Interview: How Network Detection And Response (NDR) Can Give Businesses Greater Visibility And Reduce Their MTTR

Jamie Moles, Senior Technical Manager at ExtraHop, discusses how network detection and response (NDR) solutions can help businesses gain greater visibility into their assets and the risks facing them, as well as reduce the time it takes to identify and remediate threats.

Expert Insights Interview With Jamie Moles Of ExtraHop

Jamie Moles is Senior Technical Manager at ExtraHop. With over 30 years of experience in the IT industry, with a particular focus on security and infrastructure technologies, Moles is a seasoned thought leader in the cybersecurity space. Moles spent his earlier career writing his own antivirus software and working and heading up support in Europe for Symantec’s Norton product range. At ExtraHop, he helps the vendor’s customers better understand the risk they’re facing, and minimize the time it takes them to respond to cyberthreats.

At InfoSecurity Europe 2022, we spoke to Moles to discuss how network detection and response (NDR) solutions can help businesses gain greater visibility into their assets and the risks facing organizations today, as well as reduce the time it takes to identify and remediate threats.

Can you give us an introduction to ExtraHop, your key use cases, and what differentiates you from other providers in the threat detection and response space? 

As a company, ExtraHop plays in the network detection and response space. We’ve been in business for about 15 years now. We started in the network performance monitoring and diagnostics space. With this foundation, we are very network-focused whereas some of our competitors in the NDR space come in from different markets.

NDR is an interesting new market segment, with lots of vendors coming into it from different areas. My old employer, Lastline, for example, joined the NDR market whilst I was there, as a specialist in malware traffic analysis. Other organizations have come in with expertise in machine learning. But we came in with very specific expertise in understanding how networks work, when they’re working well, when they’re failing, and understanding network protocols in depth. This is one of the first differentiators between us and our competitors.

We moved into the security space around five years ago, primarily because market research with our customers showed us they were using us for security. We often heard, “With the visibility you give us, our security team has started using you.” This is obviously an amazing opportunity to harness our network intelligence to deliver improved value to our customers and as a result, we changed the direction of the company to focus on security. We are now security- and cloud-focused. The performance side, which continues to be a subset of what we do, gave us the grounding and the fundamental foundation to have a really strong position in the market.

Understanding the network is what we do. And that includes things like protocol coverage, traffic decryption, and encrypted traffic analysis. The premise is simple: we can see what devices are speaking to each other, what protocols they’re using, how long and how regularly they speak to each other, and how much data they exchange, and we help organizations draw conclusions from that analysis. Those conclusions include identifying unusual traffic and providing visibility into what’s happening on the network.

To do all this, we have to be able to process large volumes of data. Our top end appliances will do 100 gigabits per second packet analysis, which is roughly four times more than our top competitors. Our founders formed ExtraHop and built our appliances from scratch, not using anybody else’s technology, so they could focus on performance when analyzing networks. If you’re monitoring devices and looking for operational issues, you have to be faster than the devices you’re trying to detect these conditions on. So, it was built from the ground up to be a high-performance protocol processing platform, and that foundation has led us to where we are today.

How can an NDR solution like ExtraHop help organizations protect themselves against some of the threats we’re seeing today? 

We know that bad actors—let’s call them intruders—are getting into networks. We know that there’s a point of intrusion and we know they’ve got an objective, which is the breach. But in the middle of the intrusion and the breach, you’ve got a huge amount of opportunity to find these cybercriminals.

A lot of technologies that are designed to prevent intrusions are doing their job at a hit rate of around 60%, maybe a little bit more. While intrusion prevention controls are important and critical, they aren’t enough. There always are those one or two cases that get in.

You’ve probably heard of a concept known as the offender’s dilemma and the attacker’s advantage. The idea behind this is, as a defender, you need to defend your networks completely. You can’t make a mistake, because the attackers only need one chink in the armor to get in. But the interesting thing is, once they’re in, that completely turns on its head, because they have to hide. You only need one chance to catch them.

This is what we are aiming to do with our NDR solution. We’re all about taking back the advantage from the cyber attackers. You can have EDR on your endpoints, which is a fantastic solution that gives you endpoint context around attacks and threats, and you can have event logging and correlation, which are great, too. But when attackers get into networks, they actually try to disable those defenses. They try to delete logs or turn off EDR. But they can’t turn off the network because the network is their highway into your systems.

