Behavioral analysis – blocking an attack at an early stage
Vectra Cognito provides the fastest and most effective way to detect and stop an attack on your network – the only “Visionary” in Gartner MQ for NDR.
Because today’s business ecosystems are so dispersed, the network is becoming a major platform for detecting attacks at an early stage. The network is the lifeblood of the entire infrastructure, physical and virtual, across IT, BYOD and IoT.
Any rule violation or behavioral anomaly within a group in the organization, such as:
- too many login attempts,
- logins from unusual locations,
- network scanning commands,
- additional information in packet headers,
- transmission of software categorized as malicious,
- attempts to spread internally via mailbox,
…is captured and forwarded to the appropriate workflow, analyst, or device.
Importantly, Vectra detections are automatically correlated to the affected devices. In our view, ensuring that alerts are prioritized based on the possible criticality of the breach is invaluable in the face of constant work overload (aka “alert fatigue”) for cybersecurity analysts.
The platform works as follows:
- Captures network events, correlates and consolidates them into scenarios.
- Connects them to the device to which the events relate.
- Adds context – network metadata and related events.
- Prioritizes alerts – so the analyst knows what to do.
Thanks to continuous monitoring of internal network traffic, it identifies within seconds behaviour characteristic of, for example, malicious code that encrypts data, or an attacker trying to spread to other users through a compromised mailbox.
Operators no longer have to review and categorize alerts manually. Above all, they get support in organizing work that, with digital transformation, extends to assets beyond their direct control, such as public clouds and servers in colocation facilities. Vectra responds to this challenge by offering full integration and advanced monitoring capabilities for AWS, Office 365, Azure, Active Directory, SharePoint, OneDrive, Exchange and Teams.
The system analyzes, among other things:
- login processes,
- adding and changing privileges,
- changes in files, software and hardware configuration,
- changes in network settings, such as mailbox re-routing.
Working in real time, the system links events from cloud services to the appropriate device, correlates them with local network behavior and checks them for anomalies. This makes Vectra the most effective solution for Microsoft Office 365 protection, unmatched in detecting account takeover and internal propagation.
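To make the four-step workflow above and the linking of cloud events to a device concrete, here is an added illustration in Python. It is not Vectra code and makes no claim about how Cognito scores anything: the event records, the threshold and the weights are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample events, not real telemetry. Each tuple is
# (device, source, behaviour, detail); the device is what detections get correlated to.
EVENTS = [
    ("ws-017",  "network", "login_failed",  {"user": "j.doe", "count": 42}),
    ("ws-017",  "network", "port_scan",     {"targets": 120}),
    ("ws-017",  "o365",    "forward_rule",  {"user": "j.doe", "dest": "external"}),
    ("ws-023",  "network", "login_failed",  {"user": "a.kim", "count": 3}),
    ("srv-db1", "o365",    "login_success", {"user": "svc-backup", "geo": "unusual"}),
    ("srv-db1", "network", "login_success", {"user": "svc-backup", "geo": "usual"}),
]

FAILED_LOGIN_THRESHOLD = 10   # assumed cut-off; fewer failures are treated as noise

def classify(behaviour, detail):
    """Map one event to (tag, weight); None means it is below the anomaly threshold."""
    if behaviour == "login_failed":
        return ("brute_force", 3) if detail["count"] >= FAILED_LOGIN_THRESHOLD else None
    if behaviour == "login_success" and detail.get("geo") == "unusual":
        return ("unusual_location", 4)
    if behaviour == "port_scan":
        return ("internal_recon", 2)
    if behaviour == "forward_rule" and detail.get("dest") == "external":
        return ("mailbox_rerouting", 5)
    return None

def correlate(events):
    """Steps 1-3: consolidate anomalous events into one scenario per affected device."""
    scenarios = defaultdict(lambda: {"tags": [], "sources": set(), "score": 0})
    for device, source, behaviour, detail in events:
        hit = classify(behaviour, detail)
        if hit is None:
            continue                       # devices with only noise never get a scenario
        tag, weight = hit
        scenario = scenarios[device]
        scenario["tags"].append(tag)
        scenario["sources"].add(source)
        scenario["score"] += weight
    # Context: a cloud event confirmed by local network behaviour on the same
    # device is a stronger signal than either alone, so the score is doubled.
    for scenario in scenarios.values():
        if {"network", "o365"} <= scenario["sources"]:
            scenario["score"] *= 2
    return scenarios

def prioritize(events):
    """Step 4: (device, score, tags) rows, worst first, so the analyst knows where to start."""
    rows = ((dev, s["score"], s["tags"]) for dev, s in correlate(events).items())
    return sorted(rows, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for device, score, tags in prioritize(EVENTS):
        print(f"{device:8} score={score:3}  {', '.join(tags)}")
```

On the constructed input, ws-017 (brute force, internal scan and an external forwarding rule, seen from both network and cloud sources) ranks first; ws-023's three failed logins never produce a scenario at all.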
All of this is made possible by behavioral analytics based on the advanced, Gartner-acclaimed AI and machine learning engine embedded in the solution. In an era of hundreds of thousands of EPS (events per second), it is the computational capability and the “intelligence” of how it is applied that let you stay one step ahead of attackers. Among other things, Vectra AI uses the MITRE ATT&CK framework, which details the tactics, techniques and procedures (TTPs) attackers use to breach security, from the initial intrusion, through evading defenses, to finally taking control of the “crown jewels.”
One of the key determinants of trust in Vectra is its strategic partnership with Microsoft. This has resulted in full native integration of Vectra with the entire Microsoft ecosystem for the SOC visibility triad, plus full monitoring of the O365, Azure and AWS operating environments.
Add Vectra’s integration with systems such as NAC, SIEM and NGFW, and you get an additional layer of visibility and the ability to detect attacks at a stage when they can still be blocked before damage is done.