Good morning. Good afternoon. I'm John Tolbert lead analyst here at KuppingerCole and today's webinar is called enabling full cybersecurity situational awareness with NDR. And today I'm joined by Jamie Moles, senior manager, product marketing at ExtraHop. Hi Jamie. Hi John. Great, great. Thanks for being here today. You're very welcome. So before we begin, we'll take a quick look at some of the events that we have coming up. Our KClive series. We have a virtual event coming up on March 23rd zeroing in on zero trust, and then our big hybrid event for the year. The European identity and cloud conference will be held in Berlin and online May 10th through the 13th. So we certainly hope you can join us for those events as well.
Some logistics information, we are controlling the audio everybody's muted. There's no need to mute or unmute yourself. There will be a Q&A period at the end. And there is a question blank in the go-to webinar control panel. If you have a question or think of something during the session, feel free to go ahead and type that in, and we will take those questions at the end and just to keep it fun and interactive, we'll do a couple of polls during the early part of the session. And then we will talk about the results also during the Q and a period. And yes, we are recording and both the recording and the slides should be available in the next day or so.
So with that, just a quick look at what we're going to talk about. I'm going to look at the NDR markets, some of the reasons why you might be interested in network detection and response things to think about for, you know, if you are looking at purchasing a solution like that. And then we recently did a leadership compass, one of our comparative reports on that, and we'll take a quick look at the results and then I will turn it over to Jamie and then we'll do the Q and a at the end. So, first question, is your organization looking at NDR today? Just a quick? Yes, no. It's always interesting to see where people are on their technology journeys. So this is definitely a hot topic and I hope as you'll see throughout the morning here, there's a lot of value that can be gained from, you know, what Indy our solutions can provide. So if you're considering that if you know your is looking into something like that, please select yes. And if not, just, no.
Okay. And thank you. We will we'll move into the content. So network detection and response in the ER, you know, in the ER, is a newer way of doing things that we have done in the past. You may have heard of intrusion detection, intrusion prevention systems, you know, from, from years gone by, you know, say 20 years ago, this was IDs and IPS was kind of the way that you looked for threats on the network. And, you know, mostly they were rules based. And as you can imagine with hundreds and thousands of different protocols and different nodes across the network, writing the rules for that was very complex and almost inevitably system administrators would miss something because you just can't write rules to cover everything. Plus it created an awful lot of false positives and required an awful lot of fine tuning just to keep it up and running.
So NDR is sort of an artificially intelligent, you know, uses machine learning algorithms way of doing some of those same functions, but doing them much better and giving organizations to deploy them a lot more capabilities. So how it works is the NDR solution. We'll talk about how it's deployed in a minute. You know, it looks at the network connection metadata, and you have to sort of baseline, you know, what's on a network, what the right kinds of what the normal traffic patterns are on a network in terms of protocols and which nodes talk to which other nodes or servers. So you get a baseline for what's normal and then it makes it easier to look for what is anomalous. These NDR solutions use both unsupervised and supervised and machine learning detection algorithms. The unsupervised are good at, you know, sort of looking through the massive data and figuring out, you know, what the outliers are in that data.
And then the supervised ML algorithms are used to sort of classify or categorize what kind of, you know, suspicious traffic it is. And then that gives the analyst more information about what's going on on the network. So it's this combination of different kinds of machine learning algorithms operating on large amounts of data that can provide actionable intelligence, help an organization, know how they should respond to maybe suspicious, suspicious traffic that's identified and these, the algorithms need to be trained. So you need behavioral models that understand what is specific to a given environment. You know, there are NDR solutions out there that train just on sort of academic data sets it's most effective. If the data is, you know, trained on live in C2 data in a customer's given environment.
So thinking about where is it deployed? Well, you can deploy it in line. Meaning, you know, in most cases you'd have to set it up so that it decrypts traffic since most traffic on most networks is encrypted. These days. You'd also put a network appliance off of a span port or even kind of in full offline mode where it's just simply pulling in log telemetry from various other networking devices. They're designed to detect both what we call north south, you know, things that are moving across the perimeter in and out from the internet, as well as east west or the lateral movement here's cases where you, you know, look for like reconnaissance. If, if an intruder has gotten them to the network, then they will be moving from machine to machine looking for, you know, the kinds of data they might want to steal. So you you'll want to be able to detect things coming in and going out as well as the lateral movement inside your own environment in the AR can also help understand, you know, operational technology and industrial control systems protocols.
