While attending Splunk's .conf 19, iTWire took the opportunity to chat with some of the more interesting vendors on the show floor. Here we speak with Amelie Darchicourt, ExtraHop's Product Marketing Manager.
iTWire: what is it that ExtraHop does?
Darchicourt: What we do is network detection and response. Basically we gather network data, and to do that we use an agentless solution.
You need a tap or a SPAN that you will install right behind your firewall, so that we can get a copy of your entire network traffic. With that, we do analysis in real-time, so we capture all the packets and extract over 5000 different metrics.
Then we send this metadata, about the network traffic, to our machine learning, which is in the cloud. From there we're able to build up detections, so based on all these analyses we then provide a very deep analysis (and detections) to our customers, based on this data from the network traffic.
iTWire: And where did this come from? What was the origin of ExtraHop?
Darchicourt: You can use our product for performance, that's where we started. We started with providing the solution to network teams and also IT Ops in general, and they would use it to troubleshoot their network; troubleshoot applications. But we also offer the same product, Reveal(x), for security, for SOCs. You can do both, and the same product will cover both the performance use cases and security use cases.
The way we like to explain it is using this diagram, the "SOC Visibility Triad."
This has recently been created and released by Gartner, and what they say is that, if you want to have full visibility into your environment, you need to combine those three data sources - logs from your SIEM (which is Splunk), agent-based data with your EDR, and the last one is network data, and that's where NDR, network protection and response, comes into play.
iTWire: Why would we use this? And why are you here at .conf19?
Darchicourt: So, combining those data sources is how you get your visibility. We're here at Splunk .conf to show how we can complement Splunk, and [show] any companies already using Splunk how to combine the two and have logs and network data to have much deeper investigations and more accurate detection of any incidents within your environment.
We cover on-prem, and also cloud and remote sites. It doesn't matter how complex and wide your environment is, we can deploy anywhere and we can cover everything, giving you complete visibility over everything. For instance, a lot of our customers will use our solution for a cloud migration, because, as soon as you turn on ExtraHop in your environment, we automatically discover and classify all the assets in your environment. We're able to tell you that this is a web server, for instance, and this web server is communicating and having transactions with those other servers or other applications or shared services, etc. We can map all the dependencies. A lot of our customers are using that for monitoring but also to prepare for a cloud migration, so that they can see exactly what the current state of their environment is, and set the priorities of what should be migrated first, etc.
iTWire: You mentioned cloud migration. What is your specific offer in that space?
Darchicourt: We recently launched Reveal(x) Cloud - it is for the AWS cloud. We announced it in June this year at AWS re:Inforce. At re:Inforce, AWS announced a new feature called Amazon VPC Traffic Mirroring, which is basically a virtual tap. So that's how we're able to do exactly what we're doing on-prem, but in the cloud. We get the same thing - a full copy of all the network traffic within your VPC - within your virtual machines in AWS. This one is fully SaaS, so we completely manage everything on behalf of our customers. The way it works is that this is your environment here; this is your VPC. Those are your workloads, right there. As an AWS customer you just have to turn on the traffic mirroring feature, so that you can point all the traffic to the VPC traffic mirroring target, which is the Reveal(x) Cloud [instance]. We do that mirroring through a secure VPC tunnel, so all the data is transferred securely. From there you get all the good features from Reveal(x) - the string processing - capturing packets, re-assembling everything, searching, query, and also machine learning. As a customer you can access everything through your web UI, just like the public internet, and that's how you get access to everything.
iTWire: I assume there are layers of security here…
Darchicourt: There's also strict data segregation within your SaaS, so not all the data is aggregated together. Each customer has its own tenancy, and no one has access to your data; even accounts like ExtraHop's cloud admin have no access to customers' data, they're just there to set up the accounts and that's it.
iTWire: So, where are you based?
Darchicourt: We're based in Seattle. But we have a global presence; we're very present in the US, we have a big office in London, and in Singapore, so we can offer full coverage.
iTWire: Is there much interest in Australia?
Darchicourt: So unfortunately for using Reveal(x) Cloud, I don't think that AWS has made it [the virtual tap] available yet in Asia. I think they might soon in Australia, but Asia is not available yet. The cloud part is not as big in Asia, but we're seeing an increasing interest for Reveal(x) in the Pacific and Asia.
iTWire: There are plenty of Australia-based organisations using AWS that are using US-based repositories anyway. But you've not made any sales into Australia?
Darchicourt: Oh, sales in Australia, I'm not sure honestly; there's a chance, but I'm not sure.
iTWire: Okay, thank you very much for your time.
Darchicourt: You're very welcome.
The author attended .conf 19 as a guest of Splunk.