Lumu, ExtraHop Lead Network Analysis, Visibility: Forrester
Arista, Trend Micro Earn High Marks as Decryption, Analyst Experience Take Priority
Startup Lumu edged out larger incumbents ExtraHop, Arista Networks and Trend Micro for the top spot in Forrester's first-ever network analysis and visibility rankings.
Zero trust mandates percolating from the United States government down into the civilian world prompted Forrester Senior Analyst Heath Mullins to conduct an evaluation of providers in the market. Vendors in the network analysis and visibility market have recently focused on improving the analyst experience and more effectively mapping security incidents to the MITRE ATT&CK framework, Mullins said.
"People started not paying attention to network security as much as they should have, and it resulted in a lot of the breaches that you've read about," Mullins told Information Security Media Group. "Companies weren't tracking lateral movement. They didn't know what was happening on the network. They were looking north and south, not east and west."
Forrester saw Lumu's strategy around network analysis and visibility as the strongest, and ExtraHop, Arista Networks and Corelight took second, third and fourth place, respectively. In terms of strength of current offering, Forrester awarded Arista Networks the gold. ExtraHop, Lumu and Trend Micro captured the silver, bronze and fourth place, respectively.
Leading network analysis and visibility vendors excel at decryption, which had fallen out of favor, but that changed with executive orders from the Biden administration requiring encryption for data and workloads in transit and at rest, Mullins said. He also factored in a white-glove sales experience and partnerships around zero trust network access since they help boost visibility through the cloud and down to the endpoint (see: Proofpoint, Cloudflare Dominate Email Defense Forrester Wave).
"The bad guys are coming in with new and novel approaches on how they're going to get past something," Mullins said. "When you decrypt the traffic, you have full visibility."
Long-standing companies in the network analysis and visibility market tend to focus on payloads or content in the network packet, while newer vendors rely on artificial intelligence, machine learning or heuristics to make determinations on what they can see, Mullins said. Going forward, he expects to see XDR vendors buy network analysis and visibility firms to more tightly apply orchestration and response.
Mullins has seen network analysis and visibility vendors pull in threat intelligence and other telemetry and pursue tight integrations with SOAR vendors in hopes of displacing SIEM tools in client environments. This effort has gained the most traction in the midenterprise and among some large enterprise customers as organizations increasingly grapple with analyst inexperience and fatigue.
"The SIEM providers should definitely take note that they're being undercut by these NAV vendors," Mullins said. "They're providing the same information with additional context without the need for a secondary or tertiary console and having to hop back and forth."
Outside of the leaders, here's how Forrester sees the network analysis and visibility market:
- Strong Performers: Cisco, Fortinet, VMware, Corelight, Vectra AI, Netscout
- Contenders: Darktrace, Trellix
- Challengers: Exeon Analytics
How the Network Analysis and Visibility Leaders Climbed Their Way to the Top
|Acquirer|Acquired Company|Price|Date|
|---|---|---|---|
|Arista Networks|Awake Security|$180.5 million|October 2020|
|Trend Micro|TippingPoint|$300 million|March 2016|
|Trend Micro|Third Brigade|Not Disclosed|April 2009|
Lumu Streamlines Experience for Security Analysts
Lumu rolled out a security operations offering that optimizes the view of alerts for security analysts and makes it easier for them to drill down and prioritize incidents in the way that makes the most sense for their company, said founder and CEO Ricardo Villadiego. Lumu clients typically receive only a few alerts each day, which can be filtered by threat type or prioritized based on what hasn't been responded to.
The product detects the threat and automatically orchestrates a defense via integrations with other tools in the company's tech stack, such as Palo Alto Networks, Trend Micro, CrowdStrike and SentinelOne, Villadiego said. Lumu also can generate executive reports on a weekly, biweekly or monthly basis that document how many incidents the team handled and flag the top incidents seen in the firm's network (see: 'Have We Been Compromised?').
"We came out of stealth at RSA Conference 2020 with the firm belief that cybersecurity has to be upgraded. And if you provide the right tools to security operators, they're going to be able to do so," Villadiego told ISMG. "One thing that makes us different is our firm belief that companies can operate this technology by themselves."
Forrester said Lumu lags rivals in encrypted traffic analysis since it relies on metadata and JA3/JA3S for encrypted traffic management. Villadiego said Lumu has focused on detecting traffic using network metadata since it's always unencrypted and relies on decryption analysis devices for assistance rather than decrypting the traffic itself.
