Video: Your Zero Trust Vision: Achieving Complete Network and Application Visibility with Netskope and ExtraHop | Duration: 3144s | Summary: Your Zero Trust Vision: Achieving Complete Network and Application Visibility with Netskope and ExtraHop | Chapters: Webinar Introduction (9.92s), Introducing the Speakers (134.845s), Netskope Company Introduction (181.815s), ExtraHop's Modern NDR (268.395s), Network Security Solutions (400.695s), Single Pass Architecture (595.735s), Cloud Tap Integration (879.815s), Structured Metadata Analysis (1428.15s), Advanced Attack Detection (1530.31s), ExtraHop Demo Walkthrough (1651.05s), Network Performance Analysis (1764.4199s), Post-Quantum Cryptography Analysis (1893.64s), Netskope Traffic Analysis (2051.185s), Addressing Q&A Session (2266.5999s), Traffic Decryption Options (2348.73s), Zero Trust Architecture (2402.8298s), Final Q&A Session (2706.5898s), Shadow AI Challenges (2941.575s), Netskope Architecture Overview (3008.7s), Concluding Remarks (3104.455s)
Transcript for "Your Zero Trust Vision: Achieving Complete Network and Application Visibility with Netskope and ExtraHop":
Hello, everybody. Thank you for joining us. As people start to trickle in, we'll give them just a moment before we kick things off, probably about two minutes after the top of the hour. Looking good. I can see a few more people still entering. We'll give it about another thirty seconds or so, and then we will kick it off. Okay, great. Thanks everyone so much for joining us for this webinar this morning. My name is Sheila Barnaby. I am the field marketing manager with ExtraHop who covers the West territory. We have some great content coming up for you. Before we jump in, I did want to cover a few callouts. I wanted to let everyone know that this webinar will be recorded and sent out afterwards for on-demand viewing, so if someone wasn't able to make it today and you want to share it with your team, you will absolutely be able to do that. As we go through the presentation, if you have any questions, please drop them into the Q&A box so that we can get to all of them towards the end of the presentation. A few of us will be monitoring the chat in case any of those questions go into the chat box instead, but please try to get them into the Q&A box. Now we can get to the good stuff. I want to introduce our speakers for today's zero trust vision discussion. First up, we have Gary Jenkins, who is the worldwide solutions architect at Netskope. Joining him is Gerard Odeway, who is the global partner solutions architect at ExtraHop. All right, I will let them come on stage and hand it over. Thanks so much.

Thank you very much. Hello, everybody. Hey, Gerard, it's great to see you again, man. You too, Gary. Thanks for doing this. Yeah. So real quick, I want to give a little bit of a foundation on who Netskope is in case somebody doesn't know. We're a market leader; I have a couple of slides on that. But the main thing I typically like to point out here is the center one, where it talks about large scale.
We're a cloud-native SaaS company. So what happens is you put a client agent on the computer, we steer the traffic to our Netskope cloud, and we do all the inspection there. That's the foundation of it: we're looking at your traffic, we decrypt it at scale because we're in the cloud, and then we do deep packet inspection on it in order to see exactly what's going on with all the traffic that's going through us. Here's that market leader slide I was talking about. I've been here for four years now, and in every single one of these reports that has come out since I got here (lucky for me, it's not like I did anything for this), we are always pretty far over towards the right and top of these different SASE and SSE magic quadrants that have come out. Over to you, Gerard.

So for ExtraHop, we're in the network detection and response space and network performance monitoring. I've been at the company for about six years now and have seen a ton of changes. One big thing ExtraHop is pushing right now is modern NDR. There are a lot of different technologies and competitors in the NDR space, and we really think we have the correct way of going about things. One thing customers ask is: what is NDR? Why do we need it? That's why we have this slide right here. We're filling in visibility gaps where a lot of the existing security tools in your enterprises just aren't meeting the needs. There's this critical gap in the network visibility area, and the network is super critical, as you can see, because you want to put things on your network even through a SaaS provider. So ExtraHop really shines in that east-west corridor where lateral movement occurs and the damage is done once a breach occurs.
Moving on quickly, we'll get more into some of those differentiators and some of the things that are really important with the integration capabilities we're speaking about with ExtraHop RevealX and Netskope today. ExtraHop is the only NDR to be recognized as a leader by all the same analysts Gary was speaking about, so we're also a leader in Gartner, IDC, and the Forrester Wave. Moving past that quickly: again, what's the need for NDR? Well, attacks are getting more and more sophisticated. Dwell times are even increasing, and damage is being done very, very quickly. I think this is down to minutes and seconds, not even hours, for some exfil cases. There are even highly sophisticated nation-state actor groups doing interesting things like mimicking entire environments and then creating scripts, and once they're in with a valid credential or something like that, they're off to the races. So that's another big important reason for NDR. What ExtraHop is doing is trying to coalesce a lot of the functionality that was typically on the network perimeter or edge, so we're also doing things like intrusion detection. I'm sure a lot of you are familiar with IDS; that's something we're coalescing into that modern NDR sensor. As Gary said, you put an agent on any of your endpoints. For ExtraHop, most simply, you could think of us as a stealth solution. It's a network appliance, virtual or physical, that you deploy, and then it takes in mirrored packets. That stealth part is pretty important. It means attackers don't know about it, and it also means it's not going to cause any outages. It's all out of band, not an inline solution. It reads all those packets in real time and then provides visibility into them for IT ops and security ops use cases.

When we talk about this, there are users everywhere.
So with the Netskope agent running on your computer, your users could be at home. They can be at a branch office. They can be in a large multi-complex office. And they're also going to these apps that are all over the place now. The days of everything being in your data center are obviously gone; they've been gone for some time. But as things move around, we help secure that by putting that agent on there and tunneling your traffic. When we do that, we bring it back into our core system. We call it Netskope One; that's the network that we run. With this, we're able to do that encryption and decryption at scale and then look at that traffic. On the performance side, we also give you the ability to track the performance of all the users and applications going through the network, and that gives you great visibility into exactly what's going on. Everything can be sent through us. I know I've talked about an agent a lot, but we also have the ability to do an IPsec or GRE tunnel to our network to get your traffic to us. And when we do this, one of the things I want to talk about is that as we are doing this, we're encrypting that traffic. So in a typical NDR scenario where you have sensors at these remote sites for your users, of course they still pick up anything that doesn't have the Netskope client on it. But that's why this solution, doing a cloud tap for that data to get it over to ExtraHop, is so important. When I talk about our network, people get concerned. They're like, hey, you're putting this client agent on the computer, and it's steering the traffic to your cloud. So we have an enormous network. I forget the exact number; it's, like, in the top 10 largest networks in the world. You'll see these are our different data POPs throughout the world.
So no matter where you are, you put that agent on your computer, it steers the traffic to the closest POP to you, and then we're able to do the inspection. A little bit about what we actually do. I've been talking about inspection and encryption and that type of stuff a lot, but what we do is broken down into these different elements. We're a single-pass architecture, so as you come in, we identify and look at each of these. First, we start with identity. Who are you? How are you logged in? We identify exactly who you are based off of that. We look at the device. Is it managed? Is it unmanaged? Is it a risky device? We can determine this by the agent or by partnerships. So if ExtraHop signaled back and said, hey, there's a virus on this person's machine, or we see some type of critical thing going on with this user, they become risky. We can change the device posture based off of that feed from them. We look at location: are you where you should be? Are you in two places at once? That type of thing. And then policy. When I'm talking about these, I should make sure I put this correctly: we not only look at these, we apply policy based off of them. So any of these different categories I'm going through can change the policy on the device. You just go into our interface and say, hey, if they're not in this particular country, I'm not going to allow them to get on my network, or I'm going to restrict what they can do on my network. We look at the category, so that's our SWG product, where we're asking, should you be able to go to a gambling site or not? We look at the applications and the risk level of those. We have something called our CCI, cloud confidence index, where we're looking at all the different applications.
And maybe if it's a new website you're going to, you're going to change the behavior. Maybe you have remote browser isolation going on for that particular one. And in this instance one, I find this the most important thing. So we know if you're going to your personal, say, AI, since that was the category there, your personal generative AI or your corporate version. If you go to the corporate version, maybe you can upload code to that and ask questions and everything's okay. But as soon as you log in to your personal one and try to upload code, we get that little pop-up like the one over there on the right. That one's showing a DLP violation, but it's the same type of thing where it pops up and says, hey, I see you're trying to upload code to your personal one. Please click here to get to your corporate version, or we just block it outright. So there are lots of things you can do there. Those pop-ups are one of my favorite things, so I mess with those a lot. That's also the instance; that's the instance awareness that we do. And then down on activity: since we are decrypting that traffic and inspecting it, we see the JSON protocol going back and forth with the SaaS app. With that, we're able to see exactly the capabilities of that SaaS app and what you're doing. So, for example, here at Netskope we use Gmail for our corporate email, and we can do whatever we want on our corporate email. But if we log in to our personal Gmail account, we can view our email, but we can't send an email from it. That's controlled by that activities feature. You can go in and say, hey, for these particular applications, if they're not sanctioned, maybe I'm not going to let you upload to them or send from them. Behavior is the behavior analytics we do, where we're saying, hey, we see you start doing something weird.
Maybe you all of a sudden started downloading a lot of your internal content, and maybe you're uploading it to a personal OneDrive, for instance, assuming you allow that as one of your policies. This triggers a report, actually. That particular one triggers a report saying, hey, this person's about to quit, because they're doing this. But besides that, if you do something outside of what you normally do, your user risk score would start moving around. That's another integration I've worked on with a lot of our partners, where we have the ability to change that based off of partner telemetry that comes in. And then, of course, we're looking for threats, malware, viruses, and things like that. The last one is risk. We have categories based off of sensitivity of data. Is this a DLP violation? Is it sensitive? Is it based off of a policy that you need to restrict? So back to Netskope. We're one client and one platform. We also have a VPN replacement that I didn't mention, which is our ZTNA product, where we're also able to send your traffic to your data centers securely. So this integration: I've talked about encrypting the traffic. What we do in this scenario is we send the traffic. We encrypt it in the client and send it to the cloud. Once it's in the cloud, we take this and put it into a cloud storage bucket. You'll see that we support AWS, Azure, and GCP. And because those packets are all encrypted, in a different bucket or a different folder we also add the session keys. Then we run a small application called a Stitcher, which brings this back together, and it can then stream it over to your ExtraHop sensor, and they can take it from there. So that's the basic architecture of what this looks like.
And this is that, represented a little differently. Yeah, I can go ahead and talk about this one some, Gary, and then I'll come back to this architecture slide, but I'm just going to share this real quick and move back. Why are we talking about this Cloud TAP integration and Netskope and ExtraHop? It's, again, advanced attacks, existing tools are failing, and we came up with a really cool solution. This was based on a customer request. This wasn't our product managers discussing it or anything like that. One of the world's largest financial institutions came to us a few years ago and said, hey, we love everything we're getting through Netskope, but we aren't loving that we're losing some of the visibility we had when all this stuff was in our data center. That on-prem element still exists for many enterprises, customers of all sizes, but you still want that SaaS benefit from any of your applications. Specifically here, we're talking about SD-WAN type implementations. So how do you do that? That's what brings us back to Cloud TAP and why we're speaking about it today. We're taking all of the data that routes through Netskope, and you're getting a perfect copy of that, immutable evidence, which is packets. That's the only immutable evidence we have in the security world. Packets are truth. That's the basis ExtraHop, as an NDR company and security company, operates on, and our customers trust us for that. I'm sure if any of you have ever had to work with a vendor, it's basically packets or bust when you're looking at an RCA or resolution. You need to show that proof, and packets are that proof. So that's what we're doing here. It was a really fun journey working on this, and I guess it's been generally available for about a year and a half now or something like that. Right, Gary? So we basically called it a moonshot.
There's a great blog out there that goes into it a little bit more, but this is what one of the executive leaders said to us after we were able to put this solution together and roll it out globally. It's, again, getting visibility into an area where they traditionally didn't have it. An analogy we like to use is that it's like a flashlight in a dark hallway. Netskope's providing this fabulous data feed of all these packets for all your user traffic traversing their cloud, and then we get to put all of our analytics engine, ML models, AI models, and just general visibility on it as well. ExtraHop's always on, always recording, sort of like Big Brother. We don't just start recording things when we think something bad happens. So that goes into even IT ops use cases, looking at performance and connections. Looking at this architecture a little bit more, because I think Gary and I have both spent an hour at a time just dissecting this architecture and answering questions. If you have some things in the Q&A, we should be able to answer some of those a little later. We're saving about fifteen minutes at the end of the session to go through a ton of the questions. Hopefully we'll be answering some as we go. Starting in the bottom left-hand side: again, that Netskope agent is installed on any of your endpoints, or you even have an IPsec or GRE type tunnel set up for those remote branch offices. The idea is that anything hitting that inline secure web gateway is, like, a literal virtual tap from the cloud into your object store. So that's what this customer environment area is. Within your environment, you still control your data and still own your packets. In this case, we could say it's in AWS and there's an S3 bucket provisioned for those raw packets.
You have the option to also split off the session keys. Then that Stitcher tool Gary was speaking about provides the data feed to an ExtraHop cloud sensor that's deployed close to the packets, those S3 buckets. And then in real time, what ExtraHop does is pair all those session keys up with the actual TLS sessions, those packets we're getting, and then we open them up. So at the very least, you're going to have that chain-of-custody control where the packets are always encrypted, and they're only opened up by ExtraHop to look at them and save select metadata records and, again, run that analytics engine on it for all the machine learning and AI goodness to give you better results. Anything you want to add on the architecture before I jump into some ExtraHop-specific stuff, Gary? Yeah, there are a couple of things I forgot. One is that we use the GENEVE protocol to send that over, and we capture the username as it gets sent over to ExtraHop, so you can identify the packets based off of the username. And this also enables, since it could be coming from the Netskope client, no matter where you are, whether in the airport, at a hotel, or in your office, you're still getting the user traffic to ExtraHop. So there's a little bit of an advantage to doing it this way. Yeah, that's a great callout. And then the last thing I'll call out before I move on, because I saw a few things in the Q&A about this, is that we do have a Cloud Threat Exchange integration. So Netskope and ExtraHop can be bilaterally sharing IOCs and the security findings they have. And then, to some of Gary's earlier points, maybe that's something like ExtraHop saw something with a certain user, and that user is deemed to be riskier, and we either put them in time-out or only let them communicate with a few things or nothing whatsoever.
And the same idea goes the other way. ExtraHop can have an understanding of what's occurring on the Netskope side and then treat some of the detections and security findings we're sending off to the SIEMs, your case management tools, etcetera, whatever fits the bill for your environment, in a smarter way. We're always looking for that one plus one equals three, and that's something we're providing here. Going back into a few little things on ExtraHop and our platform, because we glossed over that earlier. This is a nice example of some of the stuff I've already been going over with you. We're taking unstructured packets. We have these all-in-one sensors, so it's just one appliance, one virtual appliance, that can do everything from this analytics engine all the way to continuous packet capture. Some of our customers really like to have three full days of PCAP. We call it the weekend syndrome: you come in on Monday and at least you can look back to Friday and have packets for everything that was going on. And what we do with that is different from the industry. I'm sure some of you have heard of things like DPI, deep packet inspection. We actually do something called real-time stream processing. If you're familiar with a load balancer, we're actually recreating all these conversations, acting like a TCP state assembly machine. Why is that important? It goes back to those advanced attacks, dwell times, and attacks being executed really quickly. We're actually analyzing all this stuff in real time at line rate. Since 2017, we've been doing that up to 100 Gbps per sensor. We have customers that have thousands of sensors deployed, or maybe only a few for their critical crown jewels in their data centers and a few remote sites. So you can go big or small, but the value of the network is there.
Everything speaks across the network. If you aren't monitoring it, you don't have as much information, and security is a critical information game. Speaking about some of the parts on the bottom here, we make structured metadata, which is really fantastic. If you're familiar with a flow record, which is a layer 4 connection type of thing, where we have an IP speaking to another IP over these ports, we do something where we create records at the actual application layer of the OSI model, if you're familiar with that. So it's an HTTP record, a Kerberos record, even database; you can see SQL statements going across the wire. The use cases for ExtraHop are sort of limitless: it's anything that's traversing the network, and you can even custom hook into that and program things. We offer up to a year of look-back for that structured metadata, that record store. You can think of it like a SIEM for all your network events. Moving on here. Again, why is this important? You have the security from Netskope; Netskope's looking at these things. If it's not for the performance things, if it's not for just having that forensic look-back, that immutable evidence, it goes back a lot to these advanced attacks that are occurring. ExtraHop is firmly in the NDR swim lane. Our entire company is devoted to getting really good information out of packets and seeing deeply into packets. It's not enough to just look at that encrypted TLS layer; you've got to look at that application-layer protocol. So we do encrypted traffic analysis, and that's fine, but we prefer to open it up and do the encrypted traffic analysis. That's another benefit of us doing it out of band. But some of these advanced attacks are all things you can use ExtraHop for.
C2 beaconing, command and control, is a really big area that a lot of customers, a lot of SOCs I speak to, are concerned about. Some companies might only have a single detection; it just groups it: oh, this looks like C2 behavior. We'll actually break it down by the threat actor and the different methods as they evolve. Pretty exciting stuff there. And just to touch on this decryption piece one last time. This is another thing unique to ExtraHop, but it's really important if you're looking to do this in your environment. It's unique to us because we invented and patented it, and it's called session key forwarding. So again, there's no man-in-the-middle approach, and we're using this technology with Cloud TAP. Netskope understands ExtraHop's session key forwarding protocol, and it's sending those session keys to us in real time. This allows us to decrypt even TLS 1.3, which, if you're familiar with it, has an ephemeral secret. There's no master cert; you're not going to be able to just use that to open it up. So you have to look at some of the man-in-the-middle approaches, where you decrypt once and forward on. But we just went over why that's not as great, because you still want to look at that encrypted layer. There's really cool stuff in that SNI area. You could never even detect something like a domain fronting type attack unless you saw the SNI and then the actual HTTP URI someone visited. You need to see the disparity between those two values. So, basically, again, we just take those session keys, pair them up with the packets in real time, and it's really good, especially going back to that chain of custody. You don't want your sensitive traffic flying around your own networks unencrypted.
That's another area: a silent listener inside of your environment could be getting data, exfilling data. I think that covers a lot of the slides we were going to go through. We have a short demonstration. Gary, is there anything you wanted to cover on the slides before I head into a demo? No, I'm good. I'm sitting here answering some of the questions. Awesome, thank you for that, sir. Give me one second, everyone. We're going to switch gears here to a screen share. It looks like it's up. So you're looking right now at an ExtraHop RevealX console. This is an area where you can view all of the sensors that are monitoring everything in your environment. Everything's done in real time, so this global time selector influences everything we're looking at. I'm looking at this area from 08:20 to 09:24, and this is all data that was provided from Netskope. These were raw packets from Netskope-brokered connections, and they've been analyzed by ExtraHop. So I've gone back in time to look at this device. Going back to what Gary was saying, on the network, users use assets and then the assets use networks. Until Neuralink gets a little bit more advanced, none of us has a NIC port or WiFi right in our bodies. So users use the network, but through assets. Traditionally in ExtraHop, we've been discovering assets by their IP address and their MAC address, and then we start categorizing the type of device it is, which allows you to look at your whole network at a protocol-centric level as well. Like, what's everything serving SSH? You can quickly do that. But with this, through that GENEVE encapsulation of those raw packets from Netskope, we have this metadata for the users. So we're actually able to identify these connections by the user, and that's super important for what you see below here on this IP address history.
We dubbed it the coffee shop scenario when we were building this with our customers and between our engineering teams. The IP address isn't going to be reliable for SaaS-type connections. It's going to be rotating. They might be at home one day and in a Starbucks the next, and that's what we're showing you here. So it's really good to have a good by-user view, in this case with the SASE monitoring. Going through the rest of this pretty quickly, we can get into a few detections and show the security side of this. But we're just looking at an overview page, so you have bytes in and out; we're showing the gigabytes over this amount of time. Top protocols, top cloud services, and you can start breaking it down by the top peers this asset has. The network area would be a little bit more artificial for this, so we'll just jump into TCP. Looking at TCP, this is some of the performance area I was speaking about earlier. All of this is dashboardable, and you can drill into those records, that structured metadata I was speaking about. You can see retransmission timeouts and flow stalls. If you're not familiar with any of these terms, even in ExtraHop, you can hover over one of them and get a description. Basically, the idea is that all these network protocols have a lot of built-in handling for performance issues themselves. They're supposed to be able to negotiate things and make things work. So there are a lot of things indicative of performance problems built in to the error handling and protocol handling for all the network protocols. And TCP, transmission control protocol, is a huge one. So you can even, from the network, diagnose that an asset probably doesn't have enough bandwidth on its actual NIC if it's doing something like giving out and advertising zero windows. That's the device saying, hey,
I have no more capacity to send anything out. So things like that. A really interesting thing we're doing as well is post-quantum cryptography sessions. That's sort of cool to point out here with Netskope, because Netskope is using a lot of post-quantum cryptography already. This isn't something that's easy to identify in your environment, but that's one of the nice things with ExtraHop: it makes very difficult things pretty simple, and sort of impossible things pretty possible. Post-quantum sessions is one of those. You can look at all those and how they go with other sessions in your environment. Obviously, through Netskope, all this stuff is going to be super protected using great cryptography, etcetera. But again, you think about that combined, coalesced view of your entire hybrid enterprise, and little workflows like that really pop out. For Netskope Cloud TAP, this HTTP area and TLS area are really going to be the main components. That's the layer 7 traffic that's being brokered through them, but that's still super powerful because so many applications are basically subsisting on HTTP and TLS. If you're looking at API stuff, anything, that's all HTTP. Even a lot of the new AI services and MCP, etcetera, that's all just JSON over HTTPS. So there's a lot of opportunity to be looking at HTTP for any number of things. A lot of our customers typically even use it for bot monitoring and things like that. But past the use cases, we're showing the actual URIs people are going to, status codes, and where they connected from. This is all your 30,000-foot view to see, hey, is there a weird spike? Is there something that doesn't look right here, for that dashboard view? Then you can drill into all this and see more about what's going on. So here, we're going down to the URIs. We're seeing the number of responses. Just sort it.
And then we can even go further into that, and then I'll show you guys a quick view of the record, that structured metadata area, before we go back and look at some of those security findings. So this is a real environment. This is a real query, and we just pulled 132 records for the specific HTTP flow. I'm gonna select all fields that have data, and then give us this little hamburger mash-up view and zoom in a little bit so you can see more. But this is some of the information you're able to get for every single flow ExtraHop's analyzing coming from Netskope. So again, you get a lot of that flow information you're used to, but then it's more rich because it has stuff from the application layer of the protocol, in this instance, HTTP. Anything you wanted to add into any of this stuff, Gary, before I jump over into the sections?

No. Just that, you know, as it gets to here, Netskope had already decrypted it a lot of the times. Right? Or your engine did. So all this is viewed even when it was encrypted traffic. We're able to peer into that.

Yep. Exactly. Yeah. That's a huge part of this. Like, at a very minimum, you're gonna have ExtraHop be able to remove that outer layer that Netskope puts on the traffic. And then depending on cert pinning, other things, we're even able to open up that TLS layer and then provide more HTTP details. So but this is all one single Netskope client, and all data provided from Netskope going into a Google Cloud bucket actually in our little lab's case. Pivoting over here into the sections. So we have a simple one sort of to make real attack data on here. So new DNS over HTTPS activity. So this is something someone wouldn't wanna do if they don't want you to see what site they're going to. Right? They don't wanna make a DNS request. They wanna try to keep it all encrypted. But, like, with ExtraHop, you can actually see within that.
And then what's sort of interesting about this too, and why I wanna show this detection even though the attack might not be the most critical, is just some of the behavioral analytics. Right? So a lot of network tools are very signature based, and ExtraHop does a ton of machine learning models that are custom for every single customer. So what we're looking at here is, over a six-hour snapshot, there is always zero bytes of DNS over HTTPS activity going on for this asset. So we had this huge deviation when the expected range was just zero bytes to one byte. So even just that initial connection, right, sort of like a threat actor setting up shop, living off the land within your environment, just showing the real-time nature of that and some of those machine learning models. And then we can look again. We have those structured records put in, like, why did you say this? Why did this happen? What was actually the case? And then you can drill from these records, sort of the final step, right into the actual PCAP. So now we're looking at the data that Netskope's providing to us in real time in that cloud bucket where you've deployed the solution. And you can see we have two different options here.

I'm not sure we're seeing that. Oh. Oh, no. The screen I see just has the, yeah, it just has a highlight. There you go.

Sorry about that. So this is everything I was just talking about on that detection for a few minutes. My apologies, everyone. I clicked new tab accidentally. So this is the deviation and the sparkline I was speaking about. Right? So there is zero bytes of activity, and now we have this huge deviation. And then I was just showing you here on this records area, where we're looking at that structured metadata, that you can actually drill down in and then look at the actual packets associated with those flows. So that's what we're looking at right here. So this is the actual data Netskope's sending us, and we have a few different options here.
You can download the pcap. You can download the session keys. You can download the pcap with the session keys. So, like, a pcapng file. That would allow your analyst to just open up these packets in Wireshark and actually be able to decrypt them. Right? Have them decrypted within Wireshark. We're also doing file extraction. So that's the main stuff I wanted to point out here in this demo. And I know we have a good bit of time left. So I know there's been a lot of questions. Maybe we can start getting into some of those and answering them back and forth, Gary.

Sounds great. There were a lot of questions, through a few on the single-pass architecture. I'm gonna be generic here. You know, we could have a whole webinar just on that particular thing. And so, basically, what happens is Netskope was founded as a CASB. Right? So as we brought that traffic in, we would decrypt it, do, you know, deep packet inspection on it, figure out what's going on with it, and then apply policy based off of that. So it's really the architecture is the simple answer. And I apologize that, you know, I'm not giving a super detailed answer on exactly what I mean by the single-pass architecture, but that's really what it is. We're decrypting the traffic, looking at the packet, figuring out what it is, and applying policy to that. So whether it's our firewall, our SWG, or CASB, doesn't matter. That's all happening at that one moment, without sending it from there to a different engine, maybe even a different location like some of our competitors do, and making that determination. It does it right there, in that particular part. Do you see... I'm gonna expand on one you answered. Just, there's a...

Yeah.

Question on: is decryption of traffic done by the Netskope tap tool at the customer environment, or is it done by ExtraHop?
So Netskope actually has the capability to send decrypted traffic, and they did that for other network tools that aren't able to decrypt. Because like I told you guys, that's a big superpower differentiator for ExtraHop: we can do that out-of-band decryption. So if you have ExtraHop, you have the option to keep all that traffic encrypted and let ExtraHop do it out of band, which is good because, again, as you saw, we have all that encrypted TLS area. So just a customer choice, and then, again, if you have chosen to be an ExtraHop customer as well. Excellent. We had a question on how this architecture supports zero trust principles. I'll take a quick shot at it, and then if you wanna add anything, Gary. But, excuse me, that's a great question. For me, the biggest one is that defense-in-depth element for zero trust. Right? You can't think of zero trust as just a single tool or anything like that. Like, zero trust network access is its own thing. But, you know, depending on what model you're doing, like, is it the CISA? Is it the DOD type principles for zero trust? For me, that single pillar of ensuring all your security tools are doing what they're saying they're doing, that's a huge part of this, as far as CloudTap, ExtraHop, Netskope. Right? We're verifying that everything Netskope is doing is what they're saying they're doing, and it's not based on logs. It's the actual packets. Right? So you get to look at all that traffic yourself, have it inspected by another tool in depth, and then you also have that forensic look-back and the performance look-back. So, you know, like, without this, what would that workflow have looked like before? I mean, at a lot of companies, it's basically you open a support ticket and then you ask some engineer to start doing a tcpdump to get some packets, and then you have a packet shipped to you. So this can take literally, like, 90% of the time out of short investigation issues.
But again, so zero trust for me for this. The biggest thing is just that foundational element of ensuring everyone, everything's doing what they're saying they're doing. What do you think, Gary?

I was reading the next question. So...

Nothing to add on that one then? That's fine. Maybe I did that good.

One of the things we integrate also is with our threat exchange. So, Netskope has a product called Cloud Exchange, which is an API broker, basically. And so if ExtraHop finds, like, an IOC, you know, within the data, it can then signal back to us, and then we can add it to our list to block that IOC for many other users. So there was a question on that, so I just wanna bring that up.

I see a lot of other ones you answered. Just the general ones, just to touch on that quickly because we have plenty of time. But there: what are the benefits of integrating CloudTap and NDR and NPM tools? I think, hopefully, I showed a good bit of that in the demo. I know that was a lot earlier on. So I think we touched on that quite a bit. But the biggest thing is your NDR tool wouldn't get this data whatsoever had Netskope not developed this. Like, this is a literal infrastructure change they've done across their globe to provide this level of visibility. So just think about being able to see it or not being able to see it. And that's as simply as I can put it. Right? If you can't see things, it can be difficult to impossible to actually resolve them. But if you have the visibility, it's super easy. Right? They say perspective and everything.

We got a lot of hate email when, you know, customers would go in and deploy, and then all of a sudden, you know, the person that owns their ExtraHop tool would be like, hey, I can't see anything now. What'd you guys do? And, like, oh, yo, we started encrypting all of the data.
And so I think a lot of our customers are a lot happier nowadays with the solution, because it did make them blind. And I wanted to point out again, you know, I talked about it earlier, but this also gives you visibility to your remote users now. You know, unless you had a sensor at all the remote sites, obviously, you wouldn't quite have them everywhere, but no matter where they are. Gerard and I were on a show floor last week in Vegas, and as my laptop was there, right, I was getting that same style of visibility into my system because we have it deployed. And so we could see exactly what's going on no matter where you're at.

Oh, I hope I don't freak people out by saying, no matter where you're at, we're watching you. That is the new reality. So, you know, that's the message we all have when we signed into our corporate-owned devices. Right? Everyone needs to be watched and everyone's a threat even if it's not you that does it. Just your identity and access is a threat because of compromised credentials. Right? So someone can get your credentials and start using your keys to the kingdom, and hopefully, you're authenticated as you are. But if you're not, there again comes in the need for that network-level visibility. Right? You can ensure security controls are working as they should. But, yeah, great points.

Yeah. And like you were saying before, you know, the speed of the threat actors now is just so fast.

Yeah. Hopefully, we don't get down to microseconds anytime too soon, but that seems quickly encroaching. Let's see. We have about fifteen minutes left now. I just got a big red warning, but I saw one more here at the bottom. Will Netskope and ExtraHop solutions streamline infrastructure, cut costs, enhance operations across all user devices and platforms, maintaining top-tier performance and security? Ned Kelly, that seems like a gimme. I feel like you're trying to set me up. Was that a seed question, sir?
But that's a great question. I hope we, me and Gary, touched on some of that today, but that's definitely what we're trying to do. I mean, I'll give you the quick pitch from the ExtraHop side, but we're trying to just help with everything. Because, again, everything traverses the network. Right? Everything we're speaking about today is network-type solutions. Just some of it you're brokering through Netskope's cloud so they can make intelligent decisions for you in a central location. Some of it's that VPN replacement thing, but it's the same idea. Right? An intelligent decision, make sure this user is who it is. But for ExtraHop, it's again just anything going over the network. You wanna know something about an AI service? You wanna know something about a new protocol like that model context protocol I was speaking about, or agentic AIs within your infrastructure communicating to each other? Right? Like, how do you keep doing things? Well, the network is always the common thread. So every new thing that comes up that seems to be a priority for your organization, you're gonna be able to find value from a network tool that has true visibility into that. And it's gonna give you a super broad view like I was showing you. That 30,000-foot view is gonna allow you to go into structured records, which is important because you can even export that to Excel if you have that type of workflow. Now you have an asset list. Right? You can do it for anything from asset discovery. Like, that's critical. And, Gary, I think we've spoken about it before, but it's like so many CISOs, that's their first order of business, is to have a comprehensive and total list of all assets in their environment. And it's so hard to accomplish. So that's even a big way ExtraHop helps. So it's everything from that little initiative down to all the advanced attacks we're speaking about and stuff we don't even know about yet. Yeah.
I mean, that kinda plays into assets and then applications. And so Netskope can give you the... there were a couple of questions about shadow IT. Right? So we can give you the visibility into what is a sanctioned application and what's a non-sanctioned application. Onto the next question, there is one about Cloud Exchange and threat exchange. It's very simple how it does it. The ExtraHop would identify a... I'm losing the word. Brett, nefarious actions? Yeah. You would hand us the ID. Right? So they're just handing us the ID. We're not taking a lot of information from them. It's simply the IOC. That's what I was looking for. Simply the IOC. They send us the IOC. We add it to our list of IOCs, and you would have a policy that says, hey, any IOCs that came from ExtraHop, block, and so it's as simple as that. There's not a lot of magic that's going on there. I wanna also point out one thing before I forget. There's a docs tab there in the chat window. So it's next to Q&A and chat, and there's a bunch of documents there, you know, for you guys to download and review offline. Any final questions, everybody? Go ahead and get them in the chat, please. Love to keep discussing anything that is even slightly adjacent.

I guess I'll speak a little bit on that shadow AI component. That was actually something I got to do a session with Netskope on, Ramon on your side. And we did a whole session in Colorado a few months ago, and it was really interesting, some of the problems people were facing. But, again, this solution really allows you to do something with those initiatives. And one of the most fascinating things I heard from that was a customer saying that they had been going through reviews to onboard different AI services and LLMs, and they got through the security reviews, legal reviews.
And then, like, a month into using the stuff, they found out that all the back ends that they had just approved through legal were switched by the little start-up they went with. So that's just another real-world example of something that someone just came up and was speaking about that they were trying to solve using our CloudTap solution. Right? Like, they have vendors changing their LLM models on the back end, and you wouldn't know that as a user. Right? You're just getting the result from a prompt. But if you're looking at that network traffic, you can see where things are routing to.

There's a question that came in. Are all the things, all components, in the customer environment? Kind of. So on the Netskope side, traffic goes to our cloud, then we stream it to a customer environment, meaning, you know, their buckets, that's owned by them, their cloud buckets. So, GCP, AWS, or Azure. So that would be the customer environment that owns that. So it starts in the Netskope cloud but then moves to the customer environment.

Yep. And then just showing this architecture again in case they wanted to refresh. But all this is in the docs too. I would really recommend that blog for the turning a moonshot into reality. It really lays out a lot of what we were speaking to you about today. But, yeah. The idea is, you know, a lot of the SaaS stuff stays in the SaaS, and then the components needed to be deployed in your cloud are there. So it's gonna be an ExtraHop sensor, that Docker container, that stitcher component, and those buckets. And, yes, they're all scalable and highly resilient. Like, for the ExtraHop component, that's a secured appliance that we've been speaking about. So, you know, with AWS, you deploy it through an AMI or something from marketplace. So, a ton of different options. But, yeah, security is the utmost concern with this, and that's a lot of the reasons why this data is existing still within your environment. Right?
We want you to still have your packets, because no one else is saving copies of these. No one else should have copies of your data.

Excellent. Thank you. Alright. I don't see any other new questions coming in. You wanna wrap it up?

Yeah. I think so.

Excellent. Yeah. Reach out to us if you need anything. You know, hopefully, you downloaded those docs, and thank you for joining. Thanks, everyone. Appreciate your time very much.
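The behavioral detection shown in the demo (a six-hour baseline of zero DNS-over-HTTPS bytes for one asset, an expected range of 0 to 1 bytes, and a deviation when the first DoH connection appears) can be illustrated with a small stand-alone script. This is an added example and not ExtraHop's detection model or any Netskope code; the "expected range" rule below (baseline minimum to baseline maximum plus one) is a deliberately simple stand-in for the per-customer machine learning the speaker mentions, the flow records are constructed, and the asset names, timestamps and byte counts are made up. DoH is recognised by the `application/dns-message` media type that RFC 8484 defines for it, which is visible only once the HTTP layer has been exposed by decryption, as the demo describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOUR = 3600
DOH_CONTENT_TYPE = "application/dns-message"  # media type for DoH messages (RFC 8484)


@dataclass(frozen=True)
class FlowRecord:
    """One decrypted HTTP exchange, in the shape of the structured metadata
    the demo drills into. All field values in this file are constructed."""
    ts: int            # seconds since epoch
    asset: str         # client identity (a by-user key, as in the demo)
    content_type: str  # HTTP Content-Type of the response
    bytes_out: int     # bytes the client sent in this exchange


def is_doh(rec: FlowRecord) -> bool:
    """Classify an exchange as DNS over HTTPS by its media type, ignoring parameters."""
    return rec.content_type.split(";")[0].strip().lower() == DOH_CONTENT_TYPE


def doh_bytes_per_bucket(records: List[FlowRecord], asset: str,
                         start: int, end: int, bucket: int = HOUR) -> List[int]:
    """Sum DoH bytes per bucket over [start, end). Buckets with no DoH stay 0,
    which is what lets a silent asset produce a baseline of zeros."""
    series = [0] * ((end - start) // bucket)
    for r in records:
        if r.asset == asset and is_doh(r) and start <= r.ts < end:
            series[(r.ts - start) // bucket] += r.bytes_out
    return series


def expected_range(baseline: List[int]) -> Tuple[int, int]:
    """Expected range derived from the baseline: [min, max + 1].
    A baseline of all zeros yields (0, 1), matching the demo's '0 to 1 bytes'."""
    if not baseline:
        return (0, 1)
    return (min(baseline), max(baseline) + 1)


def detect_new_doh(records: List[FlowRecord], baseline_start: int, current_start: int,
                   bucket: int = HOUR, baseline_buckets: int = 6) -> Dict[str, dict]:
    """Flag assets whose DoH bytes in the current bucket exceed the expected range
    learned from the preceding baseline window. Only upward deviations are flagged."""
    findings: Dict[str, dict] = {}
    for asset in sorted({r.asset for r in records}):
        baseline_end = baseline_start + baseline_buckets * bucket
        baseline = doh_bytes_per_bucket(records, asset, baseline_start, baseline_end, bucket)
        low, high = expected_range(baseline)
        observed = doh_bytes_per_bucket(records, asset, current_start, current_start + bucket, bucket)[0]
        if observed > high:
            findings[asset] = {"expected": (low, high), "observed": observed, "baseline": baseline}
    return findings


T0 = 1_700_000_000  # constructed start of the six-hour baseline window
CURRENT = T0 + 6 * HOUR


def build_sample_records() -> List[FlowRecord]:
    """Constructed sample data: host-a never used DoH during the baseline and
    starts in the current hour; host-b uses DoH every hour and stays in range."""
    recs: List[FlowRecord] = []
    for h in range(6):
        ts = T0 + h * HOUR + 300
        recs.append(FlowRecord(ts, "host-a", "text/html; charset=utf-8", 10_000))
        recs.append(FlowRecord(ts, "host-b", "application/dns-message", 2_000))
    recs.append(FlowRecord(CURRENT + 120, "host-a", "text/html; charset=utf-8", 9_500))
    recs.append(FlowRecord(CURRENT + 600, "host-a", "application/dns-message", 4_500))
    recs.append(FlowRecord(CURRENT + 900, "host-b", "application/dns-message", 1_900))
    return recs


if __name__ == "__main__":
    for asset, finding in detect_new_doh(build_sample_records(), T0, CURRENT).items():
        print(f"{asset}: new DoH activity, observed {finding['observed']} bytes, "
              f"expected range {finding['expected']}, baseline {finding['baseline']}")
```

Running it flags only `host-a`, whose expected range is (0, 1) bytes against 4,500 observed, while `host-b`, which sent DoH traffic throughout the baseline, stays within its learned range. In a real deployment the same per-asset, per-bucket record shape is what you would export from the structured metadata and feed into a proper baseline model; the value of the records, as the speaker notes, is that each finding can be traced back to the flows and packets that produced it.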