Cisco Live US 2025 SOC – PCAP or it didn’t happen!

Original Entry by : Barry "Baz" Shaw

By Barry “Baz” Shaw, Senior Engineering Manager, Technology Partner Programs, Endace


Barry

Elevating Incident Response with the Ultimate Network Forensics

After a successful SOC @ RSAC2025, our team was stoked to be invited to help Cisco run the SOC at Cisco Live US (CLUS). We jumped at the chance to work with the Cisco team again. It was a great opportunity to innovate while helping Cisco protect and educate the attendees of the conference. Plus, the Cisco team is a lot of fun to hang out with—there’s a very infectious vibe in the SOC that has everyone buzzing for the entire week.

Packet capture is essential in the SOC. It provides an indelible record of all network activity, which is invaluable to the SOC team when investigating threats or security risks—hence the phrase, “PCAP or it didn’t happen.” For CLUS, we deployed two EndaceProbes with a combined storage of 864TB to continuously record all network activity delivered via 2 x 10GbE SPAN ports. This gave us the capacity to record at least several weeks of full network packet data—covering more than the entire duration of the show.

Endace Fusion integrations provided the glue between the Cisco Security suite and the packet data on the EndaceProbes, enabling analysts to quickly pivot from Splunk Enterprise Security/Splunk Cloud, Cisco XDR, Cisco Firepower, and Cisco Secure Network Analytics (SNA) through to EndaceVision and hosted Wireshark. When access to historical full PCAP is available in a seamless integration, security analysts are empowered with the ease of contextual access, and this simplifies the use of PCAP data, where previously it could be seen to be cumbersome to use.

The EndaceProbes each hosted two VMs that were running Zeek and delivering critical log data into Splunk. Custom Zeek script additions provided additional valuable detail around clear text passwords in email and HTTP, shining a light on the heavy use of insecure protocols, and ultimately driving automation to manage the unexpected volume. File-carving was enabled, and over 750,000 files were reconstructed from packet data, with over 40,000 samples submitted to Splunk Attack Analyzer (SAA) via Endace’s automatic submission software. SAA then sent over 12,000 files to Secure Malware Analytics (formerly Threat Grid) for dynamic analysis of the behavior.

SOC Findings and Lessons Learned

The SOC team was surprised and initially overwhelmed at the volume of unencrypted traffic on the network. Logging of passwords was coupled with a Cisco XDR automation that created an incident on each detection. This resulted in a heavy workload identifying and notifying users to educate and protect them in the future. The Splunk team developed a creative automated solution to notify users that the SOC detected their use of insecure protocols.

We even found a version of POP that was news to us all—APOP. This hashes the server timestamp in the response header with the user’s password to create a password digest. While this obscures the password, it only delays its inevitable retrieval, all the while the actual message bodies are still transferred in plain text!

In the theme of plain text passwords, reviewing the connections associated with one of these sessions showed a large number of file downloads in the Zeek log generated on EndaceProbe.  This was one of many clients that used the free conference Wi-Fi to download Windows update files, but after filtering out the cab files in a Splunk search, we found a suspicious-looking file:

A search on this filename in SAA confirmed the presence of a malware download by this unfortunate user, whom the SOC team made every effort to identify.

There were also a few notable occasions where Secure Firewall alerts indicated intrusion attempts, which, after a pivot to EndaceVision, were pulled up in Wireshark for further analysis. One alert of note was a “BROWSER-IE Microsoft Internet Explorer Chakra.dll Array.filter type confusion attempt” indicating a malicious web server was trying to exploit a vulnerability in IE. 

A review of the PCAP noted that the target client was, in fact, running Safari on MacOS X.

This indicated that even if the web server was launching a legitimate attack, the client was not vulnerable to this attempt and therefore no further action was required. This highlights the value of full PCAP, packets in related sessions that don’t trigger alerts can offer valuable insight and context to security analysts. This allows rapid determinations to be made with confidence.

Read more about the SOC at CLUS 25 on Cisco’s Blog here:

https://blogs.cisco.com/security/cisco-live-san-diego-2025-soc

Acknowledgements

Our thanks to the Cisco team, led by Jessica Bair-Oppenheimer and Steve Fink, for the opportunity to include EndaceProbes in the Cisco Live SOC architecture. The SOC team is a collection of Cisco experts across many Cisco solutions who were a pleasure to work with and innovate with.  We came away with a great appreciation for the power and ease of use of the Cisco Security tools. The close collaboration resulted in the Endace team leaving with not only ideas for further integrations and workflow improvements, but also prototype integration extensions that were developed and proved out during the SOC.

