What is our primary use case?
We were seeking a solution that can effectively identify security incidents within our networks, providing a level of visibility that surpasses what other products with agents currently offer. Additionally, we have a critical need for robust asset management capabilities. Traditional agent-based products fall short in comparison to what we can automatically glean from our network. Our third priority lies in network hardening. We aim to rapidly identify vulnerabilities and weaknesses, a task that has historically been time-consuming or, in some cases, nearly impossible. The ability to receive comprehensive information within a mere three minutes is crucial for enhancing our network security posture.
How has it helped my organization?
We only used it in a PoV, but we have already easily identified the places that need attention. So we can say that the product starts bringing valuable data to the company from the very first minutes of use.
Additionally, I would like to mention the option to purchase an additional NPM licence, which enables the statistics and network metrics module for the NOC. For example, this solution will help in troubleshooting the network and AD.
What is most valuable?
It stands out for its intuitive and efficient user interface, robust detection capabilities with minimal false positives, and the ability to handle encrypted traffic, making it a valuable asset for network security and management. Its strengths lie in its outstanding user interface, streamlined implementation, and efficient ongoing support. With a commendably low false positive rate, it minimizes operational efforts, allowing for quick comprehension and configuration. A notable advantage is its licensing based on MAC addresses, providing a more accurate representation of real devices and potential cost savings.
What needs improvement?
The NDR feature analyzes network traffic, creating records with connection details. While these records offer insights, there's a limitation in investigating payloads directly. ExtraHop provides an option for an additional server to save payloads, but its temporary storage has constraints. Unlike some competitors, it lacks an automatic payload-saving feature for each detection, presenting an improvement opportunity. A suggested enhancement would have the main sensor prompt payload storage for specific detections, streamlining the investigation process and contributing to a more efficient workflow. A further drawback is the packet storage limitation for payload data, which necessitates timely extraction for thorough investigations.
For how long have I used the solution?
I have been working with it for several weeks.
What do I think about the stability of the solution?
Occasionally, when I click on a link, I receive a page error, and after a few refreshes, it starts working again. I'm unsure whether the issue lies on my side or theirs, and we need to identify the cause. It's worth noting that this happens infrequently, and the rest of the system operates smoothly without any errors.
What do I think about the scalability of the solution?
The solution scales well and supports network traffic analysis in the cloud. Of course, it is limited by the limitations of the cloud itself. The servers are very powerful. For example, a 1U server can handle 25 Gbps of traffic, whereas there are solutions that require two 2U servers for such performance.
Which solution did I use previously and why did I switch?
We used LogRhythm NetMon, but it had reached the end of its life cycle and had only basic functionality.
How was the initial setup?
The initial setup was straightforward.
What about the implementation team?
The implementation process was swift, taking only an hour. After receiving sign-up emails, I completed a questionnaire, discussed the architecture, and a dedicated environment with the correct naming was promptly set up. Upon receiving an invitation, I set a password and enabled Multi-Factor Authentication, gaining full access to the client environment. A server arrived via post, and following the documentation instructions, I installed it in our data center, handling all cabling. During a call with a technical engineer, we configured the server together, initiating data transmission to the cloud environment. In the cloud, I easily customized settings and added users, and the essential setup was complete.
What's my experience with pricing, setup cost, and licensing?
The pricing is dependent on the network size, typically falling into the six-digit range. When compared to other solutions, it aligns with the market average, indicating a competitive pricing level.
Which other solutions did I evaluate?
Yes. LogRhythm NDR and DarkTrace.
What other advice do I have?
I recommend prioritizing demos over POCs when engaging with vendors. Organizing POCs involves significant time and resource investments for both parties. Instead, invest time in multiple demo sessions, exploring the product in various scenarios and comparing capabilities against a predefined list of success criteria. Create a detailed success criteria list initially. Identify a top vendor based on these criteria, saving time and resources. Overall, I would rate it nine out of ten.
Which deployment model are you using for this solution?
Private Cloud
*Disclosure: My company does not have a business relationship with this vendor other than being a customer.