Coming October 25: PeerSpot Awards will be announced! Learn more

Vectra AI OverviewUNIXBusinessApplication

Vectra AI is #3 ranked solution in top Network Detection and Response (NDR) tools, #4 ranked solution in Network Traffic Analysis tools, and #5 ranked solution in top Intrusion Detection and Prevention Software. PeerSpot users give Vectra AI an average rating of 9.2 out of 10. Vectra AI is most commonly compared to Darktrace: Vectra AI vs Darktrace. Vectra AI is popular among the large enterprise segment, accounting for 62% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 20% of all views.
Vectra AI Buyer's Guide

Download the Vectra AI Buyer's Guide including reviews and more. Updated: September 2022

What is Vectra AI?

Vectra threat detection and response is a complete cybersecurity platform that collects, detects, and prioritizes security alerts. The Cognito platform for Network Detection and Response (NDR) detects and responds to attacks inside cloud, data center, Internet of Things, and enterprise networks. The platform also provides automated response capabilities for low-level threats and escalates more severe anomalies to security personnel.

Cognito captures data for multiple relevant sources and enriches it with context and security insights. It starts by deploying sensors across different networks in datacenters, IoT, or enterprise networks. The algorithm extracts relevant metadata from network and cloud traffic. The information can also be non-security information that can help investigation. 

The data is enriched with security context to support critical use cases, such as threat detection, investigation, hunting and compliance. The platform is machine learning-based, which enables it to adapt to any new and current threat scenario. It detects, clusters, prioritizes, and anticipates attacks by using identity and host-level enforcement. 

With the Vectra platform, a person can investigate 50 threats in just two hours. By prioritizing alerts and leveraging threat intelligence, it provides faster results.Vectra solves today’s security challenges for network detection and response. 

One of Vectra’s best features is the emphasis they put in pairing research and data science for security insights. It offers behavior codification with unsupervised, supervised, and deep learning models. 

The pricing is according to a subscription model with a free trial available.Vectra is available for Office 365, Azure AD and AWS Brain.

Features of Vectra AI

  • AI-based threat detection and response. 
  • Detects attacks in real time with behavior-based threat detection. 
  • Consolidates and correlates thousands of events, detecting threats. 
  • Enriches threat investigation with a chain of evidence and data science security insights. 
  • Machine learning techniques, including deep learning and neural networks. 
  • Gives visibility into cyberattackers and analyzes all network traffic. 
  • Continuous updates with new threat detection algorithms. 
  • Provides encryption at rest and in transit. For the AWS version, it offers AES-256 encryption via AWS Key Management Service. 
  • Guaranteed availability according to the SLA of the service selected. 
  • Does not connect to public sector networks. 

Benefits of Vectra AI

  • Behavioral models use AI to find unknown attackers. 
  • Context increases the accuracy of threat hunting. 
  • Allows for proactive action by prioritizing the most relevant information. 
  • Provides a clear picture and extensive context for investigations. 
  • Aids decision-making in the incident response process. 
  • Helps working with large datasets by capturing metadata at scale. 
  • Automates time-consuming analysis. 
  • Reduces the security analysts’ workloads on threat investigations. 

Other advantages of Vectra services include that they can be deployed in the public, private, or hybrid cloud. Support is available via email or online ticketing with an average of 4 hours of response. Phone support is available 24/7. 

Vectra provides full on-site and online training and documentation. Regarding the user interface, it supports several types of web browsers, such as Internet Explorer, Microsoft Edge, Firefox, Chrome, Safari and Opera. However, it is not available for mobile devices.

Reviews from Real Users

Here’s what PeerSpot users of Vectra AI have to say about it:

"One of the core features is that Vectra AI triages threats and correlates them with compromised host devices. From a visibility perspective, we can better track the threat across the network. Instead of us potentially finding one device that has been impacted without Vectra AI, it will give us the visibility of everywhere that threat went. Therefore, visibility has increased for us." - Dave W., Operations Manager at a healthcare company

"It does a reliable job of parsing out the logs of all the network traffic so that we can ingest them into our SIEM and utilize them for threat hunting and case investigations. It is pretty robust and reliable. The administration time that we spend maintaining it or troubleshooting it is very low.” - T.S., Senior Security Engineer at a manufacturing company

Vectra AI was previously known as Vectra Networks, Vectra AI NDR.

Vectra AI Customers

Tribune Media Group, Barry University, Aruba Networks, Good Technology, Riverbed, Santa Clara University, Securities Exchange, Tri-State Generation and Transmission Association

Vectra AI Video

Archived Vectra AI Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Head of Information Security at a retailer with 1,001-5,000 employees
Real User
Enables us to understand what our normal traffic is, then pulls out the anomalies for us
Pros and Cons
  • "It has reduced the time it takes to respond to attacks. That comes back to the proactive point. It makes us able to lower down in the kill chain, we can react now, rather than reacting to incidents that happened, we can see an instant, in some cases, as it's being implemented, or as it's being launched."
  • "The false positives and the tuning side of it is something that could use improvement. But that could be from our side."

What is our primary use case?

Vectra AI sits across our entire estate, we have an outsource provider for a lot of our backend systems. It sits in theirs and it sits in our own estates. It's deployed across our other numerous offices across the country. It sits across our entire state.

How has it helped my organization?

We don't have very much in the way of IDS or IPS on our estate, so we're relying on Vectra AI to do that sort of work for us. We're allowing that to look at our traffic and to flag up to us on our system. It helps my analysts investigate other things. We might get other alerts in the estate, Vectra AI is one of the first tools that they'll jump onto, to do further investigation of alerts that are raised up to them. It's a really good tool, not just for what it throws up, but for us to dig into our network as well.

What is most valuable?

What is pretty good is the unknown unknowns. It's the anomalies to the norm and the intelligence behind it that helps us to dig through a mountain of data and find the stuff that's important to us.

It allows us to understand what our normal traffic is, then pulls out the anomalies for us. For instance, a recent use case of it would be that it suddenly picked up that a file transfer was happening out of our estate that we weren't aware of. It hadn't been there before. There was a file transfer that suddenly appeared, that was actually in our estate that hadn't been there before. We would never have been able to see that normally, it's just that Vectra AI saw it. It was okay, it was going to a third-party and it allowed us to investigate it and find it but we would never have seen that without a notification. It understands what should be happening and then usually says "This isn't normal," and it allows us to flag it up and dig deeper into that.

It is very good at reducing alerts by rolling up numerous sellers to create a single incident or campaign for investigation. Although it doesn't reduce, it actually increases our alerts because we wouldn't have seen the stuff in the first place, but when it does create an alert, it pulls all investigative information together. We're not getting hundreds of alerts, we're getting alerts that contain all of the relevant components.

Vectra AI captures network metadata at scale and enriches it with security information. Although, we don't make the most of that, but we've never had a problem with its captures and it captures the correct data for what we want it to do. I think we could be using it better.

The information affects investigations by our security team by allowing them to be more effective and quicker in their investigations.

Vectra AI provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. Although, we found it's flagging up early, so it's not developing to that further stage of that because it's flagging up at an early stage.

Its ability to reduce false positives takes quite a bit of tuning. We've had to put a lot of effort into tuning out false positives, so that's something that we've had to invest our time into. Obviously it's getting better and better as time goes on, but we still have to spend time tuning it.

We've seen our tuning has lessened those processes, but we're still getting more than we would want. That's probably some of our fault. It could be some issues with the way it's set up in certain areas. But, once we tune them out, they're staying tuned out.

It hasn't reduced the security analyst workload in our organization but that was never the purpose of it for us. It's an additional tool in our armory, so it hasn't reduced our workload, but it's made us more efficient.

It makes the team more efficient in speed of response. I would say it makes them more efficient in the breadth of their coverage of what they can respond to. It makes us have a more proactive response to incidents.

It has reduced the time it takes to respond to attacks. That comes back to the proactive point. It makes us able to lower down in the kill chain. We can react now, rather than reacting to incidents that happened, we can see an instant, in some cases, as it's being implemented, or as it's being launched.

It's not all attacks, but I would say that it's a shift less on the material chain. It's things that we might not even have spotted if it hadn't been for Vectra AI, so it's difficult to know how we would quantify that as an amount.

What needs improvement?

The false positives and the tuning side of it are some things that could use improvement but that could be from our side. 

I don't want to criticize the product for performance with our role out of it. It does what it says it's going to do very well. We've got issues with the way we've deployed it in some places, but the support we've had in that is very good as well, so I'm very happy with the support we get.

Buyer's Guide
Vectra AI
September 2022
Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
632,779 professionals have used our research since 2012.

For how long have I used the solution?

My company has been using Vectra AI for three years. I've been here for eight or nine months now, but the company has just been using it for three years.

What do I think about the stability of the solution?

We've had absolutely no issues with stability at all.

What do I think about the scalability of the solution?

Scalability is obviously based around the size of the clients that we have. We have had some issues around scalability but that's only because when it was implemented before my time but I know it is scalable. Obviously, we have to put some thought into that, some planning into that from our side, but it is limited on the size of the boxes. To summarize, yes, it is scalable, but it needs planning.

We have four users who use it in my company who are cybersecurity analysts.

Vectra AI is on everything apart from the clouds. Now we're on a journey towards more and more cloud. At least 70% of our company is covered by it. 

We do have plans to increase usage. We want to move to the cloud. 

How are customer service and support?

The support is excellent. We've had really good technical support from Vectra AI all the time. We have very regular catch-ups with them. They always pick the right people to do the calls, and we even have deep-dive sessions with our analysts with them and provide us with training. They've been excellent.

Which solution did I use previously and why did I switch?

We didn't have anything in place before Vectra AI. 

I have used another solution in the past. I used Darktrace where I was before. It compares very favorably with Darktrace. I wouldn't say it was any better or worse.

The UI is quite different, but apart from that, there are obviously slight differences in the analytics behind it, but I'd be struggling to say that one of them was better than the other. They both seem to do what I do well. Vectra AI is a little bit more honest about their capabilities than Darktrace is.

I don't think Vectra AI enables us to answer investigative questions that other solutions are unable to address. I know that there are other solutions that could do it as well. They're as good as everything else out there, but I wouldn't go and say they're massively better. The thing that sells it for me is that the support has been very good. That's one of the bits that keeps me with them.

What was our ROI?

ROI depends on how you quantify that in security. It's really difficult to quantify what you find to a monetary value. We do see a return on investment because it's a good tool that we're using well and it's helping us to keep the company secure. It's really difficult to quantify a monetary value on that or say that you've got return on your investment. I wouldn't want to be without it. You can't put a price on security.

What's my experience with pricing, setup cost, and licensing?

They compare very favorably against the competition in terms of price. Nothing in this area is cheap. There is a lot of value in the products that you're buying, but they have come in at the right price for us in comparison to others. I would say that they're competitive in their pricing.

What other advice do I have?

My advice would be to make sure it is planned and deployed properly. That's a problem with my organization, not a problem with Vectra AI. Otherwise, if you don't build it to the specifications that you were told to, you're going to spend your whole life trying to fix a problem that shouldn't be there. My advice would be the plan and implement as per the plan.

I would rate Vectra AI a nine out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Information Technology Security Engineer II at a mining and metals company with 10,001+ employees
Real User
Helps us focus on higher-level alerts while not bombarding us with alerts on lower-level activities
Pros and Cons
  • "One of the most valuable features is all the correlation that it does using AI and machine learning. An example would be alerting on a host and then alerting on other things, like abnormal behavior, that it has noticed coming from the same host. It's valuable because we're a very lean team."
  • "It does a little bit of packet capture on alert so you can look at the packet capture activity going on, but it doesn't collect a whole lot of data. Sometimes it's only one or two frames, sometimes it does collect more. That's why they have the addition of their Recall platform, because that really does help expand the capability."

