Cool technology only takes one so far. The real test is how well it delivers in the real world. We are very proud to be chosen by Enterprise Management Associates as a Top 3 Winner in 6 different use case categories for its new "Security Analytics for Threat Detection and Breach Resolution in 2019" report.
A year ago, I joined ExtraHop as we were prepping to release Reveal(x), which optimized 11 years of technology and 4 years of machine learning for the Security Operations Center (SOC). Since then, 4 significant feature releases, continuous updates to our machine learning models and detection engines, and a half dozen partner-native integrations have rounded out our enterprise-leading status in network traffic analysis. EMA's recognition spans many different areas of security operations, emphasizing how valuable Reveal(x) can be in upgrading visibility, detection, and investigation efficiency while replacing legacy tools that contribute to friction.
Here are the 6 use cases EMA chose us for based on last summer's feature set, and some of the reasons we are leading the pack.
Asset Classification and Inventory
ExtraHop invented real-time asset discovery and auto-classification using only network traffic. Unlike active scanners or CMDBs, we passively and continuously monitor for new devices communicating over the network. We then determine their role and asset value based on what they are actually doing, using details observed on the wire rather than self-reported by the host: which devices they talk to, over which protocols, and how frequently.
Our Winter 2019 release expands the range of devices and users we can characterize and the detail we surface, and includes device-user mapping that is always current. This helps with rogue devices, active investigations, and user, asset, and application relationship mapping. For instance, if you are a threat hunter exploring a suspicious event, it's ideal to know with certainty who is using a device and where an attacker could navigate if a system or credential is compromised.
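To make the idea concrete, here is an added example (not ExtraHop code, and not how Reveal(x) is implemented) that infers device roles and a rough criticality tier from passively observed flow records, and answers the threat-hunter question "who was on this device at this time" from observed authentication events. The flow records, authentication events, port-to-role table and the `10.0.0.0/8` "internal" convention are all constructed assumptions for the example:

```python
from collections import defaultdict

# Constructed flow records for this example:
# (client_ip, server_ip, proto, server_port, connection_count)
FLOWS = [
    ("10.0.1.5", "10.0.0.10", "udp", 53, 1200),
    ("10.0.1.6", "10.0.0.10", "udp", 53, 900),
    ("10.0.1.7", "10.0.0.10", "udp", 53, 1100),
    ("10.0.0.40", "10.0.0.10", "udp", 53, 300),
    ("10.0.1.5", "10.0.0.20", "tcp", 445, 300),
    ("10.0.1.6", "10.0.0.20", "tcp", 445, 250),
    ("10.0.1.7", "10.0.0.20", "tcp", 445, 400),
    ("10.0.0.40", "10.0.0.30", "tcp", 1433, 9000),
    ("10.0.1.9", "10.0.0.30", "tcp", 1433, 1),
    ("10.0.1.5", "10.0.0.40", "tcp", 443, 120),
    ("10.0.1.6", "10.0.0.40", "tcp", 443, 150),
    ("10.0.1.7", "10.0.0.40", "tcp", 443, 90),
    ("10.0.1.5", "93.184.216.34", "tcp", 443, 80),
]

# Assumed server-port -> role table. A wire-data classifier would key on the
# parsed L7 protocol rather than the port number alone; ports keep the example short.
PORT_ROLES = {53: "dns_server", 88: "domain_controller", 389: "domain_controller",
              445: "file_server", 1433: "database", 3389: "rdp_host", 443: "web_server"}


def is_internal(ip):
    return ip.startswith("10.")  # assumption: the example's address plan is 10.0.0.0/8


def classify_devices(flows, min_clients=2):
    """Role = the services a host is *observed serving* to at least min_clients
    distinct peers; hosts that only initiate connections are workstations."""
    served = defaultdict(lambda: defaultdict(set))  # server ip -> port -> {client ips}
    initiated = defaultdict(set)                    # client ip -> {server ips}
    for client, server, _proto, port, _count in flows:
        served[server][port].add(client)
        initiated[client].add(server)
    devices = {}
    for ip in set(served) | set(initiated):
        clients = set().union(*served[ip].values()) if served[ip] else set()
        if not is_internal(ip):
            roles = ["external"]
        else:
            roles = sorted({PORT_ROLES[p] for p, c in served[ip].items()
                            if p in PORT_ROLES and len(c) >= min_clients}) or ["workstation"]
        devices[ip] = {
            "roles": roles,
            "fan_in": len(clients),                       # distinct peers depending on this host
            "talks_to": sorted(initiated[ip]),            # where an attacker on it could go next
            "external_egress": any(not is_internal(d) for d in initiated[ip]),
        }
    return devices


def criticality(device):
    """Rough asset value: role-based first, then by how many peers depend on the host."""
    if set(device["roles"]) & {"domain_controller", "database"}:
        return "high"
    if device["fan_in"] >= 3:
        return "medium"
    return "low"


# Constructed authentication observations (ts_seconds, user, device_ip), as a
# sensor would record them from e.g. Kerberos AS-REQ exchanges.
AUTH_EVENTS = [(100, "alice", "10.0.1.5"), (200, "bob", "10.0.1.6"), (300, "alice", "10.0.1.7")]


def user_on_device(events, device, at):
    """Most recent user seen authenticating from `device` at or before time `at`."""
    candidates = [(ts, user) for ts, user, dev in events if dev == device and ts <= at]
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    for ip, dev in sorted(classify_devices(FLOWS).items()):
        print(ip, dev["roles"], criticality(dev), "->", dev["talks_to"])
    print("10.0.1.7 at t=350:", user_on_device(AUTH_EVENTS, "10.0.1.7", 350))
```

The `talks_to` list is what makes the inventory useful during an investigation: once a workstation is suspected compromised, its observed peer set is the first approximation of the attacker's reachable next hops, and `user_on_device` turns an IP address into a person at a given point in time.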
Early Breach Detection
ExtraHop excels at continuous visibility and real-time detection of known-bad, suspicious, and anomalous activity in East-West (internal) and cross-zone traffic. That traffic is a blind spot for many organizations, and it is exactly where internal reconnaissance, lateral movement, and actions on objectives take place.
Passive network sensors, which emit no traffic of their own and so cannot be seen or probed by an attacker, can also identify command and control, reconnaissance, and database exfiltration in North-South traffic. SOC teams gain real-time L2-L7 insight into traffic that would otherwise be limited to logs or flow records, or locked away in another team's tool silo. Our UI also enriches each detection and prompts next steps, moving the analyst directly from early breach detection into validation and investigation.
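As an added illustration of the East-West detection logic described above (this is example code, not ExtraHop's detection engine), the following detector flags a source host that starts reaching many internal destinations it has never spoken to before on administrative ports within a short window, the fan-out pattern that internal reconnaissance and lateral movement produce. The baseline peer set, the admin-port list, the `10.0.0.0/8` convention and the event records are constructed assumptions:

```python
from collections import defaultdict, deque

# Assumed "admin" services an attacker uses to move laterally: SSH, RPC/SMB, RDP, WinRM.
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}

# Constructed baseline: (src, dst, port) triples observed during a learning period.
BASELINE = {
    ("10.0.1.5", "10.0.0.20", 445),
    ("10.0.1.6", "10.0.0.20", 445),
    ("10.0.0.40", "10.0.0.30", 1433),
}

# Constructed connection events: (ts_seconds, src_ip, dst_ip, dst_port)
EVENTS = [
    (0, "10.0.1.5", "10.0.0.20", 445),     # routine file-share use, in baseline
    (5, "10.0.1.6", "10.0.0.20", 445),
    (60, "10.0.1.6", "10.0.1.7", 445),     # 10.0.1.6 starts sweeping its subnet
    (61, "10.0.1.6", "10.0.1.8", 445),
    (62, "10.0.1.6", "10.0.1.9", 3389),
    (63, "10.0.1.6", "10.0.1.10", 445),
    (64, "10.0.1.6", "10.0.1.11", 5985),
    (400, "10.0.1.5", "10.0.0.21", 445),   # a single new peer: normal, below threshold
]


def is_internal(ip):
    return ip.startswith("10.")  # assumption: the example's address plan is 10.0.0.0/8


def detect_fanout(events, baseline, window=120, threshold=4):
    """Alert once per source that reaches >= threshold distinct internal
    destinations on admin ports, outside its baseline, within `window` seconds."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) for new admin-port peers
    alerts, alerted = [], set()
    for ts, src, dst, port in sorted(events):
        if port not in ADMIN_PORTS or not is_internal(dst) or (src, dst, port) in baseline:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        new_peers = {d for _, d in q}
        if len(new_peers) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "start": q[0][0], "end": ts, "peers": sorted(new_peers)})
    return alerts


if __name__ == "__main__":
    for a in detect_fanout(EVENTS, BASELINE):
        print(f"{a['src']} reached {len(a['peers'])} new admin-port peers in "
              f"{a['end'] - a['start']}s: {a['peers']}")
```

The baseline is what keeps this quiet on a busy network: a backup server or vulnerability scanner that legitimately touches every host lands in `BASELINE` during learning and never trips the threshold, while a workstation that suddenly behaves like a scanner does.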
Encrypted Traffic Analysis
The report says, "Being able to get a high degree of confidence in the analysis at high-line speeds without impacting traffic latency is a boon for security and ITOps, keeping the two from being at odds, as they often seem to be." This space is one where many vendors are limited to L7 header analysis, and "Without the payload contents, they have to rely on the source and destination addresses, metadata they can glean, and the strength of their algorithms."
ExtraHop's real-time decryption and full-stream reassembly let companies extract the full insights from the wire. I also like the reference to security and IT working together. This efficiency is needed as we work to shorten the entire prevention, detection, investigation, response lifecycle.
Forensic Analysis Leveraging Packet Streams
Do you start with packets and reverse engineer insights, or can you leverage packets as needed to inform and reinforce confidence during an investigation? Most analysts lack packet analysis skills (and few really enjoy packet mining anyway). Modern tools like Reveal(x) make it much more desirable and practical to use packets as a resource for extracting information that can be analyzed and visualized for forensics, and referred to if and when needed.
EMA encourages "those investigating forensic packet stream analytics should delve into the metadata that is created and used, since there is some differentiation in this area." ExtraHop's visibility into encrypted data coupled with our transaction payload analysis extracts more than 4700 metadata/features for analysis. Rather than retrieving packets from cold storage, packets are linked to the data and can be accessed in one click.
Identifying Network Protocol Misuse/Abuse
L2-L7 analysis of standard and enterprise-approved protocols provides visibility into abuse, tunneling, unexpected encryption, and other misbehavior. With more than 50 different protocols analyzed, ExtraHop offers more ways to ensure your business doesn't succumb to a wily attacker's modern techniques. EMA calls out the importance of a secondary analytics layer behind the firewall, because this sort of advanced technique rides on traffic the firewall has already allowed through.
Signature-based anti-malware isn't effective when ransomware morphs so quickly. Our protocol visibility and real-time behavioral analysis let us detect ransomware by what it does on the network: reconnaissance, lateral movement, enumeration, and the encryption activity itself. When seconds count, high-fidelity real-time monitoring and alerting are crucial, and that is a core ExtraHop differentiator.
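Tunneling is the protocol-misuse case most worth a worked example. Below is an added detector (example code, not ExtraHop's) for data exfiltration over DNS, the classic abuse of a protocol every firewall lets through: it groups a client's queries by registered zone and flags a zone that receives many unique, long, high-entropy subdomains. The query set, the `.test` zone, the naive two-label zone split and all thresholds are constructed assumptions:

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of s: ~4.0 for random hex, under ~3 for ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def split_name(qname):
    """Naive split into (subdomain, registered zone = last two labels).
    A real implementation would use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


# Constructed queries: (client_ip, qname). Ordinary browsing from 10.0.1.5 ...
QUERIES = [("10.0.1.5", n) for n in
           ("www.example.com", "mail.example.com", "cdn.example.com", "login.example.com")]
QUERIES += [("10.0.1.5", f"img{i}.static.example.com") for i in range(20)]  # many short CDN labels, benign
# ... and a tunnel from 10.0.1.6 that packs 40 hex characters of data into each label.
QUERIES += [("10.0.1.6", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + ".exfil.test")
            for i in range(12)]


def detect_dns_tunnels(queries, min_unique=10, min_len=30, min_entropy=3.0):
    """Flag (client, zone) pairs whose subdomains look like encoded payload:
    many distinct labels that are both long and high-entropy."""
    seen = defaultdict(lambda: defaultdict(set))  # client -> zone -> {subdomains}
    for client, qname in queries:
        sub, zone = split_name(qname)
        seen[client][zone].add(sub)
    alerts = []
    for client, zones in seen.items():
        for zone, subs in zones.items():
            if len(subs) < min_unique:        # a handful of odd names is not a channel
                continue
            avg_len = sum(len(s) for s in subs) / len(subs)
            avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
            if avg_len >= min_len and avg_ent >= min_entropy:
                alerts.append({"client": client, "zone": zone, "unique_subdomains": len(subs),
                               "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)})
    return alerts


if __name__ == "__main__":
    for a in detect_dns_tunnels(QUERIES):
        print(a)
```

Requiring all three signals together (volume of unique names, length and entropy) is what separates a tunnel from a CDN: the constructed `img0..img19.static.example.com` series has plenty of unique labels but they are short and low-entropy, so it stays silent.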
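The encryption phase in particular has a distinctive wire signature on SMB: the same client reads a file, writes it back, and renames it to a new extension, over and over, at machine speed. The added example below (not ExtraHop code) detects that burst from file-operation records; the operation log, the `.locked` extension and the thresholds are constructed assumptions:

```python
import os.path
from collections import defaultdict, deque

# Constructed SMB file operations: (ts_seconds, client_ip, op, path, new_path_or_None)
OPS = [
    (0, "10.0.1.5", "READ", "reports/q1.docx", None),          # ordinary editing
    (2, "10.0.1.5", "WRITE", "reports/q1.docx", None),
    (3, "10.0.1.5", "RENAME", "reports/q1.docx", "reports/q1-final.docx"),
    (7, "10.0.1.5", "READ", "reports/old.txt", None),          # one extension change: not a burst
    (8, "10.0.1.5", "WRITE", "reports/old.txt", None),
    (9, "10.0.1.5", "RENAME", "reports/old.txt", "reports/old.bak"),
]
for i in range(25):  # 10.0.1.6 reads, overwrites and renames 25 files in 25 seconds
    p = f"finance/inv{i:03d}.xlsx"
    OPS += [(100 + i, "10.0.1.6", "READ", p, None),
            (100 + i, "10.0.1.6", "WRITE", p, None),
            (100 + i, "10.0.1.6", "RENAME", p, p + ".locked")]


def detect_encryption_burst(ops, window=60, min_files=20):
    """Alert once per client that, within `window` seconds, completes
    READ -> WRITE -> RENAME-to-a-new-extension on >= min_files files,
    all renamed to the *same* new extension."""
    touched = defaultdict(dict)  # client -> path -> {ops seen so far}
    recent = defaultdict(deque)  # client -> deque of (ts, path, new_ext)
    alerts, alerted = [], set()
    for ts, client, op, path, new_path in sorted(ops, key=lambda o: o[0]):
        if op in ("READ", "WRITE"):
            touched[client].setdefault(path, set()).add(op)
            continue
        if op != "RENAME" or new_path is None:
            continue
        old_ext, new_ext = os.path.splitext(path)[1], os.path.splitext(new_path)[1]
        if new_ext == old_ext or touched[client].get(path, set()) != {"READ", "WRITE"}:
            continue  # plain rename, or the file was not rewritten first
        q = recent[client]
        q.append((ts, path, new_ext))
        while ts - q[0][0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= min_files and len({e for _, _, e in q}) == 1 and client not in alerted:
            alerted.add(client)
            alerts.append({"client": client, "files": len(q), "extension": new_ext,
                           "first": q[0][0], "last": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_encryption_burst(OPS):
        print(f"{a['client']} rewrote {a['files']} files to {a['extension']} "
              f"in {a['last'] - a['first']}s")
```

Because the detector evaluates every rename as it arrives, the alert fires on the twentieth file rather than after the share is gone; in the constructed data that is 19 seconds into a burst that would otherwise run to completion. A real deployment would also pick up the surrounding enumeration (directory listings across many shares) and the lateral movement that precedes the burst.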