The Extrahop Visibility Platform
for Uncompromising Performance Analysis

With a dynamic real-time view of all transactions in your environment, any team from NetOps to SecOps can quickly identify and resolve problems.

ExtraHop decrypts SSL/TLS (including TLS 1.3) in real time so you can ensure both security compliance and complete visibility into troubleshooting.

From a high-level map of all assets in your organization to specific package payloads for incident resolution, ExtraHop provides context and precision in a single central user interface.

Machine Learning, which is based on the most objective, complete data source, provides high fidelity analysis that reduces the mass of false alarms.

ExtraHop learns how a device should behave based on empirical, observed activity, and then shows unusual behavior in the full context of what will be affected and why.

Integration with other analysis tools and orchestration platforms to automate response processes and easily scale limited resources.

The stream processor decrypts SSL/TLS-encrypted traffic, including encryption suites such as Perfect Forward Secrecy (PFS), at line speed with native hardware acceleration. This bulk decryption can scale up to 64,000 SSL-TPS with 2048-bit keys that no other real-time analysis can achieve in a single unified appliance. Read this quick technical guide for details on Extrahop’s decryption method.

Starting from the most basic level, the stream processor creates the TCP state machines for each sender and receiver communicating on the network. As a prerequisite for deeper application protocol and universal payload analysis, this allows the platform to understand all TCP mechanisms and their effects. Since TCP is the meeting point of network and application, this approach helps you to clearly identify whether problems are a network or application problem from the start.

The real-time stream processor decodes IP-based protocols to understand, define, and implement the unique application boundaries of this protocol. This enables the processor to create complete operations, sessions and transactions for a fluid application, which in turn enables higher order content analysis through a complete recombination into line data (derived from the line network itself).

While in a perfect world all of this would run pretty smoothly from start to finish, traffic patterns such as microbursts can actually lead to packet loss through a switch or SPAN; in these cases, the processor is automatically resynchronized and restored.

After compiling packets into full streams, the stream processor analyzes the payload and content of layers 2-7 and automatically detects and classifies all devices or clients communicating on the network. The processor also continuously maps the relationships between all clients, applications and infrastructure communicating on the network, measuring and recording over 4,700 metrics.

Full Content Analysis supports dozens of protocols and provides key indicators such as database methods used and their processing time, user file access, memory access time and error, DNS response time and error, Web URI processing time and status codes, SSL Certificates with expiration date, and load balancer and firewall latency. The stream processor also collects sophisticated network metrics such as window size, retransmission timeouts, and nagle delays.

We find that not everyone is interested in knowing every detail about every level of their environment, but don’t worry – while you always have the full analysis capabilities at your fingertips, it’s also easy to customize your view of the data so you only see the exact metrics and insights you need.

Once the stream processor has done its job and started delivering line data metrics, it’s time to take control of what you see and in what depth.

ExtraHop uses an event-driven programmable interface called Application Inspection Triggers to connect you to the stream processor and all stream transactions. Triggers allow you to programmatically extract line data events and correlated metrics that are specific to your business, infrastructure, network, clients and applications.

With Application Inspection Triggers, you can be as surgical or verbose as you want, and extract almost anything from a header to full application payload. For HTTP payloads, for example, this data can include sales, order IDs, unique user IDs in cookies or URIs, and even web page titles or error descriptions embedded by a developer in a 500 status code. And it doesn’t matter what HTTP goes through – it could be SOAP/XML, REST, JSON, AJAX, JavaScript or HTML5.

The same principle and functionality applies to all Extrahop natively decoded protocols. You can also use triggers to extract, measure and visualize data from defined fields or to decode proprietary protocols based on TCP and UDP.

Unlike typical SaaS solutions, Extrahop’s Machine Learning Service only transfers de-identified metadata into the cloud. This means that no payloads, file names, strings, or other categories of data that could contain sensitive data leave your organization. ExtraHop has received SOC 2, Type 1 Conformity Certification for its Machine Learning Technology, which you can read more about here.

ExtraHop uses the following combination of local technology and cloud services to support the entire machine learning process:

• An on-site device, fully controlled by you, analyzes network traffic to extract and store more than 4,700 metrics, including IP addresses, URIs, database queries, CIFS file names, VoIP phone numbers, and other potentially sensitive data; you can configure this device to collect custom metrics according to your needs.
• When the Machine Learning service is enabled, a subset of these on-premise metrics are de-identified and sent to a custom cloud computing instance in Amazon Web Services operated by ExtraHop.
• ExtraHop Machine Learning then creates predictive models for the behavior of devices and applications and detects significant deviations from these predictions as anomalies.
• Anomaly events are sent back to your local device, but you can also choose to receive e-mail notifications (which do not contain sensitive data). Once events are back in your environment, you can use your private key to reidentify and decrypt them for alerts and investigations.

On the performance side, Extrahop detects problems such as VoIP quality problems associated with increased latency and errors, or system startup and logon delays associated with DHCP server errors.