ExtraHop, a network performance monitoring company, has announced its first-ever security product, Reveal(x).
The goal of the product is to spot anomalous behaviors, provide useful insight and context around those behaviors, and speed security investigations.
Reveal(x) combines an on-premises appliance, which can be physical or virtual, with its Addy cloud service. The appliance collects network data from a tap or port mirror, processes it, and then sends a summary of that data to the cloud.
The cloud service runs the data through machine learning algorithms to look for anomalous behavior.
Using machine learning, ExtraHop says it can identify anomalies that may indicate actions including:
- hosts conducting network reconnaissance from within the organization
- lateral movement and privilege escalation
- contact with a command and control system
- data exfiltration
For example, if the product discovers a laptop running ping and traceroute inside the network, it will notify the security team of the behavior and provide the IP address of the device. It will also show the team a deviation score that rates how unusual the behavior is for that particular device.
The product can also categorize and prioritize behaviors. If, for example, it detects an active exfiltration, it will push that alert to the head of the line.
The product does not include a remediation component. However, it can integrate with products such as ServiceNow and incident response systems to allow security teams to tie Reveal(x) into their own workflows and processes.
How It Works
ExtraHop, which first came to market as a performance monitoring platform, has developed a data processing technique it calls wire data.
The product receives mirrored packets, extracts metadata from each packet, then reassembles that metadata in real time into streams that track every flow, session, and transaction on the network. Depending on the model you purchase, Reveal(x) can decrypt traffic before processing it.
It also analyzes content from layer 2 to layer 7 to identify transactions based on application and protocol.
Last but not least, the product maps the relationships among all the clients and network devices that communicate on the network, which can be useful for security teams when tracing potentially malicious activity.
With Reveal(x), ExtraHop has taken this network processing capability and applied it specifically to a security use case.
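As an added illustration of the per-device deviation scoring and alert prioritization described above, and of the kind of summary metric a flow-reassembling appliance would feed into such scoring, here is example code that is not ExtraHop's Reveal(x) implementation; the metric names, device addresses, threshold and z-score method are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed summary metrics (not real ExtraHop output). For each device, the
# per-hour values of two metrics derived from reassembled flow metadata:
#   icmp_fanout - distinct hosts contacted over ICMP (a ping/traceroute sweep)
#   egress_mb   - megabytes sent to addresses outside the organization
# The first six values are baseline windows; the last is the window under review.
METRICS = {
    "10.0.1.15": {"icmp_fanout": [2, 1, 3, 2, 2, 1, 48],        # laptop starts sweeping
                  "egress_mb":   [40, 35, 42, 38, 41, 39, 44]},
    "10.0.1.20": {"icmp_fanout": [1, 2, 1, 2, 1, 2, 2],
                  "egress_mb":   [30, 33, 31, 29, 32, 30, 60]},  # unusual upload
    "10.0.9.5":  {"icmp_fanout": [30, 28, 31, 29, 30, 32, 31],  # monitoring server:
                  "egress_mb":   [5, 6, 5, 5, 6, 5, 6]},         # high but normal
}

# Behaviour each metric indicates and its triage rank (0 is handled first, so an
# active exfiltration goes to the head of the line even with a lower score).
CATEGORY = {"egress_mb": ("data exfiltration", 0),
            "icmp_fanout": ("network reconnaissance", 1)}
THRESHOLD = 3.0  # deviation score at which a window is flagged


def deviation_score(history, current):
    """How unusual `current` is for this device: distance from the device's own
    baseline mean in units of baseline standard deviation (a z-score). A flat
    baseline (stdev 0) falls back to absolute distance, so a device that never
    did something and suddenly does is still flagged."""
    mu, sigma = mean(history), pstdev(history)
    return abs(current - mu) / sigma if sigma else abs(current - mu)


def detect(metrics, threshold=THRESHOLD):
    """Return (device, behaviour, score) for every flagged window, most urgent
    first: by triage rank, then by descending deviation score."""
    alerts = []
    for device, series in metrics.items():
        for name, values in series.items():
            score = deviation_score(values[:-1], values[-1])
            if score >= threshold:
                label, rank = CATEGORY[name]
                alerts.append((rank, -score, device, label, round(score, 1)))
    return [(device, label, score) for _, _, device, label, score in sorted(alerts)]


if __name__ == "__main__":
    for device, label, score in detect(METRICS):
        print(f"{device:<10} {label:<24} deviation score {score}")
```

Note that the monitoring server's ICMP fan-out of about 30 hosts is not flagged because the score is relative to that device's own baseline, while the laptop's jump from two or three hosts to 48 is.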
Wait, What’s That Cloud Part?
As mentioned, Reveal(x) does include a cloud component. The company says it decided to structure its machine learning processes as a service to leverage the scale and processing power of the cloud.
Anticipating that some potential customers may be wary of sending sensitive network data off premises, ExtraHop has taken steps to minimize potential risks.
First, no actual packets go into the cloud. Instead, the appliance sends summary metrics. Second, no PII or customer data leaves the premises. The company also de-identifies data that goes to the service so as not to reveal device IPs or other details.
Third, transmissions are encrypted end to end. Fourth, customer data is not commingled; each customer gets its own dedicated stack and anomaly detection engine.
Of course, organizations must perform their due diligence to ensure these and other controls are sufficient to address the potential risks.
The Reveal(x) appliance and cloud service can be purchased as a stand-alone product; you don’t have to buy other ExtraHop products to use the security offering.
ExtraHop offers Reveal(x) in three tiers:
- Standard: Full stream analysis, security anomaly detection, standard protocols, global index and search
- Premium: Decryption, integration with third-party products such as ServiceNow and Phantom
- Ultra: Full packet capture, customized security reports from its Atlas service
Reveal(x) is shipping now.