of what happened.

Integrating network metadata and packet data into security and performance monitoring tools is a way to overcome both these challenges:

  • It gives teams access to a shared, authoritative source of truth about network activity. Analysts can pivot from an alert, or a metadata query, directly to the related packets for conclusive verification of what took place. This simplifies and accelerates investigations, making teams dramatically more productive and eliminating alert fatigue.
  • It enables a standardized investigation process. Regardless of the tool an analyst is using, they can get directly from an alert or query to the forensic detail – the packets – in the same way every time. 
  • It enables data from multiple sources to be correlated more easily. This is typically what teams are looking to achieve through tighter tool integration. Network data provides the “glue” (IP addresses, ports, time, application information etc.) that enables data from other diverse sources (log files, SNMP alerts etc.) to be correlated more easily. 

By leveraging a common, authoritative source of packet-level evidence organizations can create a “community of interoperability” across all their security and performance monitoring tools that drives faster response and greater productivity.

By integrating this packet-level network history with their security tools, SecOps teams can pivot quickly from alerts to concrete evidence, reducing investigation times from hours or days to just minutes.

Endace’s EndaceProbe Analytics Platform does this by enabling solutions from leading security and performance analytics vendors – such as BluVector, Cisco, Darktrace, Dynatrace, Micro Focus, IBM, Ixia, Palo Alto Networks, Splunk and others – to beintegrated withand/or  hosted on the EndaceProbe platform. Hosted solutions can access analyze live packet data for real-time detection or analyze recorded data for back-in-time investigations. 

The EndaceProbe’s powerful API-based integration allows analysts to go from alerts in any of these tools directly to the related packet history for deep, contextual analysis with a single click. 

The Road to Agile Deployment

The research showed that many organizations report their lack of visibility is due to having “too few tools in too few places in the network.” There are two reasons for this. One is economic – and we’ll look at that in the next post. The other is that the process of selecting and deploying new security and performance monitoring solutions is very slow.

The reason deploying new solutions is so slow is that they are typically deployed as hardware-based appliances. And as we all know, the process of acquiring budget for, evaluating, selecting, purchasing and deploying hardware can take months. Moreover, appliance-based solutions are prone to obsolescence and are difficult or impossible to upgrade without complete replacement. 

All these things make for an environment that is static and slow-moving: precisely the opposite of what organizations need when seeking to be agile and evolve their infrastructure quickly to meet new needs. Teams cannot evolve systems quickly enough to meet changing needs – which is particularly problematic when it comes to security, because the threat landscape changes so rapidly. As a result, many organizations are left with security solutions that are past their use-by date but can’t be replaced until their CAPEX value has been written down.

The crux of the problem is that many analytics solutions rely on collecting and analyzing network data – which means every solution typically includes its own packet capture hardware. 

Unlike the datacenter, where server virtualization has delivered highly efficient resource utilization, agile deployment and significant cost savings, there isn’t – or rather hasn’t been until now – a common hardware platform that enables network security and performance analytics solutions to be virtualized in the same way. A standardized platform for these solutions needs to include the specialized, dedicated hardware necessary for reliable packet capture and recording at high speed.

This is why Endace designed the EndaceProbe™ Analytics Platform. Multiple EndaceProbes can be deployed across the network to provide a common hardware platform for recording full packet data while simultaneously hosting security and performance analytics tools that need to analyze packet data. 

Adopting a common hardware platform removes the hardware dependence that currently forces organizations to deploy multiple hardware appliances from multiple vendors and frees them up to deploy analytics solutions as virtualized software applications. This enables agile deployment and gives organizations the freedom to choose the security, application performance and network performance solutions that best suit their needs, independent of the underlying hardware.

In the next post, we’ll look at how a common platform can help address some of the economic challenges that organizations face in protecting their networks. 


Network Security and
Management Challenges – Part 2: Visibility

Original Entry by : Endace

Stop Flying Blind: How to ensure Network Visibility

Network Visibility Essential to Network Security

Key Research Findings

  • 89% of organizations lack sufficient visibility into network activity certain about what is happening.
  • 88% of organizations are concerned about their ability to resolve security and performance problems quickly and accurately.

