
Boost SOC Analyst Productivity with Reveal(x) Spring '19

Accelerated investigation, detection control, MITRE & OWASP links, & more

Today marks the Spring 2019 release of Reveal(x) and the ExtraHop performance platform (version 7.6, for those keeping track).

Since Reveal(x) first launched, we have been maniacally focused on building a network traffic analysis product that provides complete visibility, real-time detection of threats, and guided investigations to accelerate incident response and remediation. With the Spring 2019 release, we've focused on making all these capabilities easier to use and more accessible, especially for Tier 1 analysts. Every member of a SOC should be able to rise above the noise of data silos and alert overload and contribute more effectively to the mission of proactive, successful security without burning out.

Control Which Detections You See to Focus on What Matters

The security industry overall struggles with lost productivity and opportunity cost due to the flood of undifferentiated alerts emitted by many tools. Our critical assets, dynamic grouping, and full-spectrum detection help provide only the most meaningful detections and make them easy to understand and act upon. In addition to improving detection quality, we also know enterprise IT environments have unique characteristics that impact their priorities about what is important to investigate.

Detection Control

In that spirit, Reveal(x) now allows analysts to manage which detections appear in the feed, making it easier to focus on what's new, what's unknown, and what matters. These controls are fine-grained and can be applied to individual detections or to groups that share a variety of characteristics. Rules can be set to expire in timeframes from minutes to months.

Enabling the collaboration that makes a SOC effective, a new lightweight triage feature is available on each detection, allowing analysts to note directly in the detection card when a detection was seen and by whom. This feature is in addition to the ticketing integration already available. The detection feed can be sorted and filtered based on acknowledgement status to ensure that everyone looking at detections is well-informed and can prioritize their own activities efficiently. For more detail, see our post on What's New in 7.6 from our technical publications team.

Security Expertise & Attack Background Info Built Into Detections

Too often, security products flood the SOC with alerts without context. The analysts know something happened, but not what it was or why it might matter. The Spring 2019 release of Reveal(x) takes a big step to address this challenge.

MITRE-LLMNR Reference

Building on the guided investigations introduced in Winter 2019, Reveal(x) now features educational information about particular attack types within the detection card, as well as mitigation steps and pertinent links to vendor-neutral attack frameworks like OWASP and MITRE ATT&CK. This curated, detection-specific educational information lets the analyst stay within the console and get the benefit of third-party information about the attack.

Sharing PCAPs is Caring

Many tools, such as EDR and SIEM, can benefit from the data contained in packets to fully understand attack activities. That's why we use wire data for our analytics and provide the option to store packets. Now, other tools can tap into powerful and fast packet capture capabilities and take advantage of our unique ability to decrypt TLS 1.3 traffic for inspection out of band in real time. As of this release, packet captures can be requested via our REST API, along with session keys, including ephemeral keys for PFS traffic.

This feature does not lend itself to visualization, so here's a kitten.

This enables analysts to configure other tools to request packets in the event of a security detection, providing visibility and forensic evidence across the SOC. It also breaks down data silos and provides visibility into encrypted traffic at the exact time when it is most useful and relevant. For example, analysts could configure their Endpoint Detection and Response (EDR) or Security Orchestration, Automation, and Response (SOAR) to request packets to and from a particular device where a potential threat was detected during the exact time window in question, enabling instant investigation and keeping the relevant forensic details easily accessible.

Rapid, programmatic access to packets and session keys will become both more crucial and harder to come by as TLS 1.3 encryption adoption increases. In recent research by EMA, sponsored by ExtraHop, 88% of respondents said they either were already implementing TLS 1.3 for internal traffic, or would be within the next 12 months. 81% reported some level of concern about lost security visibility once TLS 1.3 is implemented. We're helping security teams get out ahead of this challenge by making our packet captures, and by extension our unique TLS 1.3 decryption capability, accessible via API.

For technical details about all these features and more new capabilities in Reveal(x), check out the blog post from our technical publications team or read the release notes.

To experience the power of Reveal(x) NTA yourself, try our online demo, now featuring a live red team vs. blue team scenario where you can track an attack from end to end: enter the interactive demo here.
