Debunking the Myths on NDR Selection Criteria

Here at ExtraHop we have built our products around the core idea of helping our customers "Rise Above the Noise." We do this within our products by combining industry-leading data-ingestion capabilities with our cutting edge protocol parsing and machine learning engines. The result is high fidelity data and accurate threat detection for those who need it, when they need it most.

Indeed, this concept of "Rise Above the Noise" is so central to our company identity that we all got it tattooed on our foreheads backwards so we'll be reminded of it when we look in the mirror each day.

OK, we didn't really do that, but we do take it seriously. There's a lot of misinformation floating around about network detection and response (NDR), and some vendors are more keen than others to use all that noise to obfuscate their own shortcomings, rather than to help security teams find clarity about their actual technology needs.

We stand behind every bit we push into our product, and to prove it, we offer anyone access to our live demo of ExtraHop Reveal(x). It's completely free and available without even giving us your email.

Let's play a little game of capture the flag to reveal important topics for security buyers to research, and to help our readers rise above the noise.

Flag #1: Scale And Fidelity of Data

Any kind of threat detection and response requires rich data in real time. If you're relying on machine learning, which all credible modern NDR products do, then the volume and fidelity of the data matters even more. Vendors who operate on low volumes of data, or have to write the data to disk and analyse post-hoc simply can't keep up with enterprise needs.

Fact: ExtraHop sits out of band, analyzing up to 100Gbps of high fidelity "wire data" on a single sensor (using a 2RU appliance) in real time before writing to disk, so critical insights are available instantly.

ExtraHop Reveal(x) extracts and evaluates more than 5,000 features from Layers 2 through 7 of the OSI stack, as detailed in the 2019 SANS Product Review:

"Reveal(x) has a deep application layer protocol analysis engine enabling the product to granularly inspect content and information contained in the transaction payload, such as methods, errors, SQL statements, DNS hostname lookups, file names, usernames and the like."

This wealth of in-depth data is crucial for ensuring the accuracy of Reveal(x) machine learning security detections, as well as the performance monitoring features that many customers rely on.

ExtraHop Reveal(x) comes in two flavors, our Reveal(x) Enterprise product is an appliance-based solution and Reveal(x) 360 is our SaaS solution. Reveal(x) customers have access to all metrics gathered by their sensors as well as the underlying packets from which the metrics were extracted, across both physical and cloud based infrastructure.

Flag #2: Extract Security and Performance Insights From the Same Dataset

Organizations today suffer from silos. Siloed teams and siloed data. When an event is flagged in your network, who is responsible? Is it the network team, the security team, the cloud team? When teams don't work off of the same set of data there is a lot of finger pointing. More importantly, it causes delays that allow an adversary to escalate privileges or that cause outages and downtime. Either situation costs the organization in time, dollars, and possibly brand damage.

To resolve incidents in as little time as possible, your teams need to work closely together and base their decisions on consistent, reliable data. ExtraHop Reveal(x) collects an unparalleled depth and breadth of data, analyzing and reporting on a sustained 100Gbps of traffic with a single sensor—more than any other NDR product on the market. By leveraging this data, Reveal(x) is able to correlate attack patterns when there is disparate or anomalous traffic.

ExtraHop's roots in high-throughput performance monitoring means that we know the network better than anyone. It's the reason we are more successful in finding and stopping attacks while simultaneously helping minimize network downtime by providing your teams the data they need to address issues rapidly and decisively.

"Reveal(x) includes a wealth of context along with detections, such as expected range and deviation, devices involved, how they calculated the risk score, links to outside resources such as the CVE listing or MITRE ATT&CK tactics, techniques and procedures (TTPs) and next steps for investigators." -SANS Product Review

"Extrahop's ability to see into Layers 2-7 gives it unrivaled advantages over other tools. "The fact that it sees this data "on the wire" means that when you catch something in Extrahop it has actually happened, cutting down on the noise and finding the problem faster cutting down on MTTR significantly." -Gartner Peer Insight

Flag #3: Flexible Deployment Models: On-Premises, Hybrid SaaS and Multicloud

ExtraHop Reveal(x) 360, the only truly cloud-native NDR product, supports AWS, GCP, and Azure to seamlessly capture network traffic. Both Reveal(x) Enterprise and Reveal(x) 360 are capable of collecting a sustained traffic load of up to 100Gbps on-premises and 10Gbps SaaS, which is critical to our analysis engine.

Being able to capture the whole network stream ensures that we not only have the data sets to train our machine learning models, but also that the data is of the highest quality so that you can surface the insight that counts.

However, data collection is only part of the problem. The Reveal(x) platform leverages the scale of cloud to power its machine learning (ML) and can run more than one million predictive models, including privilege inference, peer grouping, and others. Cloud-scale ML enables Reveal(x) to rapidly evolve models based on an analysis of the anonymized threat telemetry from across our global customer base—helping our customers stay ahead of threats!

"Reveal(x) reconstructs every transaction on the network and stores 5,000+ metrics for these transactions. This not only gives it excellent content for machine learning features, but also enables analysts to quickly understand the context of a detection and conduct ad hoc investigations since the metrics are all indexed and searchable. This can assist analysts in understanding the "blast radius" of an incident and what the attacker did previously on the network." SANS Product Review

Flag #4: Decryption of TLS 1.3 and Perfect Forward Secrecy

You can't talk about NDR without talking about encryption. A 2019 EMA survey found that 72 percent of enterprises were either already encrypting internal, east-west traffic using TLS 1.3, or were planning to start within the next six months.

Additionally, 61 percent of respondents also expressed concern about the security impact of internal encryption, with 57 percent identifying "Monitoring Application Security" as their biggest concern due to the lost visibility from implementing TLS 1.3. Essentially encryption creates a blind spot that administrators must find a way to cope with.

Reveal(x) is the only NDR product that is able to decrypt TLS 1.3 and perfect forward secrecy ciphers in real time, at line rates up to 100Gbps. This enables real-time wire data analysis, as well as forensic data gathering and decryption of packet captures for later validation of the scope and impact of an attack.

Flag #5: Zero Click Investigations Plus Automated Responses

In order to achieve peak efficiency, analysts need as much data at their fingertips as possible. Investigation of incidents should not mean analysts are popping back and forth between monitors and products.

Modern security products are capable of a wide variety of response actions, like automatically blocking network traffic, quarantining files, triggering response actions via API integrations, and sinkholing malicious domains. However, not all responses can or should be automated. Serious incidents need human intelligence to understand the severity and impact of an incident before responding.

Efficient security responses require that both investigative capabilities and response actions fit into existing workflows, allowing analysts to get an alert, complete an investigation, and take action rapidly. ExtraHop Reveal(x) provides instant access to the raw packets, enriched metadata, and metrics to accelerate the investigation and threat hunting process.

Whether a response is manual or automated, robust and flexible API integrations with technologies like EDR, NGFW, SIEM, cloud service provider (CSP) infrastructure controls and SOAR are critical. They ensure analysts have access to the data they need, when they need it. Leveraging API integrations means analysts can perform rapid detailed investigations and can immediately deep dive into the information that matters.

Can Your NDR Vendor Capture Them All?

When you're shopping for new network security solutions, make sure to have conversations about all these flags. Scale and fidelity of data, security and performance insights, the right data for ML, decryption and best-in-class integrations are all critical focus areas for NDR products. Any vendor you talk to should be able to clearly describe their approach to each of these challenges.

To see for yourself how ExtraHop Reveal(x) delivers each of these critical needs, start the online demo now.