How to protect against nation state attackers

Original Entry by : Mark Evans

“One of my worst nightmares [as an attacker] is that out-of-band network tap that really is capturing all the data, understanding anomalous behaviour going on. And someone’s paying attention to it.”
Rob Joyce, NSA: “Disrupting Nation State Attackers, Jan 2016” (22:10)

It’s great to see the efficacy of packet capture and network recording acknowledged by such an eminent cybersecurity Tsar as Rob Joyce.

If you haven’t already seen his video presentation on Disrupting Nation State Attackers, it’s well worth a watch. Before being shoulder-tapped to take up his new role as a cybersecurity advisor to Trump’s National Security Council, Joyce headed up the Tailored Access Operations division of the NSA.

The NSA’s TAO division is responsible for “providing tools and expertise in computer network exploitation to deliver foreign intelligence.” In other words, it is responsible for finding, and taking advantage of, the very network vulnerabilities that we’re all trying to protect against.

In his presentation at the Usenix Enigma conference last year, Joyce outlined key steps organizations can take to protect themselves against the sort of sophisticated techniques employed by Nation State attackers and criminal elements looking to attack your network.

Much of his advice is practical common sense. Know everything on your network, understand it, and update and patch everything. We all know this is critical, but all too often it doesn’t happen. Take patching for example. Joyce says that, in his experience, many organizations undertake security audits to identify known vulnerabilities, but frequently have still not fixed those vulnerabilities by the time the next audit rolls around months later.

Joyce also explodes a common myth – that sophisticated intruders rely on zero day threats. In fact, he says, zero day threats are far from being biggest danger to corporate networks. For any large network, he says:

Persistence and focus will get you in and achieve that exploitation without the zero days. There’s so many vectors that are easier, less risky and quite often more productive.

The cause of most intrusions, says Joyce, come down to one of things (the “Big Three”):

  • Email:  “a user clicked on something they shouldn’t have”
  • Malicious websites“they’ve gotten to a malicious website … and it’s either executed or they’ve run content from that website.”
  • Removable media – “where a user inserted contaminated media“. [As an aside, someone once told me the easiest way to get malware into an organization is to load it on a USB stick labelled “Payroll”, drop it in the carpark and leave the rest to curiosity!].

Joyce outlines the importance of making sure that sources of information about activity on the network – such as log files or network packet captures – are actually being monitored. “You’d be amazed at incident response teams that go in and there’s been some tremendous breach .. Yep, there it is right there in the logs.”

But perhaps the best piece of strategic advice he offers is this:

“Consider that you’re already penetrated. Do you have the means and methods to understand if somebody’s inside your network?”

That change in focus is important. Statistics show intrusions are becoming increasingly commonplace. Once organizations move from “we need to make sure we’re not penetrated” to “maybe we already are penetrated” they start to understand what tools, skills and processes they need to put in place to identify intrusions and stop an initial penetration from going on to become a more serious data breach. Or, if they have already been breached, what do they need to make sure they can identify how it happened and what was compromised?

Joyce’s presentation is a salient reminder that ensuring the basics of network security hygiene is critical. And that the battle to defend against attackers is an ongoing one. As fast as you tighten up your security, new vulnerabilities emerge that put you at risk.

Take a look at the video. You’ll find it’s 30 minutes of your time very well spent!

Cybersecurity Resources

Some of the useful resources that Joyce discusses and recommends are listed below

NOTE: The two links to the IAD site above require installing the DoD Root CA Certificates to avoid getting an “untrusted website” notification. More information here.

Australian Cyber Security Conference 2017

Original Entry by : Mark Evans

It’s a busy time for the Endace Australia team. Fresh back from exhibiting at the Australian Cyber Security Conference in Canberra last week, the team is off to Blackhat Asia in Singapore next week (March 28-21). We’ll report back on that event in due course.

The ACSC conference was very lively, with more than 1600 attendees descending on Canberra for the week.

We had a number of very interesting conversations with attendees from both government and commercial organizations. It was clear from many of these conversations that organizations are increasingly looking to packet capture and network recording as a crucial component of their cybersecurity toolset. Either they’re already doing some level of packet capture (often ad-hoc) and they’re interested in extending that capability. Or they’ve recognised the need for complete packet capture and are actively looking to include it as part of their cybersecurity arsenal.


This is great to hear. Our customers have recognised for a long time that packet-data is an unparalleled resource for cybersecurity investigations and it’s clear the wider market is moving in that direction too.

One of the common themes attendees talked about was how the proliferation in the number of security tools is making it difficult for them to get a coherent, single view of threats and activity on the network. We agree, and we talked with many attendees about the need for better integration between security solutions.

