Vectra AI Reviews

We use Vectra AI for endpoints where we are unable to install agents, like endpoint agents, EDR agents, or antivirus tools. For example, BYOD devices or routers in our network. We don't have any control over those, but we need monitoring capability. 

Vectra AI can monitor the traffic from the wireless router to the firewall or any outgoing traffic. It can give us an idea of whether there is any C&C or C2 communication or any botnet activity from those source IPs. Without having any agents in the endpoint, it is a network monitoring tool. We use this tool to detect threats within the environment where the assets are unmanaged. 

Also, since we tap into certain network points such as firewalls or IDSs, we get more visibility from managed assets as well. So before the endpoint notices the behavior, Vectra notices some of the exfiltration techniques and alerts us.

Overall, it is good and has reduced our time in identifying the system. It is for unmanaged devices. Previously, if we got an alert from the firewall, it was very difficult to find that particular asset. But with the help of this tool, we can simply run a packet capture and immediately get the hostname and know which user is using it. 

It has greatly reduced our time to remediate the situation. We can identify the user, block their account immediately, and sometimes kick that device off the network completely.

It has a confidence level of around 60% to detect insider threats of anomalies, but we mostly need to fine-tune the product. We are still in the fine-tuning process. Even though it has been one year since we implemented the product, the first six months were spent integrating various log servers and determining where to tap. 

For the past three months, we have been actively investigating the alerts. When we investigate some of the insider alerts, most of the time it is a false positive because the domain is allowed. Vectra does not know that those are allowed domains, such as OneDrive and SharePoint, to access our network devices. 

It considers it malicious because a huge amount of file uploads is seen, according to Vectra. But we know those are known URLs and known behavior. When we slowly started whitelisting, the threat confidence level increased. So right now, for insider threats, it gives around 60% confidence, but around 80% of the incidents were false positives because we are still in the fine-tuning process.

The packet capturing feature is very useful, and as the name suggests, AI uses models to detect abnormal behavior. Some of the patent-matching algorithms they use are very advanced and detect threats at a very early stage.

For me, detections from unmanaged networks are one of the greatest values. You can identify threats from BYOD or even mobile devices, which were not handled before.

The detection algorithms can be improved at the sensor level rather than doing all the things at the brain. For example, if the sensor has some directional algorithm or detects repeating traffic, it can drop those packets at the beginning itself. There is no need to send that traffic to the brain in order to reduce the bandwidth.

AI is picking up a lot now. There is no manual intervention needed. Whenever a detection happens, it can automatically summarize and give it to you. But Vectra doesn't have those kinds of capabilities. It still needs manual intervention to analyze, and they don't have a summarized kind of output. So that can be improved. But apart from that, the detection models and all the other categories have good support for that.

In future releases, I would like to see Vectra AI to generate a summary of the instance.

I have been using it for a year. 

I would rate it at eight. The remaining two points I'm not giving because it's a fairly new product. So far, it is good as per our test and it is able to scale as well.

The only limit is you need to increase the sensors when you have more traffic. For example, the current sensors can handle up to 50 GBPS of traffic per second. If you need more traffic to be utilized, then you need to buy additional sensors to handle the traffic.

From a technical perspective, there is not much more possible, because there are some hard limits in the hardware. You cannot increase the bandwidth. They have other options to increase with more sensors, but it ultimately ends up being a cost factor.

If you have more money, you can buy more sensors and do it.

In our organization, we are an MSSP provider. We use Vectra, and our entire SOC team, which is around 20 people, uses Vectra for our MSSP. We have two customers who are also using this product. Two of the largest telecom industries in Thailand are using this product to understand their behavior as of now. The approximate number of users in those categories will be around ten.

The customer service and support are good. So far, we have not faced any issues at all.

The setup is a very straightforward process. You need to tap the network traffic at your desired point, and it has two components: a sensor and a brain. The sensor collects the logs and forwards them to the brain, which does the detection and everything. They offer a virtual appliance that you can run in your environment. 

The setup process is usually very simple. It took only two days to set up. But, initially, deciding the location of the sensor and other factors took more time. The threat team at Vectra AI engaged with us effectively, provided all the support, understood our architecture and advised us on placing the sensors.

The licensing is on annual basis. 

I would rate it at nine out of ten. The one point I'm reducing is because the model can learn itself. If no one is fine-tuning it, for example, every time we find a huge number of alerts, then only we go and look it up and fine-tune the product. 

If no one is acknowledging it or it seems like regular traffic, then the product can understand that behavior and have a feedback mechanism to correct it, mark it as a false positive, or whitelist it.

My recommendation: 

Understand your network first, and place the sensors in the correct position to receive all kinds of traffic: THC, PDNS, and all those things. If you place the sensors at the egress traffic, you may not receive some of the packets, and you will not have overall visibility. 

So the placement of sensors is very important; you need to understand your network to place them correctly.

We wanted to have an additional layer of protection. We have the standard IDSs and were looking for solutions that provide additional security features.

We are still in the deployment phase and hope to be in production mode soon.

I like the way that Vectra AI focuses on the internal network. Nowadays, most of the attackers are already inside, and they can be inside for many years before they start attacking. With normal monitoring, it's quite difficult to find them.

Vectra AI checks the behavior of the systems. It's much better than, for example, McAfee IDS, which also has some behavioral capabilities. With Vectra AI, it is possible to get some more hits.

What is most important for us is to have one place where we can manage a few brains because we are based on a zero-trust network. As a result, each customer needs to have a separate brain. For the SOC team, we need to have one place where the SOC analyst can go to visit the website and from that site manage all of the customers. Right now, Vectra AI doesn't have this capability, and I would really like to have this feature.

