Vectra AI Reviews

We are using it for our SOC services. We are also using it for our clients. We have our monitoring setup for our SOC staff.

There are many detection features available. There are extensive out-of-box detection capabilities. I cannot mention just one or two at the moment. There are multiple detection rules, and its integration with ADR and Office 365 AI is very nice, to be honest with you. It is scalable, and they have their own appliance that can handle multiple locations. You can deploy it for enterprises with multiple sites.

This tool operates on machine learning principles, utilizing its own AI-based models and rules to detect activity within your environment. Initially, Vectra AI observes and monitors your organization's behavior for a two-week period, identifying legitimate services operating within your environment. Once it completes this monitoring phase and detects all services, it begins to assign certainty and severity levels to the network traffic it observes.

Vectra AI offers a range of valuable features. Firstly, it utilizes its own AI-based tools. Secondly, it provides various dashboards that facilitate the identification of connections and can detect data exfiltration, meaning data sent from your environment to another. The tool operates based on metadata, offering comprehensive information about traffic between source and destination. Some key features include the ability to integrate with EDR or EPP solutions, allowing you to secure servers with stability issues or infections. Alternatively, you can use Active Directory to lock down infected hosts if you choose not to incorporate EPP or EDR. These features provide insights into your network, showing connection details, data transfers, VPN connections, and the number of connected EDS event hosts, among other things.             

Our Customers use Vectra AI to detect networks, endpoints, identities, SaaS-based, and private and public clouds.

The most valuable feature of the solution is that it only shows us the events that are actually critical. The solution is currently used as a central threat detection and response system. It ingests every bit of information from the SIEM, does AI triaging and detection, and sends incredibly high-fidelity alerts to the SIEM for investigation.

We use Vectra AI for endpoints where we are unable to install agents, like endpoint agents, EDR agents, or antivirus tools. For example, BYOD devices or routers in our network. We don't have any control over those, but we need monitoring capability. 

Vectra AI can monitor the traffic from the wireless router to the firewall or any outgoing traffic. It can give us an idea of whether there is any C&C or C2 communication or any botnet activity from those source IPs. Without having any agents in the endpoint, it is a network monitoring tool. We use this tool to detect threats within the environment where the assets are unmanaged. 

Also, since we tap into certain network points such as firewalls or IDSs, we get more visibility from managed assets as well. So before the endpoint notices the behavior, Vectra notices some of the exfiltration techniques and alerts us.

Overall, it is good and has reduced our time in identifying the system. It is for unmanaged devices. Previously, if we got an alert from the firewall, it was very difficult to find that particular asset. But with the help of this tool, we can simply run a packet capture and immediately get the hostname and know which user is using it. 

It has greatly reduced our time to remediate the situation. We can identify the user, block their account immediately, and sometimes kick that device off the network completely.

It has a confidence level of around 60% to detect insider threats of anomalies, but we mostly need to fine-tune the product. We are still in the fine-tuning process. Even though it has been one year since we implemented the product, the first six months were spent integrating various log servers and determining where to tap. 

For the past three months, we have been actively investigating the alerts. When we investigate some of the insider alerts, most of the time it is a false positive because the domain is allowed. Vectra does not know that those are allowed domains, such as OneDrive and SharePoint, to access our network devices. 

It considers it malicious because a huge amount of file uploads is seen, according to Vectra. But we know those are known URLs and known behavior. When we slowly started whitelisting, the threat confidence level increased. So right now, for insider threats, it gives around 60% confidence, but around 80% of the incidents were false positives because we are still in the fine-tuning process.

The key challenge we face is visibility, things that happen in isolated and pocketed environments where visibility is limited. Silos and isolated networks exist across the environment, and it's difficult to control it completely. Blind spots are the main challenges.

With this solution, the focus has changed from reactive to more proactive, because all the other SOAR and EDR solutions, firewalls, and IPSs are generally reactive. With those tools, when most things are triggered, it means you are already slightly late. With Vectra, we become more proactive than reactive. More often than not, we pick things up before the actual damage can start. It picks up things that none of our other tools pick up because it's designed to detect things before harm is done, at the initial stages. This is one of the main benefits and the biggest business justification and use case for us.

It reduces the time it takes to respond to attacks because we find out about a threat in the beginning so we can stop it before it can cause harm, rather than reacting when the damage is done and significantly more effort is needed.