Many were interested to hear that our EndaceProbe Network Recorders can integrate with the tools that they are already using – such as Cisco’s Firepower NG IPS, Plixer’s Scrutinizer and Splunk. This integration lets analysts jump directly from alerts in those tools to examine the underlying packet-level network history and see exactly what has taken place. This makes for streamlined investigations, and helps analysts to eliminate false positives, and identify, prioritize and respond to the real threats more quickly.

ACSC 2017 was a great conference, and we look forward to coming back to be part of ACSC 2018. Thanks to the ACSC team for making it a very successful event!

Endace opens new Australian office

Original Entry by : Mark Evans
Endace Australia Team
Endace Australia Team: from left to right Michael Barnett, Anthony Adamo, Lisa Ardern and Peter Watt

Well it’s official. Our new Australian office in Hawthorne in Melbourne is open. An official opening was held on Friday, March 10th.

Thank-you to all the customers who attended our housewarming soirée, it was fun!

If you weren’t able to make it to the opening party, do drop in and see us and have a look at our new space.

Cisco Live Europe 2017 A Great Success

Original Entry by : Mark Evans

Upwards of 12,000 people packed Messe Berlin for the Cisco Live Europe 2017 event last week. It was a busy, exciting and noisy atmosphere and a lot of fun to attend. As a Cisco Solutions Partner, Endace was pleased to be invited to be one of the vendors exhibiting in the Cisco Security Partner Village.

Cybersecurity was a hot topic at Cisco Live, and the Security Partner Village was bustling, with lots of attendees interested in seeing the latest cybersecurity solutions.

Endace’s Sandrine Kubach and Rob Earley were inundated with people interested to find out how we integrate our full packet capture solutions with Cisco’s security solutions.

Sandrine and Rob demonstrated the integration between our EndaceProbe Network Recorders and Cisco’s Firepower NG-IPS.

Endace’s Fusion Connector for Firepower allows security analysts to click from an alert in the Firepower Management Console to instantly view and analyze related network packets recorded on EndaceProbes. This streamlined workflow dramatically reduces investigation times and provides definitive evidence of exactly what has happened so analysts can respond appropriately.

It was great to have another of our partners, Plixer, demonstrating the integration between Scrutinizer and EndaceProbes at a stand just metres away from our own too!

Cisco Live Europe was a fantastic event. To all those who stopped by our stand, thank-you for making the time. It was great to meet you and we look forward to talking to you again soon.

Thanks to the Cisco team for their wonderful organization and support. We’re excited about being at Cisco Live US in Las Vegas later in the year!

If you weren’t able to make it to Berlin, check out the great highlights reel that Cisco has put together – it gives a great sense what a busy event it was:

Dynatrace Perform 2017

Original Entry by : Mark Evans

Endace was an exhibiting partner at Dynatrace Perform in Las Vegas this month. Perform is the annual conference for Dynatrace users and attracts attendees from all over the world.

Attendees at Dynatrace Perform 2017 in Las Vegas

The conference sessions were packed, and our booth in the partner area was swamped during the partner sessions!

In fact it was so busy we didn’t have time to take photos of our booth! So here’s one of Dynatrace’s photos instead. And if you want more, there’s a big gallery of photos on this page.

In the Partner Lounge, Blaine Deutsch and Tom Leahy demonstrated how EndaceProbes integrate with Dynatrace DC RUM to provide instant access to network packet history as definitive evidence for troubleshooting application performance issues. They also showed how using EndaceProbes to Playback recorded history to an instance of the virtual AMD agent hosted in Application Dock offers new options for deep investigation of historical events.

If you weren’t able to make the event, here are the presentations:

We thoroughly enjoyed being at Perform 2017. And being in Las Vegas on Superbowl Sunday prior to the conference was certainly an experience too.

Thanks to all the attendees who came to our stand. We had some really interesting conversations which we look forward to picking up with you again very soon.

And thanks to Nathan, Mike, Paula and the team from Dynatrace for making us welcome and ensuring we had everything we needed too. A great event guys!

Cool Runnings with Endace

Original Entry by : Endace

bobsleigh-2-1000Back in 2015 Emma Garner was looking for a fresh challenge to push her both physically and mentally. Taking inspiration from 90s comedy Cool Runnings she decided to try out for the Royal Air Force Bobsleigh Team. The RAF compete in two-person bobsleighs crewed by a driver and brakeman. Invited to attend novice training as a brakeman at Igls in Austria, she soon found herself careening down the course on her first ever week on ice.

