APT’s are the New Cybersecurity Battle Front

Original Entry by : Michael Morris

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

Join IBM, Gigamon and Endace
Tuesday, July 21, 2020

Don’t miss this informative webinar hosted by DataBreach Today.

Join Michael Morris (Endace), Russell Warren (IBM) and Martyn Crew (Gigamon) as they discuss strategies for detecting and protecting against APT’s.

Register Now

Advanced Persistent Threats (APTs) are the new battlefront for cybersecurity as threat actors combine multiple malware infiltration techniques to gain the most intelligence, cause the most damage, and ultimately reap the most financial rewards.  APT’s are the most sophisticated of threats, often difficult to detect and potentially lurking in your infrastructure for months or years before the real attack. Their motivations are political or financial, with a goal of maximum impact.

SecOps teams that are continually inundated with alerts and alarms don’t have time to connect the dots to realize some alarms point to APTs that are gaining a foothold. The sooner an APT can be identified and contained, the better the chance of minimizing the financial loss or brand damage your company experiences as a result.  This is easier said than done because skilled bad actors are constantly trying to cover their tracks, mask their existence, and hide the level of access they have gained and data they have collected.

Three pillars are key to effectively finding, containing, and mitigating APTs.  The first pillar is having visibility into everything that’s happening on your network. Getting the right network traffic to the right tools, including safely decrypting any TLS traffic, is critical for full visibility into threatening activity on the network. Other functions, such as deduplication, application filtering, and load-balancing traffic to multiple tools, are also important for an effective security stack.

The second pillar is implementing AI-based security analytics across all security-related telemetry data including Network, Endpoint, Application and Security logs. Bringing all this data together in one place enables the organization to create “baselines” of what is “normal behavior” versus “suspicious activity”. Leading analytics platforms can provide a single, correlated view of threatening activity and leverage integrations with third-party tools that accelerate the incident response process for SecOps teams.

The third pillar is recording enterprise-wide network history for in-depth investigations during incident response.  Many APTs implement wipers to erase evidence of their existence and cover their tracks, including modifying system logs, authentication records and other sources of evidence. However, bad actors can’t hide when enterprises implement continuous network traffic recording.  Recorded network history lets you see exactly what’s happening on the network so you can investigate and defend against even the most well-masked security threats. It provides tamper-proof evidence that lets teams understand the full extent of a threat including the ability to see into payloads that may have been collected and exfiltrated.

Join us on the webinar on July 21st to hear more. Register here.

Endace Packet Forensic Files: Episode #2

Original Entry by : Michael Morris

Michael talks to Doug Hurd, Senior Business Development Manager at Cisco Systems Security Solutions

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

Tune for the latest episode of Endace Packet Forensic Files vidcast series with this week’s guest Doug Hurd, Senior Business Development Manager at Cisco Systems Security Solutions.

Doug shares experience and insights on some of the most robust security stacks by best in class companies.  He talks about some of the techniques companies are implementing to handle the sheer volume of threat alarms and efficiently work through them.

Finally, Doug shares his insights into where companies – and vendors – are heading to help security teams stay in front of the latest cybersecurity threats.

Other episodes in the Secure Networks video/audio podcast series are available here.

Endace Packet Forensics Files: Episode #1

Original Entry by : Michael Morris

Michael talks to Justin Fier, Director of Cyber Intelligence at Darktrace

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

Join the new Endace Packet Forensics Files vidcast for an informative session with guest, Justin Fier, Director of Cyber Intelligence at Darktrace.

Justin shares his experience with the challenges SecOps teams are facing from the Covid-19 Pandemic and the massive shift to a remote workforce. Hear how cyber AI, anomalous network detection, and packet forensics can help you stay ahead of the latest threats.

Justin’s insights into industry verticals like Finance, Healthcare, and Government reveal the unique changes and challenges these environments are facing, and some of the best practices he is seeing to address those challenges.

Other episodes in the Secure Networks video/audio podcast series are available here.

Endace + XSOAR = Nirvana for the SoC

Original Entry by : Cary Wright

Integrating Palo Alto Cortex XSOAR with the EndaceProbe Analytics Platform

By Cary Wright, VP Product Management, Endace

Cary Wright, VP Product Management, EndaceThis week we are announcing an exciting integration with Palo Alto Networks Cortex XSOAR, formerly Demisto. This integration provides XSOAR customers with automated playbooks that easily pull in packet-level evidence for fast, conclusive, and repeatable response to security incidents. This integration complements our existing partnership with Palo Alto Networks NGFW and Panorama so now you can access packet-level data across multiple Palo Alto solutions.

