ExtraHop Reveals Security Analytics Tool

Secure Ops2

By: Michael Vizard

It doesn’t get any more real than being able to analyze data at wire speed in real time. Now ExtraHop Networks wants to apply that capability to security. The company today announced the availability of ExtraHop Reveal(x), an instance of the company’s appliance for applying machine learning algorithms to analyze network traffic inline that has been tailored specifically to address security.

The basic idea is to create a turnkey approach to security analytics based on the appliance that ExtraHop developed that can capture and analyze network traffic in real time, says Matt Cauthorn, vice president of security for ExtraHop.

“We’re extending a capability around one of the biggest use cases for our appliances,” says Cauthorn.

Cauthorn says ExtraHop Reveal(x) makes use of machine learning algorithms to analyze data aggregated in the cloud to not only automatically classify devices and applications, but also discover anomalies. Those anomalies can then be correlated against known attack chain vectors to make it possible to also more easily discover when cybercriminals are scanning open ports or make multiple login attempts.

“We’re able to detect anomalies at the transaction level,” says Cauthorn.

Other activities that can also be detected include lateral movement of malware across the network; communications between a compromised host and some unknown external source; and any exfiltration of large amounts of data.

To make it simpler to sort through all that data, Reveal(x) includes graphical tools that enable analysts to review relationships between activities, including exhibited behaviors, baseline measurements, transaction details, and the assets involved, says Cauthorn. Individual transactions can also be replayed to aid in security forensics tasks, adds Cauthorn.

Most IT security teams spend a lot more time looking for the cause of problem than they do remediating it once it's discovered. Given the sophistication of social engineering attacks these days, most IT organizations can assume malware has already infected their systems. The challenge IT organizations face now is detecting that malware as quickly as possible to limit any potential harm.

Many IT organizations today are relying on log analytics to try and discover anomalies indicative of compromised systems. But Cauthorn notes that cybercriminals are become increasingly adept at covering their tracks by adjusting log files. The only way to be certain of detecting the presence of malware activity is to be able to analyze network traffic in-line, says Cauthorn.

It remains to be seen how IT security defenses will evolve as more organizations assume that malware has managed to get past their perimeter defenses. But the longer malware lingers, the greater the potential harm that can be inflicted becomes.