UPDATED 15:45 EDT / DECEMBER 21 2018


Machine learning analytics could be toughest security on the block

What is breach-detection technology good for? Does a police report help if the thief is already out the back door with the sofa, TV and grandfather clock? Getting closer to real time analysis is essential to effectively put out fires before they seriously injure an organization. Cybersecurity officers need to not only detect, but also investigate and take action on threats immediately. The computing network is emerging as a plane on which they can see and deal with suspicious activity as it happens.

If companies want real-time, always-on security, the network level is the place to be, according to Jesse Rothstein (pictured), co-founder and chief technology officer of ExtraHop Networks Inc. “It’s as close to ground truth as you can get, it’s very hard to hide from, and you can never turn it off,” he said.

Security tools that examine packets of data in motion may be seen as a form of superficial network security. “If you’re only looking at the packets, you’re barely scratching the surface,” Rothstein stated.

Security analytics based on data flow offer very sparse reports, he added. “It’s like a phone bill. It tells you who’s talking to whom and how long they spoke, but there’s no notion of what was said in the conversation. In order to do really high-quality security analytics, you need to go much deeper,” Rothstein said.

Applying more sophisticated analytics to real-time network telemetry data results in immediate, actionable detection. “Network analytics has tremendous implications for security,” he added.

Rothstein spoke with John Furrier (@furrier) and Dave Vellante (@dvellante), co-hosts of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during AWS re:Invent in Las Vegas. They discussed the role of the network in real-time threat response and the great cloud-versus-on-premises security debate. (* Disclosure below.)

This week, theCUBE spotlights ExtraHop Networks in our Startup of the Week feature.

Splunk for network

Organizations have been investing in defense in depth for decades. This type of security shuts out attackers at the perimeter and at endpoints. But it does not do a good job of alerting users to breaches happening in real time, according to Rothstein.

Are breaches terribly difficult to spot? Actually, there are not many different behaviors that signal that a breach is about to take place. Verizon Communications Inc.’s “2018 Data Breach Investigations Report” gives statistics on security breaches. According to the report, “there are only nine or so behaviors that account for 90 percent of all breaches … what they look like,” Rothstein said. “You look for reconnaissance; you look for lateral movement; you look for some form of exfiltration.”

ExtraHop monitors the network for activities like these with sophisticated behavioral models and analytics. “I often describe ExtraHop as Splunk for the network,” Rothstein stated.

Splunk Inc. is the highly successful software platform for searching, monitoring and analyzing machine-generated data. ExtraHop uses very different technology, but the idea is the same, according to Rothstein.

The company offers analytics products for IT operations and security. Its targeted cybersecurity offering, Reveal(x), leverages machine learning to analyze network security threats at a deep level. Its network behavioral analytics allow it to actually “detect suspicious behaviors and potential threats, bring them to your attention,” Rothstein added.

Reveal(x) connects to ExtraHop’s broader analytics platform, which gives users the ability to investigate threats on the fly. “You’re a click away from being able to investigate or disposition these detections and see, ‘Hey, is this something I really need to be concerned about?'” Rothstein stated.

Importantly, it doesn’t rely solely on statistical baselines, but is actually predictive.

“We’re actually building predictive models around how we expect endpoints and instances to behave, and then when they deviate from their model, that’s when we say, ‘Hey, there’s something strange going on,'” he said.
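To make the two ideas above concrete, the three behaviors Rothstein lists (reconnaissance, lateral movement, exfiltration) and the “deviation from a model of expected behavior” check, here is a small added example of detection logic run over flow-style records. It is illustrative code written for this article, not ExtraHop’s or Reveal(x)’s implementation, which the interview does not show. The flow records, the address ranges, the admin-port list and every threshold are constructed assumptions, and the per-host baseline is a simple z-score over daily outbound volume rather than the predictive models the company describes.

```python
"""Toy network-telemetry detector (added example, not ExtraHop code).

Works on "phone bill" style flow records (who talked to whom, on which port,
how many bytes) and flags the three coarse behaviours named in the article
plus a per-host baseline deviation. All sample data and thresholds are
constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    bytes_out: int  # bytes sent from src to dst


# Constructed assumptions: internal prefix and "admin" ports used for lateral moves.
INTERNAL_PREFIXES = ("10.",)
ADMIN_PORTS = {22, 135, 139, 445, 3389, 5985}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIXES)


def detect_recon(flows, port_threshold: int = 20):
    """Reconnaissance heuristic: one source touching many distinct ports on one host."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f.src, f.dst)].add(f.dport)
    return sorted(pair for pair, p in ports.items() if len(p) >= port_threshold)


def detect_lateral(flows, host_threshold: int = 5):
    """Lateral-movement heuristic: internal host reaching many internal peers on admin ports."""
    peers = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport in ADMIN_PORTS:
            peers[f.src].add(f.dst)
    return sorted(host for host, p in peers.items() if len(p) >= host_threshold)


def detect_exfil(flows, byte_threshold: int = 50_000_000):
    """Exfiltration heuristic: large outbound volume from one internal host to one external host."""
    volume = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            volume[(f.src, f.dst)] += f.bytes_out
    return sorted(pair for pair, b in volume.items() if b >= byte_threshold)


def baseline_deviations(history, today, z_threshold: float = 3.0):
    """Flag hosts whose outbound volume today sits far above their own history.

    history: {host: [daily outbound bytes, ...]}; today: {host: bytes}.
    A flat history (zero spread) treats any increase as a deviation.
    """
    flagged = []
    for host, series in history.items():
        if len(series) < 2 or host not in today:
            continue
        mu, sigma = mean(series), pstdev(series)
        if sigma == 0:
            if today[host] > mu:
                flagged.append(host)
            continue
        if (today[host] - mu) / sigma > z_threshold:
            flagged.append(host)
    return sorted(flagged)


def sample_flows():
    """Constructed telemetry: one noisy host (10.0.0.7) and one benign host (10.0.0.8)."""
    flows = [Flow("10.0.0.7", "10.0.0.50", p, 60) for p in range(1, 26)]          # port sweep
    flows += [Flow("10.0.0.7", f"10.0.0.{n}", 445, 2000) for n in range(10, 16)]  # SMB to 6 peers
    flows += [Flow("10.0.0.7", "203.0.113.9", 443, 6_000_000) for _ in range(10)]  # 60 MB outbound
    flows += [Flow("10.0.0.8", "10.0.0.50", 443, 1500), Flow("10.0.0.8", "198.51.100.5", 443, 1000)]
    return flows


# Constructed daily outbound-byte history and today's totals.
SAMPLE_HISTORY = {
    "10.0.0.7": [1_000_000, 1_200_000, 900_000, 1_100_000],
    "10.0.0.8": [500_000, 520_000, 480_000, 510_000],
}
SAMPLE_TODAY = {"10.0.0.7": 60_000_000, "10.0.0.8": 530_000}


def run_demo():
    flows = sample_flows()
    return {
        "recon": detect_recon(flows),
        "lateral": detect_lateral(flows),
        "exfil": detect_exfil(flows),
        "baseline": baseline_deviations(SAMPLE_HISTORY, SAMPLE_TODAY),
    }


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(f"{name}: {hits}")
```

Each heuristic only sees the flow-level fields, which is exactly the limitation Rothstein describes: it can say that 10.0.0.7 swept ports, touched six peers over SMB and pushed 60 MB out, but not what was in those sessions. Deciding whether the SMB traffic was a backup job or credential-driven lateral movement needs the protocol-level detail the article argues for.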

Multicloud is dissolving the perimeter. Now what?

With the growth of multicloud dissolving old perimeters and firewalls, it’s important to develop new, fluid security models. The network and the application layer are two areas that might replace the firewall as security ground zero.

“[Security] has to get away from that approach people took in the past where security was always this friction; it was this impediment,” John Morello, chief technology officer of Twistlock Ltd., recently told theCUBE. Twistlock is a four-year-old startup that secures containers (a virtualized method for running distributed applications).

Agile cloud development does not mix well with old, perimeter-based security systems, according to Morello.

“One of the things that we really think is important is to be able to bring the perimeter to the application,” he stated.

ExtraHop users can monitor the network in both cloud and on-prem environments. Rothstein does not take sides in the on-prem-versus-cloud security debate. “From my view, [cloud] relies on the same people, processes and technologies that are inherently insecure as we have on-prem, and, therefore, it’s just as insecure,” he said.

Public cloud’s automation capabilities, however, can transfer commands easily between environments. This helps avoid annoying “swivel-chair” security operations. This was clear from the talks at the security track at AWS re:Invent.

“I sat in about five different security-track sections, and every single one of them kind of ended with, ‘So we automated it with a Lambda function,'” Rothstein said.

AWS will be holding its first security conference in Boston, Massachusetts, in June 2019.

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of AWS re:Invent. (* Disclosure: ExtraHop Networks Inc. sponsored this segment of theCUBE. Neither ExtraHop nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