This is, you know, increasingly important, especially for, you know, critical infrastructure or, you know, manufacturing environments where there are industrial controls, SCADA machines, human machine interfaces, PLCs, things like that. You know, a lot of them can't run endpoint agents, you know, which is a typical way of providing coverage in, in most enterprise it environments. So understanding at the protocol level, what is going on, what's good traffic, what's bad. Traffic is super important in, in environments that do have these kinds of devices, threat hunting tools in are, can be, you know, an essential component for threat hunting. You know, threat hunting is more than just responding to incidents. It's sort of proactively looking for signs that, that something may be going wrong in a historically EDR endpoint detection and response tools have been, you know, parts or things that would be used by threat hunters to look for evidence of, of, you know, malfeasance, but also in the ER is necessary as well to kind of get the network layer picture of where an intruder may have gone or what they may be doing.
And as I was hinting to before, you know, this can find evidence of malicious activities when other tools miss it, you know, EDR log files, SIM let's say you've got a very sophisticated intruder, you know, and as we always hear in the news these days, every attack seems to be sophisticated. You know, an intruder may go in and if, if they're savvy enough, delete all the log files. So they're trying to hide the evidence that they were ever on a system, but it gets very, very difficult to try to hide the fact that an intruder may have going across the network. So, you know, and conducting, you know, operations that, you know, don't fit the baseline for that particular environment. So NDR can find evidence of, you know, things that should not be going on if, if other tools in your security architecture mess up.
And then lastly, the R is for response, you know, there are both manual responses and automated responses, you know, what can you do at the network level where you can terminate sessions, you know, that you think are suspicious, you can isolate whole nodes. If you think they've been compromised and you can block traffic, you know, say externally, you know, by IP or URL, those are some of the major functions in terms of response. Oh, plus, you know, like DNS sink holing, if you are getting hit by a DDoS attack or something like that, you can, you can sinkhole something, you know, the URL that's affected. So there's, there's lots of different kinds of capabilities. And again, they can either be implemented where an analyst has to say, yes, I want to isolate this node. Or, you know, even in some cases make it respond to triggered events and happen automatically.
So if you're looking for India, I came up with this list of seven things you might want to consider for your RFPs, think about your environment. You know, do you have a big on-premise component? Probably, you know, not everybody is fully cloud yet. There's, there's hybrid course. There's increasing use of infrastructure as a service. You know, most of the tools have, you know, reasonably good coverage for those. Then there are also these OT and ICS use cases for industry and critical infrastructure. So you really want to, I think start with knowing your environment and knowing what you need, you know, agents or appliances to be able to cover and understand then since not everybody can or would want to decrypt all the traffic on the network, you know, having encrypted traffic analysis is pretty useful. There are some quasi open source methods like that looks at, you know, the TLS handshake, you know, and there are ways of determining whether or not the traffic is good or bad based on, you know, the ciphers that are use something like mercury, mercury is kind of like that, or, you know, it takes a different approach, but it was open source by a vendor and, and is now out there for others to use as well.
And then, you know, just looking at the basics of how the TCP IP protocol is used for various kinds of traffic, you know, re transmits spacing in between, you know, communications, there are some telltale signs in, at that low level that traffic may or may not be malicious. So those are ways that vendors do encrypted traffic analysis, machine learning. You know, I think it'd be good to take a look as, as much as you can, and to figure out which products are, have the most capabilities in terms of machine learning and how it improves the overall detection rate. Cause that's really what matters is the accuracy and detection, and then being able to respond to it, cyber threat intelligence, you know, indicators of compromise IOC is, you know, these can come across coming from across a vendors customer base, but then there are also open source feeds of IOC, you know, and they really need, you know, curation or pruning.
There's, there's not, there's, there's good stuff that can be found in open source Intel, but some of it, you know, it gets dated pretty quickly. That's why there are third-party services that, you know, provide the curation of that CTI and then provide that as a subscription service that you can then integrate with your solution. So if you're looking for an NDR product and you already have, you know, some threat Intel portal, make sure that it would work with that the enterprise console, this is, you know, your sock management pane of glass it's for, you know, not only the managers, but analysts do it, forensic investigations and threat hunting. Their most tools these days are put a good emphasis on API APIs for interconnectivity, which is absolutely needed. You know, these tools like NDR needs to be able to feed its information and to seam and then onto soar in many cases.
And then lastly, playbooks playbooks are the response part. You know, this, this can help automate time consuming tasks, you know, like doing those initial investigations, copying IP addresses, going out to threaten gel portals and getting the latest, everything that you can do to automate that, both speeds up the investigation plus decreases the chance that, you know, there's going to be some sort of data entry error. Oops. You know, you put in the wrong IP address and got the wrong threat Intel back, that, that speeds up the investigation and, and gives the analyst, you know, higher quality information to work with. Then they're like, you know, either one click, you know, manual responses that can, you know, do the things that we were talking about earlier, you know, terminate sessions or isolate nodes, or in some cases, you know, you may want to automate that if you don't have a 24 by seven SOC and something happens over a weekend, it is, you know, lower risk to go ahead and isolate a note. If you think it may be trying to propagate ransomware around your network. So this, these are, you know, some of the key features that we see in NDR and some of where the, you know, where the value comes from.
