What is most valuable?
Auto discovery and auto classification of the entire data-center application environment allows ExtraHop to be functional within hours of providing the EDA with a data feed. There is no product I have seen that even comes close to the speed at which it becomes operational.
The administrative overhead to install and manage the tool is ridiculously low. It is completely agentless, passive, and requires zero configuration on any end device for it to work. The only engineering required is providing the data feed. The time administrators normally spend on system administration can be funnelled into customization instead.
The degree to which the tool can be customized is near limitless. Just about anything on the wire can be a metric or a transaction record. It is most broadly used for operational analytics, but has many use cases for security, clinical, and business analytics as well.
The big data back end is a game changer. Every single network flow and application transaction can produce records. The EXA is still in its initial version having only been released a few months ago, and is already very useful. There are numerous improvements already in the pipeline for the next releases that will make it an even better analytics tool.
How has it helped my organization?
Like most organizations, the one where I worked had no functional tier 2. This is because systems are so complex the vast majority of support required engineering resources. This also means that any performance ticket could wind up with just about any engineering group and often multiple groups would have to be engaged for troubleshooting. ExtraHop provides metrics and dashboards that allow IT staff to quickly triage issues and get them to the right group for remediation without having to play hot potato with multiple tickets. It makes the idea of building an effective tier 2 operations team a feasible one.
What needs improvement?
The improvement that would make the most impact would be expanding on the new EXA big data back end. Currently the queries are limited to simple ones and visualization of the query results does not exist. That being said, it is still incredibly useful and unlike anything else out there. As one would expect, developers have been working on features since before the initial release and there will be many improvements in the near future.
The second criticism I have is the Activity Map. This tool allows one to see all device and protocol connectivity with a selected device or group of devices. It is a fantastic tool for defining client types and tiers in an application. My criticism is that the maps cannot currently be added to a dashboard. Logical application connectivity maps are very nice to have and I would always want one on an application dashboard, given the option.
For how long have I used the solution?
I was a customer or prospective customer for nearly two years. I was so impressed that, when offered the opportunity to work with the platform as a major part of my job description, I left my stable, well-paying job to go to work for a VAR who is an ExtraHop partner. We've used both the EDA and EXA versions.
What was my experience with deployment of the solution?
Deployment is entirely dependent upon the data feeds. The difficulty in engineering those feeds varies widely depending upon the network architecture. My organization already had a Gigamon visibility fabric in place so, in our case, engineering the feeds properly was fairly simple – ‘done before lunch’ simple. The mid-sized appliance had a 10 Gbps limit, which was fine since traffic was generally under six Gbps. When Data Domain replication or large NetBackup jobs ran, we could just filter that out on the Gigamon to prevent saturating the single link.
What do I think about the stability of the solution?
I have had no problems with stability.
What do I think about the scalability of the solution?
The appliances are scalable up to 40 Gbps and can scale horizontally as well through the use of a command appliance, so no issues there.
How are customer service and support?
Both customer service and support were outstanding when I was a customer. During our POC, they actually developed a new built-in metric based on our input which was in the wild before we had even completed the purchase. Support has always been responsive and knowledgeable.
Which solution did I use previously and why did I switch?
I was looking to reduce the large amount of time I was spending in deep capture analysis sessions to diagnose application issues. I had some Omni Engines in place to make that job easier – which is a great analyser, by the way – but capture analysis was still a long process of finding the needle in the stack of needles. I was looking for a tool that not only made the analysis easier, but empowered the application owners to do their own analysis. I did an extensive bake-off between ExtraHop and NetScout. The conclusion was that they were two very different products. It took a week of banging on NetScout to get it functional in the first place and, once it was up, I realised that it would be a useful tool for me, but would ensure that every issue would continue to come to me because I would be the only one who could leverage it. ExtraHop, on the other hand, was usable the afternoon I plugged it in and solving problems immediately. Not only that, but it was usable by all the IT silos. While engaged in troubleshooting activities I would provide reports generated from ExtraHop, which would usually result in someone asking where that amazing data was coming from. The conversation often resulted in my creating accounts for new users. It was clearly a tool that empowered others.
