Network Security and
Management Challenges – Part 2: Visibility

Original Entry by : Endace

Stop Flying Blind: How to ensure Network Visibility

Network Visibility Essential to Network Security

Key Research Findings

  • 89% of organizations lack sufficient visibility into network activity certain about what is happening.
  • 88% of organizations are concerned about their ability to resolve security and performance problems quickly and accurately.

As outlined in the first post in this series, lack of visibility into network activity was one of the key challenges reported by organizations surveyed by VIB for the Challenges of Managing and Securing the Network 2019 research study. This wasn’t a huge surprise: we know all too well that a fundamental prerequisite for successfully protecting networks and applications is sufficient visibility into network activity. 

Sufficient visibility means being able to accurately monitor end-to-end activity across the entire network, and recording reliable evidence of this activity that allows SecOps, NetOps and DevOps teams to react quickly and confidently to any detected threats or performance issues. 

Context is Key

It might be tempting to suggest that lack of network visibility results from not collecting enough data. Actually, the problem is not possessing enough of the right data to provide the context that enables a coherent big-picture view of activity – and insufficient detail to enable accurate event reconstruction. This leaves organizations questioning their ability to adequately protect their networks.

Without context, data is just noise. Data tends to be siloed by department. What is visible to NetOps may not be visible to SecOps, and vice versa. It is often siloed inside specific tools too, forcing analysts to correlate data from multiple sources to investigate issues because they lack an independent and authoritative source of truth about network activity. 

Typically, organizations rely on data sources such as log files, and network metadata, which lack the detailed data necessary for definitive event reconstruction. For instance, while network metadata might show that a host on the network communicated with a suspect external host, it won’t give you the full details about what was transferred. For that, you need full packet data. 

In addition, network metadata and packet data are the only data sources that are immune to potential compromise. Log files and other data sources can be tampered with by cyber attackers to hide evidence of their presence and activity; or may simply not record the vital clues necessary to investigate a threat or issue.

Combining Network Metadata with Full Packet Data for 100% Visibility

The best possible solution to improving visibility is a combination of full packet data and rich network metadata. Metadata gives the big picture view of network activity and provides an index that allows teams to quickly locate relevant full packet data. Full packet data contains the “payload” that lets teams reconstruct, with certainty, what took place.

Collecting both types of data gives NetOps, DevOps and SecOps teams the information they need to quickly investigate threats or performance problems coupled with the ability to see precisely what happened so they know how to respond with confidence.

This combination provides the context needed to deliver both a holistic picture of network activity and the detailed granular data required to give certainty. It also provides an independent, authoritative source of network truth that makes it easy to correlate data from multiple sources – such as log files – and validate their accuracy.

With the right evidence at hand, teams can respond more quickly and accurately when events occur. 

In the next post in this series, we’ll look at how to make this evidence easily accessible to the teams and tools that need it – and how this can help organizations be more agile in responding to security threats and performance issues.


Introducing the Network Security and
Management Challenges Blog Series

Original Entry by : Endace

Recent research provides insight into overcoming the challenges of managing and securing the network

Network Security and Performance Management Research

A Big Thank-You

We’d like to take this opportunity to thank all of the companies and individuals that participated in both studies. Without your participation, it would not have been possible to produce these reports and the valuable insight they contain.

For those who didn’t get a chance to participate, please click here to register your interest in participating in our 2020 research projects.

Last year, Endace participated in two global research studies focusing on the challenges of protecting enterprise networks. The results of both provide powerful insights into the state of network security today, and what organizations can do to improve the security and reliability of their networks. In this series of blog posts, we’re going to take a deep dive into the results and their implications. 

We commissioned an independent, US-based research company, Virtual Intelligence Briefing (VIB) to conduct the research underpinning the Challenges of Managing and Securing the Network 2019 report. VIB surveyed senior executives and technical staff at more than 250 large, global enterprises to understand the challenges they face in protecting against cyberattacks threats and preventing network and application performance issues. 

Organizations from a range of industry verticals including Finance, Healthcare, Insurance and Retail participated. Annual revenues of participating companies were between $250M and $5B+, and respondents included senior executives such as CIOs and CISO, as well as technical management and technical roles. 

Our second research project was with Enterprise Management Associates (EMA) and was focused on looking at what leading organizations are doing to improve their cybersecurity and what tactical choices are making the biggest difference. This research was based on responses to a detailed survey of more than 250 large enterprises across a wide range of industries .

You can download a summary of EMA’s report here: “Unlocking High Fidelity Security 2019“.

So what did we find out? 

