Reveal(x) BLUE CHIP CUSTOMERS
Network Detection and Response
Applying Machine Learning for Network Behavioral Detection
INDUSTRY ACCOLADES
NETWORK TRAFFIC ANALYSIS
COMPLETE EAST-WEST VISIBILITY
COMPLETE VISIBILITY
Continuous auto-discovery and classification of assets
Line-rate decryption of SSL/TLS 1.3 encrypted traffic
Full L2-L7 payload analysis of wire data for complete context
Petabytes of analysis per day at line rate (up to 100 Gbps)
REAL-TIME DETECTION
Full-spectrum detection via advanced ML, rules, and custom models
4,700+ metrics for precise and contextual behavioral analysis
Complete transaction-level detail
Real-time analytics provide high-fidelity alerts with few false positives
GUIDED INVESTIGATION
Streamlined, guided workflows help any user hunt threats like an expert
1-click investigation: detection to transaction to packet in seconds
Corroborative evidence via live activity maps & global search
Integration with enterprise tools and policies to automate response
How ExtraHop Reveal(x) Detects Threats
The Source for Real-Time Analytics
WIRE DATA
• Instant
• Empirical and Definitive
• Complete Context
"Wire data — radically rethought and used in new ways — ...will prove to be the most critical source of data for availability and performance management over the next five years."*
*Source: Gartner Research Note, "Use Data- and Analytics-Centric Processes With a Focus on Wire Data to Future-Proof Availability and Performance Management," Vivek Bhalla and Will Cappelli, March 10, 2016
Good Detections & Incident Response Start with Visibility
Incident Response
Forensic Investigation / Threat Hunting
Real-Time Detection
ML-based Behavioural, Rule/Signatures, Threat Intel
Security Hygiene
CVEs, Expired Certs, Self-Signed Cert, Weak Cipher
Visibility
Scalability (up to 100 Gbps)
Protocol Fluency
SSL/TLS Decryption
Critical Asset Classification
Visibility At Scale
Fluent in the Technologies That Run Your Business
https://assets.extrahop.com/datasheets/ExtraHop-Protocol-Modules-Datasheet.pdf
Network Visibility
Flow vs DPI vs Full Stream Reassembly of Wire Data
Network Detection & Response for Enterprise
What Sets ExtraHop Apart | Why It Matters
Distributed Architecture at Scale (petabytes of data analyzed each day from edge to core to cloud) | No gaps or compromises in coverage
Real-time Decryption (decrypt SSL/TLS-encrypted traffic) | See threats hiding within encrypted traffic—up to 70% of datacenter communications
4600+ Metrics (application-fluent in 50 enterprise protocols) | More robust data for ML models and more accurate detections
Critical Asset Lens (dynamic and continuous) | Accurate monitoring, prioritized focus
Investigation and Automation (supports enterprise IR runbooks) | Superior SOC analyst productivity and faster time to resolution
Integration and Customization (open APIs and a programmable parsing engine) | Operationalizes with existing tools and unique requirements
COMPLETES THE SOC VISIBILITY TRIAD
The Cyber Triad: NDR, SIEM and EDR
• Combine network, agent and log data (NDR for complete visibility)
• Achieve holistic security approach
• Eliminate risk of undetected attacks and lateral movements
TOOL CONSOLIDATION
SecOps Tools & NetOps Tools
NetOps Tools: Network Performance Monitoring and Diagnostics (NPMD); Network Change and Configuration Management Tools; Network Configuration Automation
SecOps Tools: Network Detection and Response (NDR); Network Forensics; NAC; Firewall Policy Rule Management
Shared Tools / Shared Instrumentation: Device Discovery; Network Packets; Application Protocols
Source: "Align NetOps and SecOps Tool Objectives With Shared Use Cases," Gartner, July 2018
SECURITY OPERATION TOOLS
Asset Inventory
Comprehensive inventory of all assets including unmanaged and IoT
https://www.youtube.com/watch?v=2KBF0EKcEXM
Lateral Movement
Detect post-compromise reconnaissance and lateral movement to stop the threat before the breach
https://www.youtube.com/watch?v=dP3TKi6iSP0
Monitor Sensitive Data
Detect unauthorized movement of sensitive data
https://www.youtube.com/watch?v=tNQcAdx5mRY
Threat Detection and Response
By combining rule- and behavior-based analytics, your SOC can identify real threats, faster
https://www.extrahop.com/company/blog/2020/threat-investigation-speed-run-revealx/
Intelligent Response
Detect unusual behavior and activity across the hybrid network
https://www.extrahop.com/use-cases/security/alert-response/
Threat Hunting
Streamlined threat hunting with rich transaction data for all analyst levels
https://www.extrahop.com/use-cases/security/threat-hunting/
Remote Access
Secure remote access and troubleshoot VPN connectivity and performance problems
https://www.youtube.com/channel/UCUFjHkLX0NYMx3YLoGuFx6w
Secure Decryption
Out-of-band decryption of SSL/TLS 1.3 is needed to detect malicious behavior hiding within encrypted traffic
https://www.extrahop.com/company/blog/2018/five-reasons-secops-needs-decryption/
Behavior Analytics
https://www.extrahop.com/resources/webinars/analyzing-malicious-behavior/
Incident Response
Incident response when you have 72 hours to disclose a breach under GDPR.
