How Reveal(x) 360 Works
Behind the curtain on SaaS-based network detection and response
Real-time Stream Processing
ExtraHop's real-time stream processor transforms unstructured network packets into structured wire data at line-rate. Depending on the type of traffic, protocols involved, and security policies applied, a variety of processes are performed in real time:
1. Broad Spectrum Decryption
For encrypted traffic, the stream processor decrypts traffic at line rate, including Active Directory protocols and cipher suites that support perfect forward secrecy (PFS) such as TLS. This bulk decryption can scale to 64,000 transactions per second (TPS) using 2048-bit keys, which no other real-time analytics engine can match in a single unified offering. To learn more, read the white paper on how decryption is necessary for security visibility.
2. High-Performance TCP State Machines
Starting at the most fundamental level, the stream processor recreates the TCP state machines for every sender and receiver communicating on the network. A prerequisite for deeper application-protocol analysis, this allows the platform to understand all TCP mechanisms and their impact.
3. Wire-Protocol Decoding and Full-Stream Reassembly
The real-time stream processor decodes 70+ protocols (skip to Protocols We Decode) to understand, define, and act on that protocol's unique application boundaries in hybrid and cloud IT environments. This allows the processor to construct complete flows, sessions, and transactions for total application fluency, which in turn allows for higher-order content analysis through full-stream reassembly into wire data (derived from the wire protocol itself). The processor will even automatically resynchronize and recover in the event of traffic anomalies such as microbursts, that might otherwise result in packet loss.
4. Full-Content Analysis
After reassembling packets into full streams, the stream processor analyzes the payload and content from layers 2-7, auto-discovering and classifying all devices and clients communicating on the network. The processor also continuously correlates relationships between clients, applications, and infrastructure with 5,000+ built-in metrics.
Full-content analysis supports dozens of protocols, providing key performance indicators such as database methods used, file access by user, storage errors, DNS records and errors, web URI processing time and status codes and SSL certificates with expiration. The stream processor also captures sophisticated network metrics such as receive-window throttles, retransmission timeouts, and Nagle delays.
5. Fully Programmable Telemetry
While full analytics capabilities are always available, it's also easy to customize results so you only see the precise metrics and insights that you need.
An event-driven programmable interface enables you to customize the telemetry captured by the stream processor. You can programmatically extract wire data events and threat indicators that are specific to your organization.
With this Application Inspection Triggers functionality, you can be as surgical or as verbose as necessary to extract anything from a simple header to the full application payload. For example, this data can include specific HTTP or SQL query strings used in injection attacks.
The same principle and functionality holds true for all of our natively decoded protocols. You can also use triggers to extract, measure, and visualize data from defined fields, or to decode proprietary protocols based on TCP and UDP.
Machine Learning and Global Intelligence
Real-time intelligence derived from petabytes of anonymized threat telemetry collected daily makes Reveal(x) 360 cloud-based machine learning uniquely reliable—all without impacting sensor performance. Cloud-scale machine learning provides more than 1 million predictive models for a typical enterprise deployment to identify suspicious behaviors and potential threats. ExtraHop's machine learning service detects cyber kill chain behaviors such as reconnaissance, exploitation, lateral movement, command and control, and actions on objective. ExtraHop ML also provides coverage for the MITRE ATT&CK Enterprise Matrix and detects ransomware, botnets, unauthorized data exfiltration, and much more.
Machine Learning Algorithms
Reveal(x) 360 uses a suite of machine learning algorithms to provide advanced, SaaS-based network detection and response, including:
- Attack detection - Hundreds of self-adaptive unsupervised attack-detection models leveraging proprietary time series analysis and outlier detection algorithms.
- Entity importance - Inference engine for inferring entity importance and entity network privilege level based on observed behaviors and innovative graph analytics.
- Device identification - Entity clustering engine for identifying behaviorally similar devices.
- Peer group identification - Peer group outlier detection engine.
- Risk score determination - Risk score estimation engine that combines domain expertise and customer base telemetry.
Continuous Global Intelligence
Reveal(x) 360 automatically updates detectors, threat intelligence feeds, and IoT profiles via the cloud, eliminating the need for manual intervention to ensure that policies or software on sensors are always up to date.
Customer Data Security
Only de-identified metadata is sent to ExtraHop's cloud-based machine learning service, meaning that no payloads, filenames, strings, or other data categories that might contain sensitive data will leave your protected environment. ExtraHop has received SOC 2, Type 1 compliance certification for our machine learning technology, which you can learn about on our Compliance page.
ExtraHop machine learning performs the following processes:
- Network traffic is analyzed locally to extract and store 5,000+ metrics including IP addresses, URIs, database queries, CIFS filenames, VoIP phone numbers, and other potentially sensitive data. Metrics collection can be customized as needed.
