Why everyone should care about FIPS 140, NIAP NDcPP, and DoDIN APL.

Original Entry by : Cary Wright

By Cary Wright, VP Product Management, Endace


Cary Wright, VP Product Management, Endace

Weak security plagues far too many of the IT products we use today. The problem is, there is no unified mandate to compel vendors to invest in security hardening their products. Vendors are free to choose how heavily to invest in security. So it’s no surprise that many vendors don’t invest heavily enough in thoroughly security hardening their products.
 
However, in many industries – such as Government, defense or critical infrastructure – the potential impact of a security vulnerability in a product is just too serious for organizations to leave it to vendors to decide how to secure their products. For this reason, organizations in many of these industries mandate that vendors must submit their products to rigorous testing and certification processes to ensure the security of their products is iron clad.
 
At Endace we found out first-hand how difficult and rigorous these standards are to comply with. The effort took us the better part of a year and significant investment in software development, testing and validation, and certification. Armor plated security is a good way to describe what these standards require. Our recent OSm 7.2.1 release includes everything we had to do to comply with these standards.
 
The good news for customers – regardless of the industry you are in – is that this rigorous testing and validation process doesn’t just benefit Government, Defense and critical infrastructure organizations. Any organization that adopts products that have passed these certification processes can be confident those products have been independently evaluated to minimize the risk of security vulnerabilities and are fit-for-purpose for deployment in high-security environments.
 
By selecting a product with DoD level security compliance you reap the benefit of millions of dollars of investment in security testing and hardening that goes way beyond standard penetration tests and security scans. The testing process for each of these certifications involves delving deep into the product – comprehensive testing, source code reviews, and independent validation that the security controls of the product are robust and well designed.
 
 

What are these standards, and what do they test?

Complying with FIPS 140-3 is the fundamental first step in certification. FIPS mandates that products must use robust and secure encryption. This is not a bolt-on. Products must implement a validated cryptography module as a central software pillar to ensure all encrypted communications meet the NIST standard for strong cryptography, including HTTPS, SSL, and SSH.
 
Just including encrypted HDDs in a system – as some vendors do to claim compliance with FIPS – is not sufficient. Every communication to and from the system must be secured with FIPS validated cryptography before the system can be FIPS certified. Independent testing confirms that products comply with the FIPS standards.
 
NIAP NDcPP 2.2e, also known as Common Criteria, is an international standard agreed by 18 nations. It builds on FIPS to define security requirements that are expected to be implemented by all network devices. It goes extremely deep to validate a product has robust security. By deep, I mean months of extensive testing, inspection, and independent code reviews, conducted and signed off by government signatories who are usually security experts in defense departments.
 
DoDIN APL stands for the US Department of Defense Information Network Approved Products List. With FIPS and NIAP certification in hand and a US DoD sponsor, a vendor’s final step is undergo product testing by a US DoD lab against DoD cybersecurity requirements. Being listed on the APL is the last big stage of a long and intensive project but it’s not the end of the story. Ongoing maintenance and revalidation ensures that a product remains secure throughout its life.

OSm 7.2.1 is released and available for download.

I am very proud of the team at Endace for having delivered a huge release with OSm 7.2.1 . This release has focused on meeting all the requirements for these intensive – but extremely valuable – security standards. And I am glad to say that every Endace customer will benefit from this huge investment in product security hardening.

Combining Endace and Elastic delivers detailed visibility into real-time and historical network activity

Original Entry by : Cary Wright

By Cary Wright, VP Product Management, Endace


Cary Wright, VP Product Management, Endace

We’re pleased to announce our newest technical partnership with leading SIEM and observability platform provider, Elastic. By combining together EndaceProbe™ always-on Hybrid Cloud packet capture, Elastic™ Stack and Elastic™ Security, we’re providing the packet-level network visibility and detailed network metadata that Security and IT teams need when responding to security threats and network or application performance issues.

How Do We Work Together?

