Endace Interns Tackle the Industry’s Biggest Challenges

Original Entry by : Endace

Our Summer Internship Programme is back and this year we are pleased to welcome three new interns to the Endace team.


New Endace Interns Puzzle Over Designing a Self-Propelled Vehicle from Found Objects

Interns are paired with a mentor and on day one have a team-building exercise (with a little friendly competition). Using only what they can find in the office and their wits and ingenuity, they need to build a race-worthy vehicle that can propel itself across the lunchroom of our Hamilton R&D center.

Endace’s Engineering Managers will judge the event for creativity, innovation and artistic merit. There are two rules: it can’t cause harm to people or property (so no mini tanks, sorry guys) and it can’t use fire in any form (such as for a propellant).

The interns and their mentors have been challenged by the Auckland team to a rematch at the end of their internship. So, let the games begin!

The Intern Programme

Throughout the next 12 weeks, our interns will be heavily involved with R&D projects that are designed to give them an edge in the technology industry and help shape the future of packet-capture and network monitoring technologies.

They will complete 1,500 hours of project-based R&D work, receive up to 100 dedicated mentoring hours and have the opportunity to prepare formal professional and career development plans.

They’re also given 64 hours of structured training which will give them an overview of running a technology business across different areas – including finance, supply chain, sales and quality control.

The culmination of the 12-week programme is a presentation and shared learning session between the interns and members of the senior leadership team, project managers and their mentors.

Endace is excited to welcome our new team of interns and looking forward to working with them on a number of projects. We are committed to ensuring their internship is a robust experience that supports their innovation, drive and talent development and that it is an experience that they’ll remember fondly. Endace is a committed member of the NZ Tech community.

We are proud of the Endace Internship Programme and see it as a great way to help computer science students and graduates build talent and experience and grow the industry. And it helps demonstrate why Endace is an employer of choice for IT and engineering graduates in New Zealand.

Endace Sponsors Royal Navy team at 2017 International Tattoo

Original Entry by : Steve Tsirtsonis
Birmingham Tattoo 2017
Endace sponsors Royal Navy team at the 2017 Tattoo in Birmingham

Endace was the proud sponsor of the Royal Navy at the Birmingham International Tattoo 2017.

For those not familiar with the pomp and ceremony of such events, the tattoo is an elaborate celebration of the military. It includes music, advanced drill, dance and, most importantly, a Field Gun competition.


Team huddle: the Royal Navy team prepares before the field gun competition

Endace was a previous sponsor of MOD Corsham’s Tri-Service Field Gun Crew, which won the Plate 1 Final at the Royal Navy Royal Marines Charity Field Gun Competition at HMS Collingwood. So when we were invited to be the sole sponsor of the Royal Navy at the 2017 International Tattoo in Birmingham we were thrilled to accept the opportunity to support this highly enjoyable event.


The team from the Royal Navy performed admirably over the two days. Well done to everyone in what was an extremely tough competition!

Take a look at the video below to see the team in action:

Black Hat Europe 2017: Where the Best Minds in Cybersecurity Meet

Original Entry by : Leah Jones

Christmas and New Year may be approaching fast, but the ever-changing and unpredictable world of Information Security continues at full speed.

From the 4th-7th of December, we’ll be exhibiting at Black Hat Europe at the ExCel, London.

Attended by cybersecurity professionals and enthusiasts from around the world, Black Hat Europe 2017 will bring the best and brightest in the industry together to share information on the latest research, developments and trends.

We’ll be at our stand (booth 201) throughout the event to answer questions and to share thoughts and ideas with attendees, particularly on the major breaches of recent years and the impending GDPR legislation. With the May 2018 deadline not far away, organizations need to be aware of how to respond to potential data breaches quickly or face hefty fines if they are inadequately prepared.

Some of the major breaches that we’ll be discussing include:

  • Equifax, a victim of one of the largest hacks in recent memory. The company took two months to admit that the breach had taken place. Post-GDPR, Equifax would need to reduce their identification and reporting time from two months to just 72 hours.
  • Deloitte, where a cyberattack on the company’s Azure-hosted email server’s administration account resulted in confidential documents and emails being stolen. To prepare for GDPR, cloud providers need to prioritize network visibility, something that current cloud software structures often hinder.
  • TalkTalk, which announced in 2015 that a breach had taken place, erred on the side of caution by “over-reporting”, later discovering the breach was not as bad as first thought. Under GDPR, more companies may be inclined to over-report, given potential fines of up to 4% of their global revenue for under-reporting. In a post-GDPR world, precision in post-breach analysis and forensics is essential.

We’ll be demonstrating how our EndaceProbe Network Recorders can be integrated with security tools from partners like Cisco, Splunk, Plixer and Palo Alto Networks to accelerate the investigation of security alerts and help companies to identify and respond to intrusions before they can escalate into a major breach.

We’ll also be talking to attendees about why recording their network traffic provides the only truly reliable evidence for conclusively determining the cause and scope of security intrusions and breaches.

Attending Black Hat London 2017 and want to learn more about Endace? Visit our exhibition at booth 201 and meet our team. If you’re unable to attend Black Hat, visit our website to learn more about Endace and our EndaceProbe Network Recorders, or follow us on Twitter or LinkedIn.

Sharkfest Europe 2017: A week at Wireshark

Original Entry by : Mark Evans

It was an interesting week at SharkFest Europe 2017 this month. The annual SharkFest conference ran from 7th-10th November at the rather comfortable Palacio Estoril in Estoril, Portugal. Endace was there and our CTO, Dr. Stephen Donnelly, presented a session on packet capture meta-data.

This was the second Wireshark Europe event and was very well attended, attracting attendees from more than 30 countries. Congratulations to Janice and the team for an excellent event – and we look forward to hearing more about the inaugural Wireshark Asia in due course.

Stephen’s presentation, ‘Augmenting Packet Capture with Contextual Meta-Data: the What, Why & How’, was well received by the audience.

For those who couldn’t make SharkFest, here is a video of the presentation (if you’d like a copy of the full presentation please let us know)

Stephen outlined the importance of retaining context for packet capture files by pointing out that the oft-used line “Packets Don’t Lie” isn’t true if:

  • You don’t know where they came from
  • You don’t know if there was packet loss
  • You don’t know if they’ve been filtered
  • You don’t know if the time stamps are right

This becomes even more important in environments where packet capture is happening in multiple places across a distributed network. Understanding where the packets came from, and what the state of the environment was like at the time, is crucial if you are to draw solid conclusions from examining the packet trace file.

The role of metadata, Stephen argues, is to provide this context. He went on to talk about some of the different types of packet capture metadata and what it can be useful for, outlining three main categories of metadata:

  • Static metadata: data about things that do not change over time, such as the host name of the system that captured the packets, the speed of the link and so on.
  • Dynamic metadata: data about environmental conditions that change over time – such as optical power levels or timing accuracy.
  • Post-capture metadata: data such as user comments, flow information, statistics and annotations from analytics applications that process the captured packet data.

Stephen took a deep dive into three common formats for packet trace files – pcap, pcapng (now the default format in Wireshark) and Provenance™, the approach to writing metadata used in Endace’s Extensible Record Format (ERF) (which is also compatible with Wireshark). The presentation looked at what each offers in terms of recording packet capture metadata and how they go about associating it with packet trace files.

Provenance uses a different approach to writing metadata into packet capture files from either pcap or pcapng. Provenance is designed to be able to record dynamic data that may change during the course of a packet capture. It works by writing a Provenance record into the ERF capture file once every second, as the diagram below shows.

Provenance metadata records written into an ERF format packet capture stream

One of the use cases for this is recording the accuracy of time stamping information over the course of a packet capture of high-frequency trade data. Under new MiFID 2 regulations which come into force in 2018, traders must record every trade and be able to demonstrate that the recorded trade data is timestamped accurately to a time-source that is synchronized to UTC with a maximum divergence of less than 100 microseconds. Provenance provides an easy way for them to record compliance with this regulatory obligation.
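To make the three metadata categories and the once-per-second record concrete, here is an added Python example. It is not Endace code and does not reproduce the real ERF or Provenance™ byte layout: it models a capture stream as a list of records into which a provenance record (static host, link speed and filter; dynamic clock error and drop counter) is inserted once per second, then audits the stream against the four “packets don’t lie” conditions from the talk and the 100 microsecond MiFID II bound. The probe name, link speed, counters and packet timestamps are constructed sample values, not data from any real capture.

```python
"""Toy model of per-second capture metadata records (added example, not Endace code).

A capture stream is a list of Packet and Provenance records. Provenance carries
the static facts (which host captured, link speed, capture filter) and the
dynamic ones (clock sync state, estimated clock error, cumulative drops) that
an analyst needs before trusting what the packets appear to say.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

MAX_DIVERGENCE_US = 100  # MiFID II figure quoted in the post: < 100 us from UTC


@dataclass(frozen=True)
class Provenance:
    ts_us: int                  # when the record was written (capture clock, microseconds)
    host: str                   # static: capturing host
    link_speed_mbps: int        # static: link speed
    filter_expr: Optional[str]  # static: capture filter in effect (None = unfiltered)
    clock_synced: bool          # dynamic: is the capture clock locked to a UTC source?
    clock_error_us: int         # dynamic: estimated divergence from UTC
    drops_total: int            # dynamic: cumulative packets dropped by the capture card


@dataclass(frozen=True)
class Packet:
    ts_us: int
    data: bytes


Record = Union[Provenance, Packet]


def write_stream(packets: List[Packet], sample: Callable[[int], Provenance],
                 interval_us: int = 1_000_000) -> List[Record]:
    """Interleave packets with one provenance record per interval (one second by
    default), as in the post's diagram. sample(ts) returns the capture system's
    state at time ts. Quiet seconds with no packets still get a record."""
    stream: List[Record] = []
    next_due: Optional[int] = None
    for pkt in sorted(packets, key=lambda p: p.ts_us):
        if next_due is None:
            next_due = pkt.ts_us - (pkt.ts_us % interval_us)  # align to the interval boundary
        while pkt.ts_us >= next_due:
            stream.append(sample(next_due))
            next_due += interval_us
        stream.append(pkt)
    return stream


@dataclass(frozen=True)
class Finding:
    ts_us: int
    reason: str


def audit_stream(stream: List[Record],
                 max_divergence_us: int = MAX_DIVERGENCE_US) -> Dict[str, object]:
    """Attach the most recent provenance record to each packet and flag the
    conditions under which "packets don't lie" stops holding: unknown origin,
    packet loss, filtering, or a clock outside the allowed divergence."""
    findings: List[Finding] = []
    hosts = set()
    current: Optional[Provenance] = None
    n_packets = tainted = worst_error = 0
    for rec in stream:
        if isinstance(rec, Provenance):
            hosts.add(rec.host)
            worst_error = max(worst_error, rec.clock_error_us)
            if current is not None and rec.drops_total > current.drops_total:
                findings.append(Finding(rec.ts_us, f"{rec.drops_total - current.drops_total} "
                                        "packet(s) dropped by the capture card since the previous record"))
            if rec.filter_expr and (current is None or current.filter_expr != rec.filter_expr):
                findings.append(Finding(rec.ts_us, f"capture is filtered: {rec.filter_expr!r}"))
            if not rec.clock_synced or rec.clock_error_us >= max_divergence_us:
                findings.append(Finding(rec.ts_us, f"clock not trustworthy: synced={rec.clock_synced}, "
                                        f"error={rec.clock_error_us} us"))
            current = rec
            continue
        n_packets += 1
        if current is None:  # packet with no context at all
            findings.append(Finding(rec.ts_us, "packet precedes any provenance record: origin and clock unknown"))
            tainted += 1
        elif not current.clock_synced or current.clock_error_us >= max_divergence_us:
            tainted += 1  # timestamp cannot be used as compliance evidence
    return {"packets": n_packets, "tainted_packets": tainted, "hosts": sorted(hosts),
            "worst_clock_error_us": worst_error,
            "dropped_total": current.drops_total if current else 0, "findings": findings}


def _demo_sample(ts_us: int) -> Provenance:
    """Constructed probe state over three seconds: clock fine in seconds 0-1,
    7 drops appear in second 1, clock drifts to 150 us in second 2."""
    sec = ts_us // 1_000_000
    return Provenance(ts_us=ts_us, host="probe-lon-01", link_speed_mbps=10_000, filter_expr=None,
                      clock_synced=True, clock_error_us=150 if sec >= 2 else 40,
                      drops_total=7 if sec >= 1 else 0)


# Constructed packets (payload content is irrelevant to the audit).
DEMO_PACKETS = [Packet(ts, b"\x00" * 60) for ts in (100_000, 400_000, 1_250_000, 2_050_000, 2_900_000)]

if __name__ == "__main__":
    report = audit_stream(write_stream(DEMO_PACKETS, _demo_sample))
    for f in report["findings"]:
        print(f"t={f.ts_us:>9} us  {f.reason}")
    print(f"{report['tainted_packets']} of {report['packets']} packets lack trustworthy timestamps")
```

Running the demo yields two findings (the drop counter jumping by 7 at the one-second mark and the clock error reaching 150 us at the two-second mark) and reports that the two packets captured after the second finding cannot be used as timestamp evidence; because each record is a snapshot of the capture system at that second, the same walk works across records from several probes, which is the multi-point case the talk emphasises.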

If you have an interesting use case for packet capture metadata (particularly post-capture metadata use cases), we’d love to hear more. Let us know. We see this as a fascinating area for further development.

SharkFest was an excellent opportunity for the Endace team to meet like-minded members of the Wireshark global community, including Wireshark’s original creator, Gerald Combs, and the Wireshark core developers, and to share knowledge of the best practices in packet analysis.

We’re looking forward to seeing how SharkFest continues to grow in scale and influence, with three SharkFest events taking place in 2018, including the first-ever SharkFest Asia in Singapore.

The Cybersecurity Threat at Russia World Cup 2018

Original Entry by : James Barrett

For all nations attending the Russia World Cup, the risk of hooliganism isn’t the only issue that they face. The World Cup is a hacker’s gold mine, with recent news reporting that the FA is to beef up cybersecurity if England qualifies for Russia World Cup 2018. Given the profile and asset class of the people and teams there—including the USA, France and Spain—who have been burnt by previous cyber-attacks, it will be vital for attending nations to secure their networks.

Whereas other World Cup events have caused concern about the physical safety of players, staff, and spectators, Russia’s World Cup has raised considerable concern about online threats. The football industry is facing huge challenges in defending networks in the build-up to such a global event, and organizations need to have a complete programme of preparedness in the event of a breach.

Preparing for the worst

Events like the World Cup entice criminals, including online hackers and cybercriminals. When it comes to the Russian World Cup, football associations are worried about a specific hacker group, Fancy Bears (which has targeted the FA and Olympics in the past), but the risk is not limited to a single group of cybercriminals.

Football federations around the world have already begun planning for the World Cup, and this year preparing to protect against cybersecurity risks is an essential part of the overall planning process. Some plans have already been put in place, including installing anti-hacking software on the phones of players, and ensuring staff and players use the FA Wi-Fi. The US government has banned the use of Kaspersky—a Russian cyber-security software—and it may not be long before other countries or officials follow suit.

Risky behaviour

So, what could cybercriminals take if they successfully hacked into data at the event? Valuable personal data will be accessible, with players’ personal details, medical records, and performance data, among others, stored online. If these assets are stolen, important information will be at risk of being shared or sold.

However, it isn’t just the players’ confidential data at risk. Spectators and staff are also being advised not to use open Wi-Fi while in Russia, as these networks could put their personal data in jeopardy. The team hotels are now known—although those details are not yet public—so cybercriminals can already begin to plan and set up cyber traps.

With some guidelines and advice already in place for both players and spectators, federations need to educate themselves on how to safeguard their data, including early warning signs of what to look out for, and how to minimise the impact of an attack if one is detected. Football federations must learn from past scandals, including WADA and IAAF, and introduce technology and skills to reach faster and more certain conclusions when investigating potential threats or incidents.

The Equifax Breach: Lessons for EU Organisations

Original Entry by : Stuart Wilson

Recently, the credit scoring company Equifax revealed it had been the victim of a dramatic breach, potentially putting the data of up to 143 million US customers at risk. As we watched the story unfold, things quickly turned from bad to worse. Days after the incident was announced, we learned of the Apache Struts vulnerability and a huge configuration error in Argentina, and late last week we discovered that up to 400,000 UK-based customers could be affected: key details behind this are yet to be made clear.

The Equifax breach was not the biggest incident of its kind in recent years – but it’s certainly one of the most dangerous. Millions of customers’ sensitive, personal data (including Social Security numbers) is now at the whim of fraudsters seeking to steal identities. Even more frighteningly, it took two months for the organisation to confess, meaning individuals were totally oblivious to being at risk.

With just over eight months to go until new European personal data regulations come into force, organisations can look to incidents, such as the Equifax breach, to learn some valuable lessons.

Compliance is key

With GDPR legislation in place from 25th May 2018, keepers of personal data will no longer have the luxury of taking months to craft a self-serving response to notify customers of a breach. In a GDPR world, companies will need to provide notification of an incident within 72 hours. Failing to do this, businesses risk being fined 4% of their global revenue – not to mention multiple, hefty fraud penalties often demanded by the FCA.

Additionally, Equifax should be a lesson in awareness for all organisations who have become data businesses. For several years, the limits of IT departments all over Europe have been tested due to dealing with an overload of regulations, in addition to the constant pressure to ensure networks are over achieving to meet increasingly high customer experience expectations.

Further complexity equates to further vulnerability. Compliance and performance are now at the top of operational agendas, but security is still significantly falling behind the increased performance mandate. As businesses begin to consolidate data centres, or move to the cloud in some instances, the complexity of their enterprise networks will grow.

It’s crucial that as networks increase in complexity, visibility improves to aid management and troubleshooting. For example, you wouldn’t shift to dense 10Gb Ethernet or higher network speeds in order to deal with elevated network demand without making sure you had visibility of the increased flow of information, would you?

The message for organisations is clear: increased complexity must be approached with increased security and transparency as to the daily, internal happenings of a network. This does not exclude third parties: cyber risk underwriters do not necessarily assign a lower score to companies that use outsourced providers and other third parties to manage infrastructure and take care of, for example,

Attitudes towards security can often be gauged from the way a company handles third parties and the quality of this relationship. However, it’s essential that the processes surrounding dealing with third parties are correctly defined and understood in the first place.

Prepare now, or pay later

GDPR demands that data handlers must implement “security by design and by default”. This means that systems must be designed from the outset to deliver the right levels of resilience and security. In this respect, there won’t be any room for maneuver.

The harsh reality is that it’s likely every business will experience a data breach at some point, if they haven’t already. So when the inevitable happens, in order to be compliant, organisations will need to know, understand and communicate the breach within the 72-hour ‘critical period’. For this to happen, they will need to have a transparent view of network activity in real time, with the ability to identify the cause of issues quickly and prevent them from escalating further.

10th Anniversary SharkFest in Pittsburgh a great success

Original Entry by : Mark Evans

Last week saw the 10th Annual SharkFest conference held in Pittsburgh at Carnegie Mellon University.

SharkFest is a conference for developers and users of the open-source Wireshark application, and draws a varied audience including people from NetOps, SecOps, Telcos, Government, industrial plant operators and manufacturers as well as vendors.

One of the real strengths of SharkFest is that it’s not too big. While large enough to attract Wireshark users and developers from around the world, SharkFest still remains intimate enough for the attendees to have plenty of opportunity to engage with Wireshark’s creator and lead developer, Gerald Combs, and core Wireshark developers and to have input into the future direction of Wireshark.

Amongst all attendees there was general recognition of the growing importance of packet history in providing ground truth for investigating security events and troubleshooting network problems. There was also recognition of the growing importance of continuous – as opposed to ad-hoc – packet capture in providing evidence for security investigations, and a number of presentations referenced the challenges of multi-point packet capture.

Endace CTO, Dr Stephen Donnelly, spoke about augmenting packet capture with contextual metadata – which becomes especially critical when implementing multi-point continuous packet capture solutions. Metadata allows packet history to be self-describing, so its context can be carried along with the data wherever that data may be consumed. Stephen’s SharkFest presentation is online and can be viewed below.

SharkFest is always a very interesting and valuable conference. It is a great opportunity to be part of helping to shape what has become an incredibly important tool for our industry.

Endace was very pleased to be a sponsor at SharkFest 2017, and we’re looking forward to SharkFest Europe later in the year too. Thanks to the SharkFest team (and the fantastic Janice Spampinato) for all your help. Great job!

London’s magnificent Olympia plays host to Infosecurity Europe 2017

Original Entry by : Mark Evans

More than 18,000 cybersecurity professionals from around the world gathered last week for Infosecurity Europe 2017 at London’s magnificent Olympia.

Infosecurity Europe is one of Europe’s pre-eminent shows. It’s always an exciting event, and this year was no exception.

This year’s theme was entitled “Cybersecurity at the Speed of Business” and there was an evident buzz in the air. The Endace team were kept busy on the stand for the entire three days with lots of visitors keen to talk about how to integrate network history with their security tools.

The conference featured keynote addresses from Dame Stella Rimington, the first female director of MI5, media personality and broadcaster Barry Paxman, and Lord Sebastian Coe, as well as presentations from more than 200 other speakers.

It was a great show, and we look forward over the next few weeks to catching up with everyone we met. It was great to catch up with the team from Plixer too. Infosecurity 2018 looks like it’ll be even bigger and better, and we’re already locking in a spot for next year.

Congratulations to the Hitech Awards Finalists for 2017

Original Entry by : Mark Evans

Well it’s official, the finalists for the 2017 New Zealand Hitech Awards have been announced. It was another record breaking year, with almost a third more entries than last year, and a great selection of both established and new companies amongst the finalists.

Attendees at the New Zealand Hitech Awards 2017 Finalist Announcement event in Auckland

Endace is proud to be a sponsor of the 2017 Hitech Awards, and we would like to congratulate all this year’s finalists and, in particular, the finalists in the Endace Innovative Hi-Tech Hardware Product category, a category obviously very dear to our heart!

NZ Hitech Awards Finalist event in Auckland
Attendees await the start of the announcements

So congratulations to Adherium, DARC Technologies, EROAD and Shotover Camera Systems. It’s a fantastic achievement to be a finalist amongst such strong competition. Well done for making the finals and we wish you the very best of luck.

How to protect against nation state attackers

Original Entry by : Mark Evans

“One of my worst nightmares [as an attacker] is that out-of-band network tap that really is capturing all the data, understanding anomalous behaviour going on. And someone’s paying attention to it.”
Rob Joyce, NSA: “Disrupting Nation State Attackers, Jan 2016” (22:10)

It’s great to see the efficacy of packet capture and network recording acknowledged by such an eminent cybersecurity Tsar as Rob Joyce.

If you haven’t already seen his video presentation on Disrupting Nation State Attackers, it’s well worth a watch. Before being shoulder-tapped to take up his new role as a cybersecurity advisor to Trump’s National Security Council, Joyce headed up the Tailored Access Operations division of the NSA.

The NSA’s TAO division is responsible for “providing tools and expertise in computer network exploitation to deliver foreign intelligence.” In other words, it is responsible for finding, and taking advantage of, the very network vulnerabilities that we’re all trying to protect against.

In his presentation at the Usenix Enigma conference last year, Joyce outlined key steps organizations can take to protect themselves against the sort of sophisticated techniques employed by Nation State attackers and criminal elements looking to attack your network.

Much of his advice is practical common sense. Know everything on your network, understand it, and update and patch everything. We all know this is critical, but all too often it doesn’t happen. Take patching for example. Joyce says that, in his experience, many organizations undertake security audits to identify known vulnerabilities, but frequently have still not fixed those vulnerabilities by the time the next audit rolls around months later.

Joyce also explodes a common myth – that sophisticated intruders rely on zero day threats. In fact, he says, zero day threats are far from being the biggest danger to corporate networks. For any large network, he says:

Persistence and focus will get you in and achieve that exploitation without the zero days. There’s so many vectors that are easier, less risky and quite often more productive.

The cause of most intrusions, says Joyce, comes down to one of three things (the “Big Three”):

  • Email: “a user clicked on something they shouldn’t have”
  • Malicious websites: “they’ve gotten to a malicious website … and it’s either executed or they’ve run content from that website.”
  • Removable media: “where a user inserted contaminated media”. [As an aside, someone once told me the easiest way to get malware into an organization is to load it on a USB stick labelled “Payroll”, drop it in the carpark and leave the rest to curiosity!]

Joyce outlines the importance of making sure that sources of information about activity on the network – such as log files or network packet captures – are actually being monitored. “You’d be amazed at incident response teams that go in and there’s been some tremendous breach … Yep, there it is right there in the logs.”

But perhaps the best piece of strategic advice he offers is this:

“Consider that you’re already penetrated. Do you have the means and methods to understand if somebody’s inside your network?”

That change in focus is important. Statistics show intrusions are becoming increasingly commonplace. Once organizations move from “we need to make sure we’re not penetrated” to “maybe we already are penetrated” they start to understand what tools, skills and processes they need to put in place to identify intrusions and stop an initial penetration from going on to become a more serious data breach. Or, if they have already been breached, what do they need to make sure they can identify how it happened and what was compromised?

Joyce’s presentation is a salient reminder that ensuring the basics of network security hygiene is critical. And that the battle to defend against attackers is an ongoing one. As fast as you tighten up your security, new vulnerabilities emerge that put you at risk.

Take a look at the video. You’ll find it’s 30 minutes of your time very well spent!

Cybersecurity Resources

Some of the useful resources that Joyce discusses and recommends are listed below.

NOTE: The two links to the IAD site above require installing the DoD Root CA Certificates to avoid getting an “untrusted website” notification. More information here.