And since it is not preventive, it does not trigger any adverse reactions. For example, sometimes we have seen, with certain kinds of malware or ransomware, that they tend to get more aggressive if they realize that something is stopping them, but that doesn't happen with detection tools like Vectra.

For capturing network metadata at scale and enriching it with security information, that's where the second product comes in, Cognito Recall. It takes enriched network metadata and keeps that information available for you to access, whether it triggers a detection or not. For example, if you want to check who is using SSL version 3, TLS version 1.0, SNMP version 1, SNMP version 2, or who is using clear text passwords, even though they don't trigger a detection in Cognito Detect, that metadata is available. Of course, the duration of that data is dependent on how much storage we can buy from Vectra. That's a financial constraint and we have opted for one month. We might look at expanding that further.

That metadata helps in closing vulnerabilities. For instance, if there is a TLS version or an encryption level that we want to deprecate, it is very useful for us, because we can also generate reports. We know which systems are using SNMP version 1 or SNMP version 2. Even though it has more features and you can create custom detections through Recall, we've not gone that far. For us, this has been our most common use case: protocols and communications that we would like to stop or close. This provides useful data.

The solution also provides visibility into behaviors across the full lifecycle of an attack, beyond just the internet gateway. It provides the whole MITRE Framework and the key chain—recon, command and control. It has detections under each of those categories, and it picks them up within the network. In fact, most of the detections are internal. Internet-based detections comprise 25 to 30 percent, and those are based on encrypted traffic. And most of the time when we validate, we see that it's genuine because it's a call from a support vendor where large files need to be uploaded. That gives us an opportunity to validate with that end-user as well: What was happening, what did you transfer?

We used to have SIEM and antivirus solutions and we would get a lot of alerts. Those alerts resulted in a lot of effort to refine them and yet we still needed a lot of effort to analyze the information. Vectra does all of that automatically for us, and what it produces, in the end, is something that can easily be done by one person. In fact, you don't even need one.

We use it as our internal network monitoring solution.

It's interesting to consider how it has helped our organization because it's a security product. But the way it has helped is that nothing has gone wrong. And it has certainly enhanced our internal security capabilities.

Vectra has helped accelerate our threat investigations, providing us with real-time visibility of potential threats to the network that we can act upon or triage accordingly. Prior to the implementation of Vectra, we didn't have that visibility. We had a number of disparate security tools, each with its own alerting functionality. Vectra has significantly helped with a consolidated view of potential threats. And the prioritization of threats allows us to focus specifically on those threats that we believe present the greatest risk and to react to those threats extremely quickly.

Vectra MDR is also very important for us, given the relatively small size of our internal team, and it gives us 24/7 capability that we didn't have before we used Vectra's MDR service.

As a sector, the education industry as a whole is under threat with quite a large volume of immediate threat offenders. We've seen numerous attacks coming through brute force or DDoS. The amount of ransomware and phishing attacks is on the rise compared to that of five years ago, for instance. I see regular threat campaigns from numerous actors around the world.

Our main use case is to have Vectra AI as an addition to our security team. We have a large campus with 1,100 boarding students and about 600 staff on top of that. However, my security team only comprises myself and one other person.

Being able to detect security threats in real-time and, more importantly, being able to get rid of the noise is very important to me. That is, getting rid of the false positives and just focusing on the actual high threats that we see coming through is a great benefit for us.

The biggest feature for us, because we are heavy Microsoft users, is its integration with Office 365. On top of Vectra AI, we use all of the Microsoft security platforms, such as Defender ATP and Sentinel. Having full integration and a central platform to look at all of the threats that are coming through from the different platforms is a huge benefit for us.

With one nice front dashboard, we can look at the high-volume threats rather than all of the noise. We do get a lot of noise as our students all own their own devices. With Vectra AI, we can look at threats in a controlled manner, which saves us an extraordinary amount of time. Even if I doubled the manpower, I doubt that I would still have the same visibility that I have with the correct security platform.

Vectra AI's Threat Detection and Response platform has done remarkably well. We're well-versed in using the security dashboard from Microsoft Defender, and we're at the stage where we are checking both. We haven't fully switched to relying on only the Vectra dashboard yet.

In terms of Vectra AI Attack Signal Intelligence for empowering security analysts within our organization, we have complete faith in the data that's coming through from Vectra. If we could also have what's happening at the front-end, that is, the firewall, then it would give us the complete security front dashboard.