- A subset of these metrics are de-identified and sent to a customer-dedicated cloud-computing instance operated by ExtraHop.
- ExtraHop ML then compares device and application behavior against predictive models and flags any significant anomalies.
- Anomaly events are sent back to your environment, where you can re-identify and decrypt them with your private key for alerting and investigation.
Cloud Record Store and Data Indexing
ExtraHop leverages the power of the cloud to provide scalability as businesses grow or security needs fluctuate. By providing cloud-based record storage, Reveal(x) 360 transforms both how and where NDR capabilities can be deployed, and how and when they can be consumed. When required, enterprises can now augment record capacity by utilizing cost-efficient upfront capacity reservations, pay-for-use record capacity as needed, or both methods—making unpredictable loads manageable and providing value for customers with more predictable needs.
From a SecOps perspective, a cloud-based record store provides fully hosted and managed search capability for streamlined incident investigation. Security teams can also leverage index record search and query of data from every segment of the hybrid environment for 360-degree visibility and situational intelligence.
Data Visualization and Exploration
One of the most challenging aspects of real-time analytics at cloud scale is, well, the scale itself. At ExtraHop, we do our best to make this easy for you as a user to parse the immense wealth of information that is wire data and derive meaningful insights no matter which perspective you're coming from.
We start you off with a simple, intuitive user interface for teams across your organization.
ExtraHop enables you to create bespoke dashboards quickly. Drag-and-drop functionality enables you to build dashboards with widgets; if you want to create your own widget, all you have to do is select your desired data source and metrics, pick a visualization type, and save it to your dashboard of choice. You can quickly and easily export charts and background data points to PDF, Excel, or CSV.
No Scripting? No Problem.
Our visual query language gives you the power to refine or change your search queries by clicking UI elements that control everything from grouping, to filtering, to time-range selection. Whether you stick with the hundreds of built-in record attributes or branch out and define your own, this functionality means any user can quickly answer questions during an investigation without needing to learn a query language.
For example, if you sort SQL messages by query string, you can identify attempted SQL injection attacks, pinpoint the malicious IP, and then instantly pivot to see all the activity of that client on the network over a given length of time. By exporting that information to Excel, CSV, or a visualization tool like Tableau or Qlik, you'll have a step-by-step map of what the attacker did so you can both respond with confidence and be better equipped to prevent future attacks.
Live Activity Maps
Along with traditional methods of data visualization like charts and graphs, ExtraHop uses live activity maps to present a dynamic and intuitive view of your environment. Instead of manually creating and updating network diagrams as your IT environment changes, you can use live activity maps to visualize protocol-based connections between devices and applications in real time.
By allowing you to filter by time interval and broaden or narrow your scope as needed, activity maps make it easy to answer multi-part questions like, "How are devices interacting within a certain tier, and how have those devices been interacting across the network in the last hour?" Anomalous behavior detections also appear on live activity maps, so you can see the context of the detection before clicking down into the transaction or even into the precise packets straight from the map.
This blog post goes into a lot more detail about the latest capabilities of live activity maps and provides some more ideas about how you might use them in your day to day.
Protocols We Decode
ExtraHop decodes the following enterprise protocols with real-time fluency at the application layer. Protocol modules offer varying levels of analysis, starting with L7 classification, and Application Inspection Triggers allow you to create a custom metric.
|Citrix ICA*||HL7*||MS-RPC||IEEE 802.1X|
|Database: Microsoft SQL||VoIP: SIP*||VoIP: RTP*||IRC|
|Database: MongoDB||VoIP: RTCP XR*||VoIP: RTCP*||ISAKMP|
|Database: Sybase IQ||ICMP||IBM MQ||OpenVPN|
* Not included in Reveal(x) 360 base license
Of particular interest to SecOps analysts, Reveal(x) 360 analyzes application-layer metadata for databases, Active Directory, web, SSL, and storage systems:
Database: RDBMSs: Oracle, Microsoft SQL Server, MySQL, PostgreSQL, Informix, Sybase, and DB2. NoSQL databases: MongoDB, Memcached, Redis, Riak. Metadata extracted include transaction timing, table/user access patterns, query errors, SQL queries and responses, and system-level commands.
Identity and Access Management: Active Directory visibility, including NTLM, Kerberos, LDAP, MSRPC, WINRM, SMBv3, and DNS monitoring for privileged identities and service accounts allows you to improve detection and facilitate audits. Reveal(x) extracts metadata including user/computer account activity, invalid or expired passwords, new privileged access, privileged access errors, DNS SRV lookups, LDAP binds, plain-text HTTP authentications, unknown SPNs, and forged Kerberos ticket detection.
Storage: Metadata extraction for all NAS and SAN transactions (iSCSI, NFS, and CIFS) enables machine learning detections based on actual file details and equips security analysts to track file access patterns and detect ransomware activity by examining file extensions and WRITE operations.