The Future of Infosec: Virtualization Will Complement Real-Time Packet Capture

This is the second of two articles on packet capture and its vital role in network cybersecurity.   The focus is on why organizations should move their InfoSec tools to an open analytics platform which incorporates accurate line rate packet capture; one that is open, flexible and powerful enough to handle the demands of tomorrow’s infosec needs.

The first article emphasized the importance of effective packet capture in cyber security, including liability, risk management, insurance coverage, and regulatory compliance.  Building on that foundation, the focus of this article is on adopting a cyber security system based on flexibility and compatibility, on which a full array of detection and protection tools can be implemented in the most effective way to meet the needs of the individual organization.

The Effective Cyber Security Platform of Tomorrow Requires both Openness and Agility

The rich selection of innovative and powerful security tools and techniques being marketed to today’s security teams are little akin to a delicious box of chocolates that are just out of reach.  The rapid pace of infosec innovation promises tantalizing glimpses of potential to those defending against skilled and agile assailants. They might offer a silver bullet in the defense against new classes of threats, promise to elevate team productivity to new levels, offer faster threat detection and containment, and deliver greater insight into tomorrow’s new emerging threats.  Open source developments underpin many of these innovations, delivering a new velocity to the evolution of infosec tool capabilities. The confluence of open source and commercial innovation, each supporting the other, is resulting in a plethora of new solutions with huge potential to aid us in combatting cybersecurity threats.

The quandary that security teams face is how to rapidly select, trial, and deploy the most appropriate innovations across their environment in a scalable and agile way – given limited financial and human capital. Innovations are thrust out of reach if they are delivered on a closed, proprietary platform that is dedicated to a single purpose and incompatible with other solutions. Closed platforms are self-limiting to existing technologies. They are by their nature exclusive, making integration with other solutions difficult or impossible and as a result the well-integrated ecosystem of best-of-breed solutions that security teams yearn for remains an unachievable pipe dream.

By contrast, an open platform approach facilitates the rapid testing and deployment of new and innovative infosec tools. Proprietary solutions that once required the costly purchase of dedicated, hardware-based appliances, and took many weeks or months of planning before deployment, can now be deployed quickly and easily onto a powerful, shared, and open, platform. What’s more, both new and legacy solutions can be deployed side-by-side in the same environment on the same platform. This duality supports the desire to trial new solutions while retaining, and not disturbing, legacy solutions teams have come to rely on.

Leveraging a powerful, hardware-based packet capture platform as the basis for an open analytics platform is the obvious choice, because it is already positioned to monitor key points in the network. The definitive, packet-level evidence that it records also provides a shared source of truth for both security teams and the analytics tools they use, supporting the rapid investigation and resolution of security incidents – as we saw in the first article in this series.

Integration capability, and support for a wide range of commercial, open source and custom-developed security tools is critical to ensuring a common platform can enable the connected, well-integrated ecosystem of tools that security teams are desperately hoping for – the chocolate box of treats that is tantalizingly just out of reach at present. This connected ecosystem of tools enables more efficient workflows, greatly improved productivity, and infinitely deeper insight into threat activity on the network – allowing security teams to detect and investigate threats more effectively and respond to them with speed and confidence.

Leveraging the Virtualization Phenomenon

In practice, security function virtualization is the migration of network security functions from proprietary – usually single-function – hardware appliances to software applications or virtualized machine images that can be deployed on an open compute platform in a private datacenter or cloud environment.

Now that many infosec tool vendors commonly provide virtualized editions of their solutions, virtualization offers a potential “common ground” upon which organizations can build an open ecosystem of analytics capabilities. It is critical that the hardware platform used to host virtualized security analytics functions can deliver sufficient performance to deal with the increasingly challenging velocity and volume of network data that needs to be captured, analyzed and recorded in order to detect cyberthreats. This requires that the resources and datapaths of the hardware platform are highly-optimized to enable it to handle the demands of high-speed networking data-flows and compute-intensive analytics tasks.

General purpose hypervisor platforms are typically unsuitable for this because they are not designed specifically for networking tasks – they lack the purpose-built hardware needed to capture, process and store traffic at high-speed without packet loss. A hardware platform specifically designed for lossless packet capture, on the other hand, makes an ideal platform on which to host virtualized analytics tools. It can provide hosted applications with access to real-time or recorded traffic for analysis and via API-integration allows organizations to connect all their tools together to create a complete and holistic ecosystem of analytics functionality without the limitations inherent in deploying multiple, different appliance-based solutions.

Endace’s Open Analytics Platform

Endace is a company pioneering this open platform approach with its range of EndaceProbe™ Analytics Platforms. EndaceProbes provide full packet capture and recording, with zero packet loss, on network links from 10Mbps to 100Gbps and beyond, allowing organizations to capture, index and store a 100% accurate record of network activity. EndaceProbes are the industry’s only truly open packet capture platform, allowing both hosting of, and integration with, commercial, open-source and custom analytics applications.

Endace’s Fusion Partners Program

One of the unique advantages of Endace’s open EndaceProbe Platform is that it allows customers to choose analytics tools from a wide range of commercial vendors as well as from open source projects like Zeek (formerly Bro IDS), SNORT, Suricata or Wireshark and host them on, and/or integrate them with, the EndaceProbes they deploy on their network.

