Vectra AI OverviewUNIXBusinessApplication

Vectra AI is the #3 ranked solution in Network Traffic Analysis tools, #3 ranked solution in top Network Detection and Response (NDR) tools, and #5 ranked solution in top Intrusion Detection and Prevention Software. PeerSpot users give Vectra AI an average rating of 9.2 out of 10. Vectra AI is most commonly compared to Darktrace: Vectra AI vs Darktrace. Vectra AI is popular among the large enterprise segment, accounting for 63% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 20% of all views.
Vectra AI Buyer's Guide

Download the Vectra AI Buyer's Guide including reviews and more. Updated: November 2022

What is Vectra AI?

Vectra threat detection and response is a complete cybersecurity platform that collects, detects, and prioritizes security alerts. The Cognito platform for Network Detection and Response (NDR) detects and responds to attacks inside cloud, data center, Internet of Things, and enterprise networks. The platform also provides automated response capabilities for low-level threats and escalates more severe anomalies to security personnel.

Cognito captures data for multiple relevant sources and enriches it with context and security insights. It starts by deploying sensors across different networks in datacenters, IoT, or enterprise networks. The algorithm extracts relevant metadata from network and cloud traffic. The information can also be non-security information that can help investigation. 

The data is enriched with security context to support critical use cases, such as threat detection, investigation, hunting and compliance. The platform is machine learning-based, which enables it to adapt to any new and current threat scenario. It detects, clusters, prioritizes, and anticipates attacks by using identity and host-level enforcement. 

With the Vectra platform, a person can investigate 50 threats in just two hours. By prioritizing alerts and leveraging threat intelligence, it provides faster results.Vectra solves today’s security challenges for network detection and response. 

One of Vectra’s best features is the emphasis they put in pairing research and data science for security insights. It offers behavior codification with unsupervised, supervised, and deep learning models. 

The pricing is according to a subscription model with a free trial available.Vectra is available for Office 365, Azure AD and AWS Brain.

Features of Vectra AI

  • AI-based threat detection and response. 
  • Detects attacks in real time with behavior-based threat detection. 
  • Consolidates and correlates thousands of events, detecting threats. 
  • Enriches threat investigation with a chain of evidence and data science security insights. 
  • Machine learning techniques, including deep learning and neural networks. 
  • Gives visibility into cyberattackers and analyzes all network traffic. 
  • Continuous updates with new threat detection algorithms. 
  • Provides encryption at rest and in transit. For the AWS version, it offers AES-256 encryption via AWS Key Management Service. 
  • Guaranteed availability according to the SLA of the service selected. 
  • Does not connect to public sector networks. 

Benefits of Vectra AI

  • Behavioral models use AI to find unknown attackers. 
  • Context increases the accuracy of threat hunting. 
  • Allows for proactive action by prioritizing the most relevant information. 
  • Provides a clear picture and extensive context for investigations. 
  • Aids decision-making in the incident response process. 
  • Helps working with large datasets by capturing metadata at scale. 
  • Automates time-consuming analysis. 
  • Reduces the security analysts’ workloads on threat investigations. 

Other advantages of Vectra services include that they can be deployed in the public, private, or hybrid cloud. Support is available via email or online ticketing with an average of 4 hours of response. Phone support is available 24/7. 

Vectra provides full on-site and online training and documentation. Regarding the user interface, it supports several types of web browsers, such as Internet Explorer, Microsoft Edge, Firefox, Chrome, Safari and Opera. However, it is not available for mobile devices.

Reviews from Real Users

Here’s what PeerSpot users of Vectra AI have to say about it:

"One of the core features is that Vectra AI triages threats and correlates them with compromised host devices. From a visibility perspective, we can better track the threat across the network. Instead of us potentially finding one device that has been impacted without Vectra AI, it will give us the visibility of everywhere that threat went. Therefore, visibility has increased for us." - Dave W., Operations Manager at a healthcare company

"It does a reliable job of parsing out the logs of all the network traffic so that we can ingest them into our SIEM and utilize them for threat hunting and case investigations. It is pretty robust and reliable. The administration time that we spend maintaining it or troubleshooting it is very low.” - T.S., Senior Security Engineer at a manufacturing company

Vectra AI was previously known as Vectra Networks, Vectra AI NDR.

Vectra AI Customers

Tribune Media Group, Barry University, Aruba Networks, Good Technology, Riverbed, Santa Clara University, Securities Exchange, Tri-State Generation and Transmission Association

Vectra AI Video

Vectra AI Pricing Advice

What users are saying about Vectra AI pricing:
  • "From a pricing perspective, they are very commercially competitive. From a licensing perspective, just be conscious that some of their future cloud solutions come with additional subscriptions. Also, if you're outside of the US, you will get charged freight for the device back to your country."
  • "Vectra is a bit on the higher side in terms of price, but they have always been transparent. The reason that they are this good is that they invest, so they need to charge accordingly."
  • "Their licensing model is antiquated. I'm not a fan of their licensing model. We have to pay for licensing based on four different things. You have to pay based on the number of unique IPs, the number of logs that we send through Recall and Stream, and the size of our environment. They need to simplify their licensing down to just one thing. It should be based on the amount of data, the number of devices, or something else, but there should be just one thing for everything. That's what they need to base their licensing on. Cost-wise, they're not cheap. They were definitely the most expensive option, but you get what you pay for. They're not the cheapest option."
  • "Cost is a big factor, as always. However, I think we have a very good price–performance ratio."
  • "Vectra's licensing model could scale to our research network, which has multiple, 100-gigabit links."
  • "My company pays for the Vectra AI licensing fee yearly. I know the figure because my company recently renewed the license, and it's okay, at least for the financial sector."
  • Vectra AI Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Operations Manager at a healthcare company with 51-200 employees
    Real User
    Gives us a greater level of confidence that we will be able to detect threats more quickly
    Pros and Cons
    • "One of the core features is that Vectra AI triages threats and correlates them with compromised host devices. From a visibility perspective, we can better track the threat across the network. Instead of us potentially finding one device that has been impacted without Vectra AI, it will give us the visibility of everywhere that threat went. Therefore, visibility has increased for us."
    • "I would like to see data processed onshore. Right now, the cloud components, like Office 365, must be processed on servers outside of Australia. I would like to see a future adoption of onshore processing."

    What is our primary use case?

    The key challenges are employee weakness, getting alerted as soon as possible on our network and infrastructures to anything suspicious that is happening, and policy-type enforcement.

    The challenge that it tends to solve is visibility. We put a lot of controls in place for what we suspect will be a risk. However, something like Vectra gives us more visibility and confidence that we have a better understanding of what is actually happening, rather than just the things that we have already planned for.

    How has it helped my organization?

    We adopted an Office 365 add-in with the product that looks over the Office 365 suite and data traversing that platform. In the future, we see this as a valuable asset that we already have in place to be able to better monitor that type of detection of information. We don't have an environment where there are many true positives, which is good. That has been consistent across the old and new. Our detections have usually been benign or more configuration-based rather than some sort of attack. Because it provides more context and raises things in a way that make it more actionable, it does help you understand the anomaly on a deeper level because it is not just a log that is being forwarded on and has context around it. Vectra AI does do a good job of providing the model information upfront about how its detections work, which is helpful.

    We have an external SOC and most of the data or detections from Vectra now flows to them. The final design is that they are the recipient of those alerts in parallel with us. We also receive them directly at times, depending on the criticality. What it does for us is it improves the information and context that they are getting upfront, which means less questions for our internal IT team about what these assets are and what they are doing. Because the analysts at the SOC have more information to work from, it has reduced wasted time and improved the path that we are taking to a resolution, if there is a problem. It is more straightforward when you are getting quality information upfront about what you are actually investigating and why you are investigating it, rather than just, "This particular activity was detected on the network. Go and work out everything about it," Vectra gives you some context around it and a little bit of direction when you see these things, e.g., this is potentially what could be causing it. This improves workflow, reduces wasted time, and makes everyone's life a little bit easier.