By combining Endace and Elastic Stack, organizations gain accurate, highly detailed visibility into both real-time and historical network activity. Security and IT analysts can search network metadata in Elastic, and quickly pivot to full packet data for forensic investigations when they need to. The result is faster, more accurate incident investigation and resolution. The combination of Elastic Stack and EndaceProbe gives cybersecurity and IT teams the ability to see exactly what’s happening on their network in real-time. EndaceProbes can record weeks or months of full packet capture across hybrid cloud networks to provide a complete and accurate record of all network activity. The detailed full packet capture data recorded by EndaceProbes is a perfect complement to the rich logs and metadata collected by Elastic Stack. When analysts need to go back-in-time to investigate any incident they have a complete record of that activity at their fingertips. Beyond this, the ability to pivot from anomalies or security alerts directly to forensic examination of packet-level data lets analysts see exactly what’s happening. They can quickly respond to incidents and dramatically mitigate threat risk to their organizations.

EndaceFlow and Elastic Stack

In addition, EndaceProbe appliances can host EndaceFlow™, which generates extremely high-fidelity NetFlow data at full line rate. This NetFlow data can be ingested by Elastic Stack to provide detailed metadata for monitoring the security and performance of the network and interrogating network activity. Pre-built integration between EndaceProbes and Elastic Stack enables streamlined investigation workflows. Analysts can click on alerts in the Elastic UI to go directly to the related full packet data recorded by EndaceProbe. Analysts can quickly view traffic right down to individual packet level to see precisely what occurred before, during and after any event, with absolute certainty.

For more information about our Fusion Partner integrations, please visit www.endace.com/fusion-partners.

To see a demonstration of this Elastic Security integration in action please visit the Elastic partner page at https://www.endace.com/elastic-security.


Introducing EndaceProbe Cloud

Original Entry by : Cary Wright

Scalable Packet Capture for Hybrid Cloud

By Cary Wright, VP Product Management, Endace


Cary Wright, VP Product Management, Endace

The rapid growth of cloud vulnerabilities, hijacked cloud credentials, APTs targeting cloud, and lack of network layer visibility in cloud has made one thing clear: recorded network packet data is just as essential in the cloud as it is in physical networks. 

Enterprises know the value of our packet capture solutions, and they have told us they need the power of packets in the cloud as well. In many cases, they have moved – or plan to move – workloads to the cloud but have been hampered by an inability to gain the same visibility into activity in their public cloud infrastructure as they are used to relying on in on-premise environments.

Leveraging our 20-plus years of experience in delivering accurate, reliable packet capture for some of the world’s largest organizations, Endace developed EndaceProbe Cloud as the first truly scalable, enterprise-class solution for providing always-on packet capture in public cloud environments.

Unlike many solutions on the market, we’ve done it in a way that scales easily and delivers truly unified visibility that lets security, network and IT teams analyze packet data from across hybrid cloud and multi-cloud environments quickly and easily from a central console. 

EndaceProbe Cloud delivers packet-level visibility for public cloud that is critical for threat hunting, incident response and performance management in those environments. It operates seamlessly with EndaceProbe hardware appliances to deliver always-on packet capture across on-premise, private and public cloud infrastructure, to provide unified visibility across the entire network.

See it in Action

The demo below shows how easy it is to quickly search for packet data across a multi-cloud – AWS and Azure – environment, recreate files from packet data and drill-in to analyze the full packets. All from a single console.

EndaceProbe Cloud is a full-featured EndaceProbe, purpose-built for deployment in AWS and Microsoft Azure environments that provides the following benefits to customers in cloud and hybrid cloud environments:  

    • Continuous, zero-loss, packet capture in public and hybrid cloud environments that provides weeks or months of visibility 
    • A unified console for fast global search and analysis across on-premise, private and public cloud environments.  
    • Full visibility into North-South and East-West traffic 
    • Secure packet storage within the customers’ own virtual network or virtual private cloud (VPC). 
    • Powerful traffic analysis and investigation tools including file extraction, log generation, and hosted Wireshark™ 
    • Seamless workflow integration with an open API and strong ecosystem of third-party network and security tools (https://www.endace.com/fusion-partners) 
    • Subscription-based pricing that offers flexibility and scalability  

EndaceProbe Cloud complements Endace’s hardware appliances to provide unified and seamless visibility across the entire network.

 

 

Black Hat Europe 2017: Where the Best Minds in Cybersecurity Meet

Original Entry by : Leah Jones

Christmas and New Year may be approaching fast, but the ever-changing and unpredictable world of Information Security continues at full speed.

From the 4th-7th of December, we’ll be exhibiting at Black Hat Europe at the ExCel, London.

Attended by cybersecurity professionals and enthusiasts from around the world, Black Hat Europe 2017 will bring the best and brightest in the industry together to share information on the latest research, developments and trends.

