Secure Networks: Endace Packet Forensics Files

Michael Morris

"Secure Networks: Endace Packet Forensics Files" features interviews with leading cybersecurity and networking experts from companies such as Cisco, Darktrace, Palo Alto Networks, and others. It focuses on the issues that Security, Network Operations and DevOps teams face in securing and managing their networks and applications and provides insights into best practices and future developments.

read less
TechnologyTechnology
BusinessBusiness
NewsNews
Tech NewsTech News

Episodes

Episode 57: Ryan Chapman - SANS Author and Instructor | Veteran DFIR Expert
26-08-2024
Episode 57: Ryan Chapman - SANS Author and Instructor | Veteran DFIR Expert
Ransomware has shifted from simple, isolated attacks to coordinated, human-operated campaigns that target entire organizations.  In this episode of the Endace Packet Forensics Files, Michael Morris talks with Ryan Chapman, SANS Instructor and expert in Digital Forensic and Incident Response (DFIR) about these evolving threats.  Ryan explains how attackers are becoming more methodical and sophisticated, focusing on disabling EDR/XDR solutions to evade detection and leaving organizations vulnerable to advanced attacks.  One of the key challenges Ryan highlights is visibility. Without robust logging, packet capture, and monitoring tools, it’s nearly impossible to understand how an attack happened fully. Even encrypted traffic can reveal critical patterns if analyzed properly.   Ryan shares examples of organizations that suffered reinfections because they rushed to restore systems without identifying the original entry point. Packet capture data plays a vital role in pinpointing when and how attackers infiltrated, ensuring a safe recovery and minimizing disruption.  As ransomware tactics evolve, adopting a Zero-Trust approach is essential. Ryan discusses how limiting permissions and avoiding overly trusting software configurations can help prevent breaches. He cites the Kaseya attack, where some organizations avoided compromise by not blindly whitelisting trusted directories. As attackers increasingly use legitimate tools, verifying all network activity and following least privilege principles are critical defenses.   Don’t miss this insightful episode, where Ryan provides actionable advice for preparing your organization against today’s ransomware threats.
Episode 51: Eric Buchaus, Director of Sales at Niagara Networks
11-12-2023
Episode 51: Eric Buchaus, Director of Sales at Niagara Networks
Are SPAN ports sufficient to provide network traffic visibility for high-quality security (NDR) and network (NPM) investigations? What about cloud workloads?  What do you need to gain insights into cloud network activity?In this episode of the Endace Packet Forensic Files, I talk with Eric Buchaus, Director of Sales at Niagara Networks. Eric outlines potential pitfalls and challenges associated with SPAN ports and highlights situations where they may fall short for network and security analysts.Eric walks us through some alternative options, discussing the merits of network TAPS, network packet brokers, and in-line bypass solutions which can offer NoC / SoC teams more reliable, efficient, and scalable ways to get network packet data to the right tools in large-scale and complex environments.  He discusses some of the specific challenges of network visibility in cloud infrastructures and suggests some practical ways to overcome these obstacles.Eric suggests things organizations should consider when exploring different packet brokers or TAP vendors and outlines the management and scrutiny that needs to be applied to encrypted traffic to achieve in-depth visibility securely.Finally, Eric talks about how TAPs and packet brokers can help in dynamic SDN environments with high traffic volumes. He emphasizes why they are important for organizations looking to implement zero-trust infrastructures - particularly environments with many walled gardens and lots of VLANs for IOT/IOTM devices and technologies.
Episode 48: Endace Security Manager, Al Edgar
06-09-2023
Episode 48: Endace Security Manager, Al Edgar
In this Episode of Packet Forensics Files, Michael Morris asks Al Edgar, former Information Security Manager for Health Alliance - and now IT Security Manager at Endace - about some of the important areas a security leader needs to focus on and what new challenges they are facing.Firstly,  Al says, it’s important to take an holistic approach to cybersecurity, by looking at the three critical components for robust security: people, processes, and technology. He stresses the importance of Incident Response planning and why it’s so critical to define clear objectives, roles, and responsibilities as part of the plan.In order to stay ahead of emerging threats, Al says keeping up-to-date with cybersecurity trends is crucial. He recommends subscribing to cyber blogs, leveraging threat intelligence feeds, and mapping threat intelligence against your organizational infrastructure. He also highlights the importance of having a plan for managing third-party vendor risk.Al provides some valuable recommendations on where to start to ensure a more robust security posture, including maintaining a centralized inventory, conducting thorough risk assessments, cataloging and categorizing risks, and incorporating appropriate security clauses into contracts with suppliers and partners.Cybersecurity awareness training is another critical area, Al says. His view is that it's the responsibility of every individual in an organization to prioritize cybersecurity but he highlights the importance of support and training to enable them do this effectively. Lastly, Al talks about future cybersecurity threats, and calls out the potential risks associated with the weaponization of AI technology. He highlights the need for caution when sharing information with AI systems, reminding us to be mindful of potential privacy breaches and the risk that sensitive IP or data disclosed to AI tools may be misused or insufficiently protected.