    It has given us an increased level of confidence in our information security that we have a tool like Vectra to back up some of the incidents that could take place, knowing we are going to get them detected as quickly as possible and identified to us. Nowadays, with threats on ransomware and information security types of techs, we believe that Vectra does give us a greater level of confidence that we will be able to detect those more quickly. If they do occur, we can shut them down more quickly, preventing further risks or damage to our systems or infrastructure.

    Vectra AI provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just the Internet gateway. It spells that out quite clearly in each detection. It is not just in the detection. You can look at detections individually, which are essentially individual events. Also, when you are looking at an asset that has multiple detections attached to it, you can see where those sit in the lifecycle of an attack. This gives you an idea of how far Vectra thinks that it has progressed. Having the ability to know where you are in an attack helps you prioritize things a bit better.

    The solution correlates behaviors in our enterprise network and data centers with behaviors that we see in our cloud environment. In terms of a specific example, it links cloud identities to on-prem identities. This is something that we have never really had before, because we didn't have that visibility in our cloud environment. Now, it improves the visibility that we have of our security operations as a whole. Rather than sometimes viewing these things in silos and objects as individual objects, we are now viewing them as what they are, which is people undertaking action in our network and the pathways that they are taking to get to certain resources. By combining the cloud and on-prem data, it gives us context and helps us to get a proper view of what is actually going on.

    What is most valuable?

    An attractive thing about Vectra AI is the AI component that it has over the top of the detections. It will run intelligence over detections coming across in our environment and contextualize them a bit and filter them before raising them as something that the IT team or SOC need to address. 

    While the device itself is deployed on-prem, the hybrid nature of what it can monitor is important to us.

    Its ability to group detections for us in an easier way to better identify and investigate is beneficial. It also provides detailed descriptions on the detection, which reduces our research time into what the incident is. 

    There are also some beneficial features around integration with existing products, like EDR, Active Directory, etc., where we can get some hooks to use the Vectra product to isolate devices when threats are found.

    On a scale of good to bad, Vectra AI is good at having the ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation. My frame of reference is another product that we had beforehand, which wasn't very good at this side of things. Vectra AI has been a good improvement in this space. In our pretty short time with it so far, Vectra AI has done a lot to reduce the noise and combine multiple detections into more singular or aggregated alerts that we can then investigate with a bit more context. It has been very good for us.

    There is a level of automation that takes place where we don't have to write as many rules or be very specific around filtering data. It starts to learn, adapt, and automate some of the information coming in. It works by exception, which is really good. Initially, you get a little bit more noise, but once it understands what is normal in your environment, some of the detections are based on whether an action or activity is more than usual. It will then raise it. Initially, you are getting everything because everything is more than nothing, but now we are not getting much of that anymore because the baseline has been raised for what it would expect to see on the network.

    We use the solution’s Privileged Account Analytics for detecting issues with privileged accounts. Privileged accounts are one of the biggest attack vectors that we can protect ourselves against. This is one of the few solutions that gives you true insight into where some of those privileged accounts are being used and when they are being used in an exceptional way.

    We have found that Vectra AI captures network metadata at scale and enriches it with security information. We have seen that data enriched with integrations has been available and implemented. This comes back to the integration of our EDR solution. It is enriching its detection with existing products from our EDR suite, and probably some other integrations around AWS and Azure. In the future, we will see that improve even further. 

    One of the core features is that Vectra AI triages threats and correlates them with compromised host devices. From a visibility perspective, we can better track the threat across the network. Instead of us potentially finding one device that has been impacted without Vectra AI, it will give us the visibility of everywhere that threat went. Therefore, visibility has increased for us.

    What needs improvement?

    I would like to see data processed onshore. Right now, the cloud components, like Office 365, must be processed on servers outside of Australia. I would like to see a future adoption of onshore processing. 

    Buyer's Guide
    Vectra AI
    November 2022
    Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
    655,774 professionals have used our research since 2012.

    For how long have I used the solution?

    I have been using it for two to three months.

    What do I think about the stability of the solution?

    We have only a few months of history with it, but the solution has been rock solid. I don't think it has gone down yet.

    What do I think about the scalability of the solution?

    We have the ability to add agents in Azure and AWS Cloud if we want, but we still haven't made a decision yet. We can also add more agents or sensors on-prem with the VMware virtual machine that they provide. It is scalable in that way, but at some point, you will hit the limit of the device.

    One of the selling points for us was, down the track, we can just add additional agents to the box from other sources without the need for additional licensing costs.

    Internal to the business, there are only two users. External to the business (the SOC), there could be a team of up to 10 people who are watching alerts day-to-day as well as using the product and logging into the product to better identify what those alerts are. Being the owners of the system, we use it when we are triggered by alerts about something significant.

    We have a small IT team with fewer than 10 staff, where there are only one to two information security focused staff. We leverage an external SOC, i.e., a third-party.

    Vectra AI has enabled us to do things now that we could not do before. We are able to give our SOC a tool that can both reduce their time and potentially allow them to do more on our network. Potentially, they will look into isolating the threat a lot quicker. They can use some of the integrations to turn off endpoints when a threat, which is significant, is detected.

    How are customer service and support?

    Through the different phases of deployment that we have gone through so far, we have been mainly assigned one technical resource to assist us with everything from beginning to end. He has been very knowledgeable and responsive. I can't say anything really negative about him. 

    In terms of the ongoing support, we haven't had to leverage it much yet. We are now in the production phase, so we have been handed over to the main support desk, but I haven't had to use them yet.

    Through deployment, the technical support was very responsive. I think every question that I asked, if it wasn't able to be answered, got passed onto someone who could then come back with something. I think they were pretty upfront as well when the solution couldn't do what we were after. We were told that they would go away and check, then they would come back with an answer about whether what we were asking for could be done. It has all been pretty good so far.

    Which solution did I use previously and why did I switch?

    We already had a solution like this one in place, which was another competitor's product, where the three-year contract for that product was up. We wanted to retain the level of detection that the product provided, but adapt to the way our network had changed over three years to adopt a more hybrid cloud technology. This device sits on our internal network watching for any threats to our internal network. It looks at our Office 365 threats as well.

    We were previously using DarkTrace. We went to the market for reasons of maturity over time for our network. We wanted to further adapt this product to a hybrid working model. We wanted it to be able to adapt to cloud technology that we were adopting. We also wanted something commercially competitive. After three years, they came back asking for a 20% increase in their renewal fees, which wasn't acceptable.

    One of the main things that Vectra has brought to the table for us, over what we were previously using, was the ability to combine our on-prem packet data that we were watching with the cloud data that we needed to start including. We have one system monitoring a hybrid environment, rather than having separate systems for separate environments. That is a key thing that Vectra does that others might not. It comes back to visibility with network monitoring.

    For critical alerts, there has been a huge reduction compared to our previous solution, approximately 80% less. What our previous tool would mark as high, we wouldn't, and Vectra AI aligns with that. Vectra gave us some classifications of the threats, where our previous tool would just trigger high risks on a lot of things that to us, as a business, were not high risk. This is because of fundamentally the way that Vectra looks at detections compared to the way that our previous product did. Every detection was its own entity within the previous one. Whereas, with Vectra AI, it is all about combining the detections and getting a more complete picture. When you are looking for more than just one indicator of compromise, and you are not viewing these things in isolation, you start to realize that one indicator oftentimes doesn't mean critical. That is what Vectra does pretty well.

    How was the initial setup?

    The initial setup was straightforward. We had the existing competitor already in place, and it was architected in a pretty similar way. Someone without a device like this one in place would need to spend a little bit of time on the setup. However, that is not so much about Vectra as it is with the type of device that it is. No matter which device does this sort of thing, when you put it in place, you will need to set certain things up.

    We unboxed the device, plugged it in, and it pretty much turned on. We didn't have to do much at all. Then, there was the config after the fact, which was all supported.

