Endace Packet Forensics Files: Episode #14

Original Entry by : Michael Morris

Michael talks to Brett White, Cybersecurity Architect and Advisor.

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

Looking for insights into how to improve your cybersecurity posture? You won’t want to miss our last episode of the Endace Packet Forensic Files for 2020. This episode features special guest Brett White, Cyber Security Advisor and Architect.

Brett has many years of experience at Juniper, Cisco and Palo Alto Networks architecting security solutions and advising clients on how to improve their security stacks and processes. He has also worked as both an in-house CISO and as a “CISO for hire”.

In this episode, Brett shares some recommended best practices for robust cybersecurity including the key foundational components of network-wide visibility and high-quality threat intelligence. He also highlights the importance of stepping back from focusing on technology alone and building a security strategy focused on your organization’s business goals, outcomes, and security imperatives.

Finally, Brett puts his predictions hat and suggests three future areas of cybersecurity to keep an eye on to improve your overall security strategy.

Packet Forensics Files will be back after the Christmas and New Year period with our next installment. In the meantime, we wish you a happy and safe Christmas and New Year. Take care.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #9

Original Entry by : Michael Morris

Michael talks to Shamus McGillicuddy, VP of Research for Enterprise Management Associates

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

Want to hear the latest trends and challenges in the network performance management space?

Don’t miss our latest episode of the Endace Packet Forensic Files Vidcast/Podcast series with special guest Shamus McGillicuddy, VP of Research at Enterprise Management Associates (EMA).

Shamus is an industry-leading market research analyst with years of experience in the Network Operations space. He shares his insights on some of the biggest changes going on with NetOps teams and tools including the impact of the pandemic and the massive shift to remote workforces which is driving more complexity and creating performance challenges.

Shamus talks about the importance of both meta-data and full packet data in enabling NetOps teams to be faster and more accurate in solving network issues. Finally, he reveals some differentiators and trends in the monitoring of next-gen, software-defined networks and things to look out for over the next 18 months.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #8

Original Entry by : Michael Morris

Michael talks to Scott Register, VP of Security Solutions for KeySight Technologies

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

Catch our latest episode of “Secure Networks – the Packet Forensic Files” vidcast/podcast series with this week’s special guest Scott Register, VP of Security Solutions for KeySight Technologies.

Scott, with his years of experience in building security solutions, shares some of the biggest challenges SecOps teams are facing in today’s environment and what they are doing to solve them.

He talks about the latest trends in the threat landscape and what security teams are doing to test and monitor for these attacks.  Hear how threat simulation can help both validate tool readiness and people processes to elevate your security prevention and response.

Finally, Scott shares his insights into implementing security in 5G and WiFi infrastructures as well as traditional networks and data centers.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #7

Original Entry by : Michael Morris

Michael talks to Travis Rosiek, CTO and Strategy Office at BluVector (a Comcast company)

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

If you haven’t caught up with the insights from our “Secure Networks – the Packet Forensics Files” vidcast/podcast series yet, here is your chance to see what you have been missing out on. This week’s special guest is Travis Rosiek, CTO and Strategy Officer for BluVector (a Comcast company).

Travis, a long-time government cybersecurity specialist, shares his insights into what he sees companies and government agencies are missing from their security strategies.  He talks about how you can begin to move your security activity from being merely reactive to a more proactive approach.

Travis discusses some of the specific challenges and advantages government agencies face compared to enterprises and what both groups can do to elevate their security posture.  He also shares his insights into best practices to protect your IT infrastructure and things to look out for in the ever-changing security landscape.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #6

Original Entry by : Michael Morris

Michael talks to Betty Dubois, Founder and CEO of Packet Detectives

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

Don’t miss the latest episode of our Endace Packet Forensic Files Vidcast/Podcast series with this week’s special guest Betty Dubois, CEO /Founder of Packet Detectives and renowned Sharkfest Speaker.

Betty talks about the challenges NetOps and SecOps teams are facing in today’s IT environment. She highlights best practices teams are adopting to adjust to today’s environments and shares her recommendations about how NetOps and SecOps teams can elevate their network investigation skills and processes.

