I had a chance last week to sit in on a demo of Extrahop Networks. The best way to think of it is as “Splunk for network traffic”. If you are familiar with Splunk, it takes all sorts of unstructured machine data and lets you report on it, see trends, create alerts and basically make sense out of it. Extrahop does the same for network traffic.
A few obvious use cases are looking for network errors, slow performance or security alerts. Though it’s not a SIEM, like Extreme’s Purview it can surface security problems, but it probably won’t replace your SIEM right away. Network errors and slow performance are also easy to spot using their product. Honestly, most of the problems you would normally have to use a protocol analyzer or Wireshark for, they can probably handle.
Lately I’ve been thinking about healthcare a lot, and one thing Extrahop does well is healthcare traffic decoding. They have a screen that actually looks for ICD9 traffic and can tell you if you have applications or users that are using ICD9 instead of the now required ICD10. They can also figure out why your imaging software is slow by looking at DICOM and PACS traffic.
They aren’t just healthcare though; they also have industry decodes for SSL certificates (so you can see when they are about to expire), credit card information sent in the clear (so you can fix it before your next PCI audit) and of course all the normal traffic decodes for Microsoft, HTTP, databases etc.
Like Splunk, they also have a community of developers that share their tools, so not only do you get what Extrahop builds, you get to leverage what other users (or developers) have made and bundled up.
You do, of course, need to get the traffic to the Extrahop, either using a tap or a mirrored (SPAN) port, so you will need to think about where to get this traffic from. Tools like NetFlow and Extreme Networks switches that do full NetFlow, or Extreme Purview, can probably scale better, but also require a flow-based switch. *If you are running an Extreme network I’d say definitely look at Purview; if not, or if you need the decodes, Extrahop is definitely worth a test drive.
*Purview can also help with non-Extreme networks using an overlay approach like Extrahop or Gigamon, and has its own set of benefits, so it’s not that cut and dried.
And of course, if you are having trouble with a recurring network issue, or just need some help implementing these tools or deciding which one fits best, contact us. We’re here to help.