Welcome to the Vectra Blog

Featured blog posts

Vectra integrates AI-driven network threat detection and response with AWS VPC Ingress Routing

Cybersecurity

By:

Ethan Durand

December 3, 2019

Vectra now integrates with Amazon Virtual Private Cloud (VPC) Ingress Routing, and our AI platform is now available in the AWS Marketplace.

Chronicle integration: Conduct faster, context-driven investigations into active cyberattacks with Vectra and Chronicle

Security operations

By:

Jitin Dhanani

November 19, 2019

The Cognito threat detection and response platform from Vectra now seamlessly integrates AI-based threat hunting and incident response of Chronicle Backstory, a global security telemetry platform, for increased context during investigations and hunts and greater operational intelligence.

Swimlane integration: Automate response and speed remediation with Swimlane and Vectra

Security operations

By:

Jitin Dhanani

November 11, 2019

That’s why we are happy to announce the integration of the Vectra Cognito automated threat detection and response platform with the Swimlane security orchestration, automation and response (SOAR) platform.

Forescout integration: Gain real-time visibility and automated response

Security operations

By:

Jitin Dhanani

November 4, 2019

The integration of the Cognito network detection and response platform with the Forescout device visibility and control platform provides inside-the-network threat detection and response, a critical layer of defense in today’s security infrastructure.

Check Point integration: Gain continuous threat visibility and enforcement

Security operations

By:

Jitin Dhanani

October 28, 2019

The integration between the Cognito automated network detection and response platform and Check Point Next Generation Firewalls empowers security staff to quickly expose hidden attacker behaviors, pinpoint specific hosts involved in a cyberattack and contain threats before data is lost.

New NIST guidelines on Zero Trust Architecture call for deeper visibility into the network

Infrastructure

By:

Marcus Hartwig

October 7, 2019

According to NIST, “No enterprise can completely eliminate cybersecurity risk. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and general cyber hygiene, ZTA can reduce overall risk exposure and protect against common threats.”

All blog posts

How to gain full threat visibility where only the network exists

Security operations
By:
Henrik Davidsson
June 6, 2019

The SOC visibility triad consists of network detection and response (NDR), endpoint detection and response (EDR) and log-based detection (SIEM).

Not all data is created the same

Cybersecurity
By:
Jacob Sendowski, Ph.D.
May 21, 2019

Vectra customers and security researchers respond to some of the world’s most consequential threats. And they tell us there’s a consistent set of questions they must answer when investigating any given attack scenario. Starting with an alert from Cognito Detect, another security tool, or their intuition, analysts will form a hypothesis as to what is occurring.

Don’t do it: Rolling your own production Zeek deployment

Security operations
By:
Rohan Chitradurga
May 15, 2019

In a previous blog, we wrote about the benefits that come with Zeek-formatted metadata. This blog builds on that thread by discussing why our customers come to us as an enterprise solution to support their Zeek deployments.

Three cornerstones of the SOC nuclear triad

Security operations
By:
Kevin Sheu
May 7, 2019

Although NDR and EDR can provide perspective on this, NDR is more critical because it provides perspective where EDR cannot. For example, exploits that operate at the BIOS level of a device can subvert EDR.

Why network metadata is just right for your data lake

Cybersecurity
By:
Kevin Sheu
April 30, 2019

The collection and storage of network metadata strikes a balance that is just right for data lakes and SIEMs. Metadata enables security operations teams to craft queries that interrogate the data and lead to deeper investigations.

Confronting risk and exposure in healthcare networks

Cybersecurity
By:
Chris Morales
April 24, 2019

Attackers intent on stealing personally-identifiable information (PII) and protected health information (PHI) can easily exploit gaps in IT security policies and procedures to disrupt critical healthcare-delivery processes.

Lurking in the shadows: Top 5 lateral spread threat behaviors

Cybersecurity
By:
Kevin Sheu
April 1, 2019

When considering how to equip your security teams to identify lateral movement behaviors, we encourage the evaluation of the efficacy of your processes and tools to identify and quickly respond to the top 5 lateral movement behaviors that we commonly observe.

Visibility, detection and response using a SIEM-less architecture

Cybersecurity
By:
Chris Morales
March 20, 2019

There is a new breed of SIEM-less security architecture that allows companies to leverage intelligent people with general IT experience to become the next-generation of security analysts.

Machine learning: The cornerstone of Network Traffic Analytics (NTA)

Threat detection
By:
Eric Ogren
January 26, 2019

Imagine having a security tool that thinks the way you teach it to think, that takes action when and how you have trained it to act. No more adapting your work habits to generic rules written by a third party and wondering how to fill in security gaps that the rules did not tell you about.

AI and the future of cybersecurity work

Artificial intelligence
By:
Sohrob Kazerounian
November 7, 2018

In February 2014, journalist Martin Wolf wrote a piece for the London Financial Times[1] titled Enslave the robots and free the poor. He began the piece with the following quote:

“In 1955, Walter Reuther, head of the US car workers’ union, told of a visit to a new automatically operated Ford plant. Pointing to all the robots, his host asked: How are you going to collect union dues from those guys? Mr. Reuther replied: And how are you going to get them to buy Fords?”

Most attacks against energy and utilities occur in the enterprise IT network

Cybersecurity
By:
Chris Morales
November 1, 2018

The United States has not been hit by a paralyzing cyberattack on critical infrastructure like the one that sidelined Ukraine in 2015. That attack disabled Ukraine's power grid, leaving more than 700,000 people in the dark.

But the enterprise IT networks inside energy and utilities networks have been infiltrated for years. Based on an analysis by the U.S. Department of Homeland Security (DHS) and FBI, these networks have been compromised since at least March 2016 by nation-state actors who perform reconnaissance activities looking for industrial control system (ICS) designs and blueprints to steal.

Integrating with Microsoft to detect cyberattacks in Azure hybrid clouds

Security operations
By:
Gareth Bradshaw
September 25, 2018

Microsoft unveiled the Azure Virtual Network TAP, and Vectra announced its first-mover advantage as a development partner and the demonstration of its Cognito platform operating in Azure hybrid cloud environments.

Near and long-term directions for adversarial AI in cybersecurity

Artificial intelligence
By:
Sohrob Kazerounian
September 12, 2018

The frenetic pace at which artificial intelligence (AI) has advanced in the past few years has begun to have transformative effects across a wide variety of fields. Coupled with an increasingly (inter)connected world in which cyberattacks occur with alarming frequency and scale, it is no wonder that the field of cybersecurity has now turned its eye to AI and machine learning (ML) in order to detect and defend against adversaries.

The use of AI in cybersecurity not only expands the scope of what a single security expert is able to monitor, but importantly, it also enables the discovery of attacks that would have otherwise been undetectable by a human. Just as it was nearly inevitable that AI would be used for defensive purposes, it is undeniable that AI systems will soon be put to use for attack purposes.

2018 Black Hat Superpower Survey: It's about time and talent

Security operations
By:
Chris Morales
August 22, 2018

We love Black Hat. It’s the best place to learn what information security practitioners really care about and what is the truth of our industry. Because we want to always be relevant to customers, we figured Black Hat is an ideal event to ask what matters.

Choosing an optimal algorithm for AI in cybersecurity

Artificial intelligence
By:
Sohrob Kazerounian
August 15, 2018

In the last blog post, we alluded to the No-Free-Lunch (NFL) theorems for search and optimization. While NFL theorems are criminally misunderstood and misrepresented in the service of crude generalizations intended to make a point, I intend to deploy a crude NFL generalization to make just such a point.

You see, NFL theorems (roughly) state that given a universe of problem sets where an algorithm’s goal is to learn a function that maps a set of input data X to a set of target labels Y, for any subset of problems where algorithm A outperforms algorithm B, there will be a subset of problems where B outperforms A. In fact, averaging their results over the space of all possible problems, the performance of algorithms A and B will be the same.

With some hand waving, we can construct an NFL theorem for the cybersecurity domain: Over the set of all possible attack vectors that could be employed by a hacker, no single detection algorithm can outperform all others across the full spectrum of attacks.

Cyberattack detections from more than 250 Vectra customers with over 4 million devices and workloads

Threat detection
By:
Chris Morales
August 8, 2018

Recently, Vectra published the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which covers the period from January through June 2018. While there are plenty of threat-research reports out there, this one offers unique insights about real-world cyberattacker behaviors found in cloud, data center and enterprise networks.

Types of learning that cybersecurity AI should leverage

Artificial intelligence
By:
Sohrob Kazerounian
July 18, 2018

Despite the recent explosion in machine learning and artificial intelligence (AI) research, there is no singular method or algorithm that works best in all cases.

In fact, this notion has been formalized and shown mathematically in a result known as the No Free Lunch theorem (Wolpert and Macready 1997).

Breaking ground: Understanding and identifying hidden tunnels

Cybersecurity
By:
Cognito
July 11, 2018

It’s me again – Cognito. As always, I’ve been hard at work with Vectra to automate cyberattack detection and threat hunting. Recently, we made an alarming discovery: hackers are using hidden tunnels to break into and steal from financial services firms!

Clearly, this is serious business if it involves bad guys targeting massive amounts of money and private information. But what exactly are we dealing with? Let’s dig into what hidden tunnels are and how I find them to uncover the answer.

Neural networks and deep learning

Artificial intelligence
By:
Sohrob Kazerounian
June 13, 2018

Deep learning refers to a family of machine learning algorithms that can be used for supervised, unsupervised and reinforcement learning.

These algorithms are becoming popular after many years in the wilderness. The name comes from the realization that adding more layers to a neural network typically enables a model to learn increasingly complex representations of the data.

Giving incident responders deeper context about what happened

Breach
By:
Cognito
June 4, 2018

If you’re joining me for the first time, I want to introduce myself. I am Cognito, the AI cybersecurity platform from Vectra. My passion is hunting down cyberattackers – whether they’re hiding in data centers and cloud workloads or user and IoT devices.

Cybersecurity analysts are overwhelmed with security events that need to be triaged, analyzed, correlated and prioritized. If you’re an analyst, you probably have some incredible skills but are being held back by tedious, manual work.

How algorithms learn and adapt

Artificial intelligence
By:
Sohrob Kazerounian
May 24, 2018

There are numerous techniques for creating algorithms that are capable of learning and adapting over time. Broadly speaking, we can organize these algorithms into one of three categories – supervised, unsupervised, and reinforcement learning.

Supervised learning refers to situations in which each instance of input data is accompanied by a desired or target value for that input. When the target values are a set of finite discrete categories, the learning task is often known as a classification problem. When the targets are one or more continuous variables, the task is called regression.

AI vs. machine learning

Artificial intelligence
By:
Sohrob Kazerounian
April 26, 2018

“The original question ‘Can machines think?’ I believe to be too meaningless to deserve discussion. Nevertheless, I believe that at the end of the century, the use of words and general educated opinion will have altered so much that one will be able to speak of machines thinking without expecting to be contradicted.” – Alan Turing

The rise of machine intelligence

Artificial intelligence
By:
Sohrob Kazerounian
April 10, 2018

Can machines think?

The question itself is deceptively simple in so far as the human ability to introspect has made each of us intimately aware of what it means to think.

The alarming surge in cryptocurrency mining on college campuses

Cybersecurity
By:
Chris Morales
March 29, 2018

While ransomware attacks like NotPetya and WannaCry were making headlines (and money) in 2017, cryptocurrency mining was quietly gaining strength as the heir apparent when it comes to opportunistic behaviors for monetary gain.

Alan Turing and the birth of machine intelligence

Artificial intelligence
By:
Sohrob Kazerounian
March 15, 2018

"We may compare a man in the process of computing a real number to a machine which is only capable of a finite number of conditions..." – Alan Turing

It is difficult to tell the history of AI without first describing the formalization of computation and what it means for something to compute. The primary impetus towards formalization came down to a question posed by the mathematician David Hilbert in 1928.

RDP attacks and the organizations they target

Cybersecurity
By:
John Chavez
September 25, 2019

By analyzing data in the 2019 Black Hat Edition of the Attacker Behavior Industry Report from Vectra, we determined that RDP abuse is extremely prevalent in the real world. 90% of the organizations where the Cognito platform is deployed exhibited some form of suspicious RDP behaviors from January-June 2019.

2019 Black Hat survey: The network is transforming

Cybersecurity
By:
Marcus Hartwig
August 19, 2019

For the second year in a row, we conducted the Vectra superhero survey at Black Hat. The survey is a quick six-question poll that helps us understand the current cloud adoption and top-of-mind concerns of attendees.

Ransomware doesn’t discriminate. It only cares about money.

Cybersecurity
By:
Chris Morales
August 7, 2019

Modern ransomware has been heavily weaponized, has a sweeping blast radius and is a staple tool in the attacker’s arsenal. In a call to arms, cloud and enterprise organizations everywhere are scrambling to detect and respond early to ransomware attacks.

Survival guide: Being secure at Black Hat 2019

Cybersecurity
By:
Ethan Durand
July 25, 2019

Tens of thousands of hackers and security researchers congregate in Las Vegas to participate in one of the largest hacker conventions in the world. Many of them are out to hack your device and put you on the infamous Wall of Sheep.

Encrypted command and control: Can you really cover your tracks?

Cybersecurity
By:
Jacob Sendowski, Ph.D.
July 16, 2019

Most sessions on the internet today are encrypted. By any measure, more than half of all internet traffic uses TLS to encrypt client/server communication.

Securing your AWS workloads with Vectra Cognito

Cybersecurity
By:
Gareth Bradshaw
June 25, 2019

Vectra announced a close-knit development partnership with Amazon, beginning with the integration of its Cognito platform in AWS environments.

Threat Behaviors in the Attack Lifecycle

Cybersecurity
By:
Chris Morales
June 20, 2019

There are multiple phases in an active cyberattack and each is a perilous link in a complex kill-chain that gives criminals the opportunity to spy, spread and steal critical information in native and hybrid cloud workloads and user and IoT devices.

Comparing Vectra and Verizon threat research

Cybersecurity
By:
Chris Morales
June 18, 2019

As the transformation of healthcare through new medical technology continues to move forward, healthcare organizations must remain mindful about what technologies are in place, how they are utilized, and when unauthorized actions occur.

Vectra will keep working to secure the cloud with the just announced $100 million in funding

Cybersecurity
By:
Hitesh Sheth
June 10, 2019

Today, I am thrilled to share the news that Vectra has completed a $100 million Series E funding round led by TCV, one of the largest growth equity firms backing private and public technology companies.

BGP hijackers: “This traffic is going to Russia!”

Cybersecurity
By:
Chris Morales
December 14, 2017

Traffic sent to and from major internet sites was briefly rerouted to an ISP in Russia by an unknown party. The likely precursor of an attack, researchers describe the Dec. 13 event as suspicious and intentional.

According to BGPMON, which detected the event, starting at 04:43 (UTC), 80 prefixes normally announced by several organizations were detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.

Gain Visibility and Automate Threat Hunting in the Cloud with Gigamon and Vectra

Cybersecurity
By:
Chris Morales
September 13, 2017

As enterprises migrate to the cloud, strong perimeter defenses are not enough to stop cyber attackers from infiltrating the network. Together, Gigamon and Vectra enable organizations to gain network visibility and automate threat management - providing continuous monitoring of network traffic to pinpoint cyber attacks that evaded perimeter defenses.

Chris Morales, Head of Security Analytics at Vectra, joins us to discuss what challenges he sees customers facing when moving to Amazon Web Services (AWS) and how Gigamon and Vectra can help them.

Man + machine is the winning combo for combating cyber threats

Cybersecurity
By:
Chris Morales
August 10, 2017

In the fight against cyber-attacks, time is money. According to the Ponemon Institute, the average cost of a data breach is $3.62 million. Reducing the time to detect and the time to contain an incident can significantly mitigate the cost of a breach, and possibly prevent it.

Maturity level and effectiveness are two of the most important measurements of SOC performance. Maturity reflects an enterprise’s development level regarding its approach to managing cybersecurity risk, including risk and threat awareness, repeatability, and adaptiveness. Effectiveness is a measurement of the SOC’s ability to detect and respond to an incident as it happens.

We conducted a survey.

Goldeneye. Petya. WannaCry. It's all ransomware.

Cybersecurity
By:
Chris Morales
June 28, 2017

We are seeing another outbreak of ransomware that appears to be a combination of previous other ransomware campaigns. As is always the case, criminal gangs learn from each other.

Petya was successful in 2016 using email attack campaigns and a ransomware-as-a-service business model. WannaCry introduced new worm propagation techniques that proved highly successful in hitting thousands of systems in a short time span last month.

Fighting the ransomware pandemic

Cybersecurity
By:
Chris Morales
May 13, 2017

What just happened?

A ransomware attack is spreading very rapidly among unpatched Windows systems worldwide. This morning, the attack was initially believed to target the UK National Health Service, but throughout the day, it has become apparent this is a global attack.

Kaspersky Lab reported on Friday afternoon that at least 45,000 hosts in 74 countries were infected. Avast put the tally at 57,000 infections in 99 countries. All this, during just 10 hours. Of those infected hosts, Russia, Ukraine and Taiwan were the top targets.

The existential threat of IP theft

Cybersecurity
By:
Kevin Kennedy
April 20, 2017

Confusion reigns on the origin of the term "bullseye." Some say it started when English archers showed off their accuracy by shooting arrows through the empty eye socket of a bull skull. Others contend it was a reference to a blemish in the center of a glass window pane.

Don't blow your IT security budget on flow analysis

Cybersecurity
By:
Hitesh Sheth
April 10, 2017

This blog was originally published on LinkedIn.

Vendors who are trapped in a time warp often tout traffic flow analysis as a great way to detect and analyze behavior anomalies inside networks. I have a problem with that because it’s decades-old technology dressed in a new suit.

Stealthy ransomware: Extortion evolves

Cybersecurity
By:
Kevin Kennedy
March 29, 2017

It seems like a new variant or victim of ransomware is in the news every day. It’s newsworthy because it works so well and causes widespread destruction.

So when the recent wave of stories hit about PetrWrap, a variation of the widely known Petya ransomware strain, it was easy to miss the significance. The “no-honor-among-thieves” narrative crowded out its true importance.

An immigrant CEO's story

Cybersecurity
By:
Hitesh Sheth
March 7, 2017

This blog was originally published on Medium.

Growing up in Kenya, I shared a one-bedroom apartment with my family. In fact, I slept in the laundry/storage room in the constant presence of family laundry and stacks of suitcases. You might say I’ve been sensitive to the invasive presence of others from an early age.

Splunk integration: A deep dive into the adaptive security architecture

Cybersecurity
By:
Chris Morales
February 9, 2017

Integration decreases cost and increases effectiveness. For this reason, Vectra is adaptive by design. Everything we do considers how to help our customers be more efficient and faster at fighting attacks. Sometimes it involves determining where to deliver sophisticated threat intelligence beyond the Vectra platform. Working with Splunk is a great example of this integration.

According to Gartner, “The goal is not to replace traditional SIEM systems, but rather to provide high-assurance, domain specific, risk-prioritized actionable insight into threats, helping enterprises to focus their security operations response processes on the threats and events that represent the most risk to them."

An analysis of the Shamoon 2 malware attack

Cybersecurity
By:
Chris Morales
February 7, 2017

Saudi officials recently warned organizations in the kingdom to be on the alert for the Shamoon 2 malware, which cripples computers by wiping their hard disks. In 2012, Shamoon crippled Saudi Aramco and this new variant was reportedly targeted at the Saudi labor ministry as well as several engineering and manufacturing companies.

During a recent analysis, Vectra Networks came across a malicious component that appears to be used in conjunction with spear-phishing-delivered malicious documents.

What’s an adaptive security architecture and why do you need it?

Cybersecurity
By:
Mike Banic
February 2, 2017

As long as I can recall, enterprises have always relied on prevention and policy-based controls for security, deploying products such as antivirus software, IDS/IPS and firewalls.

But as we now know, and industry research firms have stated, they aren’t enough to adequately deal with today’s threat environment, which is flooded by a dizzying array of advanced and targeted attacks.

Shamoon 2: Same or better than the original?

Cybersecurity
By:
Chris Morales
January 28, 2017

Shamoon is back, although we are not entirely sure it ever left.

On Monday, Saudi Arabia warned organizations in the kingdom to be on alert for the Shamoon virus, which cripples computers by wiping their disks. The labor ministry said it had been attacked and a chemicals firm reported a network disruption. This has been dubbed Shamoon 2 by some news outlets.

Here is a simple explanation of what is likely to be happening.

The adversary is using a combination of social engineering and email phishing to infect one or a number of computers on an organization’s networks. Either downloading a file or clicking a link downloads an exploit kit.

The computers infected with the exploit kit rapidly perform port sweeps across the subnet to which the hosts are connected. Using automated replication, they then attempt to move laterally via remote procedure calls (RPCs). To cover an organization’s entire network, the adversary needs to infect machines on many subnets.

Shamoon 2, like Shamoon that struck Saudi Aramco in 2012, moves extremely fast with the sole objective of destroying systems and bringing businesses to their knees.

Healthcare is one of cybercrime’s most targeted sectors

Cybersecurity
By:
Chris Morales
January 26, 2017

Healthcare organizations are prime targets of cyber attackers because they are reliant on vulnerable legacy systems, medical IoT devices with weak security and have a life or death need for immediate access to information.

Our focus on Russian hacking obscures the real problem

Cybersecurity
By:
Hitesh Sheth
January 19, 2017

This blog was originally published on The Hill.

If I didn’t deal daily with the mechanics of cybersecurity, I might be captivated by Washington’s focus on whether the Russians penetrated the Democratic National Committee and why they did it. As a citizen, I follow politics and geopolitics, too.

But here’s what bothers me:

The hacking tools identified by the FBI and Department of Homeland Security are freely available on the internet. The Russians can use them. So can the Iranians, the Chinese, the North Koreans and any other nation-state which wants to penetrate the networks that serve our political parties and government. There is nothing special or even uniquely “Russian” about them. And they often work.

I am not surprised that such common tools are employed against us. We should expect it. In the cybersecurity business we know the focus should be on our ineffective defense, rather than on finding the guilty country.

Whoever got inside the DNC networks had seven months to plumb about, pilfer embarrassing material, package it for shipping and make off with it, all without detection. The DNC had no way to detect the penetration while it was happening.

Why not? After all, the technology to spot and interrupt hacking while it is in progress exists. We can literally watch hackers and their tools move around inside our networks, probing our vulnerabilities, locating our most sensitive data and setting up private tunnels to take it out of our systems.

Read blog post

The UEBA market will be gone by 2022

Cybersecurity
By:
Chris Morales
January 11, 2017

This is a prediction made by Gartner analyst Avivah Litan in her latest blog entry, The Disappearing UEBA Market. Of course it caught our attention here at Vectra. We are not a standalone UEBA company, nor do we want to be. First and foremost, we are an AI company that empowers threat hunters. But we often find ourselves in this discussion with people who believe UEBA alone will solve the world's problems (and possibly make coffee in the morning, too).

Read blog post

InfoSec skills shortage: The No. 1 threat to Internet security

Cybersecurity
By:
Günter Ollmann
November 15, 2016

When asked a poorly bounded question such as “What is the biggest threat to Internet security?”, the majority of quick-fire answers can likely be represented by the flags of a handful of nation states. Certainly the front-of-mind answer – identifying a cluster of hackers – represents a constant and escalating threat to business continuity and potential compromise.

Yet, if we introspectively examine the nature of our industry, we can easily argue that the biggest risk that Internet security faces is in fact our general inability to respond to and counter the attacks launched by adversaries from around the world.

It is estimated that today there are over 1 million InfoSec positions unfilled, growing to over 1.5 million by 2019, and more than 200,000 of those vacancies are in the U.S. This global shortage of expertise and experience lies at the very heart of the InfoSec world’s ability to respond to cyber attacks, affecting vendors and consumers alike.

Read blog post

Moonlight – Targeted attacks in the Middle East

Cybersecurity
By:
Chris Doman
October 26, 2016

Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.

Read blog post

Triggering MS16-030 via targeted fuzzing

Cybersecurity
By:
Bill Finlayson
October 11, 2016

The need to analyze the patch for MS16-030 recently presented itself to us due to some related product research. After the analysis was complete, we realized that the attack surface of the patch was pretty interesting and determined it may be beneficial to share part of the analysis. This post will focus on triggering a patched bug from MS16-030.

Read blog post

Bringing attack detections to the data center

Cybersecurity
By:
Wade Williamson
September 13, 2016

In extending the Vectra cybersecurity platform to enterprise data centers and public clouds, we wanted to do more than simply port the existing product into a virtualized environment. So, Vectra security researchers, data scientists, and developers started with a fresh sheet of paper to address the real-world challenges and threats that are unique to the enterprise data centers and clouds.

Visibility and intelligence that spans the enterprise

First, it was important to remember that the data center can be both integrally connected, yet in some ways separated from the physical enterprise. For example, attacks can spread from the campus environment to the data center environment, and security teams absolutely need to know how these events are connected. On the other hand, 80% of data center traffic never leaves the data center, making it invisible to traditional security controls.

Read blog post

Reverse engineering the Shadow Brokers dump: A close look at NOPEN

Cybersecurity
By:
Nick Beauchesne
September 13, 2016

While digging and reversing my way through the Equation Group dump, I’ve come across a few interesting pieces that probably are not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.

Read blog post

From the Iron Age to the “Machine Learning Age”

Cybersecurity
By:
Günter Ollmann
August 30, 2016

It is likely self-evident to many that the security industry’s most overused buzzword of the year is “machine learning.” Yet, despite the ubiquity of the term and its presence in company marketing literature, most people – including those working for many of the vendors using the term – don’t actually know what it means.

Read blog post

Accelerating action: New technology partnerships help customers bridge the cybersecurity gap

Cybersecurity
By:
Kevin Kennedy
August 4, 2016

“Without knowledge, action is useless, and knowledge without action is futile.” – Abu Bakr

Read blog post

Own a printer, own a network with point and print drive-by

Cybersecurity
By:
Nick Beauchesne
July 12, 2016

Printers present an interesting case in the world of IoT (Internet of Things), as they are very powerful hardware compared to most IoT devices, yet are not typically thought of as a “real” computer by most administrators. Over the years, many security researchers have studied and reported on printer vulnerabilities. However, the vast majority of this research focused on how to hack the printer itself in order to do things such as change the display on the printer or steal the documents that were printed. In this case, we investigate how to use the special role that printers have within most networks to actually infect end-user devices and extend the footprint of their attack within the network.
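The defender-side check that follows from the post above is whether your clients will silently pull a driver from any print server. This is an added example, not code from the Vectra post: it evaluates the Windows Point and Print Restrictions policy values (the real registry names under the policy key) and reports the settings that let a rogue printer or print server deliver a driver without a prompt. The risk wording and the two sample policy sets are constructed for illustration.

```python
"""Assess Windows Point and Print policy for silent driver delivery.

Added example, not code from the Vectra post. The value names are the real
registry values written by the Point and Print Restrictions group policy;
the findings text and the sample value sets below are constructed.
"""
import sys

# Policy key under HKEY_LOCAL_MACHINE
POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"


def assess(values):
    """Return a list of findings for a dict of PointAndPrint values.

    values maps value name -> data as stored in the registry (int for DWORD,
    str for REG_SZ). A missing name means that policy value is not set.
    """
    findings = []
    if values.get("Restricted") != 1:
        findings.append(
            "Point and Print Restrictions not enabled: clients may pull drivers "
            "from any print server, including one an attacker stands up")
    else:
        if values.get("TrustedServers") != 1 and values.get("InForest") != 1:
            findings.append(
                "Restrictions enabled but neither TrustedServers nor InForest is set: "
                "no allowlist of print servers")
        if values.get("TrustedServers") == 1 and not values.get("ServerList"):
            findings.append("TrustedServers is set but ServerList is empty")
    if values.get("NoWarningNoElevationOnInstall") == 1:
        findings.append(
            "NoWarningNoElevationOnInstall=1: drivers install silently, with no "
            "warning or elevation prompt")
    if values.get("UpdatePromptSettings") in (1, 2):
        findings.append(
            "UpdatePromptSettings=%d: driver updates from the print server install "
            "with reduced or no prompting" % values["UpdatePromptSettings"])
    if values.get("RestrictDriverInstallationToAdministrators") == 0:
        findings.append(
            "RestrictDriverInstallationToAdministrators=0: non-administrators may "
            "install print drivers (a hardening value Microsoft added after this post)")
    return findings


def read_policy():
    """Read the live PointAndPrint key on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows only
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                values[name] = data
                index += 1
    except FileNotFoundError:
        pass  # policy never configured; assess({}) reports that
    return values


# Constructed sample policies (not taken from any real host).
WEAK_POLICY = {"Restricted": 1, "NoWarningNoElevationOnInstall": 1, "UpdatePromptSettings": 2}
HARDENED_POLICY = {
    "Restricted": 1, "TrustedServers": 1, "ServerList": "print01.corp.example",
    "NoWarningNoElevationOnInstall": 0, "UpdatePromptSettings": 0,
    "RestrictDriverInstallationToAdministrators": 1,
}

if __name__ == "__main__":
    policy = read_policy() or WEAK_POLICY
    for finding in assess(policy) or ["no findings"]:
        print(finding)
```

Run it on a domain-joined Windows client to see the live policy; elsewhere it falls back to the constructed weak policy. A clean result requires the restriction to be on, an explicit server allowlist, and both prompt settings left at their prompting defaults.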

Read blog post

Time to update how we manage and address malware infections

Cybersecurity
By:
Mike Banic
June 28, 2016

Network-based malware detection addresses increasing complexity in the malware ecosystem but doesn’t make attribution a key priority.

Conventional wisdom about malware infection paints a picture that hapless users click on something they shouldn’t, that in turn takes their Web browsers to a drive-by-download website. It then exploits a vulnerability to install a botnet agent that eventually steals all their personal data and uploads it to cybercriminals in another country.

That conventional wisdom isn’t completely wrong, but it needs some serious updating. Today’s malware infections are more typically multi-stage events, wherein a user visits a favorite website with a banner advertisement supplied by a third-party ad network that was supplied by an affiliate ad network.

Read blog post

Ransomware, encryption and machine learning – Three key takeaways from Infosecurity 2016

Cybersecurity
By:
Wade Williamson
June 15, 2016


Last week was a long one. Vectra participated for the first time at Infosecurity Europe in London. Now that my feet have recovered from our very busy booth, I thought I’d share a few of the recurring themes I noticed at the show.

Ransomware. Definitely the threat de rigueur, with vendors coming at the problem from various angles, including DNS management and client-based solutions. Vectra was part of the buzz too, offering a network-centric approach with our newly announced ransomware file activity detection.

Read blog post

Introducing the Spring 2016 Post-Intrusion Report

Cybersecurity
By:
Wade Williamson
April 20, 2016

Insights from inside the kill chain. This week we are proud to announce the release of the third edition of the Vectra Post-Intrusion Report. And while there are plenty of reports from security vendors out there, this one provides something that is unique.

Read blog post

Plan on losing visibility of your network traffic: Steps to take control

Cybersecurity
By:
Günter Ollmann
March 8, 2016

The ongoing Apple versus the FBI debate has me thinking more about the implications of encryption. Whether or not national governments around the globe choose to go down the path of further regulating encryption key lengths, requiring backdoors to encryption algorithms, mandating key escrow for law enforcement purposes, or generally weakening the implementations of encrypted communications and data storage in consumer technologies, the use of encryption will increase – and in parallel – network visibility of threats will decrease.

Read blog post

Apple vs. the FBI: Some points to consider

Cybersecurity
By:
Günter Ollmann
February 18, 2016

In light of Apple’s response to the FBI’s request to gain access to San Bernardino shooter Syed Farook’s iPhone, I thought I would share some of my thoughts on this. It appears that there is some confusion in the connection of this request from the FBI with the bigger government debate on providing backdoors and encryption.

Let me attempt to break this down a little in the hopes of clearing some of that confusion:

  • Apple has positioned the request from the FBI to be a request to install a “backdoor” in their product. This is not correct. The FBI request is pretty specific and is not asking for a universal key or backdoor to Apple products.
  • The FBI request should be interpreted as a lawful request to Apple to help construct a forensics recovery tool for a specific product with a unique serial number.
  • The phone in question is an Apple iPhone 5C, and the method of access requested by the FBI is actually an exploitation of a security vulnerability in this (older) product. The vulnerability does not exist in the current generation of Apple iPhones.

Read blog post

The Chocolate Sprinkles of InfoSec

Cybersecurity
By:
Günter Ollmann
February 2, 2016

In the rapidly expanding world of threat intelligence, avalanches of static lists combine with cascades of streaming data to be molded by evermore sophisticated analytics engines the output of which are finally presented in a dazzling array of eye-candy graphs and interactive displays.

For many of those charged with securing their corporate systems and online presence, the pressure continues to grow for them to figure out some way to incorporate this glitzy wealth of intelligence into tangible and actionable knowledge.

Read blog post

Who is watching your security technology?

Cybersecurity
By:
Günter Ollmann
January 28, 2016

It seems that this last holiday season didn’t bring much cheer or goodwill to corporate security teams. With the public disclosure of remotely exploitable vulnerabilities and backdoors in the products of several well-known security vendors, many corporate security teams spent a great deal of time yanking cables, adding new firewall rules, and monitoring their networks with extra vigilance.

It’s not the first time that products from major security vendors have been found wanting.

It feels as though some vendors’ host-based security defenses fail on a monthly basis, while network defense appliances fail less frequently – maybe twice per year. At least that’s what a general perusal of press coverage may lead you to believe. However, the reality is quite different. Most security vendors fix and patch security weaknesses on a monthly basis. Generally, the issues are ones that they themselves have identified (through internal SDL processes or the use of third-party code reviews and assessment) or they are issues identified by customers. And, every so often, critical security flaws will be “dropped” on the vendor by an independent researcher or security company and need to be fixed quickly.

Read blog post

Blocking Shodan

Cybersecurity
By:
Günter Ollmann
January 20, 2016

The Internet is chock full of really helpful people and autonomous systems that silently probe, test, and evaluate your corporate defenses every second of every minute of every hour of every day. If those helpful souls and systems aren’t probing your network, then they’re diligently recording and cataloguing everything they’ve found so others can quickly enumerate your online business or list systems like yours that are similarly vulnerable to some kind of attack or other.

Read blog post

Cybersecurity in 2016: A look ahead

Cybersecurity
By:
Hitesh Sheth
January 6, 2016

Cybersecurity is a rapidly evolving landscape and this new year will be no different. Attackers will come up with new ways to infiltrate corporate networks and businesses, security vendors will be tasked with staying ahead of them, and governments will talk a lot, yet do very little. Here are some of the ways we see the industry changing shape over the course of 2016:

Sandboxing will lose its luster and join the ranks of anti-virus signatures. Anti-malware sandboxing has generated high-flying IPOs and grown to over $1 billion in annual spend. But in 2016, it’ll plummet back to Earth, as organizations realize that malware evades sandboxes as easily as anti-virus signatures.

Read blog post

Vectra Threat Labs discovers vulnerabilities in Adobe Reader and Internet Explorer

Cybersecurity
By:
Chris Morales
October 14, 2015

Today, Vectra researchers were again credited with discovering critical vulnerabilities that impact the security of Adobe Reader, VBScript, and Internet Explorer.

Read blog post

Takeaways from Gartner Security and Risk Management UK

Cybersecurity
By:
Mike Banic
October 12, 2015

I attended the Gartner Security and Risk Management Summit in London on Sept. 14 and 15 and would like to share some key takeaways from presentations by analysts Earl Perkins, Jeremy D’Hoinne and Neil MacDonald. The following are messages that resonated with me:

Read blog post

Cybersecurity and machine learning: The right features can lead to success

Cybersecurity
By:
David Pegna
September 15, 2015

Big data is around us. However, it is common to hear from a lot of data scientists and researchers doing analytics that they need more data. How is that possible, and where does this eagerness to get more data come from?

Very often, data scientists need lots of data to train sophisticated machine-learning models. The same applies when using machine-learning algorithms for cybersecurity. Lots of data is needed in order to build classifiers that identify, among many different targets, malicious behavior and malware infections. In this context, the eagerness to get vast amounts of data comes from the need to have enough positive samples — such as data from real threats and malware infections — that can be used to train machine-learning classifiers.

Is the need for large amounts of data really justified? It depends on the problem that machine learning is trying to solve. But exactly how much data is needed to train a machine-learning model should always be associated with the choice of features that are used.

Read blog post

Belkin F9K1111 V1.04.10 Firmware Analysis

Cybersecurity
By:
Chris Morales
August 19, 2015

Introduction

Recently, it came to our attention that HP DVLabs has uncovered at least ten vulnerabilities in the Belkin N300 Dual-Band Wi-Fi Range Extender (F9K1111). In response to this, Belkin released firmware version 1.04.10. As this is the first update issued for the F9K1111 and there were not any public triggers for the vulnerabilities, we thought it would be interesting to take a deeper look.

Unpacking the Update

To begin our analysis, we downloaded the firmware update from the vendor [1]. We used a firmware tool called binwalk [2] to unpack the update:
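What binwalk does in its first pass is a signature scan: it walks the image looking for the magic values of known containers and compression formats and reports where each begins, which is what tells you where the kernel and root filesystem sit inside a vendor update. The script below is an added example, not binwalk and not the Vectra analysis. It implements that scan for a few formats common in consumer router and range-extender firmware, carves a gzip member out of the image, and runs against a firmware-like blob constructed in memory so it works offline; hand it a real file path to scan an actual update.

```python
"""Tiny signature scanner in the spirit of binwalk's first pass.

Added example: not the Vectra analysis and not binwalk. It searches an image
for a handful of well-known magic values, reports their offsets, and carves
a gzip member out of the image. The firmware-like blob is constructed in
memory so the script runs offline; pass a file path to scan real bytes.
"""
import gzip
import struct
import sys
import zlib

# Magic values for formats commonly stacked inside consumer router firmware.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS filesystem (little-endian)",
    b"sqsh": "SquashFS filesystem (big-endian)",
    b"\x5d\x00\x00\x80": "LZMA compressed data (lc=3, lp=0, pb=2)",
}


def scan(image):
    """Return [(offset, description), ...] for every signature hit, lowest offset first."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while True:
            off = image.find(magic, start)
            if off == -1:
                break
            hits.append((off, desc))
            start = off + 1
    return sorted(hits)


def carve_gzip(image, offset):
    """Decompress the gzip member that starts at offset, ignoring whatever follows it."""
    decomp = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects the gzip wrapper
    return decomp.decompress(image[offset:])


def build_sample_image():
    """Constructed blob: 64-byte uImage header, gzip'd payload, padding, a SquashFS marker."""
    payload = b"Linux kernel placeholder " * 4
    gz = gzip.compress(payload, mtime=0)
    # uImage header: magic, hcrc, time, size, load, ep, dcrc, os/arch/type/comp, 32-byte name
    header = (b"\x27\x05\x19\x56"
              + struct.pack(">IIIIII", 0, 0, len(gz), 0, 0, 0)
              + bytes(4) + bytes(32))
    return header + gz + bytes(16) + b"hsqs" + bytes(28)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_image()
    for off, desc in scan(data):
        print(f"0x{off:08x}  {desc}")
```

A signature hit is only a hint: the scanner reports any byte run that matches, so a short magic like the SquashFS marker can appear inside compressed data by chance. binwalk applies the same idea with a far larger signature set and then validates headers before extracting, which is why its output is the one to trust on a real image.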

Read blog post

Microsoft Internet Explorer 11 Zero-day

Cybersecurity
By:
Chris Morales
July 14, 2015

Summary

On July 6th, information spread that the Italian company Hacking Team was itself the victim of a cyber attack. In the aftermath of this leak, Vectra researchers analyzed the leaked data and identified a previously unknown vulnerability in Internet Explorer 11 that impacts a fully patched IE 11 on both Windows 7 and Windows 8.1.

The hunt for the vulnerability began when we noticed an email from an external researcher who attempted to sell a proof-of-concept exploit to Hacking Team. The email was sent on 02/06/2015 and described an exploitable use-after-free bug in Internet Explorer 11. While Hacking Team ultimately declined to buy the PoC exploit, the email gave enough information for Vectra researchers to find and analyze the vulnerability.

While Hacking Team declined to purchase the PoC exploit, there is a chance the researcher went elsewhere to sell it, meaning that it may have been exploited in the wild.

Read blog post

What cyberthreats are lurking about in your network?

Cybersecurity
By:
Wade Williamson
June 23, 2015

Today, Vectra Networks published the second edition of its Post-Intrusion Report, which offers a first-hand look at modern threats that get past perimeter security and spread inside the network.

In the latest report, we analyzed behaviors and techniques across the entire lifecycle of real-world cyber attacks. We also looked back and saw alarming changes in the threat landscape and observed emerging trends in attack techniques.

Read blog post

Duqu: The Sequel

Cybersecurity
By:
Wade Williamson
June 12, 2015

Recently, Kaspersky Labs disclosed that it was the victim of a sophisticated cyber attack, which they have named Duqu 2.0. The team at Kaspersky Labs has published a detailed analysis of Duqu 2.0 and it’s definitely worth a read.

The original Duqu was a family of malware that most researchers believe was created by a nation-state and is related to the infamous Stuxnet worm. While Stuxnet was used to damage centrifuges used to enrich uranium, the original Duqu appeared more intent on surveillance and collecting information within a compromised network.

Read blog post

Insider threats surge while budgets retreat

Cybersecurity
By:
Wade Williamson
June 4, 2015

The Information Security Community on LinkedIn recently completed a survey of more than 500 cybersecurity professionals on the topic of insider threats. This report reveals the real-world trends and challenges of combating insider threats from the viewpoint of the security professionals who do it every day.

Let’s take a look at some of these trends and what they may mean for information security.

Insider threats are on the rise, but budgets are not

Security teams have long been asked to do more with less, but this trend is particularly stark in the area of malicious insiders.

The study shows that 62% of respondents saw more insider threats over the past year, but only 34% expect to get more budget to address the problem. Underscoring this problem, 68% feel vulnerable and less than half feel they have appropriate control over insider threats.

Read blog post

Cybersecurity, data science and machine learning: Is all data equal?

Cybersecurity
By:
David Pegna
May 9, 2015

In big-data discussions, the value of data sometimes refers to the predictive capability of a given data model and other times to the discovery of hidden insights that appear when rigorous analytical methods are applied to the data itself. From a cybersecurity point of view, I believe the value of data refers first to the "nature" of the data itself. Positive data, i.e. malicious network traffic data from malware and cyberattacks, carry much more value than positive samples do in many other data science problems. To better understand this, let's start to discuss how a wealth of network traffic data can be used to build network security models through the use of machine learning techniques.

Read blog post

Big Data Sends Cybersecurity Back to the Future

Cybersecurity
By:
David Pegna
April 1, 2015

The main reason behind the rising popularity of data science is the incredible amount of digital data that gets stored and processed daily. Usually, this abundant data is referred to as "big data" and it's no surprise that data science and big data are often paired in the same discussion and used almost synonymously. While the two are related, the existence of big data prompted the need for a more scientific approach – data science – to the consumption and analysis of this incredible wealth of data.

Read blog post

Creating cybersecurity that thinks

Cybersecurity
By:
David Pegna
March 9, 2015

Until recently, using the terms “data science” and ”cybersecurity” in the same sentence would have seemed odd. Cybersecurity solutions have traditionally been based on signatures – relying on matches to patterns extracted from previously identified malware to capture attacks in real time. In this context, the use of advanced analytical techniques, big data and all the traditional components that have become representative of “data science” have not been at the center of cybersecurity solutions focused on identification and prevention of cyber attacks.

This is not surprising. In a signature-based solution, any given malware or new flavor of it needs to be identified, sometimes reverse-engineered and have a matching signature deployed in an update of the product in order to be “detectable.” For this reason, signature-based solutions are not able to prevent zero-day attacks and provide very limited benefit compared to the predictive power offered by data science.

Read blog post

Superfish: When Bloatware Goes Bad

Cybersecurity
By:
Wade Williamson
March 4, 2015

The recent Superfish debacle is yet another reminder that as security professionals we live in an inherently post-prevention world. Increasingly, everyone must assume that despite all our best efforts, users on our networks may already be compromised. While the focus is often on the many ways that a user can be infected with malware, Superfish is a reminder that a device can be compromised before it ever comes out of the box.

As a quick recap, Superfish is software that acts as an SSL man-in-the-middle in order to control the ads a user sees while browsing the Web – it’s “adware” which pretends to provide a service you would want. To break SSL encryption without triggering a browser warning, Superfish installs its own root certificate in the machine’s trusted store. More specifically, the software installs the exact same root cert, with the same private key, on a series of laptops, and researchers (and attackers) are able to quickly extract it. Rob Graham at Errata Security provides a nice write-up on how he was able to do this.
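The practical question for a defender is whether a machine trusts a root it should not, and whether the certificate a server presents was really issued by that root. The script below is an added example, not from the Vectra post or Errata Security’s write-up. It works on the certificate dictionaries Python’s ssl module produces (SSLContext.get_ca_certs() for the trust store, SSLSocket.getpeercert() for a live connection), flags roots by a denylist of known interception CNs and, optionally, by a self-signed-root allowlist of expected organisations. The allowlist and the sample entries are constructed assumptions; the Superfish common name is the one the adware’s root carried.

```python
"""Spot an interception root such as Superfish's in a trust store.

Added example, not from the Vectra post or Errata Security's write-up. It
works on the certificate dicts that Python's ssl module returns, so it can
audit the local store or, as here, constructed sample entries. The
expected-organisation allowlist is an assumption you would tailor per fleet.
"""
import ssl

# Common names of roots known to be used for TLS interception. Superfish's
# root carried CN "Superfish, Inc."; the same private key shipped on every
# affected laptop, so anyone who extracted it could sign for any site.
KNOWN_BAD_CN = {"Superfish, Inc."}


def name_attr(rdns, attr):
    """Pull one attribute (e.g. 'commonName') out of ssl's nested-tuple name form."""
    for rdn in rdns:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def is_self_signed(cert):
    return cert.get("subject") == cert.get("issuer")


def audit_roots(certs, expected_orgs=None):
    """Return [(commonName, [reasons])] for every root that looks like an interception CA."""
    findings = []
    for cert in certs:
        reasons = []
        subject = cert.get("subject", ())
        cn = name_attr(subject, "commonName")
        org = name_attr(subject, "organizationName")
        if cn in KNOWN_BAD_CN:
            reasons.append("subject CN is on the interception-root denylist")
        if expected_orgs is not None and is_self_signed(cert) and org not in expected_orgs:
            reasons.append("self-signed root from an organisation outside the allowlist")
        if reasons:
            findings.append((cn, reasons))
    return findings


def peer_intercepted(peercert):
    """True if a server certificate from getpeercert() was issued by a known interception root."""
    return name_attr(peercert.get("issuer", ()), "commonName") in KNOWN_BAD_CN


def audit_local_store(expected_orgs=None):
    """Audit the roots Python's default context loads (the system store on Windows and macOS)."""
    ctx = ssl.create_default_context()
    return audit_roots(ctx.get_ca_certs(), expected_orgs)


# Constructed sample entries in ssl's dict format (not real certificates).
def _name(**attrs):
    return tuple(((k, v),) for k, v in attrs.items())


SUPERFISH_ROOT = {
    "subject": _name(countryName="US", organizationName="Superfish, Inc.", commonName="Superfish, Inc."),
    "issuer": _name(countryName="US", organizationName="Superfish, Inc.", commonName="Superfish, Inc."),
}
BENIGN_ROOT = {
    "subject": _name(organizationName="Example CA Ltd", commonName="Example Root CA"),
    "issuer": _name(organizationName="Example CA Ltd", commonName="Example Root CA"),
}
INTERCEPTED_LEAF = {"subject": _name(commonName="www.example.com"), "issuer": SUPERFISH_ROOT["subject"]}
CLEAN_LEAF = {"subject": _name(commonName="www.example.com"), "issuer": BENIGN_ROOT["subject"]}

if __name__ == "__main__":
    for cn, reasons in audit_roots([BENIGN_ROOT, SUPERFISH_ROOT], expected_orgs={"Example CA Ltd"}):
        print(cn, "->", "; ".join(reasons))
```

Two caveats when pointing audit_local_store() at a real machine: on Linux the default context often loads roots from a directory lazily, so get_ca_certs() can come back nearly empty until a verification has run, and a denylist by common name is only a first screen. Pin the offending certificate’s fingerprint as well, since a name is trivial for an interception product to change.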

Read blog post

Morgan Stanley Meets the Insider Threat

Cybersecurity
By:
Wade Williamson
January 6, 2015

Earlier today news broke that financial services firm Morgan Stanley had experienced an insider breach, which resulted in customer data being posted online. The breach was initially detected when data related to a portion of the firm’s wealth management clients was observed on Pastebin. Pastebin is a popular site for sharing text-based data, and while it is widely used for sharing code between developers, it has also long been a thriving marketplace for advertising and selling stolen data, from compromised user accounts, cracked passwords and credit card numbers to, in this case, account data.

Read blog post

Malicious Insider Psychology – when the personal bubble bursts

Cybersecurity
By:
Oliver Brdiczka
December 22, 2014

In the previous post, we examined the motivations and constraints that make an insider ‘malicious,’ and we saw that external and mental pressure, an opportunity to steal confidential information and rationalization of the potential theft are the factors that lead an insider to turn against his employer.

While these three factors are necessary triggers for becoming malicious, there is much more going on in an insider’s mind before, during and after an attack. What are the mental stages that a ‘turning’ insider goes through? And what are potential indicators for each stage?

Read blog post

Malicious Insider Psychology – when pressure builds up in the Fraud Triangle

Cybersecurity
By:
Oliver Brdiczka
December 13, 2014

In previous posts, we have discussed various types of insider threats that affect US government, companies and organizations in charge of critical infrastructure. We have discussed various insider attack patterns, but what are the motivations and constraints that make an insider turn against his employer?

We have seen that so-called ‘whistle blowers’ may act upon their own convictions and turn against their employer, but their numbers are very limited. As the majority of cases involve the theft of information and assets from an organization for personal gain, what are the motivations and constraints in those cases?

Read blog post

Community Threat Analysis Uncovers Insider Attacks

Cybersecurity
By:
Mike Banic
December 10, 2014

Today, we announced the new Community Threat Analysis for the Vectra X-series that puts your organization’s key assets at the center of real-time investigations of insider and targeted attacks.

2014 has been the year of the breach, and as a result companies are increasing their investment in cyber security. However, the majority of cyber security products focus exclusively on malware and external attacks, and are effectively blind to insider threats. At Vectra we believe that security should protect your most important assets regardless of whether the threat is from an external attacker or a malicious insider. You don’t get to choose your attacker, so why should your security solutions protect only against one type? Let’s take a closer look at why stopping the insider threat is crucial, and what Vectra can do to help.

Read blog post

Insider Threats - the myth of the black swan

Cybersecurity
By:
Oliver Brdiczka
November 30, 2014

While the reported $40 billion of insider threat losses for the US economy seem scary, many companies consider insider threats to be more like a ‘black swan’ event – highly visible, but extremely rare, abstract, and too hard to predict for it to constitute a real threat. But it is the gray areas companies should be wary of.

In previous posts of this series, we described how companies are affected by malicious insider incidents, and what impact and cost these incidents might cause. Most think of highly publicized whistleblower cases such as Edward Snowden and Bradley Manning. Overall, these seem like natural disasters (e.g., earthquakes): you can take some precautions, but then you just hope it will not happen to you … and if it does, it will be disastrous (and you just have to accept it).

In addition, I often hear arguments from small and medium sized companies that they do not feel exposed to the insider threat because:

Read blog post

Insider Threats - how they affect US companies

Cybersecurity
By:
Oliver Brdiczka
November 22, 2014

In the second post of this series, we looked at basic definitions of insider threat incidents and their impact on organizations. Now, let’s have a closer look at how malicious insider threat actions affect companies in the United States, and how companies can respond to these threats.

From the most recent consolidated data available on this subject, over 50% of organizations report having encountered an insider cyberattack in 2012, with insider threat cases making up roughly 23% of all cybercrime incidents. This percentage has stayed consistent over the prior couple of years, but the total number of attacks has increased significantly.

The result is $2.9 trillion in employee fraud losses globally per year, with $40 billion in losses due to employee theft and fraud in the US in 2012 alone. The damage and negative impact caused by insider threat incidents is reported to be higher than that of outsider or other cybercrime incidents.

Interestingly, in contrast to outsider attacks on networks, insider cyberattacks are under-reported. Only a few cases make it into public media or are even known to insider threat experts. Reasons for such under-reporting are insufficient damage or evidence to warrant prosecution, and concerns about negative publicity. The risk of revealing confidential data and business processes during investigations may be another reason why many companies don’t report and prosecute insider threat incidents.

Read blog post

Insider Threats - is your organization safe?

Cybersecurity
By:
Oliver Brdiczka
November 16, 2014

In the previous post of this blog series, we discussed highly publicized whistleblower cases such as Chelsea Manning and Edward Snowden. While government agencies are ramping up their protections of data and infrastructure against these cases, what danger do malicious or negligent insiders constitute for organizations, including corporations and small businesses, and what kind of insider threats exist? Is your organization safe?

Let’s first look at a more formal definition of the malicious insider. According to the computer emergency response team (CERT) at CMU, a malicious insider is a current or former employee or contractor who deliberately exploited or exceeded his or her authorized level of network, system or data access in a way that affected the security of the organization’s data, systems, or daily business operations.

Read blog post

Insiders – Threat or Blessing?

Cybersecurity
By:
Oliver Brdiczka
November 12, 2014

Insiders leaking information about secretive government practices and decision-making have had their impact on public opinion and United States policies in recent years, but are these leaks for the benefit of society, or do they push a hidden agenda? The most prominent example is Edward Snowden who leaked significant amounts of classified information from the National Security Agency (NSA) about its practices. On September 23, Edward Snowden received the Swedish human rights award, also referred to as the alternative Nobel prize, for his revelations in 2013. Snowden, who “blew the whistle,” got rewarded “for his courage and skill in revealing the unprecedented extent of state surveillance violating basic democratic processes and constitutional rights.”

Read blog post

The Hidden Risk of Not Detecting Bitcoin Mining

Cybersecurity
By:
Mike Banic
June 6, 2014

On June 6th, Forbes reporter Kashmir Hill wrote about an NSF researcher who misused NSF-funded supercomputing resources to mine Bitcoin valued between $8,000 and $10,000. The article points to a student at Imperial College London and a researcher at Harvard University who are also alleged to have used their universities’ computers to mine a similar virtual currency called Dogecoin.

As a CISO, your first reaction might be that inappropriate uses of your organization’s resources should be stopped, but this is probably not your highest priority. Someone using your computer(s) and network to mine virtual currency is a bit like someone charging his or her electric car from a power outlet on your house. Yes, they are using your electricity without permission or reimbursing you. However, they aren’t stealing something of high value or threatening your life or livelihood. Still, this is something we probably want to know about and stop if we can.

Read blog post

Trust, but verify (Доверяй, но проверяй)

Threat detection
By:
Marcus Hartwig
September 16, 2019

In infosec, the concept of “zero trust” has grown significantly in the last couple of years and has become a hot topic. A zero-trust architecture fundamentally distrusts all entities in a network and does not allow any access to resources until an entity has been authenticated and authorized to use that specific resource, i.e. trusted.

Read blog post

Privileged Access Analytics

Threat detection
By:
Jacob Sendowski, Ph.D.
September 9, 2019

Since the early days of Vectra, we’ve been focused primarily on host devices. After all, hosts are the entities that generate the network traffic the Cognito platform analyzes in looking for attacker behaviors.

Read blog post

Improving threat-hunting efficiency with the multi-homed attribute

Threat detection
By:
Hsin Chen
July 9, 2019

In a previous blog, we spoke about the importance of security enrichments in your network metadata. These serve as the foundation for threat hunters and analysts to test and query against hypotheses during an investigative process.

Read blog post

Machine learning: The cornerstone of Network Traffic Analytics (NTA)

Threat detection
By:
Eric Ogren
January 26, 2019

Imagine having a security tool that thinks the way you teach it to think, that takes action when and how you have trained it to act. No more adapting your work habits to generic rules written by a third party and wondering how to fill in security gaps that the rules did not tell you about.

Read blog post

Cyberattack detections from more than 250 Vectra customers with over 4 million devices and workloads

Threat detection
By:
Chris Morales
August 8, 2018

Recently, Vectra published the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which covers the period from January through June 2018. While there are plenty of threat-research reports out there, this one offers unique insights about real-world cyberattacker behaviors found in cloud, data center and enterprise networks.

Read blog post

Attackers can use your admin tools to spy, spread, and steal

Threat detection
By:
Cognito
January 26, 2018

In my last blog, I spoke about a financial customer performing pen testing and how I helped the blue team detect the red team as it carried out an attack. I’m back again today with another story from the trenches.

This time, I’ve been working with a customer in the manufacturing sector who recently deployed me. As before, this customer prefers to remain anonymous to keep cybercriminals in the dark about their newly developed security capabilities. To stay on top of their game, they routinely run red team exercises.

Read blog post

The good, the bad and the anomaly

Threat detection
By:
Hitesh Sheth
November 8, 2017

This blog was originally published on LinkedIn.

The security industry is rampant with vendors peddling anomaly detection as the cure-all for cyber attacks. This is grossly misleading.

The problem is that anomaly detection over-generalizes: All normal behavior is good; all anomalous behavior is bad – without considering gradations and context. With anomaly detection, the distinction between user behaviors and attacker behaviors is nebulous, even though they are fundamentally different.

Read blog post

Roundtable roundup from the European Information Security Summit

Threat detection
By:
Matt Walmsley
February 23, 2017

Earlier this week I was at TEISS hosting a round table session titled “Artificial Intelligence – Fancy maths or a pragmatic answer to cyber security gaps and challenges?”

We explored human, threat, and technical dimensions to the current drivers and role of AI in cybersecurity. Here's a summary of our group's discussion.

Read blog post

“We have got to get faster” at fighting hacks

Threat detection
By:
Hitesh Sheth
January 5, 2017

Sen. John McCain, chairman of the Senate Armed Services Committee, held a hearing today with top intelligence officials on Russian cyber-attacks, after many remarks by President-elect Donald Trump called into question the conclusions of the U.S. intelligence community that Kremlin-backed hackers meddled in the 2016 election.

Read blog post

DPI goes blind as encryption adoption increases

Threat detection
By:
Günter Ollmann
June 1, 2016

Governments and businesses that have traditionally relied upon deep packet inspection (DPI) or content-level inspection technologies to identify threats or control access across the perimeter of their networks are at the cusp of a dramatic and non-reversible sea change. Month on month, organizations have observed the silent shift to encrypted communications, and with that, their visibility and control of network traffic has incrementally diminished. As the encryption of North-South corporate network traffic reaches levels of 60% or more in most environments, organizations are finding themselves in the uncomfortable position of having to plan for the abandonment of the DPI-based perimeter defenses they’ve depended upon for a decade and a half. It would seem that IDS, IPS, DLP, and ADS are rapidly going dark.

Read blog post

Automate to optimise your security teams

Threat detection
By:
Matt Walmsley
January 4, 2016

Mind the gap

87% of U.K. senior IT and business professionals believe there is a shortage of skilled cybersecurity staff, and the same percentage of UK security leaders also want to hire CISSP-credentialed staff into their teams. Nothing of real surprise in that there’s a gap; let’s fill it with demonstrably high-calibre professionals, right? Well, not quite. That skills gap also includes a “CISSP” gap. With 10,000+ UK security positions out there but just over 5,000 UK CISSPs, the math simply doesn’t add up. We should also consider that credentials like CISSP demonstrate excellent existing domain knowledge but do not help hiring managers understand the soft skills, attitudes and other characteristics that combine to form the overall “talent and capabilities” of a candidate.

A pragmatic approach is therefore to hire on traits such as adaptability, collaboration and innovation alongside evidence of the requisite technical capabilities. After all, in a rapidly changing digital landscape you’re hiring for tomorrow’s battle, not yesterday’s, so agility is essential. Today’s security teams need to be ready to handle the new risks, challenges and increased pace of change that the Internet of Things (IoT), cloud, mobility and social media all bring to the security challenge. The talent pool is limited, as are organisations' overall cyber security resources. It’s time to develop and support from within and broaden recruitment methodologies for those hard-to-fill open positions.

Read blog post

Will IDS ever be able to detect intrusions again?

Threat detection
By:
Wade Williamson
November 3, 2015

IDS has been around for decades and has long been a cornerstone of network security. But over the years, IDS was gradually absorbed by IPS, and IDS simply became thought of as a deployment option of IPS.

However, this subservient role of IDS in relation to IPS introduces a subtle but important compromise – detection takes a backseat to prevention. Because IPS is deployed in-line with network traffic, performance concerns are paramount. Prevention cannot slow the speed or flow of business, and that means detections must be near-instantaneous.

The need to block threats within milliseconds locks IDS/IPS into using signatures for detections. While signatures can detect a wide variety of threats, they rely on the fast-pattern-matching of known threats.

Read blog post

A revolutionary new approach to detecting malicious covert communications

Threat detection
By:
Wade Williamson
October 28, 2015

Today’s cyber attackers are patient, as they infiltrate and steadily persist within an organization’s network over time. These long-term attacks require ongoing communication to orchestrate the various phases of attack.

By understanding how attackers conceal their communications, we can rob attackers of the persistence and coordination that makes modern attacks so successful.

Read blog post

The industry needs a real alternative to signatures

Threat detection
By:
Wade Williamson
September 9, 2015

For years, security professionals have become increasingly aware of the limitations of signatures. And yet for all this awareness, the industry is still focused on making signatures faster instead of addressing the fundamental problem.

Threat feeds deliver signatures faster and faster, and malware sandboxes generate new signatures for newly discovered malware. Nonetheless, attackers continue to evade them and are winning at an ever-increasing rate.

Read blog post

Think outside the sandbox

Threat detection
By:
Jerish Parapurath
July 8, 2015

As cyber attacks increase in frequency and complexity, organizations continue to invest in prevention-centric technologies to secure their network perimeter. However, prevention-centric technologies are less than perfect. They protect networks from known threats using a combination of security rules, signatures and reputation lists.

A critical component of today’s network perimeter security is the file-based sandbox. Sandboxes were created to analyze suspicious files on isolated hosts – many with different operating systems – in a contained environment.

Read blog post

Technical analysis of Hola

Threat detection
By:
Vectra Threat Labs
June 1, 2015

Updated June 3, 2015, 11:00 AM

Recently a popular privacy and unblocker application known as Hola has been gaining attention from the security community for a variety of vulnerabilities and highly questionable practices that allow the service to essentially behave as a botnet-for-hire through its sister service called Luminati. Vectra researchers have been looking into this application after observing it in customer networks over the past several weeks, and the results are both intriguing and troubling. In addition to its various botnet-enabling functions that are now part of the public record, the Hola application contains a variety of features that make it an ideal platform for executing targeted cyber attacks.

Read blog post

Cybersecurity Sensors – Threat Detection Throughout a Distributed Network

Threat detection
By:
Hitesh Sheth
March 24, 2015

Keeping data from getting out into the wild or being damaged by cyber attackers is what keeps CISOs, the executive team and boards of directors up at night. To protect organizations, cybersecurity needs to be automated and real-time, it needs to learn contextually like we do and it needs to monitor for threats at every corner of the network in a way that organizations can afford without sacrificing coverage.

Read blog post

Don't Shed Tears When Peeling the Onion Router

Threat detection
By:
Oliver Tavakoli
November 11, 2014

Periodically, articles are published highlighting the difficulty authorities have investigating illegal activity on the Internet when the perpetrators make use of the anonymity that Tor provides.

Last week saw another such article appear in The Wall Street Journal, highlighting an operation that took down more than four hundred Web sites accessible only via Tor, which are essentially Tor “services”, arrested 17 people and confiscated plenty of Bitcoins associated with running these web sites. These web sites are referred to as “darknet marketplaces” and basically connect purveyors of illegal goods (e.g., drugs, guns) and services (e.g., contract killings) with people seeking these things. An August article in Wired spent more time detailing how the FBI goes about fighting the demand side of the problem – by infecting machines belonging to potential seekers of such goods and services via drive-by-downloads.

Read blog post

Attackers Lurk in my Network, but Nothing Reports it

Threat detection
By:
Jerish Parapurath
November 10, 2014

Home Depot, Target, JP Morgan, and Community Health Systems have all been victims of a network security breach, resulting in the loss of customers’ personal data and millions of dollars in revenue. We ask ourselves “who will be next?” – because the assault on the digital economy has become an asymmetric war and businesses are on the losing side.

The first edition of "The Post Breach Industry Report" is an industry study using real-world data from enterprise networks, revealing what attackers do inside an organization's network once they evade perimeter defenses.

Read blog post

Chronicle integration: Conduct faster, context-driven investigations into active cyberattacks with Vectra and Chronicle

Security operations
By:
Jitin Dhanani
November 19, 2019

The Cognito threat detection and response platform from Vectra now seamlessly integrates AI-based threat hunting and incident response of Chronicle Backstory, a global security telemetry platform, for increased context during investigations and hunts and greater operational intelligence.

Read blog post

Swimlane integration: Automate response and speed remediation with Swimlane and Vectra

Security operations
By:
Jitin Dhanani
November 11, 2019

That’s why we are happy to announce the integration of Vectra Cognito automated threat detection and response platform with the Swimlane security orchestration, automation and response (SOAR) platform.

Read blog post

Forescout integration: Gain real-time visibility and automated response

Security operations
By:
Jitin Dhanani
November 4, 2019

The integration of the Cognito network detection and response platform with the Forescout device visibility and control platform provides inside-the-network threat detection and response, a critical layer of defense in today’s security infrastructure.

Read blog post

Check Point integration: Gain continuous threat visibility and enforcement

Security operations
By:
Jitin Dhanani
October 28, 2019

The integration between the Cognito automated network detection and response platform and Check Point Next Generation Firewalls empowers security staff to quickly expose hidden attacker behaviors, pinpoint specific hosts involved in a cyberattack and contain threats before data is lost.

Read blog post

Controlling cyber-risk in mergers and acquisitions

Security operations
By:
Henrik Davidsson
October 2, 2019

Acquiring a company is a massive undertaking and requires a significant amount of planning and, ideally, flawless execution. Time is of the essence. The quicker an integration materializes, the faster the time to value.

Read blog post

CrowdStrike, Splunk and Vectra – A powerful triad to find and stop cyberattacks

Security operations
By:
Ethan Durand
September 17, 2019

The combination of network detection and response (NDR), endpoint detection and response (EDR) and log-based detection (SIEM) allows security professionals to have coverage across threat vectors from cloud workloads to the enterprise.

Read blog post

Considerations when selecting your managed security services provider

Security operations
By:
Henrik Davidsson
August 22, 2019

The rationale behind choosing a managed security services provider (MSSP) can be numerous, but one of the primary reasons is to overcome the cybersecurity skills shortage. Finding the right talent in cybersecurity and retaining skilled professionals once they’ve been trained is very difficult.

Read blog post

Vectra and Nozomi Networks safely secure the IT/OT convergence

Security operations
By:
Henrik Davidsson
August 12, 2019

The time of separated networks – when you could safely keep tools for manufacturing, transportation, utilities, energy and critical infrastructure apart from your IT environment – is long gone.

Read blog post

Notable insights from the Gartner Market Guide for Intrusion Detection and Prevention Systems

Security operations
By:
Kevin Sheu
July 23, 2019

Earlier this month, the Gartner Market Guide for Intrusion Detection and Prevention Systems (ID: G00385800)*, written by Gartner researchers Craig Lawson and John Watts, was published. The guide describes the market definition and direction of requirements that buyers should look for in their IDPS solution as well as the top use-cases that drive IDPS today.

Read blog post

Accelerate your cybersecurity with a managed detection and response service

Security operations
By:
Henrik Davidsson
June 20, 2019

As a security leader, you need the most effective way forward to protect your most valuable assets, make security an integral part of your business, fully support your digitalization journey, and inspire the trust of the employees, customers and partners who work with you.

Read blog post

How to gain visibility into attacker behaviors inside cloud environments

Security operations
By:
Chris Morales
June 10, 2019

Preventing a compromise is increasingly difficult, but detecting the behaviors that occur – from command and control to data exfiltration – is not.

Read blog post

How to gain full threat visibility where only the network exists

Security operations
By:
Henrik Davidsson
June 6, 2019

The SOC visibility triad consists of network detection and response (NDR), endpoint detection and response (EDR) and log-based detection (SIEM).

Read blog post

Don’t do it: Rolling your own production Zeek deployment

Security operations
By:
Rohan Chitradurga
May 15, 2019

In a previous blog, we wrote about the benefits that come with Zeek-formatted metadata. This blog builds on that thread by discussing why our customers come to us as an enterprise solution to support their Zeek deployments.

Read blog post

Three cornerstones of the SOC nuclear triad

Security operations
By:
Kevin Sheu
May 7, 2019

Although NDR and EDR can provide perspective on this, NDR is more critical because it provides perspective where EDR cannot. For example, exploits that operate at the BIOS level of a device can subvert EDR.

Read blog post

Integrating with Microsoft to detect cyberattacks in Azure hybrid clouds

Security operations
By:
Gareth Bradshaw
September 25, 2018

Microsoft unveiled the Azure Virtual Network TAP, and Vectra announced its first-mover advantage as a development partner and the demonstration of its Cognito platform operating in Azure hybrid cloud environments.

Read blog post

2018 Black Hat Superpower Survey: It's about time and talent

Security operations
By:
Chris Morales
August 22, 2018

We love Black Hat. It’s the best place to learn what information security practitioners really care about and what is the truth of our industry. Because we want to always be relevant to customers, we figured Black Hat is an ideal event to ask what matters.

Read blog post

Vectra is positioned as the sole visionary in the 2018 Gartner Magic Quadrant for IDPS

Security operations
By:
Chris Morales
January 12, 2018

Vectra® was recently positioned as the sole Visionary in the Gartner 2018 Magic Quadrant for Intrusion Detection and Prevention Systems (IDPS). I’m pretty ecstatic about that.

Over the years, intrusion detection systems (IDS) have converged with intrusion prevention systems (IPS) and the two are now known collectively as IDPS. This convergence occurred as the security industry focused more on preventing external threat actors.

Read blog post

Fatal SIEM flaw: No body, no murder

Security operations
By:
Mike Banic
November 7, 2017

Over lunch last week, a customer who recently deployed our Cognito™ platform told me that his SIEM salesperson had said, “We can do what Vectra does with our analytics package.” I simply looked at him and said, “No body, no murder – no, they can’t.”

He was puzzled, so I explained.

Read blog post

Better together: Tight integration between endpoint and network security can stop attacks faster

Security operations
By:
Kevin Kennedy
September 20, 2017

Many security teams are overwhelmed with the scale and ferociousness of digital threats. Threats are sneakier and more damaging, and security operations centers (SOCs) are being worn down investigating and stomping out incidents.

Read blog post

Don't let your cybersecurity vendor leave you vulnerable

Security operations
By:
Chris Morales
March 23, 2017

The U.S. Computer Emergency Readiness Team (US-CERT) issued a warning last week stating that HTTPS interception weakens TLS security. As the use of encryption for privacy has increased, the security industry has responded by intercepting and decrypting SSL/TLS sessions to perform deep-packet inspection (DPI).

Read blog post

Security automation isn't AI security

Security operations
By:
Günter Ollmann
January 17, 2017

This blog was originally published on ISACA Now.

In many spheres of employment, the application of Artificial Intelligence (AI) technology is creating a growing fear. Kevin Maney of Newsweek vividly summarized the pending transformation of employment and the concerns it raises in his recent article "How artificial intelligence and robots will radically transform the economy."

In the Information Security (InfoSec) community, AI is commonly seen as a savior – an application of technology that will allow businesses to more rapidly identify and mitigate threats, without having to add more humans. That human factor is commonly seen as a business inhibitor as the necessary skills and experience are both costly and difficult to obtain.

As a consequence, over the last few years, many vendors have re-engineered and re-branded their products as employing AI – both as a hat-tip to their customers’ growing frustration that combating every new threat requires additional personnel to look after the tools and products being sold to them, and as a differentiator amongst “legacy” approaches to dealing with the threats that persist despite two decades of detection innovation.

The rebranding, remarketing, and inclusion of various data science buzzwords – machine intelligence, machine learning, big data, data lakes, unsupervised learning – into product sales pitches and collateral have made it appear that security automation is the same as AI security.

Read blog post

Turning a Webcam Into a Backdoor

Security operations
By:
Chris Morales
January 12, 2016

Reports of successful hacks against Internet of Things (IoT) devices have been on the rise. Most of these efforts have involved demonstrating how to gain access to such a device or to break through its security barrier. Most of these attacks are considered relatively inconsequential because the devices themselves contain no real data of value (such as credit card numbers or PII). Nor do the devices generally provide much value to a botnet owner: they tend to have access to lots of bandwidth but very little CPU and RAM.

Read blog post

AI and the future of cybersecurity work

Artificial intelligence
By:
Sohrob Kazerounian
November 7, 2018

In February 2014, journalist Martin Wolf wrote a piece for the London Financial Times[1] titled Enslave the robots and free the poor. He began the piece with the following quote:

“In 1955, Walter Reuther, head of the US car workers’ union, told of a visit to a new automatically operated Ford plant. Pointing to all the robots, his host asked: How are you going to collect union dues from those guys? Mr. Reuther replied: And how are you going to get them to buy Fords?”

Read blog post

Near and long-term directions for adversarial AI in cybersecurity

Artificial intelligence
By:
Sohrob Kazerounian
September 12, 2018

The frenetic pace at which artificial intelligence (AI) has advanced in the past few years has begun to have transformative effects across a wide variety of fields. Coupled with an increasingly (inter)-connected world in which cyberattacks occur with alarming frequency and scale, it is no wonder that the field of cybersecurity has now turned its eye to AI and machine learning (ML) in order to detect and defend against adversaries.

The use of AI in cybersecurity not only expands the scope of what a single security expert is able to monitor, but importantly, it also enables the discovery of attacks that would have otherwise been undetectable by a human. Just as it was nearly inevitable that AI would be used for defensive purposes, it is undeniable that AI systems will soon be put to use for attack purposes.

Read blog post

Choosing an optimal algorithm for AI in cybersecurity

Artificial intelligence
By:
Sohrob Kazerounian
August 15, 2018

In the last blog post, we alluded to the No-Free-Lunch (NFL) theorems for search and optimization. While NFL theorems are criminally misunderstood and misrepresented in the service of crude generalizations intended to make a point, I intend to deploy a crude NFL generalization to make just such a point.

You see, NFL theorems (roughly) state that given a universe of problem sets where an algorithm’s goal is to learn a function that maps a set of input data X to a set of target labels Y, for any subset of problems where algorithm A outperforms algorithm B, there will be a subset of problems where B outperforms A. In fact, averaging their results over the space of all possible problems, the performance of algorithms A and B will be the same.

With some hand waving, we can construct an NFL theorem for the cybersecurity domain: Over the set of all possible attack vectors that could be employed by a hacker, no single detection algorithm can outperform all others across the full spectrum of attacks.
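The theorem the paragraphs above paraphrase, written out as an added formal statement rather than text from the original post; the symbols follow Wolpert and Macready's 1997 paper, where f : X → Y is one objective function in the "universe of problem sets", m is the number of distinct points an algorithm has evaluated, and d_m^y is the sequence of m output values it observed:

```latex
% No-Free-Lunch theorem for search (Wolpert and Macready, 1997, Theorem 1).
% For any pair of search algorithms a_1 and a_2, any m, and any sample d_m^y,
\sum_{f \in Y^X} P\left(d_m^y \,\middle|\, f, m, a_1\right)
\;=\;
\sum_{f \in Y^X} P\left(d_m^y \,\middle|\, f, m, a_2\right).

% Consequence: any performance measure \Phi that depends only on the observed
% sample averages to the same value for both algorithms over all problems,
\sum_{f \in Y^X} \mathbb{E}\left[\Phi(d_m^y) \,\middle|\, f, m, a_1\right]
\;=\;
\sum_{f \in Y^X} \mathbb{E}\left[\Phi(d_m^y) \,\middle|\, f, m, a_2\right],

% so if a_1 beats a_2 on some subset S of problems, a_2 must make up exactly
% that margin on the complement Y^X \setminus S.
```

The sum runs over every function from X to Y, which is why the statement only bites when all problems are weighted equally; on a structured subset such as "attacks that real adversaries actually use", one algorithm can, and in practice does, dominate another. That caveat is the "hand waving" the text refers to when it carries the result over to detection algorithms and attack vectors.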

Read blog post

Types of learning that cybersecurity AI should leverage

Artificial intelligence
By:
Sohrob Kazerounian
July 18, 2018

Despite the recent explosion in machine learning and artificial intelligence (AI) research, there is no singular method or algorithm that works best in all cases.

In fact, this notion has been formalized and shown mathematically in a result known as the No Free Lunch theorem (Wolpert and Macready 1997).

Read blog post

Neural networks and deep learning

Artificial intelligence
By:
Sohrob Kazerounian
June 13, 2018

Deep learning refers to a family of machine learning algorithms that can be used for supervised, unsupervised and reinforcement learning.

These algorithms are becoming popular after many years in the wilderness. The name comes from the realization that adding more layers to a neural network typically enables the model to learn increasingly complex representations of the data.

Read blog post

How algorithms learn and adapt

Artificial intelligence
By:
Sohrob Kazerounian
May 24, 2018

There are numerous techniques for creating algorithms that are capable of learning and adapting over time. Broadly speaking, we can organize these algorithms into one of three categories – supervised, unsupervised, and reinforcement learning.

Supervised learning refers to situations in which each instance of input data is accompanied by a desired or target value for that input. When the target values are a set of finite discrete categories, the learning task is often known as a classification problem. When the targets are one or more continuous variables, the task is called regression.

Read blog post

AI vs. machine learning

Artificial intelligence
By:
Sohrob Kazerounian
April 26, 2018

“The original question ‘Can machines think?’ I believe to be too meaningless to deserve discussion. Nevertheless, I believe that at the end of the century, the use of words and general educated opinion will have altered so much that one will be able to speak of machines thinking without expecting to be contradicted.” – Alan Turing

Read blog post

The rise of machine intelligence

Artificial intelligence
By:
Sohrob Kazerounian
April 10, 2018

Can machines think?

The question itself is deceptively simple in so far as the human ability to introspect has made each of us intimately aware of what it means to think.

Read blog post

Alan Turing and the birth of machine intelligence

Artificial intelligence
By:
Sohrob Kazerounian
March 15, 2018

"We may compare a man in the process of computing a real number to a machine which is only capable of a finite number of conditions..." - Alan Turing

It is difficult to tell the history of AI without first describing the formalization of computation and what it means for something to compute. The primary impetus towards formalization came down to a question posed by the mathematician David Hilbert in 1928.

Read blog post

A sinuous journey through ``tensor_forest``

Artificial intelligence
By:
Chris Morales
December 11, 2017

Random forest, an ensemble method

The random forest (RF) model, first proposed by Tin Kam Ho in 1995, is a subclass of ensemble learning methods that is applied to classification and regression. An ensemble method constructs a set of classifiers – a group of decision trees, in the case of RF – and determines the label for each data instance by aggregating the classifiers’ outputs: a majority vote for classification, an average for regression.

The learning algorithm uses a divide-and-conquer approach and reduces the variance inherent in a single instance of the model through bootstrapping, i.e. training each tree on a random sample drawn with replacement from the training set. “Ensembling” a group of weaker classifiers therefore improves performance, and the resulting aggregated classifier is a stronger model.
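To make the bootstrapping and aggregation concrete, here is a minimal random forest written from scratch. It is an added example, not Vectra's code and not TensorFlow's ``tensor_forest``; the two-feature dataset (label 1 when a + b > 1, with 10% of labels flipped as noise) is constructed inline so the block runs offline. Each tree is grown on a bootstrap sample and considers a random subset of features at every node, and the forest predicts by majority vote:

```python
"""Minimal random forest: bootstrap samples + random feature subsets + majority vote.
Example code added for illustration; not from the original post or from tensor_forest."""
import random
from collections import Counter


def make_data(n, seed):
    """Constructed toy data: two features in [0, 1], label 1 if a + b > 1,
    with 10% of labels flipped to simulate noise."""
    rng = random.Random(seed)
    X, y = [], []
    for _ in range(n):
        a, b = rng.random(), rng.random()
        label = 1 if a + b > 1.0 else 0
        if rng.random() < 0.1:
            label ^= 1
        X.append((a, b))
        y.append(label)
    return X, y


def gini(labels):
    """Gini impurity of a label multiset (0.0 means the node is pure)."""
    n = len(labels)
    if n == 0:
        return 0.0
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def majority(labels):
    """Most common label; used both for leaves and for the forest vote."""
    return Counter(labels).most_common(1)[0][0]


def best_split(X, y, features):
    """Choose the (feature, threshold) among the candidate features that minimises
    the size-weighted Gini impurity of the two child nodes; None if no split exists."""
    best, best_score = None, float("inf")
    for f in features:
        values = sorted({row[f] for row in X})
        for lo, hi in zip(values, values[1:]):
            t = (lo + hi) / 2
            left = [lab for row, lab in zip(X, y) if row[f] <= t]
            right = [lab for row, lab in zip(X, y) if row[f] > t]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(y)
            if score < best_score:
                best, best_score = (f, t), score
    return best


def build_tree(X, y, rng, max_depth, n_feat, depth=0):
    """Grow one decision tree. Only n_feat randomly chosen features are examined
    at each node, which de-correlates the trees of the forest."""
    if depth >= max_depth or len(set(y)) == 1:
        return ("leaf", majority(y))
    split = best_split(X, y, rng.sample(range(len(X[0])), n_feat))
    if split is None:
        return ("leaf", majority(y))
    f, t = split
    li = [i for i, row in enumerate(X) if row[f] <= t]
    ri = [i for i, row in enumerate(X) if row[f] > t]
    left = build_tree([X[i] for i in li], [y[i] for i in li], rng, max_depth, n_feat, depth + 1)
    right = build_tree([X[i] for i in ri], [y[i] for i in ri], rng, max_depth, n_feat, depth + 1)
    return ("node", f, t, left, right)


def predict_tree(tree, row):
    """Walk from the root to a leaf and return its label."""
    while tree[0] == "node":
        _, f, t, left, right = tree
        tree = left if row[f] <= t else right
    return tree[1]


def fit_forest(X, y, n_trees=25, max_depth=4, n_feat=1, seed=1):
    """Bagging: every tree is trained on a bootstrap sample, i.e. len(X) rows
    drawn with replacement, so each tree sees a different noisy view of the data."""
    rng = random.Random(seed)
    forest = []
    for _ in range(n_trees):
        idx = [rng.randrange(len(X)) for _ in range(len(X))]
        forest.append(build_tree([X[i] for i in idx], [y[i] for i in idx], rng, max_depth, n_feat))
    return forest


def predict_forest(forest, row):
    """Aggregate by majority vote (for regression you would average instead)."""
    return majority([predict_tree(t, row) for t in forest])


def accuracy(predict, X, y):
    return sum(predict(row) == lab for row, lab in zip(X, y)) / len(y)


def demo():
    """Return (single-tree accuracy, forest accuracy) on held-out constructed data."""
    Xtr, ytr = make_data(300, seed=0)
    Xte, yte = make_data(300, seed=1)
    single = build_tree(Xtr, ytr, random.Random(1), max_depth=4, n_feat=2)
    forest = fit_forest(Xtr, ytr)
    return (accuracy(lambda r: predict_tree(single, r), Xte, yte),
            accuracy(lambda r: predict_forest(forest, r), Xte, yte))


if __name__ == "__main__":
    tree_acc, forest_acc = demo()
    print(f"single tree: {tree_acc:.3f}  forest of 25: {forest_acc:.3f}")
```

Because the 10% label noise caps achievable accuracy around 0.9, the interesting comparison is how much closer to that ceiling the forest gets than a single tree trained on the same data; the variance reduction the paragraph describes is what closes that gap.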

Read blog post

(Artificial) Intelligence on the EU GDPR

Artificial intelligence
By:
Matt Walmsley
July 3, 2017

The European Union (EU) General Data Protection Regulation (GDPR) is set to come into force on 25 May 2018. However, many IT, security and compliance leaders in the EU and globally still have a long way to go before they can truly describe themselves as "GDPR-ready." Artificial intelligence (AI) can make valuable contributions toward GDPR preparations and operational compliance.

Read blog post

Why it's okay to be underwhelmed by Cisco ETA

Artificial intelligence
By:
Oliver Tavakoli
June 26, 2017

Cisco recently announced the term “intent-based networking” in a press release that pushes the idea that networks need to be more intuitive. One element of that intuition is for networks to be more secure without requiring a lot of heavy lifting by local network security professionals. And a featured part of that strategy is Cisco ETA:

"Cisco's Encrypted Traffic Analytics solves a network security challenge previously thought to be unsolvable," said David Goeckeler, senior vice president and general manager of networking and security. "ETA uses Cisco's Talos cyber intelligence to detect known attack signatures even in encrypted traffic, helping to ensure security while maintaining privacy."

Read blog post

How to win the cybersecurity battle in healthcare

Artificial intelligence
By:
Chris Morales
May 4, 2017

Risky business

There is some startling data in the 2017 Verizon Data Breach Investigation Report. What stood out to me as most concerning is that more breaches occurred in healthcare this year than last year. After reviewing the report, I see three key trends.

  1. The real threat is already inside healthcare networks in the form of privileged access misuse
  2. When healthcare organizations are hit from the outside, it is usually ransomware extorting them for money
  3. The growth in healthcare IoT is overwhelming and dangerous

Read blog post

Security that thinks is now thinking deeply

Artificial intelligence
By:
Jacob Sendowski, Ph.D.
April 26, 2017

Whether the task is driving a nail, fastening a screw, or detecting a hidden HTTP tunnel, it pays to have the right tool for the job. The wrong tool can increase the time to accomplish a task, waste valuable resources, or worse. Leveraging the power of machine learning is no different.

Vectra has adopted the philosophy of implementing the most optimal machine learning tool for each attacker behavior detection algorithm. Each method has its own strengths.

Read blog post

AI: Is science fiction on a collision course with science fact?

Artificial intelligence
By:
Chris Morales
March 30, 2017

Sometimes science fiction becomes less fantastic over time than the actual reality. Take the film Ghost in the Shell, for example, which hits the big screen this week. It’s an adaptation of the fictional 28-year-old cult classic Japanese manga about human and machine augmentation.

Read blog post

Politics and the bungling of big data

Artificial intelligence
By:
David Pegna
November 17, 2016

We live in the age where big data and data science are used to predict everything from what I might want to buy on Amazon to the outcome of an election.

The results of the Brexit referendum caught many by surprise because pollsters suggested that a “stay” vote would prevail. And we all know how that turned out.

History repeated itself on Nov. 8 when U.S. president-elect Donald Trump won his bid for the White House. Most polls and pundits predicted there would be a Democratic victory, and few questioned their validity.

The Wall Street Journal article, Election Day Forecasts Deal Blow to Data Science, made three very important points about big data and data science:

  • Dark data, data that is unknown, can result in misleading predictions.
  • Asking simplistic questions yields a limited data set that produces ineffective conclusions.
  • “Without comprehensive data, you tend to get non-comprehensive predictions.”

Read blog post

Insider Threats: Spotting “the Inside Job“

Artificial intelligence
By:
Angela Heindl-Schober
December 14, 2015

Incidents of fraud, theft and abuse by rogue insiders present organisations with the ultimate targeted threat. They are carried out by highly motivated actors who have a high degree of internal organisational knowledge and comparative ease of access. Such threats can create sizable risks to digital assets and are also the most challenging to manage.

Security leaders have to understand their organisation’s context and operations in order to strike a balance between protection, control and creating value.

Users tied up in complex and over-controlling systems are unable to perform. Too light a touch sees key assets and resources too easy to misuse, alter or steal. Blending layers of organisational, physical and technical policy and management can provide a meaningful way of reducing internal cyber attacks, but no solution can be perfect. Organisations must also enable themselves to identify and recognise illegitimate internal actions and make timely interventions.

Read blog post

Automate detection of cyberthreats in real time. Why wait?

Artificial intelligence
By:
Jerish Parapurath
May 15, 2015

Time is a big expense when it comes to detecting cyber threats and malware. The proliferation of new malware variants makes it impossible to detect and prevent zero-day threats in real time. Sandboxing takes at least 30 minutes to analyze a file and deliver a signature, and by then the threat will have spread to many more endpoints.

Read blog post

Do you know how to protect your key assets?

Artificial intelligence
By:
Oliver Brdiczka
March 27, 2015

Security breaches have not stopped making headlines in recent months, and while hackers still go after credit card data, the trend is toward richer data records and the exploitation of various key assets inside an organization. As a consequence, organizations need to develop new schemes to identify and track key information assets.

The biggest recent breach in the financial industry occurred at JP Morgan Chase, with an estimated 76 million customer records and another 8 million records belonging to businesses stolen from several internal servers. At Morgan Stanley, an employee of the company’s wealth management group was fired after information from up to 10% of Morgan Stanley’s wealthiest clientele was leaked. Even more sensitive was the largest health-care breach thus far: at Anthem, over 80 million records containing personally identifiable information (PII), including social security numbers, were exposed. Less well-known, but potentially more costly in terms of damage and litigation, is the alleged theft of trade secrets by the former CEO of Chesapeake Energy (NYSE: CHK).

Read blog post

The Carbanak APT - Redefining Banking Malware

Artificial intelligence
By:
Wade Williamson
February 19, 2015

Recent research from Kaspersky has revealed a massive criminal campaign that was able to infiltrate more than 100 different banks and steal upwards of $1 billion from the affected institutions. Kaspersky dubbed this operation the Carbanak APT due to a connection between the malware used in the attacks and the now infamous Carberp banking botnet.

Read blog post

Detecting the Insider Threat – how to find the needle in a haystack?

Artificial intelligence
By:
Oliver Brdiczka
January 10, 2015

In the previous posts, we have examined the insider threat from various angles and we have seen that insider threat prevention involves the information security, legal and human resources (HR) departments of an organization. In this post, we want to examine what information security departments can actually do to detect ongoing insider threats, and even prevent them before they happen.

The literal needle in the haystack

Overall, insider threats represent only a small proportion of employee behavior. And while only the ‘black swan’ incidents become public knowledge, minor incidents such as theft of IP or customer contact lists will add up to major costs for organizations.

In addition, insiders are by default authorized to be inside the network and are both granted access to and make use of key resources of an organization. Given the large pile of access patterns visible in an organization’s network, how is one to know which ones are negligent, harmful or malicious behavior?

Read blog post

Giving incident responders deeper context about what happened

Breach
By:
Cognito
June 4, 2018

If you’re joining me for the first time, I want to introduce myself. I am Cognito, the AI cybersecurity platform from Vectra. My passion is hunting down cyberattackers – whether they’re hiding in data centers and cloud workloads or user and IoT devices.

Cybersecurity analysts are overwhelmed with security events that need to be triaged, analyzed, correlated and prioritized. If you’re an analyst, you probably have some incredible skills but are being held back by tedious, manual work.

Read blog post

WannaCry still lingering

Breach
By:
Kevin Moore
August 24, 2017

Attacks never really go away

Many enterprise organizations are currently evaluating the Vectra Cognito platform, and over the past weeks, several customers detected WannaCry attacker behaviors. Just because the headlines stopped, doesn’t mean that the attack did.

WannaCry was first reported by the media in May of this year, and we had customers who detected and responded to outbreaks within minutes. A couple of days after the initial impact, it was reported that stopping the WannaCry command and control server limited the effectiveness of WannaCry in the wild. While that may have been true, organizations are still detecting instances of WannaCry within their enterprise networks. Although this is a smaller scale than the attack in May, it is important that enterprises continue to monitor their networks for what has proven to be a fast-propagating ransomware attack with the potential to cause damage very quickly.

Read blog post

A behind-the-scenes look at how cybercriminals carry out attacks inside enterprise networks

Breach
By:
Chris Morales
June 14, 2017

Vectra AI last week published the 2017 Post-Intrusion Report, which covers the period from January through March. While there are plenty of threat research reports out there, this one offers unique insights about real-world cyber attacks against actual enterprise networks.

Most industry security reports focus on statistics of known threats (exploits and malware families) or give a post-mortem look back at breaches that were successful. The first one looks at threats that network perimeter defenses were able to block and the second lists attacks that were missed entirely.

Read blog post

Vectra detection and response to WannaCry ransomware

Breach
By:
Chris Morales
May 16, 2017

Vectra Threat Labs analyzed the WannaCry ransomware to understand its inner workings. They learned that while the way it infects computers is new, the behaviors it performs are business as usual.

WannaCry and its variants behave similarly to other forms of ransomware that Vectra has detected and enabled customers to stop before experiencing widespread damage. This is a direct benefit of focusing on detecting ransomware behaviors rather than specific exploits or malware. Many of WannaCry’s behaviors are reconnaissance and lateral movement on the internal network, within the enterprise perimeter.

Read blog post

The love-hate relationship with SIEMs

Breach
By:
Hitesh Sheth
March 7, 2017

This blog was originally published on LinkedIn.

To know SIEM is to love it. And hate it.

Security information and event management (SIEM) is a ubiquitous cybersecurity tool. It’s used by probably every security analyst who works in a security operations center (SOC).

Read blog post

Encrypt everything. Don’t let security be the reason you don’t (and attackers do)

Breach
By:
Chris Morales
December 15, 2016

On the cybersecurity website ThirdCertainty.com, Byron Acohido makes some very important points about the use of encryption by hackers to avoid detection tools and the need to detect these attacks. This is a water cooler discussion at Vectra headquarters. Encrypted traffic is an easy hiding place for attackers and difficult for organizations to deal with.

However, trying to monitor this traffic by decrypting first, performing deep-packet inspection, and then encrypting again at line-rate speeds is problematic, even with dedicated SSL decryption, especially in the long term. There are several factors at play here.

With an increasing global desire for privacy, more traffic is encrypted by default. It is becoming a standard for cloud applications. The Sandvine Internet Phenomena Report states that encryption doubled last year in North America.

This is actually great news, especially for consumer privacy. Enterprises have a strategy to encrypt everything. With this encryption however, attempts to perform SSL decryption mean there will be large volumes of encrypted data to process.

Read blog post

The new vulnerability that creates a dangerous watering hole in your network

Breach
By:
Wade Williamson
July 12, 2016

Security researchers with Vectra Threat Labs recently uncovered a critical vulnerability affecting all versions of Microsoft Windows reaching all the way back to Windows 95. The vulnerability allows an attacker to execute code at system level either over a local network or the Internet. As a result, attackers could use this vulnerability both to infect an end-user from the Internet, and then spread through the internal network.

Vectra and Microsoft collaborated during the investigation of this issue, and Microsoft has delivered a fix as part of Security Bulletin MS16-087, which is available here.

The vulnerabilities, CVE-2016-3238 (MS16-087) and CVE-2016-3239, stem from the way users connect to printers in the office and over the Internet. They could enable a relatively unsophisticated attacker to incorporate IoT devices as part of an attack and quickly infiltrate and spread through a network without detection. While this blog provides an overview of the vulnerability, you can read the in-depth technical analysis here. In addition, a video summary of the vulnerability is available here.

The vulnerability in question centers around the ways that network users find and use printers on a network. Needless to say, modern organizations often have many users, and likewise often have many different makes and models of printers. Users expect to connect to and use whatever printer is most convenient, and likewise, mobile users expect to be able to come in to the office and print.

Read blog post

Ransomware lessons from Julius Caesar

Breach
By:
Jacob Sendowski, Ph.D.
June 7, 2016

In his youth, Julius Caesar was taken hostage by Sicilian pirates and held for a ransom of 20 talents of silver (about 0.5 tons). He managed to convince the pirates that he was more important than that and encouraged them to demand 50 talents of silver instead.

They obliged and in doing so bought into a view of Caesar as superior to them. Caesar exploited this to good effect: he acted as the leader of the pirates, he practiced combat exercises with them and even read them poetry.

Eventually, Caesar’s associates returned with the silver and he was let go. He vowed to return to collect his money and kill the pirates and he went to great lengths to make good on his promise.

Caesar kept his cool, survived the hostage situation, and recovered his belongings because he had a plan and a strategy.

Read blog post

Canary in the ransomware mine

Breach
By:
Günter Ollmann
March 30, 2016

A quick no-frills solution to ransomware inside the enterprise

Ransomware is clearly the scourge of 2016. Every week there is a new and notable enterprise-level outbreak of this insidious class of malware – crippling and extorting an ever widening array of organizations.

For a threat that is overwhelmingly not targeted, it seems to be hitting large and small businesses with great success.

The malware infection can come through the front door of a failed “defense-in-depth” strategy or the side door of a mobile device latched to the corporate network on a Monday morning.

Read blog post

Is your thermostat spying? Cyberthreats and the Internet of Things

Breach
By:
Oliver Brdiczka
July 13, 2015

The Internet of Things (IoT) is beginning to have a huge impact on our daily lives, and it will grow by orders of magnitude. However, the multitude of IoT devices with zero, limited or outdated security could produce disastrous results. It will be a formidable task to secure every small IoT device or toy. Security solutions that watch device behavior and identify anomalies might be our only hope.

The IoT is on the rise...

The genesis of IoT goes back to the early ’90s when PARC chief scientist Mark Weiser came up with the vision of Ubiquitous Computing and Calm Technology. In this vision, computing becomes “your quiet, invisible servant” and disappears from conscious actions and the environment of the user.

Read blog post

Dyre Malware Games the Test

Breach
By:
Wade Williamson
May 7, 2015

The Dyre family of banking malware is back in the news after researchers recently observed that the malware incorporated tricks to avoid detection in malware sandboxes. Previously, Dyre was most notable for targeting high-value bank accounts, including business accounts, and incorporating sophisticated social engineering components to overcome the 2-factor authentication used by most banks.

In this latest twist, the Dyre malware aims to identify when it is being run in a malware sandbox by counting the cores of the machine on which it is running. The trick, in this case, is that many malware sandboxes will run as a virtual machine with only a single processor and single core in order to conserve resources. Malware sandboxes have to analyze a very large number of files, so each virtual machine often gets provisioned with a bare minimum of resources in order to run as many VMs as possible.

Read blog post

Cyberattackers Are Digital Termites

Breach
By:
Mike Banic
March 1, 2015

Each of the publicized breaches over the past 15 months has been followed by the same question: “How did these attackers go undetected for several weeks or months?” The 80 million Americans covered by Anthem, whose personally identifiable information (PII) was stolen, are now asking this very question.

Let me liken this attack to a recent experience in my own life. After finding a small pile of what looked like sawdust on the hardwood floor of our guest room, it was like the “oh-crap” moment a CXO experiences when a 3-letter agency informs them that their organization’s crown jewels have been discovered in Kazakhstan. “Oh crap, we have termites.” Just like Sony Entertainment called in the FBI or Anthem called in a forensics agency, we called the termite guy.

Read blog post

The Anthem Breach and Security Going Forward

Breach
By:
Wade Williamson
February 6, 2015

Yesterday Anthem became the latest company to suffer a massive, high-profile data breach that almost certainly will become the largest data breach to date in the healthcare industry. Attackers were able to infiltrate the network and steal personal information for over 80 million customers. The stolen data included a variety of Personally Identifiable Information (PII), including Social Security numbers, contact details, and employment and income information.

This is a particularly dangerous combination of data that is worth significantly more on the black market than stolen credit card numbers. Unlike a credit card, which can be easily cancelled and replaced, a full identity can be used for long-term fraud such as taking out loans in the victim’s name. Employment information is particularly sought after when selling an identity. The one silver lining is that it does not appear that medical records and other Personal Health Information (PHI) were exposed in the breach.

Read blog post

Applying Vectra to the Regin Malware

Breach
By:
Wade Williamson
December 3, 2014

Researchers at Symantec have recently disclosed the presence of a highly sophisticated malware platform known as ‘Regin’. This new strain of malware instantly joins Stuxnet, Flame, and Duqu on the list of some of the most advanced malware ever seen. And like the other members of this elite state-sponsored fraternity, Regin malware appears to be purpose-built for espionage, with the ability to quietly infect, spread, and persist within a target network for long periods of time.

Read blog post

Catch Attackers Attempting to Shellshock You

Breach
By:
Oliver Tavakoli
September 29, 2014

The recent discovery of Shellshock, the bash shell bug, has something in common with the discovery of Heartbleed earlier this year. Both vulnerabilities existed for many years before they were discovered – over two years for Heartbleed and over 22 years for Shellshock. Both affect a very large number of computer and communications systems. Both have induced a gut-wrenching panic.

There will always be two periods during which you are vulnerable to such exploits. The first is the period before the vulnerability is reported and may have been exploited by a few attackers. The second is the span of time between when the vulnerability is publicly reported and before you patch the affected systems. During this second period, every attacker imaginable will attempt to exploit the vulnerability. Predicting when new vulnerabilities will appear and what ways creative attackers will come up with to exploit them is generally a losing battle. That doesn’t mean there is nothing you can do to catch them.

Read blog post

Vectra detections will enable Juniper to block cyberattacks via API

Breach
By:
Mike Banic
September 9, 2014

Today, Vectra AI participated in Juniper Networks’ announcement of the expansion of its Spotlight Secure threat intelligence platform. Part of the technology expansion is an open API that enables the Vectra X-series to communicate detection of in-progress cyber attacks to Juniper’s Spotlight Secure platform.

The integration enabled by this open API delivers three important benefits:

  • The ability to block the attack;
  • A single pane of glass; and
  • The flexibility and choice to deploy best-of-breed solutions
Read blog post

Detecting Future Heartbleed Security Exploits

Breach
By:
Oliver Tavakoli
August 22, 2014

Reading Steve Ragan's write-up on the recent Community Health Systems breach in CSO online took me back to my blog post on Heartbleed on the Inside from May 1, 2014 that included this cautionary note.

"It's only a matter of time – actually, it's probably already happening – before we see targeted attacks that utilize Heartbleed as one of the weapons in the attackers' arsenal to acquire key account credentials and use those credentials to get to the crown jewels."

Read blog post

Art of Scoring Malware Detections – Friend or Foe?

Breach
By:
Oliver Tavakoli
August 15, 2014

As our customer base has grown, the variety of opinions about what constitutes a threat has grown with it. This variety creates challenges for products like ours, which strive to supply the right epiphanies with little or no configuration required by our customers.

One example of this comes up when we’ve detected what we call “external remote access” behavior in the network. This detection algorithm basically detects remote control of a host inside an organization’s network by an entity outside (in this context, “outside” means not connected via VPN) the network on a connection that has been initiated by the internal host.
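The two network behaviors described on this page that lend themselves to a flow-level illustration are the WannaCry post's reconnaissance and lateral movement inside the perimeter, and the “external remote access” behavior above: an internal host opens the connection, but the outside party drives it. The code below is an added example for this page and is not Vectra's detection logic; the flow record layout, the thresholds, the private-address definition of “internal”, and the heuristic that a remotely controlled session shows many small inbound command bursts answered by larger outbound responses are all my assumptions, and the flows are constructed, not captured.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "inside"; anything else is "outside".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Flow:
    ts: float         # seconds: when the TCP connection was opened
    src: str          # the side that initiated the connection
    dst: str
    dport: int
    duration: float   # seconds the connection stayed open
    turns: tuple      # application-layer bursts in order: (sender_ip, bytes)


def smb_fanout(flows, window=60.0, threshold=20):
    """WannaCry-style internal sweep: one inside host opening TCP/445 to many
    distinct inside peers within a sliding window.  Returns {src: max_peers}."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == 445 and is_internal(f.src) and is_internal(f.dst) and f.src != f.dst:
            by_src[f.src].append((f.ts, f.dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            peers = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


def external_remote_access(flows, min_turns=5, min_duration=300.0):
    """Inside host opened a long-lived connection to an outside address, and the
    outside end drives it: repeated small inbound bursts, larger outbound answers.
    Returns [(src, dst, external_turns)].  Heuristic is an assumption of this example."""
    hits = []
    for f in flows:
        if not is_internal(f.src) or is_internal(f.dst) or f.duration < min_duration:
            continue
        ext_turns = ext_bytes = int_bytes = 0
        for sender, nbytes in f.turns:
            if sender == f.dst:
                ext_turns += 1
                ext_bytes += nbytes
            else:
                int_bytes += nbytes
        if ext_turns >= min_turns and int_bytes > ext_bytes:
            hits.append((f.src, f.dst, ext_turns))
    return hits


def build_sample_flows():
    """Constructed flows for the demo; none of this is captured traffic."""
    flows = []
    # 10.0.0.5 sweeps TCP/445 across 31 inside peers in 30 seconds.
    for i in range(31):
        flows.append(Flow(100.0 + i, "10.0.0.5", f"10.0.0.{10 + i}", 445, 0.2, (("10.0.0.5", 200),)))
    # A normal client talking to its file server a few times.
    for i in range(5):
        flows.append(Flow(100.0 + 10 * i, "10.0.0.7", "10.0.0.50", 445, 30.0,
                          (("10.0.0.7", 500), ("10.0.0.50", 8000))))
    # Reverse-shell shape: inside host opened it, outside end issues 8 short commands.
    cmd_turns = tuple(t for _ in range(8) for t in (("203.0.113.9", 40), ("10.0.0.5", 2500)))
    flows.append(Flow(200.0, "10.0.0.5", "203.0.113.9", 443, 3600.0, cmd_turns))
    # Ordinary HTTPS download: outside end sends almost all the bytes.
    dl_turns = (("10.0.0.7", 300),) + tuple(("198.51.100.20", 50000) for _ in range(10))
    flows.append(Flow(210.0, "10.0.0.7", "198.51.100.20", 443, 900.0, dl_turns))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("SMB fan-out:", smb_fanout(sample))                   # {'10.0.0.5': 31}
    print("external remote access:", external_remote_access(sample))  # [('10.0.0.5', '203.0.113.9', 8)]
```

The download in the sample is what keeps the second check honest: it is also internal-initiated and long-lived, but the byte direction is wrong for remote control, so it is not flagged. Real implementations need far richer features than turn counts and byte ratios (timing regularity, TLS session reuse, destination reputation), and the thresholds here are placeholders to be tuned against your own baseline, which is exactly the “what constitutes a threat” disagreement the post above describes.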

Read blog post

Packet Pushers Shines Critical Light on New Cybersecurity Solution

Breach
By:
Tom Canty
August 14, 2014

Salespeople. They're charismatic, they're informative, and if they're good, they'll convince you that what they have is exactly what you need. I remember being tasked with finding a new corporate travel solution by a former manager. When information I found online looked promising, or was too vague, I'd request a sales demo. During the meeting, I would experience total clarity. What a perfect solution. This is exactly what we need. I'm not an easy sell, am I? The assurance salespeople provide is comforting, but the thing is, not all solutions are an ideal fit, and a salesperson isn't in the business of helping you find an ideal fit.

Read blog post

Are We Secure?

Breach
By:
Dain Perkins
May 28, 2014

Meaningful information security metrics seem to come in as many shapes and sizes as there are CISAs, CISMs, and CISSPs brave enough to weigh in on the subject. There are plenty of risk and security frameworks available to help guide a security team to a reasonable answer to nearly any question posed regarding the appropriate allocation of resources required to reduce a given business risk to a specific level.

Read blog post

Responding to a Priority One Malware Attack

Breach
By:
Jason Tesarz
May 7, 2014

If you are an SE like me, then you have probably experienced a 'priority one' incident response with your customer. Things are on fire and you call in all the reinforcements you can. If you are an IT or security guy, then you have probably placed the call for help. Either way, you will understand.

Here's the customer scenario. It's fire drill time. Internet connectivity and applications are going down and everyone is panicking. Either your organization has been compromised by malware or you are under active attack. Now is the time that all of your security products need to be working, and working well.
Read blog post

Heartbleed on the Inside

Breach
By:
Oliver Tavakoli
May 2, 2014

A lot has been said about the global impact of Heartbleed. First, we had all the descriptions of Heartbleed – my favorite one was on xkcd. Then we saw warnings that we would need to change our password on public websites. That was followed by a warning that, since the private keys of certificates could be retrieved by exploiting Heartbleed, we should change our passwords now, wait for Web sites to change their certificates and then change our passwords again.

What has received far less attention is the fact that many of our common enterprise products (e.g., routers, firewalls, web proxies) inside our infrastructure are also susceptible to Heartbleed. Bulletins from Cisco, Juniper Networks and Blue Coat indicate widespread use of OpenSSL, the software in which the Heartbleed bug exists, in these products. Even industrial control systems from companies like Siemens have this vulnerability, which Arik Hesseldahl wrote about recently on Re/code.net. And, unlike public-facing web sites, many of which have already been updated to fix the bug, the availability and deployment of patches for all your infrastructure systems hits you in unexpected ways, including the need to upgrade to a newer software version than the one you are probably running, which in turn requires testing cycles before you can deploy it.

Read blog post

Finding Signals in Security's White Noise

Breach
By:
Mike Banic
April 22, 2014

A customer recently shared her perspective on the growing security white noise – a term she uses to describe the increasingly high volume of alerts coming out of defense-in-depth security tools. To punctuate her point, she pulled up a recent Wall Street Journal blog with an example from Gartner analyst Avivah Litan of a client who receives over 135,000 security alerts a day. As Avivah aptly stated, "It becomes like the car alarms going off in a parking lot – no one takes them seriously because generally there are too many false car alarms."

Looking back at the Bloomberg BusinessWeek coverage of the Target breach, the article focused on multiple security alerts about the malware used to initiate the attack. While these alerts were marked as high priority, it is easy to imagine that an enterprise the size of Target may have been receiving hundreds or thousands of security alerts of varying priority, creating white noise.

Read blog post

Divining Attacker Intent

Breach
By:
Oliver Tavakoli
April 17, 2014

In talking to customers, I am frequently reminded of the fact that people's understanding of how malware is built and delivered hasn't kept up with the changing landscape over the past few years. While most people expect actual targeted attacks to evolve through multiple stages, much of the run-of-the-mill botnet malware no longer infects a system in a single stage either.

Much of this multi-stage malware starts off with a small dropper that only represents the initial stage of an exploit. We’ve seen small droppers come bundled in Microsoft Word documents, PDF files and spreadsheets attached to emails or be retrieved when browsers access URLs – whether the user clicks on a link embedded in an email or visits a compromised web site.
Read blog post

Security Report Season: what malware does versus what it is.

Breach
By:
Oliver Tavakoli
April 2, 2014

The first quarter of every year in the security business brings every imaginable retrospective of all the bad things that happened the prior year. This year is no different. As I read this year's crop of reports (this required several cups of coffee), I was struck by the fact that much of the focus continues to be on malware families, which I call "the race to win the naming game," and the number of zero-day threats found.

The naming game is always an interesting one. It leads to names like Kelihos (aka Hlux), ZeroAccess (aka Sirefef), Zeus (aka Zbot) and the usual rogues' gallery of malware. While the desire to name things is all too human (after all, it helps us communicate about complex things with very little effort), when you juxtapose the number of malware variants against the desire to name them all, you can see that we're facing an uphill battle.
Read blog post

Does Your Security Architecture Adapt to Changing Threats?

Breach
By:
Mike Banic
March 25, 2014

Target, Neiman Marcus, Michael’s. There’s no doubt that the retail sector is under attack, but prominent retailers are not alone. Criminals are targeting banks, healthcare providers, government agencies and even high schools—anyone with high-value data or a reputation to protect. Whether your business is big or small, chances are that hackers have already penetrated your network.

But what do you do?

A new Gartner report, “Designing an Adaptive Security Architecture for Protection from Advanced Attacks,” advises: “All organizations should now assume that they are in a state of continuous compromise.” The challenge it outlines is that blocking and prevention capabilities alone are insufficient against motivated, advanced attackers.

Read blog post

New NIST guidelines on Zero Trust Architecture calls for deeper visibility into the network

Infrastructure
By:
Marcus Hartwig
October 7, 2019

According to NIST, “No enterprise can completely eliminate cybersecurity risk. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and general cyber hygiene, ZTA can reduce overall risk exposure and protect against common threats.”

Read blog post

The imminent threat against industrial control systems

Infrastructure
By:
Chris Morales
November 30, 2017

The United States has not been the victim of a paralyzing cyber-attack on critical infrastructure like the one that occurred in Ukraine in 2015. That attack disabled part of the Ukrainian power grid, leaving more than 700,000 people without electricity.

But the United States has had its share of smaller attacks against critical infrastructure. Most of these attacks targeted industrial control systems (ICS) and the engineering personnel who have privileged access.

Read blog post

Bolstering the blue team

Infrastructure
By:
Cognito
November 19, 2017

Hey everyone. For my first blog, I want to share a story about my role on the blue team during a recent red team exercise.

But first, I want to introduce myself to those of you who might not know me. I am Cognito, the artificial intelligence in the Vectra cybersecurity platform. My passion in life is hunting down cyber attackers – whether they’re hiding in data centers and cloud workloads or user and IoT devices.

Read blog post

How AI detects and mitigates cyber attacks in software-defined data centers

Infrastructure
By:
Chris Morales
June 23, 2017

Earlier this month Vectra announced plans to leverage the capabilities of VMware NSX to accelerate the detection and mitigation of hidden cyber attackers in virtualized data centers.

Vectra currently applies artificial intelligence to automatically detect attacker behaviors inside virtualized data centers. Vectra also integrates with endpoint and network response tools to automate the workflow.

Read blog post

Cybersecurity: What to expect in 2017

Infrastructure
By:
Hitesh Sheth
December 13, 2016

Cybersecurity is a rapidly evolving landscape and 2017 will be no different. Attackers will leverage artificial intelligence and find new ways to infiltrate corporate networks and businesses using adaptive attacks. Encrypted traffic will increasingly blind legacy security technologies, while ransomware gets smarter and more targeted. Also watch for geo-political changes that act as a catalyst for increased cyber attacks involving nation states.

Read blog post

Cyberattack of the clones

Infrastructure
By:
Chris Morales
November 27, 2016

In previous research from the Vectra Threat Labs, we learned that seemingly innocuous vulnerabilities can become serious problems in the context of the Internet of Things (IoT). IoT is the unattended attack surface, and more IoT devices means bigger clone armies.

The recent public release of source code for malware named "Mirai" has proven exactly that. Mirai continuously scans the Internet for IoT devices using factory default usernames and passwords, primarily CCTV cameras and DVRs.

Read blog post

Exploiting the firewall beachhead: A history of backdoors into critical infrastructure

Infrastructure
By:
Günter Ollmann
September 28, 2016

Sitting at the edge of the network and rarely configured or monitored for active compromise, the firewall today is a vulnerable target for persistent and targeted attacks.

Read blog post

The Impact of IoT on Your Attack Surface

Infrastructure
By:
Wade Williamson
September 29, 2015

Researchers from Vectra Threat Labs recently performed an in-depth analysis of vulnerabilities found in a common Belkin wireless repeater. Today in an article on Dark Reading, Vectra CTO Oliver Tavakoli digs into why seemingly innocuous vulnerabilities can become serious problems in the context of the Internet of Things (IoT). Read the full article here.

Of particular importance to security teams, IoT is not only bringing far more devices into the network, but they are also devices that very rarely get patches and updates. This means that vulnerabilities can be left unaddressed for months or even years. Likewise, these devices are unlikely to be protected by signatures and will almost assuredly be unable to run client-based security.

Read blog post

Insider attacks pose a serious threat to critical U.S. infrastructure

Infrastructure
By:
Oliver Brdiczka
December 7, 2014

A scary 70 percent of critical infrastructure organizations suffered security breaches in the last year, including water, oil and gas, and electric utilities. An almost equally high 64 percent anticipate one or more serious attacks in the coming year.

In the previous posts of this series, we highlighted insider threat risks for US companies and how they respond to them. While the insider threat in government agencies and big companies is a known problem with at least partially implemented mitigation strategies, less is known about the insider threat to critical US infrastructure, such as water purification or nuclear power plants. To illustrate the nature of the threats, let me provide two examples from a Department of Homeland Security report – the Insider Threat to Utilities report.

Read blog post

Reducing the Cybersecurity Risk for BYOD – Can you have your gadgets and use them too?

Infrastructure
By:
Tom Canty
August 1, 2014

A few things ring true of today's working world. First is that no one in the year 2014 should have to work in a cubicle. Defenders will say "it's been this way for years," or "you'd be surprised by how common it is." That doesn't make working in a small felted cubby any less ridiculous. In the brief time I occupied one it was best used for sleeping on the job, and I've discovered that's a terrifying idea when sitting in a room full of your peers.

The second is that personal devices should be encouraged and ubiquitous fixtures of the workplace. One simple reason is that employer-provided technology is often clunky, out-of-date, or unsightly, so using personal devices can mean using better devices.
Read blog post

I'll Have Two BYOD and One Mobile, Hold the Malware Threats Please

Infrastructure
By:
Mike Banic
April 29, 2014

While meeting with a customer last week, we looked through the detections report to see if some of the new algorithms we released had produced detections. I noticed the lines for all categories of detections dropped precipitously and then increased nearly as rapidly two days later. Nearly as fast as I pointed my finger at the screen, he said, "Yeah, that's the weekend."

It took 3 seconds for us both to say, "Laptops." If you ever wanted evidence that most malware is walked in the front door on mobile devices like laptops, tablets and smartphones, then this is the graph for you.
Read blog post