Endace Packet Forensics Files: Episode #34

Original Entry by : Mark Evans

Michael talks to Rick Peters, CISO Operational Technology, Fortinet

By Michael Morris, Director of Global Business Development, Endace


Increasingly, the security of Operational Technology (OT) – Industrial Control Systems and SCADA – is a major focus of concern. These systems are used in many environments across industries such as manufacturing, transportation, energy, critical infrastructure and many more, and are a juicy target for both sophisticated, nation-state attackers and cybercriminals.

In this episode of the Endace Packet Forensics Files I talk with Rick Peters, CISO Operational Technology at Fortinet. With a long career in engineering and almost four decades in US Intelligence before taking on his role at Fortinet, Rick knows intimately how attackers target OT systems and has spent many years helping to defend OT systems from cyber attackers.

Rick talks about the importance of trust in OT environments: trust in their ability to keep providing safe and continuous operations, and how we can bring some of the discipline developed in IT cyberdefense into the OT environment. He outlines the importance of a “consequence-driven strategy” – a deep understanding of the risks and vulnerabilities a given system presents, coupled with a thorough assessment of the consequences of a successful compromise. He also stresses the importance of having a well-planned, and tested, response plan that addresses both IT and OT systems.

Rick has some great advice for cybersecurity leaders about where to start building a robust OT security posture and the importance of having IT security and OT security working in parallel. You won’t want to miss this episode!

Other episodes in the Secure Networks video/audio podcast series are available here.


Multi-Tenancy introduced with OSm 7.1

Original Entry by : Cary Wright

Securely sharing packet capture infrastructure across multiple entities

By Cary Wright, VP Product Management, Endace


We are proud to announce that EndaceProbe now supports Multi-Tenancy, “Woo-hoo” I hear you say! If you are an MSSP, MDR, Service Provider, or organisation with multiple departments, your SoC teams can now reap the benefits of having access to weeks or months of continuously recorded network traffic whilst sharing costs with many other like-minded SoC teams. Let’s dig into what Multi-Tenancy is and why it’s important.

At the most basic level, Multi-Tenancy is the ability to host multiple “entities” (e.g. multiple customers or multiple organizational divisions) on a single architecture at the same time. To put it another way, Multi-Tenancy offers a way to share the costs of a system or service across more than one entity. Multi-tenancy can mean different things depending on your domain of expertise:

  • Cloud providers are inherently multi-tenanted, serving millions of clients with shared compute
  • Operating systems often host multiple tenants on a single machine
  • Networks can supply connectivity to multiple teams or organizations via a single infrastructure.

All these scenarios have these necessary requirements in common:

  1. Each tenant’s data must remain private and accessible to only that authorized tenant, and
  2. Each tenant needs access to reliable, predictable, or contracted resources – such as bandwidth, compute, storage, security services, expertise, etc.

Multi-tenancy can help organizations to scale critical security services in a cost-efficient manner. A capable security architecture or service requires a significant investment and the expertise to operate it. Sharing that investment makes such services available to organizations that might otherwise not have been able to afford them.

A good example of where Multi-Tenancy can be extremely useful is the Security Operations Center (SoC). Typically, only large, well-funded organisations have the resources to build their own dedicated SoC. Multi-tenancy can enable multiple organizations to share a SoC, each benefiting from a strengthened security posture without carrying the full burden of the costs and effort involved.

This is the model underpinning outsourced MSSP services, for example. But it can also be an ideal model for larger organizations with multiple divisions that each need to maintain separation from each other. Or where multiple individual companies are owned by a common parent. It can also be a useful way to safely isolate a newly acquired company until its systems can be safely migrated or transferred over to the new owner’s infrastructure.

We see lots of areas where organizations are benefiting from this ability to share infrastructure and services. So we are very pleased to announce that with the new OSm 7.1 software release, EndaceProbe Analytics Platform now also supports Multi-Tenancy for network recording.

This is especially useful where multiple tenants share the same network. A single EndaceProbe, or a fabric of EndaceProbes, can now be securely shared across multiple organisations or tenants, while keeping the data for each tenant secure and private. EndaceProbes continuously record all network data on the shared network, but provide each tenant with access only to their own data.

In this case the tenancies are defined by VLANs, where each tenant has a VLAN, or set of VLANs, that carries only their traffic. When a user needs to investigate a security threat in their tenancy, they simply log into InvestigationManager to search, inspect, and analyse only the traffic that belongs to that tenancy. It’s as if each tenant has its own, wholly separate, EndaceFabric, dedicated just to its own tenancy.
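To make the VLAN-defined tenancy model concrete, here is an added example (not Endace code, and not how EndaceProbe or InvestigationManager implement it internally): it parses the outer 802.1Q tag of recorded Ethernet frames and returns, for a given tenant, only the frames whose VLAN ID is in that tenant's allowed set. The tenant-to-VLAN mapping, the frame builder and the sample frames are constructed for the example. Untagged frames, priority-tagged frames (VLAN 0) and frames on a VLAN no tenant owns are returned to nobody, so a mis-tagged or unexpected flow never leaks across a tenancy boundary.

```python
"""VLAN-scoped tenant filter over recorded Ethernet frames.

Added illustration only: the mapping, frames and helper names below are
constructed for this example and are not Endace's own code or data model.
"""
import struct

ETHERTYPE_8021Q = 0x8100   # single-tagged 802.1Q frame
ETHERTYPE_QINQ = 0x88A8    # 802.1ad service tag (outer tag of a QinQ frame)

# Hypothetical tenant-to-VLAN mapping (constructed). A tenant may own
# several VLANs; the filter is the only thing standing between tenants.
TENANTS = {
    "tenant-a": {100, 101},
    "tenant-b": {200},
}


def vlan_id(frame: bytes):
    """Return the outermost VLAN ID of an Ethernet frame, or None.

    None is returned for untagged frames, truncated frames and
    priority-tagged frames (VLAN ID 0), none of which belong to a tenant.
    """
    if len(frame) < 18:                      # 14-byte header + 4-byte tag
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_QINQ):
        return None
    tci = struct.unpack("!H", frame[14:16])[0]   # PCP(3) | DEI(1) | VID(12)
    vid = tci & 0x0FFF
    return vid if vid != 0 else None


def build_frame(vid, payload: bytes = b"\x00" * 46) -> bytes:
    """Construct a minimal Ethernet frame for the example (untagged if vid is None)."""
    dst = b"\x00\x11\x22\x33\x44\x55"         # constructed MAC addresses
    src = b"\x66\x77\x88\x99\xaa\xbb"
    inner_type = struct.pack("!H", 0x0800)   # IPv4 payload follows
    if vid is None:
        return dst + src + inner_type + payload
    tag = struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF)
    return dst + src + tag + inner_type + payload


def frames_for_tenant(frames, tenant: str):
    """Return only the frames the named tenant is authorised to see.

    Unknown tenants get nothing (fail closed), and a frame is released only
    when its VLAN ID is explicitly in the tenant's allowed set.
    """
    allowed = TENANTS.get(tenant)
    if not allowed:
        return []
    return [f for f in frames if vlan_id(f) in allowed]


if __name__ == "__main__":
    # Constructed "recording": two tenants' VLANs, an untagged frame and an orphan VLAN.
    recorded = [build_frame(100), build_frame(200), build_frame(None), build_frame(300)]
    for name in ("tenant-a", "tenant-b", "nobody"):
        print(name, [vlan_id(f) for f in frames_for_tenant(recorded, name)])
```

The design point worth noting is that the filter is an allow-list keyed on the tenant, not a deny-list keyed on other tenants' VLANs: anything not positively owned (untagged, VLAN 0, an unexpected VLAN) is withheld, which is the fail-closed behaviour you want wherever one recording serves several customers.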

This new capability is important for large organisations that service multiple departments, agencies, or divisions. Service providers, MSSPs, and MDRs that service multiple clients will also benefit from Multi-Tenancy, giving each of their clients ready access to their own recorded network traffic for fast, secure, and private security incident response.

We are very excited that this new Multi-Tenancy feature can help make Network Recording accessible for many more organizations, helping them to resolve incidents faster and with greater confidence.

For more information on this great new feature, or to arrange a demonstration to show how Endace could help you, contact us.


Endace Packet Forensics Files: Episode #31

Original Entry by : Michael Morris

Michael talks to Kamal Khlefat, Product Manager, LinkShadow

By Michael Morris, Director of Global Business Development, Endace


Modernizing the SOC is one of the latest trends cyber security teams are undertaking to stay current and on a level playing field against today’s threat actors. Whether it is adapting simply to keep up with the volume of threats, or implementing AI and ML technologies to find and prevent more sophisticated threat vectors, SecOps teams need to improve and upgrade.

In this episode of the Endace Packet Forensics Files, I talk with seasoned SOC Director Kamal Khlefat, now Product Manager at LinkShadow, who shares his perspectives on the movement to modernize the SOC.

Kamal gives his insight into where most SOC teams are struggling and the gaps organizations have in their cybersecurity defenses. He shares some observations about what customers are doing to handle ever-increasing alert volumes and the fatigue analysts suffer in their relentless effort to investigate and troubleshoot every indicator of compromise. And, finally, Kamal highlights some of the differences he is seeing between various industry verticals like governments, financial, energy and retail.

Other episodes in the Secure Networks video/audio podcast series are available here.


2021 awards season kicks off with nine new awards for Endace

Original Entry by : Endace

Endace and the EndaceProbe Analytics Platform have been honored with nine awards in two well-regarded industry awards programs: The Globee 17th Annual 2021 Cyber Security Global Excellence Awards and the 2021 Cybersecurity Excellence Awards. The award categories include Most Innovative Security Hardware, Hot Security Company of the Year, Hot Security Technology of the Year, and Cybersecurity Blogger of the Year.

From the Globee 17th Annual 2021 Cyber Security Global Excellence Awards, Endace was selected as the winner in the following categories:

  • Grand Trophy Winner
  • Gold Award, Hot Security Company of the Year: Endace
  • Gold Award, Most Innovative Security Hardware of the Year: EndaceProbe Analytics Platform Product Suite and Fusion Partner Program
  • Gold Award, Hot Security Technology of the Year: EndaceProbe Analytics Platform Product Suite
  • Gold Award, Network Detection and Response: EndaceProbe Analytics Platform
  • Gold Award, Incident Analysis and Response Solution: EndaceProbe Analytics Platform Product Suite
  • Silver Award, Network Security and Management: EndaceProbe Analytics Platform with EndaceVision

From the 2021 Cybersecurity Excellence Awards, Endace won two silver awards in:

  • Best CyberSecurity Company, Asia (between 50-99 employees)
  • CyberSecurity Blogger of the Year, Asia (Endace Packet Forensics Files hosted by Michael Morris)

There was strong competition across both awards programs this year and Endace would like to congratulate all this year’s winners and nominees – in particular our partners and fellow winners: Darktrace, Palo Alto Networks and Keysight (Ixia).

It’s great to see such a vibrant community of cybersecurity companies in the market. Our combined contributions are critically important to further improving cyber defense and helping organizations around the world protect critical infrastructure and private data from criminal and nation-state-sponsored attacks.


Endace Packet Forensics Files: Episode #11

Original Entry by : Michael Morris

Michael talks to Kate Kuehn, Senior VP at vArmour.

By Michael Morris, Director of Global Business Development, Endace


What are some of the top things on the minds of CISOs in today’s COVID-affected, remote-working, rapidly digitally transforming world?

If you want to hear what’s dominating their thinking then don’t miss our latest episode of the Endace Packet Forensic Files Vidcast/Podcast series with special guest Kate Kuehn, SVP at vArmour.

Kate is a seasoned security executive with years of experience as a CISO herself as well as working alongside many other CISOs. In this episode, Kate talks about what she sees are some of the biggest challenges that CISOs and their security teams face in response to digital transformation and rapid changes to their hybrid cloud and on-premise environments.

Kate shares her insights into what SecOps teams are doing to address those challenges and what things she thinks they are still missing. Finally, she reveals some must-haves for every CISO to consider as they select security tools and the gaps many organizations still have in their security stacks.

Don’t miss the chance to learn from Kate’s exceptional security insights.

Other episodes in the Secure Networks video/audio podcast series are available here.


Endace + XSOAR = Nirvana for the SoC

Original Entry by : Cary Wright

Integrating Palo Alto Cortex XSOAR with the EndaceProbe Analytics Platform

By Cary Wright, VP Product Management, Endace


This week we are announcing an exciting integration with Palo Alto Networks Cortex XSOAR, formerly Demisto. This integration provides XSOAR customers with automated playbooks that easily pull in packet-level evidence for fast, conclusive, and repeatable response to security incidents. This integration complements our existing partnership with Palo Alto Networks NGFW and Panorama, so now you can access packet-level data across multiple Palo Alto solutions.

So what is this “Nirvana for the SoC” we are all striving for?

The most effective SoC teams I’ve seen are well-oiled machines, reviewing and resolving many potentially dangerous security incidents each day and neutralizing threats quickly and confidently. What makes these teams successful is a repeatable and well-understood process, based on evidence, backed by automation, with integrated workflows across a suite of best-in-class security tools.

These teams have a wide range of experience – from new recruits to seasoned experts – all highly motivated and working collaboratively to solve complex issues. This exceptional environment not only provides high levels of productivity and security, but it is also great for team morale, staff retention, and hiring. Adding new staff is streamlined because all the processes are documented and/or automated, workflows are simple, and less experienced hires can contribute quickly. I am sure you would agree this is the SoC team Nirvana that we are all striving for.

SoC teams are flying blind without network packet history at their fingertips. Sophisticated attackers do their best to cover their tracks by modifying server logs or deleting evidence. However, packets recorded off the wire don’t lie and can’t be altered by a compromised host. That’s why many SoC teams deploy EndaceProbe alongside their firewalls so they can turn to the packets to investigate their most challenging security incidents. It’s the evidence needed to know without a doubt what happened at 2pm last Tuesday afternoon when a security alert indicated a potential attack.

We integrated with Cortex XSOAR because we realized that many teams were missing the essential packet-level evidence required for fast and conclusive security investigations. XSOAR playbooks now automate the collection of packet evidence from any EndaceProbe in the deployment. Packet evidence is then archived and attached to a “case” or “war room” allowing multiple team members to contribute to the investigation at any time in the future.

The complete workflow can be integrated with the entire security tool suite including endpoint, network, SIEM, NGFW, and other security elements. And finally, these playbooks can be customized to suit the specific needs of the organization.

Check out the demo video on Palo Alto Networks’ Fusion partner page to see this integration in action, and reach out if you’d like more information.

I am very proud of what our team has achieved with this integration to Cortex XSOAR. Our customers can now manage alerts across all sources using a standard process, take action on threat intel, and automate response for any security use case – resulting in significantly faster responses that require less manual review. I’m really looking forward to seeing our customers take advantage of this new capability to create their own SoC team Nirvana.

Happy hunting,

Cary



The Importance of Network Data to Threat Hunting (Part 4)

Original Entry by : Robert Salier

How Endace Accelerates Threat Hunting

By Robert Salier, Product Manager, Endace


Despite having a variety of tools at their disposal, many organizations still struggle to detect and investigate security threats effectively and efficiently. Inevitably, some threats are not detected because skilled hackers expend a great deal of effort avoiding security monitoring systems and removing the evidence of their activity by deleting or modifying logs and files. Even when threats are detected, organizations often lack sufficient visibility to ascertain the exact scope and nature of the threat: to be certain they have completely removed it, and to be confident they can detect and prevent a recurrence.

This is the final post in our series on threat hunting (see here for part 1, part 2 and part 3).

In this post I take a look at how the EndaceProbe Analytics Platform can accelerate threat hunting: delivering deeper insight into network activity through rich network data that provides an independent and unadulterated view of activity in your environment. I also explain how the EndaceProbe’s open platform approach delivers significant productivity and cost benefits, breaking down traditional barriers to affordability and practicality.

Full Packet-Level Capture of Network History

Skilled hackers (and clever malware) routinely delete or modify logs and files containing traces of their malicious activity. However, it’s virtually impossible for them to remove traces of their presence from the traffic that traverses the network. So monitoring, capturing and analyzing network traffic is often the difference between detecting an intruder and not detecting them, and between collecting the conclusive evidence you need to address the threat and having no such evidence.

When malicious activity is detected, the next challenge is to obtain a clear picture of what has occurred. This is critical for several reasons. Firstly, enterprises have regulatory or policy obligations such as complying with information security standards and breach disclosure regulations. Secondly, it’s critical to be able to keep stakeholders – including executive management, PR, Legal, HR, suppliers, partners, and customers – informed and to be able to accurately answer any questions. And last, but not least, having a clear, unambiguous picture of what has occurred is essential to confirm that the threat has been neutralized and to be confident that sufficient measures are in place to prevent a recurrence.

As discussed in Part 2 of this series, log files and other data sources such as flow-based network data can provide valuable insight into activity. And they might enable you to detect a threat. The problem is these data sources often don’t contain sufficient detail to enable a clear picture of exactly what happened, how it happened and what the impact is. Server and firewall logs, for example, might reveal communication between a host on your network and a malicious external host. But they can’t tell you what the actual contents of that communication were.

Capturing and storing packet history, on the other hand, gives you a verbatim copy of communications over the network, allowing you to see precisely what was sent and received with zero loss of fidelity. Packets contain all the contents: allowing accurate reconstruction of the entire conversation including file and document contents, web page interactions, emails, audio and video streams, etc.

Research report from EMA identifies packet capture as a key enabler for stronger security

Enterprise Management Associates (EMA) surveys enterprises annually to report on the strategies leading organizations are adopting to strengthen their cyber defenses. In the 2019 edition of “Unlocking High Fidelity Security”, packet capture was highlighted as a key enabler of stronger cybersecurity.


Open Platform Approach

EndaceProbes can host a range of third party security solutions including Intrusion Detection Systems, virtual next-gen firewalls, AI-based security tools, and many other commercial, open-source or custom security and network or application performance monitoring solutions.  Because each EndaceProbe can host multiple tools, you only need to purchase and deploy packet capture hardware once.  You then have the freedom to choose best-of-breed tools, and the agility to quickly deploy new and/or updated tools without changing the underlying hardware platform.

Threat hunters can also dramatically accelerate and streamline investigations thanks to pre-built integrations between EndaceProbes and many third-party tools.  These integrations enable analysts to click on an alarm/event in any of these tools to quickly retrieve and analyze the related full packet data that is recorded on the EndaceProbes on the network.

For more details check out The Benefits of an Open Analytics Platform.

Breakthrough density and affordability

We’re very proud of our breakthrough density and price per petabyte, putting a month or more of network history within reach of many more organizations.  Our EP-9200 EndaceProbes provide 40Gbps packet capture and built-in investigation tools, hosting capacity for up to 12 applications, and a petabyte of network history storage, all in a single appliance just four rack units high.

How do we do it? Well, it’s not just an efficient organization and economies of scale. We have smart engineers implementing proprietary hardware, real-time storage compression, and features such as our patented Smart Truncation™. For more, check out https://www.endace.com/endaceprobe.

Breakthrough practicality

We realize that storing network history is of limited use if it is too difficult, expensive or time consuming to extract value from it.  We knew we had to provide a way to…

  • Centrally manage estates of EndaceProbes that may be global in scale to reduce the operational cost and minimize management overheads.
  • Enable SecOps, NetOps and IT teams to quickly and easily find packets of interest from within terabytes or petabytes of data that may be distributed across a global network. And do this from a central point without having to figure out where those packets were recorded or which EndaceProbe they are stored on.
  • Meet the needs of large, complex, globally distributed networks, with the ability to scale to provide virtually unlimited storage capacity and monitor links of any speed.

So we developed the EndaceFabric™ architecture.

EndaceFabric allows multiple EndaceProbes to be deployed at various points throughout a network and seamlessly connected to form a network-wide packet capture, recording and hosting fabric.  Analysts can perform investigations and search and mine recorded Network History across multiple EndaceProbes simultaneously from a single UI.  Similarly, administrators can centrally manage estates of hundreds of connected EndaceProbes making it easy to configure, update and monitor the health and performance of the entire estate.

However, EndaceFabric provides more than a single pane of glass for administration, search and data mining. The architecture also allows EndaceProbes to be stacked or grouped to create logical EndaceProbes capable of capturing traffic at practically any line rate, with no limit on storage capacity scalability.

EndaceFabric is also the key to amazingly fast searches for packets of interest.  Due to the inherently distributed, parallel architecture, and our advanced search algorithms, search times remain constant regardless of the number of EndaceProbes involved.  A needle-in-a-haystack search for specific packets-of-interest across a hundred EndaceProbes and a hundred petabytes of network history can take just seconds.

For more details, check out https://www.endace.com/EndaceFabric, our videos describing the EndaceFabric architecture, and a demo showing our amazingly fast search.

And finally

This was the final article in our series on threat hunting, and on how the EndaceProbe Analytics Platform can increase the efficiency and conclusiveness of threat hunts. We hope you found it useful.

If you’d like to find out more, please don’t hesitate to reach out to your local Endace representative, or contact us at https://www.endace.com/contact.


Watch Endace on Cisco ThreatWise TV from RSA 2019

Original Entry by : Endace

It was a privilege to attend this year’s RSA cybersecurity event in San Francisco, and one of our top highlights was certainly the opportunity to speak to Cisco’s ThreatWise TV host Jason Wright. Watch the video on Cisco’s ThreatWise TV (or below) as Jason interviews our very own Michael Morris to learn more about how Cisco and Endace integrate to accelerate and improve cyber incident investigations.

In this short 4 minute video, Michael demonstrates how Cisco Firepower and Stealthwatch can be used together to investigate intrusion events, using Cisco dashboards and EndaceVision to drill down into events by priority and classification to show where threats come from, who has been affected and whether any lateral movement occurred, as well as conversation history and traffic profiles. Michael also explains how Cisco and Endace work together to ‘find a needle in a haystack’ across petabytes of network traffic.

A big thanks to Cisco and to Jason for giving us this spotlight opportunity. If you have any questions about how Cisco and Endace integrations can accelerate and improve cyber incident investigation, visit our Cisco partner page.