Back to Blog

Vectra Attack Signal Intelligence (ASI)

By
Kevin Kennedy
|
October 12, 2022

72% of security practitioners “think they may have been breached, but don’t know it.” Said differently, nearly three-quarters of security teams don’t know where they are compromised right now.  We call this the unknown threat, and it has been gaining steam over the past couple years given the rapid shift to hybrid cloud services, storage, applications and identity. Unknown threats whether cloud-based, account takeovers or attacks on the supply chain, simply have more ways to infiltrate and move laterally inside and organization — which is why we believe the unknown threat is the single biggest cybersecurity risk today.

We see evidence of this in IBM’s Cost of a Data Breach 2022 Report, where nearly half (45%) of breaches are cloud-based. We see it in Verizon’s 2022 Data Breach Investigations Report that found nearly half of breaches stemmed from stolen credentials. What’s more, Verizon found that APTs attacking supply chains, accounted for 62% of system intrusion incidents.

So, why are organizations more susceptible to unknown threats? We believe it boils down to three things, where at the heart of these three things, is the vicious spiral of trying to address more with “more.”

  • More attack surface exposure means more tools, which means more complexity.
  • More evasive attackers mean more rules, which means more alerts and more tuning.
  • More alert rules to tune and maintain means more analysts, more work and more burnout.

What’s discouraging is that the security industry keeps trying to fight more with more, but it’s incredibly clear that this is not the answer. More does not erase the unknown. It fuels it.  More is the cause of the confidence problem that security leaders face.  

Breaking away from the spiral of “more”

Two factors drive the spiral of “more”

The first, is structural in the security industry — too many point products for threat detection and response. The only practical solution to this is threat detection and response platforms that have breadth of attack surface coverage, and can unify and simplify natively. We will talk more about this in a future blog [XDR].  

The second, is the language that still-common detection tools use to do detection — most notably IDS and SIEM. This stems from a decades-long focus on building threat intelligence capabilities to rapidly communicate about and find known IoCs like C2 domains, file hashes, malicious process names, registry keys, regex in packets, etc. Detection rule languages were naturally optimized to find these known IoCs.  

Today, the landscape has changed, and these approaches can’t keep up:

  • Modern threats move too fast, leaving defenders constantly chasing the latest vulnerability or domain.
  • Modern attacker methods defy characterization by signatures and simple rules.
  • Modern, evasive threats circumvent prevention and go undetected, for months.

One simple example is finding an attacker that’s using a stolen admin credential to move laterally with a Windows admin protocol. If you have the right data, then rules and signatures can tell you every time an admin credential is used with Windows admin tools used to remotely run code. Potential attack activity will be buried in alerts for every admin doing their job. Now the attempts to tune this rule begin — and will never end — maybe the rule is effective, maybe not. This is a recipe for more blind spots and more burnout. A recipe for the unknown compromise to win out.

Good ML/AI models are the only way out of this vicious cycle

For over a decade, Vectra has been researching, patenting, developing and pioneering Security AI centered on erasing the unknown and not doing it with more, but doing it with less. The core premise of Vectra Security AI does not focus on collecting more data but collecting and analyzing the right data in the right way.

Collecting the right data and analyzing it in the right way arms security teams to do more with less tools, less work and in less time. At Vectra, we believe to erase the unknown threat, AI/ML should arm security teams to do 3 simple things effectively and efficiently:  

  • Think like an attacker to go beyond signatures and anomalies to understand attacker behavior and zero in on attacker TTPs across the cyber kill chain.
  • Know what is malicious by analyzing detection patterns unique to your environment to surface relevant events and reduce noise.
  • Focus on the urgent with a view of threats by severity and impact enabling analysts to focus on responding to critical threats and lowering business risk.

Enter Attack Signal Intelligence

The only “more” security need, is more Attack Signal Intelligence

Attack Signal Intelligence is to the unknowns what Threat Intelligence is to the knowns. Unlike other “AI” approaches that look for simple anomalies to tell security teams what’s different, Vectra’s Attack Signal Intelligence tells security teams what matters.  

We do this by continuously monitoring for use of attacker methods with a set of models programmed with an understanding of attacker TTPs (think MITRE ATT&CK) and the ability to learn your unique environment. We then run the results through another layer of AI which combines an understanding of your environment in aggregate, with threat models, and human threat intelligence, to automatically surface the threats that matter most to your business. The result is that our customers are 85% more efficient in identifying actual threats and achieve >2x higher security operations productivity.      

If threat intelligence gives security the confidence to mitigate what is known, then Attack Signal intelligence gives security the confidence to mitigate what was previously unknown. Harnessing Vectra’s patented Attack Signal Intelligence, security teams are empowered to erase the unknown, turn the tables on attackers and make the world a safer and fairer place.  

That’s our commitment.

For more information on how we are delivering on our mission, check out these resources: