Silence Your Alert Cannon with ExtraHop Reveal(x) Security Analytics | ExtraHop


Today we launched ExtraHop Reveal(x) security analytics, a new product intended to increase visibility into critical assets and automate investigations for security teams at any scale. This product is built to address a persistent challenge that costs security programs a great deal of money and wasted time.

The Challenge: Current Workflows Lag Behind Modern Threats

Most security teams initiate investigations by navigating an alert cannon of individual events or anomalies--they are drowning in alerts. Tools like SIEM laboriously reconstruct and correlate event sequences from separate sources such as logs, endpoint snapshots, and network flows. Unfortunately, the data quality, timeliness, accuracy, and fidelity of these sources vary widely, requiring analysts to fill in gaps manually, collect fresh data ad hoc, or leave crucial clues out of consideration. The enterprise environment is also in flux: BYOD, rogue devices, and shadow IT undermine the accuracy of data sets and conclusions. Garbage data in means garbage conclusions out. Who has time for this?

Behavioral Analytics To The Rescue...right?

Enter behavioral analytics. This capability, largely dependent on advances in machine learning and AI, theoretically improves data relevance by showing changes in the context of specific data types, including users, entities, and network communications. Through heuristics and machine learning, behavioral analytics tools can refine their perceptions over time. This sounds promising, but practical realities such as deployment complexity, processing limits, licensing, data sources, and data storage costs have made behavioral analytics largely inaccessible, except to the most sophisticated organizations.

So security operations teams face two problems: garbage data and impractical analytics.

Better Data === Better Outcomes

Im proud to announce that ExtraHop Reveal(x) introduces a different class of data and a different approach to advanced behavioral analytics to help meet these challenges. We use the transaction-level visibility and authenticity of wire data as the data source to drive insights. Reveal(x) correlates transactions and behaviors across critical data-center assets. This focus on critical assets helps make analytics practical – the most attention (human, compute, storage) is devoted to the most important stuff. Its important to note that this analysis is done in real-time, processing these events as they occur so that insights are delivered in time to make a difference.

Reveal(x) then uses enterprise-proven anomaly detection to monitor changes over time leveraging machine learning. Only when something meaningful happens on a critical asset do we fire an alert, and that alert appears with the full context and evidence needed for a confident evaluation of risk and impact. This means that early investigation steps are done automatically for the user, which can dramatically reduce investigation times.

For instance, a common attack might start with malware downloaded onto a corporate laptop from an email or a website. The laptop itself may not be that important, but it provides a hideout and a user account for the attacker, who escalates their privilege access, compromises other corporate systems and extracts valuable data. This attack sequence happens in a targeted attack, but similar behavior patterns also appear in ransomware, botnets, worms, and insider threats.

During this attack, the typical enterprise would have preventative controls that would kick off a barrage of independent alerts from an endpoint (compromised host), a sandbox (convicted malware), and a database or file server (unusual access). Some alerts might go to individual operational teams, others to the SOC. No one would track internal reconnaissance such as scans and brute force login attempts, and no one team would have full visibility into the correlation between all the alerts, even if they're part of the same attack.

ExtraHop Reveal(x) changes this dynamic by assembling a complete picture of the activities within the internal, or East-West, network. In addition to flagging the activity itself, Reveal(x) tells the analyst the role, relationships, and threat impact in the context of an attack. A live map can visually represent the activities and show communication types and sequences. Concrete evidence includes the behavior that was exhibited, the metrics captured, and which systems were involved. With a click or two, the analyst can get all the way to the relevant packet to see the truth.

Analysts in the SOC finally have the insights they need to triage, scope, contain, and dispose of incidents in record time.

Now, lets make the problem harder. What if instead of an infected laptop, the suspicious communications were encrypted within the microservices of an application hosted in AWS? Typical systems wont provide any visibility here, but with ExtraHop Reveal(x), the same focus and complete picture applies. The SOC analyst would be alerted that something was going wrong with a business-critical application and get the detail required to evaluate and act.

Part of making this advanced analysis practical for more organizations comes from the way we have automated key processes to have the machines do more analytics before the people get involved. Auto-discovery and classification takes care of asset inventorying. The wire data model associates protocols, applications, and devices/users with network communications as a complete transaction. The cloud-based anomaly detection reflects the brains of our data scientists, whove built a machine learning system that keeps detections updated without supervision, including adapting as new behaviors are gleaned throughout the system. And the user interface links up activity type with potential impact (such as lateral movement or exfiltration) to help analysts understand scope and priority.

One last, important point. Hidden storage and licensing costs bite many budgets as companies discover that they cant afford to capture or store data that could be useful. We meet this challenge with several innovations. First, were doing much more analysis much earlier, so we reduce the footprint required for the job you want to do. Second, the packages are all inclusive, so there are no surprises. And third, the subscription matches the natural stages of maturing SOCs:

  • Standard - Ideal for Sec Ops teams with an emerging security program and incident response, the package includes network security analytics, Machine learning-driven anomaly detection, automatic detection and classification of critical assets, and threat investigation capabilities.
  • Premium - For mature security programs with Integrated Platforms (e.g., SIEM) and encryption, Premium includes everything in the Standard plan, plus SSL decryption capabilities and ExtraHop's Open Data Stream for integration and automation with existing security products and workflows.
  • Ultra - For sophisticated programs with forensic and demanding compliance requirements, Ultra includes full packet capture for smart forensics and investigative capabilities, as well as monthly Security Atlas Reports.

With wire data capturing the entire transaction as forensic-quality data and advanced anomaly detection showing each relationship, security teams can focus on protecting their most critical assets rather than filtering through the alert queue and chasing false positives. To quote one customer: "The visibility is addictive."

See for yourself.

This is a companion discussion topic for the original entry at