What is our primary use case?

We use it as an intrusion detection system to monitor traffic that's going on within our network.

How has it helped my organization?

There was an event that happened before I started here, a ransomware event, and Vectra AI was able to quickly detect and alert on the activity. That greatly reduced the time it took for the company to respond to the incident.

Cognito provides visibility into behaviors across the full life cycle of an attack in the network, beyond just the internet gateway. By detecting everything before the internet gateway, it's able to get a fuller picture of what was going on before the target left the network. It greatly increases our ability to investigate events that occur.

The Vectra product also triages threats and correlates them with compromised host devices. As a result, it helps to reduce the time to respond to incidents.

In addition, it does a really good job of bringing the higher-level alerts to our attention while not bombarding us with alerts on lower-level activities that, I find, we don't usually need to investigate. When I first started using it I was investigating everything and I quickly learned the low-level threats, as shown by their scores, were low for a reason and they really didn't need to be looked at too closely.

I would estimate it has reduced our security analyst workload by around 30 to 40 percent. It has increased our security efficiency and has also reduced the time it takes us to respond to attacks by about 50 percent.

What is most valuable?

One of the most valuable features is all the correlation that it does using AI and machine learning. An example would be alerting on a host and then alerting on other things, like abnormal behavior, that it has noticed coming from the same host. It's valuable because we're a very lean team. It helps reduce workload on our team daily by performing tasks that we don't have to do manually.

It does a really good job of reducing alerts by rolling up numerous alerts to create a single incident or campaign for investigation.

It also does a really good job detecting things. Some things it detects are not really threats, but it is stuff that it should be detecting, even though the behavior, sometimes, isn't malicious.

What needs improvement?

It does a little bit of packet capture on alert so you can look at the packet capture activity going on, but it doesn't collect a whole lot of data. Sometimes it's only one or two frames, sometimes it does collect more. That's why they have the addition of their Recall platform, because that really does help expand the capability.

I would also like to see more documentation or user guides about using the product.

For how long have I used the solution?

I've been using Vectra AI for a little over one year, but it was in place at our location before I started working here.

What do I think about the stability of the solution?

We haven't had any issues other than one power supply failure, but there was a backup power supply and they sent the replacement quickly. Other than that, I haven't seen any issues with stability of the product.

What do I think about the scalability of the solution?

I haven't had any experience in scaling it out beyond what was set up before I started here.

We have about 1,600 employees on site, but I'm not sure how many devices that equates to. Each person has one or more devices. We're scaled out about as far as we can go.

I'm the only person using it directly in our company, as an IT security engineer II.

How are customer service and technical support?

They have very good tech support.

What was our ROI?

Our company definitely saw return on investment when it had the ransomware attack. They were able to stop it quickly. That was definitely a huge savings. Otherise, the company was going to have to shut down production.

What's my experience with pricing, setup cost, and licensing?

I don't really have anything to compare it to, but I would assume the pricing is fair.

I believe they are licensing current devices or hosts. When I was last talking to a rep, we were having to go through a true-up process, but that hasn't started yet.

Which other solutions did I evaluate?

I have thought of evaluating other things, just for evaluation’s sake, but I haven't done so yet.

What other advice do I have?

It's helped me learn how to investigate alerts in a more efficient way.

It also captures network metadata at scale and enriches it with security information. Part of that I was able to witness using a proof of concept for the Cognito Recall platform, which collects all the metadata and then forwards it to an Amazon instance in the cloud. From there you can do a lot of correlation and you can do deep-dives into the data. That was also a really good product, and I would like for us to purchase it, but right now it doesn't look like that's going to happen.

Vectra will alert on activity going to some of our cloud providers, for example Microsoft OneDrive or Teams, but our systems won't really inspect on any type of SSL traffic, and it doesn't provide that much use for external communication that's encrypted. It's something we do not have set up and that's why we're not able to get that full visibility.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Vectra AI
September 2022
Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
632,779 professionals have used our research since 2012.
Director, Information Security at a university with 5,001-10,000 employees
Real User
Its artificial intelligence and machine learning helps us with looking at deviations from the norm
Pros and Cons
  • "The solution provide visibility into behaviors across the full lifecycle of an attack in our network, beyond just the Internet gateway. It makes our security operations much more effective because we are now looking not just at traffic on the border, but we're looking at east-west internal traffic. Now, not only will we see if an exploit kit is being downloaded, but we would be able to see then if that exploit kit was then laterally distributed into our environment."
  • "Some of their integrations with other sources of data, like external threat feeds, took a bit more work than I had hoped to get integrated."

What is our primary use case?

One of the reasons we went with this solution was because there is less that we have to customize; it's more commercial off the shelf. Therefore, my team can spend their time doing what's most beneficial for the university, which is protecting it, not upgrading custom software.

We use it to inspect and look for malicious, abusive, or other types of forbidden behavior with our north-south and east-west traffic. We not only look at traffic from our campus to the Internet, but we look at traffic internally in our network as it does network AI. It not only looks when a specific event happens, but whether, "Is this a normal event? Or is it normal for the host to do that?" 

How has it helped my organization?

The Privileged Account Analytics for detecting issues with privileged accounts is very important because, like any organization, we have people from low-privileged, regular users all the way to administrators who have very high levels of privilege. Therefore, a regular student, on their own machine, may run Coinminer on it, which might be something that the student is experimenting with for higher ed. However, it's a very different use case when a staff user on their work issued machine is running it. Cognito will let us discover that very easily and contextualize it, "Is this really the criticality of an alert or a behavior?" It does this not only for the user, but it also lets us see through the DNS and machine name, whether it's a university asset, etc. Also, you can target those users who have a very high level of access by really enriching your analysis of alerts, such as, "I know that this administrative account does do PowerShell stuff because that's one of the main jobs of that sysadmin." Then, if I see that sort of PowerShell behavior from another account that I wouldn't expect it from, then that's a reason for concern.

The solution captures network metadata at scale and enriches it with security information. This provides us context upfront which helps us prioritize.

The solution provide visibility into behaviors across the full lifecycle of an attack in our network, beyond just the Internet gateway. It makes our security operations much more effective because we are now looking not just at traffic on the border, but we're looking at east-west internal traffic. Now, not only will we see if an exploit kit is being downloaded, but we would be able to see then if that exploit kit was then laterally distributed into our environment.

The solution’s ability to reduce false positives and help us focus on the highest-risk threats is very good. The additional context and ability to take other factors that we can feed into it, like our threat intelligence feed or the user identity, helps with running down whether behaviors are legitimate or pose a big risk. It also helps us eliminate false positives where appropriate, such as some of our system admins running PowerShell in a way that looks very suspicious if you saw it from a regular user.

It has reduced the type of analysis needed to run down and get to the bottom of what's really happening. On the flip side, it doesn't miss as much as a human only or more signature oriented approach would. While I don't want to give a false impression that it's going to result in less work, I think the work that we're doing is more efficient. We can do a lot more to protect, because we're able to react and look at what's important. It may not directly translate into, "Oh, well we spend less time on threat hunting and investigating a suspicious behavior," but we're seeing what we need to look at more effectively.

It's easier to get an analyst up to speed and be effective. The solution has helped move approximately 25 percent of the work from our Tier 2 to Tier 1 analysts.

What is most valuable?

I find the network artificial intelligence and machine learning to be most valuable because we have also significantly increased the amount of traffic that we inspect. This has kind of lowered the burden of creating ways to drink from that fire hose of data. The artificial intelligence and machine learning help bubble up to the top things that we should go look at which are real deviations from the norm.

I would assess the solution’s ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation very highly. Rather than relying on signatures and a human to look if, "Host X has hit these four different signatures," which is probably an indicator of a fairly high confidence that something's not right, the analytics, artificial intelligence, and machine learning in this product tie those events together. It also looks for new events that are out of the ordinary, then gathers those together and tells us to look at specific hosts. This is rather than an analyst having to sift through a bunch of signature hits, and say, "Oh, this host needs to be looked at."

Also, there is a much lower operational burden of maintenance. We used to use open source monitoring tools, which are very good, but they take a lot of work to maintain and leverage. We really like the commercial off the shelf type of approach of the software, not brewing our own.

What needs improvement?

Some of their integrations with other sources of data, like external threat feeds, took a bit more work than I had hoped to get integrated. I think the company has been very responsive, willing to take our feedback, and look at addressing our concerns.

I have asked that they give direct packets capabilities.

For how long have I used the solution?

About a year and a half.

What do I think about the stability of the solution?

It is very stable and easy to maintain compared to the Linux open source solution that we previously used for a long time.

Maintaining the solution isn't even a full FTE, probably more like a quarter. We have to coordinate if we want to get more data into it, as there are some integrations that we do with our threat intelligence feed from our ISAC.

What do I think about the scalability of the solution?

We have talked to several other customers who have much larger environments than ours, so it is very scalable. We have applied it in excess of probably 20,000 devices. We have probably 50,000 to 60,000 active users who might see traffic from it. We have hundreds of thousands in our directory total, but some of those are alumni or adjunct faculty, so they may not be active all the time. We have on order of 700 servers and hundreds of applications. We're not huge, but we're not tiny.

One of the things that is really exciting about partnering with Vectra is they have solutions for the cloud, both Azure and AWS. This will get us that same type of visibility we're getting now with things on our physical campus using cloud services. This is probably where our increased usage will be concentrated on.

How are customer service and technical support?

Vectra's technical support is very good.

Which solution did I use previously and why did I switch?

We switched from an open source solution to Cognito because there was a lower operational maintenance burden and it provided more visibility into our environment. It also has more analysis and initial triage done by the network AI and machine learning.

Vectra enables us to answer investigate questions faster than our open source solutions previously did.

How was the initial setup?

The initial setup was straightforward.

Our initial deployment with north-south and a bit of east-west for our first virtual sensor probably took two to three days at most. 

Long-term, we now have it deployed on every VMware server that is in our environment and it's monitoring probably 500 to 600 inter-server communications (between different servers). That took a little longer because we had to first work with our colleagues here onsite. It wasn't an issue with Vectra. It just took time and we had to arrange some work with internal partners. We did the reference and first setup in a day.

For our implementation strategy, we turned up north-south visibility immediately and brought up a single virtual sensor for our VMware environment. Then, after three months, we revisited it with a team who operates VMware and their servers. We made sure they were comfortable with the resource demands and how well the solution was working. Finally, we were able to have them turn it on for all the VMware servers.

What about the implementation team?

We had very knowledgeable people from the vendor work with our networking group to get the correct traffic to its sensors. This was done remotely/virtually, but it was done very well.

What was our ROI?

Hopefully, this is a sunk cost. We are mitigating risk. We are not expecting to make money on this solution.

The solution has reduced the time it takes us to respond to attacks by approximately 20 percent.

Which other solutions did I evaluate?

We looked at some of Vectra's competitors. We had Snort and also used Bro. We also used Argus and NetFlow collector. Therefore, we looked at what were the products out there that could sort of replicate the things we were doing with a commercial off the shelf product that had artificial intelligence, but not open source.

We looked at Corelight, which was more grow only. We also looked at ExtraHop.

We didn't do a formal RFP with this one. We developed some relationships with the management at Vectra, who really wanted to partner with us. We looked at their technology and other competitors in the area, then decided it was a worthwhile (based on their commitment) for us to work with them.

