Having worked in various information security roles for the last decade, one of the things I've come to learn is that there is no such thing as an information security vendor.
The truth is, information security just isn't something that can be "vended," unfortunately.
Now, this does not mean there aren't any information security tools and services vendors; there are plenty of those, and to be clear, they play a very important role.
However, the art of information security is in how you put the various tools, products, service offerings, and skills together in a way that encases your organization in a bespoke suit of armor. This is opposed to chasing the latest flashy toy, and having your field of vision narrowed in doing so.
You see, there are plenty of ways to protect information. Yet the biggest challenge for most operational security teams is figuring out exactly what they have to protect as the environment constantly evolves. Because of the rapid pace of change, security teams often find themselves running behind the train, desperately trying to catch up.
I was in this exact position a few years ago. As the technical lead on a security team for a large software-as-a-service provider, I was frequently seeing different traffic patterns across the network. As the number of partners, customers, and service offerings grew, I needed a way to make smart decisions about what network traffic was expected, what could be malicious, and what I needed my team to investigate and justify. I needed to know what was "normal," when "normal" looked different on a weekly basis.
Sure, I had various tools to help me make those determinations. Firewalls, Data Loss Prevention, Intrusion Detection, and Intrusion Prevention systems all played a major role in creating the suit of armor I mentioned earlier. However, if you are relying on signature-based technologies such as these to draw your attention to suspect traffic, it's probably already too late.
It was then that I stumbled across ExtraHop, which I was introduced to by our application monitoring team. I remember assuming that it would be like any other performance monitoring tool I'd worked with before: a good place to get a second opinion on network traffic or to find performance blips, but not of major use for my team's purposes. I was so very wrong.
The first thing that struck me about ExtraHop was the speed and presentation of information. I had so much data in front of me, and it loaded insanely fast. I kept increasing the amount of data I was looking at, clicking through to get more context around spikes and anomalies, expecting ExtraHop to choke at any moment. It never did.
Why is presentation important? Well, let me put it this way ... There is a famous story about Apache attack helicopter pilots. They wear heads-up displays that let them see all the data about the state of their aircraft while flying, so they never have to look down at instruments. The designers assumed the pilots would love this way of flying. However, when the helicopter was being tested, the pilots struggled. They didn't know what information was relevant and it was distracting to them. They suffered information overload!
Given the vast quantity of insight that was being afforded to me by ExtraHop, I was amazed that the visuals told the story and provided me with the information I needed to know, remaining completely usable.
With ExtraHop, I found I was able to easily profile traffic flows from potentially compromised clients, looking for evidence of an attacker pivoting or malware propagating. Add to that protocol-specific intelligence that gave me insight into things such as abnormal DNS traffic, large SQL database responses, and HTTP behaviors and errors that can be signs of malicious activity.
Over time, my team and I came to realize that ExtraHop was a platform that we could build upon, and it became a crucial tool in our arsenal. We built alerts, triggers, and dashboards for security-relevant conditions. We used it in network forensic investigations and set up enhanced monitoring with ExtraHop as part of our standard incident response process. It allowed us to make smart decisions about what type of security controls to deploy and where we needed to deploy them.
No More Surprises
Wire data is everything, and if you can see everything, nothing should come as a surprise. With ExtraHop, there is no hiding and no signatures. Just a real-time view into your evolving network, which gives security operations teams like mine a crucial edge.
Then the opportunity came up for me to join ExtraHop, in a role where I'll be able to help other ExtraHop customers gain valuable security insights from this awesome product. How could I say no?
I am thrilled to help improve ExtraHop's capabilities from an information security perspective. The folks at ExtraHop are incredibly talented and the company is one that I have watched grow and innovate from the perspective of a customer for several years. I can't wait to see what we can achieve together.
This is a companion discussion topic for the original entry at https://www.extrahop.com/blog/2015/why-i-joined-extrahop-one-security-experts-story/