Paul Ditty

SANS WhatWorks: ExtraHop Reveal(x) for Reducing Detection Time

Ransomware has risen to the top of many organizations’ lists of concerns. These attacks have increased the need for security operations to reduce the time it takes to detect and mitigate threats and restore connectivity. In addition, financial pressures as the world comes out of the pandemic are putting a premium on processes and tools that can quickly show a positive return on investment without high staffing requirements.

An effective and efficient way of achieving both objectives is for Network Operations Centers (NOC) and Security Operations Centers (SOC) to use common tools that support insight into security-relevant changes and anomalies as well as performance issues.

Lee Chieffalo is the technical director of cybersecurity operations at Viasat, a large ISP and services company that needs to protect its own network and customer systems from advanced attacks. He explained how he helped build the company’s commercial security capabilities and merged them with the government side of the business to create a high-level SOC. “My role is to go out and understand the existing and new technology and find the best ways to augment and implement that technology to increase our staff’s effectiveness, efficiency, and accuracy.”

In a recent WhatWorks webcast, SANS Director John Pescatore interviewed Chieffalo about his experience with the business justification and deployment of ExtraHop Reveal(x) to increase visibility into network traffic. “ExtraHop allowed us to get complete visibility of the ground truth of pretty much every frame that’s written to the wire on the network. That key capability is the enabler of our other security capabilities,” says Chieffalo.

Both Viasat’s NOC and SOC teams use Reveal(x), and they reported several key findings:

  • The NOC team is able to do more direct application troubleshooting. Reveal(x) works with their DNS and DHCP servers to show how they perform frame by frame, from the client’s request to Viasat’s response.

  • Their SOC team gets so many line events each day—upwards of five billion!—that it’s near impossible to triage everything directly. Reveal(x) helps them sift through the noise to determine which events are worthy of investigation. “We generate a risk calculus based on that behavior, or that attack pattern or traffic pattern, and then send that into our Security Information and Event Management (SIEM) server to be combined with other data sources to get an aggregate level of risk. If that aggregate level of risk is higher than that client’s risk acceptance, then we do something about it,” says Chieffalo.

  • Reveal(x) has exposed malicious threats like WannaCry, Petya, NotPetya, and others. Viasat can see attacks targeting their customers and are able to stop them before they get out of control.
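The triage workflow Chieffalo describes in the second finding (a per-detection risk score, combined in the SIEM with other sources into an aggregate risk, then compared against the client’s risk acceptance) is shown below as an added illustration. It is not ExtraHop or Viasat code, and the event format, the [0, 1] scoring scale, the noisy-OR combination rule, the per-source deduplication and the per-client thresholds are all assumptions made for the example; the events themselves are constructed, not real telemetry.

```python
"""Aggregate per-asset risk from several detection sources and compare it to a
per-client risk acceptance threshold.

Added illustration of the workflow described in the Viasat write-up. It is not
ExtraHop or Viasat code; the event format, scoring scale, combination rule and
thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    client: str   # customer whose asset produced the signal
    asset: str    # host the signal concerns
    source: str   # detection source, e.g. "ndr", "edr", "threat_intel"
    risk: float   # per-source risk score in [0, 1] (assumed scale)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    RiskEvent("acme", "10.0.0.5", "ndr", 0.55),        # anomalous SMB fan-out seen on the wire
    RiskEvent("acme", "10.0.0.5", "edr", 0.40),        # suspicious process tree on the same host
    RiskEvent("acme", "10.0.0.9", "ndr", 0.20),        # a single noisy DNS anomaly
    RiskEvent("acme", "10.0.0.9", "ndr", 0.25),        # same source repeating itself
    RiskEvent("globex", "192.168.1.7", "edr", 0.30),   # low-confidence signal, different client
]

# Constructed per-client risk acceptance: aggregate risk above this value triggers action.
RISK_ACCEPTANCE = {"acme": 0.60, "globex": 0.50}


def combine(scores):
    """Noisy-OR combination of independent sources.

    Each source has a chance of being right, so the chance that *none* of them
    is right is the product of (1 - score); the aggregate is its complement.
    An empty input yields 0.0 (no evidence, no risk).
    """
    remaining = 1.0
    for s in scores:
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"risk must be within [0, 1], got {s}")
        remaining *= 1.0 - s
    return 1.0 - remaining


def aggregate(events):
    """Return {(client, asset): aggregate_risk}.

    Within one source only the highest score for an asset is kept, so a chatty
    source cannot inflate the aggregate by emitting the same signal repeatedly.
    """
    per_source = defaultdict(dict)
    for e in events:
        key = (e.client, e.asset)
        per_source[key][e.source] = max(per_source[key].get(e.source, 0.0), e.risk)
    return {key: combine(scores.values()) for key, scores in per_source.items()}


def needs_action(events, acceptance):
    """Assets whose aggregate risk exceeds their client's risk acceptance,
    as sorted (client, asset, risk) tuples."""
    flagged = []
    for (client, asset), risk in aggregate(events).items():
        if risk > acceptance[client]:
            flagged.append((client, asset, round(risk, 3)))
    return sorted(flagged)


if __name__ == "__main__":
    for row in needs_action(SAMPLE_EVENTS, RISK_ACCEPTANCE):
        print("action required:", row)
```

With the constructed input only acme’s 10.0.0.5 crosses its threshold: two independent sources at 0.55 and 0.40 combine to 0.73, while the repeated 0.20/0.25 DNS signals on 10.0.0.9 collapse to a single 0.25 because they come from one source. Whether noisy-OR or a max or weighted-sum rule is the right combination depends on how correlated the sources actually are; the point of the threshold step is that the action decision is a per-client policy, not a property of any single detection.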

To learn more, download the SANS WhatWorks analyst report or watch the on-demand webinar.