
SANS WhatWorks: ExtraHop Reveal(x) for Security & IT Ops Integration

How to get IT Operations, Application, and Security teams on the same page

Something irregular happens on your network. Say there's a bunch of files being transferred all at once. Which teams would care?

The security team might want to know whether an impatient attacker was trying to make off with sensitive data. The application developers might have pushed new code with an unintended side effect. The operations team might be worried about the impact on network bandwidth and application performance.

The sad news is that an abnormality on the network might concern any of these teams, yet most of the time none of them would notice it. ExtraHop Reveal(x) surfaces abnormal network behavior in a form every team can see and understand, extracting the Layer 7 application details that mean something to people: users, file names, methods, and errors.

Mitch Roberson is the director of enterprise systems at Curo Financial, a company with 400 retail locations that serves under-banked customers with loans and financial services. He says that Curo grew quickly from a very small company to a very large one, and that things were pretty messy. "When I got here, there were a lot of things that people couldn't answer for me about how things worked. So I started pushing for visibility into the environment pretty early."

SANS director John Pescatore interviewed Roberson recently in a SANS WhatWorks case study about how Curo deployed Reveal(x) to gain detailed and timely insight into security and performance issues in a single platform. The solution also helped promote cross-departmental collaboration. "We operate under the premise that we can't be siloed anymore," says Roberson.

At Curo, each team uses Reveal(x) for their own unique purposes:

  • The Security team monitors and investigates behavioral threats. Reveal(x) not only detects threats but also provides analysts with context to evaluate the detections and investigate the root cause.
  • The IT and Network Operations teams can measure the impact of changes, allowing them to target and disable services using vulnerable protocols (such as SMB1) without causing outages. "I've got over 100 different scenarios where we've made changes just based on the data that we've pulled out of Reveal(x) over the past year to 18 months," says Roberson.
  • The Application teams can easily see how their new code affects performance in the production environment and identify where performance can be tuned.

To learn more, download the SANS WhatWorks case study or watch the on-demand webinar.
