Michael Morris, Endace: “rapid changes to infrastructure resulted in attackers taking advantage of vulnerabilities”


Enterprises have always been cautious about cybercriminals, yet it is common to believe that a breach won't happen to you. No one is immune, however, and with the switch to remote work the attack surface has only grown.

There are a multitude of threats impacting the cyber world, from malware and data breaches to fraud and identity theft. Without the right precautions in place, the consequences can be detrimental for both users and businesses.

That is why implementing cybersecurity solutions is essential for everyone. Whether it's an antivirus bundled with a VPN or a packet capture solution, investing in security tools can save an entire organization.

We invited Michael Morris, the Director of Technology Alliances and Business Development of Endace – a company that specializes in high-speed packet capture – to discuss the current cybersecurity environment, its threats, and prevention methods.

Endace has been in the industry for over two decades. How has the company changed and evolved throughout time?

Two decades ago, Endace redefined network packet capture with technology born out of the University of Waikato in New Zealand. Our unique hardware set the benchmark for 100% accurate high-speed capture at any speed or packet size. It was quickly adopted by OEMs and system builders for monitoring and recording networks in government, military, and private enterprise environments.

As Endace grew, we realized there was a strong need for a fully turnkey network recording platform. Many organizations lacked the expertise and resources required to build and maintain their own recording solutions, and so the EndaceProbe was born. EndaceProbe built on our unique capture technology to deliver an open platform that records weeks or months of network traffic. Extreme reliability and exceptional support allowed customers to deploy EndaceProbes for many years of reliable operation.

Around 5 years ago, we launched our Fusion partner program to provide an ecosystem of turnkey integrations with the variety of tools that our customers use. Now, our customers benefit from the most accurate and scalable network recording, available at a mouse click from within their existing workflows.

EndaceProbes are typically used by Security Operations, Network Operations, and IT teams to record a complete, full packet history of everything that happens on the network – so they can quickly investigate and resolve security threats, performance problems, and other critical network and security issues. We are proud to help defend many of the world’s most critical networks, including government, military, healthcare, finance, retail, and enterprise.

At Endace, packet capture is the main focus. Can you tell us more about this practice?

Our entire team lives and breathes packet capture. Always-on, high-speed packet capture that can run reliably for years on end is technically very difficult, especially when you need rapid search and the ability to scale across a large, geographically diverse network. We have developed a great deal of technology and know-how over the last two decades to ensure the EndaceProbe is best-in-class when it comes to recording everything that happens on a network.

We don’t get into reporting or analytics or try to be a SIEM or a SOAR tool. Our approach is having an ecosystem of partners that provide best-in-breed solutions for those functions. We work with these vendors to provide the industry’s best network recording and packet data management and enable tight workflow integration between their solutions and our Endace platform. We do this by giving users – such as security analysts and network engineers – rapid access directly from their security or performance tools to a complete record of the packet data relating to any alert or event those tools detect. That gives them access to the ultimate forensic evidence enabling them to significantly accelerate investigations and resolve issues with greater confidence because they can see precisely what happened.

Besides various solutions to enhance security, you also provide incident response. What does the recovery process usually look like?

Endace doesn’t provide incident response as such, but the forensic evidence that EndaceProbes record is a critical resource for incident response teams.

In the incident response process, the first step is to accurately reconstruct the attack to understand the full impact. It’s important to trace how the attacker evaded defenses, how far they penetrated, and what systems or data were compromised. Only then can you understand what needs to be done to respond and remediate the damage.

Security teams piece together evidence from a variety of sources – system and application logs, network metadata, threat feeds, and alerts detected by their security tools. These are important evidence sources, but none of these provide a complete record of what happened on the network. They provide a snapshot or summary of some of the events, with important details missing.

Just as a CCTV camera does for physical security, recorded network packet data lets the security team see exactly what transpired on the network and trace the steps of any threat actor. With access to full packet data, security teams can accurately reconstruct events, understand what data was stolen, know what systems have been compromised, and be sure about the impact of incidents.

We work closely with our partners – such as Cisco, Palo Alto Networks, Splunk, IBM, and many others – to integrate the data the EndaceProbe platform records into their products. These integrations enable analysts to quickly drill down from events and alarms in these solutions to retrieve and analyze relevant packet data.

Did the COVID-19 pandemic present any new challenges in your field of work?

There have been both challenges and opportunities during the pandemic. The inability to travel was challenging for marketing and sales. Tradeshows and other events we typically rely on to meet new customers were canceled or moved to virtual-only events – which were often variable in quality. We ended up doing a lot more of our own online education, webinars, and other virtual activities.

Travel limitations were also challenging for technical and customer success teams. Onsite visits were often very difficult or impossible. But as a global business, we are used to collaborating remotely, so we adapted well. During the lockdown, we remotely helped customers deploy new systems and train their teams (including completing one of our largest customer deployments ever).

The pandemic also created opportunities. With the rapid move to remote work, network traffic patterns changed dramatically. As teams accessed corporate networks via VPNs, new performance issues and potential threats arose.

Cyber threats also ramped up as attackers took advantage of vulnerabilities resulting from rapid changes to infrastructure. And we saw many significant new zero-day vulnerabilities, such as SolarWinds Sunburst, Exchange Hafnium, and Log4J 2, which have further reinforced the importance of access to full packet data.

As a result of all this, many organizations realized they simply didn’t have sufficient visibility into the traffic on their networks and have purchased new solutions from us to remove the blind spots.

Digital forensics seems to be gaining a lot of traction recently. However, it is still a little-known practice. Could you tell us more about this cybersecurity field?

Digital forensics is fast becoming a must-have capability for any cybersecurity team.

Imagine you are in law enforcement and trying to investigate a crime. But you don’t have access to surveillance camera footage, fingerprints, or DNA evidence from the crime scene. It would be nearly impossible to build a case and find the perpetrators without these critical pieces of evidence.

Similarly, digital forensics relies on many sources of data: user access and authentication logs, system, application, and firewall logs, network metadata, and full packet data. All of these provide crucial insights into the activity of a threat actor. But full packet data is unique because it provides both the “DNA” (payload) containing the detail of what actually happened (what data was taken, what systems were compromised, and how) and an accurate timeline of activity that lets you tie all of the other evidence together and reconstruct a complete, step-by-step picture of an attacker’s activity.

It's crucial that security teams understand that lacking access to critical evidence dramatically reduces your security posture and resiliency. Packet data can provide the detailed evidence you need to understand some of the most challenging cyber threats, such as zero-day and advanced persistent attacks, lateral movement, obfuscated command and control (C2) activity, and stealthy data exfiltration. While other sources of evidence can help detect when something malicious occurs, often full packet data provides the only way to accurately reconstruct exactly what happened.

In your opinion, what are some of the worst cybersecurity mistakes organizations make that, eventually, lead to data breaches?

The biggest mistake is not being ready to respond to a threat, never having practiced with a fire/security drill. Breaches will happen to most if not all organizations, so it’s important to practice in a safe environment without the spotlight on you. And when you practice your security drills, it’s critical to learn and improve, so your teams can respond quickly and accurately when the real threat lands inside your organization.

When teams practice security drills, they usually learn they are missing vital evidence that would allow them to properly understand and respond to the threat. By putting in place systems to be ready for the next attack, they find their teams become more productive and more skilled at remediating threats.

We had one customer in healthcare tell us that putting in place packet capture saved them weeks of paperwork and HIPAA-related penalties because they were able to confirm that an attack was unsuccessful and did not compromise any patient data. Without the visibility provided by full packet capture, they would have had to report potential loss of patient data and suffer the consequences of financial penalties and brand damage.

Collecting all the evidence you need is critical. In the event of a successful breach, that evidence will enable teams to quickly detect, investigate, and respond to the threat, and be confident they have successfully remediated the attack.

What new threats do you think companies should be ready to tackle in 2022? What tools should they have in place?

I expect there will continue to be many more zero-day vulnerabilities across supply-chain tools, applications, and infrastructure elements. To me, these types of threats are the scariest because you don’t know about them until the vulnerability is announced.

Then there’s a rush to patch the vulnerability and try to identify whether you’ve fallen victim to it. That can be very difficult too. Attackers may have been present in your systems for weeks or months and planted tools that allow them to come back later while they currently lie low to avoid detection. That is why network-wide monitoring and continuous recording of evidence across the entire network are so crucial. Network recording allows you to go back in time and review whether you were hit by a zero-day exploit or supply chain vulnerability.

In terms of tools, SOAR tools are becoming essential. They can help security teams automate evidence collection, data correlation, analysis, and many security functions to free analysts up to concentrate on the more difficult threats and focus on proactive threat hunting.

Finally, I think continuous packet capture is becoming business-critical. Many organizations have written it off as being too costly or think packet analysis is too complicated for their security teams. But that simply isn’t true any longer. Modern packet capture solutions are both affordable and usable – particularly when integrated with the tools you already use. Most importantly, when you really need packet data, they are indispensable.
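Two points in the interview lend themselves to a concrete illustration: full packet data supplying the timeline that ties other evidence together (the digital forensics answer above), and network recording letting you "go back in time" to check recorded traffic against an indicator that was unknown when the packets were captured (the zero-day answer above). The following example is added here and is not Endace's code or the EndaceProbe's API; it is a minimal, standard-library-only reader for the libpcap file format. The capture bytes, addresses, ports, the `EXAMPLE-IOC-PATTERN` token standing in for a later-published indicator, and the log lines are all constructed for the illustration.

```python
import struct
from datetime import datetime, timezone

# --- Constructed sample capture (not real traffic) -------------------------
# A tiny libpcap-format byte stream built in memory: three TCP packets between
# a workstation and a web server. Addresses, ports and payloads are made up.

def _ipv4(addr):
    """Dotted-quad string -> 4 raw bytes."""
    return bytes(int(octet) for octet in addr.split("."))

def build_packet(ts, src, sport, dst, dport, payload):
    """One pcap record: 16-byte record header + Ethernet/IPv4/TCP frame.
    Checksums are left zero; the parser below never validates them."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)              # dst MAC, src MAC, ethertype IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst))                      # IHL=5, TTL=64, proto=TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)  # offset 5, PSH|ACK
    frame = eth + ip + tcp + payload
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

def build_pcap(records):
    """Little-endian pcap global header (v2.4, linktype 1 = Ethernet) followed by records."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(records)

T0 = 1_640_995_200.0  # 2022-01-01T00:00:00Z, constructed base time
SAMPLE_PCAP = build_pcap([
    build_packet(T0 + 0.0, "10.0.0.5", 51000, "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    build_packet(T0 + 1.5, "10.0.0.5", 51001, "203.0.113.10", 80, b"GET /?q=EXAMPLE-IOC-PATTERN HTTP/1.1\r\n"),
    build_packet(T0 + 3.0, "203.0.113.10", 80, "10.0.0.5", 51001, b"HTTP/1.1 200 OK\r\n"),
])
# Constructed application log lines: they record that something happened, not what.
SAMPLE_LOG = [(T0 + 2.0, "app: unhandled exception in request handler"),
              (T0 + 4.0, "app: outbound connection from service account")]

# --- Parser ---------------------------------------------------------------
def parse_pcap(data):
    """Decode a pcap byte string into TCP packet dicts (ts, src, sport, dst, dport, payload).
    Non-IPv4 and non-TCP frames are skipped; a truncated final record ends the scan."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only linktype 1 (Ethernet) is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < incl:
            break                                   # capture cut off mid-record
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = int.from_bytes(ip[2:4], "big")
        if ip[9] != 6:
            continue                                # not TCP
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue                                # malformed TCP header
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        packets.append({
            "ts": sec + usec / 1_000_000,
            "src": ".".join(map(str, ip[12:16])), "sport": sport,
            "dst": ".".join(map(str, ip[16:20])), "dport": dport,
            "payload": tcp[data_off:],
        })
    return packets

def retro_search(packets, signature):
    """Re-scan already-recorded packets for a byte pattern that was unknown at capture time:
    the 'go back in time' check for an indicator published after the traffic was recorded."""
    return [p for p in packets if signature in p["payload"]]

def build_timeline(packets, log_events):
    """Merge packet records and log lines into one time-ordered list of (iso_ts, source, detail)."""
    events = [(p["ts"], "pcap", f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
                                f"{len(p['payload'])} payload bytes") for p in packets]
    events += [(ts, "log", msg) for ts, msg in log_events]
    return [(datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(), src, detail)
            for ts, src, detail in sorted(events)]

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    hits = retro_search(pkts, b"EXAMPLE-IOC-PATTERN")
    print(f"{len(pkts)} TCP packets recorded, {len(hits)} match the later-published indicator")
    for row in build_timeline(pkts, SAMPLE_LOG):
        print(*row)
```

The log alone says an exception occurred at T0+2 and an outbound connection happened at T0+4; only the merged timeline shows the request carrying the indicator 0.5 s before the exception and the server's reply after it. A real deployment would read multi-gigabyte captures incrementally and decode far more than a single transport, but the retrospective search is the same idea: the packets were kept, so a rule that did not exist on the day can still be applied to them.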

As for individual users, what personal cybersecurity tools do you think everyone should invest in?

People should definitely enable firewall capabilities on their devices and home networks and install one of the many excellent end-point security tools that are available. This is the absolute minimum for protecting endpoint devices and systems.

Another recommendation is to ensure good hygiene when it comes to usernames and passwords. Using a password manager helps make it easy to use unique, complex passwords for every service. That way, if your access to one account or service is compromised, attackers can’t leverage that data to gain access to the other services you use. Also, enable multi-factor authentication wherever possible and use Google Authenticator, Authy, or other similar mobile authentication tools to make it easy.

I’d also suggest everyone takes a basic course on what constitutes good cybersecurity practice. So many threat actors gain access by taking advantage of basic mistakes you make – regardless of the security defenses you have in place. Email-based phishing attacks are still the number one security threat out there in terms of volume and prevalence so people really need to know how to avoid falling for these attacks – which can often be extremely convincing.

Share with us, what’s next for Endace?

We are continuing to enhance our ability to deliver the scalability, reliability, and performance that our largest customers need to protect their networks. And we are also continuing to focus on making it easy for security and network teams to access and work with packet data. We’ve recently introduced new features like the ability to automatically reassemble files from packet data and re-analyze historical traffic to extract highly detailed metadata or go back and determine whether you were impacted by a zero-day threat before patches or new detection rules were available.

We have added new functionality, such as multi-tenancy, which enables MSSPs and large multi-division or multi-company organizations to share infrastructure while keeping each entity’s data separate and secure. This is opening up new opportunities for Endace with service providers such as MDR specialists, which is very exciting.

And finally, Endace is also expanding its capability into cloud and hybrid cloud environments. We have had a virtual EndaceProbe for some time, and we are extending this capability to enable cloud-native deployment in AWS and Azure environments. This gives customers the ability to record and access network traffic seamlessly across on-prem, private cloud, and public cloud environments.

There’s always lots to do and that’s what makes Endace an exciting place to work.