So what is this “Nirvana for the SoC” we are all striving for?

The most effective SoC teams I’ve seen are well-oiled machines, reviewing and resolving many potentially dangerous security incidents each day and neutralizing threats quickly and confidently. What makes these teams successful is a repeatable and well-understood process, based on evidence, backed by automation, with integrated workflows across a suite of best in class security tools.

These teams have a wide range of experience–from new recruits to seasoned experts–all highly motivated and working collaboratively to solve complex issues. This exceptional environment not only provides high levels of productivity and security, but it also is great for team morale, staff retention, and hiring. Adding new staff is streamlined because all the processes are documented and/or automated, workflows are simple, and less experienced hires can contribute quickly. I am sure you would agree this is the SoC team Nirvana that we are all striving for?

SoC teams are flying blind without network packet history at their fingertips. Sophisticated attackers do their best to cover their tracks by modifying server logs or deleting evidence. However,   packets don’t lie and can’t be tampered with. That’s why many SoC teams deploy EndaceProbe alongside their firewalls so they can turn to the packets to investigate their most challenging security incidents. It’s the evidence needed to know without a doubt what happened at 2pm last Tuesday afternoon when a security alert indicated a potential attack.

We integrated with Cortex XSOAR because we realized that many teams were missing the essential packet-level evidence required for fast and conclusive security investigations. XSOAR playbooks now automate the collection of packet evidence from any EndaceProbe in the deployment. Packet evidence is then archived and attached to a “case” or “war room” allowing multiple team members to contribute to the investigation at any time in the future.

The complete workflow can be integrated with the entire security tool suite including endpoint, network, SIEM, NGFW, and other security elements. And finally, these playbooks can be customized to suit the specific needs of the organization.

Check out the demo video on Palo Alto Network’s Fusion partner page to see this integration in action, and reach out if you’d like more information.

I am very proud of what our team has achieved with this integration to Cortex XSOAR. Our customers can now manage alerts across all sources using a standard process, take action on threat intel, and automate response for any security use case – resulting in significantly faster responses that require less manual review. I’m really looking forward to seeing our customers take advantage of this new capability to create their own SoC team Nirvana.

Happy hunting,

Cary

 

Packet Detectives Episode 2: The Case of the Unknown TLS Versions

Original Entry by : Michael Morris

Demystifying Network Investigations with Packet Data

By Michael Morris, Director of Global Business Development, Endace

Michael Morris, Director of Global Business Development, Endace

As we discussed with Ixia and Plixer recently in our How to Combat Encrypted Threats webinar (which you can watch here if you are interested) newer versions – 1.2 and 1.3 – of TLS should be preferred over older versions – 1.0 and 1.1 – because they’re much more secure, and better protect data in flight.

But removing older versions of TLS from your network can be challenging. First, identifying which versions are actually being used. Second, identifying which servers and clients are using outdated versions. And lastly, updating any servers inside your network that are using older TLS versions, and potentially blocking access to servers outside the network using older versions too, all without causing your users to scream!

It’s not just users you need to worry about either. Potentially you may have IoT devices on your network that are still using older TLS versions.

Thankfully, if you have access to recorded network traffic there’s an easy way …

In this second installment of Packet Detectives, industry-renowned SharkFest presenter and all-round Wireshark guru, Betty DuBois, shows how you can quickly answer all these questions using Wireshark to analyze the TLS traffic on your network to see which hosts and clients are using which versions. She has even created a special, custom Wireshark profile you can download to make the analysis even easier!

The truth is in the packets …

We hope you find this video useful. Please let us know if you have ideas for other examples you’d like to see.

Network Security and Management Challenges Blog Series – Part 4

Original Entry by : Endace

Driving Economic Efficiency in Cyber Defense

Key Research Findings

  • Available budget, freedom to choose the best solutions and platform fatigue are all impacting on the ability of system architects to design and deploy the best solutions to meet the organization’s needs.
  • 78% of system architects reported platform fatigue is a significant challenge with 29% rating the level of challenge as high.
  • More than 90% of respondents reported that the process of acquiring and deploying security, network or application performance platforms is challenging, with almost half reporting that it is either extremely or very challenging.