Usually, I'll go to the Gartner Security & Risk Summits and look around at what different vendors are coming out with. That's a very useful venue for learning about new vendors.

What other advice do I have?

We don't have that big of a cloud presence yet. However, the solution would correlate behaviors in our enterprise network and data centers with behaviors we see in our cloud environment because part of our east-west visibility includes our dedicated connections to cloud instances. If it goes over to our commodity Internet, it should see it there too.

I would rate this solution as an eight point five (out of 10).

All opinions in this review are my own.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Manager, IT Security at a energy/utilities company with 201-500 employees
Real User
Produces actionable data using automation reducing our security team's workload
Pros and Cons
  • "Vectra produces actionable data using automation. That has helped us. It's less manpower now to look at incidents, which has definitely increased efficiency. Right now, in a lot of cases, our mean time to detection is within zero days. This tells me by the time something happened, and we were able to detect it, it was within the same day."
  • "I would like to see a bit more strategic metrics instead of technical data. Information that I could show to my executive management team or board would be valuable."

What is our primary use case?

The Detect platform that we have is on-prem. We have what's called "the brain", then we have sensors placed in different key/strategic areas in the organization. It is helping us do a lot of the monitoring. We also have some SaaS offerings from the Recall platform, which look at some of the metadata, etc. If we were doing things like incident response, it gives us a bit more granular type of information to query. However, the Cognito Detect platform is all on-prem.

We are using the latest version.

How has it helped my organization?

We had a gap where we didn't necessarily have a managed service, which we do today, but at the time we needed something that would help us detect malicious behavior and anomalies within the organization. We found that Vectra solved this. We were able to find issues within minutes or hours of them occurring, then we were able to action them rather quickly.

Some of the metrics that we try to show from an incident response perspective are the effectiveness of our controls, like mean time to detection and mean time to remediate. E.g., mean time to detection shows how quickly the organization detects it from when it first occurred, then determines the remediation aspect as well. We take those numbers and correlate them back to how effective our tools are in our organization. Vectra's really helped in the sense that our mean time to detect is within zero the majority of the time, meaning that from the time we detect it to the time it occurred is within zero days. This promotes how effective our controls are.

When we get an alert, we're not wasting hours or so trying to determine if, "I need to find more logs. I need to correlate the data." We're getting actionable data that we are able to action on right away. I have found value in that.

We can find things quickly that users shouldn't have been doing in the organization. Simple things, e.g., all of a sudden we have a user whose exfiltrating a lot of gigs of data. Why are they doing that? We found value there. My very small team does not have to waste cycles on investigating issues when we get a good sense of exactly what is occurring fairly quickly.

We have the solution’s Privileged Account Analytics. We have seen detection on certain cases, and it's been good. It actually is a good feature. We already have an organizational approach to privileged accounts, so we have seen a few detections on it but haven't necessarily seen abuse of privilege because of the way our organization handles privilege management. We are an organization where users don't run with privilege. Instead, everybody runs with their basic user account access. Only those that need it have privileges, like our IT administrators and a few others, and those people are very few and far between. 

If we are investigating something, we may be investigating user behavior. Using the metadata, we can find exactly, "What are all the sites he's going to? Is he exfiltrating any information? Internally, is he trying to pivot from asset to asset or within network elements?' Using that rich set of information, we can find pretty much anything we need now. 

The solution provide visibility into behaviors across the full lifecycle of an attack in our network, beyond just the internet gateway. It augments what we are doing within the organization now. Being able to discover/find everything that is occurring within the kill chain helps us dive down to find the root of the problem. It's been beneficial to us because that's a gap we've always had in the past. While we may have gotten an alert in a certain area, trying to find exactly where it originated from or how it originated was difficult. Now, by utilizing the information that Vectra produces, we can find exactly what the root cause is, which helps with discovering exactly how it originated in the first place.

With a lot of the detections or things that are happening, I would not say they're necessarily malicious. Where I find it very valuable is that it gives us an opportunity to understand exactly how users are sometimes operating as well as how systems are operating. In a lot of cases, we have had to go back and reconfigure things because, "Oh, this was not done." We realized that maybe systems were not setup correctly. I really liked this aspect of the solution because we don't like false positives. We don't want Vectra to produce things that are just noise, which is something that it doesn't do. 

Vectra produces actionable data using automation. That has helped us. It's less manpower now to look at incidents, which has definitely increased efficiency. Right now, in a lot of cases, our mean time to detection is within zero days. This tells me by the time something happened, and we were able to detect it, it was within the same day.

What is most valuable?

It gives you a risk score of everything that you just found. The quadrant approach is useful because if there are things in the lower-left quadrant, then we don't necessarily need to look at them immediately. However, if there's something with a high impact and high risk score, then we will want to start looking at that right away. We found this very valuable as part of our investigative analysis approach.

The solution’s ability to reduce alerts by rolling up numerous alerts to create a single campaign for investigation is very good. Once it starts adding multiple detections, those are correlated to a campaign. Then, all of a sudden, this will increase the risk score. I've found that approach helps us with understanding exactly what we need to prioritize. I find it very useful.

The amount of metadata that the Recall solution produces is enormous. What we can find from that metadata is exceptional. Once you get to know how to use the tool, it's much simpler and more intuitive to use when finding information than using a traditional SIEM, where you have to build SQL type commands in order to retrieve data. So, I do find it very valuable.

What needs improvement?

I would like to see a bit more strategic metrics instead of technical data. Information that I could show to my executive management team or board would be valuable. 

I would like to see some improvements on the integration aspects of it. They are getting better in this. However, most organizations have a plethora of cybersecurity solutions that they run, and I think that there is a bit more that could be done on the integration side. 

For how long have I used the solution?

About four years.

What do I think about the stability of the solution?

The stability is good. I don't think we've ever had an issue with it at all. I don't think I've ever seen it misbehave, crash, or anything like that.

It is continuously updated. Whenever they release a new patch or updates, they push it to the brain (the centralized management).

What do I think about the scalability of the solution?

We have never seen an issue from a scaling perspective. It is not an issue for us.

We have a team of less than four people. We don't really have a Tier 1 or Tier 2. We just have people working in cyber.

There are areas where we would like to increase our capabilities. We have 100 percent visibility for anything leaving the organization. There are some areas within the organization where we would like to monitor some of the internal workings. One of the places where we are looking to expand is into our OT segment. We do have a path for where we would like to see this go.

How are customer service and technical support?

They are very competent and good. They are always able to solve problems.

Which solution did I use previously and why did I switch?

A few years ago when we were looking at this, we had a gap in the organization. We didn't have like a managed service offering. We had an on-prem SIEM, but we didn't have a large team so we didn't have resources fully dedicated to looking to see threats and correlating them with other event logs to see exactly what was occurring. The reason that we didn't have a managed server previously was cost. Therefore, we looked for alternative ways to solve the gap, lower the resource count, and be able to automate and integrate within our enterprise solutions.

How was the initial setup?

It was pretty straightforward. You can plug the appliances in, whether it is into a switch, router, or some other demarc point from a SPAN port, then you let it learn. That is it. There's nothing really you have to do.

Our deployment took days at most. Once you configure it, you just let the system learn. Usually, within a week, it starts to detect things. For it to be effective, it needs to know what the known baseline is.

You plug it in, let it learn, and it's up and running.

What was our ROI?

We saw ROI within the first six month due to the reduced impact on our staff and we have been deploying it for years. 

Vectra has absolutely reduced security analyst workload in our organization. This was the real thing that we were trying to find: How can we do this? With a small team, it is very hard. We have a small team with a large stock of solutions. Therefore, we were looking for the best way to reduce the amount of manual effort that's required for an individual. We've found Vectra has significantly reduced the workload by probably 200 percent for our staff.

Which other solutions did I evaluate?

We looked at NextGen traffic analysis type of solutions, like Darktrace. Then, we looked at Vectra. I found Vectra was a bit more intuitive. I think both products had some really good offerings. What really helped us make a decision was we were trying to find things that help us produce actionable items. I liked Vectra because the one thing it was trying to do is it was show you exactly what is happening in the kill chain. The whole premise behind it was, "These are things that are actually occurring in your network, and they're following a specific pattern." I really liked it because in my view it was very actionable and automated.

I don't want to have to spend cycles on things on unnecessary things. One thing I found with Darktrace was it produces a lot of good things, but it's too much in certain cases. Whereas, I like the way Vectra tells you exactly the things that are happening right now in your network, then groups it based on exactly what the type is, providing you a risk score.

Also, it did seem like it was like a resource built into a box with AI capabilities. I found that the amount of effort we have to spend on analysis from it is a low cost to us. Vectra just fit in well with my team mandate.

I found Darktrace was a bit more noisier than Vectra. Sometimes, when you deal with products like this, the noise is time and effort that you may not necessarily have.

Once we started to do the PoCs, we ran Vectra in certain use cases with the sense of, "Okay, let us know exactly what's kind of going on within the network." What we found in a lot of cases is, and these weren't just cybersecurity incidents that were occurring, and Vectra gave us a good sense of how a lot of our solutions were operating. We ended up finding out, "This is exactly what this solution may be doing. Maybe there is a misconfiguration here or there."

What other advice do I have?

There was no complexity with Vectra; it is very simplistic. However, for the tool to be effective, you want to make sure that you place your sensors in appropriate places. Other than that, you let the tool run and do its thing. There's really no overhead.

I would probably rate it as a nine or 10 (out of 10). We have been extremely happy with the solution. It's been one of the best solutions we have in our enterprise. I would put it at the top of the list.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
John Vicencio - PeerSpot reviewer
Cyber Specialist, Forensics at Richemont
Real User
Makes it much easier for us, as analysts, to engage with and visualize incidents, increasing our efficiency
Pros and Cons
  • "It gives you access, with Recall, to instant visibility into your network through something like a SIEM solution. For us, being able to correlate all of this network data without having to manage it, has provided immediate value. It gives us the ability to really work on the stuff where I and my team have expertise, instead of having to manage a SIEM solution..."
  • "Some of the customization could be improved. Everything is provided for you as an easy solution to use, but working with it and doing specific development could be worked on a bit more in the scope of an incident response team."

What is our primary use case?

We have two use cases. The first is that Vectra's platform allows us to get visibility into anomalous behavior, which, previously, we never really had access to, for threat hunting and incident response. We use it in support of our incident response operations to help supplement our investigations on hosts. We use it to correlate any suspicious activities, which is something that Vectra has been extremely accurate in, when used the right way. 

The second use case is that we've used the Vectra Cognito Recall and Cognito Stream devices. With these integrations, it's given us instant visibility into all the network data as well. That enables us to conduct our own hunts on our network data, data you'd see on a security information and event management (SIEM) solution. It also gives us the ability to correlate with our playbooks because it gives us access to the data itself in much more depth and detail.

How has it helped my organization?

The solution captures network metadata at scale and enriches it with security information. We store metadata for three months. Just to be able to scale the amount of information that we collect on the networks is a problem in itself. We have our SIEM solution that collects all of these logs. Making sure these logs are still sending, that these devices are still sending to our main SIEM, are issues. For Vectra AI, even with three months of retention, with the environment we have, we have never had issues accessing this network data. On top of that, if there are any issues, the support team is amazing in providing feedback and fixing them.

It has actually increased our security analyst workload, but in a good way. It has reduced the amount of stuff that we used to look at, and has allowed us to re-approach our C-CERT from signature-based detections to more behavioral-based detections. It has reduced the amount of boring work and work that is on the host, to more thought-provoking work based on behavioral data. We're now able to approach our C-CERT from a risk perspective and a numbers perspective.