Episode 47: Network forensics and incident response specialist, Jasper Bongertz
08-08-2023
Episode 47: Network forensics and incident response specialist, Jasper Bongertz
What are some of the challenges of responding to a serious incident – such as a ransomware attack or advanced persistent attack? Where do you start, and what are the critical things you need to do?In this episode we are lucky to welcome Jasper Bongertz, Head of Digital Forensics and Incident Response at G DATA Advanced Analytics in Germany. Jasper has a wealth of experience from working in the front line of incident response at G DATA as well as in his previous role at Airbus. He also has a long background in network forensics – having been a Wireshark and network forensics instructor - and continues to be a very active member of the Wireshark community.Jasper starts by outlining some of the steps to mitigate “headless chicken mode” which is what he often sees when organization first uncovers a serious cybersecurity incident.The process starts with understanding exactly what has happened, and what the impact is so that a clear response plan and timeline for resolution can be established. This requires gathering the available evidence – including network packet data if it’s available. It’s important to be able to do this quickly – particularly in the case of ransomware attacks where the organization’s IT systems may be unavailable as a result of the attack. With ransomware, speed is crucial since the organization’s primary priority is typically to get back to an emergency operating state as quickly as possible. Jasper lists some of the tools that his team finds useful in rapidly gathering that critical evidence.Once the scope of the incident has been established, you need to have the specific expertise on hand to do the initial investigation to understand what happened and how it happened so you can identify the right response. Typically, Jasper says, that will involve having at least an incident response specialist, a forensic expert, and a malware reverse engineer, but depending on the scale of the event may involve many others too.Jasper outlines the most important steps organizations can take to protect themselves against ransomware attacks and ensure that in the event of a successful attack they can recover. The two most important of these are making sure domain administrator credentials are protected to prevent privilege escalation and ensuring backups are complete and protected from sabotage.Lastly, Jasper discusses the changing cyberthreat landscape. He outlines why he thinks data exfiltration and extortion will become more a common threat than ransomware and encryption, and why network data is critical to combat this growing risk.
Episode 46: Gerald Combs, Wireshark and Stephen Donnelly, Endace
14-06-2023
Episode 46: Gerald Combs, Wireshark and Stephen Donnelly, Endace
How did Wireshark come to be, and what’s made it so successful – not just as the pre-eminent tool for analyzing network packet data, but as an open-source project in general?In this episode Michael Morris talks to Wireshark founder, Gerald Combs, and Endace CTO, Stephen Donnelly, about the origins of Wireshark, and why packet capture data is so crucial for investigating and resolving network security threats and network or application performance issues.Gerald talks about the early days of Ethereal, a “packet sniffer” he originally created for his own use in his role at an ISP, but subsequently open-sourced as Wireshark. That fortuitous decision was key, Gerald says, to the subsequent ongoing growth and success of the Wireshark project – which will turn 25 years old in July! It enabled developers from around the world to contribute to the project, creating a Windows version in the process, and helping Wireshark to become the gold standard tool for network analysis, used by SecOps, NetOps and IT teams the world over.Stephen has been using Wireshark right from the earliest days – when it was still called Ethereal – and is one of the many contributors to the project.Stephen and Gerald both talk about why packet analysis is so important for cybersecurity and network performance analysis (the ubiquitous “Packets Don’t Lie” T-shirt – available from the Wireshark Foundation store – says it all really), and discuss examples of the many and varied problems that Wireshark is helping people to solve.Stephen outlines the differences between network flow data and packet capture data and why packet data is essential for solving some problems where flow data just doesn’t contain the level of detail required.Wireshark is continually evolving, with support for new protocols, and new UI enhancements that make it easier for analysts to slice-and-dice packet data. Gerald says that Wireshark is almost the perfect open-source project because it allows for a lot of parallel collaboration from contributors in creating new dissectors and ensuring that Wireshark continues to keep pace with the rapid pace of change in networking. Now that planning for Wireshark 5.x has started Gerald also looks ahead to some of the possible new features that might appear in future releases.And finally, Gerald talks about the new Wireshark Foundation (which Endace is a sponsor of) which has been setup to provide support for ongoing development of the Wireshark project and ensure it continues its resounding success into the future.Wireshark is coming up on its 25th birthday and still going from strength-to-strength. Don’t miss this fascinating interview with the leader of one of the most successful open-source projects around. Gerald and Stephen’s insightful commentary as well some fantastic tips-and-tricks make this a must-listen episode.
