Zero Trust: ExtraHop IDS for Enhanced Government Security

By the end of government fiscal year 2024, all U.S. civilian government agencies must adopt CISA’s Zero Trust Maturity Model as a part of White House directive M-22-09. To help agencies meet this directive, ExtraHop released a new IDS module for Reveal(x), its network detection and response platform. ExtraHop IDS is designed to address the unique security requirements of U.S. government agencies and support a zero trust security architecture.

Verify and Manage Information Access

Due to the sensitive nature of government data, agencies have historically opted for on-premises solutions. In recent years, however, these agencies have been pushed to prioritize and adopt cloud-based solutions. As a result, many agencies still deploy sensors that have limited cloud access or are disconnected entirely, which makes it harder for security analysts to manage and update them with rules for detecting new malware.

Agencies are also moving toward more decentralized environments, where employees and contractors can access information that may originate from outside traditional federal agency perimeters. While legacy intrusion prevention systems (IPS) have had their place in defending against certain attacks, it only takes one breach to cause major damage.

These factors increase agencies’ attack surfaces and complicate their ability to maintain a strong security posture. ExtraHop IDS provides government customers with expanded detection coverage of known threats so analysts can see every device, user, and asset on the network. With the 9.3 release of Reveal(x), our new modules come with specific role-based data access controls—NDR, NPM, IDS, and Packet Forensics.

Our flexible deployment options include both virtual and physical on-premises sensors for agencies with restricted cloud access or isolated networks. The physical sensors also come preloaded with tens of thousands of curated rules from trusted sources including the ETPro ruleset and are updated daily. The ExtraHop REST API can be configured to upload resources to disconnected sensors, providing additional support to government agencies with restricted cloud access.

How ExtraHop IDS Accelerates Zero Trust

An essential tenet of zero trust is the ability to inspect and analyze logged network traffic at the packet level. As attack surfaces continue to expand, leaning on IPS to prevent attacks will not be enough. Organizations need to be able to analyze both north-south and east-west network traffic at scale. Traditional IDS solutions have limited decryption capabilities and can miss critical detections. These products also struggle to identify new and evolving threats because they must maintain, review and manually update signature rulesets.

ExtraHop IDS can accelerate zero trust adoption by harnessing network data and tens of thousands of high-fidelity network signatures. Analysts can validate policy enforcement by monitoring and safeguarding network traffic—both east-west and north-south traffic—with enhanced decryption capabilities.

Along with network data, government agencies need the ability to search for and identify connections that might have malicious intent. By deploying ExtraHop IDS, analysts gain complete coverage for known malware, command-and-control communications, botnets, communication with drive-by sites, and other advanced threats. When new vulnerabilities emerge, analysts can update rules within minutes of being published through the API workflow.

An integrated approach with IDS as part of the Reveal(x) NDR platform provides deeper coverage and a seamless experience for civilian government agencies to implement zero trust initiatives faster and better defend IT environments from future attacks.

The latest release of Reveal(x) also includes native integration with the CrowdStrike Falcon LogScale observability and log management solution. Customers using both Reveal(x) and Falcon can respond quicker to advanced threats with enhanced precision.

ExtraHop was also named a Leader in the inaugural Forrester Wave™: Network Analysis and Visibility, Q2 2023. According to the report, ExtraHop has the largest market presence among the leaders.