This article was written and contributed by ExtraHop.

Fulfilling the Vision of the Modern SOC

One of the biggest challenges enterprises face is seeing and understanding what's happening across their complex, encrypted, and hybrid networks.

Our latest release helps customers by exposing threat actors who move laterally without being detected, impersonate authorized users to gain access, and exploit privileges to target more critical assets.

With these new features, ExtraHop gives SOC teams unprecedented visibility across SASE, lateral movement, and identity attacks.

Zscaler Integration for Expanded Zero Trust Visibility

Together, Zscaler and ExtraHop are providing end-to-end visibility into communication that traverses the Zscaler cloud and beyond. By correlating Zscaler Private Access (ZPA) logs with network telemetry from ExtraHop, SOC teams get a complete view of events for faster response.

Zscaler Log Streaming Service (LSS) forwards ZPA user activity logs into ExtraHop RevealX packet sensors, automatically enriching ExtraHop detections to deliver end-to-end L2-L7 visibility for all user-to-application communication. ExtraHop creates records that can be stored for analysis for up to 365 days.

This expanded visibility provides security teams with a holistic understanding of threat context and user attributes, allowing them to quickly triage and respond to attacks. While ZPA offers secure, zero trust network access, RevealX NDR enables deeper visibility and accelerated investigation. By analyzing traffic patterns and behavioral insights from RevealX, security teams can also create more granular and effective Zscaler policies and ensure policies are working as intended.

Enhanced Visibility into Lateral Movement

We've also enhanced our ability to detect adversaries using living-off-the-land binaries and scripts (LOLBAS) techniques, such as PowerShell, to move laterally across environments. These latest capabilities improve command-line argument analysis for PowerShell carried over the MS-RPC and WSMAN protocols.

Leveraging ExtraHop's unique decryption and protocol decode capabilities, customers can detect malicious activity from threat actors who try to evade detection by misusing legitimate tools. Too many security controls lack awareness of the contents of these communications (either because they cannot decode the protocols used, cannot decrypt encrypted communications, or both) and as a result ignore PowerShell activity.

Visibility into Anomalous Privileged User Activity

Privileged or influential users, such as admins and executives, are often the first ones targeted by threat actors due to their extensive access to sensitive data and systems. We've added the ability to automatically raise detections involving privileged or influential users to a higher priority level, ensuring SOC analysts can quickly investigate and triage the most critical identity-driven threats.

Easier Analysis in Record Search

Now you can run a records search, "group by" up to three fields, and then export the results to a table that you can add to your report, investigation, and so on. We've also increased the maximum number of records returned from 50 to 1,000. This makes it much easier to analyze multiple records to find what you're looking for during your investigations.
