Since Vectra's inception, the focus has primarily been on host devices. Hosts generate the network traffic that the Vectra AI platform analyzes to identify attacker behaviors. They are also the prime targets for attackers and require meticulous remediation. Traditionally, attributing attacker behaviors to the hosts from which they emanate has been the norm.
However, Vectra is now broadening its scope to include accounts with the recent introduction of Vectra Privileged Threat Analytics (PTA).
Why Vectra AI built Privileged Threat Analytics (PTA)
Attackers, once inside a network, engage in reconnaissance to understand the environment's structure and identify critical systems. A significant part of their strategy involves escalating their privileges to gain more comprehensive access. Recognizing this, Vectra has leveraged insights gained from adopting the attacker’s perspective.
This approach has led to groundbreaking technologies in addressing account security within the Vectra AI platform.
What is Privileged Threat Analytics?
Vectra Privileged Threat Analytics (PTA) introduces an account and privilege focus to the Vectra AI platform. This system is grounded in a patented technology that observes, infers, and comprehends the privilege levels of accounts, hosts, and services interacting on the network. These privilege levels are incorporated into the metadata in Stream and Recall, enhancing security analysts' and threat hunters' investigative capabilities.
Key Features of PTA
- High-Fidelity Detection Models: PTA focuses on entities with higher privileges, allowing for deeper scrutiny of their behaviors. This leads to high-quality detections involving admin and service accounts engaging in unusual or potentially malicious activities.
- Account-Based View in UI: One of the most significant updates to the Vectra UI in years includes an account-based perspective. Accounts linked to detections are rated with threat and certainty scores, displayed in a two-axis chart. Each account has a dedicated page detailing associated detections and contextual information.
- Understanding Observed Privilege: PTA emphasizes observed privilege, which differs from granted privilege. Observed privilege is based on actual network usage patterns, unlike granted privilege, which is defined by access rights in a directory server. This approach is more reflective of real-world scenarios and threats.
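The two ideas above, observed privilege and privilege-focused detection, can be illustrated with a small model over authentication metadata. The following is an added example, not Vectra's patented algorithm or any code from the platform: it scores each account by the rarity of the (host, service) pairs it reaches (an account that uses resources few others use behaves as a privileged one, whatever its directory groups say), then raises an alert only when an account in the observed-privileged tier touches a resource outside its own baseline. The event list, the `GRANTED_ADMIN` group and the `2 x median` tier threshold are constructed assumptions for the illustration.

```python
import math
from collections import defaultdict
from statistics import median

# Constructed authentication metadata: (account, host, service) tuples.
# Hypothetical names, not taken from any real environment.
BASELINE_EVENTS = [
    ("alice", "fileserver", "smb"), ("alice", "intranet", "http"), ("alice", "mail", "imap"),
    ("bob", "fileserver", "smb"), ("bob", "intranet", "http"), ("bob", "mail", "imap"),
    ("carol", "fileserver", "smb"), ("carol", "intranet", "http"),
    ("dave", "intranet", "http"), ("dave", "mail", "imap"),
    ("svc-backup", "fileserver", "smb"), ("svc-backup", "db-01", "mssql"), ("svc-backup", "dc-01", "ldap"),
    ("it-admin", "dc-01", "rpc"), ("it-admin", "ws-01", "rdp"), ("it-admin", "ws-02", "rdp"),
    ("it-admin", "fileserver", "smb"),
]

# Directory group membership, standing in for *granted* privilege (assumed).
GRANTED_ADMIN = {"it-admin"}

# Later events to evaluate against the baseline (constructed).
NEW_EVENTS = [
    ("dave", "intranet", "http"),      # ordinary user, usual resource
    ("dave", "ws-09", "rdp"),          # ordinary user, new resource: not privileged, no alert
    ("svc-backup", "ws-05", "rdp"),    # privileged-by-observation account, new host and service
]


def resources_by_account(events):
    """Map each account to the set of (host, service) pairs it was seen using."""
    resources = defaultdict(set)
    for account, host, service in events:
        resources[account].add((host, service))
    return resources


def observed_privilege(events):
    """Score each account by how scarce the resources it reaches are.

    Simplified heuristic (assumption, not Vectra's method): a (host, service) pair
    used by few accounts is weighted log(N / users_of_pair); an account's score is
    the sum over its pairs, so broad access to rarely shared resources scores high.
    """
    users_per_resource = defaultdict(set)
    for account, host, service in events:
        users_per_resource[(host, service)].add(account)
    resources = resources_by_account(events)
    n_accounts = len(resources)
    return {
        account: sum(math.log(n_accounts / len(users_per_resource[r])) for r in res)
        for account, res in resources.items()
    }


def privileged_accounts(scores, factor=2.0):
    """Observed-privileged tier: accounts scoring above factor x the population median."""
    threshold = factor * median(scores.values())
    return {account for account, score in scores.items() if score > threshold}


def observed_but_not_granted(events):
    """Accounts that behave as privileged on the wire but hold no admin group membership."""
    return privileged_accounts(observed_privilege(events)) - GRANTED_ADMIN


def detect_unusual_privileged_access(baseline_events, new_events):
    """Alert when an observed-privileged account reaches a resource outside its baseline.

    Non-privileged accounts doing something new are deliberately not alerted on:
    the scrutiny is concentrated on the entities whose misuse matters most.
    """
    scores = observed_privilege(baseline_events)
    privileged = privileged_accounts(scores)
    baseline = resources_by_account(baseline_events)
    alerts = []
    for account, host, service in new_events:
        if account not in privileged or (host, service) in baseline[account]:
            continue
        known_hosts = {h for h, _ in baseline[account]}
        known_services = {s for _, s in baseline[account]}
        alerts.append({
            "account": account,
            "host": host,
            "service": service,
            "new_host": host not in known_hosts,
            "new_service": service not in known_services,
            "observed_privilege": round(scores[account], 3),
        })
    return alerts


if __name__ == "__main__":
    for account, score in sorted(observed_privilege(BASELINE_EVENTS).items(), key=lambda kv: -kv[1]):
        print(f"{account:12s} observed privilege {score:.3f}")
    print("privileged by observation but not by directory:", observed_but_not_granted(BASELINE_EVENTS))
    for alert in detect_unusual_privileged_access(BASELINE_EVENTS, NEW_EVENTS):
        print("ALERT", alert)
```

With this data `svc-backup` never appears in an admin group yet lands in the observed-privileged tier because it alone reaches the database and LDAP services; its later RDP session to a workstation it has never touched is the single alert, while the same kind of novelty from an ordinary user is left for lower-priority review.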
How PTA Differs from Legacy Approaches
Unlike User Behavior Analytics (UBA) and other traditional account-based analytics that treat all accounts equally, PTA adopts an observational approach. This method focuses on privileged entities and highlights malicious behaviors where preventive measures might not be sufficient.
Elevating Cybersecurity with Vectra PTA
Vectra Privileged Threat Analytics represents a paradigm shift in monitoring and protecting privileged entities during active attack phases. Now available for all existing Vectra customers and evaluators, PTA offers a novel, more effective way to approach cybersecurity, especially in managing and understanding privileged accounts.
If you’re ready to change your approach to monitoring and protecting your privileged entities, get in touch with us.