Paul Ditty

ExtraHop Expands Partnership with CrowdStrike

ExtraHop and CrowdStrike, through their two-plus-year partnership, have provided significant benefits to customers by combining NDR and EDR data. ExtraHop has now announced a new capability that lets customers integrate ExtraHop network metadata into CrowdStrike Falcon® LogScale, a centralized log management technology that allows organizations to make data-driven decisions about the performance, security, and resiliency of their IT environments.

Using Reveal(x) 360, ExtraHop’s NDR solution, security operations teams can now feed network data into the Falcon® LogScale platform to more quickly qualify or disqualify threats. This combination gives security analysts the ability to focus on triaging their most pressing concerns.

The integration correlates network data from ExtraHop with endpoint, log, and identity data in Falcon® LogScale to remove guesswork and provide the context analysts need to protect their organizations.

To learn more about this strategic partnership, visit booth #N-6155 at RSA Conference, April 24-27.

Paul Ditty

What to Expect at RSA Conference 2023

The 2023 RSA Conference is two weeks away. This year’s theme is Stronger Together, which seems fitting, as the event is expected to welcome nearly 50,000 attendees and 700 exhibitors from April 24 to 27.

With so much to see and such a big turnout, RSA Conference can feel overwhelming. Here’s a quick (and admittedly biased) guide to some activities worth checking out.

Visit ExtraHop at Booth #N6155

This year, we have some exciting new events. Stop by our booth to meet our team of experts, see a live demo, and discover…(drum roll, please):

What’s in the Black Box?

Take a short quiz and find out what’s really happening on a network by entering our unique and engaging Black Box experience. In cybersecurity, you can’t trust what you can’t see. Find out what can happen when you have the power to reveal the unknown and unmask an adversary.

Unlock the Box. Beat the Clock Challenge with CrowdStrike

Join us for an exciting new event with our integration partner CrowdStrike. Harness the power of ExtraHop Reveal(x) 360 and CrowdStrike Falcon to stop a Kerberos golden ticket attack. Earn points toward winning an Xbox Series X or a shopping spree at the CrowdStrike Swag Store by completing tasks in this 15-minute challenge. The clock is ticking—are you ready?

Customer Giveaway

We have a special promo for existing customers. If you have a few minutes before the show, submit a Gartner Peer Insights review ahead of time and you’ll get $75.

Line Up for These Sessions

Don’t miss these speaking engagements:

4/25: Face the Music: Cybersecurity and the Music Industry

When one thinks of industries targeted by malicious actors, the music recording and performance industries don’t always spring to mind. But the music industry has been forced to grapple with evolving technology just like any other business. This ensemble of leaders from the music industry, law enforcement, and academia will discuss artificial intelligence and cyber-enabled threats to the music industry.

Time: 1:15 – 2:05 PM

Session Code: KEY-T08S

4/26: Semi-Advanced Threats vs. the Semi-Critical Infrastructure

As state-sponsored gangs disband, skilled hackers will need income, and supply-chain dependencies like small food suppliers and transit companies are vulnerable to an attack that could affect millions of consumers. Jeff Costlow, Deputy CISO at ExtraHop, will explain why the semi-critical infrastructure is a target and how to prevent disruptions.

Time: 2:25 – 3:15 PM

Session Code: Part4-W09

4/27: The Hugh Thompson Show: Quantum Edition

Partially dead cats? Entanglement? Multiverse? Everything everywhere all at once. Pop culture fascination with quantum has created a magical—and sometimes scary!—exploration of this breakthrough science. Join real quantum computing and cryptography experts, and then welcome to the stage the most celebrated Hollywood quantum scientist of them all, Doc Brown. Great Scott! Quantum has arrived.

Time: 3:15 – 4:00 PM

Session Code: KEY-R07W

See You There

This year’s RSA Conference will no doubt be full of excitement and memorable experiences. If you haven’t registered yet, get a free Expo Hall pass on us with code 54EXTRAHXP at checkout before supply runs out.

Paul Ditty

Customer Success: Defending the User Experience from Cyber Threats

Question: What do a cosmetics company and a gaming platform have in common?

A few things, actually:

  • Millions of customers

  • Strong security postures

  • Optimized digital experiences

We live in a world that runs on apps. Whether social media, streaming services, or how we order our coffee, people everywhere use apps to simplify their lives. In fact, according to the data.ai State of Mobile 2023 report, consumers worldwide spent 108 billion hours shopping on apps, spending over $150 billion in 2022.