Episode 45: Dimitri McKay, Splunk
17-05-2023
Episode 45: Dimitri McKay, Splunk
Increasingly complex systems, expanding threat landscape, and explosion in the number of potential entry points all make managing security at scale a daunting prospect. So what can you do to implement effective security at scale and what are some of the pitfalls to avoid?In this episode Michael Morris talks with Dimitri McKay, Principal Security Strategist and CISO Advisor at Splunk, about where to start addressing the challenges of security at scale. He highlights the importance of robust risk assessment, developing clear security goals and ensuring leadership buy-in to the organization’s security strategy. And the importance of balancing the needs of users with the need to secure the enterprise.Dimitri discusses some of the pitfalls organizations often fall into, and what security leaders can do – and where they should start – to avoid making the same mistakes. He talks about the importance of thinking strategically not just tactically, of being proactive rather than just reactive, and of creating a roadmap for where the organization’s security needs to be in a year, two years, three years into the future.Dimitri also highlights the need to collect the right data to ensure the organization can accomplish the security goals it has set, to enable high-fidelity threat detection and provide the necessary context for effective, and efficient, threat response. Security teams started by collecting what they had he says – firewall logs, authentication logs etc. – but this isn’t necessarily sufficient to enable them to accomplish their objectives because it focuses more on IT risks, rather than on the critical business risks.Finally, Dimitri puts on his futurist hat to predict what security teams should be on the look out for. Not surprisingly, he predicts the rapid development of AI tools like ChatGPT and OpenAI have the potential to offer huge benefits to cyber defenders. But they will also enable cyber attackers to create increasingly sophisticated threats and circumvent defences. AI is both an opportunity and a threat.
Episode 44: David Monahan, Business Information Security Officer
12-04-2023
Episode 44: David Monahan, Business Information Security Officer
Cyberthreats are something all organizations are facing. But Pharmaceutical and Healthcare Providers have some unique challenges and vulnerabilities and come in for more than their fair share of attention from threat actors. What can your SOC team learn from some of the best practices these organizations are implementing? Are you architecting your environment to separate IOT devices from other critical assets and are you managing them with the same level of scrutiny?In this episode I talk with David Monahan, a 30-year expert in cybersecurity and network management and former researcher at Enterprise Management Associates. David draws on his research background as well as his current experience working as the Business Information Security Officer at a large global pharmaceutical company.He talks about some of the similarities and differences the Healthcare and Pharmaceutical industries have with other industries. He shares his insights into why the Healthcare and Pharmaceutical industries are so strongly targeted by threat actors and things consumers or patients can do to help protect themselves and their information.David also discusses some of the unique challenges Healthcare organizations have around IOT devices and suggests ways to help manage these risks.  He shares some best practices your security organization can be leveraging and points out tools and solutions that are critical for any security stack.Finally, David talks about what training and skills are important to ensure your SOC analysts are as prepared as possible to defend against cyberthreats.
Episode 43: Jim Mandelbaum, Gigamon
15-03-2023
Episode 43: Jim Mandelbaum, Gigamon
In this episode of the Endace Packet Forensic files, Michael Morris talks to Jim Mandelbaum, Field CTO at Gigamon, about what “security at scale” means. Jim draws on more than a decade of experience as a CTO in the security industry, and shares best-practise tips to ensure that as your infrastructure evolves, your security posture keeps pace.Jim highlights the importance of leveraging automation to help deal with the increasingly complex network environment. Key to this is having visibility into exactly what’s happening on your network – including on-prem, cloud and hybrid-cloud environments – so you can make informed decisions about what traffic needs to be monitored and recorded. And what tasks can be automated to ensure threat visibility. It's also critical to break down team silos, Jim says. Otherwise, responsibility has a tendency to fall through the cracks. Teams need to collaborate closely and include the security team on IT strategy planning - and particularly cloud migration projects. That makes it easier to determine who is responsible for what parts of security from the get-go. When teams have the opportunity to discuss the challenges they face they can often leverage solutions that have been successfully implemented elsewhere in the organization – saving time, resources and budget as a result.Lastly, Jim highlights the importance of talking with your vendors about their future product strategies to ensure they align with your organization’s plans. Otherwise, there’s a risk of divergence which could prove very costly down the track.