As outlined in the first post in this series, lack of visibility into network activity was one of the key challenges reported by organizations surveyed by VIB for the Challenges of Managing and Securing the Network 2019 research study. This wasn’t a huge surprise: we know all too well that a fundamental prerequisite for successfully protecting networks and applications is sufficient visibility into network activity. 

Sufficient visibility means being able to accurately monitor end-to-end activity across the entire network, and recording reliable evidence of this activity that allows SecOps, NetOps and DevOps teams to react quickly and confidently to any detected threats or performance issues. 

Context is Key

It might be tempting to suggest that lack of network visibility results from not collecting enough data. Actually, the problem is not possessing enough of the right data to provide the context that enables a coherent big-picture view of activity – and insufficient detail to enable accurate event reconstruction. This leaves organizations questioning their ability to adequately protect their networks.

Without context, data is just noise. Data tends to be siloed by department. What is visible to NetOps may not be visible to SecOps, and vice versa. It is often siloed inside specific tools too, forcing analysts to correlate data from multiple sources to investigate issues because they lack an independent and authoritative source of truth about network activity. 

Typically, organizations rely on data sources such as log files, and network metadata, which lack the detailed data necessary for definitive event reconstruction. For instance, while network metadata might show that a host on the network communicated with a suspect external host, it won’t give you the full details about what was transferred. For that, you need full packet data. 

In addition, network metadata and packet data are the only data sources that are immune to potential compromise. Log files and other data sources can be tampered with by cyber attackers to hide evidence of their presence and activity; or may simply not record the vital clues necessary to investigate a threat or issue.

Combining Network Metadata with Full Packet Data for 100% Visibility

The best possible solution to improving visibility is a combination of full packet data and rich network metadata. Metadata gives the big picture view of network activity and provides an index that allows teams to quickly locate relevant full packet data. Full packet data contains the “payload” that lets teams reconstruct, with certainty, what took place.

Collecting both types of data gives NetOps, DevOps and SecOps teams the information they need to quickly investigate threats or performance problems coupled with the ability to see precisely what happened so they know how to respond with confidence.

This combination provides the context needed to deliver both a holistic picture of network activity and the detailed granular data required to give certainty. It also provides an independent, authoritative source of network truth that makes it easy to correlate data from multiple sources – such as log files – and validate their accuracy.

With the right evidence at hand, teams can respond more quickly and accurately when events occur. 

In the next post in this series, we’ll look at how to make this evidence easily accessible to the teams and tools that need it – and how this can help organizations be more agile in responding to security threats and performance issues.


Introducing the Network Security and
Management Challenges Blog Series

Original Entry by : Endace

Recent research provides insight into overcoming the challenges of managing and securing the network

Network Security and Performance Management Research

A Big Thank-You

We’d like to take this opportunity to thank all of the companies and individuals that participated in both studies. Without your participation, it would not have been possible to produce these reports and the valuable insight they contain.

For those who didn’t get a chance to participate, please click here to register your interest in participating in our 2020 research projects.

Last year, Endace participated in two global research studies focusing on the challenges of protecting enterprise networks. The results of both provide powerful insights into the state of network security today, and what organizations can do to improve the security and reliability of their networks. In this series of blog posts, we’re going to take a deep dive into the results and their implications. 

We commissioned an independent, US-based research company, Virtual Intelligence Briefing (VIB) to conduct the research underpinning the Challenges of Managing and Securing the Network 2019 report. VIB surveyed senior executives and technical staff at more than 250 large, global enterprises to understand the challenges they face in protecting against cyberattacks threats and preventing network and application performance issues. 

Organizations from a range of industry verticals including Finance, Healthcare, Insurance and Retail participated. Annual revenues of participating companies were between $250M and $5B+, and respondents included senior executives such as CIOs and CISO, as well as technical management and technical roles. 

Our second research project was with Enterprise Management Associates (EMA) and was focused on looking at what leading organizations are doing to improve their cybersecurity and what tactical choices are making the biggest difference. This research was based on responses to a detailed survey of more than 250 large enterprises across a wide range of industries .

You can download a summary of EMA’s report here: “Unlocking High Fidelity Security 2019“.

So what did we find out? 

When it comes to securing their networks from cyberattacks, organizations find it hard to ‘see’ all the threats, making detection and resolution of security and performance issues cumbersome and often inconclusive. They lack sufficient visibility into network activity, with too few tools in too few places to be confident they can quickly and effectively respond to cyber threats and performance issues.

The need for greater agility was also a common challenge, with alert fatigue, tool fatigue and lack of integration between tools making the investigation and resolution process slow and resource-intensive. 

Organizations also face significant economic challenges in the way they are currently forced to purchase and deploy solutions. This leaves them unable to evolve quickly enough to meet the demands imposed by today’s fast-moving threat landscape and 24×7 network and application uptime requirements. 

In this series, we’ll explore each of these three challenges – Visibility, Agility and Economics – while also looking at how they are intrinsically inter-related. Understanding and addressing all of these challenges together revolutionizes network security and management, and enables organizations to realize greater efficiency while saving money.

Our next post will look at why organizations lack visibility into network activity and how they can overcome this challenge.


Watch Endace on Cisco ThreatWise TV from RSA 2019

Original Entry by : Endace

It was a privilege to attend this year’s RSA cybersecurity event in San Francisco, and one of our top highlights was certainly the opportunity to speak to Cisco’s ThreatWise TV host Jason Wright. Watch the video on Cisco’s ThreatWise TV (or below) as Jason interviews our very own Michael Morris to learn more about how Cisco and Endace integrate to accelerate and improve cyber incident investigations.

In this short 4 minute video, Michael demonstrates how Cisco Firepower and Stealthwatch can be used together to investigate intrusion events, using Cisco dashboards and EndaceVision to drill down into events by priority and classification to show where threats come from, who has been affected and whether any lateral movement occurred, as well as conversation history and traffic profiles. Michael also explains how Cisco and Endace work together to ‘find a needle in a haystack’ across petabytes of network traffic.

A big thanks to Cisco and to Jason for giving us this spotlight opportunity. If you have any questions about how Cisco and Endace integrations can accelerate and improve cyber incident investigation, visit our Cisco partner page.


New OSm 6.5 brings ultra-fast, network-wide search to all EndaceProbe models

Original Entry by : Sebastian Mackay

OSm - Operating System for Monitoring

We are really excited to announce the release of OSm 6.5

This significant new release incorporates some major architectural changes and introduces a truly revolutionary feature – ultra-fast, network-wide search and data-mining – with the brand-new InvestigationManager™ application

Customers are always telling us how important it is to accelerate the investigation of security threats and performance issues so they can respond to them more quickly and more accurately.

InvestigationManager is a game-changer for analysts involved in the investigation process, allowing them to search across petabytes of globally-distributed Network History for specific “packets-of-interest” at lightning-speed, putting definitive evidence at their fingertips when they need it.

New Groundbreaking EndaceFabric Architecture 

Watch this short video for an overview of the architectural changes that OSm 6.5 introduces and how this new architecture underpins the amazing new, ultra-fast search capability that InvestigationManager brings to all EndaceProbe models.

InvestigationManager’s Ultra-Fast Search in Action

Watch this demo to see just how fast InvestigationManager can find specific “needle-in-the-haystack” packet from within more than a petabyte of Network History distributed across multiple EndaceProbes deployed around the world.

(Tip: prepare to be impressed!).

Want to Find Out More?

OSm 6.5 includes a number of other updates including:
• Real-time visualizations in both InvestigationManager and EndaceProbes (“Play Mode”)
• The ability to trigger, collect and export system and RAID dumps from one or more EndaceProbes at a time.

You can read more about the new features of OSm and the new InvestigationManager application on endace.com.

Or watch the video below for a deep-dive into the new features of OSm 6.5.2 and InvestigationManager and what the new ultra-fast search capability of InvestigationManager means for Threat Hunting.

How do I get hold of OSM 6.5?

OSm 6.5 is supported by all current EndaceProbe models.

The downloadable image and documentation for OSm will be available on the Endace Support Portal from early February, 2019.

If you wish to install this new release earlier, please contact your Endace account team.


Endace announced as double finalist in 2018 Computing Security Awards and UK IT Industry Awards

Original Entry by : Mark Evans

Computing Security Awards 2018

Our EndaceProbe™ Analytics Platform has been announced as a double finalist in the ‘Network Security Solution of the Year’ and the ‘Enterprise Security Solution of the Year’ categories for the 2018 Computing Security Awards.