When it comes to securing their networks from cyberattacks, organizations find it hard to ‘see’ all the threats, making detection and resolution of security and performance issues cumbersome and often inconclusive. They lack sufficient visibility into network activity, with too few tools in too few places to be confident they can quickly and effectively respond to cyber threats and performance issues.

The need for greater agility was also a common challenge, with alert fatigue, tool fatigue and lack of integration between tools making the investigation and resolution process slow and resource-intensive. 

Organizations also face significant economic challenges in the way they are currently forced to purchase and deploy solutions. This leaves them unable to evolve quickly enough to meet the demands imposed by today’s fast-moving threat landscape and 24×7 network and application uptime requirements. 

In this series, we’ll explore each of these three challenges – Visibility, Agility and Economics – while also looking at how they are intrinsically inter-related. Understanding and addressing all of these challenges together revolutionizes network security and management, and enables organizations to realize greater efficiency while saving money.

Our next post will look at why organizations lack visibility into network activity and how they can overcome this challenge.


Packet Detectives Episode 1: The Case of the Retransmissions

Original Entry by : Michael Morris

Demystifying Network Investigations with Packet Data

By Michael Morris, Director of Global Business Development, Endace


Michael Morris, Director of Global Business Development, Endace

As I talk to security analysts, network operations engineers and applications teams around the world a common theme regularly emerges: that troubleshooting security or performance issues with log or flow data alone just doesn’t cut it.

Most folks report spending way too many hours troubleshooting problems only to realize they just don’t have enough detail to know exactly what happened. Often this results in more finger pointing and unresolved issues. Too much time spent investigating issues also causes other alerts to start piling up, resulting in stress and undue risk to the organisation from a backlog of alerts that never get looked at.

On the other hand, those that use full packet capture data to troubleshoot problems report significantly faster resolution times and greater confidence because they can see exactly what happened on the wire.

Many folks I talk to also say they don’t have the expertise necessary to troubleshoot issues using packet data. But it’s actually much easier than you might expect. Packet decode tools – like Wireshark – are powerful and quite self-explanatory. And there’s tons of resources available on the web to help you out. You don’t need to be a mystical, networking guru to gain valuable insights from packet data!

Getting to the relevant packets is quick and easy too thanks to the EndaceProbe platform’s integration with solutions from our Fusion Partners like Cisco, IBM, Palo Alto Networks, Splunk and many others. Analysts can quickly pivot from alerts in any of those tools directly to related packet data with a single click, gaining valuable insights into their problems quickly and confidently.

To help further, we thought it would be useful to kick-off a video series of “real-world” investigation scenarios to show just how easily packet data can be used to investigate and resolve difficult issues (security or performance-related) in your network.

So here’s the first video in what we hope to make a regular series. Watch as industry-renowned SharkFest presenter and all-round Wireshark guru, Betty Dubois, walks us through investigating an application slow-down that is problems for users. The truth is in the packets …

We hope you find this video useful. Please let us know if you have ideas for other examples you’d like to see.


Watch Endace on Cisco ThreatWise TV from RSA 2019

Original Entry by : Endace

It was a privilege to attend this year’s RSA cybersecurity event in San Francisco, and one of our top highlights was certainly the opportunity to speak to Cisco’s ThreatWise TV host Jason Wright. Watch the video on Cisco’s ThreatWise TV (or below) as Jason interviews our very own Michael Morris to learn more about how Cisco and Endace integrate to accelerate and improve cyber incident investigations.

In this short 4 minute video, Michael demonstrates how Cisco Firepower and Stealthwatch can be used together to investigate intrusion events, using Cisco dashboards and EndaceVision to drill down into events by priority and classification to show where threats come from, who has been affected and whether any lateral movement occurred, as well as conversation history and traffic profiles. Michael also explains how Cisco and Endace work together to ‘find a needle in a haystack’ across petabytes of network traffic.

A big thanks to Cisco and to Jason for giving us this spotlight opportunity. If you have any questions about how Cisco and Endace integrations can accelerate and improve cyber incident investigation, visit our Cisco partner page.


New OSm 6.5 brings ultra-fast, network-wide search to all EndaceProbe models

Original Entry by : Sebastian Mackay

OSm - Operating System for Monitoring

We are really excited to announce the release of OSm 6.5

This significant new release incorporates some major architectural changes and introduces a truly revolutionary feature – ultra-fast, network-wide search and data-mining – with the brand-new InvestigationManager™ application

Customers are always telling us how important it is to accelerate the investigation of security threats and performance issues so they can respond to them more quickly and more accurately.

