Przemyslaw Cichochki - PeerSpot reviewer
Security Consultant at a healthcare company with 10,001+ employees
Real User
Focuses on the internal network and is stable but needs one place to manage multiple brains
Pros and Cons
  • "I like the way that Vectra AI focuses on the internal network. Nowadays, most of the attackers are already inside, and they can be inside for many years before they start attacking. With normal monitoring, it's quite difficult to find them."
  • "What is most important for us is to have one place where we can manage a few brains because we are based on a zero-trust network. As a result, each customer needs to have a separate brain. For the SOC team, we need to have one place where the SOC analyst can go to visit the website and from that site manage all of the customers. Right now, Vectra AI doesn't have this capability, and I would really like to have this feature."

What is our primary use case?

We wanted to have an additional layer of protection. We have the standard IDSs and were looking for solutions that provide additional security features.

We are still in the deployment phase and hope to be in production mode soon.

What is most valuable?

I like the way that Vectra AI focuses on the internal network. Nowadays, most of the attackers are already inside, and they can be inside for many years before they start attacking. With normal monitoring, it's quite difficult to find them.

Vectra AI checks the behavior of the systems. It's much better than, for example, McAfee IDS, which also has some behavioral capabilities. With Vectra AI, it is possible to get some more hits.

What needs improvement?

What is most important for us is to have one place where we can manage a few brains because we are based on a zero-trust network. As a result, each customer needs to have a separate brain. For the SOC team, we need to have one place where the SOC analyst can go to visit the website and from that site manage all of the customers. Right now, Vectra AI doesn't have this capability, and I would really like to have this feature.

For how long have I used the solution?

We have been using it for almost two years.

Buyer's Guide
Vectra AI
August 2025
Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
866,483 professionals have used our research since 2012.

What do I think about the stability of the solution?

So far, the stability of Vectra has been good compared to that of McAfee IDS. I really like the automatic updates because I am the security engineer and responsible for the tools. I have less work to do, which is really nice.

In the beginning, when we had less throughput, the stability was quite nice, but now, we are reaching 25 GB of throughput. The current device is only capable of 20 GB. I do see some slowness, but I believe that it will be solved by the new brain.

What do I think about the scalability of the solution?

To scale, you would need to know the data center and its average throughput to order the correct brain. We have around 13,000 IPs right now, but we're still growing. The only limitation I see with Vectra AI in terms of scalability is that we cannot have one place to manage all of the brains. Besides that, it's quite straightforward; at each site, we need to have a brain, a physical or virtual one.

How are customer service and support?

Regarding technical support, I am in direct contact with a few people at Vectra. I enjoy cooperating with them. However, it hasn't gone that well with a ticket I created. We had to contact them after waiting for a few weeks. Overall, I'd give technical support a five out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

In the beginning, we had some problems because of a misunderstanding between my company and Vectra. During that time, it was quite challenging, but nowadays, everything is straightforward for us. For example, I'm planning the implementation of the new data center, and it's quite straightforward.

We have already deployed all of the sensors and brains. We are waiting for B101 because we need to have a bigger brain and also want to have one on standby. Once we receive the brains, we will deploy integrations with Vectra.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing are quite straightforward because they're based on IP licenses. As a result, they are easy to count.

What other advice do I have?

From a deployment and operations perspective, it's quite nice. Therefore, I'd give an overall rating of seven out of ten. However, I look forward to increasing the rating when we move into the production phase and see the real output from Vectra AI.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
CIO at General Transmissions
Real User
Good filtering capabilities, simple to implement, and has helped to stop some attacks
Pros and Cons
  • "The automatic filtering that they provide is valuable. The logic inside that makes some detections instead of us is very useful. We are confident that if we are just looking into it and there is nothing, nothing could happen."
  • "We are using SMB 3.0, which is an encrypted protocol. When we get some alerts or something, we cannot go deep into the protocol to see what's wrong because it's encrypted. We need to decrypt the protocol in another way, which is quite difficult. We might go back to SMB 2.0 just for this reason, but that's not a good solution."

What is our primary use case?

We wanted something to understand what's happening on the network of the company, and we wanted something to protect us against attacks and cyber activities. We wanted visibility into our network and all the threats that we're facing.

How has it helped my organization?

It has helped improve our mean time to identify, but I don't have the metrics on time savings because we didn't have anything for that previously.

It hasn't had any effect on the productivity of our organization’s SOC, but it has had a great effect on security.

In terms of the effect of Vectra AI Attack Signal Intelligence for empowering security analysts within our organization to take intelligent action, we are looking at the right risks and nothing more. We save some time for sure, and we empower our security with it. Previously, we couldn't see anything, but now, we are seeing some of the things, and we have already stopped some attacks with it.

What is most valuable?

The automatic filtering that they provide is valuable. The logic inside that makes some detections instead of us is very useful. We are confident that if we are just looking into it and there is nothing, nothing could happen. That's great.

It's simple to implement. It's simple to analyze. The dashboard is very smart and clean. It's very easy to check something. There are a lot of tools to analyze the detections. It's great.

What needs improvement?

We got two problems that couldn't be solved because of the philosophy of the product. We are using SMB 3.0, which is an encrypted protocol. When we get some alerts or something, we cannot go deep into the protocol to see what's wrong because it's encrypted. We need to decrypt the protocol in another way, which is quite difficult. We might go back to SMB 2.0 just for this reason, but that's not a good solution.

We did some penetration tests and tried to get some hashes or encrypted passwords from Active Directory. Those hashes didn't provide alerts into Vectra. Vectra doesn't survey them, which is quite problematic because it's a very common attack. They said that it's not the only aspect that would come with that kind of attack, but when somebody tries to get a lot of hashes, we would like that there is an alert because that seems like the start of an attack.

For the hashes issue, it could be very easy for them to make the improvement. They can just change a rule, and that's it, but for encrypted protocols, it could be trickier.

For how long have I used the solution?

We have been using this solution for two to three years.

What do I think about the stability of the solution?

There is no problem with stability. Sometimes, alerts can come later. For example, for Office 365, we got the alert one day late, but the problem was coming from the Microsoft side.

What do I think about the scalability of the solution?

We just have one, and that's enough for our needs. Its scalability is good for us because we just have one with multiple probes at the same cost, so that's fine for us.

How are customer service and support?

Their support is very good. They have knowledgeable people with great knowledge of cyber security and cyber risks. I'd rate them a 10 out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We weren't using any solution before. We went for Vectra AI because we wanted something to have visibility. We were completely blind to what could happen on the network. With Vectra AI, we aren't so blind.

What was our ROI?

We stopped some attacks. An attack could cost a lot more than the cost of Vectra. For example, we got an attack before that cost us $100,000. So, Vectra's cost is not so high. The cost of an attack could be worse. If we got encrypted data, it could be worse because we would have to stop the factory, which would cost a lot.

What's my experience with pricing, setup cost, and licensing?

Its cost is too much. It's an investment that we can afford. It's a lot, but it's worth it.

Which other solutions did I evaluate?

We evaluated Darktrace and one more solution. We also evaluated some SOC and SIEM systems, but we found Vectra AI to be better in comparison to other solutions. It was simple to implement and analyze.

What other advice do I have?

I'd rate Vectra AI a 10 out of 10.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2120739 - PeerSpot reviewer
CyberOps at a manufacturing company with 10,001+ employees
Real User
Simple implementation and has precise detection
Pros and Cons
  • "The UI is easy to use and when we send detection to everybody, they easily understand what we are asking at the time."
  • "There is room for improvement in the documentation. We would like to have more details on how it detects what we see."

What is our primary use case?

Our primary use case for this solution is for security policy and to detect potential attacks on our networks.

How has it helped my organization?

This solution helped our mean time to identify as we can have more precise detection and documentation. At the moment, we're seeing daily detection of between 10 and 20 and if it's on the cloud, we can do 50 to 100 per day.

What is most valuable?

As we are just beginning to use Vectra AI, I find the simplicity of implementation to be quite valuable. The UI is easy to use and when we send detection to everybody, they easily understand what we are asking at the time. The sections are very precise.

What needs improvement?

There is room for improvement in the documentation. We would like to have more details on how it detects what we see.

For how long have I used the solution?

I have been using Vectra AI for about four months.

What do I think about the stability of the solution?

This solution is stable.

What do I think about the scalability of the solution?

This solution is quite scalable. In the beginning, we had one point of network capturing the traffic. After that, we added two points on top of it and it worked perfectly. At first, we had five gigabits per second and now we have 30 so I'll say it's a good service.

How are customer service and support?

I would rate their support a ten, on a scale from one to ten, with one being the worst and ten being the best. The reason for this rating is that they were with us every step of the way to help and guide us through the process seamlessly.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Prior to Vectra AI, we used Gatewatcher and Microprobes and also the IPS/IDS firewall. Vectra AI is an additional layer of security.

How was the initial setup?

My opinion – and a strong point for Vectra AI – is that the deployment is not complex and is quite straightforward. It was an easy deployment and someone from the company helped us on each point and guided us through important milestones. If I recall correctly, it lasted for about two weeks.

What's my experience with pricing, setup cost, and licensing?

It's a bit expensive, as you can have a lot of different solutions for free. So, in the beginning, it's more expensive, but as time passes it gets better.

What other advice do I have?

The issue Vectra AI helps us solve is threat prevention.

Overall, I would rate this solution a seven, on a scale from one to ten, with one being the worst and ten being the best. The reason for this rating is that we are still in a tuning phase and it's too early to say anything about detection, but I would put ten for support.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2120730 - PeerSpot reviewer
CSIRT Manager at a computer software company with 51-200 employees
Real User
Helps us to have more visibility in terms of what happens in our network and the network at large
Pros and Cons
  • "Scalability-wise, we have many sensors, and Vectra AI seems to handle them all very well."
  • "The UI/UX and detection could be improved. More detections of specific security events could be useful. We've had a few incidents that were not detected by Vectra. The teams are working on it right now, but more detection is always better."

What is our primary use case?

We use Vectra AI to detect incidents because we have offices in 50 countries and 30 to 40 sensors around the world.

We want to be able to have a sensor or a foothold in as many offices as possible, and Vectra AI helps us achieve that goal.

How has it helped my organization?

Vectra AI helps us to have more visibility in terms of what happens in our network and the network at large. It increased our understanding and our ability to respond and clean up.

What is most valuable?

In terms of valuable features, I like the ability to record the traffic and the metadata in the traffic. I also like the ability to rewind the past and be able to understand what happened. Some of my colleagues like the ability to investigate incidents.

Vectra AI has had a positive effect on the productivity of our company's top teams. They use it a lot to understand what's going on. However, we still need to teach people how to use it to its full potential because it's quite a complicated product.

The Sidekick MDR service is quite important to our organization’s security monitoring and management. The Sidekick team is able to give us the ins and outs of what's going on with some incidents. They are able to triage and help us to focus on a particular part of detection. They also gave us advice on how to configure some parts of the product. The two people I worked with from the MDR service are really good at what they do, and it's quite nice to work with them.

What needs improvement?

The UI/UX and detection could be improved. More detections of specific security events could be useful. We've had a few incidents that were not detected by Vectra. The teams are working on it right now, but more detection is always better.

Vectra AI is quite good at threat detection, however, it cannot respond to threats and attacks in real time by itself. It has to have plugins with other components, such as EDR or other software, to be able to respond properly. By itself, Vectra AI cannot do much, but it's powerful enough to pilot other software.

For how long have I used the solution?

I've been using Vectra for nine months now.

What do I think about the stability of the solution?

Vectra AI's stability is quite good.

What do I think about the scalability of the solution?

Scalability-wise, we have many sensors, and Vectra AI seems to handle them all very well.

We have 30,000 devices across 50 countries with close to 2,000 offices. It's an enterprise-scale environment, and Vectra AI has not had any issues.

How are customer service and support?

The engineer who deploys Vectra at my company seeks perfection, and he wasn't happy with everything. However, Vectra's technical support staff handled all of his requests quite well. I would rate them an eight out of ten.

How would you rate customer service and support?

Positive

What other advice do I have?

The product is quite good, and we have a good relationship with the customer success managers and other teams as well.

Overall, I would rate Vectra AI an eight on a scale from one to ten with ten being the best.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1693914 - PeerSpot reviewer
Head of IT Security, Acting CISO at a retailer with 10,001+ employees
Real User
We can detect systems that are not behaving right because they are not configured correctly
Pros and Cons
  • "Cognito Streams gives you a detailed view of what happens in the network in the form of rich metadata. It is just a super easy way to capture network traffic for important protocols, giving us an advantage. This is very helpful on a day-to-day basis."
  • "If you hit a certain number of rules, triage filters, or groups, the UX responds more slowly. However, we have a complex network and a lot of rules. So, our setup might not be a typical implementation example. We even had UX engineers onsite, and they looked at issues, improvements, and user feedback. Since then, it has gotten a lot better; they even built in features that we specifically requested for our company."

What is our primary use case?

Our key challenges are:

  1. People Management: It is always a struggle to coordinate the few people that we have with the necessary skills to put them on the most important topics or projects.
  2. Cloud adoption complexity: You need to figure out which systems, applications, and interfaces are talking to which cloud component in terms of data flow. That is a rather complex topic and usually sold well by the external supplier in terms of marketing to a company. Practically speaking, it is very difficult to elaborate all the connection requirements, on-prem to cloud, cloud to cloud, e.g., what is running where, what should run, and what is not running as it should.

Cognito Platform: We are using the latest on-premises version and some of the cloud services too.

We are mainly operating out of Switzerland. The IT Departments are based in our headquarters.

We have a large network with a lot of points of sales and other geographical locations that are interconnected. We need visibility of all the client-initiated traffic to and from our main data centers and to the Internet. We have good network coverage. Vectra is deployed on different hotspots in our network.

How has it helped my organization?

We can detect systems that are not behaving right because they are not configured correctly. We detect access to malicious sites or domains that should not be there, which should have been picked up by our security services that we implement at different times at different types of levels in the network. This is kind of an add-on to all the existing prevention mechanisms and helps us with network hygiene.

Due to an optimal signal-to-noise ratio that Vectra delivers, it gives us confidence to have a realistic chance of catching and stopping real attacks on time.

One of its strongest parts is that the solution captures network metadata at scale and enriches it with security information. We forward events to our team, then we can correlate them even better.

We have almost our complete network covered. This solution is like the absolute base coverage for us. You don't get many alerts, and if you get one, you better look at it because it is a good quality alert. After verification, we respond accordingly. Vectra AI brings great visibility. Without it, we would be blind.

The solution has enabled us to do things now that we could not do before. With Streams enabled, we can easily find out who is using SMB v1, as an example. So, it is a kind of hunting in the network. If you have a detection and need proof, you have network capture. In terms of searching accounts or assets, it is a great platform that allows us to use the default search, i.e., searching for a hostname/IP or the advanced queries for complex searches. This allows you to search back in time, which is very convenient, i.e., if one specific host has had detections in the past.

What is most valuable?

Cognito Streams gives you a detailed view of what happens in the network in the form of rich metadata. It is just a super easy way to capture network traffic for important protocols, giving us an advantage. This is very helpful on a day-to-day basis.

The Office 365 detection is a great add-on. It will not only see the local traffic, i.e., the local user but also how the user is connecting to the cloud. If communication has been initiated within our network, we would capture anomalies with on-premises mechanisms. If it is a connection from the Internet to O365 SaaS services, we gain visibility through the Vectra add-on. It depends where the communication was started, but we do have a good, complete picture in a single view.

Vectra AI is really focusing on the most critical, severe detections. That is the key point of this platform for us. It gives you enough details and data, if you need it. However, for daily operations, we are just getting the priority 1 alerts that we need, and nothing more.

We use the solution’s Privileged Account Analytics for detecting issues with privileged accounts. This is important to our organization because you need to monitor and control privileged accounts.

The detection model and correlation of events, e.g., you are only having one priority event a day, go hand in hand. They have awesome detection models and very good algorithms. Out-of-the-box, you get a decent severity matrix and great consolidation. This is what has made this platform so usable to us over the last three to four years. We can rely on these detections and on its event generating mechanism that clearly focuses on the most important priority one cases.

What needs improvement?

If you hit a certain number of rules, triage filters, or groups, the UX responds more slowly. However, we have a complex network and a lot of rules. So, our setup might not be a typical implementation example. We even had UX engineers onsite, and they looked at issues, improvements, and user feedback. Since then, it has gotten a lot better; they even built in features that we specifically requested for our company.

We know that Vectra AI sensors for cloud IaaS deployments have been released and we are planning to deploy those shortly.

For how long have I used the solution?

We have been using it for four years.

What do I think about the stability of the solution?

Great! Currently, our Brain shows 190 days uptime (last reboot initiated by us). There have been no operational issues at all. I can't complain.

What do I think about the scalability of the solution?

Scalability is another very good selling point. It is easy to deploy virtual sensors as well as other sensors, which is a big plus.

We have a team of three people, mainly security officers, who are investigating or following up on detections and alerts. We also use the Vectra AI Sidekick Services, which helps a lot by providing a skillful set of people who look into things with a great customer perspective. We have roughly 20 to 30 people who, from time to time, get details on detections or campaigns that they need to look at.

How are customer service and support?

The technical support is fast, customer-oriented, and has a great skill set.

When we started with Vectra AI, we noticed certain things that could be done better from the UI experience and workflow. We had a lot of input. They built this into their software. Some of the features that customers use today are there because we said, "Well, guys do it like that because everybody can profit from that," and they said, "Well, that is a great idea. Let's do it."

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use another solution before Cognito.

How was the initial setup?

The initial setup was straightforward.

We already had an existing on-prem installation, so adding Office 365 detection was straightforward. It took about half an hour.

After we deployed this solution in our network, it took about two weeks for it to begin to add value to our security operations.

What about the implementation team?

They brought in the requirements and said, "We need this amount of time, as well as this type of rack, space, power, and network configuration." We prepared that, then they were able to set things up in a very short manner. It took maybe a day, then we were set and traffic was flowing in. This was one of our smoothest installations in the last years. After two days, we saw all the needed network traffic. So, implementation and initial setup were very fast.

We are still a happy customer after four years.

What was our ROI?

In terms of detection, we have seen ROI from finding out stuff as well as preventing, hunting, and intelligence gathering.

What's my experience with pricing, setup cost, and licensing?

Cost is a big factor, as always. However, I think we have a very good price–performance ratio.

Which other solutions did I evaluate?

We looked at least five different vendors, including Cisco and Darktrace, in PoCs.

Vectra AI said what they are able to do in terms of detection and performance in their sales pitch, which they proved later in their technical PoC, to the point. They were actually the only ones who could.

Vectra AI has a very short deployment time compared to other solutions that we tried.

What other advice do I have?

Do a PoC. Only a PoC will show you if something works or not. I know it takes time, but do a PoC or a test installation. We did the PoC directly in the production network, which was the best thing to do as we got results very quickly.

Vectra AI enables you to see more. It is their visibility strength that makes the platform so great. Because they really look at severity conditions and do a great correlation, it is time invested wisely. If Vectra shows a high score threat, you must look after it.

In terms of our security stack, this is the most essential cybersecurity tool we use. We are planning to use Vectra as well in the cloud. If they are able to deliver the same performance and capabilities in the cloud sensor, then it will be a really strong foundation that everybody should have in one way or the other.

There is manual input, i.e., triaging is something that you have to do. But in terms of workflow, it has been designed by security people for security people. It provides a very smooth and fast way to set up manual rules or triage filters.

I would rate this solution as 10 out of 10.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Other

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer2119917 - PeerSpot reviewer
Security at a financial services firm with 201-500 employees
Real User
Does AI-driven detection and analysis, and provides a detailed view of what's going on across the branch offices
Pros and Cons
  • "One of the things that we didn't expect to happen was that our network team also jumped on it faster than we thought. In most cases, if it's a security tool that's working on the network part, they can also use it to find out certain flaws that have been in the system. Certain flaws, related to some legacy stuff, were already there for quite a few years, which they couldn't explain at first, but we could explain them based on the timing of certain things."
  • "One of the things that we are missing a bit is the capability to add our own rules to it. At the moment, the tech engine does its thing, but we have some cool ideas to make additional rules. There should be an option in the platform to add custom rules, or there should be some kind of user group where we can suggest them for the roadmap and see if they get evaluated and get transparent communication on whether they will be implemented in the product or not."

What is our primary use case?

We started with it as a replacement for the functionality we had in our SIEM solution. We mainly wanted a detection metric and something that was smart enough to detect some of the more complex attacks because we can have flow data and do nothing with it. We wanted to have some strong alerting capabilities on that. We were looking to get a detailed attack and AI perspective on it. We didn't want something that only sees something as malicious and can alert on it but also detect things that are a little bit out of the ordinary, which was something we could get with this.

How has it helped my organization?

It has definitely improved our mean time to identify. In some specific cases, it's making it a lot easier because the enrichment features do help in getting a more detailed view of what's going on. For example, if we see a certain connection or something that's potentially a command and control channel, we can look at who logged in last and what other processes are there. We also have a connection to our SIEM solution, so we can check what's going on there as well. So, it really helps, but it's hard to measure the time savings because we previously didn't have a solution that had the same capabilities as Vectra AI.

It has definitely had an impact on our productivity. Previously, we did have some issues with getting a more detailed view of the network because we could only do it through event-based logs from the network devices, such as firewalls and switches that were providing us with additional information. Now, because it's more detailed and also across the branch offices—which was a big point for us—we do have a more efficient structure. We don't need to do that much additional effort to get to the root cause of problems, which was an issue before.

What is most valuable?

One of the things that we didn't expect to happen was that our network team also jumped on it faster than we thought. In most cases, if it's a security tool that's working on the network part, they can also use it to find out certain flaws that have been in the system. Certain flaws, related to some legacy stuff, were already there for quite a few years, which they couldn't explain at first, but we could explain them based on the timing of certain things. For example, there were about 200 SSH connections within a night. They had seen the traffic, but they couldn't relate it to anything specifically, whereas because we saw it, we knew that it was one of our main Unix machines. We knew it was doing some kind of backup at that time. We then went to talk to the system engineer, and he could confirm that he was using a badly written script that was doing 200 connections instead of just one and sending all 200 files across it.

It's well-built, so it does its thing as a Threat Detection and Response platform for detecting and responding to threats and attacks in real-time. We use the detections that come out of Vectra, and we send them over to our SIEM solution. Especially when it comes to high alerts or alerts with high certainty and high impact, we look at them immediately, and then someone also goes through it every day to clean up. If there are certain things that we need to check, we will check them anyway. Anything that's lower on the priority list is taken care of later in the day.

What needs improvement?

One of the things that we are missing a bit is the capability to add our own rules to it. At the moment, the tech engine does its thing, but we have some cool ideas to make additional rules. There should be an option in the platform to add custom rules, or there should be some kind of user group where we can suggest them for the roadmap and see if they get evaluated and get transparent communication on whether they will be implemented in the product or not. I understand that not everything can be implemented in the product, but if everyone presses the plus one button, then you know that there's a need for it. 

There is the concept of groups within Vectra. You have IP groups, host groups, and domain groups. Wildcards would be very handy there, or CIDR ranges would be a good one to start with. One of the big things that some of our operational people complain about is that if it's an IP and it has reverse look-ups, why do they need to make two groups—an IP group and a hostname group—just to get the same feature set?

For how long have I used the solution?

It has been almost three years, so it has been a while.

What do I think about the stability of the solution?

We haven't had any issues. It's very stable, so no problem.

How are customer service and support?

Their support is pretty good. They follow up fast. It's not like most other support centers we've seen in the past. They are really focused on getting us faster input.

I'd rate them a nine out of ten because there is always a little bit of room for improvement, but normally, they follow up really nicely. As opposed to others, where you mostly hear good product, bad support, in this case, it's good product, good support. That's something to keep in mind.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We had a SIEM solution that was mainly focused on event-based logging, not necessarily on the network part. We were looking at more of a network IDS solution, and that's where Vectra came in. We wanted something that was easy to use as we didn't want too much platform maintenance. We wanted something to plug into the box and make it work. At first, we didn't believe that we would be able to find something like that after we had seen Darktrace, their biggest competitor, but in the end, Vectra was a perfect fit for us because it made it very easy to insert it into our branch offices as well.

How was the initial setup?

We started from scratch. Three years ago, it was harder to start with than nowadays because back then, it was still in the beginning. The Belgian team that helped us with it also didn't have the experience at that time, whereas now, it's definitely not hard to set up. It's just a matter of knowing the right things, but the support portal really helps. There's good documentation on the setup as well.

What was our ROI?

From a security perspective, it's always hard to find a return on investment. If you look from the risk mitigation perspective and what's the worst that can happen, if we can stop attacks sooner, it would result in lower costs on remediation afterward because we were fast on the initial attack.

What's my experience with pricing, setup cost, and licensing?

From a licensing perspective, the Vectra Detect platform is pretty doable. Also, the hardware prices are nothing that we're not used to. The Stream part is a little overpriced compared to the Detect part. The reason is that you need to stream data to detect events anyway, so the data is in there. The only thing that's not available is the UI to be able to look at the Stream data, which is also on the appliances but is just not activated. That's mainly the thing that we want to improve on.

Which other solutions did I evaluate?

We looked at the SIEM solutions and flow-capturing devices. At the time, there was also an open-source product, but I don't remember the name. It was Suricata-based, but it fell off pretty quickly because of the high platform maintenance that would have come with it.

What other advice do I have?

At the moment, we don't let them do intelligent blocks. We do it ourselves, so we are still putting a manual process in place for that. We also haven't yet used Vectra MDR services.

I'd rate Vectra AI an eight out of ten. They can still move a little bit further with the streams. Especially now that ChatGPT and AI have come into the picture, we all need to up our game on the AI part.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
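The "200 SSH connections within a night" case in the review above is the kind of thing that is easy to spot once connection metadata is collected centrally. The following is an added example, not part of the review and not Vectra's code: a small Python detector over constructed Zeek-style conn records that flags source/destination pairs whose densest run of SSH sessions inside a time window exceeds a threshold. The addresses, the threshold and the window are assumptions.

```python
"""Flag source/destination pairs that open an unusual number of SSH
sessions within a time window, from Zeek-style conn metadata.

Added example, not Vectra's code.  The records are constructed to
resemble the scenario in the review above: a backup host opening one
SSH session per file (200 in a night) instead of reusing one session.
Addresses, the threshold and the window are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone


def _rec(ts, src, dst, dport, service):
    # One Zeek conn.log record in JSON form (field names follow Zeek).
    return json.dumps({"ts": ts, "id.orig_h": src, "id.orig_p": 50000,
                       "id.resp_h": dst, "id.resp_p": dport,
                       "proto": "tcp", "service": service})


BASE = 1_700_000_000  # constructed epoch start of the "night"

# Constructed sample log, one JSON record per line.
SAMPLE_LOG = "\n".join(
    # hypothetical backup host: 200 short SSH sessions, about 5 s apart
    [_rec(BASE + i * 5, "10.0.5.20", "10.0.9.40", 22, "ssh") for i in range(200)]
    # hypothetical jump host: three admin sessions spread over the night
    + [_rec(BASE + i * 3600, "10.0.1.7", "10.0.9.40", 22, "ssh") for i in range(3)]
    # unrelated TLS traffic that must not count
    + [_rec(BASE + i * 60, "10.0.1.7", "203.0.113.9", 443, "ssl") for i in range(10)]
)


def parse_conn(text):
    """Parse JSON conn records, one per line; lines that are not JSON are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def ssh_bursts(records, threshold=50, window_s=6 * 3600):
    """Return (orig_h, resp_h, count, first_ts, last_ts) for each pair whose
    densest run of SSH connections within window_s reaches threshold.

    Matching on Zeek's 'service' rather than the port means SSH on a
    non-standard port still counts and non-SSH traffic on 22 does not.
    """
    stamps_by_pair = defaultdict(list)
    for r in records:
        if r.get("service") == "ssh":
            stamps_by_pair[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))

    hits = []
    for (src, dst), stamps in stamps_by_pair.items():
        stamps.sort()
        best_n, best_first, best_last = 0, None, None
        j = 0  # left edge of the sliding window
        for i, t in enumerate(stamps):
            while t - stamps[j] > window_s:
                j += 1
            if i - j + 1 > best_n:
                best_n, best_first, best_last = i - j + 1, stamps[j], t
        if best_n >= threshold:
            hits.append((src, dst, best_n, best_first, best_last))
    return hits


def describe(hit):
    """Human-readable one-liner for a hit, with UTC timestamps."""
    src, dst, n, first, last = hit

    def fmt(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%SZ")

    return f"{src} -> {dst}: {n} ssh sessions between {fmt(first)} and {fmt(last)}"


if __name__ == "__main__":
    for h in ssh_bursts(parse_conn(SAMPLE_LOG)):
        print(describe(h))
```

On the constructed sample, only the backup host's 200-session run crosses the default threshold; the jump host's three sessions and the TLS traffic do not. Tightening the window to ten minutes drops the hit, because the densest ten-minute slice of that run holds fewer than 200 sessions, which is the knob to turn when a legitimate scheduled job should be tolerated but a scripted spray should not.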
PeerSpot user
Senior Security Engineer at a manufacturing company with 10,001+ employees
Real User
Easy to deploy and maintain, gives us ML, AI, and custom detection options for rule detection, and saves storage cost and time
Pros and Cons
  • "It does a reliable job of parsing out the logs of all the network traffic so that we can ingest them into our SIEM and utilize them for threat hunting and case investigations. It is pretty robust and reliable. The administration time that we spend maintaining it or troubleshooting it is very low. So, the labor hour overhead is probably our largest benefit from it. We spend 99% of our time in Vectra investigating cases, responding to incidents, or hunting, and only around 1% of our time is spent patching, troubleshooting, or doing anything else. That's our largest benefit from Vectra."
  • "They use a proprietary logging format that is probably 90% similar to Bro Logs. Their biggest area of improvement is finishing out the remaining 10%. That 10% might not be beneficial to their ML engine, but that's fine. The industry standard is Zeek Logs or Bro Logs, or Bro or Zeek, depending on how old you are. While they have 90% of those fields, they're still missing some fields. In very rare instances, some community rules do not have the fields that they need, and we had to modify community rules for our logs. So, their biggest area of improvement would be to just finish their matching of the Zeek standard."

What is our primary use case?

In terms of deployment, we have one brain and seven physical sensors. We're currently working on deploying a large number of virtual sensors, but those aren't done yet. We also have a SIEM and an EDR.

How has it helped my organization?

There are a large number of difficult-to-manage devices on a network. Traditional security vendors do a great job of making sure that workstations and servers are properly protected, secured, and observed, but they fall short when we're talking about odd peripherals, such as printers, scan guns, tablets, guest devices, and things like that. That's what Vectra helps us see. I can't tell you the number of employee guest phones that just show up on the network, and they're infected because they're not managed by us and people do things with their phones. Now, we're able to actually see those devices hit our internal LAN instead of our guest networks, and we can properly move them over, whereas earlier, we were blind. Now, we have some reasonable assurance that our internal tablets, scan guns, and things like that are not performing abnormal network behavior. So, that's what we use Vectra for.

We've got a centralized data center with a large number of physical locations throughout the country. So, our network is very distributed. It's very much like a campus. Vectra is really good at reducing the complication of deploying an NDR solution, and that really helps us because we have over 175 stores that we need to capture traffic from, as well as a number of sales offices, regular employee offices, and distribution centers distributed across the country. So, Vectra makes it really easy. We just drop or ship it over there, and it is up and running real quick once it gets there. Shipping takes longer than configuration. So, basically, our network is a centralized data center infrastructure with a large number of stores, distribution centers, and offices geographically dispersed around the country.

It provides visibility into behaviors across the full lifecycle of an attack in our network beyond just the internet gateway. We tap client to server, server to server, and client and server to internet traffic, and it does a good job. It doesn't have an issue with internal traffic. In terms of the full lifecycle of the attack, Vectra is not designed to interface with or inspect the host. So, we're not seeing host activity obviously. That's what our EDR is doing. Vectra does an okay job. If we get a weird detection, we're also able to see a large number of other activities that happened just before and just after the attack and relate those to it.

Before we deployed Vectra, we were not monitoring network traffic. So, there was definitely a need and a gap, and Vectra has filled it. We have reliable network logs that are readable, and it does a good job of doing a default set of detections for us. We're very happy with the gap that it has filled.

It has overall reduced the time to respond to attacks, especially with the PCAP function on the detection, where when it gets a detection, it PCAPs the session. So, we're able to get a lot of context to alerts that we were unable to get before we deployed this because we weren't doing a full PCAP. Because Vectra only PCAPs the session when it triggers a detection, we didn't have to deploy hundreds of terabytes of storage across our network. So, we saved a lot of money there. There are $50,000 to $100,000 in storage cost savings because it only captures the full packet capture for traffic that triggers detections. In terms of time, it has saved hundreds of hours. I can't even explain how happy we are with the amount of time it has saved us. Imagine the amount of time it would have taken us to deploy to 175 stores plus dozens of distribution centers and dozens of remote offices. Even if it was just one hour per location for deployment, that makes it hundreds of hours. Vectra, with being so easy to deploy and so easy to maintain and administer, has saved us hundreds of hours just on deployment and standing up the environment alone. I am not counting the maintenance and administration that come along with the solution.

What is most valuable?

It does a reliable job of parsing out the logs of all the network traffic so that we can ingest them into our SIEM and utilize them for threat hunting and case investigations. It is pretty robust and reliable. The administration time that we spend maintaining it or troubleshooting it is very low. So, the labor hour overhead is probably our largest benefit from it. We spend 99% of our time in Vectra investigating cases, responding to incidents, or hunting, and only around 1% of our time is spent patching, troubleshooting, or doing anything else. That's our largest benefit from Vectra.

We've got machine learning and AI detections, but we also have the traditional ability to create our own custom detections and rules that are important to us for compliance. When we were demoing other vendors, a large number of vendors let you make your own rules, but they don't provide their own rules and ML and AI rule engine, or they provide AI and ML, but they don't allow you to make your own rules. Vectra is very nice in that sense. We have detection rules that Vectra provides that are very common to the security industry, such as whenever there's a major event like the SolarWinds event. Those rules get built and deployed for us really quickly. We can manage our own, but then we also have the ML and the AI engine. We really like that. It is one of the few platforms that we've found to be supporting all three options.

What needs improvement?

They use a proprietary logging format that is probably 90% similar to Bro Logs. Their biggest area of improvement is finishing out the remaining 10%. That 10% might not be beneficial to their ML engine, but that's fine. The industry standard is Zeek Logs or Bro Logs, or Bro or Zeek, depending on how old you are. While they have 90% of those fields, they're still missing some fields. In very rare instances, some community rules do not have the fields that they need, and we had to modify community rules for our logs. So, their biggest area of improvement would be to just finish their matching of the Zeek standard.

They could provide distributed endpoint logging capability. We have a lot of remote workers nowadays in the day of the pandemic. If they're not connected to our VPN, then we're not capturing that traffic. So, the ability to do the traffic analysis for endpoints that are distributed would be cool. I have no idea how they would do that. I'm not aware of a single vendor that does that, but it would be cool if they could do that. To my knowledge, that's not really possible with the amount of compute power it would take on endpoints. It would be ridiculous. They'd have to really invent something new and novel that doesn't exist today in order to accomplish that. If they do, that would be great. Because I'm a customer already, I would use it. 

Cost-wise, they're not cheap. They were definitely the most expensive option. Their licensing model is antiquated. We have to pay for licensing based on four different things. They need to simplify their licensing down to just one thing.

For how long have I used the solution?

We have been using this solution for around 18 months.

What do I think about the stability of the solution?

I'm very happy with it. In the 18 months, I cannot recall any outage. We keep up on all the patching and maintenance, and there have been very few bugs. The SaaS product Recall has always been there when we use it. Our on-prem version has never broken. It seems very stable.

What do I think about the scalability of the solution?

It has got no problem with scaling. We picked Vectra because it was able to scale up to our size fairly easily without scaling up the deployment and administration overhead. So, it scales really well. It has no problem handling our volume of data.

How are customer service and technical support?

Their technical support is pretty good. They're very responsive. Nine out of 10 times, they understand my problem. They're not perfect, obviously, but at the end of the day, I got answers for the few issues for which I've had to use support. I can only think of one instance where it was painful, and that's why I say nine out of 10 instead of 10 out of 10. The guy just didn't understand what I was asking, and about seven emails later, it got triaged, and the next guy figured it out. Other than that, the first person I email in at support is able to answer my question in that initial response or just one extra email.

Which solution did I use previously and why did I switch?

We did not use any similar solution. 

How was the initial setup?

We have a couple of SaaS-based products. We use Cognito, Recall, and Stream. Recall is their SaaS-based product where all the logs go into their hosted Elasticsearch instance, which allows us to search and create custom rules and everything like that, and then we pull data from that environment into our on-prem environment. In terms of the deployment of the brain, that's all on-prem. All the sensors are on-prem obviously, but we do use Recall.

In terms of the effort involved in deployment considering that some of the pieces we use are SaaS-based, it was literally just a toggle switch and an API client and key in the interface, and then it was working. We had to wait for accounting to approve it, and it added a little bit more time to our deployment because of paperwork, but technically, it was pretty simple. We told them we wanted this, and by the time that we got our paperwork done, everything at their end was stood up and ready to go for us.

It does take two to three weeks for the brain to baseline and establish its ML baseline. The moment it was done with the two-week to three-week machine learning period, it was good. So, it started providing value three or four weeks after deployment.

What's my experience with pricing, setup cost, and licensing?

Their licensing model is antiquated. I'm not a fan of their licensing model. We have to pay for licensing based on four different things. You have to pay based on the number of unique IPs, the number of logs that we send through Recall and Stream, and the size of our environment. They need to simplify their licensing down to just one thing. It should be based on the amount of data, the number of devices, or something else, but there should be just one thing for everything. That's what they need to base their licensing on. 

Cost-wise, they're not cheap. They were definitely the most expensive option, but you get what you pay for. They're not the cheapest option. I know that their prices scared away a couple of people who have demoed it in the past. Once they got their quote, they were like, "Well, see you later. We can't do this." So, that is an area that they come up short against other people.

Which other solutions did I evaluate?

We did evaluate other options. We evaluated rolling Bro or Zeek on our own. We evaluated Security Onion. We also evaluated Corelight and almost picked them. We also investigated a couple of solutions that are significantly more involved than Vectra, just like full managed solutions, but we decided not to do that.

The main reason for choosing Vectra over all the other solutions was twofold. One was the deployment time and routine administration costs. Its deployment was very simple. The amount of time it would take to deploy and configure was very low. The time it would take to maintain the environment was significantly lower than the other solutions and on par with Corelight.

The second reason for picking it up is that it allowed us to create our own detection rules. They build rules for us when there are major events, as well as they have the ML and AI engine. This was the only solution that was easy and fast to deploy and maintain, and that was giving us all three options for rule detection. That's why we went with them. Some of the solutions provided all three options, but they were a pain to configure and maintain, and some of them were easy to deploy and maintain, but they didn't provide all three options.

What other advice do I have?

It is pretty straightforward. Plug it in and use aggregators in front of the sensors to aggregate multiple tap sources into a single sensor. The sensors can handle it. They de-duplicate everything. There is no need to purchase a sensor for every tap. Truncate all that traffic into an aggregator and have it come out one feed into the sensor. There is no issue there with the Vectra sensor being able to carve out all that. They're powerful enough to do that. Vectra recommends that. So, if someone is purchasing Vectra, they're going to hear that from them. With Vectra, you're picking reliable and fast among cheap, reliable, and fast.

In terms of Vectra's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation, we do not generate a lot of incidents. We're pretty quick off the gun on detections. We're responding to detections before subsequent detections are detected and become an incident. We maybe get one incident a week, so I don't know if I can comment on that effectively.

We don't use privileged account analytics from Vectra for detecting issues with privileged accounts. In terms of its detection model for providing security around things like Power Automate or other anomalies at a deeper level, we don't use Power Automate, but we use their anomaly detection, and it is very interesting. While it always does provide us something interesting to look at, more times than not, it is our IT admin who does anomaly detection. So, we learn a lot, and it brings odd things to our attention, but with anomaly detection, it has usually been our IT admin.

In terms of Vectra helping our network's cybersecurity and risk-reduction efforts in the future, I'm hoping that one day, we can achieve even client-to-client inspection. Vectra should stay up with the times, and they shouldn't start coasting, which I don't see at all. They fill a good gap, and they do that well. We're just going to leave them filling that gap until the time comes where that is no longer a need, which I don't foresee. So, I don't know if they're going to do anything more than inspect network traffic and provide us an alerting engine on anomalous or malicious network traffic. That's their niche, so that's what they're going to do, probably just more of it. As we grow, we'll deploy more Vectra sensors to capture that extra traffic. I see them scaling very well.

I would rate this solution a solid eight out of 10. It loses a star for not adhering to Bro Logs in my book, and there is no perfect 10.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
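The reviewer's main complaint above is that a log format "about 90% similar" to Zeek's conn.log breaks community rules that read the missing fields. The check below is an added example, not part of the review and not Vectra's code or log schema: it compares a connection record against the default Zeek conn.log column list, renames vendor fields through an alias table, and reports, per detection rule, which fields the rule reads that the record lacks. The vendor record, the alias table and the two rules are constructed assumptions for the example; the Zeek column list is Zeek's own.

```python
"""Check whether a vendor's "Zeek-like" connection records carry the
columns that Zeek's conn.log defines, and which fields a detection
rule needs that the record lacks.

Added example, not Vectra's code or log format.  ZEEK_CONN_FIELDS is
the default Zeek conn.log column list.  VENDOR_RECORD is a constructed
record standing in for a log that is "about 90% Zeek": a few columns
are absent and one is named differently.  The alias table and the two
rules are assumptions for the example.
"""
import json

ZEEK_CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]

# Constructed vendor record: no history/missed_bytes/local_*/tunnel_parents,
# and "session_id" where Zeek uses "uid".
VENDOR_RECORD = json.loads("""
{"ts": 1700000000.5, "session_id": "CxY1a2b3", "id.orig_h": "10.0.1.7",
 "id.orig_p": 51234, "id.resp_h": "203.0.113.9", "id.resp_p": 443,
 "proto": "tcp", "service": "ssl", "duration": 12.3,
 "orig_bytes": 4096, "resp_bytes": 1048576, "conn_state": "SF",
 "orig_pkts": 40, "orig_ip_bytes": 6000, "resp_pkts": 800, "resp_ip_bytes": 1090000}
""")

# Assumed vendor-to-Zeek renames; extend as the vendor's schema dictates.
ALIASES = {"session_id": "uid"}

# Hypothetical community-style rules, reduced to the fields each one reads.
RULES = {
    "large_outbound_transfer": ["id.orig_h", "id.resp_h", "orig_bytes", "resp_bytes"],
    "half_open_scan": ["id.orig_h", "id.resp_p", "conn_state", "history"],
}


def normalize(record, aliases=ALIASES):
    """Rename aliased vendor fields to their Zeek names; other keys pass through."""
    return {aliases.get(k, k): v for k, v in record.items()}


def missing_zeek_fields(record):
    """Zeek conn.log columns absent from the record, in Zeek column order."""
    return [f for f in ZEEK_CONN_FIELDS if f not in record]


def coverage(record):
    """Fraction of Zeek conn.log columns the record carries (1.0 = full match)."""
    return 1 - len(missing_zeek_fields(record)) / len(ZEEK_CONN_FIELDS)


def rule_readiness(record, rules=RULES):
    """Per rule, the fields it reads that the record lacks; an empty list means
    the rule can run unmodified on this log."""
    return {name: [f for f in fields if f not in record]
            for name, fields in rules.items()}


if __name__ == "__main__":
    rec = normalize(VENDOR_RECORD)
    print(f"coverage: {coverage(rec):.0%}, missing: {missing_zeek_fields(rec)}")
    for rule, gaps in rule_readiness(rec).items():
        print(f"{rule}: {'ok' if not gaps else 'needs ' + ', '.join(gaps)}")
```

Running the alias step first matters: without it, uid is reported missing even though the vendor carries the same value under another name, which would overstate the gap. On the constructed record the byte-volume rule can run as-is while the scan rule cannot, because it reads history, which is exactly the kind of field a vendor may drop when it is not useful to its own detection engine.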
PeerSpot user
reviewer1439937 - PeerSpot reviewer
Operational Security Manager at a financial services firm with 1,001-5,000 employees
Real User
Using Recall and Detect we have been able to track down if users are trying to bypass proxies
Pros and Cons
  • "The most valuable feature for Cognito Detect, the main solution, is that external IDS's create a lot of alerts. When I say a lot of alerts I really mean a lot of alerts. Vectra, on the other hand, contextualizes everything, reducing the number of alerts and pinpointing only the things of interest. This is a key feature for me. Because of this, a non-trained analyst can use it almost right away."
  • "The key feature for me for Detect for Office 365 is that it can also concentrate all the information and detection at one point, the same as the network solution does. This is the key feature for me because, while accessing data from Office 365 is possible using Microsoft interfaces, they are not really user-friendly and are quite confusing to use. But Detect for Office 365 is aggregating all the info, and it's only the interesting stuff."
  • "Vectra is still limited to packet management. It's only monitoring packet exchanges. While it can see a lot of things, it can't see everything, depending on where it's deployed. It has its limits and that's why I still have my SIEM."
  • "The main improvement I can see would be to integrate with more external solutions."

What is our primary use case?

Vectra was deployed to give us a view of what is happening on the user network. It helps us to check what is being done by users, if that is compliant with our policies, and if what they're doing is dangerous. It covers cyber security stuff, such as detecting bad proxies, malware infections, and using packet defense on strange behaviors, but it can also be used to help with the assessment of compliance and how my policies will apply.

We also use Vectra to administer servers and for accessing restricted networks.

There are on-prem modules, which are called Cognito Detect, the NDR/IDS solution, which captures traffic. We also have the SaaS data lake, and we also have the Cognito Detect for Office 365, which is a SaaS-type sensor within the O365 cloud.

How has it helped my organization?

If we didn't have Vectra and the Detect for Office 365, it would be very difficult to know if our Office 365 was compromised. We tried, in the past, to do it with a SIEM solution consuming Office 365 logs and it was really time-consuming. The Office 365 Detect solution has the exact same "mindset" as the Detect solution for networks. It's almost like we can deploy it in the fire-and-forget mode. You deploy the solution and everything is configured. You have all the relevant alerts out-of-the-box. If you want to, you could tweak, configure, contextualize, and rewrite the parser, because some things might be out of date, and customize the solution. For a big company with a large team it might be feasible, but for small companies, it's an absolute showstopper. The Detect for Office 365 gives us a lot of visibility and I'm very pleased with the tool.

We use three services from Vectra: Cognito Detect, Detect for Office 365, and Cognito Recall, and we are leveraging all these services within the SOC team to have proper assessments. We even use these tools to prepare the new use cases that we want to implement into our SIEM solution. Recall stores all the metadata that is brought up from Cognito Detect at a central point, data-lake style, with an elastic stack and a Kibana interface available for everybody. Using this, we can try to see what are the general steps.

Without this, I would not have been able to have my SOC analyst do the job. Creating a data lake for cyber security would be too expensive and too time-consuming to develop, deploy, and maintain. But with this solution, I have a lot of insight into my network.

An additional thing that is very convenient with the Recall and Detect interfaces is that you can do use cases involving individuals in Recall and have them triggered in Detect. For example, we found ways to track down if users are trying to bypass proxies, which might be quite a mess in a network. We found a type of search within Recall and have it triggering alerts in Detect. As a result, things can be managed.

It's so efficient that I'm thinking about removing my SIEM solution from our organization. Ours is a small organization and having a SIEM solution is really time-consuming. It needs regular attention to properly maintain it, to keep it up and running, consume all the logs, etc. And the value that it's bringing is currently pretty low. If I have to reduce costs, I will cut costs on my SIEM solution, not on Vectra.

The solution also provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. It provides a lot of insight on how an attack might be coming. There are multiple phases of an attack that can be detected. And there is a new feature where it can even consume intelligence feeds from Vectra, and we can also push our own threat-intelligence feeds, although these have to be tested. The behavioral model of the Detect solution also covers major malware and CryptoLockers. I know it's working. We tested some cases and they showed properly in the tool. I'm quite reassured.

It triages threats and correlates them with compromised host devices. One of the convenient things about Detect is that it can be used by almost anybody. It's very clear. It's quite self-explanatory. It shows quadrants that state what is low-risk and what is high-risk. It is able to automatically pinpoint where to look. Every time we have had an internal pen test campaign, the old pen test workstation has popped up right away in the high-risk quadrant, in a matter of seconds. To filter out false positives it can also provide rules that state, "Okay, this is the standard behavior. This subnet or this workstation can do this type of thing." That means we can triage automatically. It also has some features which aren't so obvious, because they are hidden within the interface, to help you to define triage rules and lower the number of alerts. It looks at all your threat or alert landscapes, and says, "Okay, you have many alerts coming from these types of things, so this group of workstations is using this type of service. Consider defining a new, automated triage rule to reduce the number of alerts."

To give you numbers, with my SIEM I'm monitoring some IDS stuff within my network. Everything is concentrated within my SIEM. From my entire site, IDS is giving me about 5,000 more alerts than my Vectra solution. Of course it will depend on how it is configured and what types of alerts it is meant to detect, but Vectra is humanly manageable. You don't have to add something to make the triage manageable, using some time-consuming fine-tuning of the solution, requiring expertise. This is really a strong point with Vectra. You deploy it, and everything is automatically done and you have very few alerts.

Its ability to reduce false positives and help us focus on the highest-risk threats is quite amazing. I don't know how they made their behavioral or detection models, but they're very efficient. Each alert is scored with a probability and a criticality. Using this combination, it provides you insights on alerts and the risks related to alerts or to workstations. For example, a workstation that has a large number of low-criticality alerts might be pinpointed as a critical workstation to have a look at. In fact, in the previous pen test we launched, the guys were aware that the Vectra solution was deployed so they tried some less obvious tests, by not crawling all the domain controllers, and things like that. Because there were multiple, small alerts, workstations were pinpointed as being in the high-risk quadrant. This capability is honestly quite amazing.

And, of course, it has reduced the security analyst workload in our organization, on the one hand, but on the other it has increased it. It reduces the amount of attention analysts have to pay to things because they rely on the tool to do the job. We have confidence in its capability to detect and warn only on specific things of interest. But it also increases the workload because, as the tool is quite interesting to use, my guys tend to spend some time in Recall to check and fix things and to try to define new use cases. Previously, I had four analysts in my shop, and every one of them was monitoring everything that was happening on the network and in the company on a daily basis. Now, I have one analyst who is specialized in Vectra and who is using it more than the others. He is focusing on tweaking the rules and trying to find new detections. It brings us new opportunities, in fact. But it has really reduced the workload around NDS.

In addition, it has helped move work from our Tier 2 to our Tier 1 analysts. Previously, with my old IDS, all the detection had to be cross-checked multiple times before we knew if it was something really dangerous or if it was a false positive or a misconfiguration. Now, all the intelligence steps are done by the tool. It does happen that we sometimes see a false positive within the tool, but one well-trained analyst can handle the tool. I would say about 20 to 30 percent of work has moved from our Tier 2 to our Tier 1 analysts, at a global level. If I focus on only the network detections, by changing all my IDS to Vectra, the number is something like more than 90 percent.

It has increased our security efficiency. If I wanted to have the same type of coverage without Vectra, I would need to almost double the size of my team. We are a small company and my team has five guys in our SOC for monitoring and Tier 1 and Tier 2.

It reduces the time it takes for us to respond to attacks. It's quite difficult to say by how much. It depends on the detections and threat types. Previously, we had an antivirus that was warning us about malicious files that were deployed on a workstation within one year. Now, we can detect it within a few minutes, so the response time can be greatly enhanced. And the response time on a high-criticality incident would go from four hours to one hour.

What is most valuable?

The most valuable feature for Cognito Detect, the main solution, is that external IDSs create a lot of alerts. When I say a lot of alerts I really mean a lot of alerts. Vectra, on the other hand, contextualizes everything, reducing the number of alerts and pinpointing only the things of interest. This is a key feature for me. Because of this, a non-trained analyst can use it almost right away.

It's very efficient. It can correlate multiple sources of alerts and process them through specific modules. For example, it has some specific patterns to detect data exfiltration and it can pinpoint, in a single area, which stations have exfiltrated data, have gathered data, and from which server at which time frame and with which account. It indicates which server the data is sent to, which websites, and when. It's very effective at concentrating and consolidating all the information. If, at one point in time, multiple workstations are reaching some specific website and it seems to be suspicious, it can also create detection campaigns with all the linked assets. Within a single alert you can see all the things that are linked to the alert: the domains, the workstation involved, the IPs, the subnets, and whatever information you might need.

The key feature for me for Detect for Office 365 is that it can also concentrate all the information and detection at one point, the same as the network solution does. This is the key feature for me because, while accessing data from Office 365 is possible using Microsoft interfaces, they are not really user-friendly and are quite confusing to use. But Detect for Office 365 is aggregating all the info, and it's only the interesting stuff.

We are still in the process of deploying the features of Detect for Office 365, but currently it helps us see mailboxes' configurations. For example, the boss of the company had his mailbox reconfigured by an employee who added some other people with the right to send emails on his behalf, and it was a misconfiguration. The solution was able to pinpoint it. Without it, we would never have been able to see that. The eDiscovery can track down all the accesses and it even helped us to open an incident at Microsoft because some discoveries were made by an employee that were not present in the eDiscovery console on the protection portal from Office 365. That was pinpointed by Vectra. After asking the user, he showed that he was doing some stuff without having the proper rights to do so. We were able to mitigate this bit of risk.

It also correlates behaviors in our network and data centers with behaviors we see in our cloud environment. When we first deployed Vectra, I wanted to cross-check the behavioral detection. After cross-checking everything, I saw that everything was quite relevant. On the behavioral side, the Office 365 module can alert us if an employee is trying to authenticate using non-standard authentication methods, such as validating an SMS as a second factor or authenticating on the VPN instead of the standard way. The behavioral model is quite efficient and quite well deployed.

What needs improvement?

Vectra is still limited to packet management. It's only monitoring packet exchanges. While it can see a lot of things, it can't see everything, depending on where it's deployed. It has its limits and that's why I still have my SIEM.

I am in contact with the Vectra team, if not weekly then on a monthly basis, to propose improvements. For the time being, the main improvement I can see would be to integrate with more external solutions. Since Vectra provides an API, that should be quite easy to handle. For example, we're using an open source ticketing system within our team and I want to have it handled properly by Vectra. We'll go forward on that with the API.

Another area for improvement that I have pinpointed is that the Office 365 solution and the Detect solution cannot match the same users. That means we have two "different worlds" currently, the world from Office 365, which is bringing alerts based on users' emails and email addresses. And we have the network world, which is bringing an Active Directory view. On the one hand we are seeing emails or email addresses, and on the other hand we are seeing things like logons on to the domain controller. From time to time, it does not match and the tool cannot currently cross-check this info and consolidate everything. I would like to be able to see that detection related to one workstation and covering a user: what he is using, what services he is using, and what he did with his Office 365 and configuration. That would help. 

Another major feature would be to have all logs pushed to Cognito Detect, and all these logs should be also pushed to Recall. Currently, within Recall, I can't call up the Office 365 detections and I would love to do so.

The last point would be an automated IoT threat feed consumption by the tool.

For how long have I used the solution?

I have been using Vectra for two years.

What do I think about the stability of the solution?

The stability is absolutely flawless. The last time it was rebooted was almost two years ago.

The only thing we have seen was some interruption in log feeding to the Recall instance, the SaaS solution. I had a quick call with a product manager in Europe and he was very keen to share information about this issue and willing to improve it.

So, within two years we have faced one stability incident. This incident lasted less than two hours and it was not on the monitoring solution but more on the data lake solution.

What do I think about the scalability of the solution?

The scalability is very good. From the financial perspective, we are not limited by the number of sensors. We can deploy as many virtual sensors as we want. The key factor is the IP addresses that are being monitored. In terms of technical scalability, we have one brain appliance, one very big sensor, and multiple virtual sensors, and I don't see any limits with this solution.

We are currently using all the things that it's possible to use in this solution. One thing I like with Vectra is that it's updated very frequently. Almost every month new features are popping up: new detections, new dashboards, new ways to handle things. That's quite good. I work with our SOC team so that they can use everything right away.

How are customer service and technical support?

The tech support is surprisingly good. We had questions, we faced some slight issues, and we always got very quick answers. Things are taken into account within a few minutes and answers usually come in less than two hours.

How was the initial setup?

To deploy Recall, which is the data lake in SaaS, or to deploy the Office 365 sensor, it was effortless. It was just a quick call and, within minutes, everything was set up.

It was set up the same way the solution is behaving. It's a turnkey solution. You deploy it and everything works. The configuration steps are minimal. It's exactly the same for the SaaS solution. You deploy the tool and you just have to accept and do very basic configuration. For Office 365, you have to grant rights for the sensors to be able to consume API logs and so on. You grant the rights and everything is properly set up. It's exactly the same for Recall. It was a matter of minutes, and not a matter of days and painful configurations.

In terms of maintenance it is very easy and takes no time. It's self-maintaining, aside from checking if backups have properly ended. And in terms of deployment, when we add a network segment, we have to work a bit to determine where to deploy the new sensors, but the deployment model is quite easy. The Vectra console is providing the OVA to provide a virtual sensor for deployment. It can also automate the deployment of the sensor if you link it with vCenter, which we have not done. But it's very easy. It's absolutely not time-consuming.

If I compare the deployment time to other solutions, it's way easier and way quicker. If I compare it to my standard IDS, in terms of deployment and coverage, it's twice or three times better.

What about the implementation team?

We were in contact with Vectra a lot at the beginning to plan the deployment, to check if everything was properly set up. But the solution is quite easy to set up. The next decisions we had were focused on how to enhance the solution: what seemed to be missing from the tool and what we needed for better efficiency.

The guys from Vectra were more providing guidance in terms of where the sensors needed to be deployed and that was about it.

We had a third-party integrator, Nomios, that provided the appliances, but they did not do anything aside from the delivery of appliances to our building. Our team took the hardware and racked it into the data center on its own. With just a basic PDF, we set up the tool within minutes. The integrator was quite unnecessary.

Nomios are nice guys, but we have deployed some other solutions with them and we were not so happy about the extra fees. We were not the only ones who were not happy about that. We tried to deploy the ForeScout products with Nomios and it was quite a mess. But they have helped us with other topics and they have been quite efficient with those. So they are good on some things and on other things they are not good.

What was our ROI?

It's ineffective to speak just about the cost of the solution, because all the solutions are costly. They are too costly if we are only looking at them from a cost perspective. But if I look at the value I can extract from every Euro that I spend on Vectra, and compare it to every Euro I spend on other solutions, the return on investment on Vectra is way better.

ROI is not measurable in my setup, but I can tell you that Vectra is way more cost-efficient than my other solution. The other solution is not expensive, but it's very time-consuming and the hardware on which it's running is quite expensive. If I look at the global picture, Vectra is three or four times more cost-efficient than my other solution.

What's my experience with pricing, setup cost, and licensing?

The pricing is very good. It's less expensive than many of the tools out there.

Which other solutions did I evaluate?

I evaluated Darktrace but it wasn't so good. Vectra's capabilities in pinpointing things of interest are way better. With Darktrace, it is like they put a skin of Kibana on some standard IDS stuff.

Vectra enables us to answer investigative questions that other solutions are unable to address. It provides an explanation of why it has detected something, every time, and always provides insights about these detections. That's very helpful. Within the tool, you always have small question marks that you click on and you have a whole explanation of everything that has been detected: why it has been detected and what the recommended course of action is. This approach is very helpful because I know that if I ask somebody new, within our team, to use Vectra, I don't have to spend months or days in training for him to be able to handle the solution properly. It's guided everywhere. It's very easy to use.

What other advice do I have?

Do not be afraid to link Vectra to the domain controller, because doing so can bring a lot of value. It can provide a lot of information. It gets everything from the domain controller and that is very efficient.

You don't need any specialized skills to deploy or use Vectra. It's very intuitive and it's very efficient.

We are in the process of deploying the solution’s Privileged Account Analytics for detecting issues with privileged accounts. We are using specific accounts to know whether they have reached some servers. It's quite easy with all these tools to check whether or not a given access to a server is a legitimate one or not.

We don't use the Power Automate functionality in our company, but I was very convinced by their demonstration, and an analyst in my team played with it a bit to check whether or not it was working properly. These are mostly advanced cases for companies that are using Office 365 in a mature manner, which is not the case for our company at the moment.

In our company, less than 10 people are using the Detect solution, and five or six people are using Recall. But we are also extracting reports that are provided to 15 to 20 people.
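As an added example, not part of this review and not Vectra's own code or API: the two things the reviewer describes, consolidating network detections that share a suspicious destination into one campaign-style view of all linked assets, and matching the Office 365 identity (an email address/UPN) with the Active Directory logon identity (DOMAIN\user) so both "worlds" land on the same user, can be prototyped downstream of any NDR tool with a short script. The directory mapping, detection records and Office 365 events below are constructed sample data, and every field name is an assumption, not Vectra's export schema.

```python
"""Correlate network detections with Office 365 events by canonical identity,
then group them per destination domain into campaign-style summaries.
Added example with constructed data; field names are assumptions, not a real schema."""
import json
from collections import defaultdict

# Constructed AD export: sAMAccountName -> userPrincipalName (hypothetical tenant).
DIRECTORY = {
    "jdoe": "john.doe@example.com",
    "asmith": "alice.smith@example.com",
    "svc-backup": "svc-backup@example.com",
}

# Constructed network-side detections (what a sensor on the internal network would see).
NETWORK_DETECTIONS = [
    {"host": "WS-0142", "ip": "10.1.4.17", "account": "CORP\\jdoe",
     "dst": "files-sync.example.net", "bytes_out": 3_900_000_000,
     "ts": "2024-03-02T01:12:00Z"},
    {"host": "WS-0207", "ip": "10.1.4.88", "account": "CORP\\asmith",
     "dst": "files-sync.example.net", "bytes_out": 1_200_000_000,
     "ts": "2024-03-02T01:40:00Z"},
    {"host": "SRV-FS01", "ip": "10.1.2.5", "account": "CORP\\svc-backup",
     "dst": "backup.example.com", "bytes_out": 80_000_000_000,
     "ts": "2024-03-02T02:00:00Z"},
]

# Constructed Office 365 audit events (identity is an email/UPN, mixed case as exported).
O365_EVENTS = [
    {"user": "John.Doe@example.com", "op": "Add-MailboxPermission",
     "target": "ceo@example.com", "ts": "2024-03-01T17:05:00Z"},
    {"user": "Alice.Smith@example.com", "op": "New-ComplianceSearch",
     "target": "all-mailboxes", "ts": "2024-03-01T18:30:00Z"},
]


def canonical_identity(raw, directory):
    """Map 'CORP\\jdoe', 'jdoe', 'jdoe@corp' or 'John.Doe@example.com' to one
    lowercase UPN. Accounts the directory cannot map are kept but flagged."""
    raw = raw.strip().lower()
    if "\\" in raw:                        # DOMAIN\user form from AD logons
        raw = raw.split("\\", 1)[1]
    known_upns = {upn.lower() for upn in directory.values()}
    if raw in known_upns:                  # already a UPN (Office 365 side)
        return raw
    sam = raw.split("@", 1)[0]             # 'jdoe@corp' -> 'jdoe'
    if sam in directory:
        return directory[sam].lower()
    return "unresolved:" + raw


def build_campaigns(network, o365, directory, min_hosts=1):
    """Group network detections by destination; attach the Office 365 activity
    of every account involved. min_hosts drops single-host destinations."""
    acc = defaultdict(lambda: {"hosts": set(), "ips": set(), "accounts": set(),
                               "bytes_out": 0, "first_seen": None, "last_seen": None})
    for d in network:
        c = acc[d["dst"]]
        c["hosts"].add(d["host"])
        c["ips"].add(d["ip"])
        c["accounts"].add(canonical_identity(d["account"], directory))
        c["bytes_out"] += d["bytes_out"]
        c["first_seen"] = d["ts"] if c["first_seen"] is None else min(c["first_seen"], d["ts"])
        c["last_seen"] = d["ts"] if c["last_seen"] is None else max(c["last_seen"], d["ts"])

    o365_by_user = defaultdict(list)       # same identity key on the cloud side
    for e in o365:
        o365_by_user[canonical_identity(e["user"], directory)].append(e)

    campaigns = {}
    for dst, c in acc.items():
        if len(c["hosts"]) < min_hosts:
            continue
        related = [e for a in sorted(c["accounts"]) for e in o365_by_user.get(a, [])]
        campaigns[dst] = {
            "hosts": sorted(c["hosts"]),
            "ips": sorted(c["ips"]),
            "accounts": sorted(c["accounts"]),
            "bytes_out": c["bytes_out"],
            "first_seen": c["first_seen"],
            "last_seen": c["last_seen"],
            "o365_activity": sorted(related, key=lambda e: e["ts"]),
        }
    return campaigns


if __name__ == "__main__":
    # Only destinations reached by two or more hosts are worth a campaign view here.
    print(json.dumps(build_campaigns(NETWORK_DETECTIONS, O365_EVENTS, DIRECTORY, min_hosts=2), indent=2))
```

The identity join is the part that matters: the network side knows `CORP\jdoe`, the cloud side knows `John.Doe@example.com`, and only a directory-backed mapping puts the mailbox-permission change and the bulk upload from WS-0142 on the same person. Accounts the directory cannot map are kept under an `unresolved:` prefix rather than dropped, so a gap in the export shows up in the campaign instead of silently hiding a host.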

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free Vectra AI Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2025