We wanted something to understand what's happening on the network of the company, and we wanted something to protect us against attacks and cyber activities. We wanted visibility into our network and all the threats that we're facing.
CIO at General Transmissions
Good filtering capabilities, simple to implement, and has helped to stop some attacks
Pros and Cons
- "The automatic filtering that they provide is valuable. The logic inside that makes some detections instead of us is very useful. We are confident that if we are just looking into it and there is nothing, nothing could happen."
- "We are using SMB 3.0, which is an encrypted protocol. When we get some alerts or something, we cannot go deep into the protocol to see what's wrong because it's encrypted. We need to decrypt the protocol in another way, which is quite difficult. We might go back to SMB 2.0 just for this reason, but that's not a good solution."
What is our primary use case?
How has it helped my organization?
It has helped improve our mean time to identify, but I don't have the metrics on time savings because we didn't have anything for that previously.
It hasn't had any effect on the productivity of our organization’s SOC, but it has had a great effect on security.
In terms of the effect of Vectra AI Attack Signal Intelligence for empowering security analysts within our organization to take intelligent action, we are looking at the right risks and nothing more. We save some time for sure, and we empower our security with it. Previously, we couldn't see anything, but now, we are seeing some of the things, and we have already stopped some attacks with it.
What is most valuable?
The automatic filtering that they provide is valuable. The logic inside that makes some detections instead of us is very useful. We are confident that if we are just looking into it and there is nothing, nothing could happen. That's great.
It's simple to implement. It's simple to analyze. The dashboard is very smart and clean. It's very easy to check something. There are a lot of tools to analyze the detections. It's great.
What needs improvement?
We got two problems that couldn't be solved because of the philosophy of the product. We are using SMB 3.0, which is an encrypted protocol. When we get some alerts or something, we cannot go deep into the protocol to see what's wrong because it's encrypted. We need to decrypt the protocol in another way, which is quite difficult. We might go back to SMB 2.0 just for this reason, but that's not a good solution.
We did some penetration tests and tried to get some hashes or encrypted passwords from Active Directory. Those hashes didn't provide alerts into Vectra. Vectra doesn't survey them, which is quite problematic because it's a very common attack. They said that it's not the only aspect that would come with that kind of attack, but when somebody tries to get a lot of hashes, we would like that there is an alert because that seems like the start of an attack.
For the hashes issue, it could be very easy for them to make the improvement. They can just change a rule, and that's it, but for encrypted protocols, it could be trickier.
Buyer's Guide
Vectra AI
October 2024
Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
For how long have I used the solution?
We have been using this solution for two to three years.
What do I think about the stability of the solution?
There is no problem with stability. Sometimes, alerts can come later. For example, for Office 365, we got the alert one day late, but the problem was coming from the Microsoft side.
What do I think about the scalability of the solution?
We just have one, and that's enough for our needs. Its scalability is good for us because we just have one with multiple probes at the same cost, so that's fine for us.
How are customer service and support?
Their support is very good. They have knowledgeable people with great knowledge of cyber security and cyber risks. I'd rate them a 10 out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We weren't using any solution before. We went for Vectra AI because we wanted something to have visibility. We were completely blind to what could happen on the network. With Vectra AI, we aren't so blind.
What was our ROI?
We stopped some attacks. An attack could cost a lot more than the cost of Vectra. For example, we got an attack before that cost us $100,000. So, Vectra's cost is not so high. The cost of an attack could be worse. If we got encrypted data, it could be worse because we would have to stop the factory, which would cost a lot.
What's my experience with pricing, setup cost, and licensing?
Its cost is too much. It's an investment that we can afford. It's a lot, but it's worth it.
Which other solutions did I evaluate?
We evaluated Darktrace and one more solution. We also evaluated some SOC and SIEM systems, but we found Vectra AI to be better in comparison to other solutions. It was simple to implement and analyze.
What other advice do I have?
I'd rate Vectra AI a 10 out of 10.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of ICT Security & Governance at a construction company with 501-1,000 employees
Provides real-time visibility of potential threats to the network and prioritizes them to help us react quickly
Pros and Cons
- "We particularly like the user experience around the dashboard, which we find to be much more straightforward than the dashboard of some of the competitive products... Vectra is a really easy system to understand and use to prioritize where we need to focus our security resources."
- "A blind spot that I have is around the ease with which you can automate threat intervention."
What is our primary use case?
We use it as our internal network monitoring solution.
How has it helped my organization?
It's interesting to consider how it has helped our organization because it's a security product. But the way it has helped is that nothing has gone wrong. And it has certainly enhanced our internal security capabilities.
Vectra has helped accelerate our threat investigations, providing us with real-time visibility of potential threats to the network that we can act upon or triage accordingly. Prior to the implementation of Vectra, we didn't have that visibility. We had a number of disparate security tools, each with its own alerting functionality. Vectra has significantly helped with a consolidated view of potential threats. And the prioritization of threats allows us to focus specifically on those threats that we believe present the greatest risk and to react to those threats extremely quickly.
Vectra MDR is also very important for us, given the relatively small size of our internal team, and it gives us 24/7 capability that we didn't have before we used Vectra's MDR service.