InvestigationManager is a game-changer for analysts involved in the investigation process, allowing them to search across petabytes of globally-distributed Network History for specific “packets-of-interest” at lightning-speed, putting definitive evidence at their fingertips when they need it.

New Groundbreaking EndaceFabric Architecture 

Watch this short video for an overview of the architectural changes that OSm 6.5 introduces and how this new architecture underpins the amazing new, ultra-fast search capability that InvestigationManager brings to all EndaceProbe models.

InvestigationManager’s Ultra-Fast Search in Action

Watch this demo to see just how fast InvestigationManager can find specific “needle-in-the-haystack” packet from within more than a petabyte of Network History distributed across multiple EndaceProbes deployed around the world.

(Tip: prepare to be impressed!).

Want to Find Out More?

OSm 6.5 includes a number of other updates including:
• Real-time visualizations in both InvestigationManager and EndaceProbes (“Play Mode”)
• The ability to trigger, collect and export system and RAID dumps from one or more EndaceProbes at a time.

You can read more about the new features of OSm and the new InvestigationManager application on endace.com.

Or watch the video below for a deep-dive into the new features of OSm 6.5.2 and InvestigationManager and what the new ultra-fast search capability of InvestigationManager means for Threat Hunting.

How do I get hold of OSM 6.5?

OSm 6.5 is supported by all current EndaceProbe models.

The downloadable image and documentation for OSm will be available on the Endace Support Portal from early February, 2019.

If you wish to install this new release earlier, please contact your Endace account team.


Endace announced as double finalist in 2018 Computing Security Awards and UK IT Industry Awards

Original Entry by : Mark Evans

Computing Security Awards 2018

Our EndaceProbe™ Analytics Platform has been announced as a double finalist in the ‘Network Security Solution of the Year’ and the ‘Enterprise Security Solution of the Year’ categories for the 2018 Computing Security Awards.

The Computing Security Awards started in 2010 to recognize security champions and solutions throughout the UK IT industry. The winners of the awards will be announced on the 11th October at an awards ceremony dinner at the Radisson Blu Edwardian Hotel, London.

You can vote in all categories of the Computing Security Awards, here: http://www.computingsecurityawards.co.uk/?page=csa2018vote. If you can spare a minute to vote, we’d be very grateful for your support!

UK IT Industry Awards 2018

Endace has also been announced as a finalist in the 2018 UK IT Industry Awards in the ‘Security Innovation of the Year’ category.

The UK IT Industry Awards celebrates IT excellence and focuses on the contribution of individuals, projects, organizations and technologies that have excelled in the use, development and deployment of IT in the past 12 months. The award ceremony for the UK IT Industry Awards will take place on the 14th November in Battersea, London.

The EndaceProbe is the industry’s only, truly, open packet capture platform, allowing both hosting of and integration with commercial, open-source and custom analytics applications.

You can learn more about Endace’s network monitoring products, analytics platform, and network packet history recording solutions here.


How to protect against nation state attackers

Original Entry by : Mark Evans

“One of my worst nightmares [as an attacker] is that out-of-band network tap that really is capturing all the data, understanding anomalous behaviour going on. And someone’s paying attention to it.”
Rob Joyce, NSA: “Disrupting Nation State Attackers, Jan 2016” (22:10)

It’s great to see the efficacy of packet capture and network recording acknowledged by such an eminent cybersecurity Tsar as Rob Joyce.

If you haven’t already seen his video presentation on Disrupting Nation State Attackers, it’s well worth a watch. Before being shoulder-tapped to take up his new role as a cybersecurity advisor to Trump’s National Security Council, Joyce headed up the Tailored Access Operations division of the NSA.

The NSA’s TAO division is responsible for “providing tools and expertise in computer network exploitation to deliver foreign intelligence.” In other words, it is responsible for finding, and taking advantage of, the very network vulnerabilities that we’re all trying to protect against.

In his presentation at the Usenix Enigma conference last year, Joyce outlined key steps organizations can take to protect themselves against the sort of sophisticated techniques employed by Nation State attackers and criminal elements looking to attack your network.

Much of his advice is practical common sense. Know everything on your network, understand it, and update and patch everything. We all know this is critical, but all too often it doesn’t happen. Take patching for example. Joyce says that, in his experience, many organizations undertake security audits to identify known vulnerabilities, but frequently have still not fixed those vulnerabilities by the time the next audit rolls around months later.

Joyce also explodes a common myth – that sophisticated intruders rely on zero day threats. In fact, he says, zero day threats are far from being biggest danger to corporate networks. For any large network, he says:

Persistence and focus will get you in and achieve that exploitation without the zero days. There’s so many vectors that are easier, less risky and quite often more productive.

