Security Experts:

ExtraHop Introduces Real Time Wire-Level Threat Detection

IT analytics firm ExtraHop Networks today announced ExtraHop Addy, a cloud-based machine-learning wire data analytical tool that is being trained to automatically detect anomalies on the fly as they are happening.

Seattle, Washington-based ExtraHop was born in 2007. It was founded by senior architects Raja Mukerji and Jesse Rothstein, formerly from F5 Networks, with a vision of tapping wire data to provide the most complete and definitive information on the current state of the IT infrastructure. Since then ExtraHop has picked up hundreds of global customers, including Sony, Lockheed Martin, Microsoft, Adobe, and Google.

But the working of the infrastructure is not the only diagnosis that can be drawn from wire data. Wire data has been described by Rothstein as "everything on the network, from the packets to the payload of individual transactions. It is a very deep, very rich source of data... And it's definitive." Inevitably, within that data, are any and all subtle indications of cyber security compromise.

Machine-learning threat detection tools are not new. For the most part, however, they are high-speed forensic tools that rapidly analyze huge volumes of log data -- they can tell you what happened, but not necessarily what is happening. 

Addy is a new SaaS offering that takes the data already derived from ExtraHop Network and analyzes it in the cloud. It builds a continuous baseline of normal behavior for every device on the network; it then analyzes what is happening against what it would expect to happen; and it highlights anomalies or issues to the IT team -- or the security team. This takes its potential beyond IT infrastructure monitoring into real time threat detection. 

Early access customers have already demonstrated Addy's security value. One large cable company detected a server unexpectedly probing other systems in the datacenter; and were immediately able to shut down the compromised server. A financial services firm was able to detect the Dyn DDoS attack in real time and route DNS traffic through an unaffected region to avoid downtime. And a national medical institution averted two potential security breaches when Addy detected international servers probing their DNS, as well as reverse DNS lookups.

Addy learns from both the customer's own environment and also crowd-sourced domain expertise. This means that the behavioral baseline for every device in the network is continuously improving, the accuracy of alerts is increasing, and false positives are minimized. 

For the most part, the wire data sent to the cloud for analysis is kept in customer-specific compartments. Although that data includes nothing personally identifiable, this is an added assurance for customers concerned with any form of network data sharing, or are otherwise concerned about the evolving data protection laws.

"ExtraHop provides a real-time view across the entire IT environment," explains Rothstein. "With Addy, we're taking the next step, applying machine learning techniques to this vast data set while leveraging the scale, elasticity, and compute power of the cloud."

Addy is available through an Early Access Program for select participants now, and will be available generally in April 2017.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.