What is most valuable?
We particularly like the user experience around the dashboard, which we find to be much more straightforward than the dashboard of some of the competitive products. In the grand scheme of things, we're a relatively small organization with approximately 1,000 users and a small internal security team. Compared with some of its competitors, Vectra is a really easy system to understand and use to prioritize where we need to focus our security resources.
We use Microsoft 365 and Vectra extends our ability to track attacker activity, whether that happens on-premises, in a data center, or in a SaaS environment. It provides complete coverage and visibility across our ICT estate. That was a real positive when we were going through the selection process. The simplicity of the dashboard and the categorization of alerts as low, medium, high, or critical, presents us with the potential of a security risk. We can then choose to investigate it, regardless of whether it's an on-premises or cloud-security risk. They are presented in the single-pane-of-glass dashboard, and that allows us to take the appropriate action. The detection and prioritization of attacker behaviors are extremely important.
What needs improvement?
A blind spot that I have is around the ease with which you can automate threat intervention.
For how long have I used the solution?
We've been using Vectra AI for approximately 12 months.
What do I think about the stability of the solution?
It seems to be extremely stable. We've not had any issues in that respect.
What do I think about the scalability of the solution?
Vectra has visibility across our entire ICT network, which is a combination of on-premises and cloud environments. Our cloud solution is Azure, and it extends to about 1,000 users. The vast majority of them are now remote or mobile workers.
It has comfortably managed the needs of our organization and I don't have any concerns if we were to need, at some point in the future, to either scale or switch the current balance between on-prem and cloud.
How are customer service and support?
We are very satisfied with the support. It has been excellent so far. It has been very timely, very personalized, and always quick to find solutions. We've been really pleased with it.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We didn't have a previous solution. We have no internal networking monitoring capability.
How was the initial setup?
We started with a proof of concept and then we committed to the Vectra solution. That's when we began the formal implementation. From the very initial engagement to the proof concept and through the transition to service, it took approximately six months.
The deployment went very well and that was a real positive in terms of the engagement with the onboarding and the customer experience.
Across our ICT team, six individuals were involved in security, infrastructure, project management, and service transition.
There is no maintenance of the solution on our side.
What about the implementation team?
The implementation was supported directly by Vectra UK itself.
What was our ROI?
The return on investment from the product comes from not incurring unplanned costs because of a security incident.
What's my experience with pricing, setup cost, and licensing?
The upfront pricing model that we have would have been more beneficial if it had been a recurring license fee, but that wasn't a massive issue for us. It's fairly priced.
Which other solutions did I evaluate?
We evaluated other options very thoroughly. It became a two-horse race between Vectra and Darktrace. The differentiators for us were the UI experience, the MDR, and we felt that there was better engagement with the Vectra presales team. They better understood our needs and how Vectra would fit as a solution.
What other advice do I have?
The percentage of critical alerts from Vectra that are critical or true positives, to be fair, is relatively small, probably about 10 percent, but that's more a reflection of the fact that we're still a relatively new client and that the system is still learning. What we have noticed though is that the triage process is effective and we don't get multiple false negatives once we've identified an issue.
We bought Vectra AI through our IT partner, which is CDW. They were only involved in the procurement process. We used a partner to ensure that we could demonstrate that we had done so according to compliance.
I would definitely recommend Vectra and to do a proof of concept. We learned quite a lot through that proof-of-concept process. Those lessons certainly helped us when we went into the implementation process and to engage internal ICT team stakeholders and anticipate central issues in the implementation process. A proof of concept would be invaluable for anybody thinking about implementing this or one of the competitive solutions.
At the moment, we're really pleased with the product and it's a really good fit for the size of our organization.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Vectra AI
October 2024
Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
Cyber Security Analyst at a financial services firm with 1,001-5,000 employees
Reduces the times between an alert and a ticket coming up
Pros and Cons
- "It is doing some artificial intelligence. If it sees a server doing a lot of things, then it will assume that is normal. So, it is looking for anomalous behavior, things that are out of context which helps us reduce time. Therefore, we don't have to look in all the logs. We just wait for Vectra to say, "This one is behaving strange," then we can investigate that part."
- "We would like to see more information with the syslogs. The syslogs that they send to our SIEM are a bit short compared to what you can see. It would be helpful if they send us more data that we can incorporate into our SIEM, then can correlate with other events."
What is our primary use case?
The original use case was because we had some legacy stuff that doesn't do encryption at rest. Compliancy-wise, we had to put in some additional mitigating actions to protect it. That was the start of it. Then, we extended it to check other devices/servers within our network as well.
We are on the latest version.
How has it helped my organization?
It is doing some artificial intelligence. If it sees a server doing a lot of things, then it will assume that is normal. So, it is looking for anomalous behavior, things that are out of context which helps us reduce time. Therefore, we don't have to look in all the logs. We just wait for Vectra to say, "This one is behaving strange," then we can investigate that part.
We have implemented it fully now. We have done some training and filtering on it. Now, every alert that we see means that we need to investigate. It sees roughly 300 events a day. The majority are normal behavior for our company. So, there are about 10 to 15 events a day that we need to investigate.
The solution triages threats and correlates them with compromised host devices. It looks at a certain IP address, and if you're doing something strange, then it will give us an alert. E.g., normally John Doe is logged into it for four days, going to server XYZ. If all of a sudden, it's in a different timescale, going to server B, then it will send us an alert.
We have privileged accounts. They have a specific names, and if I see those names, then I investigate a bit more thoroughly. That's our policy. I don't know whether Vectra does anything different with them.
The solution gives us more tickets. If we did not have Vectra, we wouldn't have those tickets. So, it's actually increasing them. However, it is improving our security with a minimum amount of work. That's the whole purpose of the device. We have 10 to 15 events that we need to look into a day, and that is doable.
The solution creates more work for us, but it is work that we are supposed to do. We need more FTEs because we need more security.
What is most valuable?
We mainly use it for the detection types, checking dark IPS or command-and-control traffic.
We bought Recall so we can have more information. Recall is an addition onto Vectra. We haven't enabled Recall yet, but we will. So, if there is an incident, we can investigate it a bit further with Vectra devices before going into other tools and servers. This gives us the metadata for network traffic. So, if we have a detection, we can check with Recall what other traffic we are seeing from that device, if there is anything else. It's mainly a quick and dirty way of looking at it and getting some extra information to see whether it's malicious.
We found that the solution captures network metadata at scale and enriches it with security information. This is one of the reasons why we added Recall, so the alert gives us information on where we need to look, then we can investigate a bit further. For example, a certain device is sending data to command-and-control server, then we can investigate whether that is really happening or just a false alarm with the metadata in Recall. It makes it easier to find out.
What needs improvement?
We would like to see more information with the syslogs. The syslogs that they send to our SIEM are a bit short compared to what you can see. It would be helpful if they send us more data that we can incorporate into our SIEM, then can correlate with other events. We have mentioned this to Vectra.
It does some things that I find strange, which might be the artificial intelligence. E.g., sometimes you have a username for a device, then it makes another. It detects the same device with another name, and that's strange behavior. This is one of the things that we have with Vectra support at the moment, because the solution is seeing the device twice.
For how long have I used the solution?
We started the pilot roughly a year ago. So, we started small with a pilot on part of the systems, then with two other vendors. Afterwards, we decided to buy it.
Now, it's almost in production. It's still a project in the end phase, as we are still implementing it. But, most of it has been running for a year.
What do I think about the stability of the solution?
So far, the stability has been good. There are no issues. It's never been down. It has been updating automatically on a regular basis and there are no issues with that where it has stopped working.
One person will be responsible for the deployment, maintenance, and physical upkeep; a person from the service delivery team will keep the device up and running. The security analysts (my team) deal with the alerts and filtering.
What do I think about the scalability of the solution?
The part that we designed is not really scalable. They have options, and there is some room for improvement. If we need to scale up, which we have no intention of doing, then the physical devices need to be swapped over for a bigger one. Other than that, we have some leeway. This came up in the design with, "What are your requirements?" and those requirements have been met, so that's fine. They will probably be met for the foreseeable future.
At the moment, we don't have Tier 1 and Tier 2. Instead, we have a small team who does everything. I am mostly using it. There will be three security analysts. Then, we have a number of information security officers (ISOs) who will have a read-only role, where they can see alerts to keep an eye on them, if they want, and be able to view the logging and see if they need more information. But, there are three people who will be working with Vectra alerts.
How are customer service and technical support?
We are in contact with the Vectra service desk. If you send them ideas, they talk about them and see if they can incorporate them.
Which solution did I use previously and why did I switch?
We decided that we wanted to have an alert within 30 minutes, which is doable with this solution. It fulfills our needs. However, we didn't have this before, so it has increased our time, but for things we need to do.
How was the initial setup?
The initial setup is relatively straightforward. They have security on a high level. There are a lot of logins with passwords and very long passwords. This made it go a bit longer. However, the implementation is relatively easy compared to other devices.
We made a design. That's what we implemented.
What about the implementation team?
Initially, it was set up in conjunction with Vectra. When we put it into production, the majority was done by me, then checked by a Vectra engineer. If I had issues, I just contacted Vectra support and they guided me through the rest of it.
The Vectra team is nice and helpful. The service desk is fast. They know what they are doing, so I have no complaints on that part. We have a customer service person who knows about our environment and can ask in-depth questions. He came over as well for the implementation to check it, and that was fine. The work was well done.
What was our ROI?
The solution has reduced the time it takes us to respond to attacks. It sends an email to our SIEM solution. From that SIEM solution, we get emails and tickets. Therefore, the time between an alert coming up and a ticket is reduced. This is for tickets that we monitor regularly. Within 15 to 20 minutes, it gives us an alert for the things that we want. Thus, it has greatly reduced our measurable baseline.
The return of investment is we have tested it so sometimes we have auditors who do pen tests and see them. That's the goal. It seems to be working. We haven't found any actual hackers yet, so I'm not completely a 100 percent certain. However, we found auditors who are trying to do pen tests, which essentially the same thing.
