ExtraHop Reveal(x) sheds light on the darkspace
ExtraHop announced Reveal(x) Summer 2018, setting a new bar for Network Traffic Analytics at enterprise scale. The latest release includes new capabilities designed to modernize enterprise security operations with critical asset behavior analysis that instantly surfaces the highest-risk threats, even those hiding within encrypted traffic.
With this insight, security operations teams can zero in on critical threat patterns and investigate down to the root cause in seconds, not days.
Attacker dwell time in the enterprise rose to a median of 101 days in the period covered by FireEye’s M-Trends 2018 Report. The Verizon Data Breach Investigations Report noted, “in many cases, it’s not even the organization itself that spots the breach—it’s often a third party, like law enforcement or a partner. Worst of all, many breaches are spotted by customers.”
The Reveal(x) Summer 2018 release aims to cut dwell time by surfacing late-stage attack activity (lateral movement, privilege escalation, command and control, exfiltration) in the enterprise “darkspace”: the parts of the network that existing security tooling does not see. Through comprehensive network traffic analytics, Reveal(x) delivers real-time visibility into threats to your critical assets throughout the hybrid enterprise.
The new “headlines” dashboard prioritizes speed and accuracy, cutting down on the false-positive fire drills other tools generate by surfacing only the highest-risk detections, correlated with external and industry threat intelligence.
Other key new features in the Summer 2018 release include:
TLS 1.3 Support: As of 2017, forty-one percent of cyber attacks used encryption to evade detection, so the ability to detect threats within encrypted traffic is more critical than ever. With the latest release, Reveal(x) offers out-of-band decryption at up to 100 Gbps, supports the requirements of the new TLS 1.3 protocol, and can decrypt traffic protected by forward-secrecy (ephemeral key exchange) cipher suites. Note for practitioners: because TLS 1.3 permits only ephemeral key exchange, a passive decryptor cannot recover session keys from the server’s long-term private key alone; decrypting such traffic out of band requires the session keys to be supplied from an endpoint.
Need-to-Know Decryption: Access to decrypted content is role-based. Authorized threat hunters and forensic investigators can be granted rights to look inside suspicious packets for authoritative evidence (including content and user information), while other analysts see only the detections and metadata insights derived from the decrypted traffic, which limits privacy exposure to those who need it.
Network Privilege Escalation Detection: Reveal(x) identifies changes to behavior that indicate an attacker has compromised a device, escalated access rights, and is using these higher privileges to explore and attack within the enterprise. Reveal(x) now infers escalation attempts on critical assets automatically based on changes in device behavior, commands, and protocol use, enabling detection of attacks underway and allowing SecOps teams to contain them before damage is done.
Peer Group Anomaly Detection: Reveal(x) now automatically correlates device behavior against peer devices for more precise assessment of anomalous behavior, leveraging auto-discovery and classification of critical assets. This strong outlier validation improves insider threat and compromised host detection and enriches Reveal(x) investigative workflows with critical asset context that helps SecOps collaborate with IT teams controlling endpoints and data centers.
Threat Feed Integration: The new release ingests Structured Threat Information Expression (STIX) formatted threat intelligence containing suspect URIs, hosts, or IP addresses, and highlights where those indicators correlate with detections from network traffic. SecOps teams can use the STIX feeds bundled with Reveal(x) or add a secondary feed for additional depth of intelligence. Analysts can confirm details within the workflow via easy access to the enriched data, and can more easily retrace attack interactions that involve external actors, including Command and Control and exfiltration activity.
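To make the STIX correlation concrete, the following is an added example written for this page; it is not ExtraHop code and does not reflect how Reveal(x) implements the feature. It assumes a STIX 2.0 JSON bundle whose indicator patterns are simple single-comparison expressions on ipv4-addr, domain-name or url (the three observable types the release text mentions), and a constructed list of network connection records. The bundle, the indicator IDs and the connection records are all constructed for the example; compound STIX patterns are detected and skipped rather than mis-parsed.

```python
"""
Correlating STIX 2.0 indicators with network connection records.

Added example, not ExtraHop's code. Assumes indicators use simple
single-comparison patterns; anything else is reported as skipped.
"""
import json
import re

# Matches a single-comparison STIX pattern such as
#   [ipv4-addr:value = '203.0.113.5']
#   [domain-name:value = 'exfil.example.net']
#   [url:value = 'http://bad.example/x']
# Compound patterns (AND/OR, multiple comparisons) do not match.
_SIMPLE_PATTERN = re.compile(
    r"^\[\s*(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\s*\]$"
)

# Constructed STIX 2.0 bundle (not a real feed); documentation-range IPs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "labels": ["malicious-activity"], "name": "C2 address",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2018-06-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "labels": ["malicious-activity"], "name": "Exfil domain",
         "pattern": "[domain-name:value = 'exfil.example.net']",
         "valid_from": "2018-06-01T00:00:00Z"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "labels": ["malicious-activity"], "name": "Compound pattern",
         "pattern": "[ipv4-addr:value = '198.51.100.9' AND "
                    "network-traffic:dst_port = 443]",
         "valid_from": "2018-06-01T00:00:00Z"},
        {"type": "malware",
         "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "Unrelated SDO, ignored by the loader"},
    ],
})

# Constructed connection records, loosely modelled on flow metadata:
# hostname is what an observer would see as SNI or HTTP Host; url is only
# visible for plaintext HTTP or decrypted TLS.
SAMPLE_RECORDS = [
    {"ts": "2018-06-12T10:01:00Z", "client_ip": "10.0.0.12",
     "server_ip": "203.0.113.5", "server_port": 443,
     "hostname": None, "url": None},
    {"ts": "2018-06-12T10:02:30Z", "client_ip": "10.0.0.15",
     "server_ip": "198.51.100.20", "server_port": 443,
     "hostname": "Exfil.Example.NET", "url": None},
    {"ts": "2018-06-12T10:03:10Z", "client_ip": "10.0.0.7",
     "server_ip": "192.0.2.44", "server_port": 80,
     "hostname": "www.example.com",
     "url": "http://www.example.com/index.html"},
]


def load_indicators(bundle_json):
    """Return ({observable_type: {value: indicator_id}}, skipped_ids)."""
    iocs = {"ipv4-addr": {}, "domain-name": {}, "url": {}}
    skipped = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        match = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not match:
            skipped.append(obj["id"])  # compound or unsupported pattern
            continue
        kind, value = match.group(1), match.group(2)
        iocs[kind][value.lower()] = obj["id"]  # case-fold for hostnames/URLs
    return iocs, skipped


# Which record fields are compared against which STIX observable type.
_FIELD_MAP = (("server_ip", "ipv4-addr"), ("client_ip", "ipv4-addr"),
              ("hostname", "domain-name"), ("url", "url"))


def correlate(records, iocs):
    """Return one hit per (record, field) whose value appears in the IOC set."""
    hits = []
    for rec in records:
        for field, kind in _FIELD_MAP:
            value = rec.get(field)
            if value and value.lower() in iocs[kind]:
                hits.append({"ts": rec["ts"], "client_ip": rec["client_ip"],
                             "field": field, "value": value,
                             "indicator": iocs[kind][value.lower()]})
    return hits


if __name__ == "__main__":
    loaded, skipped_ids = load_indicators(SAMPLE_BUNDLE)
    for hit in correlate(SAMPLE_RECORDS, loaded):
        print(f"{hit['ts']} {hit['client_ip']} -> {hit['value']} "
              f"({hit['field']}) matches {hit['indicator']}")
    for sid in skipped_ids:
        print(f"skipped unsupported pattern in {sid}")
```

The case-folding matters: domain names and URL hosts are case-insensitive, so an indicator written in lower case must still match an SNI value captured with mixed case. The skipped-indicator list is the part a practitioner should watch in a real feed: a compound pattern that the matcher cannot evaluate is a silent coverage gap unless it is surfaced.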
Third Party Integrations: Enterprise Security Operations teams need to partner with other IT teams and their tools to accomplish evaluation, scoping, containment, and mitigation within approved processes. ExtraHop’s REST APIs provide formal integrations for automated interaction with industry-leading threat intelligence, investigation, and response platforms including Anomali, Palo Alto Networks, Phantom, ServiceNow, and Splunk. These two-way integrations inject definitive Reveal(x) insights and wire data into other tools and let Reveal(x) interact as part of investigation and response workflows, including forensic packet analysis.
“Today’s threat actors are taking advantage of vast attack surfaces that extend across every endpoint from the branch office to the datacenter or the cloud and too often they operate unnoticed,” said Jesse Rothstein, CTO and co-founder, ExtraHop. “At ExtraHop we’ve spent years developing technology that can analyze the entire network in real time – every critical asset and every transaction so that there are no blind spots. With Reveal(x) Summer 2018, we’ve applied that deep domain expertise to security operations, closing the visibility gap and surfacing the accurate, targeted information that allows SecOps teams to act quickly and with confidence.”
“Security operations centers (SOCs) manage the business of security – maintaining a reliable security infrastructure, sorting through critical informational events and alerts, and working across the IT organization to fix security problems,” said Eric Ogren, Senior Analyst at 451 Research. “Network traffic analytics are poised to play a pivotal role in modernizing security operations. ExtraHop Reveal(x) is a pioneer of this emerging market segment with the ability to deliver broad network visibility, prioritization of critical assets, and advanced behavioral analytics to reduce and possibly eliminate the dark space within the enterprise.”