Most of what’s written about cybersecurity focuses on the mechanics of attacks and defense. But, as recent research shows, the economics of security is just as significant. It’s not just lack of available budget – departments always complain about that – but how they are forced to allocate their budgets.

Currently, security solutions are often hardware-based, which forces organizations into making multiple CAPEX investments – with accompanying complex, slow purchase processes.

More than three-quarters of respondents to the survey reported that “the challenge of constraints caused by CAPEX cycle (e.g. an inability to choose best possible solutions when the need arises) is significant.”Almost half reported being stuck with solutions that have “outlived their usefulness, locked into particular vendors or unable to choose best-of-breed solutions.

Speed of deployment is also a significant challenge for organizations, with more than 50% of respondents reporting that “deploying a new security, network or application performance platform takes six to twelve months or longer.” 

As outlined in the previous post, existing security solutions are expensive, inflexible, hardware-dependent and take too long to deploy or upgrade. The process of identifying a need, raising budget, testing, selecting and deploying hardware-based security and performance monitoring solutions simply takes too long. And the cost is too high.

Contrast this with cyber attackers, who don’t require costly hardware to launch their attacks. They are not hampered by having to negotiate slow, complex purchase and deployment cycles. And often they leverage their target’s own infrastructure for attacks. The truth is that the economics of cybersecurity is broken: with the balance radically favoring attackers at the expense of their victims.

Reshaping the economics of cyberdefense

Companies have a myriad of choices when it comes to possible security, network performance and application performance monitoring solutions. Typically, they deploy many different tools to meet their specific needs. 

As discussed in the previous post, the lack of a common hardware architecture for analytics tools has prevented organizations from achieving the same cost savings and agility in their network security and monitoring infrastructure that virtualization has enabled in other areas of their IT infrastructure. As a result, budgets are stretched, organizations don’t have the coverage they’d like (leading to blindspots in network visibility) and deploying and managing network security and performance monitoring tools is slow, cumbersome and expensive.

Consolidating tools onto a common hardware platform – such as our EndaceProbe – helps organizations overcome many of the economic challenges they face:

  • It lets them reduce their hardware expenditure, resulting in significant CAPEX and OPEX savings. 
  • Reduced hardware expenditure frees up budget that can be directed towards deploying more tools in more places on the network – to remove visibility blind spots – and deploying tools the company needs but couldn’t previously afford.
  • Teams gain the freedom to choose what tools they adopt without being locked into “single-stack” vendor solutions. 
  • Teams can update or replace security and performance monitoring functions by deploying software applications on the existing hardware platform without a rip-and-replace. This significantly reduces cost and enables much faster, more agile deployment.

The cost of the hardware infrastructure needed to protect and manage the networks can also be shared by SecOps, NetOps, DevOps and IT teams, further reducing OPEX and CAPEX costs and facilitating closer cooperation and collaboration between teams.

For architects, a common hardware platform becomes a network element that can be designed into the standard network blueprint – reducing complexity and ensuring visibility across the entire network. And for IT teams responsible for managing the infrastructure it avoids the platform fatigue that currently results from having to manage multiple different hardware appliances from multiple different vendors.

Because analytics functionality is abstracted from the underlying EndaceProbe hardware, that functionality can be changed or upgraded easily, enabling – as we saw in the last post – far more agile deployment and the freedom to deploy analytics tools that best meet the company’s needs rather than being locked into specific vendors’ offerings.

Equally importantly, it extends the useful life of the EndaceProbe hardware too. No longer does hardware have to be replaced in order to upgrade or change analytics functionality. And as network speeds and loads increase, older EndaceProbes can be redeployed to edge locations and replaced at the network core with newer models offering higher-speeds and greater storage density. This ensures companies get maximum return on their hardware investment.

Lastly, their modular architecture allows multiple, physical EndaceProbes to be stacked or grouped to form centrally-managed logical EndaceProbes capable of scaling to network speeds of hundreds of gigabits-per-second and storing petabytes of network history.