    The initial deployment really only took a couple of weeks to get it to the point that we were relatively comfortable with what we were receiving. In terms of getting the box plugged in, that took a day. Then, we finished the whole deployment phase of it. which was to fine tune some of our detections and config. That has really been finalized in the last few weeks.

    Vectra was extremely easy and quick to get into place. It was able to run inline with DarkTrace while we were evaluating it. Also, the implementation was not heavy in any way.

    What about the implementation team?

    We went through a proof of concept with Vectra. We had already identified our functional requirements for the product and entered into our proof of concept arrangement with Vectra to assess that they could achieve all the functional requirements that we had.

    The support for deploying it was ready to assist further, if needed, with the deployment. In our case, it was very straightforward. It was very quick to implement. The support that they gave us week-to-week kept us moving. They were also able to implement it in line with us.

    Development and maintenance needs a tenth of a staff member. We mostly handle this ourselves. To be effective with the alerts that you are getting, you need security staff or people who are dedicated to this kind of thing. It is one thing to maintain and deploy the device.

    It is another thing to action the information that the solution is giving you. We outsource that, so we don't do it in-house.

    What was our ROI?

    The capturing of network metadata at scale reduces the time of investigations when researching incidents. Instead of having to look over multiple tools, that data can be somewhat aggregated, from a Vectra perspective. The time to detect and understand a threat has been reduced.

    Vectra AI has reduced the time it takes us to respond to attacks. The amount of time depends on the specific detection or circumstance around it. Some things have been raised previously, then we would have good knowledge about what that detection meant and how to investigate it effectively. Other times, a detection might be viewed as more novel, where there may not be the immediate skills in place to investigate it effectively, whether that is the security team or me. There is a whole lot of research that needs to go into this to make sure that you have the knowledge to actually verify whether a thing needs to be dealt with.

    Vectra AI provides you this information very well, with more context around the detection. Someone with a more general knowledge of some of these things can look at all the factors rather than just the detection to make a determination of how risky it is and how you might start investigating it. For example, with autodetection in an account, if it was just that detection, then your initial response might be to lock that account out. However, if you get a bit more context about it and can see what other activities were happening on the same asset around the same time, then you might not lock that account. You might just reach out to that user, and say, "Hey, what was this about?" because you are not so concerned about an immediate threat.

    There is ongoing maturity from our security strategy, which this solution introduces. Down the track, we could look to extend this from an agent perspective to our cloud platforms in a more rigorous way than what has already been implemented. It gives us increased confidence over time as we do get these detections and alerts that are valid, so we are able to accurately resolve and stop them quite quickly. That is where we will see the bigger benefit. It will tick something and alert us as quickly as possible, then we can get to it and shut it down as quickly as possible. That means our security maturity is only strengthening, and we can respond and have visibility over events in the future.

    The return on investment was passed over to our SOC. They were using our previous tool, DarkTrace, and now they are using Vectra. There will be a lot less in future reports because there will be a lot less that they are actually investigating.

    What's my experience with pricing, setup cost, and licensing?

    From a pricing perspective, they are very commercially competitive. From a licensing perspective, just be conscious that some of their future cloud solutions come with additional subscriptions. Also, if you're outside of the US, you will get charged freight for the device back to your country. I tried to negotiate getting rid of this, but unfortunately, it just wasn't something they would take off the table.

    I would like to see ways they can look to bring out new cloud functionality without introducing additional costs for them as additional subscriptions. They're about to bring out their AWS add-in, which has an additional cost. So, I would like to see them start to roll that into the product, as opposed to having it be offered as a separate subscription service. Because the more that that happens, the more it goes away from the core functionality of the product if we are just buying a lot of separate cloud processing pieces doing different functions. Why is that not being made as part of the core product?

    They also have some additional threat hunting tools that I would like to at least consider leveraging, but the cost is just prohibitive.

    Which other solutions did I evaluate?

    After deploying this solution in our network, it began to add value to our security operations straightaway. We ran the Vectra product in line with DarkTrace and were watching the alerts from both. Because I was sometimes getting exactly the same detections on both platforms, the Vectra information was actually assisting me in understanding what DarkTrace was doing and what it was warning me about. Straightaway, I started to get a better understanding of the alerts that we had been receiving for a long time.

    It pays to evaluate the market regularly on products like this. The industry and platforms change very rapidly, and there is always new technology coming out. Three years ago, these guys wouldn't have probably been around or been looked at. Now, they are. Therefore, going out to the market and actually assessing our existing investment, against what is out there today, was very worthwhile.

    For EDR, we are using CrowdStrike.

    What other advice do I have?

    The visibility of your threats will be easier to understand with Vectra AI. It provides you with a centralized dashboard of those threats and alerts. It gives you detailed descriptions for quicker research into what the identified threats and alerts are. It will integrate with existing products you may already be using. Overall, it reduces a lot of time spent on chasing false positives.

    Right now, we are leveraging the on-prem appliance and the Office 365 Cloud component. We want to look to the future around potentially extending this to further parts of Office 365 and cloud environments, like Azure and AWS.

    We haven't adopted Power Automate into our environment as of yet.

    I would rate this solution as eight and a half out of 10.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Sr. Specialist - Enterprise Security at a mining and metals company with 5,001-10,000 employees
    Real User
    Top 20
    We have become more proactive, and significant noise reduction means one analyst can handle things
    Pros and Cons
    • "The most useful feature is the anomaly detection because it's not signature-based. It picks up the initial part of any attack, like the recon and those aspects of the kill chain, very well."
    • "The reporting from Cognito Detect is very limited and doesn't give you too many options. If I want to prepare a customized report on a particular host, even though I see the data, I have to manually prepare the report. The reporting features that are built into the tool are not very helpful."

    What is our primary use case?

    The key challenge we face is visibility, things that happen in isolated and pocketed environments where visibility is limited. Silos and isolated networks exist across the environment, and it's difficult to control it completely. Blind spots are the main challenges.

    How has it helped my organization?

    With this solution, the focus has changed from reactive to more proactive, because all the other SOAR and EDR solutions, firewalls, and IPSs are generally reactive. With those tools, when most things are triggered, it means you are already slightly late. With Vectra, we become more proactive than reactive. More often than not, we pick things up before the actual damage can start. It picks up things that none of our other tools pick up because it's designed to detect things before harm is done, at the initial stages. This is one of the main benefits and the biggest business justification and use case for us.

    It reduces the time it takes to respond to attacks because we find out about a threat in the beginning so we can stop it before it can cause harm, rather than reacting when the damage is done and significantly more effort is needed.

    And since it is not preventive, it does not trigger any adverse reactions. For example, sometimes we have seen, with certain kinds of malware or ransomware, that they tend to get more aggressive if they realize that something is stopping them, but that doesn't happen with detection tools like Vectra.

    For capturing network metadata at scale and enriching it with security information, that's where the second product comes in, Cognito Recall. It takes enriched network metadata and keeps that information available for you to access, whether it triggers a detection or not. For example, if you want to check who is using SSL version 3, TLS version 1.0, SNMP version 1, SNMP version 2, or who is using clear text passwords, even though they don't trigger a detection in Cognito Detect, that metadata is available. Of course, the duration of that data is dependent on how much storage we can buy from Vectra. That's a financial constraint and we have opted for one month. We might look at expanding that further.

    That metadata helps in closing vulnerabilities. For instance, if there is a TLS version or an encryption level that we want to deprecate, it is very useful for us, because we can also generate reports. We know which systems are using SNMP version 1 or SNMP version 2. Even though it has more features and you can create custom detections through Recall, we've not gone that far. For us, this has been our most common use case: protocols and communications that we would like to stop or close. This provides useful data.

    The solution also provides visibility into behaviors across the full lifecycle of an attack, beyond just the internet gateway. It provides the whole MITRE Framework and the key chain—recon, command and control. It has detections under each of those categories, and it picks them up within the network. In fact, most of the detections are internal. Internet-based detections comprise 25 to 30 percent, and those are based on encrypted traffic. And most of the time when we validate, we see that it's genuine because it's a call from a support vendor where large files need to be uploaded. That gives us an opportunity to validate with that end-user as well: What was happening, what did you transfer?