We have been using it for almost two years.

So far, the stability of Vectra has been good compared to that of McAfee IDS. I really like the automatic updates because I am the security engineer and responsible for the tools. I have less work to do, which is really nice.

In the beginning, when we had less throughput, the stability was quite nice, but now, we are reaching 25 GB of throughput. The current device is only capable of 20 GB. I do see some slowness, but I believe that it will be solved by the new brain.

To scale, you would need to know the data center and its average throughput to order the correct brain. We have around 13,000 IPs right now, but we're still growing. The only limitation I see with Vectra AI in terms of scalability is that we cannot have one place to manage all of the brains. Besides that, it's quite straightforward; at each site, we need to have a brain, a physical or virtual one.

Regarding technical support, I am in direct contact with a few people at Vectra. I enjoy cooperating with them. However, it hasn't gone that well with a ticket I created. We had to contact them after waiting for a few weeks. Overall, I'd give technical support a five out of ten.

Neutral

In the beginning, we had some problems because of a misunderstanding between my company and Vectra. During that time, it was quite challenging, but nowadays, everything is straightforward for us. For example, I'm planning the implementation of the new data center, and it's quite straightforward.

We have already deployed all of the sensors and brains. We are waiting for B101 because we need to have a bigger brain and also want to have one on standby. Once we receive the brains, we will deploy integrations with Vectra.

The pricing and licensing are quite straightforward because they're based on IP licenses. As a result, they are easy to count.

From a deployment and operations perspective, it's quite nice. Therefore, I'd give an overall rating of seven out of ten. However, I look forward to increasing the rating when we move into the production phase and see the real output from Vectra AI.

We use Vectra AI to sniff the network using Ixia taps so that we can identify potentially malicious activity on the network and at all points of the kill chain. What it's exceptionally good at doing is correlating seemingly unrelated events.

It's in our data center, but the versioning is controlled by Vectra. They push it out discreetly so I don't have any touch on that.

We have 89,000 concurrent IPS that we're analyzing and it's distilled it down to under 1,000 IP addresses that warrant deeper investigation. It's filtering out 99 percent of the traffic that would otherwise be noise, noise that we would never get through.

The solution captures network metadata at scale and enriches it with security information, but that's because we are using the API calls to inject our CMDB data into the brain. It speeds things up quite significantly. Being an enterprise, sometimes it can take a day or two just to find the person responsible for looking after a particular server or service. This way, the information is right there at our fingertips. When we open up the GUI, if we have a detection we look at the detection and see the server belongs to so-and-so. We can reach out to that party directly if we need to. It streamlines the investigation process by having the data readily available to us and current. Each one is unique, but typically, from initial detection to completion of validation (that it's innocuous or that there's something else is going on) it's within 24 to 48 hours

It also provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just internet gateway. It gives us visibility for when something is inside the network and it's maybe doing a lateral movement that it wouldn't normally be doing. Or if we have a system that has suddenly popped up on the network and we can see that it's a wireless router, for example, we pick that up right away. We can see it and we can deal with it. If people put unauthorized devices on the network — a wireless router from home — we can pick that up right away and deal with it.

In addition, Vectra triages threats and correlates them with compromised host devices. We can do a search based on the threat type and get the host. It streamlines things and makes it faster to get to the root cause of an issue.

And while it hasn't reduced the security analyst workload in our company, it has reduced the workload in that analysts are not having to look at stuff that absolutely means nothing. There is still a lot to do, but it has allowed us to focus better on the workload that needs to be done.

It has also increased our security efficiency. It has reduced the time it takes us to respond to attacks by 100 percent. If you're not aware of it you can't respond to it. Now, it's making us aware of it so we can respond to it, which is a 100 percent improvement.

The solution enables us to answer investigative questions that other solutions are unable to address. We will detect the fact that there is some suspicious domain activity going on — a DNS query is going out to MGAs and it really shouldn't be. The other systems are just passing that through, not even realizing that it shouldn't be happening. We see them and we can take action on them.

The dashboard gives us a scoring system that allows prioritization of detections that need attention. We may not necessarily be so concerned about any single detection type, or event, but when we see any botnet detections or a brute force attack detections, we really want to get on top of those. 

The solution's ability to reduce false positives wasn't very good, initially, because it was picking up so much information. It took the investment of some time and effort on our part to get the triage filters in place in such a fashion that it was filtering out the noise. Once we got to that point, then there was definitely value in time-savings and in percolating up the high-risk events that we need to be paying attention to.

I'd like to be able to get granular reports and to be able to output them into formats that are customizable and more useful. The reporting GUI is lacking.

I've been using Vectra for three years.

The stability is excellent.

We've had no issues so far with the scalability. Right now, it covers about 90 percent of our network. We are considering increasing the usage to incorporate it in the new cloud environments that we're standing up.

Their technical support is excellent.

I was not involved in the initial setup, but I was involved in a review of the setup when I took it over, to make sure that it is doing what it's supposed to be doing. The initial setup would have been straightforward, but it would have been very large.

The implementation strategy would have been to make sure that it got to all the places that it needed to be, and to work out a way to make that happen by getting the Ixia taps into the right locations in our enterprise.

In terms of staff from our side involved in deployment, it's web-based so there weren't a lot. Maintenance is ongoing from Vectra and they do it on the back-end. It just works. It's a black box for us.

Take time to understand how the triage filtering works and standardize it early on. Use a  standardized naming convention and be consistent.

It's a very effective tool, but if you don't pay attention to what it's telling you, then it's like anything else. If you don't use it, then it's no good. You have to trust that what it's telling you is correct and then you can take the appropriate action.