So the top use cases, you know, increased visibility, as we've said, there are places that EDR agents really can't cover all that well. So, you know, having visibility at the network layer gives you a chance to catch signs of malicious activity that you probably would otherwise miss the rapid ransomware response. I mean, we hear about ransomware nearly every day. It is a serious problem. If for some reason, ransomware gets into your environment, it would be great to have the capability to shut that down again at the network level, you know, detective cutoff that node contain the problem and then alert in case it is somehow missed by EPD our tools in your environment.
It can be useful for apt investigations, advanced, persistent threats. These are, you know, where bad guys get in and try to look for, you know, either sensitive data or critical intellectual property and exfiltrate that, you know, so that being able to do an IOC search look for signs of recon lateral movement, unusual communications. Again, these are things that may be picked up by an NDR tool, but could be missed by other parts of the security architecture. And even if not apt, you know, which sometimes are state actors or corporate espionage, you know, data breaches that try to siphon out PII, personally, identifiable information, you know, that that creates several kinds of risks, including the risk of noncompliance with privacy regulations, if that's exposed. So being able to prevent that is certainly an extremely useful thing to do. And then insider threat investigations, you know, looking for, you know, unusual traffic, different log-in times, traffic times, or maybe users looking at assets that are sort of outside of their normal purview. This is something that also may be detected by NDR.
And then lastly, here in our integration with seam and sor it's an important part of your security architecture, it sort of needs to be able to plug into those as well and, and be managed if you have a sore, it should be managed in conjunction with that kind of a quick look at where these things go. Let's say the NDR sensors, little circle. I mean, you'll want to make sure that you cover your offices, cloud environments, industrial environments. If you've got those, you know, perimeter environments, you know, so many people have been working remotely and will continue to work remotely. You know, if you've got dedicated infrastructure where they come into the network, that would be a great place to deploy that same thing with, you know, email and web server environments. All this should come into the MDR console. It can be forwarded on to seam, which then can be operated on by soar. You can draw the cyber threat Intel into the MDR console, do your threat onset or forensic investigations, and then be able to go out and, you know, proactively, you know, block traffic in any of these environments if necessary.
So let's take a quick look at the leadership compass. This came out a couple of months ago. It is specifically on NDR on our leadership campuses. We rate by nine major categories. So I'll quickly go through those security. This is internal product security, you know, how does it, does it encrypt? Does it have internal, you know, role-based access controls, things like that. It's a measure of the internal security of the product functionality. It doesn't have all the features that we think that it should have. We've listed the majority of the ones that are most important here, integration and deployment, you know, does it cover all those environments that we've talked about and then does it appear to be easy to deploy and integrate into your environment, your overall security architecture, interoperability? Does it work well with the other services you have? This is where it's important to have, you know, standards for communication, you know, things like sticks and taxi support for, you know, threat intelligence would be one example, SIS log for cm integration rest API is for soar integration, usability since main users are, you know, the system admins or the forensic analysts, you know, what's it like from their perspective, is it easy for them to use?
Then we look at innovation, you know, is it, is it checking all the boxes of the things that it's supposed to do? And then some, you know, is it leading edge or is it kind of playing catch up to everybody else in the market? And then the next three market ecosystem, financial strength market and ecosystem are about the numbers of customers and partners, you know, system integrator type partners. And not only how many of them, but how are they geographically distributed, you know, do they have global coverage or are they regional? And then financial strength is, you know, it kind of runs the gamut from, you know, new startup, mid to late stage startup, you know, but with a lot of funding or, you know, a massively profitable, you know, unicorn or a public company. So this is where we, you know, try to indicate the overall financial strength of the company.
We group these into four categories, there's product leadership, which is really about the overall functionality market leadership. That's a combination of those three market ecosystem and financial strength. Innovation is purely about the innovation rating, but we put them all together into the overall leadership category. Here are the vendors about read all these off to you, but you can take a look real quick here, all the vendors that covered in this last edition of the NDR leadership compass, the ones that were rated are the ones that fully participated. And the ones that in vineyard to watch did not fully participate in, you know, our process is to send out a giant questionnaire, technical questions, and then look at, you know, usability from the admin perspective, do a briefing demo, get information about the roadmap and, you know, find out how well does it sit with customers. So that's the basis for both the writeup and the ratings that you're about to see.
