IT Central Station is now PeerSpot: Here's why
Mark Davies - PeerSpot reviewer
Security Operations Specialist at a tech services company with 1,001-5,000 employees
Real User
Filters out the noise and streamlines the investigation process and our ability to get to root cause
Pros and Cons
  • "The dashboard gives me a scoring system that allows me to prioritize things that I should look at. I may not necessarily care so much about one event, whereas if I have a single botnet detection or a brute force attack, I really want to get on top of those."
  • "I'd like to be able to get granular reports and to be able to output them into formats that are customizable and more useful. The reporting GUI is lacking."

What is our primary use case?

We use Vectra AI to sniff the network using Ixia taps so that we can identify potentially malicious activity on the network and at all points of the kill chain. What it's exceptionally good at doing is correlating seemingly unrelated events. It's in our data center, but the versioning is controlled by Vectra. They push it out discreetly so I don't have any touch on that.

How has it helped my organization?

We have 89,000 concurrent IPS that we're analyzing and it's distilled it down to under 1,000 IP addresses that warrant deeper investigation. It's filtering out 99 percent of the traffic that would otherwise be noise, noise that we would never get through. The solution captures network metadata at scale and enriches it with security information, but that's because we are using the API calls to inject our CMDB data into the brain. It speeds things up quite significantly. Being an enterprise, sometimes it can take a day or two just to find the person responsible for looking after a particular server or service. This way, the information is right there at our fingertips. When we open up the GUI, if we have a detection we look at the detection and see the server belongs to so-and-so. We can reach out to that party directly if we need to. It streamlines the investigation process by having the data readily available to us and current. Each one is unique, but typically, from initial detection to completion of validation (that it's innocuous or that there's something else is going on) it's within 24 to 48 hours It also provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just internet gateway. It gives us visibility for when something is inside the network and it's maybe doing a lateral movement that it wouldn't normally be doing. Or if we have a system that has suddenly popped up on the network and we can see that it's a wireless router, for example, we pick that up right away. We can see it and we can deal with it. If people put unauthorized devices on the network — a wireless router from home — we can pick that up right away and deal with it. In addition, Vectra triages threats and correlates them with compromised host devices. We can do a search based on the threat type and get the host. It streamlines things and makes it faster to get to the root cause of an issue. And while it hasn't reduced the security analyst workload in our company, it has reduced the workload in that analysts are not having to look at stuff that absolutely means nothing. There is still a lot to do, but it has allowed us to focus better on the workload that needs to be done. It has also increased our security efficiency. It has reduced the time it takes us to respond to attacks by 100 percent. If you're not aware of it you can't respond to it. Now, it's making us aware of it so we can respond to it, which is a 100 percent improvement. The solution enables us to answer investigative questions that other solutions are unable to address. We will detect the fact that there is some suspicious domain activity going on — a DNS query is going out to MGAs and it really shouldn't be. The other systems are just passing that through, not even realizing that it shouldn't be happening. We see them and we can take action on them.

What is most valuable?

The dashboard gives us a scoring system that allows prioritization of detections that need attention. We may not necessarily be so concerned about any single detection type, or event, but when we see any botnet detections or a brute force attack detections, we really want to get on top of those. 

What needs improvement?

The solution's ability to reduce false positives wasn't very good, initially, because it was picking up so much information. It took the investment of some time and effort on our part to get the triage filters in place in such a fashion that it was filtering out the noise. Once we got to that point, then there was definitely value in time-savings and in percolating up the high-risk events that we need to be paying attention to. I'd like to be able to get granular reports and to be able to output them into formats that are customizable and more useful. The reporting GUI is lacking.
Buyer's Guide
Vectra AI
April 2022
Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: April 2022.
598,116 professionals have used our research since 2012.

For how long have I used the solution?

I've been using Vectra for three years.

What do I think about the stability of the solution?

The stability is excellent.

What do I think about the scalability of the solution?

We've had no issues so far with the scalability. Right now, it covers about 90 percent of our network. We are considering increasing the usage to incorporate it in the new cloud environments that we're standing up.

How are customer service and support?

Their technical support is excellent.

How was the initial setup?

I was not involved in the initial setup, but I was involved in a review of the setup when I took it over, to make sure that it is doing what it's supposed to be doing. The initial setup would have been straightforward, but it would have been very large. The implementation strategy would have been to make sure that it got to all the places that it needed to be, and to work out a way to make that happen by getting the Ixia taps into the right locations in our enterprise. In terms of staff from our side involved in deployment, it's web-based so there weren't a lot. Maintenance is ongoing from Vectra and they do it on the back-end. It just works. It's a black box for us.

