ExtraHop Cybersecurity Solutions

ExtraHop Cybersecurity Solution: Comparisons, Review, Benefits, Use Cases, Pros & Cons

Author: Netify Research Team

If you have questions about ExtraHop and how their capability is aligned to your needs, email the Netify research team. UK: uk@netify.co.uk North America: northamerica@netify.com

(Please use the UK email for ROW - Rest of the World - questions or inquiries)

Netify Review

ExtraHop offer a comprehensive Network Detection and Response (NDR) solution with cloud capabilities. The solution has options for cloud-security (AWS, Azure, Google Cloud) and security for remote users, along with MDR solutions and managed services provided by one of ExtraHop’s authorized managed services provider partners. ExtraHop is recommended for companies looking for granular NDR and cloud security services. 

However, offerings such as firewalls, Next Generation Firewalls (NGFW), Managed Detection and Response (MDR), Extended Detection and Response (XDR), and managed services are all offered via partnerships with third-party companies. This allows ExtraHop to provide granular and featured services due to collaboration with expertise from other companies. Although this could have the potential to  create a complex solution due to the high number of third-party companies that are involved.

About ExtraHop

ExtraHop were founded in 2007, and have their Global Headquarters in Seattle, Washington, North America. Their EMEA Headquarters located in London, United Kingdom and their APAC Headquarters can be found in Singapore. Their Primary focus is on Network Detection and Response. ExtraHop were named as  Leaders in the 2019 Gartner Magic Quadrant for Network Performance Monitoring and Diagnostics and in 2020 they are a Representative Vendor in the Gartner Market Guide for Network Detection and Response.

What are ExtraHop's Solutions?

NDR/MDR:

• Reveal(x) 360: ExtraHop provide cloud security for AWS, Azure and Google Cloud via their Reveal(x) 360 Network Detection and Response product (see, How does ExtraHop Networks deliver cloud security?).
• ExtraHop Discover: ExtraHop provide a range of appliances including the “Discover” Series which can be deployed physically or to virtual environments such as via VMware, AWS, Microsoft Hyper-V, Google Cloud and Linux kernel-based virtual machine (KVM).
• Enterprise Internet of Things (IoT) Security: ExtraHop provide IoT security via their Reveal(x) 360 platform. The service leverages machine learning and offers service-layer discovery and detection, threat detection and IoT device identification and profiling. Devices are automatically profiled, detecting for violations and threats for quick remediation.
• Integrated NDR and Security Information and Event Management (SIEM): ExtraHop allows clients to integrate NDR and SIEM solutions for zero-trust and extended detection and response (XDR). The solution works with Security Orchestration Automation and Response tools (SOAR) for automated response, Reveal(x) decrypts data for instant access to correlated forensics, whilst also offering remediation techniques using a combination of rule and behavior based analytics, with guided investigations for tier 1 analysts. 

Cybersecurity Products & Services:

• Reveal(x) Advisor: Offered in 5-tier Advisor plans, ExtraHop Reveal(x) Advisor offers Threat Intelligence and Proactive Threat Hunting from dedicated ExtraHop Security Engineers, Threat Analysts and Incident Response Technologists. This service offers threat detection reports and briefings, proactive tuning of Reveal(x) and coaching in investigation and response. Support for corporate IT teams is offered by reducing Analyst fatigue, accelerating threat response and reducing security ticket queues. This helps to distribute the network security workload and amplify enterprise security teams when required to ensure threats are not missed and to prevent losses and incident response costs. Reveal(x) Advisor is an optional, on-demand monthly or annual subscription service. 
• Risk Optimization Services: ExtraHop offer services to help mitigate risks that can include operational risks, network and application security risks and risks to reputation. ExtraHop Risk Optimization services can be used on cloud, on premises or as a hybrid to provide insights into risks and vulnerabilities across all aspects of the company network. 
• Business Automation & Transformation Services: Provides migration, integration and enterprise adoption programmes and allows Reveal(x) customers to automate incident response through integrations. This service also allows enterprises to complete cloud and datacentre migrations accurately, with no defects and ExtraHop Accelerate can help Customers adopt the Reveal(x) platform across all aspects of the enterprise.
• Deployment Services: ExtraHop deployment services offer a Solutions Architect, Project Coordinator, Trainer and Practice Manager to understand enterprise requirements and set the foundation through an implementation project plan as well as a customer journey map outlining how best to meet customer outcomes. 
• Application Mapping Services: Uses ExtraHop experts to augment a wide array of enterprise  IT teams to improve application performance monitoring, investigation, triage and application security. 
• Security Operations Center (SOC) Optimization Services: This service provides training, reports, consulting and dashboards to enterprise SOC analysts, offering guidance on how to best utilize the Reveal(x) solution and boost SOC productivity. Enterprise SOC teams can also be further supported through ExtraHops Reveal(x) Advisor solution.