    We used to have SIEM and antivirus solutions and we would get a lot of alerts. Those alerts resulted in a lot of effort to refine them and yet we still needed a lot of effort to analyze the information. Vectra does all of that automatically for us, and what it produces, in the end, is something that can easily be done by one person. In fact, you don't even need one.

    What is most valuable?

    The most useful feature is the anomaly detection because it's not signature-based. It picks up the initial part of any attack, like the recon and those aspects of the kill chain, very well. We've had numerous red team and penetration exercises and, at the initial stage, when the recon is happening and credentials are used and lateral movement is attempted, our existing tools don't pick it up because it has not yet been "transformed" into something malicious. But Vectra, at that stage, picks it up 80 to 90 percent of the time. That has been one of the biggest benefits because it picks up what other things don't see, and it picks them up at the beginning when attackers are trying to do something rather than when the damage is already done.

    The ability to roll up numerous alerts to create a single incident or campaign for investigation takes a bit of effort in the beginning because you'll always have misconfigurations, such as wrong passwords, that could trigger brute force and SMB-types of alerts. And you'll have genuine behaviors in your environment that tend to be suspicious, such as vulnerability assessment and scanning tools, that are not noise, per se. Even if they're non-malicious, it always tends to point to events like misconfigurations and security tools. It's been very useful in that sense, in that, once we do the initial triaging, indicating that this is a security tool, or that is a misconfiguration we need to correct, it reduces the noise quite significantly. We don't get more than 10 to 20 events, maximum, generated per day.

    Vectra shows what it does in terms of noise reduction, and we can see that it is down to only 1 percent, and sometimes even less than 1 percent, of what actually requires a person to act on.

    It becomes quite easy for a SOC analyst to handle things without being overburdened. And, obviously, it's at the initial stage because it picks things up before the damage happens. It's not the kind of prevention tool that has signatures and that only tells you something bad has already happened. It tells you that something is not right or is suspicious. It says there is a behavior that we have not seen before, and it has always been effective in the red team exercises that we periodically conduct.

    Also, we have privileged account management, but we don't have a separate analytics tool. Still, Vectra also picks that up. This is also something that has come up during red team exercises. If there's an account that is executing an escalated privilege or running a service that it normally doesn't run, it gets flagged. It tells us about lateral movements and privilege escalations; things that constitute non-standard usage. It's quite effective at catching these. I have yet to see a red team exercise that doesn't generate any alerts in Vectra. We see a jump, and it's very easy to identify the account and the system that is the source.

    It also triages threats and correlates them with the compromised host devices, because it maps both ways. It maps the host, the account, and the detection, and vice versa. You can also go to the detection and see how many affected hosts there are. In addition, if there's a particular detection, is there an existing campaign? How many hosts are also doing the same thing? These are the kinds of visibility the tool provides.

    What needs improvement?

    The reporting from Cognito Detect is very limited and doesn't give you too many options. If I want to prepare a customized report on a particular host, even though I see the data, I have to manually prepare the report. The reporting features that are built into the tool are not very helpful. They are very generic and broad. That's one main area that I keep telling Vectra they need to improve. 

    Also, whenever there's a software upgrade and new detections are introduced and the intelligence improves, there is a short period at the beginning where there's a lot of noise. Suddenly, you will get a burst of detections because it's a new detection. It's a new type of intelligence they've introduced and it takes some time to learn. We get worried and we always check whether an upgrade has happened. Then we say, "Okay, that must be the reason." I would like to see an improvement wherein, whenever they do an upgrade, that transition is a bit smoother. It doesn't happen all the time, but sometimes an upgrade triggers noise for some time until it settles down.

    For how long have I used the solution?

    We've been using the Vectra AI for over three years.

    What do I think about the stability of the solution?

    In the beginning, there is a struggle to fine-tune it because it will generate noise for the reasons I mentioned. But once that learning phase is complete, it's quite reliable. We have been using the hardware for more than three years and there have been no failures or RMAs

    Upgrades happen automatically. We have never gone into the appliance to do an upgrade, even though it's on-prem. It all happens automatically and seamlessly in the background. 

    Initially, we had some problems with the Recall connection to the cloud, to establish the storage connectivity. But again, these kinds of things are at the beginning. After that, it is quite stable. We've not had any problems.

    What do I think about the scalability of the solution?

    Scalability for the cloud solution is straightforward. For the on-prem solution, you need to take care of the capacity and the function itself, because the capacity of the same hardware varies, depending on what you use it for. From a capacity point of view, there is some effort required in the design.

    Looking forward to the future, the tool integrates with more and more solutions outside of its existing intelligence. It's not something that we have yet embarked on, but that's an interesting area in which we would like to invest some time.

    The cloud solution is something that has limited visibility because PaaS and SaaS in the cloud are always a challenge in terms of cyber security. And in the future, even though we have taken the Vectra SaaS for O365, they're also coming up with a PaaS visibility tool. It is currently under testing, and we are one of the users that have been chosen to participate in the beta testing of that. That's another thing in the future that would add a lot of value in terms of visibility.

    Currently, we have about 8,000 users.

    How are customer service and support?

    The support is directly from the device or we get a response via email. The response is okay. Because the product is stable, we have not been in a situation where we urgently needed something and we wanted support right now. We have never tested that kind of fast response. They take some time to respond, but whenever we have requested something, it has not been urgent. 

    We do get a response and issues always get resolved. We haven't had any lingering issues. They have all been closed.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did not have any tools in the same league. We had security tools, but not with anomaly detection as part of the feature set.

    How was the initial setup?

    Cognito Detect is on-prem and Cognito Recall is in the cloud, as is the O365 and Azure AD protection.

    The cloud setup is extremely simple. The on-prem takes some effort. There is the sizing, depending on what model. The throughput varies. Those kinds of on-prem design considerations create a bit of complexity in the beginning, but the cloud is straightforward. All it needs is the requisite access to the tenant. Once it gets that, it starts its work. 

    In the beginning, there is some effort in fine-tuning things, but that comes as part of the package with the solution. They have a success manager and tech analyst assigned to support you in the beginning. Once that is done, the product is very stable.

    For us, there were an initial four to eight weeks of triaging and clearing the noise, in terms of misconfiguration issues or known security tools. After that time, we started seeing value.

    What about the implementation team?

    We only used the people from Vectra.

    What's my experience with pricing, setup cost, and licensing?

    Vectra is a bit on the higher side in terms of price, but they have always been transparent. The reason that they are this good is that they invest, so they need to charge accordingly. They are above average when it comes to price. They're not very economical but it's for a good reason. As long as we get quality, we are okay with paying the extra amount.

    Which other solutions did I evaluate?

    We did a PoC with Darktrace recently as part of our regular exercise of giving other solutions an opportunity, but the PoC didn't meet our requirements. It didn't detect what Vectra detects in a red team situation.

    The deployment time is similar because they all need the same thing. They need the network feed for a copy of the network traffic. The base requirements are the same.

    What other advice do I have?

    My advice is that you need to size it right and identify what your capacity will be. And you need to place it right, because it's as helpful as what it can see, so you need to have an environment that supports that. What we did, as part of implementing Vectra, was implement an effective packet broker solution in our environment. It needs that support system to function properly. It needs copies of your traffic for detection because it doesn't have an agent sitting anywhere. The positioning and packet brokering are critical allies for this solution.

    We have it deployed on-premises. However, we are in the process of acquiring O365 and Azure AD as well. When it comes to Power Automate and other deeper anomalies, these are things that we have on the cloud in Azure. In the new module, it lets us know if any automation, scripts, or large, sudden downloads, or access from a country that is different from where the user has normally been, are happening. But this is a very new tool. We are yet to familiarize ourselves with it and do the fine-tuning. We don't have any automation or any such functions happening on-prem.

    In terms of correlating behaviors in the enterprise network and data centers with behaviors in the cloud environment, because we have taken the O365 module, it gives us good correlation between an on-prem user and his behavior in the cloud. We have seen that sometimes it detects that an account is disabled, for example, on-prem, and it says somebody downloaded a lot of data just a few days before that or uploaded large data a few days before that. It does those kinds of correlations.

    We have one SOC but it's based overseas. It's an offsite managed service and it covers the gambit of incident detection and response. It's an always-available service. The SIEM we are using is RSA NetWitness, and the EDR solution we use is McAfee.

    Vectra has some automation features, in the sense of taking action through the firewalls or other integrations, but that's a journey that we have not yet embarked on. As long as we have a continuously available SOC that rapidly responds to the alerts it generates, we are okay. In general, I'm not comfortable with the automation part. Accurate detection is more important for me. Prevention, when something is picked up too late, as is the case with some of the other solutions I mentioned, is a different case. But here, when it is at the preliminary stage, prevention seems a bit too harsh.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Vectra AI
    November 2022
    Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: November 2022.
    655,774 professionals have used our research since 2012.
    Senior Security Engineer at a manufacturing company with 10,001+ employees
    Real User
    Top 20
    Easy to deploy and maintain, gives us ML, AI, and custom detection options for rule detection, and saves storage cost and time
    Pros and Cons
    • "It does a reliable job of parsing out the logs of all the network traffic so that we can ingest them into our SIEM and utilize them for threat hunting and case investigations. It is pretty robust and reliable. The administration time that we spend maintaining it or troubleshooting it is very low. So, the labor hour overhead is probably our largest benefit from it. We spend 99% of our time in Vectra investigating cases, responding to incidents, or hunting, and only around 1% of our time is spent patching, troubleshooting, or doing anything else. That's our largest benefit from Vectra."
    • "They use a proprietary logging format that is probably 90% similar to Bro Logs. Their biggest area of improvement is finishing out the remaining 10%. That 10% might not be beneficial to their ML engine, but that's fine. The industry standard is Zeek Logs or Bro Logs, or Bro or Zeek, depending on how old you are. While they have 90% of those fields, they're still missing some fields. In very rare instances, some community rules do not have the fields that they need, and we had to modify community rules for our logs. So, their biggest area of improvement would be to just finish their matching of the Zeek standard."

    What is our primary use case?

    In terms of deployment, we have one brain and seven physical sensors. We're currently working on deploying a large number of virtual sensors, but those aren't done yet. We also have a SIEM and an EDR.

    How has it helped my organization?

    There are a large number of difficult-to-manage devices on a network. Traditional security vendors do a great job of making sure that workstations and servers are properly protected, secured, and observed, but they fall short when we're talking about odd peripherals, such as printers, scan guns, tablets, guest devices, and things like that. That's what Vectra helps us see. I can't tell the number of employee guest phones that just show up on the network, and they're infected because they're not managed by us and people do things with their phones. Now, we're able to actually see those devices hit our internal LAN instead of our guest networks, and we can properly move them over, whereas earlier, we were blind. Now, we have some reasonable assurance that our internal tablets, scan guns, and things like that are not performing abnormal network behavior. So, that's what we use Vectra for.

    We've got a centralized data center with a large number of physical locations throughout the country. So, our network is very distributed. It's very much like a campus. Vectra is really good at reducing the complication of deploying an NDR solution, and that really helps us because we have over 175 stores that we need to capture traffic from, as well as a number of sales offices, regular employee offices, and distribution centers distributed across the country. So, Vectra makes it really easy. We just drop or ship it over there, and it is up and running real quick once it gets there. Shipping takes longer than configuration. So, basically, our network is a centralized data center infrastructure with a large number of stores, distribution centers, and offices geographically dispersed around the country.

    It provides visibility into behaviors across the full lifecycle of an attack in our network beyond just the internet gateway. We tap client to server, server to server, and client and server to internet traffic, and it does a good job. It doesn't have an issue with internal traffic. In terms of the full lifecycle of the attack, Vectra is not designed to interface with or inspect the host. So, we're not seeing host activity obviously. That's what our EDR is doing. Vectra does an okay job. If we get a weird detection, we're also able to see a large number of other activities that happened just before and just after the attack and relate those to it.

    Before we deployed Vectra, we were not monitoring network traffic. So, there was definitely a need and a gap, and Vectra has filled it. We have reliable network logs that are readable, and it does a good job of doing a default set of detections for us. We're very happy with the gap that it has filled.

    It has overall reduced the time to respond to attacks, especially with the PCAP function on the detection, where when it gets a detection, it PCAPs the session. So, we're able to get a lot of context to alerts that we were unable to get before we deployed this because we weren't doing a full PCAP. Because Vectra only PCAPs the session when it triggers a detection, we didn't have to deploy hundreds of terabytes of storage across our network. So, we saved a lot of money there. There are $50,000 to $100,000 storage cost savings because it only captures the full packet capture for traffic that triggers detections. In terms of time, it has saved hundreds of hours. I can't even explain how happy we are with the amount of time it has saved us. Imagine the amount of time it would have taken us to deploy to 175 stores plus dozens of distribution centers and dozens of remote offices. Even if it was just one hour per location for deployment, that makes it hundreds of hours. Vectra, with being so easy to deploy and so easy to maintain and administer, has saved us hundreds of hours just on deployment and standing up the environment alone. I am not counting the maintenance and administration that come along with the solution.

    What is most valuable?

    It does a reliable job of parsing out the logs of all the network traffic so that we can ingest them into our SIEM and utilize them for threat hunting and case investigations. It is pretty robust and reliable. The administration time that we spend maintaining it or troubleshooting it is very low. So, the labor hour overhead is probably our largest benefit from it. We spend 99% of our time in Vectra investigating cases, responding to incidents, or hunting, and only around 1% of our time is spent patching, troubleshooting, or doing anything else. That's our largest benefit from Vectra.

    We've got machine learning and AI detections, but we also have the traditional ability to create our own custom detections and rules that are important to us for compliance. When we were demoing other vendors, a large number of vendors let you make your own rules, but they don't provide their own rules and ML and AI rule engine, or they provide AI and ML, but they don't allow you to make your own rules. Vectra is very nice in that sense. We have detection rules that Vectra provides that are very common to the security industry, such as whenever there's a major event like the SolarWinds event. Those rules get built and deployed for us really quickly. We can manage our own, but then we also have the ML and the AI engine. We really like that. It is one of the few platforms that we've found to be supporting all three options.

    What needs improvement?

    They use a proprietary logging format that is probably 90% similar to Bro Logs. Their biggest area of improvement is finishing out the remaining 10%. That 10% might not be beneficial to their ML engine, but that's fine. The industry standard is Zeek Logs or Bro Logs, or Bro or Zeek, depending on how old you are. While they have 90% of those fields, they're still missing some fields. In very rare instances, some community rules do not have the fields that they need, and we had to modify community rules for our logs. So, their biggest area of improvement would be to just finish their matching of the Zeek standard.

    They could provide distributed endpoint logging capability. We have a lot of remote workers nowadays in the day of the pandemic. If they're not connected to our VPN, then we're not capturing that traffic. So, the ability to do the traffic analysis for endpoints that are distributed would be cool. I have no idea how they would do that. I'm not aware of a single vendor that does that, but it would be cool if they could do that. To my knowledge, that's not really possible with the amount of compute power it would take on endpoints. It would be ridiculous. They'd have to really invent something new and novel that doesn't exist today in order to accomplish that. If they do, that would be great. Because I'm a customer already, I would use it. 

    Cost-wise, they're not cheap. They were definitely the most expensive option. Their licensing model is antiquated. We have to pay for licensing based on four different things. They need to simplify their licensing down to just one thing.

    For how long have I used the solution?

    We have been using this solution for around 18 months.

    What do I think about the stability of the solution?

