Vectra Detect

Vectra Detect is a key component of the Vectra AI platform that employs artificial intelligence and machine learning to detect and prioritize cyber threats in real time. It continuously monitors network traffic, user behavior, and cloud environments to identify indicators of compromise, anomalous activities, or potential security breaches. Vectra Detect provides accurate and actionable threat intelligence, empowering security teams to respond swiftly and effectively to emerging threats.

A critical part of the Vectra AI cyberattack detection and threat-hunting platform, Vectra Detect is the fastest, most efficient way to find and stop cyberattackers in cloud, data center, and enterprise environments. It uses artificial intelligence to deliver real-time attack visibility and put attack details at your fingertips.

How Vectra Detect works

Rich metadata

Vectra Detect gives you real-time visibility into cloud and enterprise traffic by extracting network metadata from packets rather than performing deep packet inspection, enabling protection without prying.

Metadata analysis is applied to all internal (east-west) traffic, Internet-bound (north-south) traffic, virtual infrastructure, and cloud environments. Vectra Detect identifies, tracks, and scores every IP-enabled device from the cloud to the enterprise.

This visibility extends to laptops, servers, printers, BYOD and IoT devices as well as all operating systems and applications, including traffic between virtual workloads in data centers and the cloud, even SaaS applications.

System, authentication, and SaaS logs provide context enrichment to network metadata analysis for accurate identification of systems and users.

Vectra Detect uses STIX threat intelligence to detect threats based on known indicators of compromise derived from threat intelligence. These are correlated with other attacker behaviors to ensure pinpoint accuracy of host threat and certainty scores to prioritize risk.

Identify attacker behaviors

The collected metadata is analyzed with behavioral detection algorithms that spot hidden and unknown attackers. This exposes fundamental attacker behaviors in cloud and enterprise traffic, such as remote access tools, hidden tunnels, backdoors, credential abuse, and internal reconnaissance and lateral movement.

Vectra Detect continuously learns your local environment and tracks all cloud and on-premises hosts to reveal signs of compromised devices and insider threats. A wide range of cyberthreats is automatically detected in all phases of the attack lifecycle, including:

  • Command-and-control and other hidden communications
  • Internal reconnaissance
  • Lateral movement
  • Abuse of account credentials
  • Data exfiltration
  • Early indicators of ransomware activity
  • Botnet monetization
  • Attack campaigns, including the mapping of all hosts and their associated attack indicators

Vectra Detect also monitors and detects suspicious access to critical assets by authorized employees, as well as policy violations related to the use of cloud storage, USB storage, and other means of moving data out of the network.

Its built-in security insights feature allows security analysts to track and evaluate new accounts, hosts, and other devices (including IoT) in an environment, surfacing non-security information such as new devices and accounts joining the network or using new admin protocols.

Vectra AI automatically identifies new accounts and labels hosts by the role they perform (e.g., domain controller or DNS server). This allows security analysts to better evaluate the risks involved with a detection and take informed steps when responding.

Automated analysis

The Threat Certainty Index™ in Vectra Detect consolidates thousands of events and historical context to pinpoint hosts that pose the biggest threat.

Instead of generating more events to analyze, Vectra Detect boils down mountains of data to show what matters most. Threat and certainty scores trigger notifications to your staff or a response from other enforcement points, SIEMs, and forensic tools.

The Attack Campaigns feature further automates security detections by connecting the dots of related attacker behaviors and exposing the relationship between hosts across internal detections, external advanced command-and-control detections, and connectivity to common command-and-control infrastructures.

[Figure: The Threat Certainty Index in Vectra Detect]

As attackers perform reconnaissance and move laterally between hosts and cloud workloads, Vectra Detect correlates behaviors and detections and presents a synthesized view of the entire attack campaign.

Vectra Detect pivots to show views of hosts or related campaign detections, and analyzes event history spanning its entire lifetime to better understand the activity and full scope of attack. When looking for complete context, Vectra AI displays information in one consolidated location and eliminates the need for analysts to pivot to other tools.

[Figure: Vectra Detect presents a synthesized view of an entire attack campaign]

Drive response

Respond quickly and decisively to threats by putting the most relevant information and context at your fingertips. Unlike security analytics products, Vectra Detect eliminates manual investigations by automatically prioritizing and correlating threats with compromised hosts and key assets that are the target of an attack.

Vectra Detect puts threat detection details – including host context, packet captures, and threat and certainty scores – within immediate reach.

In addition, Vectra Detect works with your next-generation firewalls, endpoint security, NAC, and other enforcement points to automatically block unknown and customized cyberattacks. Vectra Detect also provides a clear starting point for threat investigations, which boosts the efficiency of SIEMs and forensic analysis tools.

Vectra Detect: Powered by Artificial Intelligence

[Figure: Real-time detection of data exfiltration in progress]

Security context that saves time

Vectra Detect unburdens and empowers security operations teams that are understaffed. This is achieved by automating the time-consuming analysis of security events and eliminating the need to endlessly hunt for hidden threats.

Each detection is explained in detail, along with the underlying event and historical context that led to the detection. Security analysts can instantly view a connection map of any host to see other hosts the device is communicating with and how.

Vectra Detect is the only solution that offers a unified view of accounts on your network and in the cloud. The platform is uniquely positioned to recognize and evaluate interactions between workloads and identities, which gives analysts knowledge of how those workloads and identities function in an environment.

Vectra Detect also provides on-demand access to enriched metadata from captured packets for further forensic analysis. This gives security teams the proof and accuracy they need to take immediate, decisive action.

Vectra Detect also leverages Privileged Access Analytics to automatically analyze behaviors and uses artificial intelligence to identify entities that have privilege and differentiate between approved and malicious uses. It is available across the Vectra platform as searchable security enrichments in Vectra Stream and Vectra Recall and as detections in Vectra Detect. Custom use-cases are also supported by accessing its attributes through the Vectra REST API.

Strengthen your existing security infrastructure

Whether providing the intelligence to block a new class of threat with firewalls, endpoint security, NAC and other enforcement points, or providing a clear starting point for a more extensive search with SIEMs and forensic tools, Vectra Detect gives you more value from existing security technologies.

Vectra Detect integrates with leading endpoint security solutions to automatically add enriched context to investigations and enables security operations teams to isolate compromised host devices.

A robust API enables automated response and enforcement with virtually any security solution. Vectra Detect also generates syslog messages and CEF logs for all detections as well as prioritized host scores. This makes Vectra Detect much more than just another source of logs and provides an ideal trigger for investigations and workflows within your SIEM.
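The page describes threat and certainty scores (the Threat Certainty Index) and says detections and prioritized host scores are emitted as CEF logs that a SIEM can use as a trigger. The following is an added example, not Vectra's code and not Vectra's documented CEF schema: it parses CEF lines (handling the format's header and extension escaping), resolves the CEF custom-field labels, and ranks hosts by the product of their threat and certainty scores. The sample log lines are constructed, and the choice to carry threat and certainty in the custom number fields cn1/cn2 and a category in cs1, as well as the 50-point thresholds, are assumptions made for illustration; a real integration would use the field names from the vendor's CEF documentation.

```python
"""Parse CEF-formatted detection logs and rank hosts by threat x certainty.

Added example; the sample lines and field layout below are constructed and are
not a documented vendor schema.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample CEF lines. cn1/cn2 carry threat and certainty scores and
# cs1 carries a detection category (illustrative assumption, not a real schema).
SAMPLE_CEF = """\
CEF:0|ExampleVendor|ExampleNDR|1.0|host_scored|Host score update|5|shost=ws-finance-12 src=10.1.20.34 cn1=82 cn1Label=threat cn2=74 cn2Label=certainty
CEF:0|ExampleVendor|ExampleNDR|1.0|detection|Hidden HTTPS Tunnel|8|shost=ws-finance-12 src=10.1.20.34 dst=203.0.113.9 cs1=command_and_control cs1Label=category
CEF:0|ExampleVendor|ExampleNDR|1.0|host_scored|Host score update|3|shost=printer-3f src=10.1.30.7 cn1=35 cn1Label=threat cn2=20 cn2Label=certainty
CEF:0|ExampleVendor|ExampleNDR|1.0|host_scored|Host score update|5|shost=dc-01 src=10.1.0.5 cn1=60 cn1Label=threat cn2=88 cn2Label=certainty
CEF:0|ExampleVendor|ExampleNDR|1.0|detection|Suspicious Admin \\| Jump Host|6|shost=dc-01 src=10.1.0.5 msg=admin protocol from 10.1.20.34 not seen before ratio\\=high cs1=lateral_movement cs1Label=category
"""

_HEADER_FIELDS = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
# Extension values may contain spaces; a value ends just before the next "key=" token.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")


def _split_header(line: str) -> Tuple[List[str], str]:
    """Consume the seven pipe-delimited header fields, honouring the CEF '\\|' escape."""
    fields, buf, i = [], [], 0
    while len(fields) < 7 and i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # '\|' or '\\' inside a header field
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("not a CEF line: fewer than 7 header fields")
    return fields, line[i:]


def _unescape_ext(value: str) -> str:
    """Undo extension escaping ('\\=', '\\\\', '\\n', '\\r')."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extension); custom fields are also exposed under their cnNLabel/csNLabel names."""
    raw, ext_text = _split_header(line.strip())
    header = dict(zip(_HEADER_FIELDS, raw))
    header["cef_version"] = header["cef_version"].split(":", 1)[1]
    ext = {m.group(1): _unescape_ext(m.group(2)) for m in _EXT_RE.finditer(ext_text.strip())}
    for key, label in list(ext.items()):
        m = re.fullmatch(r"(c[ns]\d+)Label", key)
        if m and m.group(1) in ext:
            ext[label] = ext[m.group(1)]       # e.g. cn1=82 + cn1Label=threat -> threat=82
    return header, ext


@dataclass
class HostState:
    host: str
    ip: str = ""
    threat: int = 0
    certainty: int = 0
    detections: List[str] = field(default_factory=list)

    @property
    def priority(self) -> str:
        # Constructed thresholds: high on both axes is the quadrant an analyst opens first.
        if self.threat >= 50 and self.certainty >= 50:
            return "critical"
        if self.threat >= 50:
            return "high"
        if self.certainty >= 50:
            return "medium"
        return "low"


def prioritize(cef_text: str) -> List[HostState]:
    """Fold score updates and detections per host, then rank by threat x certainty."""
    hosts: Dict[str, HostState] = {}
    for line in cef_text.splitlines():
        if not line.strip():
            continue
        header, ext = parse_cef(line)
        host = ext.get("shost") or ext.get("src", "unknown")
        state = hosts.setdefault(host, HostState(host=host, ip=ext.get("src", "")))
        if header["signature_id"] == "host_scored":   # constructed signature id for score updates
            state.threat = int(ext.get("threat", state.threat))
            state.certainty = int(ext.get("certainty", state.certainty))
        else:
            state.detections.append(header["name"])
    return sorted(hosts.values(), key=lambda h: (h.threat * h.certainty, h.threat), reverse=True)


if __name__ == "__main__":
    for h in prioritize(SAMPLE_CEF):
        print(f"{h.priority:8} {h.host:15} {h.ip:12} threat={h.threat:3} certainty={h.certainty:3} {h.detections}")
```

The ranking key deliberately multiplies the two scores so a host that is high on only one axis does not outrank one that is high on both; a SIEM rule can then open a case only for hosts whose priority is "critical" and attach the accumulated detection names as context.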

Full lifecycle detection of ransomware

Vectra Detect identifies ransomware campaigns against enterprises and other organizations across all phases of an attack. By monitoring all internal network traffic, Vectra Detect identifies in seconds the fundamental behaviors of a ransomware attack as it attempts to take critical assets hostage.

In addition to detecting ransomware directly, Vectra Detect exposes ransomware precursors, including command-and-control traffic, network scans, and spreading behavior that ransomware relies on to find and encrypt critical assets.

Watching the watchers

While attackers may initially compromise an end-user device, the real prize involves commandeering administrator or system credentials. Vectra Detect goes beyond simple user-behavior monitoring to detect signs of compromised administrators.

[Figure: The Vectra Detect ransomware detection]

Vectra Detect tracks administrative protocols and learns the specific machines or jump systems that are used to manage specific hosts, servers and workloads. This vigilance quickly reveals when a cybercriminal attempts to use administrative credentials and protocols to escalate an attack.

[Figure: Example of the Shell Knocker Server detection in the Vectra Detect UI]

Unifying data center operations

Modern data centers require constant coordination between networking, application development, virtualization teams, and of course, the security team. Vectra Detect makes it easy for all groups to remain in sync and retain full visibility from cloud to enterprise even when workloads are constantly on the move.

What is Cognito Detect?

Cognito Detect is the former name of the Vectra Detect functionality. The Vectra AI Platform was originally branded as "the Cognito Platform". The Platform and its features have been rebranded to reflect the evolution of our products.

What is the difference between Vectra Detect and Vectra Recall?

Vectra Recall complements Vectra Detect. Vectra Detect identifies compromised hosts in real time as an investigation starting point. Vectra Recall finds threats that detection has missed by investigating historical metadata.