
The Value of PCAP in Firewall Investigations


The reality of PCAPs (packet captures) is that they are time-consuming to create. Several laborious steps are involved:

  • Finding a platform that is in-path and capable of hosting a PCAP tool (if there even is one)
  • Executing the PCAP
  • Moving the file to a system where it can be analyzed; these files can be very large. This may involve the extra step of deploying SFTP- or SCP-capable applications on both sides of the transfer

The net result of all this overhead is that typically I don't use them unless there is no other option. It was transformative in the Black Hat USA 2025 NOC to be able to take any observable that correlates to a system and simply right-click it from the Firepower Management Center (FMC) using the 'Endace PCAP Pivot' option, landing in a richly featured packet analysis platform that includes a Wireshark integration. The net result is that I used packet-level analysis 99% more often, to huge effect, in my SOC analyst investigations.

“I used packet-level analysis 99% more often, to huge effect, in my SOC analyst investigations.”

Fig. 1: Packet-level analysis

This workflow gave me immediate access to the exact packet-level data related to the observable. Instead of relying solely on metadata or logs, I can view the definitive network traffic, including payloads, timestamps, and session details, which gives comprehensive context for my investigations. This direct pivot accelerates my workflow by eliminating manual correlation steps and reducing the time it takes to validate threats through more indirect means.
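The pivot described above, done by hand over a raw capture, as an added example (this is not Cisco, Endace or Wireshark code): a minimal reader for the classic libpcap format that, given an IPv4 observable, returns the sessions it took part in with first/last timestamps, packet counts and payload bytes, and carves those records into a smaller pcap, which is the file you would move off a capture host instead of the whole capture (the transfer problem from the list at the top). Every address, port, MAC and payload is constructed, and the decoder deliberately handles only Ethernet/IPv4 with TCP or UDP; VLAN-tagged frames, IPv6 and fragments are skipped rather than guessed at.

```python
"""Pivot from an IPv4 observable to the packets that involve it (sessions, first/last
timestamps, packet counts, payload bytes) straight out of a classic libpcap file, and
carve those records into a smaller pcap. Added example, not Cisco, Endace or Wireshark
code; the capture at the bottom is constructed in memory so the script runs offline."""
import socket
import struct
from collections import defaultdict

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1   # classic pcap, microsecond timestamps
IPPROTO_TCP, IPPROTO_UDP = 6, 17

def build_frame(src_ip, dst_ip, proto, l4):
    """Ethernet + IPv4 in front of an L4 segment. Constructed MACs; IPv4 checksum left 0."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64,
                     proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4

def tcp_segment(sport, dport, flags, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + payload

def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def write_pcap(records):
    """records: iterable of (ts_sec, ts_usec, frame) -> little-endian pcap file bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def read_pcap(data):
    """Yield (ts_sec, ts_usec, frame) per record, honouring the file's byte order."""
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    if struct.unpack_from(endian + "IHHiIII", data, 0)[6] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type; only Ethernet frames are decoded here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated record (capture cut short?)")
        off += 16 + incl_len
        yield sec, usec, frame

def decode(frame):
    """Ethernet/IPv4/{TCP,UDP} -> dict, or None for anything else (ARP, IPv6, ICMP...)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:14 + struct.unpack_from("!H", frame, 16)[0]]   # total length drops padding
    proto, l4 = ip[9], ip[(ip[0] & 0x0F) * 4:]
    if proto == IPPROTO_TCP and len(l4) >= 20:
        payload = l4[(l4[12] >> 4) * 4:]       # honour TCP data offset (options)
    elif proto == IPPROTO_UDP and len(l4) >= 8:
        payload = l4[8:]
    else:
        return None
    sport, dport = struct.unpack_from("!HH", l4, 0)
    return {"proto": proto, "src": socket.inet_ntoa(ip[12:16]), "sport": sport,
            "dst": socket.inet_ntoa(ip[16:20]), "dport": dport, "payload": payload}

def pivot(pcap_bytes, observable):
    """Every session touching `observable`, keyed direction-agnostically."""
    sessions = defaultdict(lambda: {"first": None, "last": None, "packets": 0, "payload": b""})
    for sec, usec, frame in read_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt is None or observable not in (pkt["src"], pkt["dst"]):
            continue
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        s, ts = sessions[(pkt["proto"], ends[0], ends[1])], sec + usec / 1e6
        s["first"] = ts if s["first"] is None else s["first"]
        s["last"], s["packets"] = ts, s["packets"] + 1
        s["payload"] += pkt["payload"]
    return dict(sessions)

def carve(pcap_bytes, observable):
    """A new pcap holding only records that involve `observable`: the file to move off
    the capture host instead of the whole capture."""
    return write_pcap([(sec, usec, frame) for sec, usec, frame in read_pcap(pcap_bytes)
                       if (pkt := decode(frame)) and observable in (pkt["src"], pkt["dst"])])

# Constructed capture: the observable host does a DNS lookup and an HTTP request; an
# unrelated host sends one SYN. RFC 1918 and documentation addresses, invented payloads.
T0 = 1754500000
HOST, WEB, DNS, OTHER = "10.20.30.40", "198.51.100.7", "192.0.2.53", "10.20.30.99"
SAMPLE_PCAP = write_pcap([
    (T0, 100, build_frame(HOST, DNS, IPPROTO_UDP, udp_datagram(53111, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),
    (T0, 2500, build_frame(DNS, HOST, IPPROTO_UDP, udp_datagram(53, 53111, b"\x12\x34\x81\x80" + b"\x00" * 8))),
    (T0, 9000, build_frame(HOST, WEB, IPPROTO_TCP, tcp_segment(51500, 80, 0x02))),          # SYN
    (T0, 9400, build_frame(WEB, HOST, IPPROTO_TCP, tcp_segment(80, 51500, 0x12))),          # SYN/ACK
    (T0, 9800, build_frame(HOST, WEB, IPPROTO_TCP, tcp_segment(51500, 80, 0x18,
                           b"GET /update.bin HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"))),    # PSH/ACK
    (T0 + 1, 0, build_frame(OTHER, WEB, IPPROTO_TCP, tcp_segment(40000, 80, 0x02))),
])
if __name__ == "__main__":
    for (proto, a, b), s in pivot(SAMPLE_PCAP, HOST).items():
        print(f"{'tcp' if proto == IPPROTO_TCP else 'udp'} {a[0]}:{a[1]} <-> {b[0]}:{b[1]}  "
              f"{s['packets']} pkts  {s['first']:.6f}..{s['last']:.6f}  {s['payload'][:40]!r}")
    print(f"carved {len(carve(SAMPLE_PCAP, HOST))} of {len(SAMPLE_PCAP)} bytes")
```

Run stand-alone it prints the two sessions the observable took part in (the DNS exchange and the HTTP request, with their first and last timestamps and payload bytes) and how much smaller the carved file is than the full capture; the unrelated host's SYN is excluded. With the standard tools the same carve is `tcpdump -r full.pcap -w host.pcap host 10.20.30.40`, and the session view is what Wireshark's conversation list or `tshark -z conv,tcp` gives you; the point of the integration described in this post is that neither step has to be done by hand. Note that the reader refuses pcapng and non-Ethernet captures rather than misparsing them, which is the failure mode you hit when a capture was taken on a tunnel or loopback interface.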

Once I have pivoted to Endace Vision from the FMC, I gain the ability to perform back-in-time forensic analysis on the captured network traffic associated with the observable, moving in one click into a high-level traffic composition analysis. There is further analysis available here, but this is the Endace Vision aspect that is relevant to this investigation.

Fig. 2: Endace Vision in the FMC

This means I can reconstruct the full sequence of events leading up to, during, and after the alert, uncovering hidden attack vectors that might not be evident from alert data alone. The integration also supports real-time and historical traffic analysis, allowing me to correlate live threat intelligence with past network activity. This holistic view enhances my threat hunting and incident response capabilities, enabling more accurate root cause analysis and ultimately faster containment of security incidents.

Pivoting from FMC to Endace Vision streamlines my SOC workflows by tightly coupling alerting and evidence collection within a single operational environment. A single click allowed me to pivot into a Wireshark packet-level analysis for my investigation.

Fig. 3: Pivot into Wireshark

I could drill down from high-level alerts in the Firepower Management Center directly into Endace Vision's packet-level interface without switching tools. This seamless transition reduces operational friction, allowing me to respond to threats with an immediacy that is not available without it. The integration also supports automated workflows and enriches alert data with definitive packet evidence, improving the overall efficacy of my security investigations; enabling detailed packet analysis took moments, not hours.

Fig. 4: Firewall Management Center

I look forward to using this capability in other Security Operations Centers. Check out my blog series on other SOC work.

Black Hat is the cybersecurity industry's most established and in-depth security event series. Founded in 1997, these annual, multi-day events provide attendees with the latest in cybersecurity research, development, and trends. Driven by the needs of the community, Black Hat events showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, attendees can find Black Hat events in the United States, Canada, Europe, Middle East and Africa, and Asia. For more information, please visit the Black Hat website.

