NIL ExtraHop
20.10.2016

When IT infrastructures evolve into complex systems full of legacy equipment and services, troubleshooting often turns into arcane magic or a game of whack-a-mole. Even identifying problems is a challenge: you can't always count on the staff to tell you an operation is slow. If you haven't yet thought of network sniffing and reporting tools as the way to harness the assets you already own, it's high time you did. Put simply, such a tool turns unstructured network data into structured wire data, applies real-time analytics and delivers the monitoring results you were after in the first place. Yes, it is that simple.

As an IT and network engineer, I have just about seen it all when it comes to hardware, software, networking and even virtual problems. Over the years, I learned the best way to handle them is to have a good monitoring solution in place.

The average IT department doesn’t control and monitor all the assets it owns. To be honest, they often don’t even know about all the IT assets, as “stuff” just piles up in the IT infrastructure over the years. This leads to one of the biggest problems faced by IT departments today: understanding how and why solutions work, or don’t work, together.

Back to troubleshooting, or rather control and monitoring. Solutions are usually implemented in one of two ways. The simple approach relies on (performance) logs being sent from different devices, and IT personnel check the logs when they encounter a problem in the IT environment. The somewhat more useful approach bets on software agents installed on these devices. Both solutions have serious shortcomings: logs only offer basic information, usually when something breaks completely, and agents have to be installed, but not all devices allow them (think IoT).

Most monitoring solutions will tell you which assets work and which don’t; they just won’t tell you how well a complex solution is performing. So what do you do when your helpdesk keeps getting calls that part or all of the IT infrastructure or its services is underperforming? It may be hardware, software or network related; the problem can be hidden in various solutions/services, the connections between them, or even in (seemingly) completely unrelated parts of the infrastructure.

This is where a network sniffing and analytics approach shines. It monitors the network traffic, as just about everything communicates over the network nowadays. This isn’t the type of troubleshooting via the network that’s been a nightmare of its own in the past. Making sense of all the zeros and ones in Wireshark (a well-known network protocol analyser) requires highly skilled personnel that many IT departments just don’t have, and with big data moving over networks, this approach is becoming less and less viable if data interpretation requires a human.

Then came ExtraHop, a tool that I’ve recently seen move the boundaries of performance monitoring and analysis. The team behind ExtraHop went a few steps beyond the old days of data inspection. The company offers physical and virtual monitoring appliances that analyse over 3,600 metrics and over 50 protocols, and can make sense of the data in the most dynamic and complex of IT environments. The virtualized (software) appliance can monitor up to 10 Gbps of throughput, and the hardware version raises the bar to 40 Gbps of wire data analytics.

The platform is user friendly as well. It turns unstructured network data into structured wire data and delivers insight into operations, DevOps, security and many other predefined charts. I wanted to see how well it picks up on unannounced and unspecified disturbances in the infrastructure, so I put it to the test and challenged it to catch the activity of a crypto-virus (ransomware) in the network. Its proactive security model can complement the security platforms that protect the perimeter, and the gathered data can serve as forensic evidence in case of a hacker attack. It’s no surprise that a tool like this also excels at performance monitoring, letting you check how long a transaction takes to complete on the network and server side and involve IT support once you’ve identified the real problem(s).

At its core, ExtraHop is a passive system that analyses network traffic in real time. Coupled with triggers, alarms and notifications when certain thresholds are reached, it becomes an early-warning and problem-identification system, which helps you make much better use of IT personnel. Proactive machine learning (in 5-minute intervals) doesn’t only help with security issues but with just about everything else: it will soon see that your company performs nightly backups and consider this normal operation. If there is no night-time network activity one night, an alarm will go out to the IT administrator.
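To make the baseline-and-threshold idea concrete, here is a small added example of my own (not ExtraHop's code, logic or API): it learns the normal byte volume per 5-minute interval from a week of constructed flow records, then evaluates a new day and flags both a burst above baseline and the nightly backup that failed to run. The flow records, the sigma and minimum-delta thresholds, and all function names are assumptions made for this illustration only.

```python
"""Baseline-and-threshold alerting over flow records.

Added illustration of the early-warning behaviour described in the text:
learn what "normal" looks like per 5-minute interval, then alarm both on
unusual bursts and on expected activity that does not happen (the nightly
backup case). Constructed example code, not ExtraHop's own logic or API;
every flow record below is synthetic.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import mean, pstdev

BUCKET_MINUTES = 5
BUCKETS_PER_DAY = 24 * 60 // BUCKET_MINUTES
MB = 1_000_000


def bucket_of(ts: datetime) -> int:
    """Index of the 5-minute interval of the day that ts falls into."""
    return (ts.hour * 60 + ts.minute) // BUCKET_MINUTES


def bucket_label(b: int) -> str:
    """Human-readable HH:MM start of bucket b."""
    minutes = b * BUCKET_MINUTES
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def aggregate(flows):
    """Total bytes per (day, bucket). flows: iterable of (datetime, byte_count)."""
    totals = defaultdict(int)
    for ts, nbytes in flows:
        totals[(ts.date(), bucket_of(ts))] += nbytes
    return totals


def learn_baseline(training_flows):
    """Per-bucket (mean, population stdev) of bytes across all training days.
    A bucket with no flows on a given day counts as 0 bytes, so silence is
    learned as normal too."""
    totals = aggregate(training_flows)
    days = sorted({day for day, _ in totals})
    baseline = {}
    for b in range(BUCKETS_PER_DAY):
        samples = [totals.get((day, b), 0) for day in days]
        baseline[b] = (mean(samples), pstdev(samples))
    return baseline


def evaluate_day(baseline, flows, day: date, sigma=3.0, min_delta=10 * MB):
    """Compare one day's buckets with the baseline and return alerts.

    burst:  volume well above normal (sigma band plus an absolute floor so a
            tiny, steady bucket cannot alarm on a few kilobytes of jitter).
    absent: expected volume missing, i.e. "the backup did not run"."""
    totals = aggregate(flows)
    alerts = []
    for b in range(BUCKETS_PER_DAY):
        observed = totals.get((day, b), 0)
        mu, sd = baseline[b]
        band = sigma * sd
        if observed > mu + band and observed - mu > min_delta:
            kind = "burst"
        elif observed < mu - band and mu - observed > min_delta:
            kind = "absent"
        else:
            continue
        alerts.append({"time": bucket_label(b), "kind": kind,
                       "observed_mb": round(observed / MB, 1),
                       "expected_mb": round(mu / MB, 1)})
    return alerts


def _synthetic_day(day: date, offset: int, backup: bool, burst_at=None):
    """One constructed day of flows: quiet background, office-hours traffic,
    an optional 02:00-02:55 backup window and an optional single-bucket burst.
    `offset` adds a small per-day variation so the learned stdev is not zero."""
    flows = []
    midnight = datetime(day.year, day.month, day.day)
    for b in range(BUCKETS_PER_DAY):
        ts = midnight + timedelta(minutes=b * BUCKET_MINUTES)
        if backup and 24 <= b < 36:        # 02:00-02:55 backup window
            nbytes = 80 * MB
        elif 96 <= b < 216:                # 08:00-17:55 office hours
            nbytes = 5 * MB
        else:
            nbytes = MB // 2
        if b == burst_at:
            nbytes = 200 * MB
        flows.append((ts, nbytes + offset))
    return flows


def build_example():
    """Seven training days with the nightly backup, then a test day on which
    the backup did not run and a 200 MB burst appears at 14:00 (constructed)."""
    start = date(2016, 10, 3)
    training = []
    for d in range(7):
        training += _synthetic_day(start + timedelta(days=d), d * 100_000, backup=True)
    test_day = start + timedelta(days=7)
    test = _synthetic_day(test_day, 300_000, backup=False, burst_at=14 * 12)
    return training, test, test_day


def run_example():
    """Learn the baseline from the training week and evaluate the test day."""
    training, test, test_day = build_example()
    return evaluate_day(learn_baseline(training), test, test_day)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running it lists twelve "absent" alerts covering the 02:00 to 02:55 backup window and one "burst" alert at 14:00, while the ordinary office-hours buckets stay quiet because their deviation sits inside the learned band. The absolute `min_delta` floor is the part worth tuning in practice: a pure sigma test on a bucket whose training stdev is near zero would otherwise fire on harmless jitter.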

The discovery appliance also delivers eye candy in the form of reports and summaries based on flow records. These can be integrated into other BI systems/solutions via API, allowing you to perform additional queries. The beauty of ExtraHop lies in its simplification of information: it can show even non-network-savvy people where problems are, such as bad HTTP requests, expired certificates, IP-telephony routing, etc. And when you decide to use one or more (SQL) database modules with ExtraHop, the real-time insight is even better (wider), as the platform provides visibility into the network, web, and storage tiers for a holistic view of application performance.

At NIL, we use ExtraHop primarily for application performance monitoring and fine tuning IT asset performance. We plan to apply the wire data analytics to security monitoring as well. All in all, I am not surprised ExtraHop is considered the global leader in real-time wire data analytics. It does such a great job on so many levels.