So in this recent edition, here's the overall leader, graphic CR today's sponsor ExtraHop is there in the overall leader position, as well as a number of other major vendors. There are, you know, it's pretty well distributed across, you know, from a leader on the, on the right, through the challengers and then product leaders. We see, you know, a pretty good distribution here as well. A number of leaders, you know, NDR has been around for a few years in a lot of specialty companies that may have started out in that space have been acquired. And, you know, I think there will be more acquisitions coming up, especially as we move into XDR in the next few years, we'll hit on that just a minute, but, you know, product leaders here, you know, they have support for all the different kinds of environments. They do good encrypted traffic analysis. They have what we think is a good mix of ML detection algorithms, a good integration of CTI. And, you know, it appears to be pretty usable if they've made it into the leadership block here and they do have good playbooks and automated responses. That's, that's something that think is really key to focus on that part. It's not just about the detection, it's about being able to respond.
So innovation leaders, you know, here's where I thought it was important to call out things like the support for OT, ICS, IOT, you know, integration, or being able to offer some of these more advanced what we see coming, as far as XDR, you know, the one, the solutions that do in C2, data monitoring, not just training their ML detection models on like academic datasets. You know, these are the ones that kind of go over and above, you know, the baseline set of capabilities that we think are important for NDR and market leaders. Again, this is about, you know, numbers of customers where the customers, where the system integrators have many do they have, and then overall financial strength of the companies. And like I said, you know, there have been a number of acquisitions already, and I'm sure that there are going to be more so to wrap up here, you know, there are strong products in the MDR space today.
Now there's no doubt about that. There are plenty of good ones to choose from if you're interested in that. And it's a growing market, I think it will continue to grow. EPR is an absolute necessity, but, you know, MDR is becoming more and more unnecessary in, in organizations as well. You know, especially those that have those industrial settings where you may not be able to get maximum visibility of all your assets. So there are places where in VR, you know, can see things that the PDR can't, and then lastly, you know, the, or XDR XTR is going to be the union of a number of different things, NDR and EPR. The endpoint parts are probably the two most important, but also, you know, bringing in things like unified endpoint management, cloud, workload protection, you know, distributed deception platforms, you know, as a sort of a next gen or, you know, very advanced way of doing network detection.
These are some of the capabilities that I think we'll find themselves in XDR in the, not too many years ahead. And there are, you know, among the leader, the innovative leaders in the space, you know, they're offering a lot of these features already to them. So yeah, expect more consolidation, expect more emphasis on XDR, but you know, that is probably three to five years away before the entire industry sort of settles on that. I would think so. Our final poll question here, based on what you've seen today, do see a role for NDR in your security architecture. And if so, it, would it be mostly driven by the need for covering enterprise it? Or is it because you have these industrial and say manufacturing, critical infrastructure, you know, OT technology, do you think that the NDR would be more applicable for you in the OT ICS realm? So go ahead and select one of those. We'll give you a few seconds to do that. Okay. Thank you. And with that, I will turn it over to James,
John, thank you very much for, for that. And thanks for handing over and thank you very much for the opportunity to come on this webinar today and talk about the NDR review and, and Indiana market and how we do NDR at extrahop. And before I jump into the slides, just a quick few points. So I I've worked now in the NDR space for a few years. I've had the, the distinct pleasure of working for two NDR vendors, both of whom are in your report and in your leadership category. It's a very interesting market to work in. I've been in the it security and infrastructure industry for the best part of 35 years. Now, pretty much always insecurity and infrastructure and development and things like that in the market for NDR, as, as you have correctly identified in your report is it's a developing market.
It's an interesting market and a lots of companies have jumped into the NDR space, including ourselves from other market segments. It's interesting that if you look at some of the leaders in your report, it seems like there are a few main ways, but people have moved into the MDR space. So most of us have come from a network traffic analysis background. So using IDs based technologies and adding strengths onto that in order to develop a MDR product, if you like, some of our competitors have taken open source IDs and added onto that their special skills in machine learning and Basie and mats and add value and created a product out of that. One of my previous employers who is in the NDR space came in from a malware sandbox analysis background with frankly, an amazing malware analysis sandbox platform and added onto that the capability to analyze network traffic from the point of view of what does interesting malware do to interact with the, and interact with systems on there, an extrahop we've come into the MDR space from pure, from the point of view of being network protocol experts.
So our history is one of working in the network space. Our founders were two of the original distinguished engineers working at F five networks who produced the big IP product. And they moved on and formed ExtraHop based on what they developed and learn to F bite and, and created a product that was an expert analyzing network protocols to look for network performance and diagnostics issues learned very, very quickly that our customers were using that capability for security as well. And now, now, as a result, we've developed a, a full fledged NDR solution based on expertise in the network space. And it is after all network detection and response, isn't it, let's talk a little bit about why we're doing what we're doing and why NDR as a, as a product set exists. The reality is that we have been seeing over the years as have all of our customers changes in the threats that we're seeing coming in and attacking our networks.
