How a Global Retailer Passed Red Team Tests with Vectra
Every year, this global retail giant hires consultants to conduct red team exercises that test the mettle of its cybersecurity operations. And every year it failed, until it deployed Vectra.
I had the privilege to speak with John Byun, Sr. Security Architect at a global retailer, about how his team passed Red Team testing, why partnering with Vectra was vital to achieving that milestone, and how the Cognito Platform has become essential to his organization’s security operations.
Vectra deploys for high fidelity alerts and less noise
Unfortunately, the seven-member security operations center (SOC) team was saddled with a lean security budget despite having to maintain network security for hundreds of stores and a busy online retail business. John’s team needed a network detection and response (NDR) solution that would identify attackers that bypass firewalls and intrusion prevention or detection systems (IPS/IDS) at the network perimeter, while providing visibility into threats.
When selecting a product, John said that his “must haves” for a security tool include 1) accurately detecting true positives, and 2) reducing noise. He remarked, “If it can’t detect true positives, what good is it doing for you?”
Following those top two needs, John mentioned that a clean UI, effective functionality, ease of use, and reasonable price are all “nice to have.”
Eventually, the SOC team narrowed its NDR options down to two finalists, Vectra and ExtraHop, which were both operational in a proof-of-concept (POC) test. By coincidence, this occurred at the same time the company was engaged in another Red Team penetration test.
During the POC, John noted that Vectra “had a number of detections for that Red Team operation” and triaged detections using AI. On the other hand, while ExtraHop eventually showed some detections, its rule-based technology and failure to triage detections couldn’t compare to That’s when they selected Vectra as their NDR solution.
“ExtraHop, to me, was not a security tool. It’s a network monitoring tool with some security functionalities in it,” John explained. He added that ExtraHop was considerably noisier than Vectra and did not have the same tuning capabilities that tailored alerts to his SOC activity.
Within two weeks, John’s noise level dropped significantly. After almost three years of using Vectra, John notes that they only receive 4 to 5 high-fidelity detections per day: “We don’t have to spend hours a day investigating these detections.”
This reduced SOC workload gives his team more time to investigate incidents, proactively hunt for threats, and perform conclusive investigations.
John said it best himself: “I told my boss that if our budget got completely slashed, Vectra would be the last tool I would get rid of.”
Staying ahead of Red Team
Red Team testing challenges SOC teams when it comes to protection, detection, and remediation. Since deploying Vectra, John’s SOC team has passed Red Team testing two years in a row.
Of course, this success wouldn’t have been possible without two other elements of the SOC visibility triad: security information and event management (SIEM) and endpoint detection and response (EDR). John noted the importance of using NDR along with SIEM and EDR in order to achieve end-to-end coverage.
“For me, I believe our SOC triad includes our EDR tool, NDR is Vectra, and our last is Splunk,” John said. Though they use Splunk and their EDR solution to gain visibility into activity, Vectra is the main component that they rely on for detections.
Watch this video to hear John walk through his Red Team progression (tip: start at 18:05 to jump right into the story).
The beauty of a strong partnership
John and I closed out by affirming the mutual communication and collaboration between our teams. When John said, “It’s the best relationship I’ve had with a vendor,” I couldn’t contain my excitement. Nothing is better than knowing our partners feel supported—especially when we enjoy working together.
In the future, his organization plans to undergo Purple Team testing. This decision exemplifies the opportunities and benefits derived from enthusiastic cooperation and continued success using Vectra solutions.
As this global retailer continues to leverage Vectra technology and build out their enterprise security, we will continue to support them every step of the way.
Tune in to my conversation with John and watch the chat on-demand.