A Final Word

This blog series has looked at the three key challenges – Visibility, Agility and Economic Efficiency (this post) – that enterprises report they face in protecting their networks and applications from cyber threats and costly performance issues. These challenges are interrelated: it is only by addressing all three that organizations can achieve the level of confidence and certainty necessary to effectively protect their critical assets.

Endace Honored with Ten Accolades in
Security Industry Awards Sweep

Original Entry by : Endace

Last month was officially our most successful month for awards ever! Maybe it’s got something to do with it being February in a Leap Year?

Whatever the reason, we’re thrilled to report that Endace received no less than ten industry awards last week, winning three top spots at the Cyber Defense Magazine InfoSec Awards and a further seven awards at the Info Security Product Guide Global Excellence Awards.

Endace's Cary Wright (left) and Michael Morris (right) accept the award for "Best Product, Packet Capture Platform" from Cyber Defense Magazine
Endace’s Cary Wright (left) and Michael Morris (right) accept the award for “Best Product, Packet Capture Platform” from Cyber Defense Magazine

CYBER DEFENSE MAGAZINE (CDM) is the industry’s leading electronic information security magazine. Rolling out the red carpet at RSA in San Francisco this week, CDM’s panel of judges voted the EndaceProbe Analytics Platform Product Suite best in class for the following categories:

  • Most Innovative, Network Security and Management
  • Best Product, Packet Capture Platform
  • Hot Company, Security Investigation Platform

INFO SECURITY PRODUCTS GUIDE is the industry’s leading information security research and advisory guide. The awards panel, which includes 35 judges from around the world, recognized Endace in the following categories

  • Grand Trophy Winner
  • Best Security Hardware (Gold): EndaceProbe Analytics Platform Product Suite
  • Most Innovative Security Hardware of the Year (Gold): EndaceProbe Analytics Platform Product Suite and Fusion Partner Program
  • Network Security and Management (Gold): EndaceProbe Analytics Platform with EndaceVision
  • Critical Infrastructure Security (Gold): EndaceProbe Analytics Platform Product Suite
  • Best Security Solution (Silver): EndaceProbe Analytics Platform Product Suite and Fusion Partner Program
  • Network Visibility, Security & Testing (Silver): EndaceProbe Analytics Platform with EndaceVision

We’re looking forward to attending the Info Security Product Guide Awards 2020 presentation ceremony and dinner in October to celebrate the Grand Trophy win and the six other awards.

We’d like to extend a big thank you to the judging panels for both award programs. And congratulations to fellow 2020 winners including Endace Fusion Partners Cisco, Ixia (a Keysight company), Darktrace and Gigamon.

Network Security and Management
Challenges – Part 3: Agility

Original Entry by : Endace

The Need for Agile Cyberdefense – and How to Achieve it

Key Research Findings

  • 75% of organizations report significant challenges with alert fatigue and 82% report significant challenges with tool fatigue
  • 91% of respondents report significant challenges in “integrating solutions to streamline processes, increase productivity and reduce complexity”.
  • Investigations are often slow and resource-intensive, with 15% of issues taking longer than a day to investigate and involving four or more people in the process.

In part two of this series of blog posts, we looked at Visibility as one of the key challenges uncovered in the research study Challenges of Managing and Securing the Network 2019.

In this third post, we’ll be discussing another of the key challenges that organizations reported: Agility

From a cybersecurity and performance management perspective, the term “Agility” can mean two different things. In one sense it can mean the ability to investigate and respond quickly to cyber threats or performance issues. But it can also refer to the ability to rapidly deploy new or upgraded solutions in order to evolve the organization’s ability to defend against, or detect, new security threats or performance issues. 

To keep things clear let’s refer to these two different meanings for agility as “Agile Response” and “Agile Deployment.”

Enabling Agile Response

In the last post, we looked at the data sources organizations can use to improve their visibility into network activity – namely using network metadata, combined with full packet data, to provide the definitive evidence that enables analysts to quickly and conclusively investigate issues. 

In order to leverage this data, the next step is to make it readily available to the tools and teams that need access to it. Tools can access the data to more accurately detect issues, and teams get quick and easy access to the definitive evidence they need to investigate and resolve issues faster and more effectively. 

Organizations report that they are struggling with two significant issues when it comes to investigating and resolving security or performance issues. 

