Not all Network Detection and Response solutions are created equal
“Vectra clearly outperformed ExtraHop. Vectra detected red team activity during the proof-of-concept. That was the first time we ever detected a threat.”
Information security architect
Beauty industry retailer
Network security has changed
The new network
Today’s network includes cloud, IoT devices, data centers, and the enterprise network.
More detections = more work
Solutions that claim to provide more detections are merely making more work for security analysts.
Hiding in plain sight
Attackers use legitimate credentials and your existing processes to remain hidden. We focus on attacker behavior, not signature- or anomaly-based detections.
Decryption is not necessary.
ExtraHop claims it supports SSL/TLS 1.3 decryption while Vectra has no decryption support.
Reality: Strong security is possible without decryption. Vectra detects attackers in encrypted SSL/TLS 1.3 traffic (Hidden HTTPS Tunnel) without requiring decryption.
Fact: Vectra does not decrypt because decryption violates privacy laws, slows network performance, increases packet storage costs, and full decryption is impossible.
ExtraHop requires an endpoint agent to decrypt TLS 1.3. ~70% of enterprise devices cannot run the agent.
Throughput does not mean efficacy.
ExtraHop claims to support 100 Gbps monitoring while Vectra only supports 20 Gbps.
Reality: Raw throughput is not the governing factor in determining the scale of monitoring. The primary factor is the maximum number of hosts that are continuously monitored for threats.
Fact: Vectra supports 40 Gbps sensor and 55 Gbps of active threat monitoring with the X80 Cognito appliance.
Threat behavior monitoring and data streams are not synonymous.
ExtraHop claims to support over 70 protocols while Vectra only supports 10.
Reality: Threat behavior monitoring and data streams are not synonymous. The majority of ExtraHop protocols only collect network performance monitoring metrics and do not monitor for hidden attackers.
Fact: Vectra records more than 15 different data streams and monitors for hidden threats in traffic over countless protocols. While there are no data streams for FTP, Telnet, Postgres, etc., they are all still monitored for security.
ExtraHop claims it supports full Layer 2-7 behavioral anomaly detection while Vectra has limited behavioral anomaly detection.
Reality: Vectra is focused on detecting behaviors related to adversarial tactics, techniques and procedures (TTPs).
Fact: Pure anomaly detection produces overwhelming volumes of false-positive alerts that require examination.
Fact: With anomaly detection, the distinction between user behaviors and attacker behaviors is nebulous, even though they are fundamentally different.
ExtraHop claims it can sustain 25 Gbps cloud monitoring and Vectra only processes 2 Gbps.
Reality: ExtraHop is limited by the number of critical hosts it can monitor. Throughput is not the limiting factor.
Reality: ExtraHop incorporates network context that you must search for manually, whereas Vectra's security insights automatically surface and label hosts and accounts using network metadata.
Fact: Vectra supports 8 Gbps cloud monitoring with an r5n.4xlarge instance type.
“Vectra detected the threat in minutes and we shut them down.”
Information security architect
Beauty industry retailer