What other advice do I have?

Take time to understand how the triage filtering works and standardize it early on. Use a  standardized naming convention and be consistent. It's a very effective tool, but if you don't pay attention to what it's telling you, then it's like anything else. If you don't use it, then it's no good. You have to trust that what it's telling you is correct and then you can take the appropriate action. For the most part, the users who log into it in our company are people on the security operations team. It's pretty much a closed tool. Access is limited to the people in the security center of excellence. In terms of the solution's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation, we don't use it that way. We've set up enough triage filters over the course of the last year-and-a-half to get all the noise out of the way; stuff that is either innocuous or really isn't bad. Then we're focusing on what's left, which is typically, for lack of a better term, the bad stuff or the stuff that we need to pay attention to. Regarding the solution's privileged account analytics for detecting issues with privileged accounts, we've used it, but not to the extent that we would like to. We just don't have enough manpower to be able to do that at this point. But it's important because we can see when an account is doing something that it shouldn't be doing, or that it doesn't normally do, or that it's connecting to a place that it doesn't normally connect to, or that it's escalating its privileges unexpectedly. We see all that and then we can respond accordingly.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Information Technology Security Engineer II at a mining and metals company with 10,001+ employees
Real User
Top 10
Helps us focus on higher-level alerts while not bombarding us with alerts on lower-level activities
Pros and Cons
  • "One of the most valuable features is all the correlation that it does using AI and machine learning. An example would be alerting on a host and then alerting on other things, like abnormal behavior, that it has noticed coming from the same host. It's valuable because we're a very lean team."
  • "It does a little bit of packet capture on alert so you can look at the packet capture activity going on, but it doesn't collect a whole lot of data. Sometimes it's only one or two frames, sometimes it does collect more. That's why they have the addition of their Recall platform, because that really does help expand the capability."

What is our primary use case?

We use it as an intrusion detection system to monitor traffic that's going on within our network.

How has it helped my organization?

There was an event that happened before I started here, a ransomware event, and Vectra AI was able to quickly detect and alert on the activity. That greatly reduced the time it took for the company to respond to the incident.

Cognito provides visibility into behaviors across the full life cycle of an attack in the network, beyond just the internet gateway. By detecting everything before the internet gateway, it's able to get a fuller picture of what was going on before the target left the network. It greatly increases our ability to investigate events that occur.

The Vectra product also triages threats and correlates them with compromised host devices. As a result, it helps to reduce the time to respond to incidents.

In addition, it does a really good job of bringing the higher-level alerts to our attention while not bombarding us with alerts on lower-level activities that, I find, we don't usually need to investigate. When I first started using it I was investigating everything and I quickly learned the low-level threats, as shown by their scores, were low for a reason and they really didn't need to be looked at too closely.

I would estimate it has reduced our security analyst workload by around 30 to 40 percent. It has increased our security efficiency and has also reduced the time it takes us to respond to attacks by about 50 percent.

What is most valuable?

One of the most valuable features is all the correlation that it does using AI and machine learning. An example would be alerting on a host and then alerting on other things, like abnormal behavior, that it has noticed coming from the same host. It's valuable because we're a very lean team. It helps reduce workload on our team daily by performing tasks that we don't have to do manually.

It does a really good job of reducing alerts by rolling up numerous alerts to create a single incident or campaign for investigation.

It also does a really good job detecting things. Some things it detects are not really threats, but it is stuff that it should be detecting, even though the behavior, sometimes, isn't malicious.

What needs improvement?

It does a little bit of packet capture on alert so you can look at the packet capture activity going on, but it doesn't collect a whole lot of data. Sometimes it's only one or two frames, sometimes it does collect more. That's why they have the addition of their Recall platform, because that really does help expand the capability.

I would also like to see more documentation or user guides about using the product.

For how long have I used the solution?

I've been using Vectra AI for a little over one year, but it was in place at our location before I started working here.

What do I think about the stability of the solution?

We haven't had any issues other than one power supply failure, but there was a backup power supply and they sent the replacement quickly. Other than that, I haven't seen any issues with stability of the product.

What do I think about the scalability of the solution?

I haven't had any experience in scaling it out beyond what was set up before I started here.

We have about 1,600 employees on site, but I'm not sure how many devices that equates to. Each person has one or more devices. We're scaled out about as far as we can go.

I'm the only person using it directly in our company, as an IT security engineer II.

How are customer service and technical support?

They have very good tech support.

What was our ROI?

Our company definitely saw return on investment when it had the ransomware attack. They were able to stop it quickly. That was definitely a huge savings. Otherise, the company was going to have to shut down production.

What's my experience with pricing, setup cost, and licensing?

I don't really have anything to compare it to, but I would assume the pricing is fair.

I believe they are licensing current devices or hosts. When I was last talking to a rep, we were having to go through a true-up process, but that hasn't started yet.

Which other solutions did I evaluate?

I have thought of evaluating other things, just for evaluation’s sake, but I haven't done so yet.

What other advice do I have?

It's helped me learn how to investigate alerts in a more efficient way.

It also captures network metadata at scale and enriches it with security information. Part of that I was able to witness using a proof of concept for the Cognito Recall platform, which collects all the metadata and then forwards it to an Amazon instance in the cloud. From there you can do a lot of correlation and you can do deep-dives into the data. That was also a really good product, and I would like for us to purchase it, but right now it doesn't look like that's going to happen.

Vectra will alert on activity going to some of our cloud providers, for example Microsoft OneDrive or Teams, but our systems won't really inspect on any type of SSL traffic, and it doesn't provide that much use for external communication that's encrypted. It's something we do not have set up and that's why we're not able to get that full visibility.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Vectra AI
April 2022
Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: April 2022.
598,116 professionals have used our research since 2012.
Head of Information Security at a financial services firm with 51-200 employees
Real User
Top 20
Highly successful in detecting red team engagements and giving clear broad-level assurance
Pros and Cons
  • "The administrative privilege detection feature is the most valuable feature. The admin accounts are often highly accessible to the high-risk component of the environment. If those accounts are compromised or are being used in a suspicious manner, that's high-fidelity events for us to look into."
  • "Integration with other security components needs improvement. It should have true integration as opposed to just being a separate pane of glass."

What is our primary use case?

We use Cognito.

The biggest challenge we face in protecting the organization against cyber attacks is mean time to detection, operating from a position of an assumed breach. Then being able to detect breaches or malicious traffic within the environment as quickly as possible to reduce dwell time.

We have a small environment with only 300 users. It's very technically focused given the market that we operate in. There are two data centers, four offices, a small IT and security team. Cognito allows us to make the best investment for the most return, given we don't have dedicated SOC analysts looking at a SIEM environment.

How has it helped my organization?

Cognito is highly successful in detecting red team engagements and giving clear broad-level assurance and confidence in the product.

It captures network metadata at scale and enriches it with security information. The add-on of Recall is an invaluable investigation tool. It's able to look back and triage incidents.

We have been enabled to do things now that we could not do before: 

  • There is more detailed visibility into network behavior. 
  • We have the ability to pull out anomalies. 
  • The high-fidelity alerts allow our team to focus on what's important.

What is most valuable?

The administrative privilege detection feature is the most valuable feature. The admin accounts are often highly accessible to the high-risk component of the environment. If those accounts are compromised or are being used in a suspicious manner, those are high-fidelity events for us to look into.

Its ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation is very useful. Given that we are not a dedicated SOC environment, having to trawl through several false positives is not something that we have the capacity for.

Cognito theoretically provides us with visibility into behaviors across the full lifecycle of an attack in our network beyond just the internet gateway. It has not been fully tested. But hypothetically it would give us full visibility into your attack chain.

We use privileged account analytics for detecting issues with privileged accounts.

What needs improvement?

Integration with other security components needs improvement. It should have true integration as opposed to just being a separate pane of glass.

For how long have I used the solution?

I have been using Vectra AI for three years. 

What do I think about the stability of the solution?

Their stability is bulletproof. 

What do I think about the scalability of the solution?

We're using it across our entire estate, so we don't have plans to increase usage. It's been adopted 100%. 

How are customer service and technical support?

Their support is excellent. They're very responsive. Exactly as you would hope for from a vendor, which is rare.

Which solution did I use previously and why did I switch?

Vectra AI displaced an EOL North South solution.

How was the initial setup?

The initial setup was very straightforward. 

We had appliances in each physical data center. It took three or four days to see results.

Deployment time is equivalent to other solutions we have tried. The learning curve and speed of efficiencies are higher coming from Vectra.

What about the implementation team?

We deployed it with the assistance of Vectra. Our experience with them was exceptional. The engineers knew the product. Vectra is extremely responsive to assisting with technical issues. It was a very good experience.

What was our ROI?

It's hard to scientifically quantify ROI but I would say we have seen ROI, certainly from the risk and threat perspective.

After we deployed the solution it instantly began to add value to our security operations.

What's my experience with pricing, setup cost, and licensing?

Pricing is comfortable. I have no issues with the pricing structure at the moment.