For the most part, the users who log into it in our company are people on the security operations team. It's pretty much a closed tool. Access is limited to the people in the security center of excellence.

In terms of the solution's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation, we don't use it that way. We've set up enough triage filters over the course of the last year-and-a-half to get all the noise out of the way; stuff that is either innocuous or really isn't bad. Then we're focusing on what's left, which is typically, for lack of a better term, the bad stuff or the stuff that we need to pay attention to.

Regarding the solution's privileged account analytics for detecting issues with privileged accounts, we've used it, but not to the extent that we would like to. We just don't have enough manpower to be able to do that at this point. But it's important because we can see when an account is doing something that it shouldn't be doing, or that it doesn't normally do, or that it's connecting to a place that it doesn't normally connect to, or that it's escalating its privileges unexpectedly. We see all that and then we can respond accordingly.

The Detect platform that we have is on-prem. We have what's called "the brain", then we have sensors placed in different key/strategic areas in the organization. It is helping us do a lot of the monitoring. We also have some SaaS offerings from the Recall platform, which look at some of the metadata, etc. If we were doing things like incident response, it gives us a bit more granular type of information to query. However, the Cognito Detect platform is all on-prem.

We are using the latest version.

We had a gap where we didn't necessarily have a managed service, which we do today, but at the time we needed something that would help us detect malicious behavior and anomalies within the organization. We found that Vectra solved this. We were able to find issues within minutes or hours of them occurring, then we were able to action them rather quickly.

Some of the metrics that we try to show from an incident response perspective are the effectiveness of our controls, like mean time to detection and mean time to remediate. E.g., mean time to detection shows how quickly the organization detects it from when it first occurred, then determines the remediation aspect as well. We take those numbers and correlate them back to how effective our tools are in our organization. Vectra's really helped in the sense that our mean time to detect is within zero the majority of the time, meaning that from the time we detect it to the time it occurred is within zero days. This promotes how effective our controls are.

When we get an alert, we're not wasting hours or so trying to determine if, "I need to find more logs. I need to correlate the data." We're getting actionable data that we are able to action on right away. I have found value in that.

We can find things quickly that users shouldn't have been doing in the organization. Simple things, e.g., all of a sudden we have a user whose exfiltrating a lot of gigs of data. Why are they doing that? We found value there. My very small team does not have to waste cycles on investigating issues when we get a good sense of exactly what is occurring fairly quickly.

We have the solution’s Privileged Account Analytics. We have seen detection on certain cases, and it's been good. It actually is a good feature. We already have an organizational approach to privileged accounts, so we have seen a few detections on it but haven't necessarily seen abuse of privilege because of the way our organization handles privilege management. We are an organization where users don't run with privilege. Instead, everybody runs with their basic user account access. Only those that need it have privileges, like our IT administrators and a few others, and those people are very few and far between. 

If we are investigating something, we may be investigating user behavior. Using the metadata, we can find exactly, "What are all the sites he's going to? Is he exfiltrating any information? Internally, is he trying to pivot from asset to asset or within network elements?' Using that rich set of information, we can find pretty much anything we need now. 

The solution provide visibility into behaviors across the full lifecycle of an attack in our network, beyond just the internet gateway. It augments what we are doing within the organization now. Being able to discover/find everything that is occurring within the kill chain helps us dive down to find the root of the problem. It's been beneficial to us because that's a gap we've always had in the past. While we may have gotten an alert in a certain area, trying to find exactly where it originated from or how it originated was difficult. Now, by utilizing the information that Vectra produces, we can find exactly what the root cause is, which helps with discovering exactly how it originated in the first place.

With a lot of the detections or things that are happening, I would not say they're necessarily malicious. Where I find it very valuable is that it gives us an opportunity to understand exactly how users are sometimes operating as well as how systems are operating. In a lot of cases, we have had to go back and reconfigure things because, "Oh, this was not done." We realized that maybe systems were not setup correctly. I really liked this aspect of the solution because we don't like false positives. We don't want Vectra to produce things that are just noise, which is something that it doesn't do. 

Vectra produces actionable data using automation. That has helped us. It's less manpower now to look at incidents, which has definitely increased efficiency. Right now, in a lot of cases, our mean time to detection is within zero days. This tells me by the time something happened, and we were able to detect it, it was within the same day.

It gives you a risk score of everything that you just found. The quadrant approach is useful because if there are things in the lower-left quadrant, then we don't necessarily need to look at them immediately. However, if there's something with a high impact and high risk score, then we will want to start looking at that right away. We found this very valuable as part of our investigative analysis approach.

The solution’s ability to reduce alerts by rolling up numerous alerts to create a single campaign for investigation is very good. Once it starts adding multiple detections, those are correlated to a campaign. Then, all of a sudden, this will increase the risk score. I've found that approach helps us with understanding exactly what we need to prioritize. I find it very useful.

The amount of metadata that the Recall solution produces is enormous. What we can find from that metadata is exceptional. Once you get to know how to use the tool, it's much simpler and more intuitive to use when finding information than using a traditional SIEM, where you have to build SQL type commands in order to retrieve data. So, I do find it very valuable.

I would like to see a bit more strategic metrics instead of technical data. Information that I could show to my executive management team or board would be valuable. 

I would like to see some improvements on the integration aspects of it. They are getting better in this. However, most organizations have a plethora of cybersecurity solutions that they run, and I think that there is a bit more that could be done on the integration side. 

About four years.

The stability is good. I don't think we've ever had an issue with it at all. I don't think I've ever seen it misbehave, crash, or anything like that.

It is continuously updated. Whenever they release a new patch or updates, they push it to the brain (the centralized management).

We have never seen an issue from a scaling perspective. It is not an issue for us.