The most advanced threats that we're seeing nowadays are the ones that are already inside your hybrid enterprise that have bypassed traditional defenses or prevention tools. Post-compromised activity is designed to be hidden, ask yourself if your agents were disabled or your logs are evaded. How would you know when you got greased? And if the threat dwells for more than a few weeks in your network, how would you investigate the extent of the compromise? We often see a lack of coverage. We're up to 70% of the attack. Surface is not protected by agents or locks. That's a big amount. And we also see attackers invading defenses by encrypting their malicious behavior or covering their tracks or by deleting or disabling logs, which all leads to frankly, an unacceptable dwell time and a higher risk to the business. There is a short period of time, post compromise, pre breach, where you have the greatest opportunity to prevent an event from becoming a full-scale data breach.
The kind of thing you have to report publicly paid GDPR costs or sub suffered potential brand damage. And this is where organizations need to be investing. Now we talk about the dock space in networks and the dark space is those parts of the network, which if you go and speak to your it guys, what they will tell you. Yeah, we don't know exactly what's there and dark space, maybe. Okay. There are some older legacy systems that we can't put logs on. Cause they're running windows NT. We can't put agents on there and all their devices that are being brought in from the outside that we know are coming in, but we can't necessarily have full control over all their applications and services where the logging for those systems has been designed for operational resilience rather than necessarily security. So when you combine that with a vast amount of protocols moving around the inside of the network and between the hybrid network, I, your insight and your, your cloud platform, and a lot of those protocols nowadays are encrypted as a default for good security reasons. Having visibility into what's going on your network nowadays is it's, it's, it's tough. And this is where we believe MDR comes into play quite strongly.
You mentioned in your opening, but you, you described NDR as AI, enhanced IDs IPS, which I think is actually not a bad description. If you look at the way the NDR market has developed, it had, there were parallels between NDR and EDR, not no coincidence that they both have similar names. EDL developed out of the antivirus market, which again was signature-based with some heuristics and a lot of antivirus programs, but EDR has gone on to be much more intelligent uses. Some signatures uses heuristics uses all sorts of clever techniques on the endpoint to monitor what's going on in memory and in the registry and in process execution and things like that. NDR, it is exactly the same kind of thing. It's a natural evolution away from our IDs, which as you quite rightly pointed out is mostly signature or rules-based to add in other capabilities, such as machine learning, behavioral analytics, threat, Intel integration, and you have already highlighted some encrypted traffic analysis, a good solid NDR product is going to do what we call full spectrum detection, which is not just rely on signatures.
That's IDs, not just rely on ML, but also incorporate other technologies that will enable them to find threats, behavioral analytics, threat Intel, an ETA. For example, why, why is the NDR offering so strong when it comes to dealing with post-compromised activities? Well, the answer is because NTR is typically designed to sit in the east-west corridor, the inside of the perimeter. Although of course, the perimeter nowadays, as we know, is not the solid barrier, the inside and the outside that it once was the perimetry is fading. You know, we have a hybrid environments where we have some of our workload on premise or in our own data centers and some of our workload in cloud. And after COVID, we have so many of our staff now working from home, it's very difficult to define a perimeter, but generally speaking, there are certain parts of your network where you have enterprise grade internal protocols running and certain parts where you just have protocols that might be traversing and going to the internet, going out of egress points that are right.
IDs has typically been deployed in the past, initially in the perimeter. So look for threats, coming into organizations and as such has had firstly lower bandwidth requirements. IDs is typically, I'm not looking at massive amounts of packets going through systems, but also they tend to use a smaller set of protocols for analysis. You wouldn't typically see an IDs looking at SQL statements going between your web server and your backend databases, for example, whereas NDR being typically deployed or the inside of the network, a good NDR solution is going to be looking at a significantly greater amount of traffic because it's often plugged into taps or, or core switches off of span ports. And for example, extrahop bar, our top appliance will do a hundred gigabits per second packet ingest and extraction of data from those packets and storing in a record store, which is, you know, quite a bit larger, quite a bit different to what you'd expect on, on the perimeter, but we're also analyzing over 70 protocols.