With so much revenue at stake, it’s critical to protect digital experience from advanced threats. The IBM 2022 Cost of a Data Breach Report explains that the average cost of a breach is $4.35 million and 60% of companies reporting a breach ultimately pass this cost on to customers by raising prices.

As organizations expand digital footprints to engage wider audiences, they need to protect systems from malicious threats. To better understand how applications run—and to optimize user experiences—organizations are turning to network detection and response (NDR) platforms to improve security, which in turn keeps customers happy.

Ulta Beauty Scales to the Cloud

As the nation’s largest beauty retailer, Ulta Beauty has a reputation for delivering exceptional customer experiences with its unique assortment, passionate associates and services, both in person and online. When the company decided to migrate its e-commerce platform to the cloud, the migration necessitated a security posture to scale with data centers and protect cloud workflows. "We are always working to wow our guests, and from our perspective, that means we must protect those guests," says Diane Brown, vice president, IT Risk Management. "As our network grew, we lacked the visibility needed to detect and respond to breaches and attacks swiftly."

As Ulta Beauty deployed NDR, the retailer increased its cloud-scale machine learning, which gave networking and security teams the ability to spot and resolve performance issues. "We can quickly identify vulnerabilities and understand how our applications are performing in the cloud," explains John Kreis, senior IT engineer. "The technology really helps us accelerate cloud adoption by ensuring our workloads are secure."

Having cloud-native NDR enabled Ulta Beauty to accelerate its cloud migration with confidence in its security relative to advanced threats. Brown notes the insights from network data allow her team of engineers to “focus on the things that matter most, like projects, strategic initiatives, and—most importantly—innovation in service of guests.”

Wizards of the Coast Keeps on Playing

From dungeon crawling to deck building, Wizards of the Coast knows how to capture the imagination of its dedicated fanbase. When the gaming company’s development team made the leap from the tabletop to the desktop, it needed the freedom to create and design quickly—and without compromising on security.

"The developers want to put out quality games that are fun, that are exciting, and they don't want the friction because it's a distraction," explains Dan McDaniel, Chief Architect and Information Security Officer at Wizards of the Coast. "It slows them down, but most of all, it makes them justify what they're doing, which puts pretty much anybody on their heels."

The company built its online gaming platform on AWS and needed a cloud-native solution that could collect and analyze network traffic packets and handle global demand. With a growing list of online multiplayer games, a single incident could bring gameplay to a screeching halt. "What ExtraHop allows me to do is to provide security without validating the architecture of their games before they go live," McDaniel says. "It gives (developers) the freedom to create and go, but I still have visibility and transparency into my risk."

Protecting the Future of E-Commerce

Throughout the pandemic, the mobile marketplace cemented itself as a preferred way to shop all over the world. The State of Mobile report states that even as in-store shopping returned to a relative level of normalcy in 2022, apps remained an important part of daily life offering consumers a way to save money.

Organizations will continue to embrace digital transformations, which means protecting critical, revenue-generating processes from cyber attacks will be even more important. NDR allows businesses to maintain a competitive edge with complete network visibility into hybrid and multicloud environments. These insights empower security teams to minimize threats of disruption and create more runways to innovate and improve customer experiences.

Paul Ditty

How to Detect HardBit 2.0 Ransomware

HardBit ransomware is ransomware as a service (RaaS) that was first observed in October 2022. By November, the threat had moved to version 2.0, which continues to use similar tactics, techniques, and procedures (TTPs) that allow many threat actors to evade endpoint detection and gain access to the network. However, this new version appears to also use a new tactic by targeting organizations with cybersecurity insurance. This new tactic allows attackers to negotiate a higher payout, assuring the victim that it’s in their best interest to have the insurer cover their ransomware demands.

Watch this short video with ExtraHop expert Josh Snow as he guides you through a HardBit ransomware attack, from initial access to how it gathers information, to how it overwrites and replaces content with encrypted data. He explains how network detection and response (NDR) from ExtraHop Reveal(x) 360 can detect this attack at a variety of stages, from initial access and reconnaissance, to data encryption and beyond. Josh also shows how Reveal(x) 360 detects lateral movement, including new or unusual Windows Management Instrumentation (WMI) processes, remote registry modification, suspicious SMB/CIFS file activity, and more attacker activities.