How was the initial setup?
The logical setup is extremely simple. There is also a large body of customization that is simple to deploy thanks to the community bundles that can be downloaded and installed. ExtraHop also has a process called a quick start, which is a week-long engagement where an ExtraHop engineer executes or validates the install and builds a few dashboards to operationalize the most important applications. The process of defining and dashboarding applications can be a bit time consuming to get it just right, but that is normal for deep customization. The more dashboards there are to provide templates, the easier future ones become. Customization can be as complex as one wants to get – even to the point of bubbling up business analytics from the wire data.
The only engineering challenge is the data feed. As I mentioned, the organization where I worked had a Gigamon, which simplified things. A couple of SPAN ports on core data center switches usually gets the majority of the visibility. If there are challenges in getting east-west traffic to the data feed (server to server traffic on the same subnet and hypervisor, for instance) there are numerous approaches to getting those packets; it’s doable but sometimes a bit challenging depending on the architecture of the data center. That isn’t an issue with the platform, though, just a challenge in accessing wire data in general.
What about the implementation team?
I implemented myself, although the ExtraHop SE was extremely helpful and responsive throughout the POC process. I have since learned that I was an outlier and a grabby customer. I have witnessed several engagements since then and the SEs are always actively engaged in the process and build customization in before a purchase is even made. After purchase, they have a quick-start process which involves a solutions architect spending a week or two getting the appliance operationalized and building the first few pieces of application customization for the customer.
What was our ROI?
ROI is tricky, because it depends on how well the tool is worked into the support workflow. In most cases, when used properly, it can reduce root cause from weeks to hours. Sometimes minutes. It can eliminate the majority of the “all-hands” troubleshooting sessions and war rooms by quickly isolating the real issues. It can also proactively identify issues and help prevent outages. In the organization where I worked (and in most others I have seen), there was not a central operations team that handled triaging so adoption was by individual silos. My day job was on the networking team, so I don’t know first-hand the extent to which it was adopted by each group. I do know that requests for packet capture analysis almost entirely dried up and I could spend much more of my time on that day job which, I am afraid, was the primary metric I was concerned with at the time.
What other advice do I have?
ExtraHop is far ahead of anything comparable in the industry. As a matter of fact, there isn’t anything that really compares. It is a wire-data driven operational analytics platform that provides network flow and application transaction performance monitoring out of the box. That description really doesn’t do it justice, though.
The ExtraHop website has a demo environment that will walk someone through numerous scenarios. It is well put together, but can be a bit overwhelming without some context or experience. I recommend having a look, but then scheduling a demo with ExtraHop, or with a VAR like the one for which I work. All that being said, these are demo environments and what the platform can do seems a bit unbelievable at times. As a customer, I know I wouldn’t have believed it without seeing it. The real proof is in the POC. If you can set up SPAN sessions on the core data center switches, ExtraHop would be delighted to send you an appliance and help to get it deployed so you can see for yourself. Don’t take my word for it in any case. Do a POC.
*Disclosure: My company has a business relationship with this vendor other than being a customer: I work for a VAR who is an ExtraHop partner.
The most surprising part of using this product is finding out all the other systems that your application server is communicating with. Normally in a Wireshark study I would have to exclude this 'noise' so I could focus on what I thought were the real traffic interactions.
Seeing it with ExtraHop you do not need to exclude those. We found AD LDAP processing that was happening way too often, once viewed over a longer window than just a 15-minute test cycle of detailed Wireshark analysis.
Having the ability to create a dynamic Wireshark data capture of a certain based on a 'long' response time also gave us insight into the application that with other approaches would have been more difficult.
As I tell my co-workers - this product is great - except it continues to create more work as we discover problems we were not aware we had!
With the addition of the EXA Product it extends the analysis you can do with looking at each detail interaction instead of summaries.
This is very much a Lego type of product. You have the different Legos to put together to create unique solutions based on your applications and setups.
It looks at all the interactions taking place. A very rich product.