services

Overview

Take action early and often
Gartner-validated approach to identifying behaviors in the early stages of an attack like command-and-control and reconnaissance behaviors found in today’s compromises.

Add efficiency to your security workflow
‍Vectra customers achieved a 34X workload reduction for Tier-1 SOC analysts in detection, triage, correlation and prioritization of security incidents.This enables security operations teams to focus on compromised devices that pose the highest risk.

“This solution excels at rolling up numerous alerts to create a single incident to investigate that describes a chain of related activities, rather than isolated alerts that an analyst then has to piece together.”
Gartner Research

Analysis
2019 Black Hat Edition of the Attacker Behavior Industry Report
Gartner IDPS Market Guide

Product
Cognito Detect: Automatically detect attacker behaviors and prioritize compromised devices that pose the biggest risk

Overview

Identifying data access and theft
‍The Cognito platform implements a suite of detection algorithms that identify hidden attackers who gain access to critical resources. This often indicates that operational disruption or data exfiltration is imminent.

To identify these malicious behaviors, supervised and unsupervised machine detection algorithms identify the early tell-tale signs of attack, including:

• An internal host acquires large amounts of data from one or more internal servers and subsequently sends it to an external system
• An internal host communicates with outside IPs using DNS, HTTP or HTTPS. This indicates a hidden tunnel that uses multiple sessions over longer periods of time while mimicking normal traffic
• A host transmits unusually large volumes of data to destinations that are not considered normal for the network
• An internal host sends data to another internal host that acts as a relay, which indicates an attempt to obfuscate communication with the external system

Analysis
2019 Black Hat Edition of the Attacker Behavior Industry Report

Product
Cognito Detect

Overview

Hunt using security-enriched network metadata
Whether sourced from an analyst’s daily workflow or open source intelligence, the first step in threat hunting is to make sure that the attributes necessary to answer investigative queries are readily available.
‍
This is precisely why Vectra uses AI engines to extract security insights that are embedded in our metadata. Notable security enrichments include beaconing activity, domain rarity and privilege level of relevant entities.

Security-enriched network metadata is fed directly to data lakes and SIEMs. Or dive deep into the metadata using Cognito Recall, Vectra’s investigative workbench optimized for threat hunting, incident analysis and sub-second searches at scale.

Data source
Blog: Why network metadata is just right for your data lake
Blog: Don’t do it: Rolling your own production Zeek deployment

Enrichments
Blog: Not all data is created the same
Blog: Improving threat-hunting efficiency with the multi-homed attribute

Overview

Gain visibility into security and compliance gaps

• Categorize compliance holes to meet requirements for regulations that include National Institute of Standards and Technology (NIST), General Data Protection Regulation (GDPR), MITRE ATT&CK framework and PCI compliance
• SMB exposed to the internet - SMB has many known vulnerabilities, including exploits that enable the spread of ransomware
• Identify SMBv1 activity - From anonymous NTLM logins to man-in-the-middle to EternalBlue, SMBv1 opens a broad spectrum of attacker exploits
• Identify TLS 1.0/1.1 activity - No longer PCI DSS compliant, TLS 1.0/1.1 is being deprecated by major vendors due to security vulnerabilities
• Telnet and unencrypted FTP - Telnet and FTP are unsecure protocols, can be used to pass credentials in the clear, and are vulnerable to sniffing attacks