Betty also gives some great tips on how to become a packet capture and Wireshark “power-user” and addresses some of the misconceptions about PCAP data.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace Packet Forensics Files: Episode #5

Original Entry by : Michael Morris

Michael talks to Gerard Martir, Network Solutions Team Specialist at Keysight Technologies

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

Tune in for the latest episode of our Endace Packet Forensic Files Vidcast/Podcast series with this week’s special guest Gerard Martir, Network Solutions Team Specialist for KeySight Technologies.

Gerard’s years of experience in the telecom space give him great insight as to how carriers are addressing cybersecurity along with how the roll out 5G will deliver better performance and tighter security.

Gerard talks about some of the adjustments telecom providers are making in the era of the global pandemic and the changing priorities cause by massive shifts to remote workforces across the globe. He also provides insight into some of the technology best practices carriers are implementing to ensure performance, resiliency and security across their cutting-edge networks.

Other episodes in the Secure Networks video/audio podcast series are available here.


Wireshark without the wait!

Original Entry by : Cary Wright

With Wireshark on EndaceProbe you can quickly search hundreds of Terabytes of packet data to analyze important packets in Wireshark

By Cary Wright, VP Product Management, Endace


Cary Wright, VP Product Management, Endace

Who can afford to wait when responding to a critical security incident? With Wireshark now hosted on EndaceProbe we have eliminated all the waiting around to see packet evidence. Reviewing captured network history will often reveal vital evidence needed to remediate a threat, evidence that may have been wiped from system logs.

Unfortunately, if you’re using Wireshark on your desktop to view that evidence you know it can be a very slow process. Just downloading a multi-GB capture file from your capture appliance can take a while, and then loading it up on your desktop can also be a lengthy process.  All this waiting and context switching is a productivity hit for you and your team– not to mention a data privacy risk if those PCAPs are sitting on your desktop or laptop.

I’m excited to say there will be no more waiting around to view packets with our newly released OSm 7.0 software! A full instance of native Wireshark is now hosted right on each EndaceProbe appliance so you can review captured network traffic quickly and securely. We have also included WireShark on each Endace InvestigationManager instance, allowing you to search over up to 100 EndaceProbes in parallel and present a single merged packet view inside Wireshark.

There is no need to download large PCAPs over the network, and no need to store them insecurely on your desktop PC or laptop to view in Wireshark. Viewing network packet captures is now lightning fast because EndaceProbe high-performance hardware serves the packets from the local RAID directly to a Wireshark instance hosted on the EndaceProbe.

If you’re a regular Wireshark user you will know that Wireshark doesn’t handle large PCAPs very well, just loading a 1GB file can take forever let alone a 100TB pcap. With Wireshark on EndaceProbe you can now quickly search hundreds of Terabytes of packet data to view or analyze important packets in Wireshark. The workflow is much faster and more secure. And Wireshark power users will be glad to know it’s a full Wireshark instance with all the useful features and decodes that you’ve come to know and love.

Here’s a sneak preview:

Wireshark on EndaceProbe with OSm7
With OSm 7.0, now you can go directly from EndaceVision to Wireshark hosted on EndaceProbes – without having to download large pcap trace files.

Endace + XSOAR = Nirvana for the SoC

Original Entry by : Cary Wright

Integrating Palo Alto Cortex XSOAR with the EndaceProbe Analytics Platform

By Cary Wright, VP Product Management, Endace


Cary Wright, VP Product Management, EndaceThis week we are announcing an exciting integration with Palo Alto Networks Cortex XSOAR, formerly Demisto. This integration provides XSOAR customers with automated playbooks that easily pull in packet-level evidence for fast, conclusive, and repeatable response to security incidents. This integration complements our existing partnership with Palo Alto Networks NGFW and Panorama so now you can access packet-level data across multiple Palo Alto solutions.

So what is this “Nirvana for the SoC” we are all striving for?

The most effective SoC teams I’ve seen are well-oiled machines, reviewing and resolving many potentially dangerous security incidents each day and neutralizing threats quickly and confidently. What makes these teams successful is a repeatable and well-understood process, based on evidence, backed by automation, with integrated workflows across a suite of best in class security tools.