The cause of most intrusions, says Joyce, come down to one of things (the “Big Three”):

  • Email:  “a user clicked on something they shouldn’t have”
  • Malicious websites“they’ve gotten to a malicious website … and it’s either executed or they’ve run content from that website.”
  • Removable media – “where a user inserted contaminated media“. [As an aside, someone once told me the easiest way to get malware into an organization is to load it on a USB stick labelled “Payroll”, drop it in the carpark and leave the rest to curiosity!].

Joyce outlines the importance of making sure that sources of information about activity on the network – such as log files or network packet captures – are actually being monitored. “You’d be amazed at incident response teams that go in and there’s been some tremendous breach .. Yep, there it is right there in the logs.”

But perhaps the best piece of strategic advice he offers is this:

“Consider that you’re already penetrated. Do you have the means and methods to understand if somebody’s inside your network?”

That change in focus is important. Statistics show intrusions are becoming increasingly commonplace. Once organizations move from “we need to make sure we’re not penetrated” to “maybe we already are penetrated” they start to understand what tools, skills and processes they need to put in place to identify intrusions and stop an initial penetration from going on to become a more serious data breach. Or, if they have already been breached, what do they need to make sure they can identify how it happened and what was compromised?

Joyce’s presentation is a salient reminder that ensuring the basics of network security hygiene is critical. And that the battle to defend against attackers is an ongoing one. As fast as you tighten up your security, new vulnerabilities emerge that put you at risk.

Take a look at the video. You’ll find it’s 30 minutes of your time very well spent!

Cybersecurity Resources

Some of the useful resources that Joyce discusses and recommends are listed below

NOTE: The two links to the IAD site above require installing the DoD Root CA Certificates to avoid getting an “untrusted website” notification. More information here.


Dynatrace Perform 2017

Original Entry by : Mark Evans

Endace was an exhibiting partner at Dynatrace Perform in Las Vegas this month. Perform is the annual conference for Dynatrace users and attracts attendees from all over the world.

Attendees at Dynatrace Perform 2017 in Las Vegas

The conference sessions were packed, and our booth in the partner area was swamped during the partner sessions!

In fact it was so busy we didn’t have time to take photos of our booth! So here’s one of Dynatrace’s photos instead. And if you want more, there’s a big gallery of photos on this page.

In the Partner Lounge, Blaine Deutsch and Tom Leahy demonstrated how EndaceProbes integrate with Dynatrace DC RUM to provide instant access to network packet history as definitive evidence for troubleshooting application performance issues. They also showed how using EndaceProbes to Playback recorded history to an instance of the virtual AMD agent hosted in Application Dock offers new options for deep investigation of historical events.

If you weren’t able to make the event, here are the presentations:

We thoroughly enjoyed being at Perform 2017. And being in Las Vegas on Superbowl Sunday prior to the conference was certainly an experience too.

Thanks to all the attendees who came to our stand. We had some really interesting conversations which we look forward to picking up with you again very soon.

And thanks to Nathan, Mike, Paula and the team from Dynatrace for making us welcome and ensuring we had everything we needed too. A great event guys!


NEW: EndaceProbe 114 Branch Office Network Recorders

Original Entry by : Endace

Launching at Black Hat this week, the EndaceProbe 114 is purpose-built for deployment in remote locations or branch offices. It offers the same 100% accurate recording, centralized management data mining and retrieval and application hosting as the rest of the EndaceProbe family but comes in a compact, short-depth format that makes it ideal for deployment in branch offices.

The EndaceProbe 114 allows organizations to cost-effectively extend their network visibility right out to the network edge and eradicate the blind spots that can make branch office locations an attractive target for attackers.


New Partners – Plixer and Cisco

Original Entry by : Endace

plixer-logoLast month we announced a partnership with Plixer to provide integration between EndaceProbe™️ Network Recorders and Plixer’s Scrutinizer™️ NetFlow Analytics suite. This leverages Endace Fusion’s API to enable SOC and NOC teams to pivot directly from Scrutinizer alerts to packet-level detail in traffic recorded on EndaceProbes across the network, delivering the detailed data that enables analysts to quickly investigate and establish the root cause of an alert.

cisco-logoWe have also joined the Cisco Solution Partner program. This partnership provides customers using Cisco’s Firepower™ Management Console with single-click access to EndaceVision for powerful visualization of network traffic and rapid drill down to recorded network packets using Endace Fusion’s Pivot to Vision and Pivot to Packets API functions.

Are you a Cisco Firepower or Plixer Scrutinizer user?

Contact sales@endace.com to organize a demo so you can see how this integration can dramatically speed up your investigations.