How to protect against nation state attackers

Original Entry by : Mark Evans

“One of my worst nightmares [as an attacker] is that out-of-band network tap that really is capturing all the data, understanding anomalous behaviour going on. And someone’s paying attention to it.”
Rob Joyce, NSA, “Disrupting Nation State Attackers”, Jan 2016 (at 22:10)

It’s great to see the efficacy of packet capture and network recording acknowledged by such an eminent cybersecurity Tsar as Rob Joyce.

If you haven’t already seen his video presentation on Disrupting Nation State Attackers, it’s well worth a watch. Before being shoulder-tapped to take up his new role as a cybersecurity advisor to Trump’s National Security Council, Joyce headed up the Tailored Access Operations division of the NSA.

The NSA’s TAO division is responsible for “providing tools and expertise in computer network exploitation to deliver foreign intelligence.” In other words, it is responsible for finding, and taking advantage of, the very network vulnerabilities that we’re all trying to protect against.

In his presentation at the Usenix Enigma conference last year, Joyce outlined key steps organizations can take to protect themselves against the sort of sophisticated techniques employed by Nation State attackers and criminal elements looking to attack your network.

Much of his advice is practical common sense. Know everything on your network, understand it, and update and patch everything. We all know this is critical, but all too often it doesn’t happen. Take patching for example. Joyce says that, in his experience, many organizations undertake security audits to identify known vulnerabilities, but frequently have still not fixed those vulnerabilities by the time the next audit rolls around months later.

Joyce also explodes a common myth – that sophisticated intruders rely on zero-day threats. In fact, he says, zero-day threats are far from being the biggest danger to corporate networks. For any large network, he says:

Persistence and focus will get you in and achieve that exploitation without the zero days. There’s so many vectors that are easier, less risky and quite often more productive.

The cause of most intrusions, says Joyce, comes down to one of three things (the “Big Three”):

  • Email: “a user clicked on something they shouldn’t have”
  • Malicious websites: “they’ve gotten to a malicious website … and it’s either executed or they’ve run content from that website.”
  • Removable media: “where a user inserted contaminated media”. [As an aside, someone once told me the easiest way to get malware into an organization is to load it on a USB stick labelled “Payroll”, drop it in the carpark and leave the rest to curiosity!]

Joyce outlines the importance of making sure that sources of information about activity on the network – such as log files or network packet captures – are actually being monitored. “You’d be amazed at incident response teams that go in and there’s been some tremendous breach … Yep, there it is right there in the logs.”

But perhaps the best piece of strategic advice he offers is this:

“Consider that you’re already penetrated. Do you have the means and methods to understand if somebody’s inside your network?”

That change in focus is important. Statistics show intrusions are becoming increasingly commonplace. Once organizations move from “we need to make sure we’re not penetrated” to “maybe we already are penetrated”, they start to understand what tools, skills and processes they need to put in place to identify intrusions and stop an initial penetration from going on to become a more serious data breach. Or, if they have already been breached, what they need in order to identify how it happened and what was compromised.

Joyce’s presentation is a salient reminder that ensuring the basics of network security hygiene is critical. And that the battle to defend against attackers is an ongoing one. As fast as you tighten up your security, new vulnerabilities emerge that put you at risk.

Take a look at the video. You’ll find it’s 30 minutes of your time very well spent!

Cybersecurity Resources

Some of the useful resources that Joyce discusses and recommends are listed below

NOTE: The two links to the IAD site above require installing the DoD Root CA Certificates to avoid getting an “untrusted website” notification. More information here.


Dynatrace Perform 2017

Original Entry by : Mark Evans

Endace was an exhibiting partner at Dynatrace Perform in Las Vegas this month. Perform is the annual conference for Dynatrace users and attracts attendees from all over the world.

Attendees at Dynatrace Perform 2017 in Las Vegas

The conference sessions were packed, and our booth in the partner area was swamped during the partner sessions!

In fact it was so busy we didn’t have time to take photos of our booth! So here’s one of Dynatrace’s photos instead. And if you want more, there’s a big gallery of photos on this page.

In the Partner Lounge, Blaine Deutsch and Tom Leahy demonstrated how EndaceProbes integrate with Dynatrace DC RUM to provide instant access to network packet history as definitive evidence for troubleshooting application performance issues. They also showed how using EndaceProbes to Playback recorded history to an instance of the virtual AMD agent hosted in Application Dock offers new options for deep investigation of historical events.

If you weren’t able to make the event, here are the presentations:

We thoroughly enjoyed being at Perform 2017. And being in Las Vegas on Superbowl Sunday prior to the conference was certainly an experience too.

Thanks to all the attendees who came to our stand. We had some really interesting conversations which we look forward to picking up with you again very soon.

And thanks to Nathan, Mike, Paula and the team from Dynatrace for making us welcome and ensuring we had everything we needed too. A great event guys!


