This is an active breach detection tool with a very particular focus: malware, especially APTs. Vectra characterizes the product as "APT defense" using automated threat management. Of the products we looked at this month, this one is the most focused. That is consistent with the company's objective of simplifying and automating as much as possible so that the entire process can be operationalized. "Operationalize" is a term we've heard a lot lately, and it may be the most important general concept behind these rather complicated tools. In just about every case - and this one is no exception - the complexity of what the tool does is well concealed under a well thought-out, comfortable user interface.
We started with configuration of the Vectra device. Ninety-nine percent of the work is done on premises and one percent in the Vectra cloud, which supplies updates, context and threat intelligence; updates can be pushed as soon as new information is available. Once configured, the system watches all of the traffic in and out of the network. It deploys passively, on a SPAN port or a network tap, so it observes traffic rather than sitting inline and blocking it; the operator acts on what it reports. It tracks traffic host by host (IP by IP) and, when it sees a threat involving a particular IP, examines it and reports the detection with a percentage of certainty.
The product provides a distinctive user interface for quick analysis. It is the first tool we've seen that uses a scatter plot of threat against certainty, so the items that are both most dangerous and most certain cluster in one corner and are the obvious place to start. It also characterizes threats by severity. Clicking on one of the bubbles in the scatter plot reveals details about that particular threat, including hostname and IP address, latest detections, threat level, certainty and recent history for that host.
At a glance
Product: X-series Platform
Company: Vectra Networks
Price: $68,000 for hardware and software; hardware support $1,600; software support and upgrades at no additional cost.
What it does: Spots and analyzes attacks, particularly APTs.
What we liked: This is about as simple for the operator as it gets. For a very focused tool, this one excels at what it does and is quite good at the peripheral tasks associated with its main mission.
You can drill down even further for more information on the current detection and past detections, plus a nice graph that shows exactly what the data path involved is or was. This graph - really more of a flow chart - shows the steps in the kill chain as well as the types of entities involved, a botnet, for example. The threat level and certainty - both on a scale of 1-100 - can be expanded with the "explain" option, which is worth reading before acting: a high threat score paired with low certainty is a candidate for investigation rather than immediate containment, while a high score on both axes is the one to act on first.
One thing we really liked is a function called the "data smuggler." It shows up as a specially colored box - violet on our test machine - usually at the exit point of the data flow chart. Clicking on it gives a lot of detail about the data exfiltration in that particular event. The detail includes a detection summary that shows exactly where the exfiltrated data came from on the network, how it is being exfiltrated - over SSL, for example - how much has been sent and where it was sent. For an SSL session that summary is necessarily built from what a passive sensor can see - endpoints, volume and timing - rather than from the encrypted payload, which is enough to identify the channel and its destination but not the content. All of this is combined on a timeline so that you can see every exfiltration attempt from a particular host over time.
Another good drill-down is the brute-force detection, which describes in detail an attacker's attempts to brute-force a password on a network device. Again, the detail is considerable and, as with every detection, a PCAP (packet capture) can be downloaded for later analysis at the packet level.
There are several other detections, including internal port scans (where the attacker has taken over a device and uses it for reconnaissance), malware updates from the command and control (including the IP of the C&C server), fake browser activity, suspect domain activity, internal darknet scans - which tell the analyst which unused (dark) internal IP addresses a host has been probing, a reconnaissance sign because nothing legitimate has reason to talk to unallocated address space - and Tor activity. Additionally, the tool provides triage filters that you configure to highlight activity on particular hosts.
The company characterizes the architecture as a brain with a collection of sensors: the brain is a physical appliance and the sensors can be small, large or virtual. The sensors feed the brain, and the brain does the analysis.
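To make the detections described above concrete, here is an added Python example that is not Vectra's code or algorithm: it runs simplified versions of the data smuggler, brute-force, internal port scan and internal darknet scan detections over constructed flow records (the kind of per-host summary a SPAN or tap sensor would produce) and scores each host with a threat level and a certainty on the 1-100 scale the review describes. The address plan, thresholds, severity weights and the flow records themselves are all assumptions made for the illustration.

```python
"""Passive-sensor style detections over constructed flow records.

Added example, not Vectra's code or algorithm: it approximates the kind of
per-host behavioral detections the review describes (data smuggler, brute
force, internal port scan, internal darknet scan) with fixed thresholds and
scores each host with a threat level and a certainty on a 1-100 scale.
Address plan, thresholds, severities and flow records are all assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")       # assumed corporate address space
DARKNET = ip_network("10.250.0.0/16")     # assumed unallocated ("dark") slice of it
AUTH_PORTS = {22: "ssh", 3389: "rdp"}
PROTO_BY_PORT = {443: "ssl/tls", 80: "http", 53: "dns"}
# Assumed thresholds; a real product would baseline these per host.
EXFIL_BYTES = 50_000_000   # outbound bytes to one external destination
BRUTE_FAILS = 20           # failed logins against one internal service
SCAN_PORTS = 15            # distinct ports probed on one internal host
DARKNET_HOSTS = 10         # distinct unallocated internal IPs contacted
SEVERITY = {"data smuggler": 90, "brute force": 70, "darknet scan": 60, "port scan": 50}


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def is_darknet(ip):
    return ip_address(ip) in DARKNET


def certainty(observed, threshold):
    """1-100 scale: 50 right at the threshold, 100 at twice the threshold or beyond."""
    return 50 + min(50, 50 * (observed - threshold) // threshold)


def detect(flows):
    """Aggregate flow records per host and return {host: [detections]}."""
    out_bytes, out_times = defaultdict(int), defaultdict(list)
    fails, probed, dark = defaultdict(int), defaultdict(set), defaultdict(set)
    for f in flows:
        src, dst, port = f["src"], f["dst"], f["dport"]
        if is_internal(src) and not is_internal(dst):
            out_bytes[(src, dst, port)] += f["bytes_out"]      # candidate exfil channel
            out_times[(src, dst, port)].append(f["ts"])
        elif is_internal(src) and is_internal(dst):
            probed[(src, dst)].add(port)                       # lateral reconnaissance
            if is_darknet(dst):
                dark[src].add(dst)
        if port in AUTH_PORTS and f.get("auth_failed"):
            fails[(src, dst, port)] += 1
    found = defaultdict(list)
    for (src, dst, port), b in out_bytes.items():
        if b >= EXFIL_BYTES:
            found[src].append({"type": "data smuggler", "dst": dst, "bytes": b,
                               "proto": PROTO_BY_PORT.get(port, f"tcp/{port}"),
                               "timeline": out_times[(src, dst, port)],
                               "certainty": certainty(b, EXFIL_BYTES)})
    for (src, dst, port), n in fails.items():
        if n >= BRUTE_FAILS:
            found[src].append({"type": "brute force", "dst": dst, "service": AUTH_PORTS[port],
                               "failures": n, "certainty": certainty(n, BRUTE_FAILS)})
    for (src, dst), ports in probed.items():
        if len(ports) >= SCAN_PORTS:
            found[src].append({"type": "port scan", "dst": dst, "ports": len(ports),
                               "certainty": certainty(len(ports), SCAN_PORTS)})
    for src, hosts in dark.items():
        if len(hosts) >= DARKNET_HOSTS:
            found[src].append({"type": "darknet scan", "hosts": len(hosts),
                               "certainty": certainty(len(hosts), DARKNET_HOSTS)})
    return dict(found)


def score_host(detections):
    """(threat, certainty): worst severity plus 5 per additional detection, capped at 100;
    certainty is that of the strongest single detection, so a noisy host is not also
    automatically called a certain one."""
    threat = max(SEVERITY[d["type"]] for d in detections) + 5 * (len(detections) - 1)
    return min(100, threat), max(d["certainty"] for d in detections)


def sample_flows():
    """Constructed records: 10.1.1.7 is compromised, 10.1.1.8 is a benign web user."""
    bad = "10.1.1.7"
    flows = [{"ts": 100 + 600 * i, "src": bad, "dst": "203.0.113.9", "dport": 443,
              "bytes_out": 20_000_000} for i in range(3)]                    # 60 MB over TLS
    flows += [{"ts": 2000 + i, "src": bad, "dst": "10.1.2.3", "dport": 22,
               "bytes_out": 2_000, "auth_failed": True} for i in range(25)]  # SSH guessing
    flows += [{"ts": 3000 + p, "src": bad, "dst": "10.1.2.4", "dport": p,
               "bytes_out": 60} for p in range(1000, 1020)]                  # 20-port sweep
    flows += [{"ts": 4000 + i, "src": bad, "dst": f"10.250.3.{i}", "dport": 445,
               "bytes_out": 60} for i in range(1, 13)]                       # 12 dark IPs
    flows.append({"ts": 5000, "src": "10.1.1.8", "dst": "198.51.100.5", "dport": 443,
                  "bytes_out": 1_000_000})
    return flows


if __name__ == "__main__":
    for host, dets in detect(sample_flows()).items():
        threat, cert = score_host(dets)
        print(f"{host}: threat {threat} certainty {cert}")
        for d in dets:
            print("   ", d)
```

Run as a script it prints one line per flagged host followed by its detections; the benign host produces nothing because its 1 MB upload never reaches the exfiltration threshold. The point of keeping threat and certainty separate, as the product does, is visible in `score_host`: four stacked detections push the threat level to the cap, but certainty stays at the value of the strongest single detection, so the analyst still sees that each individual behavior was only modestly over its threshold.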
The device identifies attacks as they are happening, in addition to being able to examine a system retrospectively. While its focus is malware - it bills itself as a "new class of APT defense" - it also recognizes attacker behavior that involves no malware at all, such as the brute forcing and scanning described above, and reports it accordingly. Like most next-generation products, this one depends heavily on behavior analysis and uses a combination of data science, behavior analytics and machine learning. Because the entire process is automated and the interaction between operator and device is so straightforward, it suits organizations that are light on security and analytical talent.
A big surprise to us - and a very good one - is that 24/7 support is the company's standard. There are lots of resources in the form of white papers, a Vectra boot camp and others. Vectra Threat Labs turns out some of the more useful and interesting research we've seen. Overall, this is a rather complete and quite focused package that is well worth the price.