Splunk Agrees: Wire Data Adds Crucial Context to Logs | ExtraHop


Over the past several years, there has been growing recognition of the need to think about the data sources you're using in your analytics. It's no surprise that ExtraHop touts wire data as the most complete, unbiased, and instant source of IT data, but we're not the only ones!

Even Splunk Agrees, Wire Data Is Truth

A recent post from Splunk (a great ExtraHop technology partner) caught my eye with this title: "Find the Ultimate Truth in the Wire. Even the Most Granular Logs Are Not Enough to Be the Truth." The author explains that SIEM platforms necessarily lose some granularity when they normalize data for analysis, and that knowledgeable attackers exploit those gaps to hide or obscure their activity. When responding to an event, IT and security staff need to validate it, then establish with certainty which data was affected and whether adversaries are still active in the network.

The Splunk post also explains that, while logs are an invaluable piece of the analytics puzzle, they are self-reported information about an event rather than the actual "source of truth," even when preserved in their original form: whoever controls the host that wrote them can also edit or suppress them. Network packet forensics, or wire data, is the answer. Like a closed-circuit camera, wire data is an objective record of activity captured out of band, and it supports root cause analysis, especially when you can download the precise packets (as a PCAP file) that make up a particular flow.

In addition to providing definitive answers, wire data can also improve the accuracy and fidelity of SIEM alerts, acting as an additional dataset that is already consistently structured by virtue of the network and application protocols. The Splunk post also points out the broad coverage of wire data, covering not only the obvious HTTP transactions but also SQL queries and DNS activity.

ExtraHop and Splunk make for a great pairing, and we share a number of joint customers who stream wire data from ExtraHop into Splunk for correlation with log data.
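As an added illustration of the correlation described above (this is not code from ExtraHop, Splunk, or the original post), the script below cross-checks a web server's own access log against the structured HTTP records a wire-data sensor would emit for the same traffic. The log lines and wire records are constructed sample data, and the wire-record field names are hypothetical. The interesting output is the two sets of unmatched records: a transaction seen on the wire with no log line (logging suppressed or edited) and a log line with no wire record (a self-reported claim that nothing witnessed).

```python
"""Cross-check self-reported host logs against wire observations.

Added example, not ExtraHop or Splunk code.  A web server's access log is
the server's own account of what happened; a wire-data record is what an
out-of-band sensor saw on the network.  Correlating the two surfaces gaps
in either direction.  All log lines and wire records are constructed
sample data, and the wire-record field names are hypothetical.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed Apache-style access log, as the web server reported it.
ACCESS_LOG = """\
10.0.0.5 - - [12/Oct/2017:14:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [12/Oct/2017:14:02:03 +0000] "GET /login HTTP/1.1" 200 2048
10.0.0.9 - - [12/Oct/2017:14:05:10 +0000] "GET /admin HTTP/1.1" 403 512
"""

# Constructed wire-data records: one structured record per HTTP transaction,
# the shape a sensor emits after parsing the protocol off the wire.
WIRE_HTTP = [
    {"ts": "2017-10-12T14:02:01Z", "client": "10.0.0.5", "method": "GET",
     "uri": "/index.html", "status": 200},
    {"ts": "2017-10-12T14:02:03Z", "client": "10.0.0.5", "method": "GET",
     "uri": "/login", "status": 200},
    # Seen on the wire but never written to the access log.
    {"ts": "2017-10-12T14:03:40Z", "client": "10.0.0.7", "method": "POST",
     "uri": "/upload.php", "status": 200},
]
# Conversely, the 403 for /admin from 10.0.0.9 exists only in the log.

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_access_log(text):
    """Parse access-log lines into records keyed like the wire data."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess at fields
        records.append({
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "client": m["client"], "method": m["method"],
            "uri": m["uri"], "status": int(m["status"]),
        })
    return records


def parse_wire_ts(s):
    """Wire timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(log_records, wire_records, tolerance=timedelta(seconds=2)):
    """Pair each wire transaction with one log entry that has the same
    client/method/uri/status and a timestamp within `tolerance` (host and
    sensor clocks never agree exactly).  Returns the two unmatched sets:
      unlogged   - on the wire, absent from the log (logging suppressed or edited)
      unobserved - in the log, never seen on the wire (an unwitnessed claim)
    """
    unused = list(log_records)
    unlogged = []
    for w in wire_records:
        key = (w["client"], w["method"], w["uri"], w["status"])
        match = next((entry for entry in unused
                      if (entry["client"], entry["method"],
                          entry["uri"], entry["status"]) == key
                      and abs(entry["ts"] - w["ts"]) <= tolerance), None)
        if match is None:
            unlogged.append(w)
        else:
            unused.remove(match)  # one-to-one: a log line vouches for one transaction
    return unlogged, unused


def find_discrepancies():
    """Run the cross-check over the constructed data; returns (client, uri) pairs."""
    logs = parse_access_log(ACCESS_LOG)
    wire = [dict(r, ts=parse_wire_ts(r["ts"])) for r in WIRE_HTTP]
    unlogged, unobserved = correlate(logs, wire)
    return {
        "unlogged": [(r["client"], r["uri"]) for r in unlogged],
        "unobserved": [(r["client"], r["uri"]) for r in unobserved],
    }


if __name__ == "__main__":
    for kind, hits in find_discrepancies().items():
        print(kind, hits)
```

The match key deliberately includes the status code and a small clock tolerance rather than an exact timestamp, because a log-only entry with the same URI but a different outcome is exactly the kind of discrepancy worth surfacing. In a SIEM the same join runs across the normalized log index and the streamed wire records, with the unmatched sets driving alerts.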

As the author of the Splunk post points out, you need to make sure data is normalized and ready for analysis before feeding it into an analytics platform. ExtraHop's secret sauce is its ability to transform raw, unstructured packet streams into structured wire data at tremendous scale—up to a sustained 40 Gbps, even with line-rate decryption. A few key reasons why organizations choose ExtraHop for wire data visibility:

  • Agentless Auto-Discovery - Automatic discovery, classification, and mapping of all physical and virtual devices, clients, and applications
  • Broad and Deep Visibility - L2 – L7 content analysis for holistic visibility across tiers at industry-leading scale—up to a sustained 40 Gbps throughput
  • Machine Learning - Powerful machine learning applied to your richest data source to detect security and operational anomalies
  • Extensibility and Openness - Rich APIs to integrate with other platforms for correlated analysis or to orchestrate automatic responses

If you are interested in learning more about how ExtraHop can improve your organization's security posture, including by improving the accuracy of SIEM alerts, make sure to register for a webinar we have coming up with ESG's Jon Oltsik. We'll be talking about what ESG calls "security operations and analytics platform architecture" (SOAPA) that includes SIEMs but also best-of-breed analytics tools that feed other rich data into the system.

Register for the Integrating Network Analytics Into Your Security Architecture webinar with ESG.

This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2017/splunk-agrees-wire-data-is-truth/


Microsoft ATA analyzes full packet data from a port mirror for the same reason: logs are vulnerable to tampering, but out-of-band network monitoring is authoritative.