back caretBlog

Response Automation with Reveal(x)

How to automate incident response based on the type of threat

"You can only automate what you're certain about, and there is still an enormous amount of uncertainty in cybersecurity." - Bruce Schneier

In the video below, I explain the Spectrum of Response and how Reveal(x) enables you to automate appropriate responses to both "low and slow" and fast and destructive attacks. Download our white paper here to get the details on our response strategy.


As the brains of your security toolset, the network detection and response (NDR) products such as Reveal(x) applies a spectrum of techniques to detect activity at every stage of the attack lifecycle. But what comes next?

Reveal(x) offers a number of out-of-the-box and custom integration options to help you automate an appropriate response to the threat. You already have firewalls and other pieces in place to enable remediation—your NDR solution should work with these tools rather than asking you to spend more money on a redundant "cyber AI response" technology.

But regardless of the tech you use to automate response, you need flexibility to do so intelligently. As Bruce Schneier writes, "You can only automate what you're certain about, and there is still an enormous amount of uncertainty in cybersecurity."

Cyber Attack Spectrum of Certainty

At one end of the spectrum of certainty, when the threat is "low and slow," you want a human in the loop when responding. Even when you're certain about what you've observed on the network, you may be uncertain about the appropriate response. Say, for example, that you've observed privilege escalation. It could be an insider threat who's trying to steal sensitive data, but it also could be Jane in IT who moved to a new team and legitimately has access to admin credentials she didn't before. Sending a message to the IR team's Slack channel with the detection details and link would be an appropriate response, and Reveal(x) enables that.

On the other end of the certainty spectrum, you can fully automate the response to stop fast, destructive attacks in their tracks. Keep in mind that WannaCry infected more than 230,000 systems in 150 countries in one day with damage estimates ranging from several hundred million dollars to $4 billion. In these cases, you will want to lock the user account, block traffic from malicious IP addresses, or quarantine devices ASAP. Reveal(x) integrates with NAC and firewalls to make this happen.

Here are a few examples of response automation in action with tools you might already use:

Quarantined Devices with Palo Alto Networks NGFW

The Reveal(x) integration with Palo Alto Networks NGFW applies policy rules to block traffic to and from those devices.

Quarantined device in ISE

Example quarantine policy applied to an endpoint in Cisco ISE based on a detection from ExtraHop Reveal(x).

To learn more about how Reveal(x) works with your existing security infrastructure to automate an appropriate response, download our whitepaper.

Related Blogs

Sign Up to Stay Informed