One of our customers is a multinational play and entertainment company. If you or your children have ever played a board game or watched an animated movie, you have more than likely been a consumer of this company's products. Here's how they use Reveal(x) network traffic analysis to dramatically reduce their attack surface, maintain good security hygiene, and proactively minimize risk!
The Original Plan
Our customer's investment in ExtraHop Reveal(x) was two-fold. First, they planned to use ExtraHop's industry-leading 4600+ data points to manage and clean up items in their infrastructure that were less than optimal. Some of the items they planned to tackle included:
- Fixing expired SSL certificates, and certificates using weak encryption, across all their business units
- Addressing poorly performing and suspicious DNS queries
- Authentication being performed across their WAN rather than on local servers
All of these items would allow them to significantly reduce their attack surface.
Additionally, they would be leveraging ExtraHop Reveal(x)'s cloud-powered machine learning to detect suspicious activity within the East-West corridor of their environments.
The Reveal(x) Solution
Being a large, multinational company means that much of their critical data (and the massive amount of intellectual property they need to protect) is shared across multiple data centers around the globe. The decision was made to deploy ExtraHop in three strategic locations, each scaling between 10Gbps and 25Gbps of network traffic, and together analyzing up to 645TB of raw data PER DAY in 3 single-rack-unit appliances!
Collecting this extreme amount of network traffic and analyzing it with an industry leading 50+ different protocols and 4600 different data points—as well as automatically classifying and categorizing every device across the network—allowed the security operations engineers to immediately get to work analyzing what was actually on the network so they could clean up the aforementioned items.
Additionally, they began focusing on the suspicious detections the system was alerting them to, utilizing ExtraHop's unmatched investigation workflow to go from a single anomalous detection to the actual transaction in a matter of clicks!
Prior to Reveal(x) being deployed, when the SOC team received a call about investigating permission changes or access to specific files on the network, their traditional workflow was to import access logs into their file security tool and locate the offending party. When a call came in for this scenario after Reveal(x) was implemented, the team started the log import process and, with a few minutes on their hands while waiting for the import to complete, decided to swing over to Reveal(x) to see if they could find the answer they were looking for.
After entering the file name into the Reveal(x) global search query, they immediately found the IPs and usernames that had accessed the file, and could also review the different SMB methods used, identifying not only who read or wrote to the file but who ultimately changed its permissions. They turned their attention back to their file security tool, and 10 minutes later, after all the logs had finished importing, they came to the same conclusion Reveal(x) had given them 10 minutes earlier!
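The question the team answered in Reveal(x) comes down to classifying the SMB2 commands seen on the wire for one file: READ and WRITE tell you who read or wrote it, while a SET_INFO whose InfoType is SMB2_0_INFO_SECURITY (0x03 in MS-SMB2) rewrites the security descriptor and is the permission change. The following added example is not ExtraHop's code; the transaction records and their field names are constructed for illustration, not a Reveal(x) schema.

```python
from collections import defaultdict

# MS-SMB2 SET_INFO InfoType value for the security descriptor (ACL/owner).
SMB2_INFO_SECURITY = 0x03

# Constructed sample transactions, roughly what a wire decoder emits.
# Field names are assumptions for this example only.
SAMPLE_TRANSACTIONS = [
    {"ts": "2019-05-01T09:00:01", "client": "10.1.4.22", "user": "CORP\\alice",
     "cmd": "READ", "path": "\\\\fs01\\finance\\q2_plan.xlsx"},
    {"ts": "2019-05-01T09:03:10", "client": "10.1.4.22", "user": "CORP\\alice",
     "cmd": "WRITE", "path": "\\\\fs01\\finance\\q2_plan.xlsx"},
    {"ts": "2019-05-01T09:15:42", "client": "10.1.7.9", "user": "CORP\\bob",
     "cmd": "SET_INFO", "info_type": SMB2_INFO_SECURITY,
     "path": "\\\\fs01\\finance\\q2_plan.xlsx"},
    {"ts": "2019-05-01T09:16:00", "client": "10.1.7.9", "user": "CORP\\bob",
     "cmd": "SET_INFO", "info_type": 0x01,  # file info (rename etc.), not an ACL change
     "path": "\\\\fs01\\finance\\q2_plan.xlsx"},
    {"ts": "2019-05-01T09:20:00", "client": "10.1.9.3", "user": "CORP\\carol",
     "cmd": "READ", "path": "\\\\fs01\\hr\\salaries.xlsx"},
]


def classify(txn):
    """Map one SMB2 command to the investigator's question about it."""
    cmd = txn["cmd"]
    if cmd == "READ":
        return "read"
    if cmd == "WRITE":
        return "wrote"
    if cmd == "SET_INFO" and txn.get("info_type") == SMB2_INFO_SECURITY:
        return "changed_permissions"
    return None  # CREATE, CLOSE and non-security SET_INFO are not tracked here


def who_touched(transactions, path):
    """Return {action: [(timestamp, client IP, user), ...]} for one share path.
    Paths are compared case-insensitively because SMB paths are."""
    result = defaultdict(list)
    for txn in transactions:
        if txn["path"].lower() != path.lower():
            continue
        action = classify(txn)
        if action:
            result[action].append((txn["ts"], txn["client"], txn["user"]))
    return dict(result)


if __name__ == "__main__":
    hits = who_touched(SAMPLE_TRANSACTIONS, "\\\\FS01\\finance\\q2_plan.xlsx")
    for action, rows in hits.items():
        for ts, ip, user in rows:
            print(f"{ts} {action:<20} {ip:<12} {user}")
```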
High-profile breaches keep security operations teams consistently focused on tools that merely detect items of concern, and which often require time-consuming manual investigation to determine whether or not those items are serious threats. This has led to the alert fatigue and missed security events that have dominated news cycles.
Taking a different approach of hygiene first and reducing the attack surface helps our customers proactively minimize their risk. Follow that up with high-fidelity detections and the ability to investigate in the same tool by utilizing the 4600 data points that Reveal(x) surfaces out of the box, and security operations teams can save time as well as gain a far deeper understanding of the context of a detection or event.
Watch this 3-minute video to see the Reveal(x) investigation workflow for yourself: