SHARED INTEL: How NTA/NDR systems get to ‘ground truth’ of cyber attacks, unauthorized traffic

The digital footprints of U.S. consumers have long been up for grabs. No one stops the tech giants, media conglomerates and online advertisers from intensively monetizing consumers’ online behaviors, largely without meaningful disclosure.


Who knew that much the same thing routinely happens to enterprises? A recent report by network detection and response vendor ExtraHop details how third-party security and analytics tools routinely “phone home,” shipping network behavior data back to their vendors without ever explicitly asking the customer’s permission.

It’s tempting to chalk this up to competitive frenzy – a simple case of third-party suppliers seeking whatever edge they can get away with. But there is a larger lesson here. ExtraHop’s finding vividly shows how, as digital transformation ramps up, companies really have no clue what moves across, into and out of their networks on a daily basis.

In one case, ExtraHop tracked a Chinese-made surveillance camera sending UDP traffic, every 30 minutes, to a known malicious IP address with ties to China. It appears the camera in question was unwittingly set up by an employee for personal security reasons. The fixed 30-minute cadence is the tell: a device that talks to the same outside address on a timer is beaconing, and when that address is already on a threat-intelligence blocklist there is little left to argue about.

In another case, a device management tool deployed in a hospital used the WiFi network to ensure data privacy as it provisioned connected devices. But ExtraHop noticed that the tool was also opening encrypted connections to vendor-owned cloud storage, a major HIPAA violation. Encryption hides the payload, not the fact that a device inside a hospital is talking to an outside cloud store; the destination alone was enough to flag it.

Getting to ground truth

I had a chance to discuss the wider implications of these findings with Raja Mukerji, co-founder and chief customer officer at ExtraHop. We met at Black Hat 2019. Mukerji and fellow co-founder Jesse Rothstein, ExtraHop’s chief technology officer, were colleagues at Seattle-based application delivery and load-balancing vendor F5 Networks.

Launched in Seattle in 2007, ExtraHop set out to help companies gain an actionable understanding of their IT environments. Since then it has raised $61.6 million in VC backing, grown to more than 450 employees and now finds itself in the thick of a hot emerging cybersecurity space, Network Traffic Analysis (NTA), a category defined by tech industry consultancy Gartner. ExtraHop refers to what it does as Network Detection and Response (NDR).

In a cybersecurity context, NTA/NDR involves applying machine learning, advanced data analytics and rule-based detection to network traffic, continuously and in real time, with the express aim of ferreting out suspicious traffic that other security tools miss. The raw material is connection metadata (who talked to whom, when, over which port and protocol, and how much) rather than host logs, so the findings do not depend on an agent being installed, or honest, on the endpoint.

“The network is an incredibly powerful source of insight; it’s the closest to ground truth you can possibly get,” Mukerji says. “The network is factual, it’s observable, it’s reality. And what we do is use the network to derive insights as to exactly what’s happening, so that our customers can be secure.”

ExtraHop scrutinizes all north-south traffic – the packets moving both ways across the network perimeter. And through the use of strategically placed network sensors, it can also keep close track of east-west traffic – the packets moving between systems inside the network perimeter. A sensor only sees the segments it is attached to, so where the taps or switch mirror ports are placed determines how much of the east-west picture is actually covered.
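The two findings above (the camera beaconing on a fixed interval to a blocklisted address, and the hospital tool opening TLS sessions to an outside cloud store) can both be derived from connection metadata alone. The following is an added example written for this page, not ExtraHop’s code or anything from the report: it reads constructed Zeek-style conn.log records (timestamp, source, destination, destination port, protocol, service), flags flows whose inter-connection gaps are nearly constant, and flags TLS sessions to external hosts that are not on an egress allow-list. The IP addresses are from documentation ranges, and the indicator list (`KNOWN_BAD_IPS`) and allow-list (`APPROVED_EXTERNAL_TLS`) are assumptions made up for the example.

```python
"""Beacon and unsanctioned-TLS detection over constructed conn.log records.

Added example, not the article's or ExtraHop's code. The records, the
indicator list and the egress allow-list are constructed for illustration;
all addresses come from RFC 5737 documentation ranges and RFC 1918 space.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed threat-intel indicator and egress policy (not real data).
KNOWN_BAD_IPS = {"203.0.113.44"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
APPROVED_EXTERNAL_TLS = {"198.51.100.10"}   # the only sanctioned outside TLS peer

# Constructed records, tab-separated Zeek conn.log columns:
# ts  id.orig_h  id.resp_h  id.resp_p  proto  service
SAMPLE_CONN_LOG = """\
1565000000.0\t10.0.5.23\t203.0.113.44\t9000\tudp\t-
1565001800.0\t10.0.5.23\t203.0.113.44\t9000\tudp\t-
1565003600.0\t10.0.5.23\t203.0.113.44\t9000\tudp\t-
1565005400.0\t10.0.5.23\t203.0.113.44\t9000\tudp\t-
1565000123.0\t10.0.7.8\t198.51.100.10\t443\ttcp\tssl
1565000456.0\t10.0.7.8\t192.0.2.77\t443\ttcp\tssl
1565002000.0\t10.0.7.8\t192.0.2.77\t443\ttcp\tssl
1565000700.0\t10.0.9.1\t10.0.9.2\t445\ttcp\tsmb
"""


def parse_conn_log(text):
    """Parse the six columns above into dicts; skip comments and blank lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto, service = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dst_port": int(port), "proto": proto, "service": service})
    return records


def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_beacons(records, min_events=4, max_cv=0.1):
    """Flag external flows whose gaps between connections are nearly constant.

    A low coefficient of variation (stdev / mean of the gaps) is the signature
    of a timer-driven beacon; human-driven traffic is bursty and irregular.
    """
    flows = defaultdict(list)
    for r in records:
        if is_internal(r["dst"]):
            continue                      # only north-south flows are scored here
        flows[(r["src"], r["dst"], r["dst_port"], r["proto"])].append(r["ts"])

    findings = []
    for (src, dst, port, proto), stamps in flows.items():
        if len(stamps) < min_events:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dst_port": port,
                             "proto": proto, "period_s": mean_gap, "cv": cv,
                             "known_bad": dst in KNOWN_BAD_IPS})
    return findings


def find_unapproved_tls(records, approved=APPROVED_EXTERNAL_TLS):
    """TLS hides the payload, not the peer: flag encrypted sessions to
    external hosts that the egress policy has not sanctioned."""
    hits = set()
    for r in records:
        if r["service"] == "ssl" and not is_internal(r["dst"]) and r["dst"] not in approved:
            hits.add((r["src"], r["dst"]))
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for b in find_beacons(recs):
        print(f"BEACON {b['src']} -> {b['dst']}:{b['dst_port']}/{b['proto']} "
              f"every {b['period_s']:.0f}s (cv={b['cv']:.3f}, known_bad={b['known_bad']})")
    for src, dst in find_unapproved_tls(recs):
        print(f"UNAPPROVED TLS {src} -> {dst}")
```

Two design choices are worth noting. The beacon score and the indicator match are kept as independent signals: an attacker can add random jitter to defeat a tight coefficient-of-variation threshold, and an indicator list is only as fresh as its last update, so each catches cases the other misses. And the minimum sample count matters in practice; at a 30-minute cadence, four connections take an hour and a half to accumulate, so a real deployment computes the gap statistics over a sliding window per flow key rather than over a single batch.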

Mukerji told me how, from this ground-level view, ExtraHop achieves a detailed, tactical perspective of attack patterns; it can see which of the endless attack vectors available to threat actors are attracting attention and/or being actively exploited. For a full drill-down on our discussion, please give the accompanying podcast a listen. Here are excerpts edited for clarity and length:

LW: What’s the central cybersecurity challenge companies face?

Mukerji: The big problem is complexity, which leads to an ever-expanding attack surface. Every time somebody rolls out a new application, new third-party service, new virtual machine, new software container or any new initiative, this basically increases that attack surface . . . the opacity of all these interlocking parts, trying to work with one another, allows the attackers to hide. The complexity can cause oversights, in terms of controls, and ultimately, the result is breaches.

LW: Cybersecurity has become a profound burden; who’s most responsible for addressing it?

Mukerji: It’s a huge problem. Once upon a time, security groups were indistinguishable from compliance groups. So they applied certain controls across all of the infrastructure. And essentially the security groups were not really charged with helping the businesses transact in an agile manner. However, today, with the shared responsibility models, security is everybody’s job.

Now security is intended to be a part of moving the business forward. Organizations wish to be agile — while maintaining security. They don’t want to have to adhere to outmoded, static security principles.

LW: Banks are a good example of this. They’ve spent billions to secure their networks, but they, too, are relying more on cloud services. How can something like Capital One getting its AWS S3 data storage buckets breached happen?

Mukerji: There is no one security tool to rule them all. One might look at Capital One as an indication of just poor hygiene or issues with how they configured their web application firewalls or their S3 buckets. However, the fundamental problem was a lack of understanding and not being able to keep up with complexity. If you had the security groups operating with lower coordination costs, working off the same sheet of music, this sort of problem would have been much less likely to occur.

LW: So how does Network Traffic Analysis, as Gartner calls it, or Network Detection and Response as ExtraHop describes it, address this?

Mukerji: Data is indisputable. And the network is that polygraph, it just is. There’s no question of a blind spot. If it hits the network, you can see it. There are so many agent-based security approaches that attempt to interpret logs or system events that can tell you what they think is going on in the environment. The network is not subject to subjectivity, in terms of interpretation. We’re actually seeing what happens. If a user comes into the environment, and they behave strangely, we actually see that manifested on the wire.

LW: Over time, I imagine, machine learning helps you get smarter about what you’re seeing on the wire?

Mukerji: Exactly. Machine learning is a must. These networks run so fast. A large network will generate about a petabyte a day of information. And you simply can’t parse through that without machine learning. You need machine learning to keep up with it.

LW: You recently announced a new version of ExtraHop’s core services offered as a Software-as-a-Service. What’s that about?

Mukerji: We launched a product called Reveal(x) Cloud, which is a SaaS, hosted on AWS. A customer can fulfill their order directly through AWS Marketplace, and we’ll spin up an instance behind the scenes. We provide a UI that gives them complete visibility into their technology stacks and helps them understand everything that’s happening inside their environments.

LW: It’s interesting that ExtraHop is leveraging the cloud to help companies address complexities created by the rise of cloud services.

Mukerji: Cloud is here to stay. Most of our customers, in fact, every single one of our customers, has some sort of cloud initiative in progress. And yet the number one reason, by far, that cloud migrations stall is because of security.

People have been pushing things they consider infrastructure to outsourcing, and treating them as commodity utilities. However, it’s exactly there that vulnerabilities emanate. And when you’re not looking at something, when you consider something a commodity, this results in opacity, and opacity — that darkness — is exactly where threats lie.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: