AI Security

How Vectra AI works

Vectra has spent more than 10 years researching and developing a cutting-edge technology called Attack Signal Intelligence™. Unlike other approaches, Vectra's AI analyzes and prioritizes the most critical threats tailored to each individual customer's environment.

By understanding attacker behavior and patterns, Vectra reduces unnecessary alerts and focuses on the true positives. This gives security analysts the ability to effectively hunt, investigate, and stop attacks before they become breaches. In the following sections, we will explore the scope and development process of Vectra's technology, including how it collects and generates detections, correlates events into actionable incidents, and handles real attacks with two specific examples.

Developing ML Algorithms for Threat Detection

Vectra's detection system is specifically designed to find attackers and their methods in action, rather than just detecting unusual anomalies. Our team of security researchers and data scientists, drawn from diverse backgrounds, has a deep understanding of extracting valuable insights from complex data sets. With over ten years of experience, we have developed a collaborative approach to threat detection that effectively identifies attacker behaviors with minimal false positives.

How Vectra develops security-led AI algorithms

Throughout the detection development process, our security research team leads the way. They constantly monitor and review the methods employed by attackers in the wild, focusing on general methods rather than specific tools or attack groups. For example, instead of solely analyzing the Cobalt Strike beacon, we abstract the actions of this technology and study the attacker's overall method of control. This allows us to build coverage for both present and future tools executing similar methods.

Once an attacker method is identified, our security researchers work alongside our data science team to gather a corpus of malicious and benign samples. Malicious samples are sourced from various places, including customers who voluntarily share anonymized metadata, publicly documented cyber incidents, synthetic data creation algorithms, and internal lab attacks. Benign samples are collected from our extensive data set of anonymized customer metadata.

With the attacker method and supporting data at hand, our security researchers and data science team develop a prototype model with an optimized threshold for detecting these methods. The prototype is deployed in a silent beta mode, gathering feedback from an opt-in customer base to fine-tune the model. Every observed instance of the attacker method, as well as events just below the threshold, is reported back, allowing our data scientists to further refine the model.

This iterative process continues until strict standards of quality are met, ensuring the model's performance in real-world scenarios. The final step involves creating a dedicated user interface that presents the full context of the identified attacker method, along with relevant information about what is normal for the systems in question. The models are then deployed into production and continuously monitored to ensure their efficacy. Any necessary improvements are made to the detection system using the same pipeline used for data collection.

The results are models that do not require frequent tuning and effectively detect current and future generations of attacker tools. Our security-led approach excels at detecting attacker actions, going beyond detecting strange events.

Real-time Streaming Engine for Actionable Results

When it comes to protecting your organization, every second counts. That's why delays in alerting can give attackers a dangerous advantage. But with Vectra's real-time streaming engine, you can stay one step ahead.

Unlike traditional batch processing, Vectra's algorithms run on streaming data, ensuring immediate detection without any delay. This means attackers have less time to progress their attacks, giving you ample opportunity to stop them in their tracks.

But it's not just about speed – it's also about scale. As the size and complexity of enterprise networks, cloud deployments, and SaaS services continue to grow, so does the amount of data that needs to be processed. This is where Vectra's real-time streaming engine shines.

Designed to support large international enterprises, Vectra's streaming engine can handle even the most massive amounts of data. It effortlessly extracts the necessary information to build long-term learning models, without any issues of data size.

And let's not forget about the power of history. Algorithms that use unsupervised learning rely on a wealth of data to be truly effective. By learning from streaming data, Vectra's algorithms are able to factor in months of historical data and millions of events. This means the highest quality alerts and the most accurate detection in the industry.

Artificial Intelligence for Threat Correlation

Vectra goes beyond identifying individual attacker methods. With our advanced AI technology, we correlate actions to swiftly detect, categorize, and prioritize actively progressing attacks. Our correlation algorithm analyzes behaviors across accounts, hosts, network, and the cloud to provide a clear signal of any security incident.

But how do we attribute these behaviors to stable anchors such as accounts or host machines? In network and hybrid-cloud environments, we utilize a groundbreaking algorithm called host-id. This algorithm allows us to attribute transient IPs to stable host machines based on observed artifacts, including Kerberos host principals, DHCP MAC addresses, and cookies. With this attribution, we can accurately identify and track attacker behavior and metadata flow associated with a specific host machine, not just the IP.
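The general idea of attributing a transient IP to a stable host can be sketched as follows. This is an added example, not Vectra's host-id algorithm: the `HostAttributor` class, the record layout and the sample observations are all constructed for illustration, and it assumes a DHCP lease marks who holds an IP from that moment on.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed observations: (epoch_seconds, ip, artifact_type, artifact_value)
OBSERVATIONS = [
    (1000, "10.0.0.5", "dhcp_mac", "aa:bb:cc:00:00:01"),            # wired NIC
    (1200, "10.0.0.5", "kerberos_host", "host/laptop-17.corp.example"),
    (5000, "10.0.0.5", "dhcp_mac", "aa:bb:cc:00:00:02"),            # IP reassigned
    (5100, "10.0.0.9", "dhcp_mac", "aa:bb:cc:00:00:03"),            # Wi-Fi NIC
    (5300, "10.0.0.9", "kerberos_host", "host/laptop-17.corp.example"),
]

class HostAttributor:
    """Hypothetical helper: maps (ip, time) to a stable host key."""

    def __init__(self, observations):
        self.alias = {}                    # artifact -> parent artifact (union-find)
        self.timeline = defaultdict(list)  # ip -> [(lease_start, mac_artifact)]
        for ts, ip, kind, value in sorted(observations):
            artifact = f"{kind}:{value}"
            self.alias.setdefault(artifact, artifact)
            if kind == "dhcp_mac":
                self.timeline[ip].append((ts, artifact))  # new lease, new binding
            elif self.timeline[ip]:
                # Other artifact seen on this IP: link it to the current lease holder.
                self._union(self.timeline[ip][-1][1], artifact)

    def _find(self, a):
        while self.alias[a] != a:
            self.alias[a] = self.alias[self.alias[a]]  # path halving
            a = self.alias[a]
        return a

    def _union(self, a, b):
        ra, rb = self._find(a), self._find(b)
        if ra != rb:
            self.alias[max(ra, rb)] = min(ra, rb)  # deterministic canonical key

    def host_for(self, ip, ts):
        """Return the stable host key that held `ip` at time `ts`, or None."""
        events = self.timeline.get(ip, [])
        i = bisect_right(events, (ts, chr(0x10FFFF)))
        return self._find(events[i - 1][1]) if i else None
```

In the sample data the same Kerberos host principal appears behind two different MAC addresses, so traffic from `10.0.0.5` early on and from `10.0.0.9` later resolves to one host, while `10.0.0.5` after its lease changes resolves to a different one.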

However, attribution in AWS comes with its own challenges. Events are recorded in the AWS control plane and associated with Assumed Roles, rather than underlying user accounts. This means that any number of accounts can assume a given Role, making it difficult to trace the origin of an attack. That's where our custom-built technology, Kingpin, comes in. Kingpin can unravel the chaining of Roles to attribute observed attacks to an underlying user, giving you the crucial information needed for effective response.
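To make the role-chaining problem concrete, here is an added example (not Vectra's Kingpin, whose internals the page does not describe) that walks CloudTrail `AssumeRole` records back to the originating principal. The events are constructed samples containing only the fields used, and the function names are hypothetical.

```python
# Constructed CloudTrail-style records (only the fields used here).
EVENTS = [
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEALICE",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/Dev"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEDEV1"}}},
    {"eventName": "AssumeRole",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEDEV1",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Dev/s1"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/Admin"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLEADM1"}}},
    {"eventName": "DeleteTrail",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEADM1",
                      "arn": "arn:aws:sts::222222222222:assumed-role/Admin/s2"}},
]

def build_issuer_index(events):
    """Map each issued temporary access key to the AssumeRole event that minted it."""
    index = {}
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        creds = (ev.get("responseElements") or {}).get("credentials") or {}
        if creds.get("accessKeyId"):
            index[creds["accessKeyId"]] = ev
    return index

def resolve_origin(event, index, max_depth=10):
    """Walk the chain back; return (origin ARN or None, [role ARNs, newest first])."""
    chain, seen = [], set()
    ident = event["userIdentity"]
    while ident.get("type") == "AssumedRole" and len(chain) < max_depth:
        key = ident.get("accessKeyId")
        issuer = index.get(key)
        if issuer is None or key in seen:  # missing log or loop: unresolved
            return None, chain
        seen.add(key)
        chain.append(issuer["requestParameters"]["roleArn"])
        ident = issuer["userIdentity"]
    origin = ident.get("arn") if ident.get("type") != "AssumedRole" else None
    return origin, chain
```

The `None` result matters operationally: if the `AssumeRole` record that minted a session key falls outside the retained log window, the chain cannot be closed and the action stays attributed only to the role.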

Once we have attributed attacker behaviors to stable indicators, we then correlate them together to identify the underlying behavioral profile of the system. This allows us to label and prioritize progressing threats for immediate attention. Our correlation algorithm mimics the actions taken by our expert analysts and security researchers, ensuring that you receive the same level of threat classification and analysis.