We have a team of less than four people. We don't really have a Tier 1 or Tier 2. We just have people working in cyber.

There are areas where we would like to increase our capabilities. We have 100 percent visibility for anything leaving the organization. There are some areas within the organization where we would like to monitor some of the internal workings. One of the places where we are looking to expand is into our OT segment. We do have a path for where we would like to see this go.

They are very competent and good. They are always able to solve problems.

A few years ago when we were looking at this, we had a gap in the organization. We didn't have like a managed service offering. We had an on-prem SIEM, but we didn't have a large team so we didn't have resources fully dedicated to looking to see threats and correlating them with other event logs to see exactly what was occurring. The reason that we didn't have a managed server previously was cost. Therefore, we looked for alternative ways to solve the gap, lower the resource count, and be able to automate and integrate within our enterprise solutions.

It was pretty straightforward. You can plug the appliances in, whether it is into a switch, router, or some other demarc point from a SPAN port, then you let it learn. That is it. There's nothing really you have to do.

Our deployment took days at most. Once you configure it, you just let the system learn. Usually, within a week, it starts to detect things. For it to be effective, it needs to know what the known baseline is.

You plug it in, let it learn, and it's up and running.

We saw ROI within the first six month due to the reduced impact on our staff and we have been deploying it for years. 

Vectra has absolutely reduced security analyst workload in our organization. This was the real thing that we were trying to find: How can we do this? With a small team, it is very hard. We have a small team with a large stock of solutions. Therefore, we were looking for the best way to reduce the amount of manual effort that's required for an individual. We've found Vectra has significantly reduced the workload by probably 200 percent for our staff.

We looked at NextGen traffic analysis type of solutions, like Darktrace. Then, we looked at Vectra. I found Vectra was a bit more intuitive. I think both products had some really good offerings. What really helped us make a decision was we were trying to find things that help us produce actionable items. I liked Vectra because the one thing it was trying to do is it was show you exactly what is happening in the kill chain. The whole premise behind it was, "These are things that are actually occurring in your network, and they're following a specific pattern." I really liked it because in my view it was very actionable and automated.

I don't want to have to spend cycles on things on unnecessary things. One thing I found with Darktrace was it produces a lot of good things, but it's too much in certain cases. Whereas, I like the way Vectra tells you exactly the things that are happening right now in your network, then groups it based on exactly what the type is, providing you a risk score.

Also, it did seem like it was like a resource built into a box with AI capabilities. I found that the amount of effort we have to spend on analysis from it is a low cost to us. Vectra just fit in well with my team mandate.

I found Darktrace was a bit more noisier than Vectra. Sometimes, when you deal with products like this, the noise is time and effort that you may not necessarily have.

Once we started to do the PoCs, we ran Vectra in certain use cases with the sense of, "Okay, let us know exactly what's kind of going on within the network." What we found in a lot of cases is, and these weren't just cybersecurity incidents that were occurring, and Vectra gave us a good sense of how a lot of our solutions were operating. We ended up finding out, "This is exactly what this solution may be doing. Maybe there is a misconfiguration here or there."

There was no complexity with Vectra; it is very simplistic. However, for the tool to be effective, you want to make sure that you place your sensors in appropriate places. Other than that, you let the tool run and do its thing. There's really no overhead.

I would probably rate it as a nine or 10 (out of 10). We have been extremely happy with the solution. It's been one of the best solutions we have in our enterprise. I would put it at the top of the list.

Our main intention was to see what type of visibility, in terms of detections, Vectra could give us. 

We use it on both our manufacturing perimeter and at the internet perimeter. That's where we have placed the devices. We have placed it across four sites, two in UAE and two outside UAE.

What we have seen over the course of the three to four months it has been in place is that it has not found anything bad. That's good news because nothing specific has happened. But we have identified a lot of misconfigurations as well as some information on how applications are working, which was not known earlier. The misconfigurations that became known because of Vectra have been corrected.

It has given us the opportunity to understand some of the applications better than we had understood them before because some of the detections required triage and, while triaging, or in that investigation, we found how applications work. That is one of the main benefits.

We did a red team penetration exercise and almost all the pen activities were picked up by Vectra. That is another big benefit that we have seen through the deployment of the device.

Apart from the network traffic, a lot of the privileged accounts get monitored. It focuses on the service, the machine, and the account. We have seen many of the privileged accounts flagged with alerts whenever they're doing any activity which they do not normally do. We can see that it is the admin accounts or our support team accounts where the activity is happening. It is important because any privileged access which sees increased activity becomes a cause for suspicion. It's something that we need to be watchful for. It's a very useful feature because a privileged account can propagate more easily than an account that is not privileged.

These are all examples of the kind of information which is of great value, information that we didn't have earlier.

The detections, as well as the host ratings, allow us to focus in cases where we are pressured for time and need to do something immediately. We can focus on the critical and high hosts, or on the detections that have a very high score. If you do a good job in the rules and policy configuration, the alerts are not too numerous. A person can easily focus on all the alerts. But as of now we focus on the critical, high, and medium. The scoring and the correlation really help in focusing the security operations.

While I wouldn't say Vectra AI has reduced our security analyst's workload, it allows him to focus. It's a new tool and it's an additional tool. It's not like we implemented this tool and removed another one. It doesn't necessarily reduce his total time, but what it definitely does is it allows him to prioritize more quickly. Previously, he would be looking at all the other tools that we have. Here, it allows him to focus so things of serious concern can be targeted much faster and earlier. The existing tools remain. But Vectra is something to help give more visibility and focus. In that sense, it saves his time. Vectra is very good for automated threat-hunting, so you get to pick out things faster. All the other tools give you a volume of data and you have to do the threat-hunting manually.