These teams have a wide range of experience–from new recruits to seasoned experts–all highly motivated and working collaboratively to solve complex issues. This exceptional environment not only provides high levels of productivity and security, but it also is great for team morale, staff retention, and hiring. Adding new staff is streamlined because all the processes are documented and/or automated, workflows are simple, and less experienced hires can contribute quickly. I am sure you would agree this is the SoC team Nirvana that we are all striving for?

SoC teams are flying blind without network packet history at their fingertips. Sophisticated attackers do their best to cover their tracks by modifying server logs or deleting evidence. However,   packets don’t lie and can’t be tampered with. That’s why many SoC teams deploy EndaceProbe alongside their firewalls so they can turn to the packets to investigate their most challenging security incidents. It’s the evidence needed to know without a doubt what happened at 2pm last Tuesday afternoon when a security alert indicated a potential attack.

We integrated with Cortex XSOAR because we realized that many teams were missing the essential packet-level evidence required for fast and conclusive security investigations. XSOAR playbooks now automate the collection of packet evidence from any EndaceProbe in the deployment. Packet evidence is then archived and attached to a “case” or “war room” allowing multiple team members to contribute to the investigation at any time in the future.

The complete workflow can be integrated with the entire security tool suite including endpoint, network, SIEM, NGFW, and other security elements. And finally, these playbooks can be customized to suit the specific needs of the organization.

Check out the demo video on Palo Alto Network’s Fusion partner page to see this integration in action, and reach out if you’d like more information.

I am very proud of what our team has achieved with this integration to Cortex XSOAR. Our customers can now manage alerts across all sources using a standard process, take action on threat intel, and automate response for any security use case – resulting in significantly faster responses that require less manual review. I’m really looking forward to seeing our customers take advantage of this new capability to create their own SoC team Nirvana.

Happy hunting,

Cary

 


Packet Detectives Episode 2: The Case of the Unknown TLS Versions

Original Entry by : Michael Morris

Demystifying Network Investigations with Packet Data

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

As we discussed with Ixia and Plixer recently in our How to Combat Encrypted Threats webinar (which you can watch here if you are interested) newer versions – 1.2 and 1.3 – of TLS should be preferred over older versions – 1.0 and 1.1 – because they’re much more secure, and better protect data in flight.

But removing older versions of TLS from your network can be challenging. First, identifying which versions are actually being used. Second, identifying which servers and clients are using outdated versions. And lastly, updating any servers inside your network that are using older TLS versions, and potentially blocking access to servers outside the network using older versions too, all without causing your users to scream!

It’s not just users you need to worry about either. Potentially you may have IoT devices on your network that are still using older TLS versions.

Thankfully, if you have access to recorded network traffic there’s an easy way …

In this second installment of Packet Detectives, industry-renowned SharkFest presenter and all-round Wireshark guru, Betty DuBois, shows how you can quickly answer all these questions using Wireshark to analyze the TLS traffic on your network to see which hosts and clients are using which versions. She has even created a special, custom Wireshark profile you can download to make the analysis even easier!

The truth is in the packets …

We hope you find this video useful. Please let us know if you have ideas for other examples you’d like to see.


Network Security and Management Challenges Blog Series – Part 4

Original Entry by : Endace

Driving Economic Efficiency in Cyber Defense

Key Research Findings

  • Available budget, freedom to choose the best solutions and platform fatigue are all impacting on the ability of system architects to design and deploy the best solutions to meet the organization’s needs.
  • 78% of system architects reported platform fatigue is a significant challenge with 29% rating the level of challenge as high.
  • More than 90% of respondents reported that the process of acquiring and deploying security, network or application performance platforms is challenging, with almost half reporting that it is either extremely or very challenging.

Most of what’s written about cybersecurity focuses on the mechanics of attacks and defense. But, as recent research shows, the economics of security is just as significant. It’s not just lack of available budget – departments always complain about that – but how they are forced to allocate their budgets.