Paul Ditty

Meet Wendy Hoey, 2023 CRN Channel Chief

Each year, CRN announces its annual list of Channel Chiefs, which celebrates the achievements of IT channel executives and managers in supporting both channel partners and customers. ExtraHop is excited to acknowledge that one of the recipients in this year’s list is Wendy Hoey, Senior Director of Global Distribution and Channel Programs.

Wendy is no stranger to these lists. In 2014, she was named in CRN's 2014 Power 100 Women of the Channel. In 2019, she was included among the Women of the Channel Power 30 Solution Providers. Wendy serves on the Channel Company Women of the Channel advisory board.

Wendy recently joined ExtraHop and brings her 25 years of experience working in U.S. and European channel account management to grow our global distribution strategy. She shared a few insights on the IT security industry.

Why are you passionate about cybersecurity?

I have worked in cybersecurity since 1999. I have seen threats come and go, but they just keep on coming! I love working in this industry because when you work in these channels, you are working with some really smart people who want to make a difference and effect change—especially when cybercrime threatens more than wallets, for example, when ransomware groups target medical facilities.

What can you do in your role to make life easier for CISOs and their teams?

A sales channel is only as effective as how you enable it. With so many technology vendors pitching their story to the market, partners will play a key role in being advisors to CISOs and their teams. Working globally with our distribution partners, together we can help support our reseller partners and can help them navigate through these new technologies, allowing them to solidify the relationships with their clients as their trusted advisors.

What does it mean to you to be on the Channel Chiefs list?

I have been very lucky in my career and very fortunate to have worked with many of the people on this Channel Chiefs list. To be included in the listing is a great honor and I feel very humbled to be alongside these channel legends. It just makes me even more determined in my role to help and support my partners towards our joint success!

Can you share some predictions for 2023 and beyond—for the channel or otherwise?

With so many new technologies in cybersecurity, the vendors that will be successful are those that embrace channel and partnership. The executive team at ExtraHop represents some of the most channel-friendly leaders I have ever encountered in all my time working in the cybersecurity industry, and I personally believe that we have built one of the strongest channel teams I have had the pleasure of working with. That combination of leadership and channel team strength will allow ExtraHop to build the best programs and develop our joint business with our channel in 2023.

Paul Ditty

Harnessing the Power of Network Data

What do you do when attackers can disable or otherwise circumvent the advanced security technologies your organization has been relying on to detect and prevent attacks?

That’s a question facing many organizations using endpoint detection and response (EDR), security information and event management (SIEM), next-generation anti-virus (NGAV) and other tools, as threat actors employ malware designed to shut down endpoint agents or destroy logs.

This question has led leading security organizations to turn to network detection and response (NDR). NDR solutions continually ingest, monitor and analyze network traffic and data to identify advanced cyber threats that have been designed to evade other security tools. The network is the highest fidelity data source for early threat detection because it can’t be compromised by attackers. Moreover, the network is where intruders land, expand their reach, establish command and control communications, move laterally and more.

Of course, not all NDR solutions are created equal. If you’re in the market for NDR, there are some key capabilities to look for that go beyond more traditional features to bolster internal traffic defenses.

Strategic Decryption

Today’s advanced threats use encryption to make themselves more difficult to track when inside an organization’s network infrastructure. Encryption also reduces the effectiveness of forensic investigation, which allows attackers to confidently sneak off into the darkness. We’ve seen this in high-profile incidents like the PrintNightmare vulnerability, which included multiple Windows Print Spooler service vulnerabilities. This exploitation also could occur within encrypted protocols, which only makes detection and investigation all the more difficult.

So how can you gain visibility into encrypted traffic? While decryption may be the first thought that comes to mind, it’s not necessarily the easiest. Decrypting network traffic is expensive and could require additional infrastructure, which in turn creates additional security and privacy issues. However, some NDR solutions offer targeted decryption techniques for traffic that is more vulnerable—including insecure protocols and known exploits—which allows organizations to stay safe without increasing spend.

Investigative Workflows

The unfortunate truth about today’s advanced attacks is that breaches can and will happen. According to the 2022 ExtraHop Cyber Confidence Index, 85% of security and IT leaders at global organizations experienced at least one ransomware attack in the past five years. In that same group, 30% suffered six or more. It’s an expensive problem to have, and when analysts have to toggle between multiple user interfaces (UIs) to triage, it can bog down the investigation.