There are no additional costs that I'm aware of unless you layer on MSP, additional soft services, or professional services. But for the solution itself, I don't believe there are.

Which other solutions did I evaluate?

We looked at Darktrace. 

What other advice do I have?

I think the solution would help the network, cybersecurity, and risk reduction efforts in the future if we were to adopt a SOC, it would be a key threat feed to that environment. As they continue to iterate and enhance the product, it's a critical security component for us now and for the future.

Two security senior analysts work on this solution.

My advice to anybody considering this solution is: don't delay. It does exactly what it's sold to do. It does it efficiently and effectively.

I would rate Vectra AI Cognito a nine out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Center Coordinator at a comms service provider with 11-50 employees
Real User
Keeps up with our network traffic and provides context to alerts
Pros and Cons
  • "It keeps up with the network traffic, which is a good thing. It provides more context to plain alerts compared to using an older system. So, it helps an analyst reduce the information overload."
  • "I would like more integrations with IOCs and threats currently on the Internet. I would also like to know which threats are based on zero-day attacks, current botnets, etc. Therefore, I would like more information on external threats."

What is our primary use case?

From our research network in Sweden, we use it to communicate to and from the Internet. The deployment is on our Internet-facing services. We facilitate monitoring for universities who need this as well.

One of the biggest challenges facing us today is data growth and the continual diversification of the IT landscape. It is a very heterogeneous model, where you have on-premises, hybrid, and cloud solutions, as well as service providers, where everything is communicating back and forth towards each other.

We just have one SOC in Sweden.

How has it helped my organization?

It keeps up with the network traffic, which is a good thing. It provides more context to plain alerts compared to using an older system. So, it helps an analyst reduce the information overload. 

Vectra AI triages threats and correlates them with the compromised host device. That is how the functionality works. It helps us prioritize which hosts to look into.

What is most valuable?

It works over the hours when an analyst is not available, so the work keeps going. It can help you prioritize certain traffic patterns and things that you need to handle.

It is a good system that goes hand in hand for both junior and senior analysts. I see it as a nice add-on there.

What needs improvement?

I would like more integrations with IOCs and threats currently on the Internet. I would also like to know which threats are based on zero-day attacks, current botnets, etc. Therefore, I would like more information on external threats.

For how long have I used the solution?

We have been using it for evaluation and collaboration together with our customers for the past two years. We have had it in our own production environment for half a year.

What do I think about the stability of the solution?

We haven't had any major disruptions. We had one hardware error after delivery, but that was taken care of.

Not much maintenance is needed.

What do I think about the scalability of the solution?

It scales nicely since they separate the sensor node from the brain node.

You can scale up to sensors and separate the architecture as you grow. So, you can define your initial steps first. then have a more mature hardware later on.

We are a team of less than 10 people. We have network engineers, security analysts, incident handlers, and operators. We have a broad team.

How are customer service and support?

We have only had direct contact with the customer success team, and that has been great.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used open-source SIEM models. We switched to Vectra AI to help with the automation of alerts.

How was the initial setup?

The initial setup was fairly straightforward.

The deployment was done over the pilot phase. We changed the links and aggregation a bit on the networking side, but the work was fairly quick.

What about the implementation team?

We had a good dialogue with Vectra regarding the initial setup.

What was our ROI?

After deploying Vectra AI in our network, it began to add value to our security operations within a week.

We have not yet seen ROI, but we are growing our usage. We need to offload at least one analyst or have it do the work of a couple of analysts over time. 

What's my experience with pricing, setup cost, and licensing?

We had a pricing meeting for the solution, where we set up a certain set of requirements that Vectra could fit on both price and quality.

Which other solutions did I evaluate?

We evaluated three or four different solutions.

Vectra's licensing model could scale to our research network, which has multiple, 100-gigabit links. Other competitors could not scale that for us. 

What other advice do I have?

Set up specific threat scenarios that you are looking into, then monitor and evaluate on that. For example, it could be a botnet or certain user behavior. Also, the solution works best within an enterprise.

We are currently evaluating upgrading our SIEM and EDR technologies. When we extend our scope of the traffic that we are monitoring, Vectra AI will possibly enable us to do things that we could not do before, which would be a nice side effect.

There are still quite a lot of alarms coming in. It helps to reduce the amount of alerts that an older IDS-based system would have had. While there are still a lot of alarms, there are less alarms than the traditional IDS.

I would rate the solution as nine out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
Buyer's Guide
Download our free Vectra AI Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2022
Buyer's Guide
Download our free Vectra AI Report and get advice and tips from experienced pros sharing their opinions.