To learn more about all the ways Endace integrates with Cisco, check out:  https://www.endace.com/cisco.


Helping Protect Cisco Live 2025 in San Diego

Original Entry by : Michael Morris

By Michael Morris, Senior Director of Technology Alliances


Building on our collaboration in the SOC at RSAC 2025, Endace was honoured to be invited by Cisco to provide EndaceProbe packet capture and a team of threat hunters to support the Cisco Live Security Operations Center (SOC). Our primary goal was to protect the network and attendees at Cisco Live San Diego 2025, our secondary goals were to educate and innovate.

Two EndaceProbes were deployed in Cisco’s SOC-in-a-Box, continuously recording all network traffic provided over two 10G SPAN ports.  We integrated with Splunk Enterprise Security and Cisco Security Cloud to deliver real-time network visibility. This enabled the SOC team to detect, locate, and address threats to attendees from external and internal sources, and helped to streamline and accelerate SOC investigation workflows.

The SOC at Cisco Live aims to protect the more than 23,000 attendees from threats on the conference network. When an attendee’s device is found to be compromised or unsecured, the SOC team makes every effort to identify, locate and help remediate the issue. The SOC team also provided public tours of the SOC to educate attendees about how the SOC is configured, the processes team members implemented, and the sorts of issues and threats that we uncovered.

Drawing on our experience at RSAC 2025 (where Endace captured 36 TB of data and 45 billion packets) we further optimized our approach for Cisco Live’s SOC.

The SOC was set up in two days, leveraging prior planning and our engineers’ experience at RSAC 2025.

At Cisco Live, Endace:

  • Captured 78.9 TB of traffic representing 99.5 billion packets
  • Reassembled more than 740,000 file objects in real time and sent 42,624 files to Splunk Attack Analyzer for further analysis
  • Detected 2,256 occurrences of cleartext passwords being used from 92 unique devices
  • Provided packet-level forensic evidence to all the SOC analysts for investigating and triaging a range of security events
  • Integrated with Cisco XDR, Splunk, Cisco Firepower IDS, Splunk Attack Analyser, Cisco Secure Malware Analytics, Cisco Secure Network Analytics to provide a seamless IR workflow
  • Innovated with new integrations that streamed additional metadata into Splunk, which sped up the investigation and remediation process

It was impressive to see the whole team of Cisco and Endace Engineers pivoting to the packet data to investigate an entire range of security incidents. Inspecting the packet data enabled fast decisions because the team could see exactly what was happening on the wire before, during, and after any event. As they say, PCAP or it didn’t happen!

Having complete packet data available at the SOC team’s fingertips really highlighted the incredible value of always-on packet capture; recording every packet and delivering complete, real-time visibility into threats, performance issues, and anomalous behaviour across the network.

There is an infectious energy that we get when working in a SOC environment like this, with Engineers from different teams and companies collaborating to track down threats, and share ideas on how to improve the SOC. The Endace team came away with many learnings that will improve EndaceProbe and our partner integrations.

We look forward to being a part of the SOC again at some more big upcoming events – stay tuned, details coming soon.

Read more about the SOC at CLUS 25 on Cisco’s Blog here:

https://blogs.cisco.com/security/cisco-live-san-diego-2025-soc


Endace Packet Forensics Files: Episode #61

Original Entry by : Michael Morris

In Episode 61, Michael talks to JP Bergeaux, Federal CTO at GuidePoint Security

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

In my latest episode of the Endace Packet Forensic Files, I sit down with Jean-Paul (JP) Bergeaux, Federal CTO for GuidePoint Security, to explore federal cybersecurity. Our conversation dives into the challenges, technologies, and approaches reshaping how government agencies protect their digital infrastructure.

The critical importance of certifications like FIPS 140 and NIAP becomes clear. These aren’t bureaucratic checkboxes–they’re safeguards that ensure the reliability and security of technological solutions across federal networks. JP’s insights show how these standards help maintain the integrity of government systems.

The M-21-31 directives also emerge as a game-changer. Introduced in repsonse to the SolarWinds breach, these guidelines are transforming how agencies approach network forensics. Packet capture (PCAP) data is now considered the gold standard for threat detection, providing what JP calls “ground truth” in cybersecurity investigations. The real-world examples he shares are particularly compelling, especially cases where PCAP data reveals hidden threats.

We also tackle the challenges posed by generative AI. JP describes the “generative AI arms race”, where threat actors innovate rapidly, while government agencies must proceed with caution. It’s a balance between innovation and security that will define cybersecurity’s future.

