ExtraHop extends XDR partnership with CrowdStrike

New capabilities build on existing detection, investigation, and response integrations between ExtraHop Reveal(x) and CrowdStrike Falcon, adding highly-targeted, intelligence-backed response to best-of-breed XDR alliance.


ExtraHop has introduced an 'industry-first' integration with CrowdStrike that takes security analysts from detection to quarantine to investigation with a single click. The new push-button response integration expands the best-of-breed extended detection and response (XDR) partnership between the two companies, enabling users to quarantine individual assets from a detection directly within Reveal(x) and then pivot seamlessly into an investigation workflow. Armed with this capability, defenders can act with speed and precision, accelerating response times and minimizing the impact to the business. 

The new native push-button response feature within ExtraHop Reveal(x) gives defenders the tools they need to dramatically accelerate containment while minimizing disruption to the organization. Unlike automated response offerings, push-button response gives security analysts the ability to control how and when assets are quarantined based on high-fidelity detections and intelligence that extends from the network to the endpoint. By integrating this capability into the security analyst workflow, security teams can conduct efficient forensic investigation.

“Over the past five years, the security pendulum has started to swing more meaningfully towards a detect-and-respond model that assumes even the best perimeter defenses will eventually be breached,” said Jesse Rothstein, co-founder and CTO, ExtraHop. “But many organizations remain reluctant to invest more in this approach due to the complexity of playbook-driven response. With our new native push-button response, we’re continuing to build on our partnership with CrowdStrike and existing response integration capabilities to give defenders the ability to rapidly and precisely quarantine compromised devices without causing massive disruption to the organization.” 

“This new capability enables faster remediation and faster time to respond, letting teams focus on critical assets and resources,” said Chris Kissel, research director, security and trust, IDC. “The focus on streamlining the work of the overburdened SOC analyst adds real value for defenders.”

The push-button response integration builds upon ExtraHop’s existing partnership with CrowdStrike, which offers integrations into CrowdStrike Falcon X, Threat Graph, and Falcon Real Time Response to deliver best-of-breed XDR to their joint customers around the world.

Unified Threat Intelligence: Reveal(x) 360 correlates threat intelligence indicators of compromise (IOCs) from CrowdStrike Falcon X automated threat intelligence and endpoint security data from Threat Graph with network details about IOC hosts and domains for complete coverage. The data is correlated and contextualized in the Reveal(x) console.

Real-time Detection: Rapidly detect threats observed on the network such as network privilege escalation, lateral movement, suspicious VPN connections, and data exfiltration. It also helps thwart those occurring on the endpoint, including ransomware, local file enumeration, directory traversal, and code execution. This provides complete coverage across the entire attack surface.

Instant Response: With the new push-button response, security analysts can use the CrowdStrike Falcon integration to instantly quarantine a device from within the Reveal(x) platform. This approach cuts off the device’s access to network resources and other endpoints, stopping an attack in progress without disrupting the analyst’s investigation workflow.

Continuous Endpoint Visibility: With automatic device discovery and classification, Reveal(x) continuously updates and maintains a list of devices impacted by threats, even on devices where the CrowdStrike agent is not yet present. This alerts CrowdStrike customers to newly connected and potentially compromised devices that need instrumentation for device-level visibility. It also extends edge visibility to include IoT, bring your own device (BYOD), and devices incompatible with agents.
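The two capabilities described above, correlating threat-intelligence IOCs with network observations and flagging network-discovered devices that have no endpoint agent, can be illustrated independently of any vendor product. The following is an added example written for this article; it is not ExtraHop or CrowdStrike code and uses no vendor API. The IOC feed, the network observations and the EDR inventory are all constructed inline (domains and IP addresses come from reserved example and documentation ranges), and the hostnames and function names are the author’s own assumptions.

```python
from ipaddress import ip_address

# Constructed sample data (not ExtraHop or CrowdStrike data).
# IOCs in the shape a threat-intelligence feed might publish them: the domains
# use the reserved "example" labels and the IPs come from RFC 5737 ranges.
IOCS = {
    "domain": {"update-check.example-bad.net", "cdn.example-evil.org"},
    "ip": {"203.0.113.7", "198.51.100.23"},
}

# Constructed network observations as a passive sensor might record them:
# (device hostname, device IP, remote host or domain the device contacted).
NETWORK_OBSERVATIONS = [
    ("ws-finance-01", "10.0.5.12", "update-check.example-bad.net"),
    ("ws-finance-01", "10.0.5.12", "intranet.corp.example"),
    ("printer-3f", "10.0.9.200", "203.0.113.7"),
    ("ws-eng-14", "10.0.7.40", "cdn.example-evil.org"),
    ("camera-lobby", "10.0.9.31", "198.51.100.23"),
    ("ws-eng-15", "10.0.7.41", "intranet.corp.example"),
]

# Constructed EDR inventory: hostnames on which an endpoint agent is installed.
EDR_INVENTORY = {"ws-finance-01", "ws-eng-14", "ws-eng-15"}


def is_ip(value):
    """True if the string parses as an IPv4/IPv6 address."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def match_ioc(remote, iocs=IOCS):
    """Return the IOC type ("ip" or "domain") that a remote endpoint matches, or None.

    Domains match exactly or as a subdomain of a listed indicator, so a
    beacon to "a.cdn.example-evil.org" is still attributed to the indicator.
    """
    if is_ip(remote):
        return "ip" if remote in iocs["ip"] else None
    for domain in iocs["domain"]:
        if remote == domain or remote.endswith("." + domain):
            return "domain"
    return None


def correlate(observations=NETWORK_OBSERVATIONS, inventory=EDR_INVENTORY, iocs=IOCS):
    """Group IOC hits by device and record whether the device carries an EDR agent.

    Returns {hostname: {"ip": ..., "iocs": [(type, indicator), ...], "agent": bool}}.
    """
    hits = {}
    for host, ip, remote in observations:
        kind = match_ioc(remote, iocs)
        if kind is None:
            continue
        entry = hits.setdefault(host, {"ip": ip, "iocs": [], "agent": host in inventory})
        entry["iocs"].append((kind, remote))
    return hits


def uninstrumented_devices(observations=NETWORK_OBSERVATIONS, inventory=EDR_INVENTORY):
    """Devices seen on the network that have no EDR agent, regardless of IOC hits.

    This is the coverage-gap list: hosts visible to the network sensor but
    invisible to endpoint telemetry (printers, cameras, BYOD, unmanaged hosts).
    """
    return sorted({host for host, _, _ in observations} - inventory)


def triage(hits):
    """Order IOC-hit devices for the analyst.

    Devices without an agent come first: for them the network is the only
    control point and the endpoint still needs instrumentation. Devices with
    an agent follow, since endpoint-side containment is available for them.
    """
    return sorted(hits, key=lambda host: (hits[host]["agent"], host))


if __name__ == "__main__":
    hits = correlate()
    for host in triage(hits):
        info = hits[host]
        print(f"{host:14} {info['ip']:12} agent={str(info['agent']):5} iocs={info['iocs']}")
    print("no agent:", uninstrumented_devices())
```

Run stand-alone, the script lists the four devices that contacted an indicator, the two unmanaged devices (the printer and the camera) first, and then prints the full coverage-gap list. In practice the observation and inventory inputs would come from the network sensor and the endpoint platform; the correlation and prioritisation logic is what the example is meant to show.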