So it's clearly a different job and a different story than talking about what's going on on the perimeter. And when you're on the insight, the threats are typically different kinds of things that customers typically care about on the inside of the network is, well, it is someone doing something on authorized, are they accessing the systems they're not authorized to do? Is there some reconnaissance happening on my network? You know, TCP scans, ping scans, other activities such as bloodhound activity is trying to perform reconnaissance on my active directory are the command and control sessions running are coming from the inside of my network, going out and can we see exfiltration and lateral movement, which are no lateral movement is one of those topics that can be very, very tricky to deal with. And certainly if you only have logs looking for lateral movement can be a huge challenge if you're relying on EDR instead of, instead of the network, that can be challenging as well, unless you've got a very, very complete EDR deployment and all of the EDR management systems are actively looking for this kind of thing.
What part of the other problem that we're seeing is that network security is very, very siloed. I mean, India has emerged as the fastest way to detect advanced threats, but a lot of customers we're speaking to still have legacy networking tools, which continue to pose major changes for security teams. You know, they require multiple network taps and multiple tools to satisfy narrow use cases. Data lives in separate tools, often controlled by different teams, which introduces friction into the security requirements from security hygiene to incident response to regulatory compliance. Yep. Maybe it's time to think differently about network intelligence and recognize that the industry doesn't need another micro solution to capture one tiny bit of value from the network, no siloing. And what we do on the network is, is not a good idea side OSA for great security needs to be seamless. And one of the things that we're particularly typically trying to deal with when we're dealing with threats on the inside with network detection and response is long dwell times, those kinds of Dell dwell times tell us that advanced threats are really good at staying hidden, but the bad guys, aren't the only ones with a secret weapon on their site.
Yeah. Covert threats require covert defenses and NDR fits this bill really well. You talked about deployment of NTR in your presentation. You mentioned that some are deployed in line where we deploy out of bed. And I, I, I strongly support the idea that NDR deployed out of band is the best way to do it. And the reason for this is because it's out of bad, it's difficult to evade. So threats can't hide it. It's passive and agentless. So you stay stealthy and, you know, out of band without actually manipulating or interfering with operational traffic, you know, you're getting the ground truth from the core to the edge, to the cloud. Now this isn't to say other tools like EDR and SIM are not necessary. Attackers will often attempt to standard automated attacks against your environment all day at virtually no cost to them and EDR firewalls and seams and other solutions will stop many of these in the tracks, but the sophisticated attacks, which has you said in your presentation, that seems to be with every attack we hear about in the news is sophisticated.
The ones that get in are the most savvy and the most determined to cause you harm for their own profit. That's what you need to bring out the big guns. This quote at the bottom of this, this slide is one that we see often. And I love so Rob Joyce, who used to be the head of tailored access operations at the national security agency, he was presenting at used nix and enigma several years ago. And the, the, the actual quote that he gave us a bit more along the lines of what we NSA our worst nightmare is that out of band tool, that's capturing all the data understanding what's going on. And the key thing that isn't on this and which everyone seems to forget is, and that someone is paying attention to. And that is really, really key here. One of the advantages that NDR seems to have over IDs and some other technologies is with IDs.
It can often be an alert, Canon creating lots and lots of alerts. And we see this with other technologies as well. And this is the one thing that a lot of customers, when we've talked to them saying, we don't need any more alerts. We just need high-fidelity detections that tell us what's actually happening in our environment. And this is one of the great things about NDR, a good NDR tool that sees everything that's going on. The network that analyzes lots of protocols that use is good, appropriate detection technologies, which I'll go into in a bit more detail in just a moment is, is an absolutely fantastic tool for helping customers deal with these kinds of advanced threats. They're the big guns. If you like, you talked a little bit about encrypted traffic analysis, and this is a technique that's been used for quite a while, and we use some encrypted traffic analysis as well, but I'm going to suggest that for the very best bang for your buck, not just in terms of detection, but in terms of investigation as well, you want to decrypt, you know, we're in encrypted traffic, you can't see anything encrypted traffic analysis allows you to look at the metadata for traffic and things like how SSL sessions are constructed and come to some conclusions.
As an example, the last company that I worked for, the sandbox in company, we knew that when and it's muttered, putter Trojan creates an HTTPS session, it was not done to the RFC standard for SSL. And we, we knew there were certain attributes we could look for in an SSL session construction. That would be an obvious red flag that this was my chapter. This is what you can do with encrypted traffic analysis. But wouldn't it be better if you could just click that traffic and see what my interpreter was actually doing and say it certainly from an investigations point of view, it is. I want to talk a little bit now about machine learning and why this is so important. Network detection and response as a technology uses, or as a, as an offering uses three key technologies that we were all talking about 10, 15 years ago, but which in the last decade or so have really matured.