One thing is clear from our conversation: the federal cybersecurity landscape is dynamic and demanding. Reactive security models are giving way to proactive approaches that integrate security across every layer of infrastructure.

Don’t miss this episode as JP shared valuable  insights into the front lines of federal cybersecurity and the tools, policies, and mindsets needed to stay ahead.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Endace and Cisco in the SoC at RSAC™ 2025

Original Entry by : Endace

Endace and Cisco® are co-sponsors of the SOC at RSAC™ 2025: providing SOC services for the conference, and monitoring traffic on the Moscone wireless network for security threats.

Experts in the SOC will be running Cisco Security Cloud, with Cisco Breach Protection Suite, Cisco User Protection Suite, and Cisco Secure Firewall; with Splunk Enterprise Security as the SIEM platform. EndaceProbe will provide always-on packet capture, recording network traffic in real-time.

As a long-time member of the Cisco Security Technical Alliance, our EndaceProbe Analytics Platform integrates with Cisco Firewall, XDR, Secure Network Analytics and Splunk.

Book a Tour of the SoC at RSAC™ 2025

Tours are offered Tuesday, Wednesday and Thursday at the times listed below and advance registration is highly recommended.  An Expo Pass is all you need to join the tour.

Tour Times:

Tuesday, April 29 – 10:10am, 3:00pm and 4:30pm

Wednesday, April 30 – 10:10am, 3:00pm and 5:00pm

Thursday, May 1 – 10:10am and 1:00pm

Book a SoC Tour

Visit Endace’s Booth at RSAC™ 2025

In addition to being in the SoC, the Endace team is also exhibiting at RSAC™ 2025. Come and see us at Booth #5176, located in the North Hall.

We will be showcasing our highly-scalable, always-on packet capture solutions for private cloud, public cloud and on-prem environments. Come and find out about:

  • The value of Always-on packet capture as a definitive source of evidence
  • Why packets are a such a critical source of truth for cybersecurity and network reliability
  • How to integrate definitive packet-level network history into your SoC and NoC teams’ network security tools for faster, more accurate incident forensics.

Apple Airpods MaxPLUS

Enter our booth raffle and you could win a pair of Apple Airpods Max headphones (two pairs to be won).

 

Don’t miss PROTECTED:
The Findings Report from the SOC at RSAC™ 2025.

If you have a full Conference Pass, we encourage you to join Cary Wright, Endace VP Product, Jessica Oppenheimer, Cisco’s Director of Security Operations, and Steve Fink, CTO and CISO at Secure Yeti, as they share security observations from the SoC at RSAC™ 2025.

Every year, this is an extremely popular conference session.


Endace Packet Forensics Files: Episode #60

Original Entry by : Michael Morris

In our 60th Episode, Michael talks to James Spiteri, Director of Product Management for Security Analytics at Elastic

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

It’s my pleasure to welcome James Spiteri from Elastic for this 60th Episode of the Packet Forensics Files. It’s a great milestone to have reached, and the series continues to grow in popularity – thanks to people like James who have joined me to share their valuable expertise and advice.

In this episode James brings a wealth of experience, having worked in cybersecurity and security operations for many years. From leading SOC teams to developing advanced solutions for generative AI and machine learning, his expertise is second to none.

We dive into the evolving landscape of nation-state cybersecurity threats. According to James, these attacks are highly sophisticated, leveraging bespoke malware, supply chain compromises, and cloud infrastructure. For SIEM vendors, this means platforms must provide comprehensive visibility and support diverse data sources to detect these threats effectively. Modern techniques like entity analytics, user behavior monitoring, and generative AI are essential in addressing these challenges.

Evolving cybersecurity regulations like GDPR and DORA demand effective data management and integrity. James highlights the role of AI in simplifying these processes, from validating data to automating complex tasks like incident reporting. Additionally, integrating SIEMs with legacy systems in critical infrastructure requires creative solutions, such as monitoring network events around outdated devices, to maintain visibility.

As we look to the future, James underscores the transformative role of generative AI in cybersecurity, both as a tool for defending against attacks and a potential weapon in the hands of cybercriminals. By staying ahead of these trends and embracing innovation, SIEM vendors can ensure organizations are better equipped to tackle the sophisticated threats of tomorrow.

Don’t miss this essential conversation—tune in for expert insights on how to fortify your defenses in the face of an increasingly complex cyber landscape.

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Endace Packet Forensics Files: Episode #59

Original Entry by : Michael Morris

Michael talks to Matt Bromiley about the importance of packet capture in threat hunting and how AI can improve detection and response.