Also, the technical expertise required to do the hunting part is much less now, because the tool does it for you. I wouldn't say that it has moved work from tier 2 to tier 1, but both of them can use their time and efforts for resolving problems rather than searching for actual threats. You cannot do away with tier 2 people, but they can have a more focused approach, and the tier 1 people can do less. It reduces the work involved in all their jobs.

In addition, it has definitely increased our security efficiency. The red team exercise is a very clear-cut example of how efficiency has been enhanced, because none of the other tools picked these things up. Vectra was the only tool that did.

It makes our workforce more efficient, and makes them target the actual threats, and prioritizes their efforts and attention. Whether that eventually leads to needing fewer people is a different question. Quantifying it into a manpower piece is probably more an HR issue. But improved efficiency is definitely what it provides. If I needed three or four tier 2 people before, I can manage with one or two now.

And Vectra has definitely reduced the time it takes us to respond to attacks. It's a significant reduction in time. In some cases, the key aspect is that, more than saving time, it detects things which other tools don't. It helps us find things before they actually cause damage. The other tools are more reactive. If your IPS and your signatures are getting hit, then you're already targeted. What Vectra achieves is that it alerts us at the initial phase, during the pre-damage phase. During the red team exercise we had, it alerted us at their initial recon phase, before they actually did anything. So more than saving time, it helps prevent an attack.

The solution's ability to reduce alerts, by rolling up numerous alerts to create a single incident or campaign, helps in that it collapses all the events to a particular host, or a particular detection to a set of hosts. So it doesn't generate too many alerts. By and large, whatever alerts it generates are actionable, and actionable within the day. With the triaging, things are improving more and more because, once we identify and investigate and determine that something is normal, or that it is a misconfiguration and we correct it, in either of these two instances, gradually the number of alerts is dropping. Recently, some new features have been introduced in the newer versions, like the Kerberos ticketing feature. That, obviously, has led to an initial spike in the number of tickets because that feature was not there. It was introduced less than a month back. Otherwise, the tickets have been decreasing, and almost all the tickets that it generates need investigation. It has very rarely been the situation that a ticket has been raised and we found that it was not unique information.

Also, we have seen a lot of detections that are not related to the network. Where we have gained extra value in terms of the internet is during data exfiltration and suspicious domains access.

The detections focus on the host, and the host's score is dependent on how many detections it triggers. We have seen with many of our probing tools, without triaging, that these hosts pretty quickly come into the high-threat quadrant. Its intelligence comes from identifying vulnerable hosts along with the triaging part. That's something that we have seen.

One thing which I have found where there could be improvement is with regard to the architecture, a little bit: how the brains and sensors function. It needs more flexibility with regard to the brain. If there were some flexibility in that regard, that would be helpful, because changing the mode of the brain is complex. In some cases, the change is permanent. You cannot revert it. I would like to see greater flexibility in doing HA without having to buy more boxes just to do it.

Another area they could, perhaps, look at is with OT (operational technology) specifically. Vectra is very specific to IT-related threats. It really doesn't have OT in its focus. We are using another tool for that, but maybe that is another area they can consider venturing into.

It's being used by my team of four or five people. Once we hand it over to operations, then the team size will increase significantly. It will grow to about 10 to 15 people.

We have been using Vectra AI four about four months.

Stability-wise, we've not had any issues, although it has only been three or four months. We had some slight bugs in there, bugs that were related to the triaging and how we used the conditions. But stability-wise, we've had no problem. 

There were some software issues, bugs, but then nothing major. There were minor cosmetic and syntax-based issues while raising the conditions. Apart from that, no issues with the stability.

Currently we are in the process of expanding it to two more remote sites. One is in West Africa, in Guinea, and another one in the U.S. Those are more recent deployments, in place less than a month. We are in the process of creating the policies, and triaging, and investigations for those. That's ongoing. With those sites, the benefit realization is still pending because we just started the traffic loading.

The scalability part is where the architecture comes in. That's one of the areas for improvement that I would like to recommend. Unless you have dedicated brains doing anything other than brain functions, it doesn't become scalable. If you have a brain in mixed mode, your scalability is limited. Also, the brain's capacity gets reduced based on its function, so if it's in mixed mode, the capacity is less. If it's in brain mode, the capacity is more. If it's in sensor mode, the capacity is different. It makes scalability difficult. Unless you go for two big brains with your highest capacity device and then you keep adding.

When I spoke to our internal success team at Vectra, they mentioned that this is something that they're planning to fix in the near future with an upgrade.

Whenever we have raised issues we have gotten timely responses. Getting support is fairly easy compared to some of the other technologies that we have. A simple email is sufficient to get attention from their support team. They have a remote access feature wherein we don't necessarily have to give a WebEx. We just simply enable the remote access on the device, and the remote team can log in, and have a look, and understand what the problem is.

The problem was the architecture. Once we arrived at an architecture, it was simple. What takes time is to build the architecture plan because of the way the brains work. We had to agree on a design. Once you agree on the architecture, the implementation is pretty straightforward.

The initial architecture design took some time, a week or so. The implementation was done within a day.

Our implementation strategy was to have an HA setup for each site. We put two brains into mixed mode, but then we found out that if we put it in mixed mode, HA is not possible. So we set it up as a standby and we configured manual scripts to transfer the file from one brain to the other brain. That's how we are managing it now. If we want to go live on the standby brain, we just import the configuration and go live, if there is a failure.

It's a little bit manual process for us. If it has to be automated, I believe the brains cannot be in mixed mode. That was where we faced the initial problem, I mean, for the architecture part. So we have two brains configured in mixed mode and we have a couple of sensors on the OT side, sensors that are talking to these brains. The sensors are there in the OT connectivity, the active or standby firewalls, and this is repeated on the other site as well.