What is the ExtraHop SASE security solution?

ExtraHop do not offer a SASE solution. However, they offer real-time network and endpoint threat detection in partnership with CrowdStrike. The solution integrates ExtraHop Reveal(x), and CrowdStrike Falcon Insight to offer clients a combination of endpoint security, network visibility, remediation, and machine learning behavioral threat detection. ExtraHop SASE works as Reveal(x) detects threats that are only visible on the network and automatically notifies CrowdStrike, where compromised devices will be contained. Analysts will use endpoint data collected from CrowdStrike and network data collected from ExtraHop to investigate, validate and appropriately respond to threats. 

What ZTNA (Zero Trust Network Access) Solution is Supported by ExtraHop Networks?

ExtraHop do not offer a ZTNA solution, however their Reveal(x) 360 NDR solution enables the visibility required to support the roll out of ZTNA to the network at any phase. The risks and lead time of ZTNA deployment can be reduced when working in tangent with Reveal(x) 360, as the single management pane provides real time insights into users, assets, cloud workloads and across the network. 

What CASB (Cloud Access Security Broker) Solution is Supported by ExtraHop Networks? 

ExtraHop do not offer a CASB solution, however, Reveal(x) 360 extends NDR to the cloud, offering multi-cloud security solutions for AWS, Azure and Google Cloud (see, How does ExtraHop Networks deliver cloud security?). 

What SWG (Secure Web Gateway) Solution is Supported by ExtraHop Networks?

ExtraHop do not offer a SWG solution, however this may be available from a third-party company.  

What FWaaS (Firewall as a Service) Solution is Supported by ExtraHop Networks?

ExtraHop offer their partnership with Palo Alto to provide a bundle service which allows users to quarantine compromised devices in Panorama or on a client’s pre-existing Palo Alto firewall. This is carried out in real-time as the ExtraHop Discover appliance identifies alerts. Included in the bundle are two triggers, one for alerts and one for detections. Clients can choose which alerts and detections that they wish to be monitored, as well as the address group where they will be quarantined. The bundle comes with a dashboard that shows clients how many detection and alert events have been sent to the firewall, as well as the IP address of related devices. The bundle also supports Panorama, which is a centralized management system that supports global visibility and allows clients to control multiple Palo Alto Next Generation Firewalls (NGFW) via their web-based interface. The bundle includes:

• Palo Alto as an application.
• The Palo Alto Remediation dashboard.
• Two triggers: Palo Alto Firewall Remediation - Alerts, and Palo Alto Firewall Remediation - Detections.

In order to use this bundle, clients must ensure that they reach the following requirements:

• ExtraHop firmware version 7.5 or later.
• An administrator account for Palo Alto firewall or Panorama - Palo Alto recommend that users create admin accounts for API access.
• Access to the discover appliance with an account that has Unlimited privileges. 

Installation advice is available on the ExtraHop website. 

What MDR (Managed Detection and Response) Solution is Supported by ExtraHop Networks?

ExtraHop do not offer MDR directly. However, they are one of MDR provider Datashield’s premier partners. The partnership combines the ExtraHop Reveal(x) NDR platform with Datashield’s MDR services, leveraging Datashield’s Security Operations Center (SOC). The solution also integrates with ExtraHop Reveal(x) 360, to bring MDR to the cloud, and offer scalability for client’s looking to move to the cloud. Datashield keep an up-to-date record of all devices that are inside a corporate network. This is augmented by the ExtraHop Network Discovery feature, which learns the behavior of devices within the network to help to identify them. Datashield also offers constant monitoring via their SOC, which is combined with ExtraHop NDR for Threat Detection capabilities. 