Currently, security solutions are often hardware-based, which forces organizations into making multiple CAPEX investments – with accompanying complex, slow purchase processes.

More than three-quarters of respondents to the survey reported that “the challenge of constraints caused by CAPEX cycle (e.g. an inability to choose best possible solutions when the need arises) is significant.”Almost half reported being stuck with solutions that have “outlived their usefulness, locked into particular vendors or unable to choose best-of-breed solutions.

Speed of deployment is also a significant challenge for organizations, with more than 50% of respondents reporting that “deploying a new security, network or application performance platform takes six to twelve months or longer.” 

As outlined in the previous post, existing security solutions are expensive, inflexible, hardware-dependent and take too long to deploy or upgrade. The process of identifying a need, raising budget, testing, selecting and deploying hardware-based security and performance monitoring solutions simply takes too long. And the cost is too high.

Contrast this with cyber attackers, who don’t require costly hardware to launch their attacks. They are not hampered by having to negotiate slow, complex purchase and deployment cycles. And often they leverage their target’s own infrastructure for attacks. The truth is that the economics of cybersecurity is broken: with the balance radically favoring attackers at the expense of their victims.

Reshaping the economics of cyberdefense

Companies have a myriad of choices when it comes to possible security, network performance and application performance monitoring solutions. Typically, they deploy many different tools to meet their specific needs. 

As discussed in the previous post, the lack of a common hardware architecture for analytics tools has prevented organizations from achieving the same cost savings and agility in their network security and monitoring infrastructure that virtualization has enabled in other areas of their IT infrastructure. As a result, budgets are stretched, organizations don’t have the coverage they’d like (leading to blindspots in network visibility) and deploying and managing network security and performance monitoring tools is slow, cumbersome and expensive.

Consolidating tools onto a common hardware platform – such as our EndaceProbe – helps organizations overcome many of the economic challenges they face:

  • It lets them reduce their hardware expenditure, resulting in significant CAPEX and OPEX savings. 
  • Reduced hardware expenditure frees up budget that can be directed towards deploying more tools in more places on the network – to remove visibility blind spots – and deploying tools the company needs but couldn’t previously afford.
  • Teams gain the freedom to choose what tools they adopt without being locked into “single-stack” vendor solutions. 
  • Teams can update or replace security and performance monitoring functions by deploying software applications on the existing hardware platform without a rip-and-replace. This significantly reduces cost and enables much faster, more agile deployment.

The cost of the hardware infrastructure needed to protect and manage the networks can also be shared by SecOps, NetOps, DevOps and IT teams, further reducing OPEX and CAPEX costs and facilitating closer cooperation and collaboration between teams.

For architects, a common hardware platform becomes a network element that can be designed into the standard network blueprint – reducing complexity and ensuring visibility across the entire network. And for IT teams responsible for managing the infrastructure it avoids the platform fatigue that currently results from having to manage multiple different hardware appliances from multiple different vendors.

Because analytics functionality is abstracted from the underlying EndaceProbe hardware, that functionality can be changed or upgraded easily, enabling – as we saw in the last post – far more agile deployment and the freedom to deploy analytics tools that best meet the company’s needs rather than being locked into specific vendors’ offerings.

Equally importantly, it extends the useful life of the EndaceProbe hardware too. No longer does hardware have to be replaced in order to upgrade or change analytics functionality. And as network speeds and loads increase, older EndaceProbes can be redeployed to edge locations and replaced at the network core with newer models offering higher-speeds and greater storage density. This ensures companies get maximum return on their hardware investment.

Lastly, their modular architecture allows multiple, physical EndaceProbes to be stacked or grouped to form centrally-managed logical EndaceProbes capable of scaling to network speeds of hundreds of gigabits-per-second and storing petabytes of network history.

A Final Word

This blog series has looked at the three key challenges – Visibility, Agility and Economic Efficiency (this post) – that enterprises report they face in protecting their networks and applications from cyber threats and costly performance issues. These challenges are interrelated: it is only by addressing all three that organizations can achieve the level of confidence and certainty necessary to effectively protect their critical assets.