Threat actors are recording PCAPs, maybe you should too?

Original Entry by : Barry "Baz" Shaw

By Barry “Baz” Shaw, Senior Engineering Manager, Technology Partner Programs, Endace

On Aug 29th, Government Cybersecurity agencies from around the world released a joint advisory detailing how nation-state threat actors are compromising networks across the world, particularly in the US, Australia, Canada, New Zealand and the UK: www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a www.darkreading.com/cybersecurity-operations/cisa-fbi-nsa-warn-chinese-global-espionage-system

These attacks are primarily focussed on telecommunications, government, lodging and military networks, and the tactics, techniques, and procedures (TTPs) overlap with APT (Advanced Persistent Threat) actors linked to multiple China-based entities. These threat actors are exploiting well-known vulnerabilities in VPN servers and web user interfaces on switches and routers. Even devices not owned by targets of interest are being compromised in order to provide additional attack pathways to the intended targets. Upon gaining a foothold in a network, persistence is achieved by modifying ACLs, opening services on non-standard ports to avoid detection, and tunnelling C2 and exfiltrated data to obfuscate malicious activity.

Of note in this particular instance is the use of PCAP collection on the target network by the threat actors. Once they’ve gained a foothold on the network infrastructure, the native capability of some routers to record PCAPs is then used to capture TACACS+ (authentication) traffic. When transmitted in clear text (or weakly encrypted), this authentication traffic exposes users’ credentials, which can then be used to elevate the attacker’s access and enable them to move laterally across the network.

The use of network sniffing to extract credentials from authentication traffic is a common technique of threat actors (attack.mitre.org/versions/v17/techniques/T1040/). As we continue to see the stubborn use of unencrypted and weakly-encrypted protocols on networks, these insecure communications remain prime targets for credential gathering. Additionally, the uses of maliciously collected PCAP are evolving, with the ArcaneDoor campaign taking this a step further and exfiltrating captured PCAPs for remote analysis (attack.mitre.org/campaigns/C0046/). Exfiltrated PCAPs may contain anything from authentication data to file objects.

PCAP data is the ground-truth for what is happening on the network, and it is the source that all other network and security telemetry is derived from.  Threat actors know this and value the raw unfiltered and unsampled intel that it provides about the target.  This begs the question: if your adversaries see value in collecting PCAPs off your network, shouldn’t you be capturing full PCAP too!? 

If you are not recording your network traffic, your security team has less visibility into network activity than your attackers – which makes the job of protecting your network impossibly difficult. With PCAP at their fingertips, SOC analysts can see exactly what’s happening on the network, making for faster, more accurate investigation and resolution of security incidents – as this excellent blog post from Cisco’s Steve Nowell describes.

That full PCAP data is so valuable to attackers also highlights a stark warning that wise defenders should heed. PCAP data must be protected and secured to the highest standards.  Can you trust packet capture solutions that aren’t FIPS and Common Criteria certified? Or packet capture sources that can’t be properly locked down and protected from access by attackers?

For more blogs in our Endace SOC series, see here:
https://blog.endace.com/tag/soc/ 


Network Visibility in Action: Endace and Cisco Drive SOC Defenses at RSAC 2025

Original Entry by : Cary Wright

By Cary Wright, VP Product Management, Endace

Uncovering insights from the 6th Annual Security Operations Center at RSA Conference

For the sixth consecutive year, a dedicated Security Operations Center (SOC) monitored the RSA Conference (RSAC) network, protecting a dynamic environment serving over 40,000 attendees.  A collaboration between Endace and Cisco (and other security partners), the SOC provided real-world insights into current threat landscapes and security challenges, and demonstrated the critical importance of comprehensive network monitoring and real-time threat detection in large-scale environments.

The 2025 SOC team consisted of:

  • 5 Endace analysts
  • 9 Cisco/Splunk analysts
  • 3 dedicated threat hunters
  • 3 managers

Network Monitoring at Unprecedented Scale

The SOC captured and analyzed an astounding volume of data flowing through the conference network:

  • 40+ billion packets captured (more than double the 19 billion from the previous year)
  • 33 TB of packet data (up from 17TB)
  • Peak bandwidth usage of 3.4 Gbps (up from 2.2 Gbps)
  • 615 million total sessions (increased from 383 million)
  • 793 million logs captured
  • 287,000 files extracted with 26,374 submitted for deeper analysis

Endace’s VP of Product Management Cary Wright explained the scope: “We tapped into the network and recorded everything—all the packets that traveled across that network—approximately 30 terabytes of data over the course of the whole conference.”

The Technical Architecture: Integration in Action

The SOC implemented a sophisticated, multi-layered security architecture centered around visibility and integration:

    1. Network Capture Layer: EndaceProbe appliances performed full packet capture, creating a complete record of all network activity.
    2. Log Generation and Analysis: The Endace systems generated metadata through tools like Zeek, which was then forwarded to Splunk and Cisco security tools for analysis.
    3. Threat Detection Systems: Cisco Secure Firewall provided intrusion detection (running in non-blocking mode to avoid disrupting vendor demonstrations while still identifying potential threats).
    4. Integration Layer: All components were interconnected, allowing analysts to pivot seamlessly from alerts directly to the relevant packet data, providing context for rapid investigation.
    5. File Analysis Pipeline: Files transmitted across the network were extracted and analyzed: 
      • 287,000+ files extracted from network traffic
      • 26,374 files sent to Splunk Attack Analyzer
      • 7,546 files forwarded to Cisco Malware Analytics for in-depth examination

Key Security Findings and Trends

The SOC’s monitoring revealed several concerning security trends:

1. Declining Encryption Levels

One surprising finding was a drop in the percentage of encrypted traffic, from approximately 80% in 2024 to 74% in 2025. This regression toward “the dark past” of unencrypted communications creates significant security vulnerabilities.

More troubling was the increase in weak encryption (TLS 1.0/1.1) to 40% of encrypted traffic, along with the continued presence of plaintext password transmission.
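A check a SOC can run over its own capture to produce a number like the one quoted above, added here as an example and not code from the Endace or Cisco deployment: it parses TLS ClientHello records, honours the supported_versions extension (a TLS 1.3 client still writes 0x0303 in its legacy version field, so reading that field alone under-counts modern clients), and reports what share of clients offer nothing newer than TLS 1.1. The ClientHello records are constructed inside the block rather than taken from a capture; a real run would be fed the client-to-server TCP payload of each port-443 session, which is assumed to be reassembled upstream.

```python
import struct

SUPPORTED_VERSIONS_EXT = 0x002B                 # RFC 8446 extension type 43
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY_VERSIONS = {0x0300, 0x0301, 0x0302}


def build_client_hello(legacy_version, supported_versions=None):
    """Construct a minimal ClientHello record (sample data for the classifier, not a capture)."""
    body = struct.pack(">H", legacy_version) + bytes(32)   # client_version + random
    body += b"\x00"                                         # empty session id
    body += b"\x00\x02\x13\x01"                             # one cipher suite
    body += b"\x01\x00"                                     # null compression only
    exts = b""
    if supported_versions:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack(">H", v) for v in supported_versions)
        exts += struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack(">H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def client_offered_version(record):
    """Highest protocol version a ClientHello offers, or None if the record is not one.

    TLS 1.3 clients keep legacy_version at 0x0303 and advertise 1.3 in the
    supported_versions extension, so the extension wins when present."""
    if len(record) < 5 or record[0] != 0x16:           # 0x16 = handshake record
        return None
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # 0x01 = ClientHello
        return None
    body = hs[4:]
    client_version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                        # skip random
    pos += 1 + body[pos]                                # session id
    pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                                # compression methods
    if pos + 2 > len(body):
        return client_version                           # no extensions block at all
    ext_end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == SUPPORTED_VERSIONS_EXT and elen >= 3:
            count = edata[0]
            offered = [struct.unpack(">H", edata[1 + i:3 + i])[0] for i in range(0, count, 2)]
            real = [v for v in offered if (v & 0x0F0F) != 0x0A0A]   # drop GREASE values
            if real:
                return max(real)
    return client_version


def summarise(records):
    """Per-version counts and the percentage of ClientHellos that offer only legacy TLS."""
    counts = {}
    legacy = 0
    for rec in records:
        v = client_offered_version(rec)
        if v is None:
            continue
        name = VERSION_NAMES.get(v, f"unknown {v:#06x}")
        counts[name] = counts.get(name, 0) + 1
        if v in LEGACY_VERSIONS:
            legacy += 1
    total = sum(counts.values())
    return counts, (100.0 * legacy / total if total else 0.0)


# Constructed sample: two legacy clients, one TLS 1.2-only client, one TLS 1.3
# client (with a GREASE value in its list), and one non-handshake record.
SAMPLE_RECORDS = [
    build_client_hello(0x0301),
    build_client_hello(0x0302),
    build_client_hello(0x0303),
    build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303]),
    b"\x17\x03\x03\x00\x05hello",      # application data, ignored
]

if __name__ == "__main__":
    print(summarise(SAMPLE_RECORDS))
```

Counting ClientHellos measures what clients offer, not what was negotiated; correlating with the matching ServerHello is the natural next step, but the offered maximum is already the right signal for finding devices that cannot do better than TLS 1.1 and need patching or replacement.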

2. Plaintext Passwords Continue

Though trending downward over the years, plaintext passwords remain a persistent problem, showing that the power of a strong password is nothing without an encrypted communication protocol!

      • 2020: 96,361 cleartext passwords (2,178 unique accounts)
      • 2022: 55,525 cleartext passwords (2,210 unique accounts)
      • 2023: 36,910 cleartext passwords (424 unique accounts)
      • 2024: 20,916 cleartext passwords (99 unique accounts)
      • 2025: 1,807 cleartext passwords (87 unique accounts)

3. Legacy Protocol Persistence: POP3 Refuses to Die

The SOC discovered continued use of vulnerable legacy protocols:

      • POP3 (unencrypted email retrieval)
      • Non-secured SMTP (email transmission)
      • Unencrypted IMAP

4. Advanced Threat Techniques

The SOC identified several sophisticated attack techniques, including:

      • New domain generation algorithm (DGA) approaches using combinations of 2-3 random words
      • Command and control (C2) traffic
      • Cleartext transmission of sensitive data
      • Unsecured translation services transmitting text and audio in the clear
      • Exposed CCTV camera feeds

The Value of Complete Network Visibility

The collaborative SOC deployment at RSAC 2025 demonstrated the crucial role that full packet capture plays in modern security operations. By capturing and analyzing every packet traversing the network, security teams gained:

      • Complete visibility into all network communications
      • Contextual evidence for security investigations
      • Rapid response capabilities through integrated tools
      • Retrospective analysis of historical network data

The integration between Endace’s packet capture technology and Cisco’s security suite enabled a powerful workflow: alerts from security tools could be immediately investigated by pivoting directly to the relevant network traffic, dramatically reducing investigation time.

Key Takeaways for Security Teams

Based on the RSAC 2025 SOC experience, organizations should consider these best practices:

      • Deploy comprehensive network monitoring with full packet capture for complete visibility
      • Implement integrated security tools that work together seamlessly
      • Focus on encryption enforcement to protect sensitive data in transit
      • Eliminate legacy protocols that transmit data in cleartext
      • Use personal VPNs when connecting to public networks
      • Keep operating systems patched and maintain robust configuration management

The Endace and Cisco-powered SOC at RSAC 2025 demonstrated that comprehensive network visibility remains fundamental to effective security operations. As threats grow more sophisticated, the ability to see, analyze, and respond to every packet traversing the network becomes increasingly critical.

By integrating full packet capture with advanced security analytics, organizations can build security operations centers that provide both the breadth and depth of visibility needed to detect and respond to today’s most sophisticated threats.

This blog post is based on information shared during the “PROTECTED: The 6th Annual Report from the SOC at RSAC” session at RSA Conference 2025.

For more blogs in our Endace SOC series, see here:
https://blog.endace.com/tag/soc/ 


Cisco Live US 2025 SOC – PCAP or it didn’t happen!

Original Entry by : Barry "Baz" Shaw

By Barry “Baz” Shaw, Senior Engineering Manager, Technology Partner Programs, Endace

Elevating Incident Response with the Ultimate Network Forensics

After a successful SOC @ RSAC2025, our team was stoked to be invited to help Cisco run the SOC at Cisco Live US (CLUS). We jumped at the chance to work with the Cisco team again. It was a great opportunity to innovate while helping Cisco protect and educate the attendees of the conference. Plus, the Cisco team is a lot of fun to hang out with—there’s a very infectious vibe in the SOC that has everyone buzzing for the entire week.

Packet capture is essential in the SOC. It provides an indelible record of all network activity, which is invaluable to the SOC team when investigating threats or security risks—hence the phrase, “PCAP or it didn’t happen.” For CLUS, we deployed two EndaceProbes with a combined storage of 864TB to continuously record all network activity delivered via 2 x 10GbE SPAN ports. This gave us the capacity to record at least several weeks of full network packet data—covering more than the entire duration of the show.

Endace Fusion integrations provided the glue between the Cisco Security suite and the packet data on the EndaceProbes, enabling analysts to quickly pivot from Splunk Enterprise Security/Splunk Cloud, Cisco XDR, Cisco Firepower, and Cisco Secure Network Analytics (SNA) through to EndaceVision and hosted Wireshark. When historical full PCAP is reachable through a seamless integration, analysts get contextual access with a click, which removes much of the friction that previously made PCAP data cumbersome to use.

The EndaceProbes each hosted two VMs that were running Zeek and delivering critical log data into Splunk. Custom Zeek script additions provided additional valuable detail around clear text passwords in email and HTTP, shining a light on the heavy use of insecure protocols, and ultimately driving automation to manage the unexpected volume. File-carving was enabled, and over 750,000 files were reconstructed from packet data, with over 40,000 samples submitted to Splunk Attack Analyzer (SAA) via Endace’s automatic submission software. SAA then sent over 12,000 files to Secure Malware Analytics (formerly Threat Grid) for dynamic analysis of the behavior.

SOC Findings and Lessons Learned

The SOC team was surprised and initially overwhelmed at the volume of unencrypted traffic on the network. Logging of passwords was coupled with a Cisco XDR automation that created an incident on each detection. This resulted in a heavy workload identifying and notifying users to educate and protect them in the future. The Splunk team developed a creative automated solution to notify users that the SOC detected their use of insecure protocols.

We even found a POP3 authentication mechanism that was news to us all—APOP. This hashes the timestamp from the server’s greeting together with the user’s password to create a password digest. While this obscures the password, it only delays its inevitable retrieval, and the message bodies themselves are still transferred in plain text!
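The TACACS+ sniffing described in the first post above and the cleartext-password and APOP findings in this one come down to the same detection question: which sessions carry credentials without protection. The following is an added example of that check in Python, not the custom Zeek scripts Endace ran in the SOC. It assumes each TCP stream’s client-to-server bytes have already been reassembled (Zeek does this) and identifies protocols by destination port. It flags TACACS+ packets whose header carries the TAC_PLUS_UNENCRYPTED_FLAG defined in RFC 8907, POP3 USER/PASS logins, APOP logins (recomputing the RFC 1939 digest to show what the “hashed timestamp” actually is), and HTTP Basic authorization headers, recording the account name and client address but never the secret itself. All sample streams, addresses and the APOP timestamp are constructed.

```python
import base64
import hashlib
import re

TAC_PLUS_UNENCRYPTED_FLAG = 0x01          # RFC 8907 header flag: body not obfuscated
TACACS_TYPES = {1: "authen", 2: "author", 3: "acct"}


def parse_tacacs_header(payload):
    """Parse the 12-byte TACACS+ header (RFC 8907); returns a dict or None if not TACACS+."""
    if len(payload) < 12 or payload[0] >> 4 != 0xC or payload[1] not in TACACS_TYPES:
        return None
    return {
        "type": TACACS_TYPES[payload[1]],
        "seq_no": payload[2],
        "unencrypted": bool(payload[3] & TAC_PLUS_UNENCRYPTED_FLAG),
        "session_id": int.from_bytes(payload[4:8], "big"),
        "body_len": int.from_bytes(payload[8:12], "big"),
    }


def apop_digest(timestamp_banner, password):
    """APOP digest as defined in RFC 1939: MD5 of the server's <timestamp> followed by the password."""
    return hashlib.md5((timestamp_banner + password).encode()).hexdigest()


def inspect_stream(client_ip, server_port, payload):
    """Findings for one client->server stream. Only the account name, client and
    kind of exposure are recorded; the credential itself is never stored."""
    findings = []

    def add(kind, account, detail):
        findings.append({"client": client_ip, "port": server_port, "kind": kind,
                         "account": account, "detail": detail})

    if server_port == 49:                                   # TACACS+
        hdr = parse_tacacs_header(payload)
        if hdr and hdr["unencrypted"]:
            add("tacacs_plus_unencrypted", None,
                f"{hdr['type']} packet seq {hdr['seq_no']} session {hdr['session_id']:#x} "
                "sent without body obfuscation")
        return findings

    text = payload.decode("latin-1")
    if server_port == 110:                                  # POP3
        user = None
        for line in text.splitlines():
            words = line.split()
            if not words:
                continue
            cmd = words[0].upper()
            if cmd == "USER" and len(words) > 1:
                user = words[1]
            elif cmd == "PASS" and len(words) > 1:
                add("cleartext_password", user, "POP3 PASS command")
            elif cmd == "APOP" and len(words) > 2:
                add("weak_password_digest", words[1],
                    "APOP MD5 digest (RFC 1939); mailbox contents still in the clear")
    elif server_port in (80, 8080):                         # HTTP
        for m in re.finditer(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", text, re.M | re.I):
            try:
                account = base64.b64decode(m.group(1)).decode("latin-1").split(":", 1)[0]
            except ValueError:
                account = None
            add("cleartext_password", account, "HTTP Basic Authorization header")
    return findings


def scan(streams):
    """Run inspect_stream over (client_ip, server_port, payload) tuples."""
    findings = []
    for client_ip, port, payload in streams:
        findings.extend(inspect_stream(client_ip, port, payload))
    return findings


def tacacs_packet(flags):
    """Constructed TACACS+ authentication packet (header + dummy body) for the sample set."""
    body = bytes(8)
    return (bytes([0xC0, 0x01, 0x01, flags]) + (0x1234ABCD).to_bytes(4, "big")
            + len(body).to_bytes(4, "big") + body)


SAMPLE_TIMESTAMP = "<1234.5678@mail.example>"        # constructed server greeting timestamp
SAMPLE_STREAMS = [                                    # constructed, not from any capture
    ("10.0.0.5", 49, tacacs_packet(TAC_PLUS_UNENCRYPTED_FLAG)),   # TACACS+ in the clear
    ("10.0.0.6", 49, tacacs_packet(0x00)),                         # TACACS+ body obfuscated
    ("10.0.0.7", 110, b"USER alice\r\nPASS hunter2\r\nSTAT\r\n"),  # POP3 cleartext login
    ("10.0.0.8", 110, ("APOP bob " + apop_digest(SAMPLE_TIMESTAMP, "s3cret") + "\r\n").encode()),
    ("10.0.0.9", 80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                     + base64.b64encode(b"carol:pw") + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_STREAMS):
        print(finding)
```

Recording only the account and client address is deliberate: the finding is what feeds a user-notification workflow like the XDR automation described above, and a SOC log that held the captured passwords would itself become the kind of PCAP-derived credential store the first post warns about.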

In the theme of plain text passwords, reviewing the connections associated with one of these sessions showed a large number of file downloads in the Zeek log generated on EndaceProbe.  This was one of many clients that used the free conference Wi-Fi to download Windows update files, but after filtering out the cab files in a Splunk search, we found a suspicious-looking file:

A search on this filename in SAA confirmed the presence of a malware download by this unfortunate user, whom the SOC team made every effort to identify.

There were also a few notable occasions where Secure Firewall alerts indicated intrusion attempts, which, after a pivot to EndaceVision, were pulled up in Wireshark for further analysis. One alert of note was a “BROWSER-IE Microsoft Internet Explorer Chakra.dll Array.filter type confusion attempt” indicating a malicious web server was trying to exploit a vulnerability in IE. 

A review of the PCAP noted that the target client was, in fact, running Safari on MacOS X.

This indicated that even if the web server was launching a legitimate attack, the client was not vulnerable to this attempt and therefore no further action was required. This highlights the value of full PCAP: packets in related sessions that don’t trigger alerts can offer valuable insight and context to security analysts, allowing rapid determinations to be made with confidence.

Read more about the SOC at CLUS 25 on Cisco’s Blog here:

https://blogs.cisco.com/security/cisco-live-san-diego-2025-soc

Acknowledgements

Our thanks to the Cisco team, led by Jessica Bair-Oppenheimer and Steve Fink, for the opportunity to include EndaceProbes in the Cisco Live SOC architecture. The SOC team is a collection of Cisco experts across many Cisco solutions who were a pleasure to work with and innovate with. We came away with a great appreciation for the power and ease of use of the Cisco Security tools. The close collaboration resulted in the Endace team leaving with not only ideas for further integrations and workflow improvements, but also prototype integration extensions that were developed and proved out during the SOC.

To learn more about all the ways Endace integrates with Cisco, check out:  https://www.endace.com/cisco.

For more blogs in our Endace SOC series, see here:
https://blog.endace.com/tag/soc/ 


Helping Protect Cisco Live 2025 in San Diego

Original Entry by : Michael Morris

By Michael Morris, Senior Director of Technology Alliances


Building on our collaboration in the SOC at RSAC 2025, Endace was honoured to be invited by Cisco to provide EndaceProbe packet capture and a team of threat hunters to support the Cisco Live Security Operations Center (SOC). Our primary goal was to protect the network and attendees at Cisco Live San Diego 2025; our secondary goals were to educate and innovate.

Two EndaceProbes were deployed in Cisco’s SOC-in-a-Box, continuously recording all network traffic provided over two 10G SPAN ports.  We integrated with Splunk Enterprise Security and Cisco Security Cloud to deliver real-time network visibility. This enabled the SOC team to detect, locate, and address threats to attendees from external and internal sources, and helped to streamline and accelerate SOC investigation workflows.

The SOC at Cisco Live aims to protect the more than 23,000 attendees from threats on the conference network. When an attendee’s device is found to be compromised or unsecured, the SOC team makes every effort to identify, locate and help remediate the issue. The SOC team also provided public tours of the SOC to educate attendees about how the SOC is configured, the processes team members implemented, and the sorts of issues and threats that we uncovered.

Drawing on our experience at RSAC 2025 (where Endace captured 36 TB of data and 45 billion packets) we further optimized our approach for Cisco Live’s SOC.

The SOC was set up in two days, leveraging prior planning and our engineers’ experience at RSAC 2025.

At Cisco Live, Endace:

  • Captured 78.9 TB of traffic representing 99.5 billion packets
  • Reassembled more than 740,000 file objects in real time and sent 42,624 files to Splunk Attack Analyzer for further analysis
  • Detected 2,256 occurrences of cleartext passwords being used from 92 unique devices
  • Provided packet-level forensic evidence to all the SOC analysts for investigating and triaging a range of security events
  • Integrated with Cisco XDR, Splunk, Cisco Firepower IDS, Splunk Attack Analyzer, Cisco Secure Malware Analytics and Cisco Secure Network Analytics to provide a seamless IR workflow
  • Innovated with new integrations that streamed additional metadata into Splunk, which sped up the investigation and remediation process

It was impressive to see the whole team of Cisco and Endace Engineers pivoting to the packet data to investigate an entire range of security incidents. Inspecting the packet data enabled fast decisions because the team could see exactly what was happening on the wire before, during, and after any event. As they say, PCAP or it didn’t happen!

Having complete packet data available at the SOC team’s fingertips really highlighted the incredible value of always-on packet capture; recording every packet and delivering complete, real-time visibility into threats, performance issues, and anomalous behaviour across the network.

There is an infectious energy that we get when working in a SOC environment like this, with Engineers from different teams and companies collaborating to track down threats, and share ideas on how to improve the SOC. The Endace team came away with many learnings that will improve EndaceProbe and our partner integrations.

We look forward to being a part of the SOC again at some more big upcoming events – stay tuned, details coming soon.

Read more about the SOC at CLUS 25 on Cisco’s Blog here:

https://blogs.cisco.com/security/cisco-live-san-diego-2025-soc

For more blogs in our Endace SOC series, see here:
https://blog.endace.com/tag/soc/ 


Endace 2024/25 Internship Program Wraps Up

Original Entry by : Katrina Schollum

By Katrina Schollum, HR Manager, Endace


Our 12-week summer internship program at our R&D centre in Hamilton recently wrapped up for another successful year.  Four interns from different universities joined us, working on individual projects, gaining industry experience, and seeing the commercial relevance of their achievements.

Showcasing Success

The last day of the program is Presentations Day. Our interns presented the results of their projects to a live audience in Hamilton, NZ, and the presentations were also streamed live to the global Endace team.

Endace 2024/2025 Interns

Despite a few well-hidden nerves, our interns did a fantastic job—providing insight into their individual journeys, outlining the objectives of their projects, talking about some of the challenges they faced and overcame, and demonstrating the solutions they built. Each presentation concluded with suggestions from the interns on how their projects could be further enhanced to provide additional benefits to the business. There was also a live Q&A session where the interns did a great job fielding a variety of questions from the audience.

Program Highlights

It is rewarding to see the growth of our interns as they build on their technical skills in a professional setting. Endace’s Intern Program gives them invaluable insight into how a global tech business operates. It’s a great opportunity to put their university knowledge into practice, further develop their technical skills, and learn about teamwork in a collaborative environment. They also gain exposure to all areas of our business, from operations and finance to sales and marketing.

The benefits of the program flow in both directions. Each Intern is supported by a dedicated manager and mentor, who also benefits from sharing their knowledge and expertise to guide the projects and help interns transition from studying to the workplace.

“Being a mentor for the interns was a challenging but also incredibly rewarding journey. It was an honour to be allowed to help them grow from overwhelmed newcomers to developers competently progressing their project” said Norbert Abel, our mentor from the Firmware team.

Feedback from our interns at the end of the program was very positive. Our interns were motivated by the projects’ real-world implications. They learned a lot and felt well supported in achieving their project goals.

Equipped with new skills and hands-on experience, we look forward to following our interns’ future achievements. We are proud to continue our strong tradition of working closely with tertiary education providers to ensure Endace remains an employer of choice for IT and engineering graduates in New Zealand.


Endace 2024/25 Internship Program Begins

Original Entry by : Katrina Schollum

By Katrina Schollum, HR Manager, Endace


The Endace Summer Internship program has been a great success in previous years, and we are excited to announce its return for another year! This summer, we are delighted to welcome four talented interns to our R&D centre in Hamilton, NZ, after receiving an incredible amount of interest from students across New Zealand. We look forward to supporting our new interns as they progress through the program.

Induction Day

The first day of the program is all about introducing our interns to “Life at Endace” and how we work.

Our interns learned about Endace’s history and our innovative products and began building strong connections with their mentors and managers. The day included opportunities to engage with senior managers, gain insight into their roles and projects, and network with members of the engineering team over lunch. It’s safe to say our interns had plenty to absorb and are excited for the journey ahead.

As part of the induction, our interns participated in the team-building activities with their mentors. One of our new mentors, Joel Shepherd —himself a former intern — shared his enthusiasm for the program:

“Being an intern at Endace was a great way to start my career, providing an opportunity to experience what it is like to work in the industry. It helped extend my knowledge beyond what I could learn at university in a relatively short time. Now, as a mentor, I’m thrilled to provide the same opportunity I once received and to see how much our new interns will learn and achieve over the summer.”

It’s amazing to see the full cycle, as previous interns become employees and eventually become mentors themselves, creating a pipeline of talent development at all levels.

Our Program

Over the course of 13 weeks, the intern program focuses on commercially relevant, individual projects and provides structured training including sessions with Endace’s leadership team members about the broader business, presentation skills training, and professional development, creating a well-rounded experience. The program ends with the interns presenting their individual projects.

Endace is proud of our ties to tertiary education and is committed to developing talent for IT and Engineering students aspiring to join our industry, positioning Endace as an employer of choice. By providing hands-on experience and intentional learning opportunities, we give students the chance to build technical capabilities while gaining insight into how a global tech organisation operates.

We’re excited to support our new interns as they continue to learn and develop, and look forward to celebrating their future achievements.


Why everyone should care about FIPS 140, NIAP NDcPP, and DoDIN APL.

Original Entry by : Cary Wright

By Cary Wright, VP Product Management, Endace

Weak security plagues far too many of the IT products we use today. The problem is, there is no unified mandate to compel vendors to invest in security hardening their products. Vendors are free to choose how heavily to invest in security. So it’s no surprise that many vendors don’t invest heavily enough in thoroughly security hardening their products.
 
However, in many industries – such as Government, defense or critical infrastructure – the potential impact of a security vulnerability in a product is just too serious for organizations to leave it to vendors to decide how to secure their products. For this reason, organizations in many of these industries mandate that vendors must submit their products to rigorous testing and certification processes to ensure the security of their products is iron clad.
 
At Endace we found out first-hand how difficult and rigorous these standards are to comply with. The effort took us the better part of a year and significant investment in software development, testing and validation, and certification. Armor plated security is a good way to describe what these standards require. Our recent OSm 7.2.1 release includes everything we had to do to comply with these standards.
 
The good news for customers – regardless of the industry you are in – is that this rigorous testing and validation process doesn’t just benefit Government, Defense and critical infrastructure organizations. Any organization that adopts products that have passed these certification processes can be confident those products have been independently evaluated to minimize the risk of security vulnerabilities and are fit-for-purpose for deployment in high-security environments.
 
By selecting a product with DoD level security compliance you reap the benefit of millions of dollars of investment in security testing and hardening that goes way beyond standard penetration tests and security scans. The testing process for each of these certifications involves delving deep into the product – comprehensive testing, source code reviews, and independent validation that the security controls of the product are robust and well designed.

What are these standards, and what do they test?

Complying with FIPS 140-3 is the fundamental first step in certification. FIPS mandates that products must use robust and secure encryption. This is not a bolt-on. Products must implement a validated cryptography module as a central software pillar to ensure all encrypted communications meet the NIST standard for strong cryptography, including HTTPS, SSL, and SSH.
 
Just including encrypted HDDs in a system – as some vendors do to claim compliance with FIPS – is not sufficient. Every communication to and from the system must be secured with FIPS validated cryptography before the system can be FIPS certified. Independent testing confirms that products comply with the FIPS standards.
 
NIAP NDcPP 2.2e, also known as Common Criteria, is an international standard agreed by 18 nations. It builds on FIPS to define security requirements that are expected to be implemented by all network devices. It goes extremely deep to validate a product has robust security. By deep, I mean months of extensive testing, inspection, and independent code reviews, conducted and signed off by government signatories who are usually security experts in defense departments.
 
DoDIN APL stands for the US Department of Defense Information Network Approved Products List. With FIPS and NIAP certification in hand and a US DoD sponsor, a vendor’s final step is to undergo product testing by a US DoD lab against DoD cybersecurity requirements. Being listed on the APL is the last big stage of a long and intensive project, but it’s not the end of the story. Ongoing maintenance and revalidation ensure that a product remains secure throughout its life.

OSm 7.2.1 is released and available for download.

I am very proud of the team at Endace for having delivered a huge release with OSm 7.2.1. This release has focused on meeting all the requirements for these intensive – but extremely valuable – security standards. And I am glad to say that every Endace customer will benefit from this huge investment in product security hardening.

Combining Endace and Elastic delivers detailed visibility into real-time and historical network activity

Original Entry by : Cary Wright

By Cary Wright, VP Product Management, Endace

We’re pleased to announce our newest technical partnership with leading SIEM and observability platform provider, Elastic. By combining EndaceProbe™ always-on Hybrid Cloud packet capture, Elastic™ Stack and Elastic™ Security, we’re providing the packet-level network visibility and detailed network metadata that Security and IT teams need when responding to security threats and network or application performance issues.

How Do We Work Together?

By combining Endace and Elastic Stack, organizations gain accurate, highly detailed visibility into both real-time and historical network activity. Security and IT analysts can search network metadata in Elastic, and quickly pivot to full packet data for forensic investigations when they need to. The result is faster, more accurate incident investigation and resolution.

The combination of Elastic Stack and EndaceProbe gives cybersecurity and IT teams the ability to see exactly what’s happening on their network in real-time. EndaceProbes can record weeks or months of full packet capture across hybrid cloud networks to provide a complete and accurate record of all network activity. The detailed full packet capture data recorded by EndaceProbes is a perfect complement to the rich logs and metadata collected by Elastic Stack.

When analysts need to go back in time to investigate any incident, they have a complete record of that activity at their fingertips. Beyond this, the ability to pivot from anomalies or security alerts directly to forensic examination of packet-level data lets analysts see exactly what’s happening. They can quickly respond to incidents and dramatically mitigate threat risk to their organizations.

EndaceFlow and Elastic Stack

In addition, EndaceProbe appliances can host EndaceFlow™, which generates extremely high-fidelity NetFlow data at full line rate. This NetFlow data can be ingested by Elastic Stack to provide detailed metadata for monitoring the security and performance of the network and interrogating network activity. Pre-built integration between EndaceProbes and Elastic Stack enables streamlined investigation workflows. Analysts can click on alerts in the Elastic UI to go directly to the related full packet data recorded by EndaceProbe. Analysts can quickly view traffic right down to individual packet level to see precisely what occurred before, during and after any event, with absolute certainty.

For more information about our Fusion Partner integrations, please visit www.endace.com/fusion-partners.

To see a demonstration of this Elastic Security integration in action please visit the Elastic partner page at https://www.endace.com/elastic-security.