ExtraHop's Addy uses machine learning to identify anomalies using wire data so you don't have to

I've liked ExtraHop's wire data monitoring for many years, and their recent cloud platform, Addy, takes that usefulness to the next level.

I love it when monitoring companies that collect data come up with interesting ways to leverage that data. I’ve said it for years about Lakeside Software, and today I’m adding ExtraHop to my list of favorite data-slicing-and-dicing companies. 

At RSA’s conference last month, ExtraHop announced their latest product, Addy, and though it won’t be out until the end of April I wanted to get an early look at it. If you’re not familiar with ExtraHop, they are a wire data analytics company that monitors network traffic on-the-fly. It’s pretty powerful stuff that can help identify problems based on information gathered from observing network transactions. For example, ExtraHop’s appliance, called Discover, can watch SQL queries as they are made and returned in order to determine if a SQL server is operating at an acceptable speed. It can also watch DNS and LDAP data, Citrix HDX traffic, storage traffic, HTTP payloads, and measure latency.

Of course, measuring all of this is one thing, but what I like about ExtraHop is what they do with all that data. We recorded a podcast with longtime friend John Smith (that IS his real name) last year that went into detail on how ExtraHop’s wire data analytics helps get to the bottom of problems that are easily, and often, blamed on other platforms. It’s the age-old “Citrix is being weird” thing, except it works with almost everything across your infrastructure.

From within ExtraHop’s management console, admins can configure triggers that will generate alerts. These alerts are highly customizable and can alert you to many problems, even things like DDoS attacks and ransomware activity, before they become significant. The problem is that while there are some machine learning capabilities on the ExtraHop appliances, they can only do so much since most of the resources are dedicated to collecting data. Plus, you have to know what you’re looking for, or rely on built-in trend analysis. All of this is great, but ExtraHop wants to do more.

That’s where Addy comes in. Addy is a cloud-based anomaly detection service that uses machine learning to analyze the activity that is captured from your network. No actual data is sent to the cloud, just the behavioral information gleaned from the device that resides on-premises. That means your data stays local, and it also means that you’re not transferring around the dozens (or hundreds!) of gigabytes of information that an ExtraHop appliance can collect. Addy interrogates the appliance, and the appliance reports back what it’s gleaned from all the data it’s watched go by.

Once Addy gets the data, it goes to work detecting anomalies automatically, looking for things you may not have thought to look for yourself. By running the detection platform in the cloud, ExtraHop has basically limitless capabilities to do trend analysis across your data. Plus, since the data is a set of behaviors and not actual network traffic, they can also compare your performance information against other customers. (I’m not sure if that’s in the product now, but it certainly is possible.)

The goal with Addy is to lighten the load on the admin. No matter how proactive you are with creating triggers that alert you to potential problems, odds are you’re still cursed with the problem of “you don’t know what you don’t know,” meaning you can’t set up an alert for something you didn’t even know to look for. Addy looks at everything and alerts you to things you should be interested in.

If Addy gets too ambitious, you can tweak it to not show certain things. For example, if it notices your login times are longer today than they were in the past, but they’re still within your acceptable limits, you can mute the alerts from appearing. This helps eliminate the noise that tends to desensitize us when we get too many alerts.

Addy hasn’t been released yet (it’s due out at the end of April), but it has already helped a beta customer identify a DDoS attack as it was beginning. It noticed a gradual increase in Layer 4 traffic and alerted the customer (who did not have a trigger set up locally because they didn’t know to look for it), and that customer was able to deal with the attack before it became a problem.
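To make the "baseline versus acceptable limit" idea from the last few paragraphs concrete, here is an added Python illustration; it is not ExtraHop's or Addy's code, and the metric series, warm-up length, z-score threshold and limit values are constructed assumptions:

```python
"""Toy behavioural anomaly detector in the spirit of the article: metrics derived
from traffic (not the traffic itself) are scored against a learned baseline, and
an admin-set acceptable limit mutes alerts that are statistically unusual but
still fine. Added illustration, not ExtraHop's or Addy's algorithm."""
from statistics import mean, pstdev
from typing import List, Optional, Tuple

def zscore(baseline: List[float], value: float) -> float:
    """How many baseline standard deviations `value` sits above normal."""
    sd = pstdev(baseline) or 1.0   # a perfectly flat baseline would divide by zero
    return (value - mean(baseline)) / sd

def detect(series: List[float], warmup: int = 4, z_threshold: float = 3.0,
           acceptable_limit: Optional[float] = None) -> List[Tuple[int, float, str]]:
    """Score every point after the warm-up period against the warm-up baseline.
    The baseline is fixed on purpose: a rolling window would absorb a slow ramp
    into 'normal' and never fire. Verdicts: 'alert' (unusual and above the
    acceptable limit, if one is set), 'muted' (unusual but within the limit),
    or 'normal'."""
    baseline = series[:warmup]
    results = []
    for i, value in enumerate(series[warmup:], start=warmup):
        z = zscore(baseline, value)
        if z < z_threshold:
            verdict = "normal"
        elif acceptable_limit is not None and value <= acceptable_limit:
            verdict = "muted"
        else:
            verdict = "alert"
        results.append((i, round(z, 2), verdict))
    return results

def first_alert(series: List[float], **kwargs) -> Optional[int]:
    """Index of the first interval that would actually page someone, or None."""
    return next((i for i, _, v in detect(series, **kwargs) if v == "alert"), None)

# Constructed sample data (not real measurements).
# New TCP connections per minute: four quiet minutes, then the kind of slow ramp
# the article says Addy flagged before the customer had a trigger for it.
L4_CONNECTIONS = [990, 1010, 990, 1010, 1020, 1035, 1055, 1080, 1110, 1150]
# Login time in seconds: drifting upward, but the admin accepts anything under 30 s.
LOGIN_SECONDS = [20, 22, 20, 22, 23, 25, 26, 24]

if __name__ == "__main__":
    for i, z, verdict in detect(L4_CONNECTIONS):
        print(f"minute {i}: {L4_CONNECTIONS[i]} conns  z={z:>5}  {verdict}")
    for i, z, verdict in detect(LOGIN_SECONDS, acceptable_limit=30):
        print(f"login {i}: {LOGIN_SECONDS[i]} s  z={z:>5}  {verdict}")
```

Run without an acceptable limit, the login series would alert on the same drift that the limit mutes, which is exactly the noise-versus-signal trade-off the article describes.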

ExtraHop is one of the more intriguing companies out there, and it seems the world is starting to take notice. They were even just added to the Visionaries quadrant of Gartner’s Network Performance Monitoring and Diagnostics Magic Quadrant. As we get closer to launch, I want to take a deeper look at Addy. In the meantime, you can take a look at a webinar that they produced just after Addy's announcement, and check out ExtraHop to see how it can complement your existing monitoring platform (well, platforms, really, because we all have more than one).

1 comment

So, at the risk of contributing to all the machine learning and AI hype, I think this is awesome. It's a new type of business logic for apps, and that includes the apps that IT uses to provide security and management for our environments. I wrote a bit more about this back in January: How will the rise of artificial intelligence affect EMM, desktop virtualization, and EUC? And another recent example was in this article about Centrify.