https://www.extrahop.com/company/blog/2019/how-to-do-incident-response-with-72-hours-to-disclose/
Forensic Investigation
Search for network evidence to identify, collect and analyze indicators of compromise
https://www.extrahop.com/company/blog/2021/sunburst-origin-story/
Advanced Persistent Threat
Advanced, stealthy attackers should be fought where they are: on the inside
https://www.extrahop.com/company/blog/2020/detect-and-stop-lateral-movement/
NETWORK OPERATION TOOLS
Triage and Troubleshooting
Quickly resolve performance issues
https://www.extrahop.com/use-cases/it-ops/resolve-performance-issues/#three-questions
Remote Working
Support distributed workforces
https://www.extrahop.com/use-cases/it-ops/support-distributed-workforce/
NetSecOps
Eliminate silos between NetOps and SecOps to improve incident response and productivity
https://www.extrahop.com/use-cases/it-ops/netops-secops-collaboration/
Cloud Operations
Migrating workloads to the cloud is risky without understanding all the dependencies
https://www.extrahop.com/use-cases/it-ops/scale-to-cloud/
Application Performance Monitoring
Eliminate blind spots in your app delivery chain & ensure a high-quality user experience without agents / logs
https://www.extrahop.com/solutions/app-analytics/
Network Hygiene and Compliance
Continuous monitoring, operational awareness & automated audits give you immediate answers to proactively maintain hygiene and compliance at massive scale
User Experience Monitoring
Improve user experience with end-to-end visibility and solve problems before your users feel the pain.
https://www.extrahop.com/solutions/app-analytics/customer-experience-monitoring/
Remote Site Monitoring
Improve branch office and remote site visibility to proactively identify and fix issues.
https://www.extrahop.com/solutions/network/remote-site-visibility/
Remote Access Monitoring
Maintain uptime and monitor resource usage to keep remote workforces productive.
https://www.extrahop.com/solutions/network/remote-access/
VPN Monitoring
Monitor traffic and performance for remote VPN users to detect unexpected or bad behaviors.
https://www.extrahop.com/customers/community/bundles/extrahop/wfh-vpn-bundle/
SSH Monitoring
Monitor Secure Shell (SSH) connections to keep users productive and prevent suspicious activity.
https://www.extrahop.com/company/blog/2020/security-in-the-wake-of-remote-access/
Infrastructure Monitoring
Gain visibility into the critical systems, servers, and applications that make up business-impacting experiences.
https://www.extrahop.com/use-cases/it-ops/resolve-performance-issues/
DEPLOY IN ANY ENVIRONMENT
Complete Visibility (from less granular to very granular):
DISCOVER (EDA): Time-Series Metadata. Retention: Months and Years
EXPLORE (EXA): Transactional Metadata. Retention: Days and Weeks
TRACE (ETA): Raw Original Packets. Retention: Hours and Days
Operationalized ExtraHop Deployment: Leveraging Existing Investments, Strengthening Overall Security Posture
Inputs to the ExtraHop Platform: unstructured wire data; 3rd party threat intelligence feeds (threat feed / IOCs); ExtraHop Community bundles/extensions
ExtraHop Platform: machine learning, real-time detection, response, threat hunting, dashboards & reports
Outputs (detections, triggered records, etc., direct or via SOAR solution): Firewall / IDS / NAC; Vulnerability Scanner; EDR/AV; SIEM; Case Management; Incident Ticketing System; CMDB
PROPOSAL DEPLOYMENT TOPOLOGY
Discover VM (EDA-1100v) - 1 node
• 1 Gbps Real-Time Traffic Analysis
• Up to 250 Critical Assets, up to 750 Endpoints
• 50+ Protocol Modules & Decryption (SSL and PFS)
• Real-Time Anomaly Detection
• 2 x 1 GbE Base-T SPAN Port, 1 x 1 GbE Base-T Management & Access Port
Explorer VM (EXA-S) – 1 node
• VMware ESX or ESXi 5.5 or later
• 8 vCPUs, 16 GB RAM, 8 GB Boot Disk
• 500 GB datastore disk
Questions?