Reducing mean time to respond (MTTR) is critical to stem the damage from a breach. To conduct a more detailed and conclusive investigation, security teams want an intuitive UI that helps them better understand the data they’re looking at. Design makes all the difference when time is of the essence—and when you pair a clean UI with the high-fidelity data from an NDR solution, you’ll be able to streamline your investigation.

It Starts and Ends with the Network

In order to protect your organization, you need to have insight and visibility into what’s happening on your network. The most effective NDR solution should be able to give your IT security team peace of mind and simplify their workload so they can focus on the most important issues. Strategic decryption techniques and investigative workflows are two key capabilities that strengthen your security posture and enhance return on investment.

Paul Ditty

CISO Perspectives on Proposed SEC Cybersecurity Rules

Last March, the U.S. Securities and Exchange Commission (SEC) proposed a series of rules to “enhance and standardize” publicly traded companies’ disclosures about cyber incidents and their practices for managing and governing cybersecurity risk.

In their official document, the SEC proposes that registered companies adhere to the following:

  • Disclose information on material cybersecurity incidents in their 8-K filings within four business days of identifying the incident’s impact as material.

  • Provide updates in their quarterly and annual reports (10-Qs and 10-Ks) on material cybersecurity incidents they previously disclosed in 8-Ks.

  • Notify the SEC when previously undisclosed, immaterial cybersecurity incidents become material.

  • Describe their policies and procedures for identifying and managing cybersecurity risks, including whether they have a CISO (or someone in an equivalent role), reporting relationships for the CISO, and whether they consider cybersecurity as part of their business strategy, financial planning, and capital allocation practices.

  • Describe their boards of directors’ and senior management team’s expertise in assessing, managing and governing cybersecurity risk and in implementing cybersecurity policies, procedures and strategies.

The rule changes are intended to bring consistency to the way SEC registrants report on cyber risks and incidents, and to provide investors with information they can use to better assess an organization’s overall risk profile. However, they’ve become a source of concern for both C-level leaders and corporate directors, not to mention a wellspring for debate. For cybersecurity practitioners, the central question is whether the proposed rules–which go into effect on April 1, 2023–will ultimately improve or undermine an organization’s cybersecurity posture.

CISOs’ views on the impact of the SEC’s proposal vary. Some welcome it. Others urge caution. Here, we present highlights from public comments that several prominent CISOs filed with the SEC or posted to their LinkedIn profiles. We’re grateful to these CISOs for the time they spent drafting these comments and for sharing their informed and experienced perspectives in the public interest.

What CISOs Are Saying About the SEC Cyber Rules

Jerry Perullo, the esteemed former CISO of IntercontinentalExchange (parent company of the New York Stock Exchange), lauded the SEC’s proposed rules for their focus on driving “the right outcomes while avoiding over-prescription.” In his detailed public comments, he offered reasonable and nuanced suggestions for implementing the incident disclosure and governance rules in a way that wouldn’t arm threat actors with new details on registrants’ vulnerabilities or specific security practices. He also advised the SEC to improve its examples of incidents that would merit disclosure and urged them to provide clarity on gray areas, like whether organizations would need to disclose a ransomware attack they successfully contained to a single or limited number of computers.

“The Commission has done well to focus on material cybersecurity incidents. Other authorities have flirted with the notion of incidents that merely present the potential of jeopardy, panicking industries recognizing a potentially limitless expanse of reportable events. Materiality has been core to the Commission’s remit since the Securities Act of 1934, and it is wise to extend this notion—which preserves signal-to-noise ratio for the investing public—to cybersecurity.”

In his forceful public comments, Bill Shields, Executive Vice President and CISO at TransUnion, echoed concerns shared by many of his peers when he urged the SEC to better define “materiality” and give registrants more than four days after determining materiality to report an incident.

“That turnaround is simply too short to collect and present the necessary information accurately and will inevitably lead to mistakes that do the opposite of what the rule intends—disclosures will misdirect the Commission and investors, rather than provide clarity.”

Shields also cautioned the SEC against forcing companies to disclose too much information related to active and ongoing security investigations. “The interest of investors in transparency cannot override the need to effectively resolve an issue and prevent its recurrence, which itself is in the interest of not just one company’s shareholders but the shareholders of any other company that may be under a similar threat.”