    I'm very happy with it. In the 18 months, I cannot recall any outage. We keep up on all the patching and maintenance, and there have been very few bugs. The SaaS product Recall has always been there when we use it. Our on-prem version has never broke. It seems very stable.

    What do I think about the scalability of the solution?

    It has got no problem with scaling. We picked Vectra because it was able to scale up to our size fairly easily without scaling up the deployment and administration overhead. So, it scales really well. It has no problem handling our volume of data.

    How are customer service and technical support?

    Their technical support is pretty good. They're very responsive. Nine out of 10 times, they understand my problem. They're not perfect, obviously, but at the end of the day, I got answers for the few issues for which I've had to use support. I can only think of one instance where it was painful, and that's why I say nine out of 10 instead of 10 out of 10. The guy just didn't understand what I was asking, and about seven emails later, it got triaged, and the next guy figured it out. Other than that, the first person I email in at support is able to answer my question in that initial response or just one extra email.

    Which solution did I use previously and why did I switch?

    We did not use any similar solution. 

    How was the initial setup?

    We have a couple of SaaS-based products. We use Cognito, Recall, and Stream. Recall is their SaaS-based product where all the logs go into their hosted elastic search instance, which allows us to search and create custom rules and everything like that, and then we pull data from that environment into our on-prem environment. In terms of the deployment of the brain, that's all on-prem. All the sensors are on-prem obviously, but we do use Recall.

    In terms of the effort involved in deployment considering that some of the pieces we use are SaaS-based, it was literally just a toggle switch and an API client and key in the interface, and then it was working. We had to wait for accounting to approve it, and it added a little bit more time to our deployment because of paperwork, but technically, it was pretty simple. We told them we wanted this, and by the time that we got our paperwork done, everything at their end was stood up and ready to go for us.

    It does take two to three weeks for the brain to baseline and establish its ML baseline. The moment it was done with the two-week to three-week machine learning period, it was good. So, it started providing value after three or four weeks after deployment.

    What's my experience with pricing, setup cost, and licensing?

    Their licensing model is antiquated. I'm not a fan of their licensing model. We have to pay for licensing based on four different things. You have to pay based on the number of unique IPs, the number of logs that we send through Recall and Stream, and the size of our environment. They need to simplify their licensing down to just one thing. It should be based on the amount of data, the number of devices, or something else, but there should be just one thing for everything. That's what they need to base their licensing on. 

    Cost-wise, they're not cheap. They were definitely the most expensive option, but you get what you pay for. They're not the cheapest option. I know that their prices scared away a couple of people who have demoed it in the past. Once they got their quote, they were like, "Well, see you later. We can't do this." So, that is an area that they come up short against other people.

    Which other solutions did I evaluate?

    We did evaluate other options. We evaluated rolling Bro or Zeek on our own. We evaluated Security Onion. We also evaluated Corelight and almost picked them. We also investigated a couple of solutions that are significantly more involved than Vectra, just like full managed solutions, but we decided not to do that.

    The main reason for choosing Vectra over all the other solutions was twofold. One was the deployment time and routine administration costs. Its deployment was very simple. The amount of time it would take to deploy and configure was very low. The time it would take to maintain the environment was significantly lower than the other solutions and on par with Corelight.

    The second reason for picking it up is that it allowed us to create our own detection rules. They build rules for us when there are major events, as well as they have the ML and AI engine. This was the only solution that was easy and fast to deploy and maintain, and that was giving us all three options for rule detection. That's why we went with them. Some of the solutions provided all three options, but they were a pain to configure and maintain, and some of them were easy to deploy and maintain, but they didn't provide all three options.

    What other advice do I have?

    It is pretty straightforward. Plug it in and use aggregators in front of the sensors to aggregate multiple tap sources into a single sensor. The sensors can handle it. They de-duplicate everything. There is no need to purchase a sensor for every tap. Truncate all that traffic into an aggregator and have it come out one feed into the sensor. There is no issue there with the Vectra sensor being able to carve out all that. They're powerful enough to do that. Vectra recommends that. So, if someone is purchasing Vectra, they're going to hear that from them. With Vectra, you're picking reliable and fast among cheap, reliable, and fast.

    In terms of Vectra's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation, we do not generate a lot of incidents. We're pretty quick off the gun on detections. We're responding to detections before subsequent detections are detected and become an incident. We maybe get one incident a week, so I don't know if I can comment on that effectively.

    We don't use privileged account analytics from Vectra for detecting issues with privileged accounts. In terms of its detection model for providing security around things like Power Automate or other anomalies at a deeper level, we don't use Power Automate, but we use their anomaly detection, and it is very interesting. While it always does provide us something interesting to look at, more times than not, it is our IT admin who does anomaly detection. So, we learn a lot, and it brings odd things to our attention, but with anomaly detection, it has usually been our IT admin.

    In terms of Vectra helping our network's cybersecurity and risk-reduction efforts in the future, I'm hoping that one day, we can achieve even client-to-client inspection. Vectra should stay up with the times, and they shouldn't start coasting, which I don't see at all. They fill a good gap, and they do that well. We're just going to leave them filling that gap until the time comes where that is no longer a need, which I don't foresee. So, I don't know if they're going to do anything more than inspect network traffic and provide us an alerting engine on anomalous or malicious network traffic. That's their niche, so that's what they're going to do, probably just more of it. As we grow, we'll deploy more Vectra sensors to capture that extra traffic. I see them scaling very well.

    I would rate this solution a solid eight out of 10. It loses a star for not adhering to Bro Logs in my book, and there is no perfect 10.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Head of IT Security, Acting CISO at a retailer with 10,001+ employees
    Real User
    Top 20
    We can detect systems that are not behaving right because they are not configured correctly
    Pros and Cons
    • "Cognito Streams gives you a detailed view of what happens in the network in the form of rich metadata. It is just a super easy way to capture network traffic for important protocols, giving us an advantage. This is very helpful on a day-to-day basis."
    • "If you hit a certain number of rules, triage filters, or groups, the UX responds more slowly. However, we have a complex network and a lot of rules. So, our setup might not be a typical implementation example. We even had UX engineers onsite, and they looked at issues, improvements, and user feedback. Since then, it has gotten a lot better, they even built in features that we specifically requested for our company."

    What is our primary use case?

    Our key challenges are:

    1. People Management: It is always a struggle to coordinate the few people that we have with the necessary skills to put them on the most important topics or projects.
    2. Cloud adoption complexity: You need to figure out which systems, applications, and interfaces are talking to which cloud component in terms of data flow. That is a rather complex topic and usually sold well by the external supplier in terms of marketing to a company. Practically speaking, it is very difficult to elaborate all the connection requirements, on-prem to cloud, cloud to cloud, e.g., what is running where, what should run, and what is not running as it should.

    Cognito Platform: We are using the latest on-premises version and some of the cloud services too.

    We are mainly operating out of Switzerland. The IT Departments are based in our headquarters.

    We have a large network with a lot of points of sales and other geographical locations that are interconnected. We need visibility of all the client-initiated traffic to and from our main data centers and to the Internet. We have good network coverage. Vectra is deployed on different hotspots in our network.

    How has it helped my organization?

    We can detect systems that are not behaving right because they are not configured correctly. We detect access to malicious sites or domains that should not be there, which should have been picked up by our security services that we implement at different times at different types of levels in the network. This is kind of an add-on to all the existing prevention mechanisms and helps us with network hygiene.

    Due to an optimal signal-to-noise ratio that Vectra delivers, it gives us confidence to have a realistic chance of catching and stopping real attacks on time.

    One of its strongest parts is that the solution captures network metadata at scale and enriches it with security information. We forward events to our team, then we can correlate them even better.

    We have almost our complete network covered. This solution is like the absolute base coverage for us. You don't get many alerts, and if you get one, you better look at it because it is a good quality alert. After verification, we respond accordingly. Vectra AI brings great visibility. Without it, we would be blind.

