Turning a Moonshot into Reality

ExtraHop and Netskope Bring Unprecedented Visibility to SSE Environments

ExtraHop

September 10, 2024

ExtraHop is excited to announce the general availability of our built-in integration with Netskope Cloud TAP, giving joint customers unprecedented visibility into their Netskope Intelligent Security Service Edge (SSE) environments. This expanded visibility enables customers to detect advanced threats, monitor the performance of critical business services, and preserve forensic evidence for compliance purposes.

Similar to a traditional network test access point (TAP) that connects directly to cabling infrastructure to copy network packets, Netskope Cloud TAP is a new cloud service that connects directly to the Netskope NewEdge network to copy encrypted traffic packets and session keys. While the integration between Netskope Cloud TAP and ExtraHop RevealX has been available to early adopters for several months, it now supports export to customer environments on AWS, Azure, and Google Cloud Platform (GCP). From there, feeding Netskope traffic to RevealX is a complete visibility solution that scales to meet the needs of the world's largest enterprises.

Historically, SSE environments created blind spots, blocking visibility to north-south traffic. Meanwhile, cyberattacks are becoming harder to detect, outages can come from unexpected culprits, and operational resilience is becoming a regulatory imperative. Customer feedback became the catalyst for innovation. This integration is the culmination of close collaboration between two deeply committed technology partners and their customers.

The Moonshot

One customer in particular was making significant investments to migrate their core applications to the cloud, and using Netskope to enable teams to work from anywhere. While the organization was seeing tremendous benefits as a result of moving to the cloud, the traditional network perimeter was evaporating. With a hybrid environment and a remote workforce, the organization’s security team lost the visibility they once had.

One option was to move to SASE, rely on an endpoint detection and response (EDR) solution, and hope nothing really bad happened. A Ponemon report found that an average of 48% of enterprise devices are at risk because they are not being detected by IT or because their operating system is outdated.

But in today’s always-connected, encrypted world, blind spots are unacceptable. Too much is at stake. There had to be a better way. The company’s security leader thought that if they could get the internet traffic and session keys from Netskope into ExtraHop for decryption and analysis, they would gain a ubiquitous view of all traffic. He called the idea a “moonshot” because complete observability of SSE traffic was unheard of at the time.

Now, together with Netskope, we’ve made this moonshot into a reality.

“The value add is getting visibility into traffic from laptops and mobile devices that are off the corporate network. We haven’t been able to see that before. The ability to see all that traffic, all the time, is huge.”
Global Cybersecurity Executive, Financial Services Organization

Large, well-established enterprises were not the only customers seeking this integration. ExtraHop received similar feedback from smaller, cloud-first organizations, including a boutique investment firm. The firm’s vice president shared that the company’s geographically distributed, fully mobile workforce uses many leading SaaS apps, and the traffic goes directly to employee endpoints without ever routing through a managed datacenter or VPN. The executive emphasized the importance of zero trust solutions like SSE, but lamented the loss of visibility. He asked us if they could use RevealX to monitor Netskope traffic.

Top Use Cases

For customers who have already been using the integration, the top use cases for ExtraHop RevealX remain the same. Expanded global visibility lets organizations:

  1. Detect advanced threats, even in encrypted traffic
  2. Identify the root cause of performance issues and improve the user experience
  3. Preserve evidence for forensic analysis and regulatory compliance

Detect Advanced Threats, Even in Encrypted Traffic

The RevealX platform from ExtraHop helps organizations gain broad visibility across their entire attack surface. RevealX automatically discovers all assets communicating on an organization’s network in real time, immediately identifies unmanaged assets, and maps dependencies related to your business applications. It does this without the use of agents. Rather, ExtraHop analyzes a copy of network traffic that it receives from, in this case, Netskope Cloud TAP. If there’s a device on your network that is unknown and lacking policy enforcement, ExtraHop will help you identify it.

ExtraHop excels at detecting high-risk attack patterns including lateral movement, privilege escalation, and living-off-the-land attacks that exploit weaknesses in native tools. This includes attacks that abuse proprietary protocols from Microsoft to gain privileged access to Active Directory, such as Kerberoasting.

ExtraHop decrypts traffic out-of-band. Because it analyzes a copy of network traffic, the original communication is never impacted or slowed. Data-in-transit stays encrypted and protected with TLS 1.3 and Perfect Forward Secrecy until it reaches its final destination (see Figure 1).

Figure 1: How It Works

Identify the Root Cause of Performance Issues and Improve the User Experience

Modern applications are made of multiple component stacks that all have to work together in synchronicity across the network. Given this complexity, when latency or an outage strikes, identifying the root cause is akin to trying to find a needle in a haystack. The ability to quickly identify the root cause and resolve performance issues allows organizations to maintain productivity, brand loyalty, and revenue.

While application performance management (APM) solutions can be effective for identifying many issues, they don’t have a clear view of the whole story. Issues can lie in any of the following enterprise application architecture layers, which APM solutions don’t always have visibility into:

  • Presentation - where the end user interacts with the application, e.g., a mobile device
  • Business logic - the core functions and business rules of the application
  • Data - how the application interacts with backend databases and data stores
  • Integration - how the app connects to different systems, e.g., APIs and middleware
  • Performance - e.g., load balancing to distribute traffic across multiple servers
  • Scalability - e.g., microservices architecture and containerization

Every interaction between users, applications, shared services, and backend systems is underpinned by traffic on the network. RevealX captures packet data on every interaction in near real time, providing a rich source of data to clearly identify where problems lie, speed resolution, and improve the user experience.

Preserve Evidence for Forensic Analysis and Regulatory Compliance

ExtraHop offers a range of options to store records, including 30, 90, or 180 days of storage and access with Standard Investigation. Working with the scalable PCAP repository, responders can perform forensic investigation with a deep level of network visibility to speed up intruder eradication and strengthen operational resilience.

For entities that store, process, and/or transmit cardholder data for credit and debit card transactions, these stored records enable entities to comply with the Payment Card Industry Data Security Standard (PCI DSS). This regulation requires entities to retain audit trail history for at least one year, with a minimum of three months of history immediately available for analysis.

Close the Loop and Prevent Further Infection

When ExtraHop uncovers previously undetected attacks, the Netskope Cloud Threat Exchange extracts the attacks’ indicators of compromise and shares those with the customer’s Netskope tenant for use in matching policies. The attack surface is automatically reduced. The attack is stopped. The indicators surfaced by ExtraHop can also be shared with multiple connected partner systems via Netskope Cloud Threat Exchange for a broader protection update.
