How Endace Accelerates Threat Hunting
By Robert Salier, Product Manager, Endace
Despite having a variety of tools at their disposal, many organizations still struggle with detecting and investigating security threats effectively and efficiently. Inevitably, some threats are not detected because skilled hackers expend a great deal of effort avoiding security monitoring systems and removing the evidence of their activity by deleting or modifying logs and files. Even when threats are detected, organizations often lack sufficient visibility to ascertain the exact scope and nature of the threat: to be certain they have completely removed it and to be totally confident they can detect and prevent a recurrence.
This is the final post in our series on threat hunting (see here for part 1, part 2 and part 3).
In this post I take a look at how the EndaceProbe Analytics Platform can accelerate threat hunting: delivering deeper insight into network activity through rich network data that provides an independent and unadulterated view of activity in your environment. It also explains how the EndaceProbe’s open platform approach delivers significant productivity and cost benefits, breaking down traditional barriers to affordability and practicality.
Full Packet-Level Capture of Network History
Skilled hackers (and clever malware) routinely delete or modify logs and files containing traces of their malicious activity. However, it’s virtually impossible for them to remove traces of their presence from the traffic that traverses the network. So, monitoring, capturing and analyzing network traffic is often the difference between being able to detect an intruder, and not, and collecting the conclusive evidence you need to address the threat, or not.
When malicious activity is detected, the next challenge is to obtain a clear picture of what has occurred. This is critical for several reasons. Firstly, enterprises have regulatory or policy obligations such as complying with information security standards and breach disclosure regulations. Secondly, it’s critical to be able to keep stakeholders – including executive management, PR, Legal, HR suppliers, partners, and customers – informed and be able to accurately answer any questions. And last, but not least, having a clear, unambiguous picture of what has occurred is also essential to be able to confirm that the threat has been neutralized and for you to be confident that sufficient measures are put in place to prevent a re-occurrence.
As discussed in Part 2 of this series, log files and other data sources such as flow-based network data can provide valuable insight into activity. And they might enable you to detect a threat. The problem is these data sources often don’t contain sufficient detail to enable a clear picture of exactly what happened, how it happened and what the impact is. Server and firewall logs, for example, might reveal communication between a host on your network and a malicious external host. But they can’t tell you what the actual contents of that communication were.
Capturing and storing packet history, on the other hand, gives you a verbatim copy of communications over the network, allowing you to see precisely what was sent and received with zero loss of fidelity. Packets contain all the contents: allowing accurate reconstruction of the entire conversation including file and document contents, web page interactions, emails, audio and video streams, etc.
Research report from EMA identifies packet capture as a key enabler for stronger security
Enterprise Management Associates (EMA) surveys enterprises annually to report on the strategies leading organizations are adopting to strengthen their cyber defenses. In the 2019 edition of “Unlocking High Fidelity Security”, packet capture was highlighted as a key enabler of stronger cybersecurity.
Download a Free Copy
Open Platform Approach
EndaceProbes can host a range of third party security solutions including Intrusion Detection Systems, virtual next-gen firewalls, AI-based security tools, and many other commercial, open-source or custom security and network or application performance monitoring solutions. Because each EndaceProbe can host multiple tools, you only need to purchase and deploy packet capture hardware once. You then have the freedom to choose best-of-breed tools, and the agility to quickly deploy new and/or updated tools without changing the underlying hardware platform.
Threat hunters can also dramatically accelerate and streamline investigations thanks to pre-built integrations between EndaceProbes and many third-party tools. These integrations enable analysts to click on an alarm/event in any of these tools to quickly retrieve and analyze the related full packet data that is recorded on the EndaceProbes on the network.
For more details check out The Benefits of an Open Analytics Platform.
Breakthrough density and affordability
We’re very proud of our breakthrough density and price per petabyte, putting a month or more of network history within reach of many more organizations. Our EP-9200 EndaceProbes provide 40Gbps packet capture and built-in investigation tools, hosting capacity for up to 12 applications, and a petabyte of network history storage, all in a single appliance just four rack units high.
How do we do it? Well, it’s not just an efficient organization and economies of scale. We have smart engineers implementing proprietary hardware, real-time storage compression, and features such as our patented Smart Truncation™. For more, check out https://www.endace.com/endaceprobe.
We realize that storing network history is of limited use if it is too difficult, expensive or time consuming to extract value from it. We knew we had to provide a way to…
- Centrally manage estates of EndaceProbes that may be global in scale to reduce the operational cost and minimize management overheads.
- Enable SecOps, NetOps and IT teams to quickly and easily find packets of interest from within terabytes or petabytes of data that may be distributed across a global network. And do this from a central point without having to figure out where those packets were recorded or which EndaceProbe they are stored on.
- Meet the needs of large, complex, globally distributed networks, with the ability to scale to provide virtually unlimited storage capacity and monitor links of any speed.
So we developed the EndaceFabric™ architecture.
EndaceFabric allows multiple EndaceProbes to be deployed at various points throughout a network and seamlessly connected to form a network-wide packet capture, recording and hosting fabric. Analysts can perform investigations and search and mine recorded Network History across multiple EndaceProbes simultaneously from a single UI. Similarly, administrators can centrally manage estates of hundreds of connected EndaceProbes making it easy to configure, update and monitor the health and performance of the entire estate.
EndaceFabric provides more than a single pane of glass for administration, search and data-mining however. The architecture also allows EndaceProbes to be stacked or grouped to create logical EndaceProbes capable of capturing traffic at practically any line rate with no limits to storage capacity scalability.
EndaceFabric is also the key to amazingly fast searches for packets of interest. Due to the inherently distributed, parallel architecture, and our advanced search algorithms, search times remain constant regardless of the number of EndaceProbes involved. A needle-in-a-haystack search for specific packets-of-interest across a hundred EndaceProbes and a hundred petabytes of network history can take just seconds.
For more details, check out https://www.endace.com/EndaceFabric, our videos describing the EndaceFabric architecture, and a demo showing our amazingly fast search.
This was the final article in our series on threat hunting, and how the Endace Analytics Platform can increase the efficiency and conclusiveness of threat hunts. We hope you found it useful?
If you’d like to find out more, please don’t hesitate to reach out to your local Endace representative, or contact us at https://www.endace.com/contact.