What's my experience with pricing, setup cost, and licensing?
The license is based on the concurrent IP addresses that it's investigating. We have 9,800 to 10,000 IP addresses.
There are additional features that can be purchased in addition to the standard licensing fee, such as Cognito Recall and Stream. We have purchased these, but have not implemented them yet. They are part of the licensing agreement.
Which other solutions did I evaluate?
We investigated Darktrace, Vectra, and Cisco Stealthwatch.
Darktrace and Vectra plus Recall were similar in my opinion. Darktrace was a bit more expensive and complex. Vectra has a very nice, clean web GUI. It easier to understand and cheaper, which is one of the main reasons why we chose Vectra over Darktrace.
Darktrace and Vectra are very different, but eventually for what we wanted it to do, they almost did the same thing. Because Darktrace was a bit more expensive, it was a financial decision in the end.
I did the comparison between Darktrace and Vectra. They did almost the same thing. Sometimes, there are differences that Darktrace did detect and Vectra didn't. For the majority, we didn't find any actual hackers. So, it's all false positives, eventually. Both of them are very similar. The big thing is the hacker activity. They both detected it in the same way. But, in the details, they were different.
The options for Stealthwatch were a bit limited in our opinion for what we wanted it to do. Stealthwatch is network data, and that's it.
What other advice do I have?
Start small and simple. Work with the Vectra support team.
The solution’s ability to reduce false positives and help us focus on the highest-risk threats is the tricky part because we are still doing the filtering. The things it sees are out of the ordinary and anomalous. In our company, we have a lot of anomalous behavior, so it's not the tool. Vectra is doing what it's supposed to do, but we need to figure out whether that anomalous behavior is normal for our company.
The majority of the findings are misconfigurations of servers and applications. That's the majority of things that I'm investigating at the moment. These are not security risks, but need to be addressed. We have more of those than I expected, which is good, but not part of my job. While it's good that Vectra detects misconfiguratons, there are not our primary goal.
The solution is an eight (out of 10).
We don't investigate our cloud at the moment.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SOC Administrator at The National Commercial Bank
Gives alerts on suspicious activities; stable and scalable, with excellent technical support
Pros and Cons
- "What I like best about Vectra AI is that it alerts you about suspicious activities."
- "An area for improvement in Vectra AI is reporting because it currently needs some details. For example, when you download a report from Vectra AI, you won't see complete information about the alerts or triggers. Another area for improvement in the tool is that sometimes, an alert has high severity, yet it's marked as low severity. Vectra AI should have a mechanism to change the severity level from low to high or critical."
What is our primary use case?
Vectra AI is an NDR tool, and my company is using it for security and insider threat detection purposes.
What is most valuable?
What I like best about Vectra AI is that it alerts you about suspicious activities.
What needs improvement?
An area for improvement in Vectra AI is reporting because it currently lacks some details. For example, when you download a report from Vectra AI, you won't see complete information about the alerts or triggers.
Another area for improvement in the tool is that sometimes, an alert has high severity, yet it's marked as low severity. Vectra AI should have a mechanism to change the severity level from low to high or critical.
For how long have I used the solution?
I've been using Vectra AI for two years now.
What do I think about the stability of the solution?
Vectra AI is a stable tool.
What do I think about the scalability of the solution?
Vectra AI is a scalable tool.
How are customer service and support?
My company has a dedicated support team for Vectra AI, so I have the support team's direct contact number and WhatsApp number.
The technical support is excellent, so my rating is five out of five.
How was the initial setup?
The initial setup for Vectra AI wasn't that complex. It won't take long if your environment is ready, with all required ports open. Setting up Vectra AI would be easy.
What about the implementation team?
We implemented Vectra AI together with their technical support team.
What's my experience with pricing, setup cost, and licensing?
My company pays for the Vectra AI licensing fee yearly. I know the figure because my company recently renewed the license, and it's okay, at least for the financial sector.
What other advice do I have?
I'm the admin of Vectra AI, a tool implemented in my company.
The tool was updated three or four months ago, but I'm unsure if I have the latest release.
My company has two SOCs in different areas, so all SOC analysts log in or use Vectra AI, with the alerts forwarded to Splunk. One person is the admin in-house, but he works with support because the tool is customized for my company, as any command can't be run in Linux.
I'd recommend Vectra AI to others looking for an NDR solution.
Vectra AI is excellent for NDR purposes, in general. I'm rating it as ten out of ten based on my experience because I'm investigating the Vectra AI alerts. It triggers alerts for suspicious activities, so it's an excellent tool.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Analyst at a computer software company with 1,001-5,000 employees
Is intuitive, stable, and shows misconfigurations related to compliance
Pros and Cons
- "Some valuable features of Vectra AI are that it is very intuitive and that there are only a small amount of false positives. Therefore, it's an effective solution."
- "We have a lot of system solutions and integrations with system solutions. Vectra is a type of black box. It implements AI-informed detection mechanisms, but we cannot create system detections. I understand that the product is designed this way, but it would be great if we could create our own detections as well."