Abhay Raman, SVP and CISO for Toronto, Ontario-based Sun Life Financial, noted the rigorous regulatory obligations around cyber risk management and incident reporting that publicly traded Canadian companies are required to meet, some of which are similar in spirit to the SEC’s proposed rules and some of which go beyond. Due to Canadian regulatory authorities’ strict requirements, Raman advised the SEC to continue allowing eligible Canadian foreign private issuers to follow their own domestic disclosure standards and documents to satisfy SEC requirements and to make compliance with SEC rules voluntary for Canadian filers.

“Not doing so,” he wrote in his public comments, “would subject Canadian companies to additional incident reporting regimes that would distract critical resources with fulfilling reporting obligations rather than focusing on addressing a cybersecurity incident.”

“We encourage the SEC to work closely with Canadian regulators to resolve any concerns with existing cybersecurity reporting regimes before imposing additional reporting requirements. Cross-border regulatory cooperation is a powerful tool to support regulators seeking to fulfill their mandate while also minimizing disruption to businesses.”

Andrew Heighington, CISO at Visit.org and former information security leader at Bank of America, JP Morgan Chase, and the U.S. Department of Defense, researched the cyber governance practices of the fastest growing Fortune 1000 companies in 2022 to get a feel for their readiness to comply with the SEC’s proposed rules. He published his research in a widely viewed LinkedIn article and post. Among his findings:

  • Only 36% met three of the SEC’s criteria for cyber risk governance.

  • 42% don’t have a publicly named CISO or equivalent.

  • 38% don’t have a board committee designated to govern cyber risk.

“The lack of foundational cyber governance and leadership at many of these companies means it’s highly unlikely there is agreement on the company’s financial exposure to cyber risk, how much cyber risk the company is willing to accept, transfer, and reduce, what will constitute a material cyber incident to the business and trigger SEC reporting, and what cyber trends are emerging that the C-suite and Board need to be aware of as they craft their business strategy.”

It’s so important for CISOs to weigh in on these rules since they’ll be responsible for putting in place many of the systems, processes, policies and practices to enable their organizations to comply. The CISO community is fortunate to have such a deep bench of mission-driven practitioners.

Paul Ditty

Detecting Black Basta Ransomware with ExtraHop NDR

Black Basta ransomware reportedly compromised 90 organizations in five months, between April and September 2022, with attacks continuing that fall. The speed with which this ransomware moved, combined with its use of double extortion techniques and ability to turn off endpoint detection and response (EDR) solutions, caught the attention of the entire cybersecurity industry.

Watch this short video with ExtraHop expert Josh Snow as he guides you through a Black Basta ransomware attack, from initial access to how it impairs and turns off defenses. He explains how network detection and response (NDR) from ExtraHop Reveal(x) 360 can detect this attack at a variety of stages, from initial access, to reconnaissance, to command and control (C2) and beyond. Josh shows the tactics and techniques Reveal(x) 360 detects, including network privilege escalation, loading backdoors, C2 shell-based beaconing, unusual scheduled tasks, Active Directory (AD) enumeration with BloodHound, and more.

Paul Ditty

XDR Report: IT Decision Makers Struggle to Define Value

As advanced threats become even more disruptive, the need for a strong cybersecurity posture must be a top priority. For years, all it took was a firewall to stop intruders. When that levee broke, endpoint detection filled the gaps, while security information and event management (SIEM) tools offered additional log data and compliance capabilities. Finally, network detection and response (NDR) solutions emerged to provide the missing piece—network data—to the security puzzle.

Now, extended detection and response (XDR) is coming into the picture, and for good reason. It’s a strategy that aims to give organizations complete visibility across endpoint, network, and other high-fidelity data sources and provide a more complete picture of an organization’s attack surface. According to a report conducted by Wakefield Research on behalf of ExtraHop, 78% of IT leaders believe that wider adoption of XDR will be a necessity in 2023. At the same time, what constitutes an XDR strategy continues to be a point of contention. It seems not all IT decision makers agree on what parts are needed to make the whole.

Defining XDR

Despite all the hype over XDR, many IT decision makers struggle to define what it is, its benefits, and key technology components, even as they move forward with XDR strategies. According to our research with Wakefield, only 47% of IT decision makers could accurately define XDR as a strategy for deepening threat visibility and accelerating threat detection and response by correlating endpoint data with higher-fidelity network telemetry and other data sources via an integrated, cloud-native platform.

