ExtraHop, Splunk Deliver New Compliance and Security Offering

By Darryl K. Taft  |  Posted 2013-10-04
security analytics

ExtraHop, Splunk Deliver New Compliance and Security Offering

LAS VEGAS—ExtraHop Networks, a provider of analytics for wire data or data in motion, joined forces with Splunk to deliver a new compliance and security offering.

The product provides pervasive, context-aware monitoring that imparts intelligent compliance and security, ExtraHop officials said. The ExtraHop compliance and security offering provides correlated, cross-tier visibility and anomaly detection that complements intrusion prevention systems (IPS), intrusion detection systems (IDS) and Security Information and Event Management (SIEM) systems.

Moreover, the new product is extensible and demonstrates the programmability and ease of ExtraHop integration with security platforms. In addition, ExtraHop’s integration with Splunk Enterprise transforms real-time security-related wire data into machine data for in-depth visualization, enabling IT, compliance, and security teams to easily pinpoint the system, application or infrastructure element in which a security event is occurring without using agents or offline packet capture.

ExtraHop demonstrated the compliance and security offering at Splunk .conf2013, Splunk’s annual user conference here.

“As security threats, including zero-day attacks that exploit previously unknown vulnerabilities, become increasingly varied and sophisticated, real-time monitoring across all components of the application delivery chain is becoming a crucial first line of defense,” said Jesse Rothstein, CEO of ExtraHop, in a statement. “With the ExtraHop compliance and security solution and our integration with Splunk Enterprise, enterprise security teams are armed with a highly scalable solution designed to detect potential security events as they happen. With Splunk Enterprise, these anomalies can be easily visualized, enabling organizations to pinpoint the source before a serious breach occurs and prove that they have had adequate controls in place.”

The ExtraHop compliance and security solution delivers continuous, real-time auditing and anomaly detection across the entire application delivery chain, analyzing all wire data, including encrypted traffic, to deliver visibility and intelligence that mitigates risk and helps ensure compliance with both internal policies and regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS) and Sarbanes-Oxley (SOX).

“Part of the answer to the seemingly insurmountable problem of how to identify attacks without signature-based mechanisms lies in pervasive monitoring to identify meaningful deviations from normal behavior to infer malicious intent,” wrote Neil MacDonald, vice president and Gartner Fellow, in his May 2013 report titled Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence. “If you assume systems will be compromised with advanced targeted threats, then information security efforts need to shift to detailed, pervasive and context-aware monitoring to detect these threats.”

The ExtraHop compliance and security offering provides encryption auditing, which identifies all Secure Sockets Layer (SSL) transactions and certificates used by servers and clients, including those using weak keys and cipher suites, and tracks certificates that are about to expire for proactive remediation. Encryption auditing makes it easier to prove that all sensitive data is actually being encrypted in flight and that keys and ciphers are the correct strength.

Also, monitoring for locked-down virtual desktop environments enables users to track all ICA communications and provides continuous monitoring of any data passing over protected channels, with per-user and per-client details so that IT teams can identify users violating policy. For example, ExtraHop continuously monitors VDI channels such as print and USB, and it sends an alert if any of these channels become active on unauthorized machines.

ExtraHop, Splunk Deliver New Compliance and Security Offering

Storage access monitoring analyzes networked storage activity, enabling users to continuously monitor SAN or NAS environments and break out client IP, username, file path, filename, and frequency to proactively identify unauthorized users attempting to gain access to secured systems. This capability provides context to ensure sensitive customer or patient protections are being enforced and a means to prove it.

The new offering also provides brute-force authentication alerting, which detects both high-intensity and low-intensity attacks by tracking and alerting on the frequency of failed attempts per user and historical counts in real time using Lightweight Directory Access Protocol (LDAP) analysis. Also, surreptitious tunneling over Domain Name Systems (DNSes) is a common method that infected or compromised machines use to communicate to external controllers. With ExtraHop acting as a sentinel, this activity is continuously monitored and detected by breaking out DNS records by type and tracking irregular TXT-records and normal A-records specifically, raising a red flag to mitigate potential data leakage, the company said.

And super-user account tracking enables users to monitor all super-user log-ins with per-client and per-server IP details, providing alerts and visibility into who is accessing an application or database so that security administrators can quickly take action.

“As the volume of data continues to grow and the sophistication of malicious activity increases, the ability to monitor and proactively identify potential threats has become mission-critical for enterprises,” Bill Gaylord, senior vice president of business development at Splunk, said in a statement. “Given the complexity in today’s IT environment, all data is security-relevant. Splunk is at the forefront of this approach with a security intelligence platform that collects, monitors, analyzes and visualizes machine data at enterprise scale. Adding wire data from ExtraHop as a critical new data source delivers real-time intelligence and a deeper, data-driven view of security events.”


Rocket Fuel