Over the course of my career, I've had the good fortune to gain first-hand security operations and incident response expertise. During my time in the operator's seat, I never really fully appreciated how valuable this experience was. Further, until I moved over to the vendor side, I never really appreciated how little most people really understand about day to day life in security operations and incident response.
As some of you may have noticed, I've been focused lately on serving the underserved. At the startup I co-founded (IDRRA), we are working to help small and medium-sized businesses in the areas of benchmarking and assessment. And on the vendor side, when I see a promising player with a lot to offer that just needs a little bit of my expertise, how can I not help?
That is why I agreed to advise ExtraHop. The team is bright, energetic, and intent on solving some real problems. The product is mature and robust. The leadership is competent and focused. By adding just a little bit of "security spice" to the recipe, ExtraHop is poised to become one of the leaders in security.
If you were to ask me to articulate the value of ExtraHop in one sentence, I would offer something like this: ExtraHop simplifies workflow around visibility, detection, investigation, and classification of enterprise data and assets. Further, because of its strong technology roots, ExtraHop has already solved what I would consider to be some of the harder problems in security. And that is something that I've been looking for in the security market for a long time.
Let's take a look at a few strategic needs in security operations and incident response that I've seen ExtraHop address quite well:
- Visibility: Most people jump right to detection when they start talking about security solutions. But it's important to remember that you can only detect that which you can see. And we aren't just talking about web and mail traffic here, but rather, all of it. DNS, Windows protocols, web applications, databases, and plenty of other sources that are critical to successfully monitoring an enterprise. There is no longer a need to acquire specialized equipment for each of these or to give up on having them entirely.
- Detection: Lots of products offer signature-based, behavioral-based, or analytics-based detection. But a product that offers all three, combined with the ability to reduce noise and prioritize events and alerts based on asset criticality and data sensitivity? That's refreshing and sorely needed.
- Investigation/Automated Investigation: Even the best alerts and events need to be investigated before their true nature can be understood. The last thing security professionals want to do is to jump between tools to make this happen. Having consolidated and efficient investigation functionality seamlessly integrated into the workflow is essential. Automating pieces of that investigation, where appropriate, makes it even better.
- Classification: How many ingress/egress gateways do you have? Are you sure about that number? How about wireless access points? Databases? Servers that allow SSH inbound? Expired certificates? The list of things you want to know about goes on and on. It can be several full-time jobs to keep after all of this in a dynamic enterprise environment. The fact that ExtraHop does all this automatically adds to the value it brings to an organization.
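To make the detection and classification points above concrete, here is an added example (my own illustration, not ExtraHop's code or any description of how its product works) of the two ideas in the list: ranking alerts by asset criticality and data sensitivity rather than by raw detection severity, and answering inventory questions like "which servers allow SSH inbound?" and "which certificates have expired?" from an asset classification. The asset inventory, the alerts, and the scoring formula are all constructed for the example; in practice the inventory would be populated from observed traffic, not typed in by hand.

```python
from collections import defaultdict
from datetime import date

# Constructed asset inventory (hypothetical hosts). criticality and sensitivity
# are 1-5 scales; roles, inbound ports and certificate expiry feed classification.
ASSETS = {
    "db-prod-01":  {"criticality": 5, "sensitivity": 5, "roles": {"database"},
                    "inbound_ports": {5432}, "cert_expiry": None},
    "web-prod-01": {"criticality": 4, "sensitivity": 3, "roles": {"web", "egress-gateway"},
                    "inbound_ports": {443, 22}, "cert_expiry": date(2024, 1, 15)},
    "vpn-gw-01":   {"criticality": 4, "sensitivity": 2, "roles": {"ingress-gateway"},
                    "inbound_ports": {443}, "cert_expiry": date(2026, 6, 1)},
    "dev-box-17":  {"criticality": 1, "sensitivity": 1, "roles": {"workstation"},
                    "inbound_ports": {22}, "cert_expiry": None},
}

# Constructed alerts: (timestamp, detection type, base severity 1-5, asset, description).
# Note the three identical signature hits on the dev box: noise that should collapse.
ALERTS = [
    ("2024-03-01T10:00:00", "signature",  3, "dev-box-17",  "known scanner user-agent"),
    ("2024-03-01T10:00:05", "signature",  3, "dev-box-17",  "known scanner user-agent"),
    ("2024-03-01T10:00:09", "signature",  3, "dev-box-17",  "known scanner user-agent"),
    ("2024-03-01T10:02:00", "behavioral", 3, "db-prod-01",  "unusual outbound volume"),
    ("2024-03-01T10:03:00", "analytics",  2, "web-prod-01", "new admin login source"),
]

# Assets the inventory has never seen get a medium weight so they are not silently dropped.
UNKNOWN_ASSET = {"criticality": 3, "sensitivity": 3, "roles": set(),
                 "inbound_ports": set(), "cert_expiry": None}


def score(base_severity, asset_name, assets):
    """Hypothetical weighting: detection severity scaled by how much the asset matters."""
    a = assets.get(asset_name, UNKNOWN_ASSET)
    return base_severity * (a["criticality"] + a["sensitivity"])


def prioritize(alerts, assets):
    """Collapse repeated identical alerts per asset, then rank by weighted score."""
    groups = defaultdict(lambda: {"count": 0})
    for ts, kind, sev, asset, desc in alerts:
        g = groups[(kind, asset, desc)]
        if g["count"] == 0:
            g.update(first_seen=ts, kind=kind, asset=asset, description=desc,
                     score=score(sev, asset, assets))
        g["count"] += 1
    # Highest score first; ties broken by which was seen earliest.
    return sorted(groups.values(), key=lambda g: (-g["score"], g["first_seen"]))


def classify(assets, today):
    """Answer the inventory questions from the list above using the asset classification."""
    return {
        "ingress_gateways": sorted(n for n, a in assets.items() if "ingress-gateway" in a["roles"]),
        "databases": sorted(n for n, a in assets.items() if "database" in a["roles"]),
        "ssh_inbound": sorted(n for n, a in assets.items() if 22 in a["inbound_ports"]),
        "expired_certs": sorted(n for n, a in assets.items()
                                if a["cert_expiry"] is not None and a["cert_expiry"] < today),
    }


if __name__ == "__main__":
    for g in prioritize(ALERTS, ASSETS):
        print(f'{g["score"]:3d}  x{g["count"]}  {g["asset"]:12s} {g["kind"]:10s} {g["description"]}')
    for question, answer in classify(ASSETS, date(2024, 3, 1)).items():
        print(f"{question}: {answer}")
```

The point the ranking makes is that the database alert with base severity 3 outranks the dev-box alert with the same base severity by a wide margin, and the severity-2 analytics alert on the production web server still lands above the dev-box noise; without the asset context all three would be queued by raw severity alone, and the three duplicate hits would be three tickets instead of one.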
There is no shortage of network security tools out there, that is for sure. All marketing and hype aside, it's rare that I see a tool with the promise and potential of ExtraHop. Although ExtraHop may be less familiar to you than some other products, I'd recommend giving it a look if you face any (or all) of the challenges I've listed above.