We’ll be at our at stand (booth 201) throughout the event to answer questions and to share thoughts and ideas with attendees, particularly on the major breaches of recent years and the impending GDPR legislation. With the May 2018 deadline not far away, organizations need to be aware of how to respond to potential data breaches quickly or face hefty fines if they are inadequately prepared.

Some of the major breaches that we’ll be discussing include:

  • Equifax, a victim of one of the largest hacks in recent memory. The company took two months to admit that the breach had taken place. Post-GDPR, Equifax would need to reduce their identification and reporting time from two months to just 72 hours.
  • Deloitte, where a cyberattack on the company’s Azure-hosted email server’s administration account resulted in confidential documents and emails being stolen. To prepare for GDPR, cloud providers need to prioritize network visibility, something that current cloud software structures often hinder.
  • TalkTalk, which announced in 2015 that a breach had taken place, erred on the side of caution by “over-reporting”, later discovering the breach was not as bad as first thought. Under GDPR, more companies may be inclined to over-report, given potential fines of up to 4% of their global revenue for under-reporting. In a post-GDPR world, precision in post-breach analysis and forensics is essential.

We’ll be demonstrating how our EndaceProbe Network Recorders can be integrated with security tools from partners like Cisco, Splunk, Plixer and Palo Alto Networks to accelerate the investigation of security alerts and help companies to identify and respond to intrusions before they can escalate into a major breach.

We’ll also be talking to attendees about why recording their network traffic provides the only truly reliable evidence for conclusively determining the cause and scope of security intrusions and breaches.

Attending Black Hat London 2017 and want to learn more about Endace? Visit our exhibition at booth 201 and meet our team. If you’re unable to attend Black Hat, visit our website to learn more about Endace and our EndaceProbe Network Recorders . Or follow us on Twitter or LinkedIn


NEW: EndaceProbe 114 Branch Office Network Recorders

Original Entry by : Endace

Launching at Black Hat this week, the EndaceProbe 114 is purpose-built for deployment in remote locations or branch offices. It offers the same 100% accurate recording, centralized management data mining and retrieval and application hosting as the rest of the EndaceProbe family but comes in a compact, short-depth format that makes it ideal for deployment in branch offices.

The EndaceProbe 114 allows organizations to cost-effectively extend their network visibility right out to the network edge and eradicate the blind spots that can make branch office locations an attractive target for attackers.


EndaceProbe 9000-XS: Industry-leading storage density provides extended back-in-time network history for forensic analysis

Original Entry by : Endace

With up to 192TB of storage per appliance, the new EndaceProbe™ 9000-XS series network recorders provide a highly scalable network recording solution, offering Petabytes of clustered and/or distributed storage capable of storing weeks, or months, of network history.

The massive storage of the 9000-XS EndaceProbes makes them an ideal choice as always-on recorders capturing a detailed history of network activity for forensic analysis of data breaches and speeding up the investigation and resolution of network security or performance issues.

See our press release about the new XS series and check out the complete range of EndaceProbe 100% accurate, high-speed network recorders.

Or download the EndaceProbe 9000 series datasheet.


Finding session-related problems using EndaceVision

Original Entry by : Endace

Network monitoring tends to focus heavily on bandwidth, addressing the question, “Do I have the capacity to carry the traffic that my business requires?” Capacity, however, must include session count and lifecycle, which are often overlooked until they become a problem. That’s why EndaceVisionTM 6.0 Network Visibility Software has added two new tools to deal with sessions: TCP Flags view and client/server breakdown.

Continue reading “Finding session-related problems using EndaceVision”


Improving network monitoring performance with the next generation EndaceProbes

Original Entry by : Erez Birenzwig

When the current EndaceProbe® Network Recorder product range was introduced more than five years ago, most enterprise networks were only starting to think about upgrading to 10Gb Ethernet (10GbE) speeds.  Since then, most IT departments use 10GbE in their core, 1GbE to the desktop and laptop has become standard, and many are organizations are looking to move up to 25GbE, 40GbE or higher speeds.  At the time, EndaceProbes were the highest performing and most reliable network packet capture device available, helping our customers migrate their monitoring from 1GbE to 10GbE.  In the same way that we enabled that migration, we are now introducing the next generation of network recording products as enterprises incorporate higher network speeds.

Continue reading “Improving network monitoring performance with the next generation EndaceProbes”