It has reduced that boring work drastically and it reduces the time to investigate incidents in general. While it has definitely added a bunch of incidents for us to look at, it has reduced the workload of how we work those incidents. It makes them not only much easier to engage with and easier to visualize, but also enables us, as analysts, to work in a much more efficient and simple way.

Vectra has also helped move work from our Tier 2 to our Tier 1 analysts. Eighty percent of our Tier 1 analysts are doing Tier 2 work.

Finally, the solution has reduced the time it takes us to respond to attacks. It has gone from on the order of hours to less than 10 minutes to 30 minutes.

What is most valuable?

The most valuable features are Cognito Recall and Cognito Detect.

I didn't think Vectra AI actually provided this functionality, but essentially it gives you access, with Recall, to instant visibility into your network through something like a SIEM solution. For us, being able to correlate all of this network data without having to manage it, has provided immediate value. It gives us the ability to really work on the stuff where I and my team have expertise, instead of having to manage a SIEM solution, as that is a whole undertaking in itself. It has expedited all our investigations and hunting activities because it's all there and available, and they manage it.

We use their Privileged Account Analytics for detecting issues with privileged accounts. Given that we're a global company with over 35,000 machines, the machine learning-type of analysis or visibility into baselining behavior in privileged accounts in the environment is something Vectra does amazingly. It's amazing the visibility that I get. Not only is it providing a baseline to understand the behaviors of how IT, for example, is acting globally and in all these different regions, but it also gives me an ability to get much more granular and understand more of the high-risk behaviors, rather than the behaviors that we expect from IT. Usually, malware attackers and normal IT activities look the same. It's about discerning what's outside of baseline, and Vectra does this amazingly, incorporating not only the account privileges but the context of what these accounts are doing on hosts, on top of that.

The solution also provides visibility into behaviors across the full life cycle of an attack, visibility into the attacker kill-chain. I personally do red-team testing and threat hunting and, in addition to the detections which Vectra has already caught, it's been able to outline a full attack from an external red team that came in and tested with us. Not only did it show exactly what they did, but it was even able to provide a profile of the type of behavior that this exhibited, which was an external actor. In my own attacks that I've conducted on the network, it's been able to detect everything and properly align it in a kill-chain fashion. That is extremely helpful in investigations because it helps align the host data a little bit when you have visibility of the network in such a way.

Vectra also triages threats and correlates them with compromised host devices.

What needs improvement?

Some of the customization could be improved. Everything is provided for you as an easy solution to use, but working with it and doing specific development could be worked on a bit more in the scope of an incident response team. In my opinion, it's built as a solution for everything, instead of it being part of a bunch of other tools.

For example, we have a source solution which will orchestrate the ability for us to use a host EDR and the ability for us to use Vectra. We see Vectra from a purely network standpoint. Therefore, we don't want it to be the incident manager where we have to fill in specific things to be fixed. We think the integration with source solutions could be better. It tries to treat itself as an incident resolution platform.

For how long have I used the solution?

I have been using Vectra AI for three to four years.

What do I think about the stability of the solution?

It has never crashed. It's always working. And they always resolve any issue before you can act. They'll alert you of an issue and then they'll report that it's fixed. They're very proactive.

What do I think about the scalability of the solution?

In terms of instant access to the data and scalability, we've never seen issues with the platform at all. We use it everywhere, across all our regions across over 35,000 devices. We have plans to increase usage of the solution and the capacity.

We have less than 10 people working with the solution and they're all C-CERT incident responders and investigators. And we have one person, a C-CERT specialist, for maintenance of the solution but he is barely doing that anymore because they have a support team that helps alert us to any issues.

How are customer service and technical support?

I've found that Vectra in general, away from the platform, has been extremely helpful and given me any support that I need on investigations or in trying to reduce the amount of noise. They have allowed me to do this, but it requires a lot of work upfront.

How was the initial setup?

Looking back at the setup now, it was straightforward because of the support that they provided. I'm not sure how long the overall deployment took but it may have taken a couple of months.

We had to install specific brains in multiple regions. We were given instructions on where to install specific network nodes and sensors to be able to collect information where the brains were located. All of this configuration was provided directly from them. They sent the devices over to our data centers along with documentation to support the devices.

What was our ROI?

We have definitely seen return on our investment (ROI). While our analysts are working on "more" incidents, the efficiency of the way they're working, due to the way that Vectra has broken down its platform and its data, has exponentially decreased the response times to incidents. It has also trained them indirectly because with the story-lining, the way that it creates these detections, analysts receive them and pick them up much quicker than they would in a normal security class.

Which other solutions did I evaluate?

We evaluated other options. I wasn't the person who decided on Vectra AI at the time, but we were looking at Darktrace and other machine learning-type solutions.

Vectra fit the niche of what we needed, from the perspective of the former C-CERT manager. Also the feedback we got from their team and the support we've had with them really pushed us to work with them. They were very collaborative and we believed in what they were doing when they initially started working with us all those years ago.

What other advice do I have?

My advice would be to really utilize the support and collaborate with Vectra. The solution requires heavy usage and customization to your environment. They provide the guidelines and you just have to be able to fill in the specifics. If you don't do that, it's not an effective tool. It is a really hands-on tool.

Vectra has done a really good job of giving you visibility into the type of behavior into which you want visibility. But reducing the number of alerts really depends more on the analyst who is operating it and working with it.

As for its ability to reduce false positives and help us focus on the highest-risk threats, the term "false positive," especially in this scope of machine learning, doesn't seem to me to apply. Vectra gives you visibility into what you want to see. It gives us visibility into the exact behaviors which we sometimes have issues trying to create detections for on the host. And on the network it's collected and brought it all together. We get really good visibility into all of the risky behaviors. Vectra provides the whole context, on the network, of what it sees in terms of a risky behavior and provides a story with it.

In comparison to some of the other tools that I've come across in this category, I would definitely give it a 10 out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Sr. Specialist - Enterprise Security at a mining and metals company with 5,001-10,000 employees
Real User
Scoring and correlation really help in focusing our security operations on critical issues
Pros and Cons
  • "The solution's ability to reduce alerts, by rolling up numerous alerts to create a single incident or campaign, helps in that it collapses all the events to a particular host, or a particular detection to a set of hosts. So it doesn't generate too many alerts. By and large, whatever alerts it generates are actionable, and actionable within the day."
  • "One thing which I have found where there could be improvement is with regard to the architecture, a little bit: how the brains and sensors function. It needs more flexibility with regard to the brain. If there were some flexibility in that regard, that would be helpful, because changing the mode of the brain is complex. In some cases, the change is permanent. You cannot revert it."

What is our primary use case?

Our main intention was to see what type of visibility, in terms of detections, Vectra could give us. 

We use it on both our manufacturing perimeter and at the internet perimeter. That's where we have placed the devices. We have placed it across four sites, two in UAE and two outside UAE.

How has it helped my organization?

What we have seen over the course of the three to four months it has been in place is that it has not found anything bad. That's good news because nothing specific has happened. But we have identified a lot of misconfigurations as well as some information on how applications are working, which was not known earlier. The misconfigurations that became known because of Vectra have been corrected.

It has given us the opportunity to understand some of the applications better than we had understood them before because some of the detections required triage and, while triaging, or in that investigation, we found how applications work. That is one of the main benefits.

We did a red team penetration exercise and almost all the pen activities were picked up by Vectra. That is another big benefit that we have seen through the deployment of the device.

Apart from the network traffic, a lot of the privileged accounts get monitored. It focuses on the service, the machine, and the account. We have seen many of the privileged accounts flagged with alerts whenever they're doing any activity which they do not normally do. We can see that it is the admin accounts or our support team accounts where the activity is happening. It is important because any privileged access which sees increased activity becomes a cause for suspicion. It's something that we need to be watchful for. It's a very useful feature because a privileged account can propagate more easily than an account that is not privileged.

These are all examples of the kind of information which is of great value, information that we didn't have earlier.

The detections, as well as the host ratings, allow us to focus in cases where we are pressured for time and need to do something immediately. We can focus on the critical and high hosts, or on the detections that have a very high score. If you do a good job in the rules and policy configuration, the alerts are not too numerous. A person can easily focus on all the alerts. But as of now we focus on the critical, high, and medium. The scoring and the correlation really help in focusing the security operations.

While I wouldn't say Vectra AI has reduced our security analyst's workload, it allows him to focus. It's a new tool and it's an additional tool. It's not like we implemented this tool and removed another one. It doesn't necessarily reduce his total time, but what it definitely does is it allows him to prioritize more quickly. Previously, he would be looking at all the other tools that we have. Here, it allows him to focus so things of serious concern can be targeted much faster and earlier. The existing tools remain. But Vectra is something to help give more visibility and focus. In that sense, it saves his time. Vectra is very good for automated threat-hunting, so you get to pick out things faster. All the other tools give you a volume of data and you have to do the threat-hunting manually.

Also, the technical expertise required to do the hunting part is much less now, because the tool does it for you. I wouldn't say that it has moved work from tier 2 to tier 1, but both of them can use their time and efforts for resolving problems rather than searching for actual threats. You cannot do away with tier 2 people, but they can have a more focused approach, and the tier 1 people can do less. It reduces the work involved in all their jobs.

In addition, it has definitely increased our security efficiency. The red team exercise is a very clear-cut example of how efficiency has been enhanced, because none of the other tools picked these things up. Vectra was the only tool that did.

It makes our workforce more efficient, and makes them target the actual threats, and prioritizes their efforts and attention. Whether that eventually leads to needing fewer people is a different question. Quantifying it into a manpower piece is probably more an HR issue. But improved efficiency is definitely what it provides. If I needed three or four tier 2 people before, I can manage with one or two now.

And Vectra has definitely reduced the time it takes us to respond to attacks. It's a significant reduction in time. In some cases, the key aspect is that, more than saving time, it detects things which other tools don't. It helps us find things before they actually cause damage. The other tools are more reactive. If your IPS and your signatures are getting hit, then you're already targeted. What Vectra achieves is that it alerts us at the initial phase, during the pre-damage phase. During the red team exercise we had, it alerted us at their initial recon phase, before they actually did anything. So more than saving time, it helps prevent an attack.

What is most valuable?

The solution's ability to reduce alerts, by rolling up numerous alerts to create a single incident or campaign, helps in that it collapses all the events to a particular host, or a particular detection to a set of hosts. So it doesn't generate too many alerts. By and large, whatever alerts it generates are actionable, and actionable within the day. With the triaging, things are improving more and more because, once we identify and investigate and determine that something is normal, or that it is a misconfiguration and we correct it, in either of these two instances, gradually the number of alerts is dropping. Recently, some new features have been introduced in the newer versions, like the Kerberos ticketing feature. That, obviously, has led to an initial spike in the number of tickets because that feature was not there. It was introduced less than a month back. Otherwise, the tickets have been decreasing, and almost all the tickets that it generates need investigation. It has very rarely been the situation that a ticket has been raised and we found that it was not unique information.

Also, we have seen a lot of detections that are not related to the network. Where we have gained extra value in terms of the internet is during data exfiltration and suspicious domains access.

The detections focus on the host, and the host's score is dependent on how many detections it triggers. We have seen with many of our probing tools, without triaging, that these hosts pretty quickly come into the high-threat quadrant. Its intelligence comes from identifying vulnerable hosts along with the triaging part. That's something that we have seen.

What needs improvement?

