Six Reasons Your Security Toolset Needs to Include Wire Data Analytics | ExtraHop

Unlike IDS/IPS that use signatures, ExtraHop identifies threats by providing context—trends and real historical activity.
Every year, the stakes get higher for IT organizations trying to prevent data theft, ensure compliance, and protect the business from cybervillains. At ExtraHop, we want to help you build a complete IT operational intelligence architecture that provides the visibility you need to protect your environment. The ExtraHop platform can supplement the IDS and IPS tools already implemented with real-time wire data analysis—monitoring of all communications between application components, even encrypted traffic! Whereas traditional security tools are good for securing against known threats, ExtraHop enables IT teams to flag problems and track anomalous events that you would not have known to look for or had the time to look for, including:
  • Expired or weak SSL certificates
  • Data passing over printer and USB channels in VDI environments
  • Access-denied events for networked storage
  • High- and low-intensity brute-force attacks on authentication servers
  • Data exfiltration through DNS txt records
  • Superuser account activity
  • … and much more!
All of the scenarios described below also work with our free ExtraHop virtual appliance for IT operational intelligence, so if they sound intriguing, you can get them set up in your environment today. You'll need to download the the free Security and Compliance solution bundle, available in the ExtraHop Solution Bundles Gallery, which will automatically add the requisite dashboard, alerts, and triggers.

1. Encryption Auditing

Managing SSL certificates is a complex and often time-consuming process that can require significant planning, as was illustrated last October when a Microsoft update began blocking RSA keys using less than 1024-bit encryption. Sysadmins simply don't have the time required to continuously keep tabs on weak SSL keys and expired certificates. As customers begin to phase out weaker 1024-bit keys, ExtraHop can help make a smooth transition by identifying all SSL certificates passing over the network, including those using weak keys and cipher suites. ExtraHop also tracks certificates that are expiring in three months or less, or have already expired, for proactive remediation. This way, not only can you ensure that your encryption is up to standard, but you can prove it with push-button reports.
ExtraHop reveals clients and servers using RSA keys with less than 2,048-bit encryption.

2. Locked-Down VDI Environments

Many IT organizations that run Citrix VDI have locked-down environments to protect and secure sensitive information, like patient health information found in electronic health record systems. In these scenarios, USB and printer channels are locked to prevent both physical and digital data leakage. Because the ExtraHop platform tracks all ICA communications, it can provide continuous monitoring of any data passing over protected channels, with per user and per client drill-downs so you can identify the perpetrator.

3. Storage Access Monitoring

Unlike most transaction monitoring products, ExtraHop analyzes networked storage activity. This enables you to continuously monitor your SAN or NAS environment and break out client IP, username, and file path to identify who is accessing which files from where. By tracking access-denied events, ExtraHop keeps you apprised of any unauthorized users attempting to gain access to secured systems so you can remediate before any damage is done.

4. Authentication Brute Force Alerting

Malicious users may attempt a brute force attack against your authentication services. ExtraHop can detect such attacks in real-time through LDAP analysis. The ExtraHop Security and Compliance bundle is set up to detect both high-intensity and low-intensity attacks by tracking and alerting on the frequency of failed attempts per user and historical counts. High-intensity attacks are akin to smash-and-grab thefts where the attacker tries to gain access and deal damage as quickly as possible before you can react and lock down your environment. Low-intensity attacks try and hide in the noise of regular users' failed logins, with the hopes that persistent but controlled attempts to access a system will not raise any alarms.

5. Surreptitious Tunneling over DNS

Infected systems can pose serious risks to secured environments, whether they take malicious actions within your systems or exfiltrate sensitive information to external hosts. Several customers have seen surreptitious TCP/IP communications tunneling through DNS, either as a command-and-control protocol for malware or as a method for getting sensitive data back to a home server. By breaking out DNS records by type, and tracking irregular TXT-records and normal A-records specifically, we raise a red flag when potential security events arise, and help you mitigate potential damage.

6. Superuser Account Tracking

To audit any environment, you need visibility into who is accessing your systems. Attackers and rogue applications can use superuser accounts like root and SA to hide their tracks or open security holes. ExtraHop's Security and Compliance dashboard tracks superuser logins with per client and server IP drill downs so you can quickly take action.
ExtraHop associates superuser account logins with client IPs.

Ready to Get Started? Try ExtraHop for Free!

All the above functionality works with our free virtual appliance for IT operational intelligence, and it's important to note that these are just examples of the types of security analytics provided by the open and extensible ExtraHop platform. Have ideas for other metrics to track? We welcome your suggestions! In fact, we built the Security and Compliance bundle with the intent that ExtraHop users would extend its functionality and then share their enhancements through the forum.

If you're interested in reading more about what ExtraHop's wire data analytics can do for security practitioners, including geomaps and precision packet capture, visit our security and compliance page.

This is a companion discussion topic for the original entry at