    The solution has enabled us to do things now that we could not do before. With Streams enabled, we can easily find out who is using SMB v1, as an example. So, it is a kind of hunting in the network. If you have a detection and need proof, you have network capture. In terms of searching accounts or assets, it is a great platform that allows us to use the default search, i.e., searching for a hostname/IP or the advanced queries for complex searches. This allows you to search back in time, which is very convenient, i.e., if one specific host has had detections in the past.

    What is most valuable?

    Cognito Streams gives you a detailed view of what happens in the network in the form of rich metadata. It is just a super easy way to capture network traffic for important protocols, giving us an advantage. This is very helpful on a day-to-day basis. 

    The Office 365 detection is a great add-on. It will not only see the local traffic, i.e., the local user but also how the user is connecting to the cloud. If communication has been initiated within our network, we would capture anomalies with on-premises mechanisms. If it is a connection from the Internet to O365 SaaS services, we gain visibility through the Vectra add-on. It depends where the communication was started, but we do have a good, complete picture in a single view.

    Vectra AI is really focusing on the most critical, severe detections. That is the key point of this platform for us. It gives you enough details and data, if you need it. However, for daily operations, we are just getting the priority 1 alerts that we need, and nothing more.

    We use the solution’s Privileged Account Analytics for detecting issues with privileged accounts. This is important to our organization because you need to monitor and control privileged accounts.

    The detection model and correlation of events, e.g., you are only having one priority event a day, go hand in hand. They have awesome detection models and very good algorithms. Out-of-the-box, you get a decent severity matrix and great consolidation. This is what has made this platform so usable to us over the last three to four years. We can rely on these detections and on its event generating mechanism that clearly focuses on the most important priority one cases.

    What needs improvement?

    If you hit a certain number of rules, triage filters, or groups, the UX responds more slowly. However, we have a complex network and a lot of rules. So, our setup might not be a typical implementation example. We even had UX engineers onsite, and they looked at issues, improvements, and user feedback. Since then, it has gotten a lot better, they even built in features that we specifically requested for our company.

    We know that Vectra AI sensors for cloud IaaS deployments have been released and we are planning to deploy those shortly.

    For how long have I used the solution?

    We have been using it for four years.

    What do I think about the stability of the solution?

    Great! Currently, our Brain shows 190 days uptime (last reboot initiated by us). There have been no operational issues at all. I can't complain.

    What do I think about the scalability of the solution?

    Scalability is another very good selling point. It is easy to deploy virtual sensors as well as other sensors, which is a big plus.

    We have a team of three people, mainly security officers, who are investigating or following up on detections and alerts. We also use the Vectra AI Sidekick Services, which helps a lot by providing a skillful set of people who look into things with a great customer perspective. We have roughly 20 to 30 people who, from time to time, get details on detections or campaigns that they need to look at.

    How are customer service and support?

    The technical support is fast, customer-oriented, and has a great skill set.

    When we started with Vectra AI, we noticed certain things that could be done better from the UI experience and workflow. We had a lot of input. They built this into their software. Some of the features that customers use today are there because we said, "Well, guys do it like that because everybody can profit from that," and they said, "Well, that is a great idea. Let's do it."

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did not use another solution before Cognito.

    How was the initial setup?

    The initial setup was straightforward. 

    We already had an existing on-prem installation, so adding Office 365 detection was straightforward. It took about half an hour.

    After we deployed this solution in our network, it took about two weeks for it to begin to add value to our security operations.

    What about the implementation team?

    They brought in the requirements and said, "We need this amount of time, as well as this type of rack, space, power, and network configuration." We prepared that, then they were able to set things up in a very short manner. It took maybe a day, then we were set and traffic was flowing in. This was one of our smoothest installations in the last years. After two days, we saw all the needed network traffic. So, implementation and initial setup were very fast.

    We are still a happy customer after four years.

    What was our ROI?

    In terms of detection, we have seen ROI from finding out stuff as well as preventing, hunting, and intelligence gathering.

    What's my experience with pricing, setup cost, and licensing?

    Cost is a big factor, as always. However, I think we have a very good price–performance ratio.

    Which other solutions did I evaluate?

    We looked at least five different vendors, including Cisco and Darktrace, in PoCs.

    Vectra AI said what they are able to do in terms of detection and performance in their sales pitch, which they proved later in their technical PoC, to the point. They were actually the only ones who could.

    Vectra AI has a very short deployment time compared to other solutions that we tried.

    What other advice do I have?

    Do a PoC. Only a PoC will show you if something works or not. I know it takes time but do a POC or a test installation. We did the PoC directly in the production network, which was the best thing to do as we got results very quickly.

    Vectra AI enables you to see more. It is their visibility strength that makes the platform so great. Because they really look at severity conditions and do a great correlation, it is time invested wisely. If Vectra shows a high score threat, you must look after it.

    In terms of our security stack, this is the most essential cybersecurity tool we use. We are planning to use Vectra as well in the cloud. If they are able to deliver the same performance and capabilities in the cloud sensor, then it will be a really strong foundation that everybody should have in one way or the other.

    There is manual input i.e., Triaging is something that you have to do. But in terms of workflow, it has been designed by security people for security people. It provides a very smooth and fast way to set up manual rules or triage filters.

    I would rate this solution as 10 out of 10.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Head of Information Security at a financial services firm with 51-200 employees
    Real User
    Top 20
    Highly successful in detecting red team engagements and giving clear broad-level assurance
    Pros and Cons
    • "The administrative privilege detection feature is the most valuable feature. The admin accounts are often highly accessible to the high-risk component of the environment. If those accounts are compromised or are being used in a suspicious manner, that's high-fidelity events for us to look into."
    • "Integration with other security components needs improvement. It should have true integration as opposed to just being a separate pane of glass."

    What is our primary use case?

    We use Cognito.

    The biggest challenge we face in protecting the organization against cyber attacks is mean time to detection, operating from a position of an assumed breach. Then being able to detect breaches or malicious traffic within the environment as quickly as possible to reduce dwell time.

    We have a small environment with only 300 users. It's very technically focused given the market that we operate in. There are two data centers, four offices, a small IT and security team. Cognito allows us to make the best investment for the most return, given we don't have dedicated SOC analysts looking at a SIEM environment.

    How has it helped my organization?

    Cognito is highly successful in detecting red team engagements and giving clear broad-level assurance and confidence in the product.

    It captures network metadata at scale and enriches it with security information. The add-on of Recall is an invaluable investigation tool. It's able to look back and triage incidents.

    We have been enabled to do things now that we could not do before: 

    • There is more detailed visibility into network behavior. 
    • We have the ability to pull out anomalies. 
    • The high-fidelity alerts allow our team to focus on what's important.

    What is most valuable?

    The administrative privilege detection feature is the most valuable feature. The admin accounts are often highly accessible to the high-risk component of the environment. If those accounts are compromised or are being used in a suspicious manner, those are high-fidelity events for us to look into.

    Its ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation is very useful. Given that we are not a dedicated SOC environment, having to trawl through several false positives is not something that we have the capacity for.

    Cognito theoretically provides us with visibility into behaviors across the full lifecycle of an attack in our network beyond just the internet gateway. It has not been fully tested. But hypothetically it would give us full visibility into your attack chain.

    We use privileged account analytics for detecting issues with privileged accounts.

    What needs improvement?

    Integration with other security components needs improvement. It should have true integration as opposed to just being a separate pane of glass.

    For how long have I used the solution?

    I have been using Vectra AI for three years. 

    What do I think about the stability of the solution?

    Their stability is bulletproof. 

    What do I think about the scalability of the solution?

    We're using it across our entire estate, so we don't have plans to increase usage. It's been adopted 100%. 

    How are customer service and technical support?

    Their support is excellent. They're very responsive. Exactly as you would hope for from a vendor, which is rare.

    Which solution did I use previously and why did I switch?

    Vectra AI displaced an EOL North South solution.

    How was the initial setup?

    The initial setup was very straightforward. 

    We had appliances in each physical data center. It took three or four days to see results.

