Security teams can now seamlessly increase the speed of investigations with more reliable threat intelligence

ExtraHop has announced a new integration between Reveal(x), its network detection and response (NDR) platform, and Splunk SOAR.

Tuesday, 25th October 2022, by Phil Alsop

Using the Reveal(x) integration, Splunk SOAR users now have expanded visibility with packet-level insights from IoT to the cloud, including unmanaged devices, legacy systems, and all other network assets. Users can correlate logs with network intelligence to gain a greater understanding of threats and more confidence in automating tier 1 and tier 2 incident response.

Analysts and IT security managers receive thousands of alerts every day, many of which are ignored because analysts lack the bandwidth to review them. In fact, according to a research study by ESG, 27% of cybersecurity teams surveyed said they spend most of their time addressing cybersecurity emergencies rather than top-tier priorities, leaving them little time to work on strategy or process improvement. Even more alarming, 23% said that not being able to keep up with the workload contributed to security events in the past two years. Most security teams simply don’t have enough staff to stay on top of their workload and be effective.

SOAR platforms excel at streamlining data-gathering from multiple security tools into a single interface, but logs alone are not always reliable and can be inaccurate, disabled, or destroyed by adversaries. ExtraHop for Splunk SOAR enables security teams to enrich any SOAR playbook with high-fidelity data about detections, devices, network artifacts, or even full packet capture. In addition, Reveal(x) covers more network-detectable MITRE ATT&CK techniques than any other NDR product, covering nearly 90 percent—including privilege escalation, lateral movement, exfiltration, and command & control.

“The network is a source of ground truth, difficult for an attacker to evade, and nearly impossible to turn off. As such, network traffic analysis offers an effective means to detect suspicious behaviors and potential threats with high signal and low noise,” said Jesse Rothstein, co-founder and CTO, ExtraHop. “Our new integration with Splunk SOAR combines our rich, contextualized data with an advanced platform to enable defenders to prioritize alerts, accelerate investigation, and run trusted playbooks to ultimately stop threats faster.”

With strong expertise in attack detection, unusual behavior, and risk analysis, ExtraHop provides reliable insights and full context analytics, powered by its cloud-based machine learning. Security analysts can respond to alerts that matter, and have everything they need to know about an incident automatically gathered before they start investigating.

“This integration between Splunk and ExtraHop helps overburdened SOC analysts streamline their workflow so they can leverage out-of-the-box playbooks to handle low level alerts and focus on orchestrating the response and forensics needed for the alerts that matter,” said Chris Kissel, research vice president, security and trust, IDC. “A key benefit of integrating with ExtraHop is visibility into encrypted traffic. Encryption is vital for security and privacy, but it can be a double-edged sword when attackers use it to hide their actions. ExtraHop decrypts traffic and provides near real-time insights that are vital for SOC analysts to make faster decisions.”

“We integrated network intelligence from ExtraHop with Splunk and gained significant visibility that enabled our analysts to respond quickly to suspicious behavior,” said NAME, TITLE, COMPANY. “The value of integrating ExtraHop with Splunk is tremendous. The integration has reduced the amount of time we spend addressing tier 1 and tier 2 threats. We now are able to focus on more mission-critical security strategies. I feel much more confident in automating responses with reliable detections and full context from ExtraHop.”