How to Evaluate NDR in a Single Sprint
POC Datacenter Tech Outside of Production Environments
April 7, 2020
Your SOC team realizes security breaches are inevitable and wants to build organizational muscle to detect and respond to threats that sneak in despite your best "protect and prevent," defense-in-depth efforts. And you understand that network detection and response (NDR) solutions provide packet-level visibility that isn't possible with endpoint detection and response (EDR) and security information and event management (SIEM) solutions. You also know NDR doesn't come with the common observability baggage of installing agents and wrangling flow, firewall, and event logs.
Now that you're ready to enter the world of acceptable "time to detect" and "time to respond" dwell time measurements—think milliseconds and seconds instead of weeks, months, or years—there's just one thing standing in the way of your cybersecurity maturity dreams coming true. You have to choose which NDR solution to buy. In many cases, identifying which NDR offering rises above the noise of marketing claims and buzzwords requires some kind of evaluation project. Sounds like it's proof of concept (POC) time.
If you need a refresher on why the most effective way to detect threats early and enable robust and nuanced automated remediation is to use full packet data to analyze attack behavior as it happens (going deeper than network flow data and not subject to the downsides of event logs), Gartner's concept of the SOC Visibility Triad lays out the case for why NDR gives organizations the biggest maturity boost for the least effort.
Evaluating NDR Solutions
Production-quality environments are the best proving grounds for cutting through a vendor's carefully-crafted product claims. Speaking to analysts, reading third-party reviews, consuming product documentation, and getting live demos from the vendor's sales team are no substitute for your skilled team's sound judgement, formed through extended hands-on product experience.
Customers like POCs because they get to kick the tires on a vendor solution in a realistic, production-quality environment and see how the product performs on their own live data. After all, anything can be made to look pristine in a demo. Vendors, of course, like the POC because they get to showcase their product to buyers who are willing to spend weeks preparing for it and a month (or three) participating in the evaluation. Plus, those prospects are more likely to actually buy at the conclusion of the POC.
But "proof of concept" is a misnomer for an evaluation project that requires looping in multiple teams for design and architecture meetings, navigating the dreaded change approval process, and de-risking the POC design implications for interdependent production systems. Even after all those steps, the evaluation requires more cross-team coordination to install, configure, and tune the product.
At this point, you're way past "proving a concept." A sprawling and unwieldy effort like this is better thought of as a "Pilot Project," and it's natural to recoil from them because, in the worst cases, they can waste considerable time and effort on something that goes nowhere, leaving stakeholders empty-handed. And even a successful Pilot Project has its drawbacks because you've still got to do your actual job during the evaluation.
Defender-attacker asymmetry is real. Security teams need to protect their organization's assets and data from 100% of the attacks levied against them, yet attackers only need a single successful exploit to get a foothold. Without NDR, it's easier for adversaries to establish persistence and move laterally undetected, which means you need to make the right NDR selection yesterday, not in three months at the conclusion of your Pilot Project.
Unfortunately, NDR vendors haven't created a low-friction model that allows you to properly evaluate a datacenter technology without installing anything in your datacenter—until now.
The Single-Sprint POC
ExtraHop is the only NDR vendor whose technology can be delivered as a pure SaaS solution that's purpose-built for securing the dynamic and ephemeral AWS workloads at organizations of any scale. The deployment-less nature of a SaaS also enables organizations to leverage the cloud to conduct a complete, hands-on evaluation of Reveal(x) 360 in a single, two-week sprint.
You can simply select one of ExtraHop's network and application templates to stand up a true-to-name POC environment in AWS that is functionally equivalent to your actual datacenter environment. Packet acquisition is handled automatically at environment-creation time using AWS Lambda to manage AWS VPC Traffic Mirroring sessions. Red Teams can safely attack this POC environment, and Blue Teams can watch the Red Team's every movement with Reveal(x) 360, all without having to install a single piece of hardware in the datacenter or a single agent on monitored workloads. This means ExtraHop eliminates the need for planning and architecture meetings before the evaluation kicks off, and you don't have to defend the evaluation installation plans in front of the Change Approval Board.
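The page says packet acquisition for the POC environment is automated by AWS Lambda managing VPC Traffic Mirroring sessions. The following is an added illustration of that pattern, not ExtraHop's own code: a Lambda-style handler that reacts to an EC2 instance entering the "running" state and enrols its primary network interface in a mirror session pointed at the sensor. It assumes the mirror target and filter already exist (ids supplied via the hypothetical MIRROR_TARGET_ID / MIRROR_FILTER_ID environment variables), and it accepts any object with the three boto3 EC2 client methods it uses, so a constructed stand-in lets it run offline. The instance, ENI and session ids in the stand-in are constructed sample values.

```python
"""Added example (not ExtraHop's own code): enrol a newly running EC2 instance in
VPC Traffic Mirroring so an NDR sensor receives a copy of its traffic.

Assumptions (not from the page): the mirror target and filter already exist and
are passed via MIRROR_TARGET_ID / MIRROR_FILTER_ID; any object exposing the three
boto3 EC2 client methods used below can serve as the client.
"""
import os


def primary_eni_id(ec2, instance_id):
    """Return the primary ENI (DeviceIndex 0) of an instance, or None."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    for reservation in resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            for eni in inst.get("NetworkInterfaces", []):
                if eni.get("Attachment", {}).get("DeviceIndex") == 0:
                    return eni["NetworkInterfaceId"]
    return None


def existing_session_id(ec2, eni_id):
    """Return the id of a mirror session already attached to the ENI, if any.
    Checking first keeps the handler idempotent: EventBridge may deliver the
    same state-change event more than once."""
    resp = ec2.describe_traffic_mirror_sessions(
        Filters=[{"Name": "network-interface-id", "Values": [eni_id]}]
    )
    sessions = resp.get("TrafficMirrorSessions", [])
    return sessions[0]["TrafficMirrorSessionId"] if sessions else None


def ensure_mirror_session(ec2, instance_id, target_id, filter_id, session_number=1):
    """Create a mirror session for the instance's primary ENI unless one exists.
    Returns a dict describing what happened so callers can check the outcome."""
    eni_id = primary_eni_id(ec2, instance_id)
    if eni_id is None:
        return {"instance": instance_id, "action": "skipped", "reason": "no primary ENI"}
    session_id = existing_session_id(ec2, eni_id)
    if session_id:
        return {"instance": instance_id, "eni": eni_id, "action": "exists", "session": session_id}
    resp = ec2.create_traffic_mirror_session(
        NetworkInterfaceId=eni_id,
        TrafficMirrorTargetId=target_id,
        TrafficMirrorFilterId=filter_id,
        SessionNumber=session_number,  # lower number = higher priority on the ENI
        Description=f"NDR POC mirror for {instance_id}",
    )
    return {"instance": instance_id, "eni": eni_id, "action": "created",
            "session": resp["TrafficMirrorSession"]["TrafficMirrorSessionId"]}


def lambda_handler(event, context=None, ec2=None):
    """Entry point for an EventBridge 'EC2 Instance State-change Notification'.
    Only instances entering 'running' are enrolled; other states are ignored."""
    detail = event.get("detail", {})
    if detail.get("state") != "running":
        return {"instance": detail.get("instance-id"), "action": "ignored",
                "reason": detail.get("state")}
    if ec2 is None:
        import boto3  # real client only when running inside Lambda
        ec2 = boto3.client("ec2")
    return ensure_mirror_session(
        ec2, detail["instance-id"],
        os.environ["MIRROR_TARGET_ID"], os.environ["MIRROR_FILTER_ID"],
    )


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client so the example runs offline."""

    def __init__(self):
        self.sessions = {}  # eni_id -> session id
        self.counter = 0

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [{
            "InstanceId": InstanceIds[0],
            "NetworkInterfaces": [{"NetworkInterfaceId": "eni-0abc",  # constructed
                                   "Attachment": {"DeviceIndex": 0}}],
        }]}]}

    def describe_traffic_mirror_sessions(self, Filters):
        eni = Filters[0]["Values"][0]
        found = [{"TrafficMirrorSessionId": s} for e, s in self.sessions.items() if e == eni]
        return {"TrafficMirrorSessions": found}

    def create_traffic_mirror_session(self, **kw):
        self.counter += 1
        sid = f"tms-{self.counter:04d}"  # constructed id
        self.sessions[kw["NetworkInterfaceId"]] = sid
        return {"TrafficMirrorSession": {"TrafficMirrorSessionId": sid}}


if __name__ == "__main__":
    os.environ.setdefault("MIRROR_TARGET_ID", "tmt-placeholder")
    os.environ.setdefault("MIRROR_FILTER_ID", "tmf-placeholder")
    fake = FakeEC2()
    evt = {"detail": {"instance-id": "i-0123", "state": "running"}}  # constructed event
    print(lambda_handler(evt, ec2=fake))  # first delivery: session created
    print(lambda_handler(evt, ec2=fake))  # redelivery: existing session reused
```

The existence check before `create_traffic_mirror_session` is the part worth copying: EventBridge delivers state-change notifications at least once, and without it a redelivered event would attach a second session to the same interface and double the packet volume reaching the sensor.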
At the end of two weeks and a couple of workshops, you'll have a better understanding of your attack surface through Reveal(x) 360's automatic asset discovery, classification, and mapping. You also see where Reveal(x) 360 improves your MITRE ATT&CK detection coverage, and you'll get the latest best practices for incident response.
One Sprint Too Many
Even a single, two-week sprint can feel like a huge commitment if your overburdened SOC team is drowning in a sea of vague, noisy alerts. For those situations, ExtraHop has a fully-functional version of Reveal(x) available online.
ExtraHop is proud to be the only NDR vendor that has made its product publicly available without requiring prospective customers to talk to a salesperson, or even provide any contact information in a sign-up form. So if the timing isn't right for a two-week POC, take the opportunity to see for yourself what a best-in-class NDR solution looks like.
You can take a self-guided tour, walk through live attack scenarios, and get a feel for how our cloud-native NDR solution detects threats as they unfold. If you're up for a challenge, put yourself in the shoes of a cybersecurity incident responder and see if you can identify "patient zero" without the guided walkthrough. Or easily explore the sample dataset on your own.
The Reveal(x) demo environment features real devices running a wide range of operating systems communicating over 70+ protocols, and it covers the breadth and depth of activity that happens in actual enterprise networks.
If the timing is right for a two-week "deployment-less" POC, visit the Reveal(x) 360 listing on AWS Marketplace and click "Continue to Subscribe" to start your free trial.