One thing which I have found where there could be improvement is with regard to the architecture, a little bit: how the brains and sensors function. It needs more flexibility with regard to the brain. If there were some flexibility in that regard, that would be helpful, because changing the mode of the brain is complex. In some cases, the change is permanent. You cannot revert it. I would like to see greater flexibility in doing HA without having to buy more boxes just to do it.

Another area they could, perhaps, look at is with OT (operational technology) specifically. Vectra is very specific to IT-related threats. It really doesn't have OT in its focus. We are using another tool for that, but maybe that is another area they can consider venturing into.

It's being used by my team of four or five people. Once we hand it over to operations, then the team size will increase significantly. It will grow to about 10 to 15 people.

For how long have I used the solution?

We have been using Vectra AI four about four months.

What do I think about the stability of the solution?

Stability-wise, we've not had any issues, although it has only been three or four months. We had some slight bugs in there, bugs that were related to the triaging and how we used the conditions. But stability-wise, we've had no problem. 

There were some software issues, bugs, but then nothing major. There were minor cosmetic and syntax-based issues while raising the conditions. Apart from that, no issues with the stability.

What do I think about the scalability of the solution?

Currently we are in the process of expanding it to two more remote sites. One is in West Africa, in Guinea, and another one in the U.S. Those are more recent deployments, in place less than a month. We are in the process of creating the policies, and triaging, and investigations for those. That's ongoing. With those sites, the benefit realization is still pending because we just started the traffic loading.

The scalability part is where the architecture comes in. That's one of the areas for improvement that I would like to recommend. Unless you have dedicated brains doing anything other than brain functions, it doesn't become scalable. If you have a brain in mixed mode, your scalability is limited. Also, the brain's capacity gets reduced based on its function, so if it's in mixed mode, the capacity is less. If it's in brain mode, the capacity is more. If it's in sensor mode, the capacity is different. It makes scalability difficult. Unless you go for two big brains with your highest capacity device and then you keep adding.

When I spoke to our internal success team at Vectra, they mentioned that this is something that they're planning to fix in the near future with an upgrade.

How are customer service and technical support?

Whenever we have raised issues we have gotten timely responses. Getting support is fairly easy compared to some of the other technologies that we have. A simple email is sufficient to get attention from their support team. They have a remote access feature wherein we don't necessarily have to give a WebEx. We just simply enable the remote access on the device, and the remote team can log in, and have a look, and understand what the problem is.

How was the initial setup?

The problem was the architecture. Once we arrived at an architecture, it was simple. What takes time is to build the architecture plan because of the way the brains work. We had to agree on a design. Once you agree on the architecture, the implementation is pretty straightforward.

The initial architecture design took some time, a week or so. The implementation was done within a day.

Our implementation strategy was to have an HA setup for each site. We put two brains into mixed mode, but then we found out that if we put it in mixed mode, HA is not possible. So we set it up as a standby and we configured manual scripts to transfer the file from one brain to the other brain. That's how we are managing it now. If we want to go live on the standby brain, we just import the configuration and go live, if there is a failure.

It's a little bit manual process for us. If it has to be automated, I believe the brains cannot be in mixed mode. That was where we faced the initial problem, I mean, for the architecture part. So we have two brains configured in mixed mode and we have a couple of sensors on the OT side, sensors that are talking to these brains. The sensors are there in the OT connectivity, the active or standby firewalls, and this is repeated on the other site as well.

Two or three people are enough for the deployment. They should have a sound understanding of the network and an idea of how the architecture and the applications function. One person from the architecture team and one person from the network or security team are sufficient to understand how to get maximum utilization from Vectra.

What was our ROI?

In terms of visibility and security improvement, we have definitely seen a return on our investment.

What's my experience with pricing, setup cost, and licensing?

We have a one-year subscription that covers support and everything. There is no other overhead.

Which other solutions did I evaluate?

We evaluated Darktrace, in addition to Vectra, each in a PoC. We chose Vectra because the things that Vectra picked up were far more useful, and necessary from an enterprise point of view. Darktrace was a bit noisier.

What other advice do I have?

One thing we have learned using Vectra is that anomaly detection is a critical component of security; a non-signature-based technology is very critical. It helps pick up things that other tools, which are more focused on active threats, will miss. That is one major lesson that we have picked up from Vectra.

My advice would be that you need to focus, because the licensing is based heavily on IPs and area of coverage, although predominantly IPs. You need to have a very clear idea of what areas you want to cover, and plan according to that. Full coverage, sometimes, may not be practical because, since it's a detection tool, covering everything for large organizations is complicated. Focus on critical areas first, and then expand later on.

Also, the architecture part needs to be discussed and finalized early on, because there is a limited flexibility, depending on which model you choose to take.

The solution captures network metadata at scale and enriches it with security information, but the full realization of that will come with Cognito Stream, which we have yet to implement. Right now we are on Cognito Detect. Cognito Stream is something that we are working on implementing, hopefully within the next month or so. Once that comes online, the enriched metadata will have greater value. As of now, the value is there and it's inside Vectra, but we don't see that information — such as Kerberos tokens, or certificates, or what the encryption is — unless it leads to a detection. Only in that event do we currently see that information.

The Cognito Stream can feed into our SIEM and then we will have rich information about all the metadata which Vectra has in our data lake.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Global Security Operations Manager at a manufacturing company with 5,001-10,000 employees
Real User
Aggregates information on a host and host basis so you can look at individual detections and how they occur over time
Pros and Cons
  • "One of the most valuable features of the platform is its ability to provide you with aggregated risk scores based on impact and certainty of threats being detected. This is both applied to individual and host detections. This is important because it enables us to use this platform to prioritize the most likely imminent threats. So, it reduces alert fatigue follow ups for security operation center analysts. It also provides us with an ability to prioritize limited resources."
  • "You are always limited with visibility on the host due to the fact that it is a network based tool. It gives you visibility on certain elements of the attack path, but it doesn't necessarily give you visibility on everything. Specifically, the initial intrusion side of things that doesn't necessarily see the initial compromise. It doesn't see stuff that goes on the host, such as where scripts are run. Even though you are seeing traffic, it doesn't necessarily see the malicious payload. Therefore, it's very difficult for it to identify these type of host-driven complex attacks."

What is our primary use case?

We use Vectra with the assumption that our other defensive controls are not working. We rely on it to be able to detect anomalous activities on our network and trigger investigation activities. It's a line of detection assuming that a breach occurred or has been successful in some way. That's our primary use case.

We have it in some of other use cases, like anomalous network activity and detection for things. E.g., we are trying to refine or improve suspicious internal behaviours because we are a development technology company. We have developers doing suspicious things all the time. Therefore, we use it to help us identify when they are not behaving correctly and improve our best practices.

We have it predominantly on-prem, which is a combination of physical and virtual sensors. We also have a very minor element on the cloud where we are trialing a couple of components that are not fully deployed. For the cloud deployment, we are using Azure.

We are on the latest version of Cognito.

How has it helped my organization?

We have a limited use of Vectra Privileged Account Analytics for detecting issues with privileged accounts at the moment. That is primarily due to the fact that our identity management solution is going through a process of improving our privileged account management process, so we are getting a lot of false positives in that area. Once our privilege account management infrastructure is fully in place and live, then we will be taking on more privileged account detections and live SOC detections to investigate. However, at the moment, it has limited applicability.

We have a lot of technically capable people with privilege who are able to do things they should or should not be able to do, as they're not subject-matter experts when it comes to things like security. They may make a decision to implement or download a piece of software, implement a script, or do something that gets the job done for them. However, this opens us up to major security risk. These are the types of activities that the tool has been able to identify, enabling us to improve communication with those individuals or teams so they improve their business process to a more secure or best practice approach. This is a good example of how the solution has enabled us to identify when people are engaging in legitimate risky activities, and we're able to identify and engage with them to reduce risk within the network.

It has enabled our security analysts to have more time to look at other tools. We have many tools in place, and Vectra is just one of them. Their priority will always be to deal with intrusion attempt type of alerts, such as malware compromise or misuse of credentials. Vectra was able to simplify the process of starting a threat hunting or investigation activity on an anomaly. Previously, we weren't able to do this because the amount of alerts and volume of data were just too large. Within our security operations, they can now review large volumes of data that provide us with indicators of compromise or anomalous behaviour. 

By reducing false positives, we are able to take on more procedures and processes. We have about seven different tools providing alerts and reporting to the SOC at any one time. These range from network-based to host-based to internet-based alerts and detections. We are more capable to cover the whole spectrum of our tooling. Previously, we were only able to deal with a smaller subset due to the sheer workload. 

In some regards, I find that Vectra probably create more investigative questions. E.g., we need to find answers from other solutions. So, it is raising more questions than it is specifically answering. However, without Vectra, we wouldn't know the questions to ask in the first place. We wouldn't know what anomalies were occurring on our network.

Vectra data provides us with an element of enrichment for other detections. For example, if we see a detection going onto a single host, we could then look at that activity in Vectra to see whether there are suspicious detections occurring. This would give us the high percentage of confidence that the compromise was more severe than a normal malware alert, e.g., destructive malware or commander control malware enabling someone to pivot horizontally across the network. Vectra provides us with that insight. This enables us to build up an enriched view quickly.

What is most valuable?

One of the most valuable features of the platform is its ability to provide you with aggregated risk scores based on impact and certainty of threats being detected. This is both applied to individual and host detections. This is important because it enables us to use this platform to prioritize the most likely imminent threats. So, it reduces alert fatigue follow ups for security operation center analysts. It also provides us with an ability to prioritize limited resources.

It aggregates information on a host and host basis so you can look at individual detections and how they are occurring over time. Then, you can have a look at the host scores too. One of the useful elements of that is it is able to aggregate scores together to give you a realistic view of the current risk that the host plays in your network. It also ages out detections over time. Then, if that host is not been seeing doing anything else that fits into suspicious detection, it will reduce its risk score and fall off of the quadrant where you are monitoring critical content for hosts that you're trying to detect. 

When you are analyzing and triaging detections and looking for detection patterns, you are able to create filters and triage detections out. Then, in the future, those types of business usual or expected network behaviours don't create false positive triggers which would then impact risk scores. 

Without the detection activities that come from Vectra, we wouldn't have been able to identify the true cause of an event's severity by relying on other tools. This would have slipped under the radar or taken a dedicated analyst days to look for it. Whereas, Vectra can aggregate the risk of multiple detections, and we are able to identify and find them within a couple of hours. 

What needs improvement?

You are always limited with visibility on the host due to the fact that it is a network based tool. It gives you visibility on certain elements of the attack path, but it doesn't necessarily give you visibility on everything. Specifically, the initial intrusion side of things that doesn't necessarily see the initial compromise. It doesn't see stuff that goes on the host, such as where scripts are run. Even though you are seeing traffic, it doesn't necessarily see the malicious payload. Therefore, it's very difficult for it to identify these type of host-driven complex attacks.

It only shows us a view of suspicious behaviours. It doesn't show us a view of key or regularly attacked company targets. This could be because we don't have one of the other tools or products that Vectra provides, such as Stream or Recall. 

My challenge with the detection alerting platform, Cognito, is it tells us this host is behaving suspiciously and is targeting these other machines, but it won't give you a view when a host is the target of multiple attacks. This because you may have a key assets, such as domain controllers or configuration management servers. These are key assets which may get targeted. If you're a savvy attacker, you spread out your attack across multiple sources to try and hide them across the network. That is where the solution falls a bit short. It is trying to build that chain of relationships across detections and also trying to show detections from a perspective of a victim rather than the perspective of an attacker. I have expressed these concerns to Vectra and they are currently in as feature requests.

