Chalk Talk: The ExtraHop Architecture

The ExtraHop platform was built to deliver visibility, detection, and investigation at massive scale. We consume a copy of unstructured network traffic from across your entire environment – from the data center to the cloud to the remote site – using a tap or port mirror. The ExtraHop stream processor performs line-rate decryption, decoding, and full-stream reassembly for every transaction. The end result is structured wire data that can be analyzed, explored, and fully leveraged for investigation and remediation. It’s our wire data that keeps our machine learning focused, precisely, and uniquely reliable.

In this session at Security Field Day 2, Deputy CISO Jeff Costlow explains the architectural foundation of ExtraHop’s network detection and response (NDR) platform, highlighting how it addresses the challenges of increasing network speed, sprawl, and the prevalence of encrypted traffic. ExtraHop’s design hinges on achieving real-time analytics by processing traffic in motion rather than relying on inefficient store-and-process models seen in traditional PCAP tools. By consuming raw packet data via taps or spans and avoiding reliance on NetFlow, the system extracts high-value metadata across over 4,800 metrics and 60+ L7 protocols, including HTTP and various database protocols. This metadata serves as a rich foundation for both security investigations and performance analytics, enabling operators to detect anomalies and rapidly respond across environments—whether on-premises or in cloud deployments.

A key strength of ExtraHop lies in its streamlined, unified workflow for investigation that integrates metrics, records, and packets under a single interface. It utilizes a custom event-based domain-specific language called Triggers for real-time scripting and flexible protocol support, empowering users to extract and act on specific application-level behaviors. ExtraHop can decrypt TLS traffic, including TLS 1.3 with perfect forward secrecy, through a patented method that forwards ephemeral session keys from servers in a secure, privacy-aware manner. The platform ensures customer privacy using deterministic encryption, selectively anonymizing data before it’s sent to the cloud while preserving utility for machine learning. This architecture not only adheres to privacy-by-design principles aligned with GDPR and HIPAA, but also provides effective machine learning outcomes by leveraging its expansive metric catalog in the cloud without compromising sensitive information.