If you’re monitoring from the network—seeing everything that happens in your organization, shining a light on all of the traditionally dark areas of the network where you wouldn’t ordinarily monitor—then you’ve got a much greater chance of catching the cybercriminals. As they move through your network, they leave a forensic trail of breadcrumbs. All you need to do is find it. And if you find it, you can stop them.

There’s a huge opportunity for users to stop the bad actors before they run away with the data. And that’s a big concern that we get from customers nowadays: How do we stop them before they encrypt our data or steal the data and hold us to ransom?

Our reason for existing, if you like, is to help reduce that problem by catching the cybercriminals and stopping advanced threats before they get to their end game.

We also want to simplify the investigation process. We put a lot of effort into our platform so that it will correlate incidents automatically. If a number of incidents are in the same time frame, and they involve the same devices, it’s easy to string them together and develop an attack chain that tells you the story of what happened.

We also help collate the evidence. For example, if someone performs a brute force attack against your web server, in the past, your security team might have had to go to the web team and say, “Can I have the web logs?” But what happens if you’ve outsourced your web services to a company in India, and you’ve detected this at five in the afternoon, when they’re all asleep? You’re not going to get the logs until the next day—and that’s 12 hours added on to your investigation timeframe.

If you’re looking at the network, and you’re gathering that data automatically, we just present it within the detection for that threat. So, here’s the detection, here’s how it works, here’s the offender and the victim, and here’s how it relates to the rest of the incidents within this attack chain.

As well as offering automated and tech-based network detection and response, ExtraHop enables organizations to utilize human intelligence through your Reveal(x) Advisor service. Why is it important for organizations to combine human and artificial intelligence when it comes to stopping today’s advanced cyberthreats?

It’s difficult to hire experienced responders and investigators, and one of the ways you can deal with that is by outsourcing capabilities from other organizations like MSPs and having them do all the work for you. While not everybody wants to outsource—a lot of organizations want to keep everything on the inside—outsourced help can significantly help raise an organization’s security posture. 

The reality is, the network is not the most intuitive place to do investigations. Threat hunting books or documentation always start with the endpoint, because it’s easy to look for files on a hard disk or for processes in memory. But when it comes to the network, you’re dealing with massive amounts of data. And anybody who has to do network forensics will always tell you that the first thing they tried to do is drastically narrow down the scope of work.

So, within the product, we manage all the detection and automation side of things, but not every company has someone who is knowledgeable enough to look inside network traffic captures and find an issue. So, who better than us—experts in networks—to do that for you?

The Advisor service is based on the idea that, “You have our solution. We will hold your hand and help you look at the risks of the issues that you’re seeing on your network and we’ll show you how we would investigate.” Two things will happen. First, you get better and faster value out of the solution because we’re doing the work with you. Second, during that process, we’re also upskilling your people, giving them the best practices on how to investigate threats, how to get the best value out of the interface, and how to get the best out of your people using the platform.

Finally, what is your advice to organizations looking to improve their resilience against the emerging and zero-day threats they’re currently facing? 

Whenever I’m talking to CISOs and other security guys recently, the one word that crops up time and time again is visibility. One concern that everybody has is, “I’ve got to protect all these assets but I don’t know where they all are.”

Find a security framework that works for you and will help you better understand what you’ve got, and provide a clear, step-by-step process to go through to measure what you have in place. You need to understand all of your own assets that you have to look after, the risks that you face from the outside world, and the risks you face from the inside. Getting yourself in a position where you know what you have to manage is the single most important thing you have to do as a security manager or CISO.

If you outsource a lot of things, that’s going to involve speaking to other people and making sure that they communicate with you as soon as you need.

The second most important thing is getting board buy-in. You’ve got to be really good at communicating with the board and explaining risk to them in terms that they understand. I always say, start by talking to the board about what your department is going to do to keep the business going when threat actors attack, which is a very large possibility.

Talk about the risks you’re facing, but also about how you’re going to build resilience to protect the core parts of your business that must stay up and running in order for you to still generate revenue.

If you get that right, you’ll find that the board takes a step back and lets you do your thing.


Thank you to Jamie Moles for taking part in this interview. You can find out more about ExtraHop’s network detection and response solution via their website.