The Computing Security Awards started in 2010 to recognize security champions and solutions throughout the UK IT industry. The winners of the awards will be announced on the 11th October at an awards ceremony dinner at the Radisson Blu Edwardian Hotel, London.

You can vote in all categories of the Computing Security Awards, here: http://www.computingsecurityawards.co.uk/?page=csa2018vote. If you can spare a minute to vote, we’d be very grateful for your support!

UK IT Industry Awards 2018

Endace has also been announced as a finalist in the 2018 UK IT Industry Awards in the ‘Security Innovation of the Year’ category.

The UK IT Industry Awards celebrates IT excellence and focuses on the contribution of individuals, projects, organizations and technologies that have excelled in the use, development and deployment of IT in the past 12 months. The award ceremony for the UK IT Industry Awards will take place on the 14th November in Battersea, London.

The EndaceProbe is the industry’s only, truly, open packet capture platform, allowing both hosting of and integration with commercial, open-source and custom analytics applications.

You can learn more about Endace’s network monitoring products, analytics platform, and network packet history recording solutions here.


Endace Team Winners at Cyber Challenge

Original Entry by : Mark Evans

This year’s Cyber Challenge, run by the University of Waikato, attracted a wide range of participants from around the country with participants attending from schools and tertiary institutions as well as industry.

The youngest competitor was just twelve-years-old!

As a longtime sponsor of the event, Endace this year decided to enter three teams in the challenge.

Teams participated in a series of challenges, including capture-the-flag challenges and a drone challenge. Endace team, Team Dark Arts (consisting of Deepak Ramaprasad, Leo Liu and Dr. Andreas Löf) took line honours after Rounds 1 and 2, taking out the prize for the winning team for Rounds 1 and 2.

Team Dark Arts donated their prize to the runners-up after Rounds 1 and 2, Team Arcton (Jeremy Symon and Grady Hooker, another industry team). Which then graciously donated the prize to the third-placed team, Team Purple (James Donaldson and Tom Crisp), another industry team.

However overall glory, and bragging rights for 2018, fell to Team Elliptic Curveballs (Jacob Cheatley, Michael Jang and Logan Krippner – all University of Waikato computer science students). Congratulations guys!

Associate Professor, Dr. Ryan Ko, Head of Cyber Security Lab and Director, New Zealand Institute for Security and Crime Science, said this year’s Cyber Challenge was the toughest yet.

“The standard of competitors keeps getting higher, but we’re also creating more challenging tasks. It speaks well for the future cybersecurity landscape, and the University of Waikato,” Dr. Ko said.

Congratulations to all the participants in this year’s Cyber Challenge, and our thanks to the team at the University of Waikato for hosting the event.

And to all the Endace participants, from all the teams: “well done, you did us proud!”


Black Hat Europe 2017: Where the Best Minds in Cybersecurity Meet

Original Entry by : Leah Jones

Christmas and New Year may be approaching fast, but the ever-changing and unpredictable world of Information Security continues at full speed.

From the 4th-7th of December, we’ll be exhibiting at Black Hat Europe at the ExCel, London.

Attended by cybersecurity professionals and enthusiasts from around the world, Black Hat Europe 2017 will bring the best and brightest in the industry together to share information on the latest research, developments and trends.

We’ll be at our at stand (booth 201) throughout the event to answer questions and to share thoughts and ideas with attendees, particularly on the major breaches of recent years and the impending GDPR legislation. With the May 2018 deadline not far away, organizations need to be aware of how to respond to potential data breaches quickly or face hefty fines if they are inadequately prepared.

Some of the major breaches that we’ll be discussing include:

  • Equifax, a victim of one of the largest hacks in recent memory. The company took two months to admit that the breach had taken place. Post-GDPR, Equifax would need to reduce their identification and reporting time from two months to just 72 hours.
  • Deloitte, where a cyberattack on the company’s Azure-hosted email server’s administration account resulted in confidential documents and emails being stolen. To prepare for GDPR, cloud providers need to prioritize network visibility, something that current cloud software structures often hinder.
  • TalkTalk, which announced in 2015 that a breach had taken place, erred on the side of caution by “over-reporting”, later discovering the breach was not as bad as first thought. Under GDPR, more companies may be inclined to over-report, given potential fines of up to 4% of their global revenue for under-reporting. In a post-GDPR world, precision in post-breach analysis and forensics is essential.

