Revolutionizing Network Detection and Response with Vectra AI

Table of Contents

  1. Differentiating Ourselves in the Space of Network Detection and Response
  2. Unique Ways of Detecting Adversarial Behavior on a Network
  3. How We Bring Our Solution to Bear to Solve Problems
  4. Understanding Privilege Within an Environment
  5. Vectra's Passive Observing of Network Traffic and Learning Privilege
  6. How We Build Our Detection Models
  7. Examples of Detections That We Can Fire Out of the Box
  8. Flexible Topology
  9. Vectra UI

Vectra AI: Differentiating Ourselves in the Space of Network Detection and Response

Vectra AI brings purpose-built AI and ML to network detection and response (NDR). We are not using AI and ML as buzzwords: the models exist to uncover attacker and adversarial behavior on a network, and we do this in a number of ways that set us apart from other solutions in the market.

Unique Ways of Detecting Adversarial Behavior on a Network

One way we differentiate ourselves is that we do not require any signatures to be loaded in order to produce the detections that surface in our solution. We also do not require that you install any kind of agent on your endpoints to observe these behaviors and surface these detections. Nor do we require that you decrypt your network traffic, which creates its own data-spillage issues; the detections are derived from the metadata of the connections rather than from their payload, so we can provide highly effective network detections without decrypting any traffic. Lastly, we can run in fully air-gapped environments: there is no requirement to call back to a cloud brain or cloud processing capability for any of these capabilities.

How We Bring Our Solution to Bear to Solve Problems

We bring our solution to bear on a problem many organizations are trying to address by building a next-generation zero trust network. Collapsing everything down to a least-privilege access model, for users as well as for hosts and services, is hard. Paper architectures are good at showing notionally what this might look like, but once you layer them onto today's operational processes and procedures, and bolt everything down to the point where things simply stop working, it becomes clear that a different approach is needed.

Vectra's passive observation of network traffic, and the privilege and access it learns for both users and hosts, can help accelerate that journey, which for most organizations is a five- to ten-year-plus undertaking. We do this by showing that users may be granted a certain amount of privilege but routinely exercise only a subset of it. If we can map out who actually has the capability to do what before we start tightening the bolts on that privilege, we can make sure we are not breaking mission-critical access that particular individuals, servers or services need. It is very much a journey, and Vectra can be one part of an organization's toolset for approaching this problem.

Understanding Privilege Within an Environment

Understanding privilege within an environment matters for two reasons. If you are concerned about insider threat, someone with legitimate access may misuse the systems they have been granted access to. And when credentials have been stolen, a bad actor is working within the network under the persona, and with the access, of the individual whose credentials were taken. The untrained models that learn within an environment are also continuously forgetting: they do not settle on a fixed picture of "normal" that an adversary or malicious insider can slowly blend into amid the ordinary goings-on of the network. To advance their access and presence, the attacker has to follow an almost archetypal set of behaviors, and that is what Vectra is focused on uncovering.
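The two preceding sections describe learning privilege by observation: comparing what an account has been granted with what it actually exercises on the wire, inside a trailing window so that stale usage is forgotten. The following is an added illustration of that idea and is not Vectra's code or its models; the grant table, the access events and the 30-day window are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from a real environment): what each account
# has been granted, as (host, service) pairs.
GRANTED = {
    "alice": {("fileserver01", "smb"), ("db01", "mssql"),
              ("jump01", "rdp"), ("dc01", "ldap")},
    "svc-backup": {("fileserver01", "smb"), ("db01", "mssql"), ("dc01", "ldap")},
}

# Constructed access observations, as a sensor might derive them from
# authentication/session metadata: (timestamp, account, host, service).
OBSERVED = [
    ("2024-03-01T09:00:00", "alice", "fileserver01", "smb"),
    ("2024-03-02T09:05:00", "alice", "fileserver01", "smb"),
    ("2024-03-03T09:02:00", "alice", "dc01", "ldap"),
    ("2024-03-10T02:00:00", "svc-backup", "fileserver01", "smb"),
    ("2024-03-11T02:00:00", "svc-backup", "fileserver01", "smb"),
    ("2024-01-15T10:00:00", "alice", "db01", "mssql"),        # stale: outside window
    ("2024-03-12T03:14:00", "svc-backup", "jump01", "rdp"),   # exercised without a grant
]

WINDOW = timedelta(days=30)  # assumed forgetting horizon for this example


def observed_privilege(events, now, window=WINDOW):
    """Map each account to the (host, service) pairs it exercised within the
    trailing window. Older observations are forgotten, so the picture reflects
    current behaviour rather than everything ever seen."""
    cutoff = now - window
    used = defaultdict(set)
    for ts, account, host, service in events:
        if datetime.fromisoformat(ts) >= cutoff:
            used[account].add((host, service))
    return used


def privilege_report(granted, events, now, window=WINDOW):
    """For each account report privilege granted but unused in the window
    (candidates for tightening before bolting down least privilege) and
    privilege exercised without any grant (something to investigate)."""
    used = observed_privilege(events, now, window)
    report = {}
    for account in set(granted) | set(used):
        g = granted.get(account, set())
        u = used.get(account, set())
        report[account] = {
            "unused_grants": sorted(g - u),
            "used_without_grant": sorted(u - g),
        }
    return report


if __name__ == "__main__":
    for account, r in privilege_report(GRANTED, OBSERVED, datetime(2024, 3, 15)).items():
        print(account, r)
```

Run as-is, the report shows that alice has exercised only two of her four grants in the window (her January database access has been forgotten), and that svc-backup reached a jump host over RDP that it was never granted. The first list is what you would review before tightening; the second is what you would investigate.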

Vectra's Passive Observing of Network Traffic and Learning Privilege

Vectra is a sensor-and-brain topology. We hang our sensors off taps, SPAN ports or packet-broker aggregators. The sensors capture raw network traffic, enrich the metadata extracted from it, and forward that metadata to a brain. Within the brain, Vectra's patented AI and ML algorithms, a combination of trained and untrained models (75-plus at the most recent count), interrogate and track all of that network metadata. Every piece of observed metadata is fed through all of the models, so we do not miss a particular type of signal the way a predefined handful of generic algorithms would. The trained models are suited to uncovering behaviors that follow a known attacker pattern; the untrained models have been built specifically around the concept of understanding privilege within an environment.

How We Build Our Detection Models

We build our detection models by analyzing attacker TTPs and the countermeasures one would need in order to address those known attacker behaviors. Rather than using a handful of generic algorithms, we analyze the raw attacker behaviors, mapped back to MITRE ATT&CK and D3FEND, that adversaries have to carry out once they have established a presence within a network. We are not focused on the initial method of compromise, and we are not using signatures of any kind; the models are built around the post-compromise behaviors themselves.

Examples of Detections That We Can Fire Out of the Box

Out of the box we can fire a range of detections. One example is adversarial command and control (C2): we detect real attacker C2 without decrypting the traffic, analyzing it across more than 22 dimensions to give you real confidence that the signal is actionable. Another is suspicious sign-on, for example an account that has pivoted from an on-premises environment into an M365 environment.
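To make concrete what "detecting C2 without decrypting" can mean in practice, here is an added example that is not Vectra's code and does not reproduce its 22 dimensions: it scores only three metadata dimensions of each source/destination pair (session count, regularity of inter-session timing, regularity of bytes sent), which is enough to separate a tightly periodic beacon from ordinary browsing. The flow records and the thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict

BASE_TS = 1_700_000_000  # arbitrary epoch start for the constructed data


def _beacon(src, dst, port, period, jitter_pattern, size):
    """Build a constructed beacon: one session per period with small timing
    jitter and a near-constant request size."""
    return [(BASE_TS + i * period + j, src, dst, port, size + (i % 2) * 4)
            for i, j in enumerate(jitter_pattern)]


# Constructed flow metadata (not real traffic). Each record is
# (epoch seconds, source host, destination, destination port, bytes sent);
# nothing about the payload is used.
FLOWS = (
    # Tight 60-second beacon, a few bytes of size variation
    _beacon("ws-042", "203.0.113.7", 443, 60,
            [0, 1, -1, 2, 0, -2, 1, 0, 1, -1, 0, 2], 512)
    # Ordinary browsing: irregular gaps, wildly different sizes
    + [(BASE_TS + t, "ws-042", "198.51.100.20", 443, b)
       for t, b in [(0, 4300), (7, 120000), (9, 880), (95, 51000),
                    (400, 2300), (2600, 9000), (2700, 60), (5200, 31000)]]
    # Too few sessions to judge at all
    + [(BASE_TS, "ws-042", "192.0.2.9", 443, 300),
       (BASE_TS + 600, "ws-042", "192.0.2.9", 443, 300)]
)


def beacon_features(flows):
    """Per (src, dst, port): session count, mean interval, interval
    coefficient of variation (timing regularity) and byte-size coefficient
    of variation (payload-size regularity). Pairs with fewer than three
    sessions are skipped because regularity cannot be measured."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        by_pair[(src, dst, port)].append((ts, nbytes))
    feats = {}
    for key, recs in by_pair.items():
        recs.sort()
        if len(recs) < 3:
            continue
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        mean_int, mean_size = statistics.mean(intervals), statistics.mean(sizes)
        if mean_int == 0 or mean_size == 0:
            continue  # degenerate: identical timestamps or empty sessions
        feats[key] = {
            "sessions": len(recs),
            "mean_interval": mean_int,
            "interval_cv": statistics.pstdev(intervals) / mean_int,
            "size_cv": statistics.pstdev(sizes) / mean_size,
        }
    return feats


def suspected_beacons(flows, min_sessions=8, max_interval_cv=0.2, max_size_cv=0.2):
    """Flag pairs whose sessions are both regularly timed and uniformly
    sized. Thresholds are assumptions for this example, not tuned values."""
    return sorted(
        key for key, f in beacon_features(flows).items()
        if f["sessions"] >= min_sessions
        and f["interval_cv"] <= max_interval_cv
        and f["size_cv"] <= max_size_cv
    )


if __name__ == "__main__":
    for key, f in beacon_features(FLOWS).items():
        print(key, {k: round(v, 3) for k, v in f.items()})
    print("suspected:", suspected_beacons(FLOWS))
```

Requiring several independent dimensions to agree is what keeps the false-positive rate down: a software-update check is periodic but its response sizes vary, and a chatty browser tab is irregular in both. Real products add many more dimensions (destination reputation, session duration, asymmetry of bytes in and out, and so on) for exactly that reason.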

Flexible Topology

Our topology is flexible. Many sensors can feed a single brain, as any combination of physical and virtual appliances at both the sensor and the brain. We protect not only on-premises assets, from a user-account, host and service perspective, but also cloud workloads, and we can even track detections on wholly air-gapped embedded weapon systems: if traffic passes through an entry point where a Vectra sensor is placed, we can observe it and extract the enriched metadata.

Vectra UI

When someone logs into the Vectra UI, we might be monitoring 100,000 hosts, but we surface only what we view, with a high level of confidence, as actionable detections; anything beneath that line is opportunistic hunting. Detections are plotted against a threat score and a certainty score, and the detected behaviors are aggregated per user and per host to give a unified score for each account and each host. We stitch these entities together over time so you get a robust view of what a host looks like; similarly, we track users and their observed privileges over time and contextualize the behaviors associated with each.
