The ExtraHop Reveal(x) Demo: NDR At Your Fingertips

"Sometimes magic is just someone spending more time on something than anyone else might reasonably expect" - Teller (of magician duo Penn & Teller)

It is surprisingly difficult to find an openly accessible, robust, and real-seeming demo of an enterprise cybersecurity product online. You run into a lot of video walkthroughs (which are great, but interactive is better!), and contact forms that say "Get in touch for a live demo with one of our reps (also fine, but not the same).

The reason for this is that it is very hard to build a robust demo that's safe to open to public internet users. Most enterprise cybersecurity companies do not have the capacity to do this, or don't prioritize it.

That's a mistake.

The online demo of Reveal(x), ExtraHop's flagship cybersecurity product for network detection and response, has been a crucial part of the decision-making process for many of our customers as they seek to make permanent improvements in their security posture. In a cybersecurity landscape where fear, uncertainty, and doubt-based marketing is the norm for 2,000+ vendors, we've consistently received feedback that our live, interactive, hands on, real demo is a welcome relief

THE HEAVENS HAVE OPENED UP AND THE GODS HAVE ANSWERED ME! A DEMO FOR US TO PLAY WITH! THANK YOU EXTRAHOP! You should be called Extra Hope because you have restored my hope in vendors. #XFD2

— InfoSteph, the Phoenix (@StephandSec) June 20, 2019

But more importantly, it helps people learn about network security! We use the online demo for user training to help people learn what real security data and network visibility looks like.

None of this happened automatically. We got there through the Teller method of spending more time and effort than anyone could reasonably expect to make our demo as great as possible.

This post will outline a few of the hurdles we've crossed in pursuit of making our demo truly magical.

The Environment Is Real

Reveal(x) is a network detection and response product. All it needs is a stream of raw packets in order to discover, identify, and conduct behavioral analysis on every device, protocol, and conversation happening across a network. It isn't easy to build an interactive, self-guided online demo that feels authentic to the enormous global enterprise environments where we're deployed (think of monitoring 2000+ retail stores and an online presence this way). In other words, we couldn't fake it.

For the Reveal(x) online demo, we build real environments with real devices running all kinds of operating systems, speaking 70+ protocols, and covering the breadth and depth of communication that happens in actual enterprise networks.

To make this consumable for online demo users, we built the actual environments, applications, devices, VMs, domain controllers, workstations, and more, and let them run while capturing a real-time packet stream that we can replay on a loop in our demo to provide the most realistic experience to our prospective users.

We're the only network detection and response vendor that does this and provides complete online access to our demo to anyone who wants it. All you have to do is visit www.extrahop.com/demo.

The Attacks Are Real, Because They Have To Be

One of the most valuable capabilities Reveal(x) offers is behavioral threat detection. The product observes every device on the network and uses machine learning to develop baselines and predictive behavioral models (over 100 per device) so that it can let our customers know when there's an active threat in their environment.

Because enterprise networks are large, complex, and ever-changing, we can't just rely on available attack simulation techniques, and we can't fake it. We have to actually run the attacks. For many of our detections, including ransomware, brute force, lateral movement, data exfiltration, and hundreds of others, we built enterprise-grade environments and attacked them in order to capture the actual, real-world behaviors that enterprise security operations teams need to be able to detect, investigate, and respond.

Modern cyber attacks against enterprise environments are far more complex than just dropping malware into the environment. Attackers have been forced to adapt to increasing security measures, and every step in the attack chain has grown more complex.

To generate the traffic for the Live Attack scenario in our online demo, our CISO and threat research team ran a full attack campaign against a real-world demonstration network, including:

• Starting with basic reconnaissance activities like using Metasploit to run nmap and DIRB scanning tools against the environment,
• Exploiting a known Drupal vulnerability (CVE-2018-7600),
• SMB/CIFS brute force attack to log into a workstation discovered in the scanning process,
• Moving laterally by abusing WSMAN and WMI protocols and a pass-the-hash attack tactic,
• Installing cryptomining software on compromised endpoints to hijack enterprise compute for personal profit,
• And finally installing ransomware on various critical assets to extort money from the company.

Obviously, our CISO did not actually follow through on the extortion, but the fact is that he ran a full-blown attack on a real enterprise environment. The steps above are just the highlights of the sophisticated, multistep attack he ran and the traffic we captured is exactly what is shown in our online demo.

Getting exposure to this type of real-life scenario is an important way for security professionals to learn to recognize and validate real threats in their environment. The educational component of the demo drives value for customers looking to elevate the skillsets and threat hunting instincts of their analysts, especially in a situation where many other enterprise security tools deliver a flood of false positives.

Managing The Service Is An Informative Challenge

The demo is basically a SaaS product. We have to manage it and resource it to be able to handle many concurrent users across the globe in real-time without falling over. That's a nontrivial challenge, and doing it directly benefits our product managers and engineers who build and manage our actual SaaS product that we sell and deploy in customer environments. We find bugs, we get feedback, and we learn things from the demo that end up benefiting actual customers and end users. What's not to love?

Why Do We Do This?

Short answer: we can't help ourselves. We couldn't bear just showing a mocked-up, cobbled together demo with carefully safeguarded access (not going to name any names here.).

Longer answer: building the demo benefits us in all kinds of ways. Explaining the depth and breadth of network security and visibility provided by Reveal(x) using just words is hard. We'd rather show off the product than just describe it or show slides about it. We're proud of what we've built, and we want as many people to see and learn from it as possible.

We use our own products in our own environment, and we are forced to explore their capabilities and understand their edge cases much more deeply because of the online demo. This helps us build a better product.

With that, we're announcing that we're fully opening up access to our demo. You used to have to fill out a little form to get in (we like to know who's interested).

Now you can just dive in. No questions asked. If you get to the end and you're excited enough to give us some contact info, we would be thrilled to get in touch and do a deeper dive, tailored to your interests.

Check out the demo here, and have fun!