The large proportion of respondents who couldn’t identify an accurate definition of XDR may explain why our results also showed little consensus about which data sources are most important to support an XDR strategy: if you don’t know what XDR is, then your understanding of the technology components needed to support it is likely limited as well. This showed up most starkly among IT decision makers at organizations not currently implementing an XDR strategy. Those organizations were more likely to rank threat intelligence, firewall data, and identity and access management logs as most important–three components we don’t see prioritized in analyst reports on XDR.

Indeed, according to IDC, a fully realized XDR solution should have:

  • EDR capabilities

  • SIEM

  • NDR

  • Integrated external threat intelligence

  • SOAR workflow management

This point is consistent with our research, which states that a “majority of IT decision makers view XDR as a disruptive technological force and the next logical step in the future of cybersecurity because of the way it incorporates network and other telemetry to build on endpoint detection and response (EDR) solutions, and ultimately, to shift detections from the endpoint to earlier in the attack cycle.”

XDR Is Becoming a Reality

When this strategy was first introduced a few years ago, the idea sounded too good to be true. Now companies are looking to implement their own XDR strategies to keep pace with the ever-growing cyberthreat landscape. Whether they fully understand it or not, the vast majority of respondents have either begun their journey to XDR or plan to do so over the next 12 months.

The reality is that cyberattacks are only getting more malicious, and outwitting them demands a strong security posture. To learn more about XDR and IT decision makers’ perceptions of it, check out the report.

Paul Ditty

ExtraHop, Binary Defense Deliver Managed Network Detection and Response

Over the last two decades, cybersecurity has evolved from a perimeter-centric model to one that acknowledges a largely dissolved perimeter. This evolution has largely been driven by three issues that weren’t factors twenty years ago: technology complexity, stemming from employee mobility, cloud computing, and other trends; obscured visibility as networks grew, transformed, and accrued technical debt; and massive increases in the volume of data and alerts security teams must analyze.

As complexity rose, visibility dropped, resulting in very few network operators having a reasonable level of confidence in their understanding of their own infrastructure. Meanwhile, increases in operational technology, combined with various business trends and cycles of expansion and contraction, compounded these complexity and visibility challenges and led security practitioners to a place where we’re not certain what’s on our networks, where those things reside, or what risk they pose to our organization.

To make matters worse, as network complexity ratcheted up, security teams have attempted to keep pace by placing more security devices throughout their networks. The increase in security devices has led to a surge in low-fidelity alerts and false positives, which in turn have driven the need to perform more manual investigations and build larger and larger SOC teams at a time when demand for cybersecurity practitioners vastly outpaces supply.

Enter Network Detection and Response (NDR)

Against this backdrop of technology change and security challenges, NDR has emerged over the past several years as a remedy for the triple hurdles of complexity, visibility and volume. It delivers high-confidence visibility into managed and unmanaged devices, higher fidelity data for threat detection, and integrated response capabilities. The net result is a decrease in complexity, an increase in visibility, and a manageable alert volume.

In order to make it even easier for organizations to use Reveal(x) 360, our industry-leading NDR solution, ExtraHop is excited to announce a strategic partnership with Binary Defense, the industry’s premier managed detection and response (MDR) provider. By delivering ExtraHop Reveal(x) 360 as a managed service, ExtraHop bundles technology with security expertise to deliver the power of NDR to organizations who don’t want to implement and manage it themselves. Managed NDR delivers mission-critical technology without increasing any potential operational burden on security teams.

Delivering Managed Network Detection and Response (mNDR)

ExtraHop’s powerful mNDR solution is designed to reduce operational burden while providing unparalleled security value to the SOC. Complete packet-level visibility, even into encrypted traffic and at the protocol level, at the speed of the world’s fastest networks, provides rapid value to security organizations. Our solution helps eliminate blind spots and gives threat hunters the ability to detect lateral movement and respond to threats faster without deploying any more agents. Integrating this service and platform into an organization’s existing security stack ensures operational benefits without the traditional drawbacks.

For SOC teams, alert triage and response is always going to be part of the job, but with advanced behavioral analytics and context-rich investigative workflows, ExtraHop technology reduces the number of false positives SOC teams will have to waste their time on.

For organizations that recognize the critical value of NDR in threat detection, response and network forensics, an mNDR service is an easy choice. ExtraHop mNDR delivered by Binary Defense helps organizations rapidly realize the value of ExtraHop NDR with a world-class SOC that lowers security operations overhead, lets customers’ security teams focus on prioritized incident response and remediation, and helps guide meaningful remediation and incident resolution. Incidents will happen, but catastrophic breaches don’t have to.