What is our primary use case?
I'm a SOC analyst, and I use Vectra AI to detect and respond to security incidents. My team manages the critical detections, and another team takes the low-priority detections. They also use Vectra to hunt for the system root.
What is most valuable?
We use the Threat Detection and Response platform, and it's quite good at detecting and responding to threats and attacks in real-time. I really like the UI experience because it's simple to use, and we get quite a lot of information very quickly.
Some valuable features of Vectra AI are that it is very intuitive and that there are only a small amount of false positives. Therefore, it's an effective solution.
Another benefit that is unrelated to security is that it allows us to see misconfigurations or things that should not be happening in terms of compliance.
As SOCs, we concentrate on the OS side, and with Vectra AI, we can now see the network from an endpoint point of view. It gives us new alerts and does bring some work because we now have more visibility. However, it's opening up a wide range of things for us.
What needs improvement?
We have a lot of system solutions and integrations with system solutions. Vectra is a type of black box. It implements AI-informed detection mechanisms, but we cannot create system detections. I understand that the product is designed this way, but it would be great if we could create our own detections as well.
For how long have I used the solution?
I've been using this solution for six months.
What do I think about the stability of the solution?
From my point of view, Vectra AI's stability has been quite good. We have never had any issues.
What other advice do I have?
On a scale from one to ten, I would give Vectra AI an overall rating of eight.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Head of Information Security at a outsourcing company with 1,001-5,000 employees
Enables us to understand what our normal traffic is, then pulls out the anomalies for us
Pros and Cons
- "It has reduced the time it takes to respond to attacks. That comes back to the proactive point. It makes us able to lower down in the kill chain, we can react now, rather than reacting to incidents that happened, we can see an instant, in some cases, as it's being implemented, or as it's being launched."
- "The false positives and the tuning side of it is something that could use improvement. But that could be from our side."
What is our primary use case?
Vectra AI sits across our entire estate, we have an outsource provider for a lot of our backend systems. It sits in theirs and it sits in our own estates. It's deployed across our other numerous offices across the country. It sits across our entire state.
How has it helped my organization?
We don't have very much in the way of IDS or IPS on our estate, so we're relying on Vectra AI to do that sort of work for us. We're allowing that to look at our traffic and to flag up to us on our system. It helps my analysts investigate other things. We might get other alerts in the estate, Vectra AI is one of the first tools that they'll jump onto, to do further investigation of alerts that are raised up to them. It's a really good tool, not just for what it throws up, but for us to dig into our network as well.
What is most valuable?
What is pretty good is the unknown unknowns. It's the anomalies to the norm and the intelligence behind it that helps us to dig through a mountain of data and find the stuff that's important to us.
It allows us to understand what our normal traffic is, then pulls out the anomalies for us. For instance, a recent use case of it would be that it suddenly picked up that a file transfer was happening out of our estate that we weren't aware of. It hadn't been there before. There was a file transfer that suddenly appeared, that was actually in our estate that hadn't been there before. We would never have been able to see that normally, it's just that Vectra AI saw it. It was okay, it was going to a third-party and it allowed us to investigate it and find it but we would never have seen that without a notification. It understands what should be happening and then usually says "This isn't normal," and it allows us to flag it up and dig deeper into that.
It is very good at reducing alerts by rolling up numerous sellers to create a single incident or campaign for investigation. Although it doesn't reduce, it actually increases our alerts because we wouldn't have seen the stuff in the first place, but when it does create an alert, it pulls all investigative information together. We're not getting hundreds of alerts, we're getting alerts that contain all of the relevant components.
Vectra AI captures network metadata at scale and enriches it with security information. Although, we don't make the most of that, but we've never had a problem with its captures and it captures the correct data for what we want it to do. I think we could be using it better.
The information affects investigations by our security team by allowing them to be more effective and quicker in their investigations.
Vectra AI provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. Although, we found it's flagging up early, so it's not developing to that further stage of that because it's flagging up at an early stage.
Its ability to reduce false positives takes quite a bit of tuning. We've had to put a lot of effort into tuning out false positives, so that's something that we've had to invest our time into. Obviously it's getting better and better as time goes on, but we still have to spend time tuning it.
We've seen our tuning has lessened those processes, but we're still getting more than we would want. That's probably some of our fault. It could be some issues with the way it's set up in certain areas. But, once we tune them out, they're staying tuned out.
It hasn't reduced the security analyst workload in our organization but that was never the purpose of it for us. It's an additional tool in our armory, so it hasn't reduced our workload, but it's made us more efficient.
It makes the team more efficient in speed of response. I would say it makes them more efficient in the breadth of their coverage of what they can respond to. It makes us have a more proactive response to incidents.
It has reduced the time it takes to respond to attacks. That comes back to the proactive point. It makes us able to lower down in the kill chain. We can react now, rather than reacting to incidents that happened, we can see an instant, in some cases, as it's being implemented, or as it's being launched.
It's not all attacks, but I would say that it's a shift less on the material chain. It's things that we might not even have spotted if it hadn't been for Vectra AI, so it's difficult to know how we would quantify that as an amount.