    Deployment time is equivalent to other solutions we have tried. The learning curve and speed of efficiencies are higher coming from Vectra.

    What about the implementation team?

    We deployed it with the assistance of Vectra. Our experience with them was exceptional. The engineers knew the product. Vectra is extremely responsive to assisting with technical issues. It was a very good experience.

    What was our ROI?

    It's hard to scientifically quantify ROI but I would say we have seen ROI, certainly from the risk and threat perspective.

    After we deployed the solution it instantly began to add value to our security operations.

    What's my experience with pricing, setup cost, and licensing?

    Pricing is comfortable. I have no issues with the pricing structure at the moment.

    There are no additional costs that I'm aware of unless you layer on MSP, additional soft services, or professional services. But for the solution itself, I don't believe there are.

    Which other solutions did I evaluate?

    We looked at Darktrace. 

    What other advice do I have?

    I think the solution would help the network, cybersecurity, and risk reduction efforts in the future if we were to adopt a SOC, it would be a key threat feed to that environment. As they continue to iterate and enhance the product, it's a critical security component for us now and for the future.

    Two security senior analysts work on this solution.

    My advice to anybody considering this solution is: don't delay. It does exactly what it's sold to do. It does it efficiently and effectively.

    I would rate Vectra AI Cognito a nine out of ten. 

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Security Center Coordinator at a comms service provider with 11-50 employees
    Real User
    Keeps up with our network traffic and provides context to alerts
    Pros and Cons
    • "It keeps up with the network traffic, which is a good thing. It provides more context to plain alerts compared to using an older system. So, it helps an analyst reduce the information overload."
    • "I would like more integrations with IOCs and threats currently on the Internet. I would also like to know which threats are based on zero-day attacks, current botnets, etc. Therefore, I would like more information on external threats."

    What is our primary use case?

    From our research network in Sweden, we use it to communicate to and from the Internet. The deployment is on our Internet-facing services. We facilitate monitoring for universities who need this as well.

    One of the biggest challenges facing us today is data growth and the continual diversification of the IT landscape. It is a very heterogeneous model, where you have on-premises, hybrid, and cloud solutions, as well as service providers, where everything is communicating back and forth towards each other.

    We just have one SOC in Sweden.

    How has it helped my organization?

    It keeps up with the network traffic, which is a good thing. It provides more context to plain alerts compared to using an older system. So, it helps an analyst reduce the information overload. 

    Vectra AI triages threats and correlates them with the compromised host device. That is how the functionality works. It helps us prioritize which hosts to look into.

    What is most valuable?

    It works over the hours when an analyst is not available, so the work keeps going. It can help you prioritize certain traffic patterns and things that you need to handle.

    It is a good system that goes hand in hand for both junior and senior analysts. I see it as a nice add-on there.

    What needs improvement?

    I would like more integrations with IOCs and threats currently on the Internet. I would also like to know which threats are based on zero-day attacks, current botnets, etc. Therefore, I would like more information on external threats.

    For how long have I used the solution?

    We have been using it for evaluation and collaboration together with our customers for the past two years. We have had it in our own production environment for half a year.

    What do I think about the stability of the solution?

    We haven't had any major disruptions. We had one hardware error after delivery, but that was taken care of.

    Not much maintenance is needed.

    What do I think about the scalability of the solution?

    It scales nicely since they separate the sensor node from the brain node.

    You can scale up to sensors and separate the architecture as you grow. So, you can define your initial steps first. then have a more mature hardware later on.

    We are a team of less than 10 people. We have network engineers, security analysts, incident handlers, and operators. We have a broad team.

    How are customer service and support?

    We have only had direct contact with the customer success team, and that has been great.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We previously used open-source SIEM models. We switched to Vectra AI to help with the automation of alerts.

    How was the initial setup?

    The initial setup was fairly straightforward.

    The deployment was done over the pilot phase. We changed the links and aggregation a bit on the networking side, but the work was fairly quick.

    What about the implementation team?

    We had a good dialogue with Vectra regarding the initial setup.

    What was our ROI?

    After deploying Vectra AI in our network, it began to add value to our security operations within a week.

    We have not yet seen ROI, but we are growing our usage. We need to offload at least one analyst or have it do the work of a couple of analysts over time. 

    What's my experience with pricing, setup cost, and licensing?

    We had a pricing meeting for the solution, where we set up a certain set of requirements that Vectra could fit on both price and quality.

    Which other solutions did I evaluate?

    We evaluated three or four different solutions.

    Vectra's licensing model could scale to our research network, which has multiple, 100-gigabit links. Other competitors could not scale that for us. 

    What other advice do I have?

    Set up specific threat scenarios that you are looking into, then monitor and evaluate on that. For example, it could be a botnet or certain user behavior. Also, the solution works best within an enterprise.

    We are currently evaluating upgrading our SIEM and EDR technologies. When we extend our scope of the traffic that we are monitoring, Vectra AI will possibly enable us to do things that we could not do before, which would be a nice side effect.

    There are still quite a lot of alarms coming in. It helps to reduce the amount of alerts that an older IDS-based system would have had. While there are still a lot of alarms, there are less alarms than the traditional IDS.

    I would rate the solution as nine out of 10.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    SOC Administrator at The National Commercial Bank
    Real User
    Gives alerts on suspicious activities; stable and scalable, with excellent technical support
    Pros and Cons
    • "What I like best about Vectra AI is that it alerts you about suspicious activities."
    • "An area for improvement in Vectra AI is reporting because it currently needs some details. For example, when you download a report from Vectra AI, you won't see complete information about the alerts or triggers. Another area for improvement in the tool is that sometimes, an alert has high severity, yet it's marked as low severity. Vectra AI should have a mechanism to change the severity level from low to high or critical."

    What is our primary use case?

    Vectra AI is an NDR tool, and my company is using it for security and insider threat detection purposes.

    What is most valuable?

    What I like best about Vectra AI is that it alerts you about suspicious activities.

    What needs improvement?

    An area for improvement in Vectra AI is reporting because it currently lacks some details. For example, when you download a report from Vectra AI, you won't see complete information about the alerts or triggers.

    Another area for improvement in the tool is that sometimes, an alert has high severity, yet it's marked as low severity. Vectra AI should have a mechanism to change the severity level from low to high or critical.

    For how long have I used the solution?

    I've been using Vectra AI for two years now.

    What do I think about the stability of the solution?

    Vectra AI is a stable tool.

    What do I think about the scalability of the solution?

    Vectra AI is a scalable tool.

    How are customer service and support?

    My company has a dedicated support team for Vectra AI, so I have the support team's direct contact number and WhatsApp number.

    The technical support is excellent, so my rating is five out of five.

    How was the initial setup?

    The initial setup for Vectra AI wasn't that complex. It won't take long if your environment is ready, with all required ports open. Setting up Vectra AI would be easy.

    What about the implementation team?

    We implemented Vectra AI together with their technical support team.

    What's my experience with pricing, setup cost, and licensing?

    My company pays for the Vectra AI licensing fee yearly. I know the figure because my company recently renewed the license, and it's okay, at least for the financial sector.

    What other advice do I have?

    I'm the admin of Vectra AI, a tool implemented in my company.

    The tool was updated three or four months ago, but I'm unsure if I have the latest release.

    My company has two SOCs in different areas, so all SOC analysts log in or use Vectra AI, with the alerts forwarded to Splunk. One person is the admin in-house, but he works with support because the tool is customized for my company, as any command can't be run in Linux.

    I'd recommend Vectra AI to others looking for an NDR solution.

    Vectra AI is excellent for NDR purposes, in general. I'm rating it as ten out of ten based on my experience because I'm investigating the Vectra AI alerts. It triggers alerts for suspicious activities, so it's an excellent tool.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free Vectra AI Report and get advice and tips from experienced pros sharing their opinions.
    Updated: November 2022
    Buyer's Guide
    Download our free Vectra AI Report and get advice and tips from experienced pros sharing their opinions.