
What Works in Application Security: Improving Time to Detect, Respond and Contain with ExtraHop Reveal(X)

John Pescatore, Director, SANS

Celebrating Successes

Obligatory Agenda Slide

• Housekeeping info
• Here’s what we will do
– 1:05 – 1:15 Overview – John Pescatore, SANS
– 1:15 – 1:45 Conversation with user
– 1:45 – 2:00 Q&A

Thanks to our sponsor:

Q&A

Please use GoToWebinar’s Questions tool to submit questions to our panel.

Send to “Organizers” and tell us if it’s for a specific panelist.

Cybersecurity Performance Varies – Why?

Source: 2019 Identity Theft Resource Center

• Breaches declined by 23% in the US!
• Take out the Marriott breach: total number of records exposed decreased by 60%!
• Breaches down further in 2019, but ransomware up!
• Effective and efficient SOCs are the key common factor in success stories
What Is Success for a SOC?

Statement of Success

A SOC is successful when it intervenes in adversary efforts to impact the availability, confidentiality, and integrity of the organization’s information assets. It does this by proactively making systems more resilient to impact and reactively detecting, containing, and eliminating adversary capability.

Visibility Matters
But, wait – there’s more!
• Quality Metrics
– Percentage of work tickets declared as false positives
– Percentage of remediation actions that resulted in “friendly fire”
• Efficiency Metrics
– Ticket closures per shift/analyst
– Resources consumed per incident
• Outlier Analysis
– Frequency of external notification of incident
– Cause of multi-ticket simultaneous closures
Taking Action Earlier to Avoid or Minimize Damage

[Timeline figure: Pre-attack → Damage Avoidance; Proactive = Earlier Action = Damage Minimization; Mitigation; Late Action = Incident Response]
WhatWorks Interview

• What is your business and IT environment?
• What problems or threats prompted you to look for a solution like Reveal(X)?
• How did you convince management to fund this effort?
• What were your key criteria for a solution?
• Can you walk me through the process you used to find the best solution?
• How long did it take to become operational? Walk us through the process.
• Which/how many Reveal(X) features were used?
• What were the major obstacles you had to overcome?
• How much staffing does it require to use it effectively?
• When you first deployed Reveal(X), did you find anything that surprised you or prompted changes before you went operational?
• Are there some lessons learned you’d like to pass on to other people who will be following on your path?
• How has the support been overall?
• Are there any features or functions you’ve asked Reveal(X) to add to the product?
• Anything else you’d like to add?
Resources
• SANS What Works: https://www.sans.org/critical-security-controls/case-studies
• SANS Difference Makers Awards – https://www.sans.org/cyber-innovation-awards
• ExtraHop: https://www.Reveal(X)Security.com
• q@sans.org
• @john_pescatore

Acknowledgements

Thanks to our sponsor:

And also to our user and to our attendees:


Thank you for joining us today

© 2019 The SANS™ Institute – www.sans.org

