
What's Under The Hood of Reveal(x) Summer 2018

Eliminate darkspace with unprecedented visibility, definitive insights, and immediate answers

Today we announced the Summer 2018 release of ExtraHop Reveal(x), our Network Traffic Analytics solution for enterprise security. Our focus with this release has been to provide SecOps teams with three things: unprecedented visibility, definitive insights, and immediate answers.

The new features and capabilities we're announcing today move us towards those goals in a big way, and allow our customers to gain access to the information they need quickly so they can act with confidence and resolve threats faster.

Let's Start with the Basics

Reveal(x) provides unprecedented visibility by auto-discovering every device using the network, decoding and analyzing 50+ enterprise protocols, decrypting TLS 1.3, and reconstructing every conversation from L2-L7, including transaction contents and access to full packets. This all happens in real time at a rate of 100 Gbps.

To get definitive insights from this data, our cloud machine learning engine develops a real-time understanding of what normal behavior looks like on each customer's network, then applies advanced behavioral analytics to detect threats and anomalous behavior. Each detection is mapped to the attack chain model, providing security analysts with a complete, step-by-step view of attacks in progress.

For immediate answers about the exact details of what's happening, Reveal(x) provides one-click access to transaction details or full, decrypted packets, enabling analysts to pursue a real-time forensic deep dive.

Yeah, Yeah... Get to the New Features!

The new features in the Summer 2018 release are incredibly exciting, so let's dive in!

Session Key Logging for Role-Based Access to Decrypted Packets

This was a hard feature to name, but an easy one to get excited about. A new role is available for Reveal(x) users that allows them to download a precisely targeted set of packets and the session keys to decrypt only those packets. This is available in real time, so analysts in the midst of an investigation with a short SLA can gain forensic evidence even if the conversations were encrypted using TLS 1.3 with forward secrecy. What used to take hours or days, if it was possible at all, now takes minutes.
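The idea behind this feature, releasing only the keys for the sessions an analyst is authorized to inspect, can be illustrated with a small key-log filter. This is an added example, not ExtraHop code, and it assumes the session keys are exported in the NSS key log format that Wireshark reads (one record per line: label, 64-hex-character client random, secret); the key material below is constructed, not real.

```python
"""Release only the TLS session keys needed for a targeted set of sessions.

Added example (not ExtraHop's implementation). Assumes the NSS key log format:
    LABEL <client_random hex> <secret hex>
TLS 1.3 sessions carry several labelled secrets per client random; TLS 1.2
sessions carry a single CLIENT_RANDOM record.
"""
import re

KEYLOG_LINE = re.compile(
    r"^(?P<label>[A-Z0-9_]+) (?P<client_random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$"
)

TLS13_LABELS = (
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0",
)


def _hex(byte, n=32):
    """Constructed hex string made of n repetitions of one byte."""
    return f"{byte:02x}" * n


def build_sample_keylog():
    """Constructed key log: two TLS 1.3 sessions and one TLS 1.2 session."""
    lines = ["# constructed sample; not real key material"]
    for cr_byte in (0x11, 0x22):
        for label in TLS13_LABELS:
            lines.append(f"{label} {_hex(cr_byte)} {_hex(cr_byte ^ 0xFF, 48)}")
    lines.append(f"CLIENT_RANDOM {_hex(0x33)} {_hex(0xCC, 48)}")
    return "\n".join(lines) + "\n"


def parse_keylog(text):
    """Parse key log text into (label, client_random, secret) tuples; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a key log record")
        entries.append((m["label"], m["client_random"].lower(), m["secret"].lower()))
    return entries


def select_session_keys(entries, targeted_client_randoms):
    """Keep only records whose client random belongs to a targeted session.

    The client random is visible in the ClientHello of each captured session,
    so the set of targeted packets determines exactly which keys are released.
    """
    wanted = {cr.lower() for cr in targeted_client_randoms}
    return [e for e in entries if e[1] in wanted]


def format_keylog(entries):
    """Serialize records back into key log text for the analyst's download."""
    return "".join(f"{label} {cr} {secret}\n" for label, cr, secret in entries)


if __name__ == "__main__":
    all_keys = parse_keylog(build_sample_keylog())
    released = select_session_keys(all_keys, [_hex(0x11)])
    print(f"{len(released)} of {len(all_keys)} records released")
    print(format_keylog(released), end="")
```

Keys for the two untargeted sessions never leave the system, which is what makes the decrypted-packet role safe to grant narrowly.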

[Screenshot: Session Key Logging]

Threat Intelligence Integration

Reveal(x) can now ingest structured threat data in the form of STIX files, and use that data to provide richer contextual information about every device on the network. After a user uploads threat intelligence data, Reveal(x) will know if any hosts, IP addresses, or URIs from the threat data are seen communicating on the customer's network. These indicators of compromise (IOCs) are annotated with a red security camera icon that users can click to learn what threat feed the item was flagged on, and any other available details about it. This instant access to threat context within the Reveal(x) interface enables analysts to quickly understand the full scope of a threat.
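To show what matching STIX indicators against observed traffic involves, here is an added example that is not ExtraHop's code. It assumes STIX 2 JSON bundles whose indicator objects carry patterns such as `[ipv4-addr:value = '...']`, extracts only the equality comparisons for IPv4 addresses, domain names and URLs, and checks them against constructed flow records with the fields `client_ip`, `server_ip`, `server_name` and `uri` (both the bundle and the flows are constructed sample data).

```python
"""Match IOCs from a STIX 2 bundle against observed network flows.

Added example (not ExtraHop's implementation). Only equality comparisons on
ipv4-addr, domain-name and url observables are extracted; other pattern
forms (hashes, negations, ranges) are ignored here.
"""
import json
import re

OBSERVABLE = re.compile(r"(ipv4-addr|domain-name|url):value\s*=\s*'([^']*)'")

# Constructed STIX 2 bundle; the ids and values are not from any real feed.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "name": "constructed C2 address",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "name": "constructed phishing domain",
         "pattern": "[domain-name:value = 'login.example.invalid']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "name": "constructed payload URL",
         "pattern": "[url:value = 'http://203.0.113.9/update.bin']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "name": "constructed compound indicator",
         "pattern": "[ipv4-addr:value = '203.0.113.9' OR domain-name:value = 'cdn.example.invalid']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "not an indicator, skipped"},
    ],
})

# Constructed flow records as a sensor might summarize them.
SAMPLE_FLOWS = [
    {"client_ip": "10.0.0.5", "server_ip": "198.51.100.23", "server_name": None, "uri": None},
    {"client_ip": "10.0.0.7", "server_ip": "192.0.2.10", "server_name": "LOGIN.example.invalid", "uri": None},
    {"client_ip": "10.0.0.9", "server_ip": "203.0.113.9", "server_name": None,
     "uri": "http://203.0.113.9/update.bin"},
    {"client_ip": "10.0.0.11", "server_ip": "192.0.2.20", "server_name": "www.example.invalid", "uri": None},
]


def _norm(kind, value):
    """Domain names compare case-insensitively; IPs and URLs compare as given."""
    return value.lower() if kind == "domain-name" else value


def extract_iocs(bundle_text):
    """Return {(kind, value): indicator_id} for every equality comparison in each indicator."""
    bundle = json.loads(bundle_text)
    iocs = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for kind, value in OBSERVABLE.findall(obj.get("pattern", "")):
            iocs[(kind, _norm(kind, value))] = obj["id"]
    return iocs


def observables_from_flow(flow):
    """Yield the (kind, value) observables a single flow record exposes."""
    yield ("ipv4-addr", flow["client_ip"])
    yield ("ipv4-addr", flow["server_ip"])
    if flow.get("server_name"):
        yield ("domain-name", flow["server_name"])
    if flow.get("uri"):
        yield ("url", flow["uri"])


def match_flows(iocs, flows):
    """Annotate each flow observable that appears in the IOC set with its indicator id."""
    hits = []
    for index, flow in enumerate(flows):
        for kind, value in observables_from_flow(flow):
            indicator = iocs.get((kind, _norm(kind, value)))
            if indicator:
                hits.append({"flow": index, "type": kind, "value": value, "indicator": indicator})
    return hits


if __name__ == "__main__":
    for hit in match_flows(extract_iocs(SAMPLE_BUNDLE), SAMPLE_FLOWS):
        print(f"flow {hit['flow']}: {hit['type']} {hit['value']} matches {hit['indicator']}")
```

Each hit keeps the indicator id so the UI can link the flagged device back to the feed entry, which is the "click to learn what threat feed the item was flagged on" behaviour described above.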

[Screenshot: Threat Intelligence Details]

Risk Scoring

All detections from the Reveal(x) cloud machine learning engine are now labelled with a risk score to assist analysts in prioritizing which to investigate first. Risk scores range from 1-99 and appear in a yellow, orange, or red triangle next to detection details displayed anywhere in the UI. We know many teams are plagued with alert fatigue and forced to decide, or guess based on little info, which alerts to follow up on. Risk Scoring is just one more way we're trying to make it easier for analysts to prioritize their efforts and respond with confidence.

[Screenshot: Anomaly Risk Score]

Detection Markers on Charts Everywhere

Too often, SecOps teams receive an alert from one detection tool, and are forced to use one or more other tools to get contextual info about it.

With Detection Markers on Charts Everywhere, we're putting detection details in the exact place analysts need them. Being able to compare charts with metrics across different protocols, timeframes, and other axes helps analysts get a more complete understanding of the context and reach of a threat.

[Screenshot: Detection Markers]

Security Overview Page, a.k.a. Morning Headlines

With Reveal(x) Summer 2018, we're introducing a new page in the interface that rolls up all the most important, actionable information from across your network into a single screen. If there are any detections to display, the overview page shows:

  • Assets with Detections, in descending order by Risk Score
  • Signal metrics, a set of metrics that have exhibited high degrees of change in the currently selected time window compared to the previous time window of the same length
  • A live activity map showing protocol activity that cycles through several highly security-relevant protocols
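The signal metrics idea (metrics whose value in the current window differs sharply from the previous window of the same length) can be illustrated with a small ranking routine. This is an added example, not ExtraHop's algorithm: the post does not say which statistic Reveal(x) uses, so the relative change in window totals, the 0.5 threshold and the one-minute metric samples below are all assumptions, and the sample data is constructed.

```python
"""Rank metrics by how much they changed between two adjacent time windows.

Added example (not ExtraHop's implementation). Change is measured as the
relative difference between the totals of the current window and the previous
window of equal length; a metric that was silent before and is active now is
reported as an unbounded change.
"""


def build_samples():
    """Constructed one-minute samples over 20 minutes: (metric, timestamp_s, value)."""
    samples = []
    for i in range(20):
        ts = 60 * i
        current = i >= 10  # minutes 10..19 form the current window
        samples.append(("smb_writes", ts, 40.0 if current else 10.0))      # quadrupled
        samples.append(("ldap_binds", ts, 5.0))                            # steady
        samples.append(("http_requests", ts, 30.0 if current else 100.0))  # dropped 70%
        if current:
            samples.append(("dns_nxdomain", ts, 8.0))                      # newly appeared
    return samples


def window_totals(samples, start, end):
    """Sum each metric over samples with start <= timestamp < end."""
    totals = {}
    for metric, ts, value in samples:
        if start <= ts < end:
            totals[metric] = totals.get(metric, 0.0) + value
    return totals


def signal_metrics(samples, now, window_len, min_change=0.5):
    """Return metrics whose relative change exceeds min_change, largest change first."""
    current = window_totals(samples, now - window_len, now)
    previous = window_totals(samples, now - 2 * window_len, now - window_len)
    results = []
    for metric in set(current) | set(previous):
        c, p = current.get(metric, 0.0), previous.get(metric, 0.0)
        if p == 0.0:
            change = float("inf") if c > 0 else 0.0  # activity where there was none
        else:
            change = (c - p) / p
        if abs(change) >= min_change:
            results.append({"metric": metric, "previous": p, "current": c, "change": change})
    results.sort(key=lambda r: abs(r["change"]), reverse=True)
    return results


if __name__ == "__main__":
    for row in signal_metrics(build_samples(), now=1200, window_len=600):
        print(f"{row['metric']:14} {row['previous']:8.1f} -> {row['current']:8.1f}  change {row['change']:+.2f}")
```

Ranking by absolute change surfaces both surges and sudden drops, since a service going quiet can be as much of a signal as one lighting up.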

If there are no detections, the Overview Page shows a Live Activity Map displaying activity on security-relevant protocols such as SSL, SMB/CIFS, LDAP, and more. As soon as any detections are created, the overview page automatically transitions to display them.

[Screenshot: Security Overview Page]

Thanks for reading about our new release! To try Reveal(x) for yourself, check out our online live demo. Since we've been focused on delivering a great experience in the product itself, some of the features mentioned here may not have made it into the demo yet, but you can still get a great taste of the unprecedented visibility, definitive insights, and immediate answers Reveal(x) can deliver. Launch the demo now!
