ExtraHop Reveal(x) – Network Detection and Response
SecOPs teams are working under a tremendous load nowadays. The attacks, malware and phishing are sophisticated and cybercriminals have unlimited time and resources to utilize them. False positive cases and extra noise is putting pressure and load on sysadmins and often you need to use multiple tools to find out what has happened when an attacker has breached you network.
Reveal(X) is a tool which uses passive sensors to collect all network traffic right out of the wire. It does not need agents or credentials to server or network devices as it uses mirror/spanning ports or network taps to collect the data. Even from the cloud services like Azure, AWS and Google cloud.
With Reveal(x) you’ll get a view on over 80 protocols through network layers 2 to 7. Using the computing power of the cloud (in Frankfurt, Germany in EU area) and unique algorithms helps you to find the bad from the norm.
Intuitive user interface will show and guide you to mitigation suggestions even if you were not a SECops pro. This gives an advantage for the operating teams, instead of collecting all the logs from SIEM, servers, firewalls, workstations etc. and arrangin a meeting with different silos in a war room, you can detect and response to suspicious traffic in real time.
his gives an edge. When a breach is detected, according to GDPR rules you have 72 hours to report what was stolen. With Reveal(x) you will see everything all the way to TCP packet level. And in a secure way, the data is not in the network, the attacker cannot go and clean the logs nor even see that you’re watching over their shoulder.
How does it work (in a nutshell)
When you fire up the Reveal(x) appliance (hardare or virtual) the first thing it does is start collectin the the data from the wire. During this initial time it creates a baseline and an inventory of the network devices. It starts to figure out what is normal and what is abnormal traffic. If there’s malware running or outdated certificates or cipher suites, legacy servers etc. You may call it a Swiss Army Knife of a network traffic. Reveal(x) can decrypt TLS 1.3 traffic too, so it can see inside the encrypted traffic as well. (private keys must be available)
ExtraHop Reveal(x) components (appliances):
Discovery Appliance (EDA), Uses the passive sensors to collect the netwrok traffic from “mirror/spanning port, network tap ”
Explore Appliance (EXA) Stores all the data and has a GUI for the user to see what is going on in the network.
Trace Appliance (ETA) packet capturing device which integrates with EDA and Command Appliance. User can download the PCAP with a single click on a button.
Command Appliance (ECA) centralized management applicance for environments with multiple EDA, EXA and ETA appliances. Command Appliance collect the data from distributed environments like branch offices and multiple datacenters or clouds.
Currently many network traffic analyzers need a lot of configuration work, agents and/or credentials to different data sources. Reveal(x) gets the data straight out from the wire and applies cloud based machine learning to it. This takes away the burden of keeping your configuration files and credentials up to date to keep up with the evolving threats.