What needs improvement?
The false positives and the tuning side of it are some things that could use improvement but that could be from our side.
I don't want to criticize the product for performance with our role out of it. It does what it says it's going to do very well. We've got issues with the way we've deployed it in some places, but the support we've had in that is very good as well, so I'm very happy with the support we get.
For how long have I used the solution?
My company has been using Vectra AI for three years. I've been here for eight or nine months now, but the company has just been using it for three years.
What do I think about the stability of the solution?
We've had absolutely no issues with stability at all.
What do I think about the scalability of the solution?
Scalability is obviously based around the size of the clients that we have. We have had some issues around scalability but that's only because when it was implemented before my time but I know it is scalable. Obviously, we have to put some thought into that, some planning into that from our side, but it is limited on the size of the boxes. To summarize, yes, it is scalable, but it needs planning.
We have four users who use it in my company who are cybersecurity analysts.
Vectra AI is on everything apart from the clouds. Now we're on a journey towards more and more cloud. At least 70% of our company is covered by it.
We do have plans to increase usage. We want to move to the cloud.
How are customer service and technical support?
The support is excellent. We've had really good technical support from Vectra AI all the time. We have very regular catch-ups with them. They always pick the right people to do the calls, and we even have deep-dive sessions with our analysts with them and provide us with training. They've been excellent.
Which solution did I use previously and why did I switch?
We didn't have anything in place before Vectra AI.
I have used another solution in the past. I used Darktrace where I was before. It compares very favorably with Darktrace. I wouldn't say it was any better or worse.
The UI is quite different, but apart from that, there are obviously slight differences in the analytics behind it, but I'd be struggling to say that one of them was better than the other. They both seem to do what I do well. Vectra AI is a little bit more honest about their capabilities than Darktrace is.
I don't think Vectra AI enables us to answer investigative questions that other solutions are unable to address. I know that there are other solutions that could do it as well. They're as good as everything else out there, but I wouldn't go and say they're massively better. The thing that sells it for me is that the support has been very good. That's one of the bits that keeps me with them.
What was our ROI?
ROI depends on how you quantify that in security. It's really difficult to quantify what you find to a monetary value. We do see a return on investment because it's a good tool that we're using well and it's helping us to keep the company secure. It's really difficult to quantify a monetary value on that or say that you've got return on your investment. I wouldn't want to be without it. You can't put a price on security.
What's my experience with pricing, setup cost, and licensing?
They compare very favorably against the competition in terms of price. Nothing in this area is cheap. There is a lot of value in the products that you're buying, but they have come in at the right price for us in comparison to others. I would say that they're competitive in their pricing.
What other advice do I have?
My advice would be to make sure it is planned and deployed properly. That's a problem with my organization, not a problem with Vectra AI. Otherwise, if you don't build it to the specifications that you were told to, you're going to spend your whole life trying to fix a problem that shouldn't be there. My advice would be the plan and implement as per the plan.
I would rate Vectra AI a nine out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Director, Information Security at a university with 5,001-10,000 employees
Its artificial intelligence and machine learning helps us with looking at deviations from the norm
Pros and Cons
- "The solution provide visibility into behaviors across the full lifecycle of an attack in our network, beyond just the Internet gateway. It makes our security operations much more effective because we are now looking not just at traffic on the border, but we're looking at east-west internal traffic. Now, not only will we see if an exploit kit is being downloaded, but we would be able to see then if that exploit kit was then laterally distributed into our environment."
- "Some of their integrations with other sources of data, like external threat feeds, took a bit more work than I had hoped to get integrated."
What is our primary use case?
One of the reasons we went with this solution was because there is less that we have to customize; it's more commercial off the shelf. Therefore, my team can spend their time doing what's most beneficial for the university, which is protecting it, not upgrading custom software.
We use it to inspect and look for malicious, abusive, or other types of forbidden behavior with our north-south and east-west traffic. We not only look at traffic from our campus to the Internet, but we look at traffic internally in our network as it does network AI. It not only looks when a specific event happens, but whether, "Is this a normal event? Or is it normal for the host to do that?"
How has it helped my organization?
The Privileged Account Analytics for detecting issues with privileged accounts is very important because, like any organization, we have people from low-privileged, regular users all the way to administrators who have very high levels of privilege. Therefore, a regular student, on their own machine, may run Coinminer on it, which might be something that the student is experimenting with for higher ed. However, it's a very different use case when a staff user on their work issued machine is running it. Cognito will let us discover that very easily and contextualize it, "Is this really the criticality of an alert or a behavior?" It does this not only for the user, but it also lets us see through the DNS and machine name, whether it's a university asset, etc. Also, you can target those users who have a very high level of access by really enriching your analysis of alerts, such as, "I know that this administrative account does do PowerShell stuff because that's one of the main jobs of that sysadmin." Then, if I see that sort of PowerShell behavior from another account that I wouldn't expect it from, then that's a reason for concern.
The solution captures network metadata at scale and enriches it with security information. This provides us context upfront which helps us prioritize.