"More and more applications are encrypting traffic end to end," Villadiego said. "So you don't want to go through the burden of unencrypting traffic and find that whatever was unencrypted is now encrypted again in a way that you're not able to decrypt. We see the market adopting more application end-to-end encryption."
ExtraHop Takes on Zero-Days, Intrusion Detection
ExtraHop has focused on zero-day analysis to detect new vulnerabilities on the network using behavioral and signature analysis and to determine if compromise occurred before or after the zero-day was revealed, said co-founder and Chief Customer Officer Raja Mukerji. The company has focused on detecting when users put source code or business documents into ChatGPT since the network can't be turned off.
Mukerji said the company has looked to modernize the intrusion detection market, which traditionally forced users to turn off encryption to operate. ExtraHop addressed this by melding passive decryption technology that looks at encrypted traffic without having customers install keys with packet acquisition technology that looks at network traffic while using signature maintainers, according to Mukerji (see: ExtraHop Taps Ex-Check Point Exec Chris Scanlan as President).
"We were the first company to say to push the network as a data source as opposed to a signatures of feed," Mukerji told ISMG. "When we entered the space, everybody else was doing packet capture by keeping packets and writing them to disk. Instead, we said, 'We don't really care about packets. We want to drive insights for our customers.'"
Forrester criticized ExtraHop for lagging in sandboxing capabilities and email telemetry data ingestion as well as requiring custom API integrations for some third-party security vendors. Mukerji said ExtraHop has focused on network visibility, detection and response and therefore opted to partner for sandboxing and email. While custom API integrations are complex, he said, they maximize the benefit for customers.
"We look at that and say, 'We can do the catch-up, "me too" play,' or we can integrate in a meaningful way with these technologies so that customers can get the value that they've already invested," Mukerji said. "Most of the time, customers are looking for vendors that provide a consolidated view because they're all happy with those vendors."
Arista Brings Automation to Threat Hunting
Arista Networks has automated threat hunting for cyber analysts, giving them the telemetry and threat data needed to spot if something rogue is happening on the network, said Vice President and General Manager of Cybersecurity Rahul Kashyap. The virtual analyst can go back weeks or months and correlate activity for a particular device, spotting suspicious behavior and giving a foundation for broader analysis.
The company can help cyber analysts build threat-hunting models even if they don't have previous data science experience, providing the flexibility needed to deal with the complexity of IoT and OT networks. Arista gives customers the capability and flexibility needed to tweak and customize detection logic and conduct threat hunting based on MITRE-guided detection logic, and it provides models out of the box (see: Forcepoint CEO on How SSE Eases Unified Policy Application).
"We believe we are still the best of breed solution," Kashyap told ISMG. "We do really well in large enterprise environments. That's our strength compared to some of our competitors. Customers can see the value themselves."
Forrester criticized Arista's user interface and analyst experience, saying it requires multiple tabs and logins for analysts and is confusing for analysts who don't have a deep packet networking background. Kashyap said Arista will make significant changes to simplify its user interface and make its operation more autonomous going forward, meaning analysts will need to make fewer clicks to manage the tool.
"We are definitely on the journey," Kashyap said. "I'm sure that in the next review from Forrester you will see the difference in terms of how it is becoming simpler for even non-security analysts to manage."
Trend Micro Focuses on Wrapping Arms Around Unmanaged Tech
Trend Micro has invested in a more intuitive user interface to make it easier for users and analysts to understand what's going on and gain visibility into unmanaged areas of the corporate environment, said Product Marketing Manager Scott Sumner. The firm sees the network as the backbone of the corporate environment, and therefore wants to help customers address unknowns in an increasingly hybrid world.
The shift to remote work and rise of hybrid and cloud computing has created more unmanaged tech surfaces that network analysis and visibility can play a role in securing, Sumner said. Artificial intelligence and machine learning can help clients understand the underlying changes taking place within their networks, especially when combined with Trend Micro's existing investments around threat intelligence, he said (see: Unpacking the Booming Business of Cybercrime).
"Trend Micro has been around for more than 35 years," Sumner told ISMG. "We really specialize in everything. We're a pure cybersecurity company."
Forrester criticized Trend Micro for not giving customers the ability to modify detection logic and adjust thresholds. Sumner declined to comment on Forrester's critique.