And when you put them together, give you some really, almost super powers to deal with network-based issues. The first was fail fast packet capture. Okay. So fast Eaton. It may, maybe not everybody was talking about that, but certainly those of us in the network space, we're excited by the possibility of handling greater data volumes of having faster networks. The second is, is big data. Of course, everyone was talking about big data and, and that the transition from relational databases to, you know, elk based platforms. So it's, it's been a revelation in being able to handle vast amounts of data and index it and search it fast. And the other thing has been machine learning that we've talked about ML for a few years now, and it's really coming into its own. Nowadays is in my mind the, where this really comes into play with network detection response is, imagine you're looking at your core switch.
You'll are processing a hundred gigabits per second worth of traffic through that network. You're looking at 70 to 80 different internal protocols, including all of your database traffic, all of your authentication traffic. You're looking at your sip. You're looking at voice over IP. You're looking at a lot of protocols that you don't normally see on the perimeter, for example, and your decrypting, that crowd, that traffic as well. You're extracting useful metrics from it. Bytes sent bites received zero sliding windows, but you're also pulling out layer seven transactional data. That's a vast amounts of information to have to process. And it's certainly probably too much to expect human beings to process. So what do you do with it? Well, you take it all out of the packets. You put it in a record store where it's accessible by humans who might want to do threat hunting, but also buy computers that can use ML to look at that data and tell you exactly what's going on. This gives you what we call.
Did you massive intelligence and an intuitive workflow, a way of looking at some many autos or detection only devices that capture a point losing context, and just frankly, adding to the 5,000 or so alerts, you must sit through every day to leverage the ground truth of network. You're a real time view of your enterprise and highly accurate detections, but we enable you to drill into the alerts to investigate and ultimately respond all in one integrated and simple workflow. Within seconds, you can get to real answer basic level investigation, even write down, down to the path with many enterprise level solutions, allowing you to respond with confidence. It's a complete solution that covers your entire attack surface from your data centers to your cloud sites.
Why do we win? Why does network intelligence matter? This is our own graph, peer enterprise scalability for hybrid multi-cloud environments, comprehensive visibility to detect the lateral movement and unusual activity, much better security hygiene with your environment with automated asset discovery and classification, and understanding how those assets communicate with each other. You're able to hunt advanced threats with advanced investigation and forensics. And with our record store with 90 days, look back as a default, you can go back in time and see as that new threat that was just released. This weekend been impacting me for the past. However, I'm at the time we got into the system, one thing that is worth pointing out as well. High-fidelity detection from cloud AI and ML. What do we mean by this? Well, look, we're looking at a vast amounts of data processing over 70 protocols and all the data that comes out of that in a one U box in a rack ML model is just not going to work.
So we do it in the cloud, which means that you effectively have unlimited resources for the analysis of your threats within your system. By take some of the most advanced in the market. We built high-fidelity cloud ML. And if you go back and look at the ML market, and you look at the likes of Google and others, they will always tell you that the models they use are fairly standard, but the differences, the data, and that's absolutely the case with our MDR solution. When you're punt, when you're putting into your ML models, quality data, and vast amounts of it from 70 to 80 different protocols at high rates, you're going to see much more and you're going to be able to detect threats that potentially you couldn't do. If you're looking at smaller data rates, less protocols, and you're not decrypting the traffic. The last point on this slide that I point out is we have added to the product, not just TLS and SSL decryption, but Microsoft protocol decryption as well.
These other protocols like WMI SRPC that tools like PS exec and other living off the lounge tools use at hiding as they move laterally through your network, as well as things like authentication traffic, such Kerberos and elder PEs decrypted. And you can see things like golden ticket attacks instantly as they happen. It makes it very difficult for the attackers to evade what you're doing. And we deliver this as a SAS delivery model. It looks like I'm probably running out of time now. So I would merely point out to potentially wrap up. We integrate with a number of other solutions to provide you with the capabilities that you need. We can pull traffic in ingest traffic from a number of platforms, as you can see here on the left. So your various packet brokers, as well as the cloud platforms, such as AWS BPC port mirror, and we are able to correlate, we, we output to data into the single pane of glass that you use as an organization that might be a sin.