What NDR (Network Detection and Response) Solution is Supported by ExtraHop Networks?

Reveal(x) Enterprise is a self-managed NDR solution for hybrid network architectures, cloud and containerized applications. The solution helps companies to detect advanced threats, analyze breaches and deliver improved responses through automation and network visibility. This enables network security improvements such as critical asset discovery, hygiene and compliance and automated responses via SOAR as well as performance improvements including real time application analytics, machine learning anomaly detection and more. Please see below for a features breakdown for the ExtraHop NDR solution:

• Automated Inventory: Uses auto discovery to classify all network communications to ensure the inventory is current at all times.
• Automated Investigation: Supports responses to detected threats by offering expert guidance for next steps, as well as attack background, context and risk scoring.
• Confident Response Orchestration: Response workflows can be automated and augmented by integrations such as Palo Alto and Phantom whilst Reveal(x) provides investigative tools and detection of threats.
• Cloud-scale Machine Learning: Reveal(x) uses 5,000+ features covering Layers 2 to 7 to offer predictive modeling and cloud-scale machine learning to protect critical assets by identifying, examining and prioritizing threats. 
• Perfect Forward Secrecy Decryption: Uses decryption of SSL/TLS 1.3 with PFS passively to provide real-time monitoring of encrypted traffic to hunt and identify concealed threats. 
• Peer Group Detections: Reduces the number of false positive detections when an anomaly is detected as devices are automatically assigned to specific Peer Groups. 

The ExtraHop NDR solution is available in various different tiers dependent on enterprise size and cloud capabilities: 

• ExtraHop Reveal(x) Essential 
• ExtraHop Reveal(x) for Midsize Enterprises 
• ExtraHop Reveal(x) Enterprise 
• ExtraHop Reveal(x) 360

What XDR (Extended Detection and Response) Solution is Supported by ExtraHop Networks?

ExtraHop Networks do not currently offer a full XDR solution, however their Reveal(x) NDR platform can be integrated with Exabeam Fusion XDR or Exabeam Fusion SIEM to provide faster threat response and develop a more rounded XDR solution. ExtraHop is the only NDR vendor within the XDR Alliance, an open cybersecurity ecosystem of vendors.

How does ExtraHop deliver cloud security?

ExtraHop deliver multi-cloud security solutions for Amazon Web Services (AWS), Microsoft Azure and Google Cloud through their Reveal(x) 360 solution, which extends NDR services to the cloud. The solution features deep visibility into SSL/TLS encrypted traffic, and offers intelligence across multi-cloud, remote work, IoT and hybrid environments. Cloud-based machine learning detects anomalous behavior and malicious activity to protect APIs and misconfigurations, accelerating threat hunting. Clients can deploy ExtraHop sensors in the cloud, data centers and remote sites to decrypt and process network data. The data is extracted and is sent to Reveal(x) 350 for analysis, investigation and real-time threat detection. This data can be accessed via the Reveal(x) 360 user interface. 