“I remember the anticipation the first time I was nudged off the start and the exhilaration at making it down the track first time without my novice driver crashing. Some people weren’t so lucky.”

Continue reading “Cool Runnings with Endace”

FIC 9th International Cybersecurity Forum 2017 packs out Lille Grand Palais

Original Entry by : Mark Evans

Endace at FTC 2017 in LilleEndace recently exhibited at the FTC International Cybersecurity Forum, which was held in Lille, France.

It was a very busy event, and attracted more than 7000 cybersecurity and IT professionals from France and further afield. Our indomitable team of Sandrine Kubach and Rob Earley were there to fly the Endace flag at our booth.

Sandrine and Rob showed Forum attendees how EndaceProbe™ Network Recorders can be integrated with security solutions from Cisco, Splunk, Plixer and other vendors to enable security analysts to quickly access a definitive source of network history for cybersecurity investigations. The also talked about the EndaceProbe’s ability to host network security and network performance monitoring applications in the ApplicationDock™ hosting environment

The Top 5 topics of interest for attendees at the conference were:

  1. Data Security
  2. Network Security
  3. Tackling Cybercrime
  4. Managing IT weakness
  5. Cloud Security
FTC 9th Annual Cybersecurity Forum 2017 in pictures

It was great to see such strong interest in cybersecurity at the conference, and we were really pleased to see how many organizations recognized the importance of capturing network history for security breach investigation.

If you would like to know more about the Forum, FTC has put together a great infographic which gives a visual overview of the event. Thanks to the FTC organizers for a well run event and to all those attendees who stopped by our stand. We really enjoyed talking with you and we’ll be in touch.

Sold out Suricon demonstrates strong interest in Suricata

Original Entry by : Endace

Suricata

Having been one of the original sponsors of the OISF, we were thrilled to be involved again as a community partner sponsor at Suricon 2016.  The conference ran Nov 9-10 and with an international contingent of attendees and sponsors, Washington DC on election night was a very unique way to kick off the conference! 

It was great to reacquaint with old friends at the OSIF. Kelley Misata and the Core team did a fantastic job of organizing the conference.  There were some really interesting presentations from Core team presenters and the Suricata community. Check out the conference highlights here for links to some of the presentation slides.

suricon_booth

We had a lot of interest from attendees interested in using Endace DAG cards to improve the performance and fidelity of Suricata. For anyone wanting to find out how to use Suricata with DAG, we put together a technical brief which you can download here.

To celebrate Endace’s return as a sponsor, we offered attendees a special 2-for-1 deal on our DAG 10X2-S cards.  We think this card really hits the price/performance mark, providing a professional capture card at a very attractive price. And judging by level of the interest we saw at the conference, attendees agreed (a reminder to conference attendees, the offer closes Dec 15th, so don’t forget to return your claim form!)

Suricon 2016 was completely sold out and it’s great to see the attendance and interest growing so strongly.  Endace is looking forward to sponsoring Suricon 2017 in Prague which promises to be even bigger and better again!

Inaugural Sharkfest Europe a great success

Original Entry by : Endace

endace-sharkfest-standEurope got its own Sharkfest in October and the inaugural Wireshark Developer and User Conference was a great success with strong attendance from the user and developer community across Europe. Congratulations to Sharkfest Europe for a great launch to what is sure to be a fantastic annual event.

There was a great program of speakers over the three days. Kicking things off with the pre-conference course was Wireshark University’s Laura Chappell. Her Troubleshooting with Wireshark tutorial was well attended and included invaluable tips for working with Wireshark using workflows which make optimal use of Wireshark to quickly highlight potential issues.

Continue reading “Inaugural Sharkfest Europe a great success”

Provenance™️ helps firms meet new MFID 2 regulatory technology standards

Original Entry by : Stuart Wilson

We attended the Fall STAC summits in Chicago and London recently, and will be at STAC New York on November 7th. At STAC we’ve been talking about Provenance™️, a new feature available now in all our DAG™️10X cards and coming to our EndaceProbe™️ Network Recorders early next year.

New MFID 2 regulatory technology standards (known as RTS 25) for recording trade data will impose tough new standards on HFT firms operating in the European market. Under the new regulations, traders must ensure that timestamps on recorded trade data are accurate to at least 1 microsecond granularity and synchronised to UTC with a maximum divergence of less than 100 microseconds. They must also be able to demonstrate traceability to UTC by documenting the system design, functioning and specifications. There’s a few technical hurdles to clear to meet those requirements and Provenance is how we ensure you don’t knock any over.

Continue reading “Provenance™️ helps firms meet new MFID 2 regulatory technology standards”