Integrations improve security team efficiency and effectiveness
Visibility reduces shadow IT risk
Faster and more complete performance issue identification and inventory tracking
Executive Summary
Reveal(x) is a critical component protecting our device data privacy, cybersecurity, and compliance. It allows us to quickly pinpoint those applications that don't have good security standards, so it's key to keeping us safe.
Kevin Wright
Cybersecurity Manager,
U.S. Xpress Enterprises
The Beginning
Fast-growing Company Updates Cybersecurity
A fast-growing company, U.S. Xpress went public in 2018. The company had used Symantec Endpoint Protection, but steady changes to the business meant the company needed to upgrade its security posture.
The company first replaced its basic antivirus with a more capable EDR from CrowdStrike, then added AlienVault's open source SIEM. The final piece was an NDR solution, so the team evaluated offerings from Darktrace, Gigamon, and ExtraHop.
"We picked ExtraHop Reveal(x) over the others because of its speed," says Cybersecurity Manager Kevin Wright. "The advanced machine learning and integrations are also key to achieving our business goals—and ExtraHop's customer service is second to none."
The Transformation
Reveal(x) Simplifies Security Management
Wright's team has only three people who manage the company's cybersecurity, and they appreciated the opportunity to build out a program using the best tools they could find to maximize their effectiveness.
"Autodiscovery, peer group analysis, and the ease of creating investigations to view multiple detections make Reveal(x) simple to manage and use for our small team," he says. "And we especially like its real-time DVR capability—which lets us rewind time to look into specific issues instead of having to dig into a bunch of alerts with limited data to figure out what happened."
The security team has extended the use of Reveal(x) to the company's network engineers and to the developers who build in-house apps. These teams use the platform for performance analysis of servers and applications, and the network team also uses it to troubleshoot networking issues.
"After a couple weeks to be sure that Reveal(x) had identified legitimate traffic, we added integration to CrowdStrike and customized dashboards. ExtraHop customer service was key in making our install so efficient and clean," says Wright.
The Outcome
Creating an Effective Security Ecosystem
Integrations fuel new efficiencies
"ExtraHop integrations were paramount in the success of this project," says Wright, "especially for a team like ours." Reveal(x) works in sync with U.S. Xpress' SIEM, which saves the security team time while also making them more effective. Wright credits an ExtraHop engineer for helping the team set up a log collector that forwards logs, alerts, and investigations directly into the SIEM.
The log collector runs within the NDR to capture and pass information up to the SIEM. The MSSP triages alerts and then hands them back down to the security team for remediation. "We were collecting logs and reporting out in just a couple days," says Wright. "Then we were able to fine-tune alert thresholds in our SIEM to screen out noise and reach a happy equilibrium."
"We work with our SIEM on a daily basis, so this was a huge efficiency gain for us," says Wright.
Reveal(x) ensures app quality and inventory tracking
U.S. Xpress has an internal team of developers who build in-house applications hosted both on-premises and externally. The development team uses ExtraHop Reveal(x) to ensure quality of service for all applications and web servers. "They've used it to troubleshoot some notoriously badly written applications, too," says Wright. The infrastructure support team also uses Reveal(x) for inventory tracking. "Whenever a new appliance is connected to the network, they're able to see it," says Wright. "It's good to see that we have a new appliance connected and transmitting data to TCP over port 80. We can see that happen live and it's great to be able to react quickly when we get those types of alerts."
Visibility reduces shadow IT risk
U.S. Xpress needed Reveal(x) to integrate smoothly with its EDR and SIEM so the team could get full visibility of everything in the environment. For instance, the Reveal(x) integration lets the team run alerts, investigations, and responses through SOAR workflows. "You can trigger off of 'if this appliance does not have CrowdStrike as an agent then do XYZ,'" Wright explains. This visibility helps the security team ferret out shadow IT devices more efficiently, which grew in importance during the recent pandemic. "We went from being an office-based organization with everyone on site and at terminals to one where 98% of us work from home," says Wright. "We really needed to be able to detect what we have coming across the pipe, especially now with users coming back into the office we can ensure that they're only bringing back authorized hardware. And Reveal(x) is phenomenal for finding shadow IT."
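The two checks described above, the "device has no EDR agent" trigger and the "new device already serving TCP/80" inventory alert, come down to reconciling what the network sensor sees against what the endpoint agent reports. The following is an added illustration, not ExtraHop, CrowdStrike or U.S. Xpress code; the record shapes, field names, sample devices and the exempt list are all constructed assumptions. It normalizes MAC and hostname formats before joining (the two consoles rarely agree on them), and it carries an exemption list for devices such as printers that cannot run an agent, so the SOAR action does not fire on every pass.

```python
"""Added example: reconcile an NDR device inventory with an EDR agent inventory.

Not code from ExtraHop, CrowdStrike or U.S. Xpress. All record shapes and
sample data below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class NetworkDevice:
    """One device as a network sensor might report it (hypothetical shape)."""
    ip: str
    mac: str
    hostname: str                 # empty if never seen in DNS, DHCP or SMB traffic
    first_seen: datetime
    server_ports: set[int] = field(default_factory=set)  # ports it accepts connections on


def normalize_mac(mac: str) -> str:
    """Strip separators and lowercase so '00-1A-..' and '00:1a:..' compare equal."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def normalize_host(hostname: str) -> str:
    """Lowercase and drop the domain: EDR consoles tend to show an FQDN, sensors a short name."""
    return hostname.strip().lower().split(".")[0]


def unmanaged_devices(ndr_devices, edr_hosts, exempt_macs=frozenset()):
    """IPs of devices seen on the wire that have no matching EDR agent record.

    edr_hosts: iterable of dicts with 'hostname' and 'mac' keys (assumed export shape).
    exempt_macs: devices that cannot run an agent (printers, cameras, appliances);
    without this list the same devices would alert on every run.
    """
    edr_macs = {normalize_mac(h.get("mac", "")) for h in edr_hosts} - {""}
    edr_names = {normalize_host(h.get("hostname", "")) for h in edr_hosts} - {""}
    exempt = {normalize_mac(m) for m in exempt_macs}
    findings = []
    for dev in ndr_devices:
        mac = normalize_mac(dev.mac)
        if mac in exempt:
            continue
        # Match on MAC first (stable), fall back to hostname; an empty hostname never matches.
        managed = mac in edr_macs or normalize_host(dev.hostname) in edr_names
        if not managed:
            findings.append(dev.ip)
    return sorted(findings)


def new_cleartext_http_servers(ndr_devices, now, window=timedelta(hours=24)):
    """IPs of devices first seen within `window` that already accept connections on TCP/80."""
    return sorted(d.ip for d in ndr_devices
                  if now - d.first_seen <= window and 80 in d.server_ports)


# Constructed sample data (not real hosts).
NOW = datetime(2024, 1, 15, 12, 0, 0)
SAMPLE_NDR = [
    NetworkDevice("10.1.0.11", "00:1A:2B:3C:4D:5E", "ws-101", NOW - timedelta(days=30)),
    NetworkDevice("10.1.0.12", "00-1A-2B-3C-4D-5F", "ws-102", NOW - timedelta(hours=2), {80}),
    NetworkDevice("10.1.0.50", "AA:BB:CC:DD:EE:01", "", NOW - timedelta(hours=1), {80, 443}),
    NetworkDevice("10.1.0.70", "AA:BB:CC:DD:EE:02", "printer-3f", NOW - timedelta(days=90), {80, 9100}),
]
SAMPLE_EDR = [
    {"hostname": "WS-101.corp.example", "mac": "001A2B3C4D5E"},
    {"hostname": "ws-102", "mac": ""},   # agent export missing the MAC; hostname still matches
]
EXEMPT_MACS = frozenset({"aa:bb:cc:dd:ee:02"})   # the printer


def run_checks():
    """Both checks over the sample data, as a SOAR job would run them on a schedule."""
    return {
        "no_edr_agent": unmanaged_devices(SAMPLE_NDR, SAMPLE_EDR, EXEMPT_MACS),
        "new_http_servers": new_cleartext_http_servers(SAMPLE_NDR, NOW),
    }


if __name__ == "__main__":
    for check, ips in run_checks().items():
        print(f"{check}: {ips}")
```

In the sample, 10.1.0.50 is the shadow IT case: no hostname, no agent, already serving HTTP an hour after it appeared. 10.1.0.12 is managed but still shows up in the new-HTTP list, which is the inventory signal Wright describes rather than a security finding on its own.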