Secure Networks: Endace Packet Forensics Files

Technology Podcasts

"Secure Networks: Endace Packet Forensics Files" features interviews with leading cybersecurity and networking experts from companies such as Cisco, Darktrace, Palo Alto Networks, and others. It focuses on the issues that Security, Network Operations and DevOps teams face in securing and managing their networks and applications and provides insights into best practices and future developments.

Location:

United States

Language:

English


Episodes
Episode 64: Steve Fink, CTO and CISO at Secure Yeti

11/6/2025
In this episode of the Endace Packet Forensics Files, Michael Morris chats with Steve Fink, CTO and CISO of Secure Yeti and architect of the SOCs for Black Hat, RSA Conference, and Cisco Live, for an in-depth look at building effective Security Operations Centers (SOCs). With 26 years of cybersecurity experience, Fink shares strategies for leveraging packet data, integrating AI for automation, fostering vendor collaboration, and ensuring scalability and resilience. This expert-led discussion is a must-watch for cybersecurity professionals who want to learn how to optimize threat detection and avoid data swamps.

ABOUT ENDACE
Endace (https://www.endace.com) is a world leader in high-performance packet capture solutions for cybersecurity, network and application performance. EndaceProbes are deployed on some of the world's largest, fastest and most critical networks. EndaceProbe models are available for on-premise, private cloud and public cloud deployments, delivering complete hybrid cloud visibility from a single pane of glass. Endace's open EndaceProbe Analytics appliances (https://www.endace.com/endaceprobe) can be deployed in on-premise locations and can also host third-party security and performance monitoring solutions while simultaneously recording a 100% accurate history of network activity.

CHAPTERS
01:24 Why is your nickname 'Fink' and not Steve?
02:17 What foundational, architectural principles are essential when designing a next-gen SOC?
05:43 How do you approach scalability and modularity in NOC/SOC design to accommodate future growth?
08:57 How have you evolved to integrate cloud-native technology or hybrid environments into your SOC, and what were the challenges?
12:04 What role do packet data and centralized logging play in your SOC design, and how do you ensure efficient data ingestion and retrieval?
14:45 How do you architect a SOC to support real-time threat detection and response across geographically distributed global infrastructures?
17:55 What strategies do you use for disaster recovery?
20:35 How do you incorporate AI, ML and automation capabilities into your SOC architecture to enhance threat hunting?
23:02 What are your best practices for integrating third-party tools?

Duration:00:25:51

Episode 63: Jack Chan, VP of Product and Field CTO at Fortinet

9/25/2025
Why NDR is Evolving, and What Enterprises Should Demand From It
In this episode of the Endace Packet Forensics Files, Michael Morris is joined by Jack Chan, VP of Product and Field CTO at Fortinet, to unpack what makes a truly effective Network Detection and Response (NDR) solution. Jack shares his perspective on why visibility, historical context, and deep threat hunting capabilities matter more than flashy features. They explore how AI and machine learning are transforming NDR, helping detect threats in encrypted traffic and reduce alert fatigue for SOC teams. Jack also talks about integrating NDR with firewalls and EDR tools to improve response decisions and streamline investigations. Finally, Jack leaves us with a powerful reminder: security starts with people. From secure coding to user awareness, the human element is often the weakest link, and the best place to strengthen your defences.

Duration:00:25:21

Episode 62: Jessica (Bair) Oppenheimer, Cisco's Director of Security Operations

8/12/2025
What does it take to run a world-class Security Operations Center (SOC) in today's high-stakes, high-speed cybersecurity landscape? In this episode of the Endace Packet Forensics Files, Michael Morris chats with Jessica (Bair) Oppenheimer, Cisco's Director of Security Operations, for an in-depth look at next-generation SOCs. Jessica shares her expertise from securing high-stakes events like the Paris 2024 Olympics, the NFL Super Bowl, Black Hat, and RSA Conference. Discover how her team leverages AI, full packet capture with EndaceProbes, and integrations with Cisco XDR and Splunk to combat AI-driven threats and ensure rapid detection and response. This episode is a must-listen for cybersecurity professionals who want to stay ahead of evolving threats. It is packed with insights on balancing automation with human expertise and on key KPIs for SOC success.

Duration:00:27:37

Episode 61: Jean-Paul Bergeaux - Federal CTO, GuidePoint Security

6/11/2025
In this episode of the Endace Packet Forensics Files, I talk to Jean-Paul Bergeaux, Federal CTO at GuidePoint Security. We unravel the complex world of federal cybersecurity and discuss the critical importance of certifications, the game-changing M-21-31 directives, and how packet capture data is revolutionizing threat detection. We also uncover the potential risks and opportunities presented by generative AI in the cybersecurity landscape. From SolarWinds lessons to the emerging generative AI challenge, Jean-Paul provides unprecedented insights into how government agencies fight to stay ahead of sophisticated cyber threats. This episode offers a must-watch deep dive into the frontlines of digital defense.

Duration:00:22:42

Episode 60: James Spiteri - Director of Product Management for Security Analytics at Elastic

2/26/2025
How Generative AI and Machine Learning are Revolutionizing Cybersecurity
In this episode of the Endace Packet Forensics Files, Michael Morris explores with James Spiteri how advanced technologies like AI and machine learning are transforming security operations. With extensive experience in cybersecurity and security operations, including leading SOC teams and developing innovative solutions for AI and machine learning, James offers unparalleled insights. He delves into the growing sophistication of nation-state threats, the critical role of SIEM tools, and how AI-driven insights are enabling faster, smarter threat detection by prioritizing critical alerts, automating mundane tasks, analyzing complex data patterns, and operationalizing unstructured threat intelligence in real time. Don't miss this insightful episode, where James shares expert tips on leveraging cutting-edge technology to strengthen your cybersecurity defenses and stay ahead of evolving threats.

Duration:00:31:41

Episode 59: Matt Bromiley - SANS Author and Instructor | Veteran Threat Hunting Expert

11/6/2024
Unlock the Power of Network Packet Data in Cybersecurity
In this episode of the Endace Packet Forensics Files, Michael Morris dives into the critical role of network packet data in cybersecurity with Matt Bromiley, a seasoned threat-hunting expert. Matt shares why robust detection systems and proactive threat hunting are essential, and how network data serves as the "glue" that ties together evidence in cybersecurity investigations. They explore the challenges of managing large data volumes, the growing role of AI in threat detection, and the tools needed to stay ahead of emerging threats. Matt provides practical steps to seamlessly integrate packet capture into a threat-hunting toolkit, enabling teams to uncover and respond to even the most elusive threats. Matt emphasizes the importance of implementing a comprehensive packet capture strategy and using advanced tools, including AI, to manage data and enhance detection. He also stresses the need for continuous team training to effectively interpret data and respond to real-time threats, strengthening your defense against complex threats. Don't miss this insightful episode, where Matt shares expert tips on optimizing threat hunting and leveraging packet capture to strengthen your cybersecurity defenses.

Duration:00:38:59

Episode 57: Ryan Chapman - SANS Author and Instructor | Veteran DFIR Expert

8/25/2024
Ransomware has shifted from simple, isolated attacks to coordinated, human-operated campaigns that target entire organizations. In this episode of the Endace Packet Forensics Files, Michael Morris talks with Ryan Chapman, SANS Instructor and expert in Digital Forensics and Incident Response (DFIR), about these evolving threats. Ryan explains how attackers are becoming more methodical and sophisticated, focusing on disabling EDR/XDR solutions to evade detection and leaving organizations vulnerable to advanced attacks. One of the key challenges Ryan highlights is visibility. Without robust logging, packet capture, and monitoring tools, it's nearly impossible to fully understand how an attack happened. Even encrypted traffic can reveal critical patterns if analyzed properly. Ryan shares examples of organizations that suffered reinfections because they rushed to restore systems without identifying the original entry point. Packet capture data plays a vital role in pinpointing when and how attackers infiltrated, ensuring a safe recovery and minimizing disruption. As ransomware tactics evolve, adopting a Zero Trust approach is essential. Ryan discusses how limiting permissions and avoiding overly trusting software configurations can help prevent breaches. He cites the Kaseya attack, where some organizations avoided compromise by not blindly whitelisting trusted directories. As attackers increasingly use legitimate tools, verifying all network activity and following least-privilege principles are critical defenses. Don't miss this insightful episode, where Ryan provides actionable advice for preparing your organization against today's ransomware threats.

Duration:00:28:02

Episode 55: Taran Singh - VP, Product Management at Keysight Technologies

5/15/2024
In this episode, I chat with Taran Singh, VP of Product Management at Keysight Technologies, about network observability. Taran explains its importance within the zero-trust architecture and discusses the challenges organizations face in achieving clear network visibility. He highlights the role of historical data analysis in cybersecurity and outlines Keysight's approach to network visibility. Don’t miss this insightful discussion on network observability and its significance in modern cybersecurity. Follow Taran here on LinkedIn - https://www.linkedin.com/in/taransingh/

Duration:00:17:59

Episode 54: Jake Williams - IANS faculty member, former SANS educator, computer science and information security expert and U.S. Army veteran.

4/12/2024
In this episode of the Endace Packet Forensics Files, Michael chats with Jake Williams, aka @MalwareJake, who delves into the concept of Zero Trust and its significance for organizations seeking to bolster their security defences. Discover how Zero Trust challenges traditional security models and learn about the crucial role of continuous verification and network visibility in mitigating threats. Gain valuable insights into networking fundamentals and the integration of cybersecurity principles from an industry veteran. Don't miss out on this opportunity to enhance your cybersecurity knowledge and stay ahead of evolving threats.

Duration:00:24:36

Episode 53: Tanya Janca - Head of Education and Community at Semgrep, Founder of WehackPurple, renowned cybersecurity expert, author and RSA Speaker.

2/28/2024
In this episode of Secure Networks, Michael chats with Tanya Janca, aka SheHacksPurple, Head of Education and Community at Semgrep and founder of We Hack Purple. Tanya discusses her transition from developer to security expert, the real issues behind the cybersecurity skills gap, and strategies for employee retention. She also dives into the implications of emerging technologies on security practices and the balance between automation and human expertise. Don't miss these valuable insights. Visit Tanya's websites: ► We Hack Purple - [https://wehackpurple.com/] ► Semgrep - [https://semgrep.dev/]

Duration:00:42:43

Episode 52: Caitlin Sarian - Cybersecurity TikTok and Instagram influencer and CEO of Cybersecurity Girl LLC

1/25/2024
In this episode of the Endace Packet Forensics Files, Michael Morris chats with cybersecurity TikTok and Instagram influencer Caitlin Sarian, CEO of Cybersecurity Girl LLC, who discusses her journey into the cybersecurity field and her mission to break down stigmas surrounding the industry. Caitlin highlights the need for continuous learning in the rapidly evolving cybersecurity landscape and recommends various channels for staying updated, including news alerts, newsletters, and professional groups. She addresses common misconceptions about coding requirements, debunking the idea that a specific educational background is essential, and stresses the value of gaining practical experience and obtaining certifications tailored to one's chosen specialization. Lastly, Caitlin advocates for diversity and inclusivity in cybersecurity. She emphasizes the need for mentorship, role models, and a supportive company culture to encourage women and minorities to enter and thrive in the industry. This episode provides valuable insights for those considering a career in cybersecurity and underscores the importance of fostering a diverse and inclusive environment within the field.

Duration:00:25:36

Episode 51: Eric Buchaus, Director of Sales at Niagara Networks

12/10/2023
Are SPAN ports sufficient to provide network traffic visibility for high-quality security (NDR) and network (NPM) investigations? What about cloud workloads? What do you need to gain insights into cloud network activity? In this episode of the Endace Packet Forensics Files, I talk with Eric Buchaus, Director of Sales at Niagara Networks. Eric outlines potential pitfalls and challenges associated with SPAN ports and highlights situations where they may fall short for network and security analysts. Eric walks us through some alternative options, discussing the merits of network TAPs, network packet brokers, and in-line bypass solutions, which can offer NOC/SOC teams more reliable, efficient, and scalable ways to get network packet data to the right tools in large-scale and complex environments. He discusses some of the specific challenges of network visibility in cloud infrastructures and suggests some practical ways to overcome these obstacles. Eric suggests things organizations should consider when exploring different packet broker or TAP vendors and outlines the management and scrutiny that needs to be applied to encrypted traffic to achieve in-depth visibility securely. Finally, Eric talks about how TAPs and packet brokers can help in dynamic SDN environments with high traffic volumes. He emphasizes why they are important for organizations looking to implement zero-trust infrastructures, particularly environments with many walled gardens and lots of VLANs for IOT/IOTM devices and technologies.

Duration:00:30:58

Episode 50: Martyn Crew - Senior Director, Solutions Marketing and Partner Technologies at Gigamon

11/15/2023
In this episode of the Endace Packet Forensics Files, Michael Morris talks with Martyn Crew, Senior Director, Solutions Marketing and Partner Technologies at Gigamon, a 30-year veteran in the cybersecurity and network management space. Martyn shares his expertise on the limitations and risks associated with exclusively using logs and metadata as the primary resources for your security team's investigations. He discusses various use cases where network traffic and full packet data can play a crucial role in security investigations, highlighting the potential oversights that could occur when teams rely solely on log data. Martyn recommends how to address the scalability challenges of leveraging full-packet data and delves into the storage and retention obstacles that many organizations fear when looking at solution options. Finally, Martyn suggests how to achieve a balance between telemetry sources and costs for your SOC team, and shares some key considerations for maintaining visibility in your hybrid cloud infrastructure, encompassing both on-prem and public or private cloud environments.

Duration:00:29:23

Episode 49: ICS/SCADA security expert, Lionel Jacobs from Palo Alto Networks

10/11/2023
In this episode of the Packet Forensics Files, Endace's Michael Morris talks to Lionel Jacobs, Senior Partner Engineer at Palo Alto Networks and ICS/SCADA security expert. Lionel draws on his more than 25 years of experience in OT and almost a decade at Palo Alto Networks in discussing some of the challenges of securing OT, IoT and critical infrastructure from cyber-attack. Lionel talks about the challenge of detecting attacks in OT environments, how to spot unusual activity, and the importance of having a reference baseline to compare against. He highlights the importance of packet data in providing insight into what is happening on OT networks. Lionel also stresses the importance of close collaboration between OT security teams and the operators of OT networks. It's crucial to ensure that the safe and effective operation of critical infrastructure isn't adversely impacted by security teams that don't understand the operational processes and procedures that are designed to ensure the safety of the plant and the people who work there. Lastly, Lionel reiterates the importance of gathering reliable evidence and enabling security analysts to quickly get to the evidence that's pertinent to their investigation. It's not just about collecting data, but about making sure that data is relevant and easy to access.

Duration:00:29:38

Episode 48: Endace Security Manager, Al Edgar

9/5/2023
In this episode of the Packet Forensics Files, Michael Morris asks Al Edgar, former Information Security Manager for Health Alliance and now IT Security Manager at Endace, about some of the important areas a security leader needs to focus on and what new challenges they are facing. Firstly, Al says, it's important to take a holistic approach to cybersecurity, by looking at the three critical components for robust security: people, processes, and technology. He stresses the importance of Incident Response planning and why it's so critical to define clear objectives, roles, and responsibilities as part of the plan. In order to stay ahead of emerging threats, Al says keeping up to date with cybersecurity trends is crucial. He recommends subscribing to cyber blogs, leveraging threat intelligence feeds, and mapping threat intelligence against your organizational infrastructure. He also highlights the importance of having a plan for managing third-party vendor risk. Al provides some valuable recommendations on where to start to ensure a more robust security posture, including maintaining a centralized inventory, conducting thorough risk assessments, cataloging and categorizing risks, and incorporating appropriate security clauses into contracts with suppliers and partners. Cybersecurity awareness training is another critical area, Al says. His view is that it's the responsibility of every individual in an organization to prioritize cybersecurity, but he highlights the importance of support and training to enable them to do this effectively. Lastly, Al talks about future cybersecurity threats, and calls out the potential risks associated with the weaponization of AI technology. He highlights the need for caution when sharing information with AI systems, reminding us to be mindful of potential privacy breaches and the risk that sensitive IP or data disclosed to AI tools may be misused or insufficiently protected.

Duration:00:26:00

Episode 47: Network forensics and incident response specialist, Jasper Bongertz

8/7/2023
What are some of the challenges of responding to a serious incident, such as a ransomware attack or an advanced persistent threat? Where do you start, and what are the critical things you need to do? In this episode we are lucky to welcome Jasper Bongertz, Head of Digital Forensics and Incident Response at G DATA Advanced Analytics in Germany. Jasper has a wealth of experience from working on the front line of incident response at G DATA as well as in his previous role at Airbus. He also has a long background in network forensics, having been a Wireshark and network forensics instructor, and continues to be a very active member of the Wireshark community. Jasper starts by outlining some of the steps to mitigate "headless chicken mode", which is what he often sees when an organization first uncovers a serious cybersecurity incident. The process starts with understanding exactly what has happened and what the impact is, so that a clear response plan and timeline for resolution can be established. This requires gathering the available evidence, including network packet data if it's available. It's important to be able to do this quickly, particularly in the case of ransomware attacks where the organization's IT systems may be unavailable as a result of the attack. With ransomware, speed is crucial since the organization's primary priority is typically to get back to an emergency operating state as quickly as possible. Jasper lists some of the tools that his team finds useful in rapidly gathering that critical evidence. Once the scope of the incident has been established, you need to have the specific expertise on hand to do the initial investigation to understand what happened and how it happened so you can identify the right response. Typically, Jasper says, that will involve having at least an incident response specialist, a forensic expert, and a malware reverse engineer, but depending on the scale of the event it may involve many others too.
Jasper outlines the most important steps organizations can take to protect themselves against ransomware attacks and ensure that in the event of a successful attack they can recover. The two most important of these are making sure domain administrator credentials are protected to prevent privilege escalation and ensuring backups are complete and protected from sabotage. Lastly, Jasper discusses the changing cyberthreat landscape. He outlines why he thinks data exfiltration and extortion will become more a common threat than ransomware and encryption, and why network data is critical to combat this growing risk.

Duration:00:23:19

Episode 46: Gerald Combs, Wireshark and Stephen Donnelly, Endace

6/14/2023
How did Wireshark come to be, and what's made it so successful, not just as the pre-eminent tool for analyzing network packet data, but as an open-source project in general? In this episode Michael Morris talks to Wireshark founder Gerald Combs and Endace CTO Stephen Donnelly about the origins of Wireshark, and why packet capture data is so crucial for investigating and resolving network security threats and network or application performance issues. Gerald talks about the early days of Ethereal, a "packet sniffer" he originally created for his own use in his role at an ISP, but subsequently open-sourced as Wireshark. That fortuitous decision was key, Gerald says, to the subsequent ongoing growth and success of the Wireshark project, which will turn 25 years old in July! It enabled developers from around the world to contribute to the project, creating a Windows version in the process, and helping Wireshark to become the gold standard tool for network analysis, used by SecOps, NetOps and IT teams the world over. Stephen has been using Wireshark right from the earliest days, when it was still called Ethereal, and is one of the many contributors to the project. Stephen and Gerald both talk about why packet analysis is so important for cybersecurity and network performance analysis (the ubiquitous "Packets Don't Lie" T-shirt, available from the Wireshark Foundation store, says it all really), and discuss examples of the many and varied problems that Wireshark is helping people to solve. Stephen outlines the differences between network flow data and packet capture data and why packet data is essential for solving some problems where flow data just doesn't contain the level of detail required. Wireshark is continually evolving, with support for new protocols, and new UI enhancements that make it easier for analysts to slice and dice packet data.
Gerald says that Wireshark is almost the perfect open-source project because it allows for a lot of parallel collaboration from contributors in creating new dissectors and ensuring that Wireshark continues to keep pace with the rapid pace of change in networking. Now that planning for Wireshark 5.x has started, Gerald also looks ahead to some of the possible new features that might appear in future releases. And finally, Gerald talks about the new Wireshark Foundation (which Endace is a sponsor of), which has been set up to provide support for ongoing development of the Wireshark project and ensure it continues its resounding success into the future. Wireshark is coming up on its 25th birthday and still going from strength to strength. Don't miss this fascinating interview with the leader of one of the most successful open-source projects around. Gerald and Stephen's insightful commentary, as well as some fantastic tips and tricks, make this a must-listen episode.

Duration:00:25:20
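Two points from these episodes ask for a concrete illustration: Ryan Chapman's remark (Episode 57) that encrypted traffic still reveals critical patterns when analyzed properly, and Stephen Donnelly's distinction (Episode 46) between flow data and packet capture. The example below is added here and is not code from Endace, the Wireshark project, or either guest. It builds a small pcap in memory from constructed frames (the RFC 5737 addresses, the hostname update.example.net and the cipher-suite list are all assumptions chosen for the demo), then reads it twice: once reduced to NetFlow-style 5-tuple counters, and once with the TLS ClientHello parsed, which is the only way the requested server name (SNI) becomes visible. The session stays encrypted after the handshake; the point is that the unencrypted handshake metadata exists only in the packets.

```python
"""Flow summaries vs. full packets, on a constructed pcap (pure stdlib, no scapy)."""
import struct
from collections import defaultdict

# ---- constructed sample traffic (assumed values, not a real capture) ------------------
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"   # RFC 5737 documentation addresses
SNI = "update.example.net"                    # assumed hostname for the demo
CIPHERS = (0x1301, 0x1302, 0xC02F)            # TLS 1.3 / 1.2 suites, arbitrary choice


def build_client_hello(sni: str, ciphers) -> bytes:
    """Minimal TLS ClientHello record carrying only a server_name extension."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # list len, host_name type, name len
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext             # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                                 # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs               # record type 22 = handshake


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/TCP around a payload; checksums left zero (the parsers below ignore them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"                          # dst MAC, src MAC, IPv4
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    """Three frames: ClientHello, a server handshake record stub, then encrypted application data."""
    frames = [
        build_frame(CLIENT, SERVER, 51000, 443, build_client_hello(SNI, CIPHERS)),
        build_frame(SERVER, CLIENT, 443, 51000, b"\x16\x03\x03\x00\x04" + b"\x02\x00\x00\x00"),
        build_frame(CLIENT, SERVER, 51000, 443, b"\x17\x03\x03\x00\x10" + b"\xaa" * 16),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)       # classic pcap header, LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def iter_frames(pcap: bytes):
    """Yield raw Ethernet frames from a little-endian classic pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled in this demo")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl]
        off += incl


def parse_tcp(frame: bytes):
    """Return (src, dst, sport, dport, payload) for IPv4/TCP frames, else None."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, ip[ihl + doff:total_len]


def flow_records(pcap: bytes):
    """What a flow exporter gives you: unidirectional 5-tuple -> packet and byte counters."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for frame in iter_frames(pcap):
        p = parse_tcp(frame)
        if p is None:
            continue
        src, dst, sport, dport, _ = p
        rec = flows[(src, sport, dst, dport, "tcp")]
        rec["packets"] += 1
        rec["bytes"] += len(frame)
    return dict(flows)


def tls_client_hello_sni(payload: bytes):
    """server_name from a TLS ClientHello; None for any other record, including encrypted ones."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    off = 9 + 2 + 32                                         # record hdr, handshake hdr, version, random
    off += 1 + payload[off]                                  # session id
    off += 2 + struct.unpack_from("!H", payload, off)[0]     # cipher suites
    off += 1 + payload[off]                                  # compression methods
    end = off + 2 + struct.unpack_from("!H", payload, off)[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack_from("!HH", payload, off)
        off += 4
        if etype == 0:                                       # skip list len (2) and name type (1)
            name_len = struct.unpack_from("!H", payload, off + 3)[0]
            return payload[off + 5:off + 5 + name_len].decode("ascii", "replace")
        off += elen
    return None


def packet_evidence(pcap: bytes):
    """What only the packets give you: the hostname each client flow asked for."""
    found = {}
    for frame in iter_frames(pcap):
        p = parse_tcp(frame)
        if p:
            src, dst, sport, dport, payload = p
            sni = tls_client_hello_sni(payload)
            if sni:
                found[(src, sport, dst, dport, "tcp")] = sni
    return found


if __name__ == "__main__":
    sample = build_sample_pcap()
    for key, rec in flow_records(sample).items():
        print("flow   ", key, rec)
    for key, sni in packet_evidence(sample).items():
        print("packets", key, "SNI =", sni)
```

Running it prints two flow records (two client packets, one server packet, with byte totals and nothing else) followed by the single fact the flow view cannot produce: that the client at 10.0.0.5 asked 203.0.113.10 for update.example.net. The same ClientHello is also where cipher-suite and extension lists for JA3-style fingerprinting come from, so a capture that keeps handshakes retains investigative value even when everything after them is opaque.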

Episode 45: Dimitri McKay, Splunk

5/17/2023
Increasingly complex systems, an expanding threat landscape, and an explosion in the number of potential entry points all make managing security at scale a daunting prospect. So what can you do to implement effective security at scale, and what are some of the pitfalls to avoid? In this episode Michael Morris talks with Dimitri McKay, Principal Security Strategist and CISO Advisor at Splunk, about where to start addressing the challenges of security at scale. He highlights the importance of robust risk assessment, developing clear security goals and ensuring leadership buy-in to the organization's security strategy, and the importance of balancing the needs of users with the need to secure the enterprise. Dimitri discusses some of the pitfalls organizations often fall into, and what security leaders can do, and where they should start, to avoid making the same mistakes. He talks about the importance of thinking strategically, not just tactically, of being proactive rather than just reactive, and of creating a roadmap for where the organization's security needs to be one, two and three years into the future. Dimitri also highlights the need to collect the right data to ensure the organization can accomplish the security goals it has set, to enable high-fidelity threat detection and provide the necessary context for effective and efficient threat response. Security teams started by collecting what they had, he says, such as firewall logs and authentication logs, but this isn't necessarily sufficient to enable them to accomplish their objectives because it focuses more on IT risks than on the critical business risks. Finally, Dimitri puts on his futurist hat to predict what security teams should be on the lookout for. Not surprisingly, he predicts that the rapid development of AI tools like OpenAI's ChatGPT has the potential to offer huge benefits to cyber defenders.
But they will also enable cyber attackers to create increasingly sophisticated threats and circumvent defences. AI is both an opportunity and a threat.

Duration:00:27:21

Episode 44: David Monahan, Business Information Security Officer

4/12/2023
Cyberthreats are something all organizations are facing. But pharmaceutical and healthcare providers have some unique challenges and vulnerabilities and come in for more than their fair share of attention from threat actors. What can your SOC team learn from some of the best practices these organizations are implementing? Are you architecting your environment to separate IoT devices from other critical assets, and are you managing them with the same level of scrutiny? In this episode I talk with David Monahan, a 30-year expert in cybersecurity and network management and former researcher at Enterprise Management Associates. David draws on his research background as well as his current experience working as the Business Information Security Officer at a large global pharmaceutical company. He talks about some of the similarities and differences the healthcare and pharmaceutical industries have with other industries. He shares his insights into why the healthcare and pharmaceutical industries are so strongly targeted by threat actors and things consumers or patients can do to help protect themselves and their information. David also discusses some of the unique challenges healthcare organizations have around IoT devices and suggests ways to help manage these risks. He shares some best practices your security organization can be leveraging and points out tools and solutions that are critical for any security stack. Finally, David talks about what training and skills are important to ensure your SOC analysts are as prepared as possible to defend against cyberthreats.

Duration:00:26:53

Episode 43: Jim Mandelbaum, Gigamon

3/15/2023
In this episode of the Endace Packet Forensics Files, Michael Morris talks to Jim Mandelbaum, Field CTO at Gigamon, about what "security at scale" means. Jim draws on more than a decade of experience as a CTO in the security industry, and shares best-practice tips to ensure that as your infrastructure evolves, your security posture keeps pace. Jim highlights the importance of leveraging automation to help deal with the increasingly complex network environment. Key to this is having visibility into exactly what's happening on your network, including on-prem, cloud and hybrid-cloud environments, so you can make informed decisions about what traffic needs to be monitored and recorded, and what tasks can be automated to ensure threat visibility. It's also critical to break down team silos, Jim says. Otherwise, responsibility has a tendency to fall through the cracks. Teams need to collaborate closely and include the security team in IT strategy planning, particularly cloud migration projects. That makes it easier to determine who is responsible for which parts of security from the get-go. When teams have the opportunity to discuss the challenges they face, they can often leverage solutions that have been successfully implemented elsewhere in the organization, saving time, resources and budget as a result. Lastly, Jim highlights the importance of talking with your vendors about their future product strategies to ensure they align with your organization's plans. Otherwise, there's a risk of divergence which could prove very costly down the track.

Duration:00:20:40