It might be a sorter, it might be Splunk Phantom. It might be cortex, something similar like that. And then the response process we're integrating with the technologies that you have chosen to deploy in your environment to control your security. So you don't need to use TCP resets or, or technology like that. And that's not hugely effective to control C2. We're going to speak to your firewall and we're going to get your firewall to kill that C2 because that's its job to manage traffic. We're going to speak to CrowdStrike. When we see a device has been compromised with ransomware and is trying to encrypt your files and CrowdStrike is going to knock it off the network in seconds. This is the rapid ransomware response that John spoke about in his presentation. Get the best bang for your buck and the best response using extra VX to protect your environment, full coverage, cloud native security for the hybrid environment. And I am done
Well. Great. Thanks Jamie. A lot of good content there. You know, you had a slide that I had taken out, the kind of put together, you know, a pyramid of, you know, three major components that I see, you know, there's the network there's in-point and there's application level. So, you know, to really cover everything that, you know, might be of interest from a security perspective. I think it's key that organizations remember, you've got all these different levels, you know, so you do need to cover the network. You do need to cover what's going on on the end point because, you know, EDR solutions have extremely granular things that they can do within, you know, their agents to protect endpoints. And then there's the application level. And it's the correlation between all those different components that can, you know, really open up new insights and, and help organizations discover when malicious activities are taking place. So let's say your first question about decryption wouldn't you consider decryption to be kind of a bad thing to do for compliance and risk reasons. You know, that's, that's an interesting, and maybe slightly complicated answer. I'll tell you what Jamie, why don't you go first on that one?
Yeah, it, it's actually a really interesting question. I get this a lot and decryption has become a panacea in our networks. A lot of, a lot of the time, it's, it's a core part of most of the security standards like PCI DSS and other things like that. So we deploy it and it's all as a default with a lot of protocols, which is fantastic. I mean, security, privacy, we absolutely promote these things left right and center. But when you're on the inside of your network in the east west corridor, typically, and you're trying to deal with the advanced threats that come from nation state actors or ransomware actors who are moving more into nation state type behaviors, we're seeing nowadays lateral movement and things like that, that, that, that can take advantage of protocols inside your network that are encrypted. As a default can be very, very difficult to detect as an example, when eternal blue hit Microsoft, when they released fixes for that, their default advice was to make sure you turned on things like SMB version three, which is good, solid security, posture, security, hygiene advice.
You know, it's there to protect your systems, but if you turn that on and you can't see what's going on in your network in SMB V3 traffic. So my answer is to use strategic decryption. And what I mean by that is you don't decrypt on the perimeter. You don't decrypt inline, you do crypt a copy of your traffic out of band, and you decrypt only the things for which you have the keys. So you're not going man in the middle, not interfering with traffic, you're going to decrypt traffic going to, and from your critical systems whereby if it's running HTTPS, you've deployed the keys. So you have access to that. Or if it's TLS 1.3, you can put an agent on there to capture the ephemeral keys. Or if it's a Microsoft protocol, you can log into the domain controller and get the keys to decrypt MSRP, PC WMI, and other protocols like that, doing it out of band.
So you're not interfering with operational traffic and doing it only on traffic for which you have got the keys. So you've encrypted it to start with means that a you're protecting yourself from falling foul of regulations, such as PCI DSS and others that say you need to encrypt data in transit, which by the way, they say, you need to encrypt the data in transit going across private untrusted networks, not your own network, but we encrypt as a default from the end point, don't we? So that's going to be the case. Anyway, my answer is do it in a controlled manner. Do it within a controlled scope, do it on systems that you have built in which for you control the encryption and don't do it on your operational traffic, do it on a copy out of bed traffic so that you don't risk messing up your operations and you don't risk decrypting things that you shouldn't do like your users attempting to access their private email or Facebook or their banking.
Yeah. You know, there, I tried to call out in the report, if you read the various entries, which products do allow for decryption, which are strictly encrypted traffic analysis only, you know, I leave that up to the customer to decide how they want to handle it. You know, I would think if whatever you can glean by not having to decrypt is probably pretty useful. I think there are certain use cases where, you know, that that limited or on demand decryption can certainly yield a lot more insight. And I think there's a recent, I can't remember if it was NIST or a DOD STIG document that was sort of now advocating, not decrypting for traffic analysis in most scenarios. But if you're going to decrypt, I think, you know what you're describing about the, the limited offline mechanisms that you're talking about would probably be a bit safer, but yeah, there's, there's definitely things to consider for how you even do that, you know, and still comply, not only with PCI regulations, but privacy regulations in places where you are handling PII. So we've pretty much reached the top of the hour here. Any, any concluding thoughts? Jamie?
I think the only conclusions on this are, if you've not already looked at NDR, please do take a look at John's report. It's got a wonderful summary of the market itself. Take a look at extrahop, take a look at our website. If you want to understand more from what we're doing, NDR is a fantastic technology. I may or may not have said this right at the beginning when I did my intro, but I'm a geek. I love playing with technology. And I love telling people about great technologies and that's what I'm doing with NDR. It's, it's certainly worth looking at if you're concerned about advanced threat attacks. And if you're concerned about ransomware and your EDR and SIM, isn't really cutting the mustard.
Great. Well, thanks Jamie for participating today and thanks to everyone who has dialed in. And with that, we will conclude today's session.