NEW: EndaceProbe 114 Branch Office Network Recorders

Original Entry by : Endace

Launching at Black Hat this week, the EndaceProbe 114 is purpose-built for deployment in remote locations or branch offices. It offers the same 100% accurate recording, centralized management, data mining and retrieval, and application hosting as the rest of the EndaceProbe family, but comes in a compact, short-depth format that makes it ideal for branch office deployment.

The EndaceProbe 114 allows organizations to cost-effectively extend their network visibility right out to the network edge and eradicate the blind spots that can make branch office locations an attractive target for attackers.


New Partners – Plixer and Cisco

Original Entry by : Endace

Last month we announced a partnership with Plixer to provide integration between EndaceProbe™ Network Recorders and Plixer’s Scrutinizer™ NetFlow Analytics suite. This leverages Endace Fusion’s API to enable SOC and NOC teams to pivot directly from Scrutinizer alerts to packet-level detail in traffic recorded on EndaceProbes across the network, delivering the detailed data that enables analysts to quickly investigate and establish the root cause of an alert.

We have also joined the Cisco Solution Partner program. This partnership provides customers using Cisco’s Firepower™ Management Console with single-click access to EndaceVision for powerful visualization of network traffic and rapid drill down to recorded network packets using Endace Fusion’s Pivot to Vision and Pivot to Packets API functions.

Are you a Cisco Firepower or Plixer Scrutinizer user?

Contact sales@endace.com to organize a demo so you can see how this integration can dramatically speed up your investigations.


Come see us at Black Hat

Original Entry by : Endace

It seems everyone is in Las Vegas for Black Hat this week. We’re excited. Yes, we’re here too and we’d love to see you.

So drop in and see us at Booth #1572 where you’ll be able to check out our new EndaceProbe 114 Branch Office Network Recorder, see demos of our Cisco® FireSIGHT™ Management Center and Splunk™ integrations and we’ll also be showing off the new features of EndaceVision 2.0.

Plus we have some handsome battery packs and notebooks to give away. So swing by and say Hi.


EndaceProbe 9000-XS: Industry-leading storage density provides extended back-in-time network history for forensic analysis

Original Entry by : Endace

With up to 192TB of storage per appliance, the new EndaceProbe™ 9000-XS series network recorders provide a highly scalable network recording solution, offering Petabytes of clustered and/or distributed storage capable of storing weeks, or months, of network history.

The massive storage of the 9000-XS EndaceProbes makes them an ideal choice as always-on recorders capturing a detailed history of network activity for forensic analysis of data breaches and speeding up the investigation and resolution of network security or performance issues.

See our press release about the new XS series and check out the complete range of EndaceProbe 100% accurate, high-speed network recorders.

Or download the EndaceProbe 9000 series datasheet.


Finding session-related problems using EndaceVision

Original Entry by : Endace

Network monitoring tends to focus heavily on bandwidth, addressing the question, “Do I have the capacity to carry the traffic that my business requires?” Capacity, however, must include session count and lifecycle, which are often overlooked until they become a problem. That’s why EndaceVision™ 6.0 Network Visibility Software has added two new tools to deal with sessions: TCP Flags view and client/server breakdown.



Improving network monitoring performance with the next generation EndaceProbes

Original Entry by : Erez Birenzwig

When the current EndaceProbe® Network Recorder product range was introduced more than five years ago, most enterprise networks were only starting to think about upgrading to 10Gb Ethernet (10GbE) speeds. Since then, most IT departments have adopted 10GbE in their core, 1GbE to the desktop and laptop has become standard, and many organizations are looking to move up to 25GbE, 40GbE or higher speeds. At the time, EndaceProbes were the highest performing and most reliable network packet capture devices available, helping our customers migrate their monitoring from 1GbE to 10GbE. In the same way that we enabled that migration, we are now introducing the next generation of network recording products as enterprises incorporate higher network speeds.



NetPod: Dynatrace and Endace Team to Modernize AA-NPM

Original Entry by : Jeff Brown

By Jeff Brown and Gary Kaiser (Dynatrace)

So what’s going on?

Dynatrace and Endace have announced NetPod™, a fully integrated solution that combines Dynatrace’s Data Center Real-User Monitoring and Endace’s EndaceProbe™ Network Recorder. It is no small thing when two independent companies agree to take their market-leading products and create a new branded offering, so you have to figure there is something valuable going on here.



On decreasing incident response time

Original Entry by : Boni Bruno

It seems that security incidents are occurring more often, with mild to significant impact on consumers and on organizations such as Target and Sony.

Referring to the Verizon Data Breach Report year after year confirms that response times to such incidents are increasing rather than decreasing, and in many cases the root cause is not identified until months after the security incident. This can cause a pessimistic view among many security teams. However, there are a lot of good things happening in the security space that I want to share with you.