We’ll be demonstrating how our EndaceProbe Network Recorders can be integrated with security tools from partners like Cisco, Splunk, Plixer and Palo Alto Networks to accelerate the investigation of security alerts and help companies to identify and respond to intrusions before they can escalate into a major breach.

We’ll also be talking to attendees about why recording their network traffic provides the only truly reliable evidence for conclusively determining the cause and scope of security intrusions and breaches.

Attending Black Hat London 2017 and want to learn more about Endace? Visit our exhibition at booth 201 and meet our team. If you’re unable to attend Black Hat, visit our website to learn more about Endace and our EndaceProbe Network Recorders . Or follow us on Twitter or LinkedIn


How to protect against nation state attackers

Original Entry by : Mark Evans

“One of my worst nightmares [as an attacker] is that out-of-band network tap that really is capturing all the data, understanding anomalous behaviour going on. And someone’s paying attention to it.”
Rob Joyce, NSA: “Disrupting Nation State Attackers, Jan 2016” (22:10)

It’s great to see the efficacy of packet capture and network recording acknowledged by such an eminent cybersecurity Tsar as Rob Joyce.

If you haven’t already seen his video presentation on Disrupting Nation State Attackers, it’s well worth a watch. Before being shoulder-tapped to take up his new role as a cybersecurity advisor to Trump’s National Security Council, Joyce headed up the Tailored Access Operations division of the NSA.

The NSA’s TAO division is responsible for “providing tools and expertise in computer network exploitation to deliver foreign intelligence.” In other words, it is responsible for finding, and taking advantage of, the very network vulnerabilities that we’re all trying to protect against.

In his presentation at the Usenix Enigma conference last year, Joyce outlined key steps organizations can take to protect themselves against the sort of sophisticated techniques employed by Nation State attackers and criminal elements looking to attack your network.

Much of his advice is practical common sense. Know everything on your network, understand it, and update and patch everything. We all know this is critical, but all too often it doesn’t happen. Take patching for example. Joyce says that, in his experience, many organizations undertake security audits to identify known vulnerabilities, but frequently have still not fixed those vulnerabilities by the time the next audit rolls around months later.

Joyce also explodes a common myth – that sophisticated intruders rely on zero day threats. In fact, he says, zero day threats are far from being biggest danger to corporate networks. For any large network, he says:

Persistence and focus will get you in and achieve that exploitation without the zero days. There’s so many vectors that are easier, less risky and quite often more productive.

The cause of most intrusions, says Joyce, come down to one of things (the “Big Three”):

  • Email:  “a user clicked on something they shouldn’t have”
  • Malicious websites“they’ve gotten to a malicious website … and it’s either executed or they’ve run content from that website.”
  • Removable media – “where a user inserted contaminated media“. [As an aside, someone once told me the easiest way to get malware into an organization is to load it on a USB stick labelled “Payroll”, drop it in the carpark and leave the rest to curiosity!].

Joyce outlines the importance of making sure that sources of information about activity on the network – such as log files or network packet captures – are actually being monitored. “You’d be amazed at incident response teams that go in and there’s been some tremendous breach .. Yep, there it is right there in the logs.”

But perhaps the best piece of strategic advice he offers is this:

“Consider that you’re already penetrated. Do you have the means and methods to understand if somebody’s inside your network?”

That change in focus is important. Statistics show intrusions are becoming increasingly commonplace. Once organizations move from “we need to make sure we’re not penetrated” to “maybe we already are penetrated” they start to understand what tools, skills and processes they need to put in place to identify intrusions and stop an initial penetration from going on to become a more serious data breach. Or, if they have already been breached, what do they need to make sure they can identify how it happened and what was compromised?

Joyce’s presentation is a salient reminder that ensuring the basics of network security hygiene is critical. And that the battle to defend against attackers is an ongoing one. As fast as you tighten up your security, new vulnerabilities emerge that put you at risk.

Take a look at the video. You’ll find it’s 30 minutes of your time very well spent!

Cybersecurity Resources

Some of the useful resources that Joyce discusses and recommends are listed below

NOTE: The two links to the IAD site above require installing the DoD Root CA Certificates to avoid getting an “untrusted website” notification. More information here.