Two or three people are enough for the deployment. They should have a sound understanding of the network and an idea of how the architecture and the applications function. One person from the architecture team and one person from the network or security team are sufficient to understand how to get maximum utilization from Vectra.

In terms of visibility and security improvement, we have definitely seen a return on our investment.

We have a one-year subscription that covers support and everything. There is no other overhead.

We evaluated Darktrace, in addition to Vectra, each in a PoC. We chose Vectra because the things that Vectra picked up were far more useful, and necessary from an enterprise point of view. Darktrace was a bit noisier.

One thing we have learned using Vectra is that anomaly detection is a critical component of security; a non-signature-based technology is very critical. It helps pick up things that other tools, which are more focused on active threats, will miss. That is one major lesson that we have picked up from Vectra.

My advice would be that you need to focus, because the licensing is based heavily on IPs and area of coverage, although predominantly IPs. You need to have a very clear idea of what areas you want to cover, and plan according to that. Full coverage, sometimes, may not be practical because, since it's a detection tool, covering everything for large organizations is complicated. Focus on critical areas first, and then expand later on.

Also, the architecture part needs to be discussed and finalized early on, because there is a limited flexibility, depending on which model you choose to take.

The solution captures network metadata at scale and enriches it with security information, but the full realization of that will come with Cognito Stream, which we have yet to implement. Right now we are on Cognito Detect. Cognito Stream is something that we are working on implementing, hopefully within the next month or so. Once that comes online, the enriched metadata will have greater value. As of now, the value is there and it's inside Vectra, but we don't see that information — such as Kerberos tokens, or certificates, or what the encryption is — unless it leads to a detection. Only in that event do we currently see that information.

The Cognito Stream can feed into our SIEM and then we will have rich information about all the metadata which Vectra has in our data lake.

We use Vectra AI to detect incidents because we have offices in 50 countries and 30 to 40 sensors around the world.

We want to be able to have a sensor or a foothold in as many offices as possible, and Vectra AI helps us achieve that goal.

Vectra AI helps us to have more visibility in terms of what happens in our network and the network at large. It increased our understanding and our ability to respond and clean up.

In terms of valuable features, I like the ability to record the traffic and the metadata in the traffic. I also like the ability to rewind the past and be able to understand what happened. Some of my colleagues like the ability to investigate incidents.

Vectra AI has had a positive effect on the productivity of our company's top teams. They use it a lot to understand what's going on. However, we still need to teach people how to use it to its full potential because it's quite a complicated product.

The Sidekick MDR service is quite important to our organization’s security monitoring and management. The Sidekick team is able to give us the ins and outs of what's going on with some incidents. They are able to triage and help us to focus on a particular part of detection. They also gave us advice on how to configure some parts of the product. The two people I worked with from the MDR service are really good at what they do, and it's quite nice to work with them.

The UI/UX and detection could be improved. More detections of specific security events could be useful. We've had a few incidents that were not detected by Vectra. The teams are working on it right now, but more detection is always better.

Vectra AI is quite good at threat detection, however, it cannot respond to threats and attacks in real time by itself. It has to have plugins with other components, such as EDR or other software, to be able to respond properly. By itself, Vectra AI cannot do much, but it's powerful enough to pilot other software.

I've been using Vectra for nine months now.

Vectra AI's stability is quite good.

Scalability-wise, we have many sensors, and Vectra AI seems to handle them all very well.

We have 30,000 devices across 50 countries with close to 2,000 offices. It's an enterprise-scale environment, and Vectra AI has not had any issues.

The engineer who deploys Vectra at my company seeks perfection, and he wasn't happy with everything. However, Vectra's technical support staff handled all of his requests quite well. I would rate them an eight out of ten.

Positive

The product is quite good, and we have a good relationship with the customer success managers and other teams as well.

Overall, I would rate Vector AI an eight on a scale from one to ten with ten being the best.

We use it to monitor what is happening on our network, especially to protect our network from malicious activity.

We also have the sensor into Office 365, so we can also monitor everything that is happening in there.

At the moment, we use it to monitor all our endpoints.

The solution's Privileged Account Analytics for detecting issues with privileged accounts is critical for our organization. Because of risk, we scan our entire network. We have a lot of segmented networks where clients can almost do nothing. If we just look into everything, then sometimes there is a bit of noise. When you select your privileged hosts or accounts, you can see how many things are left over and which are the most critical that need to be solved as soon as possible.

It notifies us if our Office 365 has been compromised. Even after business hours, I get personal emails. This is a temporary solution because we are working doing repetitive alerting, but that's a work in process. We are working on an integration with our authentication system that will be able to detect an account or device. We want to automate that process so the account will be locked out for a period of time.

Vectra is a detection system on top of our protection system. We do a lot of protection on our network, but that protection is a configuration based on human interaction, where there can also be human faults or errors in the system. 

The solution captures network metadata at scale and enriches it with security information, e.g., we have sensors for Symantec antivirus and our virtual infrastructure. We are looking into extra sensors for enabling some things from Microsoft Defender. We integrated it into our Active Directory so we can do some user correlations, etc. It enriches the metadata on hosts and accounts, but that is mainly informative. It is good for us when making a final decision about some detections.

It has helped us to organize our security. We get a better overview on what is happening on the network, which has helped us get quicker responses to users. If we see malicious activity, then we can quickly take action on it. Previously, we weren't getting an overview as fast as we are now, so we can now provide a quicker response.