There is another feature in place which takes additional data feeds, such as DHCP IP allocation data. Their inputs are taken from Windows event logs, and that's the format they have in place. They use that to provide them with a more accurate view of host identities. If you are only relying on IP addresses, and IP addresses change over time, it's sometimes very difficult to show a consistent view of a system behaviour over time, as the IP can change per month. Unfortunately, because their DHCP data is taken from Windows host events and our DHCP data is taken from a Palo Alto system that generates the IP leasing, the formats are incompatible. I think taking different formats for that type of data is something else we have a feature request in for. At the moment, we don't have an accurate view, or confidence, that they are resolving when an IP address changes from host to host. So, we may be missing an accurate view of risk on some of those hosts. 

We also have the same problem with VPN and Citrix. E.g., if you're on the network and on IP address A, then you come in via the VPN, you're now on IP address B. Thus, if you're spreading your suspicious behaviour across both the internal network and VPN, then across Citrix, we don't get to join all that information up. They are seen as three different systems, so it causes a bit of a problem trying to correlate that type of event data.

For how long have I used the solution?

If you include the proof of concept, I have been using Vectra for three years.

What do I think about the stability of the solution?

There are no concerns regarding the stability. It seems to be very reliable. I've had one sensor in two and a half years become corrupt and need to be rebuilt. That's it.

Day-to-day maintenance takes half an FTE to one FTE a day. There is no maintenance really required on the platform. All we need to do is monitor for when a health alarm occurs (a sensor is not working), then we raise the relevant request with the teams to investigate. Maintaining the health of the platform requires a feed into our operations team to be able to look at our monitor to determine when the health is degrading. Doing general health, like detection filters, triage filters, reviewing, looking for patterns and anomalies, and creating new filters, needs a daily dedicated FTE.

What do I think about the scalability of the solution?

The scalability is brilliant. It is able to cope with virtual sensors. You can increase the hardware that supports the image and it will work with the high bandwidth of the data going through. There are no concerns in terms of the scalability.

It does create capture network data at scale because we have it deployed at over a 100 geographically split sites. We have over 8000 users on cloud. So, it's able to deal with the network traffic very easily, providing us with additional information. If we were just relying on things like firewalls and packet capture applications, we wouldn't get to that enrichment of a security context put on top of normal network traffic. 

Mainly, there are five people dedicated to using the platform: Tier 2 security analysts and an operations director. However, that is widen out to whomever we are raising the support requirements to, like the Tier 3s. When raised, we also enable the shared link so they can go into the platform and look at the data associated with the detection on that host. So, there is a wider volume of people who use the solution to get information for specifically requested cases. 

How are customer service and technical support?

The technical support is very good. They always respond within a short amount of time to provide expert information and have always been helpful in trying to work through problems to find a good solution.

Which solution did I use previously and why did I switch?

Previously, we had a general sensor solution taking logs. We didn't have an equivalent detection platform for our network nor did we have a tool capable of providing us with competent intrusion detection capabilities post-breach. Our main SIEM logging platform was generating over a 1000 alerts a day. It was bloated and unusable when trying to identify events/anomalies that were occurring. Once we implemented Vectra, it was able to give us a refined view and tell us which things we need to prioritize so we were able to reduce our workload from a 1000 alerts a day down to 10.

How was the initial setup?

The initial setup was relatively straightforward. It was pretty much plug and play.

The initial pilot deployment took weeks, but that was because the scope kept on changing. However, the initial deployment only took hours. 

It has not helped us move work from our Tier 2 to Tier 1 analysts, but this is a fault in our implementation. The structure of our organization hasn't necessarily changed. We don't have Tier 1 security analysts. Therefore, we don't have the capacity or capability for them to deal with these types of detections. We have to leave our Vectra detection and activities with our Tier 2s.

We now have an implementation strategy. We have virtualized sensors in most locations rather than physical sensors. We only have physical sensors in the areas where there is high bandwidth traffic, such as key internal data centers. The virtual centers for local offices are sufficient for the volume of traffic there. We only deploy in areas that are key risks. We also only deploy and monitor network zones which are of significant risk, so we don't monitor our guest WiFi subnet nor do we monitor our development network subnets. Therefore, we keep our segregated networks and zoning structure consistent so we are able to only monitor for priority areas.

What about the implementation team?

Vectra had an engineer come down. They plugged the device in and set it up. Since the firewall rules were already in place, it was working.

Assuming the firewall rules are already in place for the physical sensor, it needs one person plugging it in and putting it into a rack. If it is a virtual sensor, then it is just somebody who can deploy the virtual image onto the virtual infrastructure and switch it on. It takes two dedicated people to deploy. If you have a network team and a server team, then you will need one of each of those skill sets to be able to deploy the tool. It all depends on how your organization is structured.

What was our ROI?

It has increased our security efficiency because we can now do more with the tool. E.g., if we had a data analyst who was creating models and searching the data to identify the same types of the numbers/behaviours within Vectra, we would need at least two or three FTEs.

Vectra has reduced the time it takes us to respond to attacks. In 2019, we conducted a red team activity. The Vectra appliance was able to alert the red team on activity within three hours of the test starting. Prior tests to that, in real life or red team scenarios, we were potentially looking at days. However, we also tightened controls prior to that testing period. While Vectra has done an amazing job in reducing the time to respond, there are so many other things that we also have put in place which have contributed towards it.

Vectra has saved us weeks, if not months, in terms of the ability to identify a breach. Our process has been reduced down to hours, which is a potentially massive return on investment, if we were compromised. From an insurance perspective, the return investment is fantastic. 

From an FTE perspective, while it reduces the number of events that we have to look up and the number of alerts, we now have very specific things where we need to ask questions. Therefore, it's creating more work which we weren't capable of doing. 

What's my experience with pricing, setup cost, and licensing?

At the time of purchase, we found the pricing acceptable. We had an urgency to get something in place because we had a minor breach that occurred at the tail end of 2016 to the beginning of 2017. This indicated we had a lack of ability to detect things on the network. Hence, why we moved quickly to get into the tool in place. We found things like Bitcoin mining and botnets which we closed quickly. In that regard, it was worth the money. Three years later, the license is now due for renewal so we will need to review it and see how competitive it is versus other solutions.

When we implemented the physical sensors, there were costs for support in terms of detection review sessions. We had a monthly session where an analyst would talk through the content, types of detections that they were seeing, etc. 

We have a desire to increase our use. However, it all comes down to budget. It's a very expensive tool that is very difficult to prove business support for. We would like to have two separate networks. We have our corporate network and PCI network, which is segregated due to payment processing. We don't have it for deployed in the PCI network. It would be good to have it fully deployed there to provide us with additional monitoring and control, but the cost associated with their licensing model makes it prohibitively expensive to deploy.

Which other solutions did I evaluate?

We did review the marketplace and look around. For example, we looked online at Darktrace, but we didn't run a side by side comparison to see which one would work better.

Vectra was the only tool in which we did a physical pilot or proof of concept. Vectra stood out for its simplicity and the general confidence that I had with the people whom I was engaging and having conversations with at that time. I am very much a people person. If I talk to people and don't get the impression they know what they're talking about, then that will reduce my confidence in their product. E.g., our initial engagement with Darktrace wasn't good enough to provide confidence in their platform, and we had to move quickly.

What other advice do I have?

Make sure you have a dedicated resource committed to daily use of the tool. Because the selling point is it frees up your time, reducing the amount of time you need to spend on it so you don't have to commit resources. Then, you find yourself in an implementation two years later and you don't have committed resources who use it daily or are committed to it full-time. This means you don't maintain things like the triad rules and filters. Even though the sales material says it makes it easier and reduces alert fatigue, it doesn't give more time. You still need to have a dedicated resource to operate the tool, which we never committed at the beginning.

Having an established mature team structure is really important as well. Making sure people are aware of their role and how their role fits into the use of the tool is key. Whereas, we were building a security operation center (SOC) at the same time that we took on the tool, so our analyst activities have evolved around the incorporation of the tool into the organization and it's not necessarily a mature approach.

I would rate this solution as an eight (out of 10).

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
Real User
Reduces the times between an alert and a ticket coming up
Pros and Cons
  • "It is doing some artificial intelligence. If it sees a server doing a lot of things, then it will assume that is normal. So, it is looking for anomalous behavior, things that are out of context which helps us reduce time. Therefore, we don't have to look in all the logs. We just wait for Vectra to say, "This one is behaving strange," then we can investigate that part."
  • "We would like to see more information with the syslogs. The syslogs that they send to our SIEM are a bit short compared to what you can see. It would be helpful if they send us more data that we can incorporate into our SIEM, then can correlate with other events."

What is our primary use case?

The original use case was because we had some legacy stuff that doesn't do encryption at rest. Compliancy-wise, we had to put in some additional mitigating actions to protect it. That was the start of it. Then, we extended it to check other devices/servers within our network as well.

We are on the latest version.

How has it helped my organization?

It is doing some artificial intelligence. If it sees a server doing a lot of things, then it will assume that is normal. So, it is looking for anomalous behavior, things that are out of context which helps us reduce time. Therefore, we don't have to look in all the logs. We just wait for Vectra to say, "This one is behaving strange," then we can investigate that part.

We have implemented it fully now. We have done some training and filtering on it. Now, every alert that we see means that we need to investigate. It sees roughly 300 events a day. The majority are normal behavior for our company. So, there are about 10 to 15 events a day that we need to investigate.

The solution triages threats and correlates them with compromised host devices. It looks at a certain IP address, and if you're doing something strange, then it will give us an alert. E.g., normally John Doe is logged into it for four days, going to server XYZ. If all of a sudden, it's in a different timescale, going to server B, then it will send us an alert.

We have privileged accounts. They have a specific names, and if I see those names, then I investigate a bit more thoroughly. That's our policy. I don't know whether Vectra does anything different with them.

The solution gives us more tickets. If we did not have Vectra, we wouldn't have those tickets. So, it's actually increasing them. However, it is improving our security with a minimum amount of work. That's the whole purpose of the device. We have 10 to 15 events that we need to look into a day, and that is doable.

The solution creates more work for us, but it is work that we are supposed to do. We need more FTEs because we need more security.

What is most valuable?

We mainly use it for the detection types, checking dark IPS or command-and-control traffic. 

We bought Recall so we can have more information. Recall is an addition onto Vectra. We haven't enabled Recall yet, but we will. So, if there is an incident, we can investigate it a bit further with Vectra devices before going into other tools and servers. This gives us the metadata for network traffic. So, if we have a detection, we can check with Recall what other traffic we are seeing from that device, if there is anything else. It's mainly a quick and dirty way of looking at it and getting some extra information to see whether it's malicious.

We found that the solution captures network metadata at scale and enriches it with security information. This is one of the reasons why we added Recall, so the alert gives us information on where we need to look, then we can investigate a bit further. For example, a certain device is sending data to command-and-control server, then we can investigate whether that is really happening or just a false alarm with the metadata in Recall. It makes it easier to find out.

What needs improvement?

We would like to see more information with the syslogs. The syslogs that they send to our SIEM are a bit short compared to what you can see. It would be helpful if they send us more data that we can incorporate into our SIEM, then can correlate with other events. We have mentioned this to Vectra.

It does some things that I find strange, which might be the artificial intelligence. E.g., sometimes you have a username for a device, then it makes another. It detects the same device with another name, and that's strange behavior. This is one of the things that we have with Vectra support at the moment, because the solution is seeing the device twice. 