Rather than being forced to settle on a limited set of vendors in order to prevent platform sprawl and overextended hardware budgets – or being forced to deploy integrated “all-in-one” solutions that typically don’t provide best-of-breed capability in all areas – customers can mix-and-match solutions to achieve the right balance of capability they need while also having the ability to tightly integrate their chosen tools. This delivers a coherent view of network activity and enables streamlined workflows that dramatically increases productivity and visibility resulting in faster, more accurate threat response.

To make this easy, Endace has partnered with some of the world’s leading network security vendors to provide “out-of-the-box” integration with the industry’s most commonly used security analytics and monitoring solutions.

The EndaceProbe’s powerful API also allows customers to integrate with their existing legacy solutions as well as hosting, or integrating with, open source solutions or custom tools they build in-house. The same API integration allows scripted access to Network History to automate common processes – such as threat hunting activity – too, further improving productivity.

Endace calls its technical partner program Endace Fusion. Endace’s Fusion Partners are listed below with a link to the partner page for each which describes the currently available integration with their product(s) and in most cases includes a demo video of the integration. 

• BluVector (now Comcast): https://www.endace.com/bluvector
• Cisco (Firepower and Stealthwatch products): https://www.endace.com/cisco
• Darktrace: https://www.endace.com/darktrace
• Dynatrace: https://www.endace.com/dynatrace
• Gigamon (Endace works with Gigamon Network Packet Brokers and SSL Decrypt): https://www.endace.com/gigamon
• IBM (QRadar): https://www.endace.com/ibm
• Idappcom (SNORT management solution that can run on EndaceProbes): https://www.endace.com/idappcom
• IXIA (packet brokers/SSL decrypt/high-frequency trading solution): https://www.endace.com/ixia
• Palo Alto Networks: https://www.endace.com/palo-alto-networks
• Plixer: https://www.endace.com/plixer
• Splunk: https://www.endace.com/splunk.html

Darktrace Enterprise Immune System and the EndaceProbe Analytics Platform

Modeled on the human immune system, Darktrace’s technology is the world’s leading, enterprise-grade AI with thousands of customers worldwide.  Protecting corporate networks, cloud and virtualized environments, IoT and industrial control systems, Darktrace autonomously detects and fights back against emerging cyber-threats across the enterprise.

An AI system like Darktrace’s Enterprise Immune System intelligently makes cybersecurity decisions based on its understanding of the network, and what constitutes normal user behavior versus what is anomalous.  To do its job properly, Darktrace needs real-time access to packets, as fast as possible, without packet-loss – which makes the EndaceProbe an ideal platform on which to host the Darktrace sensors that analyze traffic to detect threats.

The partnership between Darktrace and Endace is a great example of the synergy of combining innovative security analytics solutions with the robust, high-performance EndaceProbe platform.

Organizations that already have EndaceProbes deployed on their networks can deploy Darktrace sensors quickly and easily without rolling out new hardware by hosting them on the EndaceProbes in their network. And for Darktrace customers looking to complement the Darktrace Enterprise Immune System with weeks or months of high-fidelity network history and scale their monitoring infrastructure to support fast, high-speed links and large traffic volumes, EndaceProbes, with their deep storage, ultra-reliability and massively scalable architecture provide an ideal hardware platform for hosting Darktrace sensors on – from the core of the network to remote office locations.

Signup Today for a Game-changing Live Demo

Catch a game-changing webinar and live demonstration, where AI Threat Detection Meets AI Threat Response to see this integration in action.  In this webinar, you’ll see how Endace and Darktace have joined forces to deliver real-time threat detection and autonomous response with definitive network evidence.

Darktrace can now be deployed and hosted on the EndaceProbe platform with full integration between Darktrace’s Threat Visualizer and the packet-level Network History recorded by EndaceProbes.  Register today and block Thursday, April 11^th at  9am US Pacific Time (noon Eastern Time, 5pm London Time) for this awesome demo.

Future Considerations

There is little doubt that a trend towards open infosec platforms featuring broad compatibility and offering virtualization capability is inevitable.  As always, it will be a dynamic process, with fast and fundamental changes coming at unexpected times.

The next time your organization evaluates the effectiveness and cost of your current infosec infrastructure, consider how deploying  a common hardware platform could:

• Enable you to tightly integrate your solutions for greater visibility and better productivity
• Increase the range of solutions available to you and give you the flexibility to evolve as needs change without ripping and replacing your underlying hardware infrastructure
• Allow you to reduce the cost of hardware, freeing up budget to extend monitoring to more areas of the network and to deploy new functionality to address existing gaps in capability
• Deploy new capability quickly without slow, costly hardware rollouts
• Reduce the cost and complexity of managing infrastructure by reducing the number of disparate hardware platforms you have to manage.

NOTE:  In case you missed reading the prior article on Packet Capture Technology in Cyber Defense Magazine, it can be accessed online at https://www.cybersecuritymediagroup.com/packet-capture-technology-is-critical-for-infosec-and-regulatory-compliance/

About the Author

Yan Ross, J.D., is a Cybersecurity Journalist & The Editor-at-Large for Cyber Defense Magazine.  He is an accredited author and educator and has provided editorial services for award-winning best-selling books on a variety of topics.  He also serves as ICFE’s Director of Special Projects, and the author of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® course.  As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, privacy, and cyber security for consumers and organizations holding sensitive personal information.  You can reach him via his e-mail address at [email protected]