The solution provide visibility into behaviors across the full lifecycle of an attack in our network, beyond just the Internet gateway. It makes our security operations much more effective because we are now looking not just at traffic on the border, but we're looking at east-west internal traffic. Now, not only will we see if an exploit kit is being downloaded, but we would be able to see then if that exploit kit was then laterally distributed into our environment.
The solution’s ability to reduce false positives and help us focus on the highest-risk threats is very good. The additional context and ability to take other factors that we can feed into it, like our threat intelligence feed or the user identity, helps with running down whether behaviors are legitimate or pose a big risk. It also helps us eliminate false positives where appropriate, such as some of our system admins running PowerShell in a way that looks very suspicious if you saw it from a regular user.
It has reduced the type of analysis needed to run down and get to the bottom of what's really happening. On the flip side, it doesn't miss as much as a human only or more signature oriented approach would. While I don't want to give a false impression that it's going to result in less work, I think the work that we're doing is more efficient. We can do a lot more to protect, because we're able to react and look at what's important. It may not directly translate into, "Oh, well we spend less time on threat hunting and investigating a suspicious behavior," but we're seeing what we need to look at more effectively.
It's easier to get an analyst up to speed and be effective. The solution has helped move approximately 25 percent of the work from our Tier 2 to Tier 1 analysts.
What is most valuable?
I find the network artificial intelligence and machine learning to be most valuable because we have also significantly increased the amount of traffic that we inspect. This has kind of lowered the burden of creating ways to drink from that fire hose of data. The artificial intelligence and machine learning help bubble up to the top things that we should go look at which are real deviations from the norm.
I would assess the solution’s ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation very highly. Rather than relying on signatures and a human to look if, "Host X has hit these four different signatures," which is probably an indicator of a fairly high confidence that something's not right, the analytics, artificial intelligence, and machine learning in this product tie those events together. It also looks for new events that are out of the ordinary, then gathers those together and tells us to look at specific hosts. This is rather than an analyst having to sift through a bunch of signature hits, and say, "Oh, this host needs to be looked at."
Also, there is a much lower operational burden of maintenance. We used to use open source monitoring tools, which are very good, but they take a lot of work to maintain and leverage. We really like the commercial off the shelf type of approach of the software, not brewing our own.
What needs improvement?
Some of their integrations with other sources of data, like external threat feeds, took a bit more work than I had hoped to get integrated. I think the company has been very responsive, willing to take our feedback, and look at addressing our concerns.
I have asked that they give direct packets capabilities.
For how long have I used the solution?
About a year and a half.
What do I think about the stability of the solution?
It is very stable and easy to maintain compared to the Linux open source solution that we previously used for a long time.
Maintaining the solution isn't even a full FTE, probably more like a quarter. We have to coordinate if we want to get more data into it, as there are some integrations that we do with our threat intelligence feed from our ISAC.
What do I think about the scalability of the solution?
We have talked to several other customers who have much larger environments than ours, so it is very scalable. We have applied it in excess of probably 20,000 devices. We have probably 50,000 to 60,000 active users who might see traffic from it. We have hundreds of thousands in our directory total, but some of those are alumni or adjunct faculty, so they may not be active all the time. We have on order of 700 servers and hundreds of applications. We're not huge, but we're not tiny.
One of the things that is really exciting about partnering with Vectra is they have solutions for the cloud, both Azure and AWS. This will get us that same type of visibility we're getting now with things on our physical campus using cloud services. This is probably where our increased usage will be concentrated on.
How are customer service and technical support?
Vectra's technical support is very good.
Which solution did I use previously and why did I switch?
We switched from an open source solution to Cognito because there was a lower operational maintenance burden and it provided more visibility into our environment. It also has more analysis and initial triage done by the network AI and machine learning.
Vectra enables us to answer investigate questions faster than our open source solutions previously did.
How was the initial setup?
The initial setup was straightforward.
Our initial deployment with north-south and a bit of east-west for our first virtual sensor probably took two to three days at most.
Long-term, we now have it deployed on every VMware server that is in our environment and it's monitoring probably 500 to 600 inter-server communications (between different servers). That took a little longer because we had to first work with our colleagues here onsite. It wasn't an issue with Vectra. It just took time and we had to arrange some work with internal partners. We did the reference and first setup in a day.
For our implementation strategy, we turned up north-south visibility immediately and brought up a single virtual sensor for our VMware environment. Then, after three months, we revisited it with a team who operates VMware and their servers. We made sure they were comfortable with the resource demands and how well the solution was working. Finally, we were able to have them turn it on for all the VMware servers.
What about the implementation team?
We had very knowledgeable people from the vendor work with our networking group to get the correct traffic to its sensors. This was done remotely/virtually, but it was done very well.
What was our ROI?
Hopefully, this is a sunk cost. We are mitigating risk. We are not expecting to make money on this solution.
The solution has reduced the time it takes us to respond to attacks by approximately 20 percent.
Which other solutions did I evaluate?
We looked at some of Vectra's competitors. We had Snort and also used Bro. We also used Argus and NetFlow collector. Therefore, we looked at what were the products out there that could sort of replicate the things we were doing with a commercial off the shelf product that had artificial intelligence, but not open source.