For how long have I used the solution?

We started the pilot roughly a year ago. So, we started small with a pilot on part of the systems, then with two other vendors. Afterwards, we decided to buy it.

Now, it's almost in production. It's still a project in the end phase, as we are still implementing it. But, most of it has been running for a year.

What do I think about the stability of the solution?

So far, the stability has been good. There are no issues. It's never been down. It has been updating automatically on a regular basis and there are no issues with that where it has stopped working.

One person will be responsible for the deployment, maintenance, and physical upkeep; a person from the service delivery team will keep the device up and running. The security analysts (my team) deal with the alerts and filtering.

What do I think about the scalability of the solution?

The part that we designed is not really scalable. They have options, and there is some room for improvement. If we need to scale up, which we have no intention of doing, then the physical devices need to be swapped over for a bigger one. Other than that, we have some leeway. This came up in the design with, "What are your requirements?" and those requirements have been met, so that's fine. They will probably be met for the foreseeable future.

At the moment, we don't have Tier 1 and Tier 2. Instead, we have a small team who does everything. I am mostly using it. There will be three security analysts. Then, we have a number of information security officers (ISOs) who will have a read-only role, where they can see alerts to keep an eye on them, if they want, and be able to view the logging and see if they need more information. But, there are three people who will be working with Vectra alerts.

How are customer service and technical support?

We are in contact with the Vectra service desk. If you send them ideas, they talk about them and see if they can incorporate them.

Which solution did I use previously and why did I switch?

We decided that we wanted to have an alert within 30 minutes, which is doable with this solution. It fulfills our needs. However, we didn't have this before, so it has increased our time, but for things we need to do.

How was the initial setup?

The initial setup is relatively straightforward. They have security on a high level. There are a lot of logins with passwords and very long passwords. This made it go a bit longer. However, the implementation is relatively easy compared to other devices.

We made a design. That's what we implemented.

What about the implementation team?

Initially, it was set up in conjunction with Vectra. When we put it into production, the majority was done by me, then checked by a Vectra engineer. If I had issues, I just contacted Vectra support and they guided me through the rest of it.

The Vectra team is nice and helpful. The service desk is fast. They know what they are doing, so I have no complaints on that part. We have a customer service person who knows about our environment and can ask in-depth questions. He came over as well for the implementation to check it, and that was fine. The work was well done.

What was our ROI?

The solution has reduced the time it takes us to respond to attacks. It sends an email to our SIEM solution. From that SIEM solution, we get emails and tickets. Therefore, the time between an alert coming up and a ticket is reduced. This is for tickets that we monitor regularly. Within 15 to 20 minutes, it gives us an alert for the things that we want. Thus, it has greatly reduced our measurable baseline.

The return of investment is we have tested it so sometimes we have auditors who do pen tests and see them. That's the goal. It seems to be working. We haven't found any actual hackers yet, so I'm not completely a 100 percent certain. However, we found auditors who are trying to do pen tests, which essentially the same thing.

What's my experience with pricing, setup cost, and licensing?

The license is based on the concurrent IP addresses that it's investigating. We have 9,800 to 10,000 IP addresses. 

There are additional features that can be purchased in addition to the standard licensing fee, such as Cognito Recall and Stream. We have purchased these, but have not implemented them yet. They are part of the licensing agreement.

Which other solutions did I evaluate?

We investigated Darktrace, Vectra, and Cisco Stealthwatch.

Darktrace and Vectra plus Recall were similar in my opinion. Darktrace was a bit more expensive and complex. Vectra has a very nice, clean web GUI. It easier to understand and cheaper, which is one of the main reasons why we chose Vectra over Darktrace.

Darktrace and Vectra are very different, but eventually for what we wanted it to do, they almost did the same thing. Because Darktrace was a bit more expensive, it was a financial decision in the end.

I did the comparison between Darktrace and Vectra. They did almost the same thing. Sometimes, there are differences that Darktrace did detect and Vectra didn't. For the majority, we didn't find any actual hackers. So, it's all false positives, eventually. Both of them are very similar. The big thing is the hacker activity. They both detected it in the same way. But, in the details, they were different.

The options for Stealthwatch were a bit limited in our opinion for what we wanted it to do. Stealthwatch is network data, and that's it.

What other advice do I have?

Start small and simple. Work with the Vectra support team.

The solution’s ability to reduce false positives and help us focus on the highest-risk threats is the tricky part because we are still doing the filtering. The things it sees are out of the ordinary and anomalous. In our company, we have a lot of anomalous behavior, so it's not the tool. Vectra is doing what it's supposed to do, but we need to figure out whether that anomalous behavior is normal for our company. 

The majority of the findings are misconfigurations of servers and applications. That's the majority of things that I'm investigating at the moment. These are not security risks, but need to be addressed. We have more of those than I expected, which is good, but not part of my job. While it's good that Vectra detects misconfiguratons, there are not our primary goal.

The solution is an eight (out of 10). 

We don't investigate our cloud at the moment.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Head of Information Security at a insurance company with 1,001-5,000 employees
Real User
Gives us that extra chance to stop a disaster before it happens
Pros and Cons
  • "One of the key advantages for us is we define a 24/7 service around it. We use far more of Vectra alerts than we do with our SIEM product because we understand that when we get an alert from Vectra we actually need to do something about it."
  • "The solution has not reduced the security analyst workload in our organization because we still need to SIEM. Unfortunately, while Vectra, for us, is a brilliant tool for network investigations, giving wonderful visibility, it doesn't go the whole way to replace our SIEM that is needed for compliance. So, I still have the same amount of alerting and logging that I did before. It gives us more defined ability to see incidents, but it doesn't give us enough information to satisfy a PCI or 27001 audit."

What is our primary use case?

One of the biggest things is the visibility of stopping or identifying any infection as soon as possible. In this case, if someone downloads something malicious to their workstation, we have a number of controls in place. However, it wasn't so much the endpoint. It was the spreading of a worm type scenario or a WannaCry type thing. Anything that could potentially spread after the initial infection, which is where we wanted to come in and get that visibility.

It was key for us to have something that we could use for identifying as soon as possible, which would be call center initiated. That was probably our biggest thing: To push it in that direction, as we're a regulated company from the FCA. They drive us continually for improvement and behavioral analysis. Network analysis sort of falls into that bucket.

We already have a SIEM, which some people would argue gives us a lot of that visibility. It doesn't tend to give it the focus that we need. From Vectra, we get a lot of alerts of, "This is happening," or, "This is unusual." This is a lot easier than waiting for a couple of logs to come in, then a bit of AI logic at the back of it to potentially push it in that direction. It's very much for us to get a view of a potential attack, then deal with it as quickly as possible. To pinpoint where it's coming from, and where it is going to go.

One of the biggest things that I wanted to ensure is that it covered our call centers because that is where I see my biggest risk. So, I was really key on getting sensors across all geographic locations within the UK and in all of our small communication rooms.

It is all on-premise. We have a number of call centers spread around the UK. We look at all east-west traffic, as well as north-south. It all goes into our brain in our data center. We do have some branches out in Azure, but we're waiting on the new plugin that they are trying to develop. We are just starting in on our cloud journey and most of our infrastructure is in still private cloud. We haven't really gotten to the point where we have public cloud.

We're up-to-date, but I don't know the exact version number that we are on.

How has it helped my organization?

The key improvement for us were:

  1. The additional monitoring 24/7, and using the high fidelity alerting from Vectra rather than SIEM, This was our biggest change. We have managed to leverage that rather more than our SIEM, which just throws out loads of spam. 
  2. The FCA requirements to build on behavior monitoring.
  3. The use case of the call center with its high turnaround of staff who are perhaps not as clued in or engaged in our user awareness program as they could be. 
  4. Lack of end user deployment is another big improvement. We wanted something that was easy to deploy, or get up and running really quickly. It took a couple of weeks to rid of the alerts that we didn't want, but the actual involvement from the network teams was minimal, which was really good for us because we just don't have the resource to spend a lot of time trying to configure devices.

We use the solution’s Privileged Account Analytics for detecting issues with privileged accounts. Although I haven't seen a huge amount of alerts. We have a quarterly QBR, and they mentioned it the day before the QBR and noticed an alert pop up.

One of the key things for us is we have an annual pen test (an internal one), that's not as involved as a full red team. But, it's enough for the pen test to sit with the SOC guys, then we put the different tool sets together, what they're doing, and how that reacts to our Vectra,  SIEM, and endpoint AV. To see what picks up where, so it gives us an ability to check those tool sets that we have.

From a Vectra point, it will pick up a number of different things. But, it will also miss a number of different things. That's how pen testers work. They work covertly. So, it's really good for us to see what we can do and what we can't. Then, that feedback goes back to Vectra. We say, "Okay, well why didn't we pick up this?" They'll come up with a reason or they'll take it away and find something out about it. That's really good and a nice part of the service. We get to check to make sure the tool sets are working, but we also provide feedback and they're very open to that type of feedback.

I believe the solution has increased our security efficiency. It's hard to prove without having a direct attack. But, I get challenged about ransomware from my board, to say, "How do we defend against ransomware?" That's a big topic. One of the key things was when Vectra went in, it saw a developer run a script, which essentially changed the names for a number of files and put a different extension on, but they were doing some development type work. That's how their script ran, and it identified that as ransomware, which is a great thing to say. 

Although there was no encryption or malice involved, it did create new files, rename files, and delete old files, which essentially is what ransomware does anyway. It followed the same sort of logic to it,  I can report that back. "We do have some protection. It wouldn't stop it. But we could limit the amount of damage that it may do." 

I don't know about other companies, but I get the feeling most people look to identify rather than block. We're not a high-end bank. We are not going to stop people working. We're going to investigate what they're trying to do. That's just our risk appetite. We have to work. Unless it's absolutely 100 percent, we won't stop them. We would just look at it afterwards. So, all our alerting, we don't have any orchestration at the back of it to say, "Okay, if this happens, then I'm going to play that port in a firewall or I'm going to drop that from there." We won't do that. Humans will all be part of that process. We'll get a call, then we will make a crisis management team decision, etc. That's how we operate.

If, for instance, our AV doesn't pick it up. I think that is where Vectra will come in. So, if somebody gets infected and maybe hasn't picked it up. That's where, if that worm spread and our endpoint signatures weren't up-to-date, they went into zero day, and nobody knew about it. Vectra would give us that opportunity. It would potentially give us something that would say, "Well, this is not normal. This machine does not communicate with all these other machines like it is now." That's where we see it coming in. It gives us that extra chance to stop a disaster before it happens, or at least limit the amount of potential output of damage that that an incident can do.

Zero days are always very difficult. If the AV vendor doesn't know about it, it's not going to be able to tell me about it, stop it, quarantine it, or do anything. Having a tool set like this, which monitors network traffic for anomalies, it gives us that chance. I can't say that it definitely will pick it up, but there's another opportunity for us to reduce the amount of damage that can be done.

What is most valuable?

It gives us the point of where something is happening, which is the key thing for us. (I know that there is a back-end recall, which probably gives a lot more data, but we don't use that.) We then leverage our SIEM product to provide us logs from those specific sources that it's talking about, giving us that information. It is the accuracy of: It is happening here and on this particular host, then it's going to here to this particular host. It's that focus which is probably the most advantageous to us.

The logic behind Vectra's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation grows with severity, as there are additional alerts around that particular host. This is a useful feature rather than spamming alerts. But, we've never really had an issue with a lot of alerts. We really do triage our alerts quite well and have a good understanding of what does what. 