The visibility is much greater because of the behavior analysis and details that sometimes we have to put into it. On the firewall that we already have, sometimes we do manual lookups and check if everything is okay, then do research into it. Now, we put less effort into trying to manually do things to ensure that we have a good security model. We can see more how behavior changes with time, but that also requires us to put more time into the solution.

The solution gives us a baseline for users and their behaviors. We are able to establish which users have risky behaviors, then reach out to them and recommend better ways of doing things.

The hosts are critical hosts, which are really good when used to look up things as fast as you can because these could be very risky situations. Furthermore, within detections, we try to clean up a lot of things that are low in priority. It is same thing for the accounts within Office 365: Everything that is critical has to be solved as fast as possible.

The triaging is very interesting because we can do more with less work. We have more visibility, without too many false positives. It is a work in process because there are a lot of clients in the network, and everything has to be researched to see if it is valid, but most alerts and detections are solved with a bit of triaging.

The interface is very intuitive and easy to use. It gives a good overview, and it is important to understand what is happening on the network.

The integration within our virtualization infrastructure allows us to see the traffic that is going between virtual machines, even within our host. That gives us a lot more insights.

The solution’s ability to reduce false positives and help you focus on the highest-risk threats is mostly good. It is still a bit of work in process, but I can give feedback to the company from the help desk. There is follow-up from the Vectra team who follows it closely. We can also give a lot of inputs to make it still a better product. It's already a very good product, but in comparison with a lot of systems I used in the past, the false positives are really a burden because they are taking a lot of time at this moment.

The Office 365 integration is still a pretty new feature. I also have seen some improvements, and they email us with every step in the improvement process. I think that this integration will grow.

Every area has room from improvement. Security is an ongoing process. It is important for Vectra to keep updating their system based on new behaviors.

We would like to see the combination of the cloud with on-premise, e.g., what's happening in the cloud versus what's happening in the on-premise situation. If there is a phishing mail in the cloud, then the phishing mail comes in and a colleague clicks on that mail. Normally, it would be blocked by the system. However, when it's not blocked, then there can be malware on the system locally. We think it's important to get the integration of what's happening on Office 365 with phishing mails. 

Sometimes, it is a bit noisy on the dashboard because all the systems are on one field. On the dashboard, we have a complete overview of high, medium, and low risks. However, it would be more interesting for us if they could split that dashboard into high, medium, and low devices. For example, there is a dashboard on a device with a complete overview specifically for high-risk.

It has been operational for a few months.

It runs very smoothly. It is stable.

We haven't had any issues in regards to the stability or performance. The interface works very quickly. There is no latency on the traffic.

It scales well. 

For end users, we have about 10,00. On the administrative side, there are five to 10 system admins who use the information from the system for configuration and monitoring tasks.

The technical support is very good with fast responses. They reach out if they see there might be more questions. So, if you have a simple question, it could be that they elevate it to a more complex question to see what you really mean.

Seeing all the malware reaching out to CMC services from within our network, we reach out to those people via the help desk, and tell them, "Maybe you can scan this or that because those systems are managed by us." We get a lot of thanks from those people, which are often saying, "I did have some strange behavior on our systems, but I didn't know what it was. I wasn't doing anything about it, but thank you. It helps when you scan it, and the system is running better at the moment." In a completely unmanaged network with a lot of devices bring your own devices), it helps everybody.

The way that we can work with support to add feature requests is very interesting because it is an evolving world.

We didn't have a solution like Vectra previously.

The initial setup was completely straightforward. I didn't need any help. They delivered the device within the first weeks of COVID-19. The system is preconfigured from Vectra. I placed it in the server home, configured the network, and moved the Internet traffic out of the mailboxes, then I put it onto network so it was visible. In 30 minutes to an hour, everything was running.

We can sleep better.

As long as there is no full cycle attack, we will earn our money back.

Efficiency increased. There is less technical work to be done to ensure that nothing is happening from threats. Now, the system gives us the transparency that we need.

The solution has reduced the time it takes us to respond to attacks. In the past, it was difficult to know if something was happening because we didn't have an overview. Now, we know it very quickly because we have an overview of what is happening.

The pricing is high. 

Darktrace was also pricey.

We also evaluated Darktrace. We made a decision to stop testing Darktrace very early on, so it is difficult to compare to Vectra.

We chose Vectra because of the solution's simplicity; it is more straightforward. Also, we liked Vectra's support, visibility, and implementation. The solution comes to a conclusion within Vectra about some detections. It was easier to find the technical details which were interesting without looking too deep. The correlation was good too. At the end of the proof of a concept, Vectra added some extra features. However, for finding the way into the system, it took us a lot more time. 

We found that Vectra enables us to answer investigative questions that other solutions are unable to address. They provide a checklist regarding what we can do about detections. Because of this visibility, we don't have to do more investigations. 

We have other systems, like Office 365, which do behavior analysis and some signature behavior analysis. However, Vectra does not gives that many false positives in comparison with other solutions. Also, we are now able to see the entire network and cloud.

If you are looking into this type of solution and have the money, then you certainly need to look into Vectra.

The campaigns are interesting when looking at the beginning of a campaign. The scope of false positives is a real issue in a network that continuously has a lot of new hosts, but we can cope with it. We have given some feedback to the help desk regarding coping with this matter.

We hope that we can keep it so we don't see a complete lifecycle of an attack.

We are planning to use more features of the solution in the future, e.g., automation. We also want to integrate it with more advanced client security features.

I would rate this solution as an eight of 10. There is still a lot of development going on with it.

Vectra AI sits across our entire estate, we have an outsource provider for a lot of our backend systems. It sits in theirs and it sits in our own estates. It's deployed across our other numerous offices across the country. It sits across our entire state.

