6 New Features to Look for in Network Detection and Response
...and Why They Matter
Jesse Munos
April 3, 2020
Security analysts, incident responders, and IT Operations teams need to understand the most important alerts to focus on and need fast access to data at their fingertips to quickly investigate and respond.
The following 6 new features for network detection and response (NDR) set the standard for accelerating investigations with the right data at the right time. Below we outline what to look for in network detection and response: detection on interactive traffic, detection-based access controls, accelerating investigations with enhanced detection filters, flexibility of deployment, identifying all of the devices on your network, and understanding which devices on your network matter most.
Watch the video below for a full overview of these features in the latest release of ExtraHop Reveal(x):
Detect on Interactive Traffic
Machine learning models offer the best way to automatically detect a variety of attacks. In nearly all attack scenarios, attackers begin by first compromising a single system and setting up a stealthy C2 channel for interactive sessions and lateral movement. ExtraHop Reveal(x) now provides enhanced detection capabilities for this interactive traffic. This includes, but is not limited to, C2 activity such as bind shells, reverse shells, and remote desktop activity. These improvements are designed to uncover stealthy C2 channels and quickly bring them to the attention of analysts, together with all of the detection details needed for investigation and remediation.
Detection-Based Access Controls
It's critical that sensitive security information remain restricted to those tasked with investigating and remediating malicious activity. It is our mission at ExtraHop to provide the best network-based detection capabilities on the market and to help security teams keep a greater focus on the task at hand. The new release of Reveal(x) introduces user-specific controls that allow admins to limit the scope of the information accessible to each user.
Administrators can now restrict who sees detections in the product while still allowing full access to the dashboards for those in SecOps, IT Ops, or other teams who need it. This allows security teams to fully investigate an incident and determine its severity before alarming or involving a broader team for remediation. Other Reveal(x) users will still benefit from all the data available within the product to troubleshoot operational or performance issues.
Accelerate Investigations with Enhanced Detection Filters
It doesn't matter how much data is available to an analyst if the data is hard to understand or if leveraging it requires a complicated workflow. Analysts need simplified yet powerful workflows that provide the information they need without hunting around for answers or having to leave their existing interface to find them. To facilitate faster investigations, it is now quicker and simpler to get to the detections you want in Reveal(x) by filtering for the highest-priority incidents to investigate. Our goal is to help Security and IT teams find answers in 3 clicks or less and drill down into the exact packets related to a detection without leaving the Reveal(x) console.
Deployment Flexibility
You need visibility, and it shouldn't matter whether your workloads are in the cloud, in your HQ data center, or in a hybrid model. It is important to provide you with the flexibility to meet the deployment needs of your unique environment. ExtraHop Reveal(x) will meet your deployment needs whether your organization is on-prem, hybrid cloud, cloud-native, or SaaS.
Identification of All Your Devices, Including IoT
Device identification is critical to providing complete visibility into what is connected to your network. It isn't only the device you need to know about, but the specific details of that device and its function on your network, which enable enhanced visibility into network traffic and security incidents. The newest refinements in device identification ensure that Reveal(x) always provides the most accurate identification of all devices on the network, including IoT. As an additional refinement, we have also added the ability to ingest remote DHCP traffic. This will greatly improve your ability to link traffic to its source and destination regardless of the network segment on which ExtraHop Reveal(x) is deployed.
How Important Are Your Devices on the Network?
One of the most difficult parts of IT and Security Operations is keeping track of which systems provide crucial services and, therefore, which alerts to prioritize. Some systems, such as DHCP servers, Domain Controllers, and web servers, are obviously important, but few remember the 5-year-old laptop that manages the keycards for the office, and you will want to know if that laptop starts acting out of character. To surface this data to you, ExtraHop Reveal(x) machine learning understands how a device should act, what its function is, and the data it has access to, and from this determines how important that device is. If a detection includes one of these critically important devices, you know that you should pay attention to that detection first.
Reveal(x) 8.0: Pushing the NDR Envelope
For years, ExtraHop has provided cutting-edge network monitoring and visibility, and during that time we have enhanced our capabilities to provide best-in-class security detections and alerts with a focus on accurate and relevant notifications. In our latest release, we have introduced new deployment models, improved feature functionality, and a wide variety of UI improvements to help security analysts investigate faster without sacrificing accuracy.
For more information, please see our video walkthrough of the Reveal(x) 8.0 Feature Release for these exciting new features and more.