New in Reveal(x): Built-in CrowdStrike Threat Intelligence, Falcon LogScale Record Storage, and More
ExtraHop
January 25, 2024
The latest release of Reveal(x) integrates industry-leading cyber threat intelligence from CrowdStrike Falcon® Intelligence Premium to help users detect and respond to threats with greater precision and confidence.
Version 9.5 of Reveal(x) Enterprise further expands its integration with the CrowdStrike Falcon® platform by giving joint customers the option to use CrowdStrike® Falcon LogScale™ next-gen SIEM for their record storage with on-premises deployments.
In addition, a new feature in the network performance management (NPM) module of Reveal(x) detects VoIP call quality problems. Also in version 9.5, the IDS module enables customers to import custom IDS rules based on the open-source Suricata framework, and an improved data exfiltration detection in the network detection and response (NDR) module is designed to help organizations reduce mean time to detect (MTTD) attacker activity.
Here is more information on the major new features and updates in version 9.5 of Reveal(x):
Falcon Intelligence Premium
The Falcon Intelligence threat intelligence product module, which provides real-time indicators of compromise (IOCs) and threat metadata, will be automatically integrated into the Reveal(x) NDR platform at no additional cost to ExtraHop customers.
CrowdStrike Falcon Intelligence, long recognized as the industry's leading automated and adversary-focused threat intelligence, provides a real-time stream of IOCs fed by trillions of global events each week. The feed includes details such as threat category, confidence level, the age of the IOC, attribution, related vulnerabilities, and more. This intelligence is used to enrich Reveal(x) alerts and detections in real time, giving analysts deeper context and shortening the time and effort needed to investigate and respond to threats.
The threat intelligence will also integrate with the Reveal(x) 360 automated retrospective detection feature to automatically search for IOCs associated with past attacks and ongoing campaigns that are preserved in the customer’s cloud recordstore.
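To make the enrichment and retrospective-search behaviour described above concrete, here is an added example (not ExtraHop or CrowdStrike code) that matches stored network records against a small IOC feed and attaches the feed's metadata to each hit. The feed and record field names, the confidence ranking, and all indicators and records are constructed for this example and are not the schema of any real feed or recordstore.

```python
"""Constructed example: enrich stored network records with IOC metadata."""
from datetime import date

# Ordering used to drop low-confidence noise; an assumption for this example.
CONFIDENCE_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed IOC feed. Field names are an assumption for illustration,
# not the schema of Falcon Intelligence or any other vendor feed.
IOC_FEED = [
    {"indicator": "198.51.100.23", "type": "ipv4", "category": "c2",
     "confidence": "high", "first_seen": "2024-01-10", "actor": "EXAMPLE ACTOR A"},
    {"indicator": "update-check.example", "type": "domain", "category": "phishing",
     "confidence": "medium", "first_seen": "2023-12-20", "actor": "EXAMPLE ACTOR B"},
    {"indicator": "203.0.113.9", "type": "ipv4", "category": "scanner",
     "confidence": "low", "first_seen": "2023-11-02", "actor": None},
]

# Constructed records as a recordstore might preserve them: a timestamp, the
# internal client, and either the server IP or the queried DNS name.
RECORDS = [
    {"ts": "2024-01-18T09:12:03Z", "client": "10.0.0.5", "server": "198.51.100.23", "proto": "tcp", "port": 443},
    {"ts": "2024-01-18T09:13:44Z", "client": "10.0.0.5", "qname": "update-check.example", "proto": "dns"},
    {"ts": "2024-01-18T10:01:10Z", "client": "10.0.0.8", "server": "203.0.113.9", "proto": "tcp", "port": 22},
    {"ts": "2024-01-18T10:05:00Z", "client": "10.0.0.9", "server": "93.184.216.34", "proto": "tcp", "port": 443},
]


def build_index(feed):
    """Map each indicator to its feed entry so record lookups are O(1)."""
    return {entry["indicator"].lower(): entry for entry in feed}


def ioc_age_days(entry, today):
    """Age of the indicator relative to the day the search runs."""
    return (today - date.fromisoformat(entry["first_seen"])).days


def record_indicators(record):
    """Yield the fields of a record that can be compared with an IOC."""
    for key in ("server", "qname"):
        if key in record:
            yield record[key].lower()


def enrich(record, index, today, min_confidence="medium"):
    """Return enriched hits for one record, skipping indicators below min_confidence."""
    hits = []
    for value in record_indicators(record):
        entry = index.get(value)
        if entry is None:
            continue
        if CONFIDENCE_RANK[entry["confidence"]] < CONFIDENCE_RANK[min_confidence]:
            continue
        hits.append({
            "ts": record["ts"], "client": record["client"], "indicator": value,
            "category": entry["category"], "confidence": entry["confidence"],
            "age_days": ioc_age_days(entry, today), "actor": entry["actor"],
        })
    return hits


def retrospective_search(records, feed, today, min_confidence="medium"):
    """Re-scan preserved records against the current feed (the retrospective case)."""
    index = build_index(feed)
    hits = []
    for record in records:
        hits.extend(enrich(record, index, today, min_confidence))
    return hits


if __name__ == "__main__":
    for hit in retrospective_search(RECORDS, IOC_FEED, date(2024, 1, 25)):
        print(hit)
```

The confidence floor is the knob worth tuning: a low-confidence scanner IP matching a single SSH connection is rarely worth an analyst's time, while a high-confidence C2 address with a recent first-seen date deserves immediate attention, and the age field tells the analyst how long the indicator has been live.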
As organizations face advanced and fast-moving threats, they need high-quality information to detect attacks and respond to them quickly. By combining the respective market-leading capabilities of Falcon Intelligence Premium with Reveal(x), customers gain greater confidence in their ability to see and respond to serious threats.
Falcon LogScale Record Storage for NDR
In addition to the threat intelligence integration, ExtraHop is partnering with CrowdStrike to give customers the option to use Falcon LogScale next-gen SIEM as their native recordstore for on-premises deployments. The new functionality lets customers consolidate their security logs in one place and simplify their logging architecture, while keeping security records under a level of control and access separate from general business data storage.
Joint customers of ExtraHop and Falcon LogScale will be able to send records from Reveal(x) Enterprise to Falcon LogScale for storage and further analysis, while still maintaining the ability to query the records from the Reveal(x) UI or from Falcon LogScale.
Collecting, analyzing, and storing the volume of data needed to secure an organization requires significant operational overhead. The integration of Reveal(x) Enterprise and Falcon LogScale pairs the leading NDR platform with a leading AI-native SIEM and log management platform built for fast and scalable security logging.
VoIP Call Quality Detection for NPM
ExtraHop continues to expand detection coverage in both the NDR and NPM modules of Reveal(x) by introducing new and updating existing behavioral detectors for security and performance use cases.
Among the updates for NPM, version 9.5 features a new detector designed to improve VoIP quality of service and user satisfaction. The new detector alerts IT operations teams to degradations in VoIP call quality so that they can react quickly and proactively to prevent service disruptions.
In many organizations, IT operations teams must either constantly check performance dashboards or rely on trouble tickets submitted by end users to identify voice quality problems. When VoIP users report isolated issues, it’s often challenging for IT operations teams to identify wide-scale network problems.
However, with the Reveal(x) detector, organizations can proactively monitor VoIP quality and take immediate remediation steps when problems first appear, in some cases even before employees report issues. Users will no longer need to wait for multiple complaints to pile up before their VoIP quality issues are fixed.
In addition to this VoIP call quality detector and other performance detector updates, ExtraHop also released new and updated detectors for security use cases, primarily around IOC coverage.
Custom Rule Import for IDS
A new capability of the Reveal(x) IDS module enables customers to import their own custom IDS rules written in the open-source Suricata rule syntax, allowing security teams to target the specific types of attacks they expect to face.
The new capability lets security analysts upload sets of .rules files to their cloud services through the Reveal(x) settings UI. They can then filter and search on results, and delete or replace custom rules as a set.
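Because a custom rule set is only as good as the rules in it, it is worth checking a .rules file before uploading it as a set. The following is an added example (not ExtraHop's or Suricata's own code) that parses Suricata rule headers and options, honours semicolons inside quoted strings and backslash line continuation, and rejects rules with missing or duplicate sids. The sample rule set is constructed for this example; the "sid at or above 1000000" check is a widely used convention for locally written rules rather than a Suricata requirement.

```python
"""Constructed example: parse and sanity-check a Suricata .rules file before uploading it."""
import re

# Rule header: action proto src sport direction dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)
LOCAL_SID_MIN = 1_000_000  # convention for local rules, not a Suricata requirement


def split_options(opts):
    """Split 'key:value; key; ...' on ';' while honouring quotes and backslash escapes."""
    items, buf, in_quote, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            items.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quote:
        raise ValueError("unbalanced quote in options")
    if "".join(buf).strip():
        raise ValueError("last option is not terminated with ';'")
    parsed = []
    for item in items:
        if not item:
            continue
        key, sep, value = item.partition(":")
        parsed.append((key.strip(), value.strip().strip('"') if sep else None))
    return parsed


def parse_rule(line):
    """Parse one logical rule line into a dict; raise ValueError on syntax problems."""
    match = RULE_RE.match(line)
    if not match:
        raise ValueError("does not match the rule header syntax")
    rule = match.groupdict()
    rule["options"] = split_options(rule.pop("opts"))
    opt = dict(rule["options"])  # repeated keywords (e.g. content:) overwrite; fine for msg/sid/rev
    for required in ("msg", "sid", "rev"):
        if required not in opt:
            raise ValueError(f"missing required keyword '{required}'")
    for numeric in ("sid", "rev"):
        if not (opt[numeric] or "").isdigit():
            raise ValueError(f"{numeric} must be a positive integer")
    rule.update(msg=opt["msg"], sid=int(opt["sid"]), rev=int(opt["rev"]))
    return rule


def load_rules(text):
    """Return (rules, errors); errors are (line_number, message) tuples."""
    rules, errors, seen, pending = [], [], {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if line.endswith("\\"):  # multi-line rule continues on the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        start = n - len(pending) + 1
        full = "".join(pending).strip()
        pending = []
        if not full or full.startswith("#"):
            continue
        try:
            rule = parse_rule(full)
        except ValueError as exc:
            errors.append((start, str(exc)))
            continue
        if rule["sid"] in seen:
            errors.append((start, f"duplicate sid {rule['sid']} (first used on line {seen[rule['sid']]})"))
            continue
        seen[rule["sid"]] = start
        rule["warning"] = (None if rule["sid"] >= LOCAL_SID_MIN else
                           f"sid {rule['sid']} is below {LOCAL_SID_MIN} and may collide with distributed rule sets")
        rules.append(rule)
    return rules, errors


# Constructed custom rule set used to exercise the checks above.
SAMPLE_RULES = r"""# Constructed custom rule set (not a vendor rule set)
alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg:"CUSTOM Outbound SSH from workstation VLAN"; flow:to_server,established; sid:1000001; rev:1; classtype:policy-violation;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CUSTOM Archive upload via HTTP POST"; \
    flow:established,to_server; http.method; content:"POST"; \
    http.request_body; content:"PK|03 04|"; depth:4; sid:1000002; rev:2;)
alert dns any any -> any any (msg:"CUSTOM Lookup of known-bad domain; see ticket 42"; dns.query; content:"update-check.example"; nocase; sid:1000003; rev:1;)
alert tcp any any -> any any (msg:"CUSTOM Duplicate sid"; sid:1000001; rev:1;)
alert tcp any any -> any any (msg:"CUSTOM Missing sid";)
this is not a rule
alert tcp any any -> any any (msg:"CUSTOM Low sid"; sid:42; rev:1;)
"""

if __name__ == "__main__":
    rules, errors = load_rules(SAMPLE_RULES)
    for r in rules:
        print(f"ok   sid={r['sid']} rev={r['rev']} {r['msg']}" + (f"  [{r['warning']}]" if r["warning"] else ""))
    for lineno, message in errors:
        print(f"line {lineno}: {message}")
```

Running the checker before an upload catches the failures that otherwise surface only after the set has replaced its predecessor: a duplicate sid silently shadows an older rule, and a rule that fails to parse can take the whole set with it.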
Custom rule sets are beneficial to security teams because attackers are increasingly targeting specific industries. With this new capability, organizations can import and use IDS rules that are unique to their business or industry.
Some organizations may be reluctant to move off standalone IDS solutions because they rely on custom rules. The new feature in Reveal(x) lets them reduce risk by combining the benefits of IDS with the leading NDR solution to enhance east-west network visibility. Customers using Reveal(x) NDR capabilities can augment their security posture by adding the IDS module, which includes tens of thousands of curated rules, and by importing their own custom rules to defend against advanced attacks.
Improved Data Exfiltration Detection
Finally, an updated data exfiltration detection in the Reveal(x) NDR module will give security teams additional information about attacker attempts to steal data.
The new data exfiltration detector is targeted toward common archive file types observed in attack campaigns. Reveal(x) detects unusual outbound SSH connections and unusual RDP and FTP traffic.
The improved detector will give Reveal(x) users increased coverage of the MITRE ATT&CK® framework, and it will shorten the MTTD for data exfiltration attempts, even as threat actors adopt more advanced data exfiltration techniques.
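The detector described above looks for archive file types, unusual outbound SSH connections, and unusual RDP and FTP traffic. The following is an added example (not ExtraHop's detector) showing how such logic can be expressed over flow records: it learns each internal host's normal external SSH/RDP/FTP destinations from a baseline window, then flags later flows that go to a new destination, carry an archive file name, or are large and heavily upload-skewed. The flow records, the byte thresholds, the port-to-service mapping and the "internal" address check are all constructed assumptions for this example.

```python
"""Constructed example: flag likely data exfiltration in flow records."""
from collections import defaultdict
from datetime import datetime

# Assumptions for this example: these ports name the service, 10/8 and
# 192.168/16 are "internal", and the thresholds are illustrative only.
SERVICE_BY_PORT = {22: "ssh", 3389: "rdp", 21: "ftp"}
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".tar", ".tgz", ".gz")
UPLOAD_BYTES = 50 * 1024 * 1024   # flag single transfers sending at least this much
UPLOAD_RATIO = 10.0               # ...when bytes out exceed bytes in by this factor

MB = 1024 * 1024
CUTOFF = datetime(2024, 1, 24)    # flows before this build the baseline; after it are evaluated

# Constructed flow records: one dict per connection, bytes measured from the client's side.
FLOWS = [
    {"ts": datetime(2024, 1, 22, 9, 0), "src": "10.0.0.5", "dst": "198.51.100.40", "dport": 22, "bytes_out": 20_000, "bytes_in": 30_000},
    {"ts": datetime(2024, 1, 23, 9, 5), "src": "10.0.0.5", "dst": "198.51.100.40", "dport": 22, "bytes_out": 18_000, "bytes_in": 31_000},
    {"ts": datetime(2024, 1, 23, 11, 0), "src": "10.0.0.5", "dst": "198.51.100.40", "dport": 21, "bytes_out": 4_000, "bytes_in": 900, "filename": "report.csv"},
    {"ts": datetime(2024, 1, 24, 9, 2), "src": "10.0.0.5", "dst": "198.51.100.40", "dport": 22, "bytes_out": 15_000, "bytes_in": 40_000},
    {"ts": datetime(2024, 1, 24, 23, 41), "src": "10.0.0.5", "dst": "203.0.113.77", "dport": 22, "bytes_out": 400 * MB, "bytes_in": 2 * MB},
    {"ts": datetime(2024, 1, 25, 2, 10), "src": "10.0.0.8", "dst": "203.0.113.90", "dport": 21, "bytes_out": 80 * MB, "bytes_in": 5_000, "filename": "hr-backup.7z"},
    {"ts": datetime(2024, 1, 25, 10, 30), "src": "10.0.0.9", "dst": "203.0.113.12", "dport": 80, "bytes_out": 3 * MB, "bytes_in": 1 * MB, "filename": "photos.zip"},
    {"ts": datetime(2024, 1, 25, 11, 0), "src": "203.0.113.5", "dst": "10.0.0.5", "dport": 22, "bytes_out": 500 * MB, "bytes_in": 1 * MB},
]


def is_internal(ip):
    return ip.startswith("10.") or ip.startswith("192.168.")


def is_outbound(flow):
    return is_internal(flow["src"]) and not is_internal(flow["dst"])


def build_baseline(flows, cutoff):
    """Per (host, service): the external destinations seen before the cutoff."""
    baseline = defaultdict(set)
    for f in flows:
        svc = SERVICE_BY_PORT.get(f["dport"])
        if f["ts"] < cutoff and svc and is_outbound(f):
            baseline[(f["src"], svc)].add(f["dst"])
    return baseline


def evaluate(flow, baseline):
    """Return the reasons one outbound flow looks like exfiltration (empty list if none)."""
    if not is_outbound(flow):
        return []
    reasons = []
    svc = SERVICE_BY_PORT.get(flow["dport"])
    if svc and flow["dst"] not in baseline.get((flow["src"], svc), set()):
        reasons.append(f"new outbound {svc} destination")
    if (flow.get("filename") or "").lower().endswith(ARCHIVE_EXTS):
        reasons.append("archive file transfer")
    ratio = flow["bytes_out"] / max(flow["bytes_in"], 1)
    if flow["bytes_out"] >= UPLOAD_BYTES and ratio >= UPLOAD_RATIO:
        reasons.append("large upload-heavy transfer")
    return reasons


def detect(flows, cutoff):
    """Evaluate every post-cutoff flow against the baseline learned before it."""
    baseline = build_baseline(flows, cutoff)
    alerts = []
    for f in flows:
        if f["ts"] < cutoff:
            continue
        reasons = evaluate(f, baseline)
        if reasons:
            alerts.append({"ts": f["ts"].isoformat(), "src": f["src"], "dst": f["dst"],
                           "dport": f["dport"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(FLOWS, CUTOFF):
        print(alert)
```

The known admin SSH session to 198.51.100.40 produces nothing, while the late-night 400 MB SSH push to an unfamiliar host, the FTP upload of hr-backup.7z from a host with no FTP history, and the archive sent over plain HTTP each raise an alert, with the number of reasons serving as a rough severity. In practice the baseline should span weeks rather than two days and the thresholds should be set per network segment.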