We don't have very much in the way of IDS or IPS on our estate, so we're relying on Vectra AI to do that sort of work for us. We're allowing that to look at our traffic and to flag up to us on our system. It helps my analysts investigate other things. We might get other alerts in the estate, Vectra AI is one of the first tools that they'll jump onto, to do further investigation of alerts that are raised up to them. It's a really good tool, not just for what it throws up, but for us to dig into our network as well.

What is pretty good is the unknown unknowns. It's the anomalies to the norm and the intelligence behind it that helps us to dig through a mountain of data and find the stuff that's important to us.

It allows us to understand what our normal traffic is, then pulls out the anomalies for us. For instance, a recent use case of it would be that it suddenly picked up that a file transfer was happening out of our estate that we weren't aware of. It hadn't been there before. There was a file transfer that suddenly appeared, that was actually in our estate that hadn't been there before. We would never have been able to see that normally, it's just that Vectra AI saw it. It was okay, it was going to a third-party and it allowed us to investigate it and find it but we would never have seen that without a notification. It understands what should be happening and then usually says "This isn't normal," and it allows us to flag it up and dig deeper into that.

It is very good at reducing alerts by rolling up numerous sellers to create a single incident or campaign for investigation. Although it doesn't reduce, it actually increases our alerts because we wouldn't have seen the stuff in the first place, but when it does create an alert, it pulls all investigative information together. We're not getting hundreds of alerts, we're getting alerts that contain all of the relevant components.

Vectra AI captures network metadata at scale and enriches it with security information. Although, we don't make the most of that, but we've never had a problem with its captures and it captures the correct data for what we want it to do. I think we could be using it better.

The information affects investigations by our security team by allowing them to be more effective and quicker in their investigations.

Vectra AI provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. Although, we found it's flagging up early, so it's not developing to that further stage of that because it's flagging up at an early stage.

Its ability to reduce false positives takes quite a bit of tuning. We've had to put a lot of effort into tuning out false positives, so that's something that we've had to invest our time into. Obviously it's getting better and better as time goes on, but we still have to spend time tuning it.

We've seen our tuning has lessened those processes, but we're still getting more than we would want. That's probably some of our fault. It could be some issues with the way it's set up in certain areas. But, once we tune them out, they're staying tuned out.

It hasn't reduced the security analyst workload in our organization but that was never the purpose of it for us. It's an additional tool in our armory, so it hasn't reduced our workload, but it's made us more efficient.

It makes the team more efficient in speed of response. I would say it makes them more efficient in the breadth of their coverage of what they can respond to. It makes us have a more proactive response to incidents.

It has reduced the time it takes to respond to attacks. That comes back to the proactive point. It makes us able to lower down in the kill chain. We can react now, rather than reacting to incidents that happened, we can see an instant, in some cases, as it's being implemented, or as it's being launched.

It's not all attacks, but I would say that it's a shift less on the material chain. It's things that we might not even have spotted if it hadn't been for Vectra AI, so it's difficult to know how we would quantify that as an amount.

The false positives and the tuning side of it are some things that could use improvement but that could be from our side. 

I don't want to criticize the product for performance with our role out of it. It does what it says it's going to do very well. We've got issues with the way we've deployed it in some places, but the support we've had in that is very good as well, so I'm very happy with the support we get.

My company has been using Vectra AI for three years. I've been here for eight or nine months now, but the company has just been using it for three years.

We've had absolutely no issues with stability at all.

Scalability is obviously based around the size of the clients that we have. We have had some issues around scalability but that's only because when it was implemented before my time but I know it is scalable. Obviously, we have to put some thought into that, some planning into that from our side, but it is limited on the size of the boxes. To summarize, yes, it is scalable, but it needs planning.

We have four users who use it in my company who are cybersecurity analysts.

Vectra AI is on everything apart from the clouds. Now we're on a journey towards more and more cloud. At least 70% of our company is covered by it. 

We do have plans to increase usage. We want to move to the cloud. 

The support is excellent. We've had really good technical support from Vectra AI all the time. We have very regular catch-ups with them. They always pick the right people to do the calls, and we even have deep-dive sessions with our analysts with them and provide us with training. They've been excellent.

We didn't have anything in place before Vectra AI. 

I have used another solution in the past. I used Darktrace where I was before. It compares very favorably with Darktrace. I wouldn't say it was any better or worse.

The UI is quite different, but apart from that, there are obviously slight differences in the analytics behind it, but I'd be struggling to say that one of them was better than the other. They both seem to do what I do well. Vectra AI is a little bit more honest about their capabilities than Darktrace is.

I don't think Vectra AI enables us to answer investigative questions that other solutions are unable to address. I know that there are other solutions that could do it as well. They're as good as everything else out there, but I wouldn't go and say they're massively better. The thing that sells it for me is that the support has been very good. That's one of the bits that keeps me with them.

ROI depends on how you quantify that in security. It's really difficult to quantify what you find to a monetary value. We do see a return on investment because it's a good tool that we're using well and it's helping us to keep the company secure. It's really difficult to quantify a monetary value on that or say that you've got return on your investment. I wouldn't want to be without it. You can't put a price on security.

They compare very favorably against the competition in terms of price. Nothing in this area is cheap. There is a lot of value in the products that you're buying, but they have come in at the right price for us in comparison to others. I would say that they're competitive in their pricing.

My advice would be to make sure it is planned and deployed properly. That's a problem with my organization, not a problem with Vectra AI. Otherwise, if you don't build it to the specifications that you were told to, you're going to spend your whole life trying to fix a problem that shouldn't be there. My advice would be the plan and implement as per the plan.

I would rate Vectra AI a nine out of ten.