Episode 42: RoseAnn Guttierrez, IBM
08-02-2023
Episode 42: RoseAnn Guttierrez, IBM
In this episode of the Endace Packet Forensic files, Michael Morris talks with RoseAnn Guttierrez, Technical Enablement Specialist BM at IBM Security and a former SOC analyst.Rose shares her experience of what a day in the life of a SOC engineer is really like. She discusses the best practices she and her team put in place to manage the day-to-day challenges and improve their security posture. She also highlights some of the tools that were most valued in their daily operations and the critical importance of interoperability and integrated workflows to ensure efficiency and simplicity for SOC teams.Rose's combination of SOC experience and deep knowledge of the security landscape has given her unique insight into the importance of having an interoperable ecosystem of tools and vendors that enables SOC teams to build resiliency and efficiency into their DNA.You can catch previous episodes in the Secure Networks Series here: https://blog.endace.com/category/pack...Or hit Subscribe to be notified when we post new episodes.ABOUT ENDACE *****************Endace (https://www.endace.com) is a world leader in high-performance packet capture solutions for cybersecurity, network and application performance. Endace’s open EndaceProbe Analytics Platform (https://www.endace.com/endaceprobe) can host 3rd-party analytics solutions while simultaneously recording a 100% accurate history of network activity. EndaceProbes are deployed on some of the world's largest, fastest and most critical networks.
Episode 41: Andrew Stewart, Senior National Security and Government Strategist, Cisco
07-12-2022
Episode 41: Andrew Stewart, Senior National Security and Government Strategist, Cisco
In this episode of the Endace Packet Forensic files, Michael Morris talks with Andrew Stewart, Senior National Security and Government Strategist at Cisco.  Andrew, CAPT, USN (Ret.) is a Senior Federal Strategist at Cisco where he implements strategies to support innovative cybersecurity and AI/ML solutions across the Federal Government.  He also served as the Commanding Officer and Program Manager at the Navy Cyber Warfare Development Group (NCWDG).With Andrew’s experience in national security and government agencies, Michael asks him for his thoughts about all the new Whitehouse mandates, and cybersecurity policies from CISA such as the emphasis on Zero Trust and other important initiatives.  We discuss whether what organizations are doing is sufficient given the risks posed by nation-state threat actors.Andrew highlights some cybersecurity trends, including the ever-changing nature of threats as hybrid cloud operating environments continue to expand the threat spectrum and transform the way we work.  Visibility, he says, remains the key to mastering and controlling such a dynamic threat environment.ABOUT ENDACE*****************Endace (https://www.endace.com) is a world leader in high-performance packet capture solutions for cybersecurity, network and application performance.Endace’s open EndaceProbe Analytics Platform (https://www.endace.com/endaceprobe) can host 3rd-party analytics solutions while simultaneously recording a 100% accurate history of network activity. EndaceProbes are deployed on some of the world's largest, fastest and most critical networks.
Episode 40: Chris Greer, Packet Pioneer
02-11-2022
Episode 40: Chris Greer, Packet Pioneer
Threat hunting is a critical cybersecurity activity that is growing in importance and prevalence around the globe.  Are your SOC analysts developing the skills and toolsets they need to enable more efficient and effective threat hunting?  What are the inhibitors your teams face and do you have the right tools and processes in place?In this episode of the Endace Packet Forensic files, Michael Morris talks with Chris Greer of Packet Pioneer.Chris is an experienced protocol analyst and forensics expert. He is a renowned instructor for Wireshark University as well as the host of a popular YouTube channel where he shares insights into threat hunting and demonstrates the importance of understanding how to investigate and resolve issues using packet analysis. In this episode, In this episode, Chris talks about some of the problems or threats you can only see as part of your incident response investigation processes and workflows if you have access to full packet dataFinally, Chris highlights some of the gaps that organizations have in their security stacks that make it hard for them to confirm or deny false positives and how to resolve this visibility issue. He offers recommendations for training and suggests how to improve your organization’s threat-hunting capability.ABOUT ENDACE*****************Endace (https://www.endace.com) is a world leader in high-performance packet capture solutions for cybersecurity, network and application performance.Endace’s open EndaceProbe Analytics Platform (https://www.endace.com/endaceprobe) can host 3rd-party analytics solutions while simultaneously recording a 100% accurate history of network activity. EndaceProbes are deployed on some of the world's largest, fastest and most critical networks.