Security data today is broken. NetFlow is incomplete while PCAPs are storage and performance intensive. Organizations that choose to deploy and maintain open-source Zeek must face the resource- and time-intensive effort of hardware assembly and configurations, software configurations, and building integration into existing tooling. This leaves security practitioners in an untenable state.
With Vectra Stream, security teams are empowered with the rich network context necessary to build custom tooling as well as feed models to detect, investigate and hunt. Delivered in open-source Zeek format, it seamlessly integrates security insights into data lakes and SIEMs without the overhead and scale limitations that accompany open-source Zeek.
The metadata from Vectra Stream is enriched with host identity, enabling investigations based on device names rather than just IP addresses. This eliminates the need to search DHCP logs in parallel to find the device using an IP address at specific times, and to track the changes in the device’s IP address for the period of time relevant to an investigation. Searching by device name saves time when speed is crucial. Security insights embedded in the metadata provide threat hunters with intelligence for investigations and threat hunting.
Vectra Stream provides visibility into network traffic by extracting metadata from all packets and storing it in your data lake or SIEM for correlation, search and analysis. Every IP-enabled device on the network is identified and tracked.
This visibility extends to servers, laptops, printers, BYOD and IoT devices as well as all operating systems and applications, including traffic between virtual workloads in data centers and the cloud. The metadata includes connectivity and details across the protocols critical for threat hunting and investigating incidents.
Metadata is captured from all internal (east-west) traffic, internet-bound (north-south) traffic, virtual infrastructure traffic and traffic in cloud computing environments. Vectra Stream forwards searchable metadata to data lakes with Kafka, syslog, and Elastic support.
Organizations can deploy the Vectra platform in 30 minutes or less and start hunting for threats or investigating incidents without the operational overhead of managing the sensor infrastructure.
The sensors connect to a central entity (“Brain”) that de-duplicates the flows and runs the host identification and enrichment algorithms. Vectra Stream is deployed as an on-premises virtual machine (VM). The VM normalizes the metadata into Zeek format and delivers it to a data lake or SIEM that can be running on-premises or in the cloud.
Indicators of compromise (IoCs) are found in the course of an analyst’s daily workflow or learned from open source intelligence being shared or internal research. Searching enriched network metadata for IoCs enables an analyst to search retrospectively for IP addresses, domains, URLs, hashes and SSL certificates used in the course of a cyberattack. With long-term metadata retention, searching for high-value IoCs is very powerful.
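The following is an added example, not Vectra's code, illustrating the two points above: the manual DHCP-lease correlation an analyst must do when metadata carries only IP addresses, and a retrospective IoC search that groups hits by device name once the records are enriched. The Zeek-style conn records, DHCP leases and IoC value are all constructed, and the enrichment field name `orig_hostname` is a hypothetical stand-in for whatever field the product actually emits.

```python
import json

# Constructed DHCP leases: which device held which IP, and for which time window (epoch seconds).
DHCP_LEASES = [
    {"ip": "10.0.0.5", "host": "LAPTOP-ALICE", "start": 1700000000, "end": 1700003600},
    {"ip": "10.0.0.5", "host": "PRINTER-2F", "start": 1700003600, "end": 1700007200},
    {"ip": "10.0.0.9", "host": "LAPTOP-ALICE", "start": 1700003600, "end": 1700007200},
]

# Constructed Zeek conn.log records as JSON lines; IP addresses only, no host identity.
RAW_CONN_LOG = """\
{"ts": 1700001000.0, "uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1700004000.0, "uid": "C2", "id.orig_h": "10.0.0.5", "id.resp_h": "198.51.100.20", "id.resp_p": 80, "proto": "tcp"}
{"ts": 1700005000.0, "uid": "C3", "id.orig_h": "10.0.0.9", "id.resp_h": "203.0.113.7", "id.resp_p": 443, "proto": "tcp"}
"""

# Constructed IoC learned from threat intelligence: a responder address to search for retrospectively.
IOC_RESP_IPS = {"203.0.113.7"}


def parse_jsonl(text):
    """Parse Zeek JSON-lines output into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def host_for_ip_at(ip, ts):
    """Manual approach: find the device that held `ip` at time `ts` by walking the DHCP leases."""
    for lease in DHCP_LEASES:
        if lease["ip"] == ip and lease["start"] <= ts < lease["end"]:
            return lease["host"]
    return None  # no lease covers that moment: the IP cannot be attributed


def enrich(records):
    """Simulate the enrichment step: stamp each record with the originating device name."""
    out = []
    for r in records:
        r = dict(r)
        r["orig_hostname"] = host_for_ip_at(r["id.orig_h"], r["ts"])  # hypothetical field name
        out.append(r)
    return out


def ioc_hits(records, ioc_ips, key="orig_hostname"):
    """Retrospective IoC search: return {key value: [uids]} for connections to an IoC address."""
    hits = {}
    for r in records:
        if r["id.resp_h"] in ioc_ips:
            hits.setdefault(r[key], []).append(r["uid"])
    return hits
```

Grouping by `id.orig_h` shows two apparently separate sources, while grouping by the enriched device name shows that both IoC contacts came from the same laptop across its IP address change.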
Effective threat hunting is achieved with total visibility over the IT assets, risks, and flows within an organization’s network. The data needed for this type of visibility breaks down into three categories:
Network metadata provides an analyst with a high-level view of patterns and events as they occur across an entire network.
Host and application data (combined into device data) provides an analyst with granular, low-level details of behaviors at the host level, including system processes and memory access.
Combined, these datasets provide a comprehensive map of the enterprise, giving a multilevel view of what might be going on. These datasets are most effectively used in tandem by hunters to detect advanced threats.
With custom detections, an analyst can monitor events for any kind of behavior, such as suspicious or emerging threats, compliance violations, internal misuse or industry-specific attack vectors. Security insights in Vectra Stream provide machine-learning building blocks embedded in the metadata that can be combined with other attributes to create powerful custom models correlated to a specific host or user account.
Vectra Stream enables security analysts to conduct deeper, more conclusive incident investigations in an existing data lake or SIEM with remarkable efficiency.
By leveraging enriched network metadata, security analysts can easily follow the chain of related events from attack detections found by Vectra Detect, third-party security products, and searchable, high-quality threat intelligence in historical network metadata.
When incidents are reported by the Vectra Detect application or third-party security products, Vectra Stream ensures that security analysts have a complete 360-degree view of all workload and device activity.
With Vectra Stream, security analysts can investigate incidents with unprecedented efficiency using complete context about the transactions across the network, along with relevant details about associated devices, accounts and network communications.