Security / April 5, 2016

What Stream Analytics Means for InfoSec

Security teams used to think about the enterprise network as having a hard shell and soft center. The idea: Keep the bad guys locked out at the perimeter so business could run smoothly on the inside. It wasn’t a bad idea, just one that has passed its prime. Today, attackers have shown that—given enough time—they can penetrate network perimeters regularly.

In response, security teams have adopted zero-trust models using network micro-segmentation as well as sophisticated authentication and identification schemes. This is a great start, but security teams should aspire to have complete traffic visibility at both the perimeter and the core, including critical East-West traffic between internal assets. For too long, security teams have blindly trusted in their methods to secure the perimeter without having the necessary visibility or auditing to gauge effectiveness.

At the recent USENIX Enigma 2016 conference, Rob Joyce, Chief of Tailored Access Operations at the National Security Agency (NSA), spoke about network visibility and how to defend against nation-state attackers. He said, “One of our worst nightmares is that out-of-band network tap that really is capturing all the data, understanding anomalous behavior that’s going on, and someone’s paying attention to it.” When the NSA gives us advice on how to protect ourselves from hackers, we ought to pay attention!

To better grok the importance of application-level visibility into network activity (both North-South and East-West), consider each phase of a typical intrusion-data breach:

  1. Day 0 – A user opens an email message with a malicious attachment and compromises his machine. The email is sent using SMTP over the network.
  2. Day 5 – The infected machine makes a request to an external server and downloads a rootkit. The request and response use HTTP on the network.
  3. Day 5 – The attackers set up a command and control session using SSH over the network.
  4. Day 6 through 14 – The compromised client begins a slow port scan using ICMP and TCP on the network.
  5. Day 14 through 25 – A MySQL database is identified as a target. The attackers begin low-intensity brute-force login attempts using LDAP on the network.
  6. Day 26 through 29 – Setup | Admin14 login accepted. The attackers begin downloading 100 GB of data over a seven-day period using the MySQL protocol over the network.
  7. Day 30 – The compromised client begins exfiltrating data to an external client over a throttled connection using FTP on the network.

At each step, the attacker must use standard protocols on the network. If security teams can make sense of all their data in flight, they’ll be able to identify and stop even the most persistent attackers.

Stream Analytics and Network Visibility

There’s an exciting new approach to making sense of all in-flight
data: stream analytics.

The ExtraHop stream analytics platform in combination with the GigaSECURE Security Delivery Platform—which provides the right feeds fast—lets you transform raw packets flowing over the network into structured wire data.There’s an exciting new approach to making sense of all in-flight data: stream analytics.

IT professionals agree that packets don’t lie. But, first, you need to make sense of them. The ExtraHop stream analytics platform with GigaSECURE does that for you, in real time, by reassembling all transactions, flows, and sessions, and then extracting 3,400+ L2-L7 metrics and making those immediately available for analysis—done at speeds up to a sustained 40 Gbps.

This stream analytics approach is more suited to today’s high-speed networks than traditional packet capture, where you write raw packets to disk and analyze them after the fact. The latter approach, first conceived in 1987 when Van Jacobsen created tcpdump, doesn’t work as well today with network speeds roughly 10,000 times faster than in the late 80s. That’s why you need stream analytics, where all data in flight is processed before anything is written to disk. Packet capture is useful for forensics and compliance, but not the best starting point. Stream analytics gives you holistic visibility, helps you be smarter about what to investigate further, and even lets you to look at raw packets as needed.


The ExtraHop platform makes it easy to see activity across protocols.

The ExtraHop platform gives you access to your wire data so that you can:

  • Discover, Detect, and Dissect – Equip teams to establish and monitor micro-perimeters, and detect and investigate all types of anomalies on the wire.
  • Make Rapid, Data-Driven Decisions – Identify operations that require oversight. Don’t be the last to know!
  • Simplify Compliance, Audit, and Forensics – Track access to sensitive assets, verify encryption, and monitor compliance with HIPAA, PCI, SOX, etc.
  • Enrich Your Security Analytics Ecosystem – Stream wire data to third-party platforms to correlate wire data with other data sources, such as log files and endpoint monitoring data.

Transforming InfoSec from a Checkbox into a Partner

However cool a technology is, it won’t make a difference unless it enables people to change how they work. In the case of security, having access to real-time wire data enables InfoSec teams to change how they interact with IT.

Today, many InfoSec requirements are viewed as a burdensome “checkbox” that only slows down projects. With ExtraHop and GigaSECURE, InfoSec teams can delegate security for specific technology domains to particular teams. If security is everyone’s job, then everyone should have the tools to do it right.

For example, the database administrators (DBAs) would have a customized dashboard monitoring key metrics for sensitive databases, such as privileged account logins and suspiciously large responses. Similarly, teams responsible for storage would want dashboards monitoring the IPs and access patterns for sensitive partitions or folders. The general idea is that InfoSec would delegate security functions to application teams and the domain experts that understand what is normal behavior, along with the ability to establish micro-perimeters that alert on deviations from normal.

In this decentralized, #wefightsmart model, InfoSec sets the policies, monitors compliance, and handles relationships with customers and external auditors. The result should be: better security, more collaboration with business units, and a reduced workload because InfoSec teams don’t have to waste time sifting through logs. Best of all, InfoSec teams won’t be playing catchup. Instead, they’ll be first at the table to learn about new projects.

Back to top