The first is they are drowning in the sheer volume of alerts being reported by their monitoring tools. Investigating each issue is a cumbersome and resource-intensive process, often involving multiple people. As a result there is typically a backlog of issues that never get looked at – representing an unknown level of risk to the organization.

The second issue, which is compounding the alert fatigue problem, is that the tools teams use are not well-integrated, making the investigation process slow and inefficient.  In fact, 91% of the organizations surveyed reported significant challenges in “integrating solutions to streamline processes, increase productivity and reduce complexity.” The result is analysts are forced to switch from tool to tool (also known as “swivel chair integration”) to try and piece together a “big-picture” view of what happened.

Integrating network metadata and packet data into security and performance monitoring tools is a way to overcome both these challenges:

  • It gives teams access to a shared, authoritative source of truth about network activity. Analysts can pivot from an alert, or a metadata query, directly to the related packets for conclusive verification of what took place. This simplifies and accelerates investigations, making teams dramatically more productive and eliminating alert fatigue.
  • It enables a standardized investigation process. Regardless of the tool an analyst is using, they can get directly from an alert or query to the forensic detail – the packets – in the same way every time. 
  • It enables data from multiple sources to be correlated more easily. This is typically what teams are looking to achieve through tighter tool integration. Network data provides the “glue” (IP addresses, ports, time, application information etc.) that enables data from other diverse sources (log files, SNMP alerts etc.) to be correlated more easily. 

By leveraging a common, authoritative source of packet-level evidence organizations can create a “community of interoperability” across all their security and performance monitoring tools that drives faster response and greater productivity.

By integrating this packet-level network history with their security tools, SecOps teams can pivot quickly from alerts to concrete evidence, reducing investigation times from hours or days to just minutes.

Endace’s EndaceProbe Analytics Platform does this by enabling solutions from leading security and performance analytics vendors – such as BluVector, Cisco, Darktrace, Dynatrace, Micro Focus, IBM, Ixia, Palo Alto Networks, Splunk and others – to be integrated with and/or hosted on the EndaceProbe platform. Hosted solutions can access analyze live packet data for real-time detection or analyze recorded data for back-in-time investigations. 

The EndaceProbe’s powerful API-based integration allows analysts to go from alerts in any of these tools directly to the related packet history for deep, contextual analysis with a single click. 

The Road to Agile Deployment

The research showed that many organizations report their lack of visibility is due to having “too few tools in too few places in the network.” There are two reasons for this. One is economic – and we’ll look at that in the next post. The other is that the process of selecting and deploying new security and performance monitoring solutions is very slow.

The reason deploying new solutions is so slow is that they are typically deployed as hardware-based appliances. And as we all know, the process of acquiring budget for, evaluating, selecting, purchasing and deploying hardware can take months. Moreover, appliance-based solutions are prone to obsolescence and are difficult or impossible to upgrade without complete replacement. 

All these things make for an environment that is static and slow-moving: precisely the opposite of what organizations need when seeking to be agile and evolve their infrastructure quickly to meet new needs. Teams cannot evolve systems quickly enough to meet changing needs – which is particularly problematic when it comes to security, because the threat landscape changes so rapidly. As a result, many organizations are left with security solutions that are past their use-by date but can’t be replaced until their CAPEX value has been written down.

The crux of the problem is that many analytics solutions rely on collecting and analyzing network data – which means every solution typically includes its own packet capture hardware. 

Unlike the datacenter, where server virtualization has delivered highly efficient resource utilization, agile deployment and significant cost savings, there isn’t – or rather hasn’t been until now – a common hardware platform that enables network security and performance analytics solutions to be virtualized in the same way. A standardized platform for these solutions needs to include the specialized, dedicated hardware necessary for reliable packet capture and recording at high speed.

This is why Endace designed the EndaceProbe™ Analytics Platform. Multiple EndaceProbes can be deployed across the network to provide a common hardware platform for recording full packet data while simultaneously hosting security and performance analytics tools that need to analyze packet data. 

Adopting a common hardware platform removes the hardware dependence that currently forces organizations to deploy multiple hardware appliances from multiple vendors and frees them up to deploy analytics solutions as virtualized software applications. This enables agile deployment and gives organizations the freedom to choose the security, application performance and network performance solutions that best suit their needs, independent of the underlying hardware.

In the next post, we’ll look at how a common platform can help address some of the economic challenges that organizations face in protecting their networks.