We looked at Corelight, which was more grow only. We also looked at ExtraHop.
We didn't do a formal RFP with this one. We developed some relationships with the management at Vectra, who really wanted to partner with us. We looked at their technology and other competitors in the area, then decided it was a worthwhile (based on their commitment) for us to work with them.
Usually, I'll go to the Gartner Security & Risk Summits and look around at what different vendors are coming out with. That's a very useful venue for learning about new vendors.
What other advice do I have?
We don't have that big of a cloud presence yet. However, the solution would correlate behaviors in our enterprise network and data centers with behaviors we see in our cloud environment because part of our east-west visibility includes our dedicated connections to cloud instances. If it goes over to our commodity Internet, it should see it there too.
I would rate this solution as an eight point five (out of 10).
All opinions in this review are my own.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Engineer at a legal firm with 1,001-5,000 employees
Improves network visibility and has boosted our productivity
Pros and Cons
- "The fact that we get the visualization of what's happening on our network, which is a way of improving our security in-depth is most valuable."
- "I think Vectra AI's automation, reporting, and integration could be improved."
What is our primary use case?
We have a basic Vectra environment because we mainly only use the NDR for the solution's options. We do mainly filled logins, anomalies, and network flow monitoring.
How has it helped my organization?
Vectra AI helped improve our mean time to identify by allowing us to have visibility and reveal some hidden or unknown things.
Vectra AI has had a positive impact on the productivity of our SOC team which is an external party. It as well had a positive impact on our IT environment for detection purposes, adapting, and hardening.
What is most valuable?
The fact that we get the visualization of what's happening on our network, which is a way of improving our security in-depth is most valuable. That's because with the information we get out of Vectra, we know how to adapt and modify things in our network.
Regarding Vectra AI attack signal intelligence, it is providing us with information on how to adapt or protect ourselves against certain attack vectors. This feature is quite helpful.
What needs improvement?
I think Vectra AI's automation, reporting, and integration could be improved.
For how long have I used the solution?
I have been using this solution for two years now.
What do I think about the stability of the solution?
It's stable as it performs as we expected.
What do I think about the scalability of the solution?
If you have enough power or bandwidth to deploy another sensor, the scalability of this solution shouldn't be very complex.
How are customer service and support?
I would rate the technical support of the Vectra AI solution a seven, on a scale from one to ten, with one being the worst and 10 being the best. The reason for this rating is that they always deliver what we expect and that's good enough for us. The reason that the rating is not a ten, is that we always need to let people improve themselves.
How would you rate customer service and support?
Neutral
How was the initial setup?
I joined the deployment project at a later stage and I worked on deploying the sensors and tuning false positives and similar things. My experience when it comes to deployment was quite good as we had good hands-on engineers which is why the implementation went well. Our deployment was straightforward with our hands-on approach.
What was our ROI?
When it comes to ROI, in certain places we saw the return and in certain places we didn't. When it comes to security investments and tooling of security, the return on investment takes a bit longer and you always see your investment back. At one point something will happen and you will start using the tool for the reason you bought it.
What other advice do I have?
Before Vectra, we didn't have any feasibility of our network net flow, so this solution gives us a better view of what has been happening on our network and this is what we're trying to solve by implementing Vectra.
We are not using the flood detection response platform.
We are not using Vectra MDR services.
Overall, I would rate this solution a seven, on a scale from one to ten, with one being the worst and ten being the best.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Vectra AI Report and get advice and tips from experienced pros
sharing their opinions.
Updated: October 2024
Product Categories
Intrusion Detection and Prevention Software (IDPS) Network Detection and Response (NDR) Extended Detection and Response (XDR) Identity Threat Detection and Response (ITDR) AI-Powered Cybersecurity PlatformsPopular Comparisons
Darktrace
Palo Alto Networks Advanced Threat Prevention
Splunk User Behavior Analytics
Trend Micro Deep Discovery
Check Point IPS
Trend Micro TippingPoint Threat Protection System
Fortinet FortiGate IPS
Palo Alto Networks URL Filtering with PAN-DB
Cisco Secure IPS (NGIPS)
Cisco Sourcefire SNORT
Trellix Intrusion Prevention System
ExtraHop Reveal(x) 360
Zscaler Cloud IPS
Proofpoint Identity Threat Defense
Buyer's Guide
Download our free Vectra AI Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- I'm building a next-gen AI powered threat intelligence platform. What's missing from existing solutions?
- What is the biggest difference between Corelight and Vectra AI?
- What are the threats associated with using ‘bogus’ cybersecurity tools?
- When evaluating Intrusion Detection, what aspect do you think is the most important to look for?
- What is your recommended cost-effective solution to detect and prevent APT attacks?
- What product do you recommend for a Campus IPS appliance implementation?
- How do you use the MITRE ATT&CK framework for improving enterprise security?
- What are the pros and cons of Darktrace vs CrowdStrike Falcon vs alternative EPP solutions?
- Which alternative solutions (other than Darktrace) do you recommend for an SMB?
- Which is the best intrusion detection and prevention solution?