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

With limited network visibility and overwhelming data volumes, organizations struggle to detect and respond to advanced cyber threats.  

In this episode of the Endace Packet Forensics Files, I talk with Matt Bromiley, a veteran in threat hunting and incident response. With over a decade of experience and a role as a SANS instructor, Matt brings a wealth of practical knowledge to our discussion.

Matt highlights the importance of robust detection and response systems before beginning any threat hunt. He explains that even when a hunt doesn’t yield immediate results, the insights gained are invaluable for understanding the security landscape. Matt points out that proactive threat hunting is about deeply understanding network traffic, which offers significant advantages over more traditional reactive approaches.

During our conversation, Matt emphasised network packet data’s critical role in cybersecurity. He describes it as the “glue” that ties together various pieces of evidence, providing a comprehensive view of any potential attack. According to Matt, analyzing decrypted traffic and DNS logs is essential for uncovering hidden threats that might remain undetected.

Matt talks about the challenges of threat hunting, particularly when dealing with large volumes of packet data and navigating legal constraints. He stresses the necessity of having a skilled team and the right tools to manage these challenges effectively. He also shares his insights on the growing role of AI in threat hunting, predicting that it will increasingly help automate routine tasks, freeing up analysts to focus on more complex threats.

Matt’s expertise underscores the importance of a proactive approach, a deep understanding of network data, and the use of the right tools to stay ahead of cyber threats.

Don’t miss this insightful episode, where Matt provides actionable advice for enhancing your threat-hunting capabilities and strengthening your cybersecurity defenses.  

Follow Matt on Linkedin

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Endace Packet Forensics Files: Episode #57

Original Entry by : Michael Morris

Michael talks to Ryan Chapman about the growing complexity of ransomware – how to prepare, investigate and respond.

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

Ransomware has shifted from simple, isolated attacks to coordinated, human-operated campaigns that target entire organizations.  

In this episode of the Endace Packet Forensics FilesI talk with Ryan Chapman, SANS Instructor and expert in Digital Forensic and Incident Response (DFIR) about these evolving threats.  

Ryan explains how attackers are becoming more methodical and sophisticated, focusing on disabling EDR/XDR solutions to evade detection and leaving organizations vulnerable to advanced attacks.  

One of the key challenges Ryan highlights is visibility. Without robust logging, packet capture, and monitoring tools, it’s nearly impossible to understand how an attack happened fully. Even encrypted traffic can reveal critical patterns if analyzed properly.   

Ryan shares examples of organizations that suffered reinfections because they rushed to restore systems without identifying the original entry point. Packet capture data plays a vital role in pinpointing when and how attackers infiltrated, ensuring a safe recovery and minimizing disruption.  

As ransomware tactics evolve, adopting a Zero-Trust approach is essential. Ryan discusses how limiting permissions and avoiding overly trusting software configurations can help prevent breaches. He cites the Kaseya attack, where some organizations avoided compromise by not blindly whitelisting trusted directories. As attackers increasingly use legitimate tools, verifying all network activity and following least privilege principles are critical defenses.   

Don’t miss this insightful episode, where Ryan provides actionable advice for preparing your organization against today’s ransomware threats.  

Follow Ryan on Linkedin

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Endace Packet Forensics Files: Episode #56

Original Entry by : Michael Morris

Michael talks to Cary Wright about why security certifications such as FIPS, NIAP, and DoD APL are important across industries.

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with Cary Wright, VP, Product at Endace about the importance and impact of Federal security certifications such as FIPS, NIAP, and DoD APL  to ensure the robust security of cybersecurity tools.

Although these standards are primarily applied in Federal Government, the rigorous testing that products must undergo to be compliant is extensive.  Regardless of your industry, you can be confident that products certified to these standards are robust and have been thoroughly tested and scrutinized.

Cary explores the detailed testing procedures these certifications entail and their role in enhancing network device security. The standards are continuously updated to ensure that they continue to address new cybersecurity challenges that emerge. We discuss the relevance of these standards for Government and Defense sectors as well as how they can provide surety for large enterprises looking to improve their security measures.

Cary explains what these certifications test in order to validate cybersecurity tools’ encryption strength and overall security robustness. He also talks about the challenges and costs to manufacturers of achieving these standards, and the real-world benefits this testing delivers – such as improved protocol security.

Don’t miss this episode as Cary provides valuable insights into the impact of Federal security certifications and the critical role they play in helping ensure best practices in  cybersecurity.

Follow Cary on Linkedin

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.