One of the key advantages for us is we define a 24/7 service around it. We use far more of Vectra alerts than we do with our SIEM product because we understand that when we get an alert from Vectra we actually need to do something about it. You can't really say you don't get false positives, as the action has happened. It's whether we consider that action as a concern rather than a SIEM that sort of gives you a bit of an idea of, "That may be something you're interested in." Whereas, Vectra says, "This has happened. Is this something you would consider normal?" I think that's the bit that we like. It just says, "Is this normal behavior or isn't this normal?" Then, it's up to us to define whether that is or isn't, which we like. 

The solution provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just the internet gateway, because we do east-west traffic. So, it looks at the entire chain across there. We're fortunate enough not to be in a position that we've seen a meaningful attack. When we do have pen testers come in, we can see quite clearly how they pick traffic up and how it develops from a small or medium alert to go to higher severity, then how it adds all those events together to give more visibility. 

The solution does a reasonable job of prioritizing threats and correlating them with compromised host devices. We use that as how we react to it, so we leverage their rating system. We are reasonably comfortable with it. At the end of the day, we actually spend a lot of time and effort to tweak it. It's never going to be right for every company because it depends on what your priorities are within the company, but we do leverage what they provide. If it is a high, we will treat it as a high, and we will have SLAs around that. If it's a low, we'll be less concerned, and the events that come out pretty much lead to that. The events that we see and the type of activity going on, it makes sense why it's a low, medium, or high. Just because a techie has done a port scan, that doesn't mean we need to run around shouting, "Who has done this?"

When we originally put it in, it was really quite interesting to see. Picking up the activities from the admin user and what they were doing, then going, "By the way, why have you done that?" Then looking at a scan and going, "Well, how did you know that?" So, it's sort of cool to pick up that type of stuff. We tend to trust what it tells us.

What needs improvement?

Room for improvement depends on how their strategy and roadmap develops, as they have a lot of third-parties that they integrate with, e.g., more orchestration around what alerts and what to do with afterwards. They don't pretend to be working in that space. That is a third-party type activity.

There are always the little things that they could do a bit better, like grouping or triage filters. Clearly, they've taken that onboard and developed those over the course of the last 18 months to two years to put these additional functions in. My guys are constantly saying, "Oh, it'd be useful to do this and useful to do that."

The solution has not reduced the security analyst workload in our organization because we still need to SIEM. Unfortunately, while Vectra, for us, is a brilliant tool for network investigations, giving wonderful visibility, it doesn't go the whole way to replace our SIEM that is needed for compliance. So, I still have the same amount of alerting and logging that I did before. It gives us more defined ability to see incidents, but it doesn't give us enough information to satisfy a PCI or 27001 audit. 

For how long have I used the solution?

I have been using this solution for about two years.

What do I think about the stability of the solution?

Interestingly enough, when we first got Vectra, we had a number of problems with it. The guys were all over the solution trying to fix it. It turned out to be a hardware issue. I think they ended up changing their supplier. They just ripped everything out and put a load of new equipment in. This was identified about three months after it being here. 

These things happen. There's not a lot you can do about it. However, they were really good and didn't make any excuses, apart from, "It can only be the hardware," which it was. Once they put the new hardware in, everything went really well.

Very few people are required for maintenance. We just generally run the alerts now. I have a guy spend probably less than an hour a day, maybe less than that, putting out fires and alerts. Then we investigate that, depending on its severity. The actual hardware maintenance is nothing. We'll just keep an eye on it or get an alert if an interface has gone down.

What do I think about the scalability of the solution?

One of the biggest things that we wanted to implement was something that was easy to do. Our problem, as well as I'm sure a number of other companies, is the amount of resources to install these new technologies, then how the resource center operates and uses these technologies. It's great having all these additional add-ons here, there and everywhere, but my team is quite small. So, it had to be quite easy. It has to be quite focused. Hence, we went with Vectra.

At the moment, we have a hardware brain and are not near the limit of that. To go from that, I think Vectra was looking at some sort of applied solution, but it would then be a change. So, we're down to limitations of the hardware. I always say, "If we bought a massive company, we would probably have to redesign and architect the solution." At the moment, they made sure that we have some growing room. 

Our purchase was a one time thing for the entire company, otherwise we would be leaving ourselves exposed. Just this week, I took a Vectra device up to a new company that we purchased and stuck it in there. It is really that simple. We'll probably end up with a bit of traffic because we will see a lot of new servers and workstations that we have to do triage around.

We have probably 3,500 to 4,000 users across the UK. My team is quite small. I have a couple of guys who are cyber-related.

How are customer service and technical support?

The technical support is brilliant and really responsive. That is probably down to the fact that they are a small company. Their guys respond instantly, normally within the day that they have somebody online and having a look at it, or they're putting it away and the communication is excellent. They will say, "Okay, we'll put it back to the developers," and then they give us updates, which is really efficient.

Vectra is growing at the moment. They support us very well. They do seem to rely on key people. Would my service be the same if they got rid of our technical manager? I don't know. They are a small, close family team, which is really good. Whether that would change when it's a few key people left, I don't know. But I know they are growing as a company as well, so let's hope they scale it in proportion to their customer base. Only time will tell. Other companies I've got at the moment grew too quickly in the services and service suffered as a part of that.

Which solution did I use previously and why did I switch?

It isn't a tool set to replace a current tool set. It's just an additional feature. For me, it has only increased our workload, but that's because we had nothing there before.

We did not previously have a network monitoring solution. We have a toolset that does event log monitoring, but nothing across the network itself. I think we have basic flow visiblity, and the network team use that. However, there is no real way of investigating individual network packets, then using them for anything in particular.

How was the initial setup?

The initial setup was easy. We have multiple sites, so we had to go around and travel to different sites. However, the actual brain was conifgured in a few hours. Once it was up, it was up. The network guys did nothing after that point. My guys probably spent a couple of days, over the course of a month just tweaking it. Then, it gradually goes down as we get a new server pop up, which might add a bit of additional alerting. Once we get a handle on that, then it comes down to something really quite manageable.

The priority for us was to get the main call center up and running at the start. We needed the brain up and do the implementation to see the east-west traffic in our call center. Then, we brought on additional sites, depending on the size around the UK, as we monitored it. 

What about the implementation team?

We used the Vectra guys for the implementation. Our technical engineer came in, going into the data centers with our network engineer (or remotely), then set it up.

For the actual deployment within the data center and around the sites, just two people were needed one form each company. After that, it was the configuration of the alerting which took one of the SOC guys suing Vectra for reference.

They provide us a health check and provide us with recommendations on what we need to do every quarter, which is perfect. There is nobody else who does that. That is probably part of the advantage of being a smaller company. 

Once every quarter, they'll put health and safety in, and say, "Alright, these are the new functions. This is what you need to turn on. That's not quite working. Those haven't fired. You might want to look at removing those." This is really good to see, because I get a lot of vendors, who once they've sold you a technology, they don't really care. They go, "Yep, there you go." They don't look at what you installed, how you've installed it, provide any recommendations, or look at how it's performing. 

This provides me the assurance my SOC guys are doing a good job, we are on top of any changes and the assurance we are getting the most of the solution.

Vectra has pretty much forced this upon us, which is really good because everyone is very busy. Before you know it, the months turn to years and disappear. 

What was our ROI?

ROI is a difficult one for security tools. You can argue that if you don't see anything where you did investment, this is the reason to have good security tools: not to have an incident. You only really know when bad things happen, and you're in the middle of it. Otherwise, it's doing what it needs to do to stop or identify an issue in the first place.

What's my experience with pricing, setup cost, and licensing?

We are running at about 90,000 pounds per year. The solution is a licensed cost. The hardware that they gave us was pretty much next to nothing. It is the license that we're paying for. I think if we outgrow our current hardware, then we will have a look at bigger hardware or some sort of distribution. I'm sure they have a number of different options for larger companies. I don't see that being a major issue for us in the next three to five years.

We don't have complete visibility because we don't have all of that metadata surrounding it. Sometimes there might be more metadata before, it might be something afterwards, or there might be something missing, but we accept that because we don't have the funds to pay for the additional functionality that it can provide its a trade off.

Which other solutions did I evaluate?

When we started off, apart from money, we had to look at behavioral analysis. We weren't sure where we wanted to go with the solution, whether we wanted to look at the endpoint or network. So, after a RFI, to define which direction we wanted to go, we thought that we would go down the network analysis route.

Because we have call centers, there is normally a high turnover of staff. The jobs themselves are quite intense and people move around quite a lot, it was key for us to get some visibility in what those guys are doing. We thought, "Although we do a lot of user awareness and logging, this is probably where our weakest link is." It was a case of somebody potentially clicking on a malicious link, some sort of phishing attack which was probably, or is probably, going to cause us the most pain.

We looked at Darktrace and there was another option that dropped out. So, we looked at the main players in that area. We decided on the behavior analysis for network, then we took the top three: Vectra, Darktrace, and another solution. 

It came down to Darktrace and Vectra. Darktrace looked much prettier than Vectra, unfortunately the support that we'd heard about and reviews that we read, led to, "Here's the new tool set. Off you go". This is what we didn't want. We wanted somebody to hold our hand, then give us the support we needed to ensure we get the best out of the tool set.

It obviously comes down to price as well and we feel we picked the best product that fitted us. We did quite a lot of due diligence on both. I went to different places that got both installed and got references from both. I firmly believe that both products would have done the job well. However, the support from Vectra along with their customers' references to say how good it was, I think we made made the right decision.


What other advice do I have?

People do a lot more than we actually see. Looking at the test and development guys, sometimes they do things that they don't understand. So, they will do it because it works. The actual things that are behind the scenes are the sort of things that happen, and they don't really understand. If there's something that's really complicated, they're people that have initiated it that don't really know what it is. That is always a problem, because in our sort of company, we have a lot of developers who are doing a lot of coding and things like that, but they're not 100 percent on all the other things that they affect, such as the supporting applications underneath it. 

They are making a change on one particular app, but it's using the other apps underneath it to develop that and push that across to something else. All these extra, different steps that they are completely oblivious to where we go, "Actually, you've just done this." They go, "Well, I don't know, I just ran the script over here. I don't know why that would happen." But, it'll do a LDAP lookup or connect to a share. Those are the sort of things that you get a lot of visibility from people who don't understand. So, that can become tricky. That's pretty much par for the course for a lot of security tool sets. Where you have a couple of people who know one particular aspect, but don't really understand everything that's going on. To be fair, IT is a big area. You can't expect everyone to know everything of everything, not when you're not working in a massive IT structure, and the security team is a small department.

You need to be quite key on your business case and what you're expecting from it. Be 100 percent sure on your use cases. It's an excellent tool. It doesn't create a huge amount of overhead, but it is a tool that you need to keep on top of. The more you keep on top of it and get it right at the start, the easier it will make your life going forward. Don't just stick it in, then leave it to whirl away as a lot of people do. You have to spend that bit of extra time, and it's not huge amount of time, and leverage other teams. 

The way they do their customer success is really good. There's nothing bad that I've got to say apart from the costs, but nothing's free, is it?

It has to be up there with my favorite security tool set at the moment. I am quite lean on scores, but the solution is definitely nine (out of 10). If I look at all my other security tool sets, this is the one that my guys value the most.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free Vectra AI Report and get advice and tips from experienced pros sharing their opinions.
Updated: September 2022
Buyer's Guide
Download our free Vectra AI Report and get advice and tips from experienced pros sharing their opinions.