• AWS: Reveal(x) 360 offers a SaaS-based Network Detection and Response (NDR), which allows clients to utilize a cloud-native solution for securing hybrid enterprises - even for workloads deployed in orchestration platforms such as Amazon Elastic Container Service (ECS), containers such as Amazon Elastic Kubernetes Service (EKS) and compute engines such as AWS Fargate. The ExtraHop sensors will analyze and decrypt network traffic, collecting metadata for further analysis, investigation and real-time threat detection. Clients are also offered a cloud-based record warehouse which allows for query, index record search, and drill-down investigation in all areas of the hybrid environment. Sensors with continuous packet capture (PCAP) enable detailed forensics services for Reveal(x) 360 for AWS. The service is further able to integrate with Amazon VPC Traffic Mirroring for agent-less visibility, to improve the efficiency of DevOps processes. Reveal(x) offer intelligent response, integrated with services such as Amazon CloudWatch, AWS EC2, Amazon CloudTrail, Amazon Lambda, S3 and Amazon VPC Flow Logs. 
•  Microsoft Azure: ExtraHop’s Reveal(x) 360 cloud-native NDR platform protects Azure, AKS and hybrid environments, with automated discovery and asset classification, as well as machine learning to provide threat detection and investigation. The service offers complete visibility into all assets in the cloud environment, helping to defend misconfigurations and insecure APIs and prevent unauthorized access, whilst offering full payload analysis which includes SSL/TLS encrypted traffic in real-time. Real-time detection and intelligent response offer real-time analysis of security threats. 
• Google Cloud: Security for Google Cloud is available from ExtraHop Reveal(x) 360. It has the capability to protect containers such as Google Kubernetes Engine (GKE), and offers deep visibility as well as detection using machine-learning. The service also offers native integration with Google Cloud Packet Mirroring to improve the efficiency of the DevOps processes. This service includes: complete visibility with out-of-band decryption for SSL/TLS encrypted traffic, real-time detection to protect misconfigurations and insecure APIs and intelligent response. 
• Cloud Record Store: Offers 90-day lookback,with the capability to purchase more capacity whilst leveraging on-demand pricing. 
• Unified Security: Supports remote and on-premises users by being accessible from anywhere, using a secure, web-based UI which enables unified security in a single management pane. 
• Global Intelligence: Reveal(x) 360 is able to analyze petabytes of anonymized threat telemetry, which is collected every day from 15 million devices and workloads worldwide. 
• Line-Rate Decryption: The solution is capable of decrypting SSL/TLS 1.3 encrypted traffic - which includes cipher suites that support Perfect Forward Secrecy (PFS). 
• Continuous PCAP: Packet capture enables detailed forensic investigation, powered by Reveal(x) 360 Ultra Sensors. 
• Automated Inventory: Reveal(x) 360 automatically and continuously provides classification, asset discovery and dependency mapping across all environments. 

How does ExtraHop support remote users?

ExtraHop offer remote access security, which allows clients to monitor usage, maintain uptime and defend their distributed workforce against cyberattacks. The offering is part of the Reveal(x) NDR solution, creating visibility across on-premises, hybrid and cloud infrastructures. This includes:

• Remote Access Tool Policies
• Solve Remote Access and VPN Issues
• Detect and Investigate Suspicious Logins
• Monitor and Secure Active Directory
• Correlate Performance Across Tiers 
• Understand Resource Utilization

What is the ExtraHop managed, co-managed and DIY services solution? 

ExtraHop offer managed services via their service provider partners (See, Which service providers and partners do ExtraHop Networks support?). ExtraHop offer two forms of authorized managed services provider partners: ExtraHop Managed Services provider partners and ExtraHop MSP resale partners. 

Managed Services provider partners leverage SOCs, and regularly inspect integrations with ExtraHop. Typically these partners provide EDR and SIEM services, and often partner with SOAR vendors for managed remediation services. ExtraHop MSP Resale Partners differ because they typically do not have their own SOC. Instead, they are able to partner with High Wire Networks via ExtraHop to provide clients with ExtraHop Managed Service via SYNNEX - this is only available in North America.

What Reporting and Management is available via the ExtraHop Portal?

The ExtraHop Customer Portal allows clients to report issues with their solution. There are two tiers of maintenance and support plans offered which are accessible via the Customer Portal: Gold, which offers support services that are active from Monday - Friday from 6am until 6pm local time; and Platinum, which offers constant support services, every day of the week for 24 hours a day. The portal also allows clients to deploy services such as the ExtraHop Trace Appliance in Azure and offers system notices.

What is the ExtraHop SLA?

Below is a table displaying the main focus points of the ExtraHop Networks Service Level Agreement (SLA). 

Hardware Appliance Lifecycle and End-of-Life Policy:

(ExtraHop Networks, 2021) Find out more at: https://www.extrahop.com/support/policies/ 

ExtraHop Support Plans:

(ExtraHop Networks, 2021) Find out more at: https://www.extrahop.com/support/