
Debunking the Myths on NDR Selection Criteria

Four flags a best-of-breed network detection & response solution must capture

Here at ExtraHop we have built our products around the core idea of helping our customers Rise Above the Noise. We do this within our products by combining industry-leading data ingestion capabilities with our cutting-edge protocol parsing and machine learning engines. The result is high-fidelity data and accurate detection for those who need it, when they need it most.

There's a lot of misinformation floating around about network detection and response, and some vendors are more keen than others to use all that noise to obfuscate their own shortcomings, rather than to help security teams find clarity about their actual technology needs. We stand behind every bit we push into our product, and to prove it, we provide a live demo of Reveal(x) completely free and available without even signing up.

In this post, we want to play a little game of capture the flag to reveal important topics for security buyers to research, and to help our readers rise above the noise.

Flag #1: What Scale and Fidelity of Data Does NDR Need?

Any kind of threat detection and response requires rich data in real time. If you're relying on machine learning, which all credible modern NDR products are, then the volume and fidelity of the data matters even more. Vendors who operate on low volumes of data, or have to write the data to disk and analyze post-hoc, simply can't keep up with enterprise needs.

Fact: ExtraHop Reveal(x) sits out-of-band, analyzing up to 100Gbps of high fidelity "wire data" in real time before writing to disk, so critical insights are available instantly.

Reveal(x) extracts and evaluates more than 5,000 features from Layers 2 through 7 of the OSI stack, as detailed in the 2019 SANS Product Review:

"Reveal(x) has a deep application layer protocol analysis engine enabling the product to granularly inspect content and information contained in the transaction payload, such as methods, errors, SQL statements, DNS hostname lookups, file names, user names and the like."

This wealth of in-depth data is crucial for ensuring the accuracy of the Reveal(x) machine learning detections, as well as the performance monitoring features that our customers rely on. In addition, by leveraging the ExtraHop Trace and Explore appliances, customers have access not only to all the metrics gathered by ExtraHop but also to the underlying packets from which the metrics were extracted.

Flag #2: Can You Get Security and Performance Insight From the Same Dataset?

Fact: ExtraHop collects an unparalleled depth and breadth of data. By leveraging this data, Reveal(x) is able to correlate attack patterns and disparate or anomalous traffic. This allows for real-time context of performance and security detections. Put another way:

"Reveal(x) includes a wealth of context along with detections, such as expected range and deviation, devices involved, how they calculated the risk score, links to outside resources such as the CVE listing or MITRE ATT&CK tactics, techniques and procedures (TTPs) and next steps for investigators." - SANS Product Review

"ExtraHop's ability to see into Layers 1-7 gives it unrivaled advantages over other tools. The fact that it sees this data 'on the wire' means that when you catch something in ExtraHop it has actually happened, cutting down on the noise and finding the problem faster, cutting down on MTTR significantly." - Gartner Peer Insights

ExtraHop has its roots in high-throughput performance monitoring, and our years of specialization in performance monitoring helped us to develop a solution capable of capturing and analyzing a sustained 100Gbps of traffic. Indeed, our product can handle more sustained data throughput than any other network detection and response tool on the market. The analysis portion of the ExtraHop product extracts over 5,000 specific features from Layers 2 through 7 of the OSI stack. This includes a wide array of traffic features that are useful for both security and performance.

Flag #3: Do You Need Cloud and High Fidelity Data to Scale ML?

It is important to note that more data is not always better; the quality of the data matters just as much. That is why ExtraHop's ability to collect a sustained traffic load of up to 100Gbps is so critical to our analysis engine. Being able to capture the whole network stream, in its entirety, every time, ensures not only that we have the feature sets needed to train our machine learning models, but also that the data is of the highest quality. The result is fewer false alarms and higher-quality alerts with the information you need to perform your analysis and respond rapidly.

How ExtraHop leverages data is equally special. ExtraHop is the only NDR vendor to apply the scale of the cloud to its ML allowing us to run more than 100 predictive models for each entity observed on the network, in addition to privilege inference, peer grouping, and other models. Cloud Scale ML allows us to rapidly evolve models based on analysis of threat telemetry from across our global customer base—enabling our customers to stay ahead of threats.

"Reveal(x) reconstructs every transaction on the network and stores 4,800+ metrics for these transactions. This not only gives it excellent content for machine learning features, but also enables analysts to quickly understand the context of a detection and conduct ad hoc investigations since the metrics are all indexed and searchable. This can assist analysts in understanding the "blast radius" of an incident and what the attacker did previously on the network." - SANS Product Review

Flag #4: Does Encryption (TLS 1.3/PFS) Make NDR Less Effective?

You can't talk about NDR without talking about encryption. A 2019 EMA survey found that 72% of enterprises were either already encrypting internal, east-west traffic using TLS 1.3, or were planning to start within the next six months. 61% of respondents also expressed concern about the security impact of this, with 57% identifying "Monitoring Application Security" as their biggest concern due to the lost visibility from implementing TLS 1.3.

Fact: Reveal(x) is the only NDR product that is able to decrypt TLS 1.3 and perfect forward secrecy ciphers in real time, at line rates up to 100Gbps. This enables real-time wire data analysis, as well as forensic data gathering and decryption of PCAPs for later validation of the scope and impact of an attack.

Can Your NDR Vendor Capture Them All?

When you're shopping for new network security solutions, make sure to have conversations about all these flags. Scale and fidelity of data, security and performance insights, the right data for ML, and decryption are all critical focus areas for NDR products, and every vendor should be able to clearly describe their approach to these challenges.

To see for yourself how ExtraHop Reveal(x) delivers each of these critical needs, start the online demo now.
