CIO at General Transmissions
Real User
Good filtering capabilities, simple to implement, and has helped to stop some attacks
Pros and Cons
  • "The automatic filtering that they provide is valuable. The logic inside that makes some detections instead of us is very useful. We are confident that if we are just looking into it and there is nothing, nothing could happen."
  • "We are using SMB 3.0, which is an encrypted protocol. When we get some alerts or something, we cannot go deep into the protocol to see what's wrong because it's encrypted. We need to decrypt the protocol in another way, which is quite difficult. We might go back to SMB 2.0 just for this reason, but that's not a good solution."

What is our primary use case?

We wanted something to understand what's happening on the network of the company, and we wanted something to protect us against attacks and cyber activities. We wanted visibility into our network and all the threats that we're facing.

How has it helped my organization?

It has helped improve our mean time to identify, but I don't have the metrics on time savings because we didn't have anything for that previously.

It hasn't had any effect on the productivity of our organization’s SOC, but it has had a great effect on security.

In terms of the effect of Vectra AI Attack Signal Intelligence for empowering security analysts within our organization to take intelligent action, we are looking at the right risks and nothing more. We save some time for sure, and we empower our security with it. Previously, we couldn't see anything, but now, we are seeing some of the things, and we have already stopped some attacks with it.

What is most valuable?

The automatic filtering that they provide is valuable. The logic inside that makes some detections instead of us is very useful. We are confident that if we are just looking into it and there is nothing, nothing could happen. That's great.

It's simple to implement. It's simple to analyze. The dashboard is very smart and clean. It's very easy to check something. There are a lot of tools to analyze the detections. It's great.

What needs improvement?

We got two problems that couldn't be solved because of the philosophy of the product. We are using SMB 3.0, which is an encrypted protocol. When we get some alerts or something, we cannot go deep into the protocol to see what's wrong because it's encrypted. We need to decrypt the protocol in another way, which is quite difficult. We might go back to SMB 2.0 just for this reason, but that's not a good solution.

We did some penetration tests and tried to get some hashes or encrypted passwords from Active Directory. Those hashes didn't provide alerts into Vectra. Vectra doesn't survey them, which is quite problematic because it's a very common attack. They said that it's not the only aspect that would come with that kind of attack, but when somebody tries to get a lot of hashes, we would like that there is an alert because that seems like the start of an attack.

For the hashes issue, it could be very easy for them to make the improvement. They can just change a rule, and that's it, but for encrypted protocols, it could be trickier.

Buyer's Guide
Vectra AI
March 2025
Learn what your peers think about Vectra AI. Get advice and tips from experienced pros sharing their opinions. Updated: March 2025.
842,690 professionals have used our research since 2012.

For how long have I used the solution?

We have been using this solution for two to three years.

What do I think about the stability of the solution?

There is no problem with stability. Sometimes, alerts can come later. For example, for Office 365, we got the alert one day late, but the problem was coming from the Microsoft side.

What do I think about the scalability of the solution?

We just have one, and that's enough for our needs. Its scalability is good for us because we just have one with multiple probes at the same cost, so that's fine for us.

How are customer service and support?

Their support is very good. They have knowledgeable people with great knowledge of cyber security and cyber risks. I'd rate them a 10 out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We weren't using any solution before. We went for Vectra AI because we wanted something to have visibility. We were completely blind to what could happen on the network. With Vectra AI, we aren't so blind.

What was our ROI?

We stopped some attacks. An attack could cost a lot more than the cost of Vectra. For example, we got an attack before that cost us $100,000. So, Vectra's cost is not so high. The cost of an attack could be worse. If we got encrypted data, it could be worse because we would have to stop the factory, which would cost a lot.

What's my experience with pricing, setup cost, and licensing?

Its cost is too much. It's an investment that we can afford. It's a lot, but it's worth it.

Which other solutions did I evaluate?

We evaluated Darktrace and one more solution. We also evaluated some SOC and SIEM systems, but we found Vectra AI to be better in comparison to other solutions. It was simple to implement and analyze.

What other advice do I have?

I'd rate Vectra AI a 10 out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Operations Specialist at a tech services company with 1,001-5,000 employees
Real User
Filters out the noise and streamlines the investigation process and our ability to get to root cause
Pros and Cons
  • "The dashboard gives me a scoring system that allows me to prioritize things that I should look at. I may not necessarily care so much about one event, whereas if I have a single botnet detection or a brute force attack, I really want to get on top of those."
  • "I'd like to be able to get granular reports and to be able to output them into formats that are customizable and more useful. The reporting GUI is lacking."

What is our primary use case?

We use Vectra AI to sniff the network using Ixia taps so that we can identify potentially malicious activity on the network and at all points of the kill chain. What it's exceptionally good at doing is correlating seemingly unrelated events.

It's in our data center, but the versioning is controlled by Vectra. They push it out discreetly so I don't have any touch on that.

How has it helped my organization?

We have 89,000 concurrent IPs that we're analyzing and it's distilled it down to under 1,000 IP addresses that warrant deeper investigation. It's filtering out 99 percent of the traffic that would otherwise be noise, noise that we would never get through.

The solution captures network metadata at scale and enriches it with security information, but that's because we are using the API calls to inject our CMDB data into the brain. It speeds things up quite significantly. Being an enterprise, sometimes it can take a day or two just to find the person responsible for looking after a particular server or service. This way, the information is right there at our fingertips. When we open up the GUI, if we have a detection we look at the detection and see the server belongs to so-and-so. We can reach out to that party directly if we need to. It streamlines the investigation process by having the data readily available to us and current. Each one is unique, but typically, from initial detection to completion of validation (that it's innocuous or that there's something else going on) it's within 24 to 48 hours.

It also provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just internet gateway. It gives us visibility for when something is inside the network and it's maybe doing a lateral movement that it wouldn't normally be doing. Or if we have a system that has suddenly popped up on the network and we can see that it's a wireless router, for example, we pick that up right away. We can see it and we can deal with it. If people put unauthorized devices on the network — a wireless router from home — we can pick that up right away and deal with it.

In addition, Vectra triages threats and correlates them with compromised host devices. We can do a search based on the threat type and get the host. It streamlines things and makes it faster to get to the root cause of an issue.

And while it hasn't reduced the security analyst workload in our company, it has reduced the workload in that analysts are not having to look at stuff that absolutely means nothing. There is still a lot to do, but it has allowed us to focus better on the workload that needs to be done.

It has also increased our security efficiency. It has reduced the time it takes us to respond to attacks by 100 percent. If you're not aware of it you can't respond to it. Now, it's making us aware of it so we can respond to it, which is a 100 percent improvement.

The solution enables us to answer investigative questions that other solutions are unable to address. We will detect the fact that there is some suspicious domain activity going on — a DNS query is going out to MGAs and it really shouldn't be. The other systems are just passing that through, not even realizing that it shouldn't be happening. We see them and we can take action on them.

What is most valuable?

The dashboard gives us a scoring system that allows prioritization of detections that need attention. We may not necessarily be so concerned about any single detection type, or event, but when we see any botnet detections or brute force attack detections, we really want to get on top of those.

What needs improvement?

The solution's ability to reduce false positives wasn't very good, initially, because it was picking up so much information. It took the investment of some time and effort on our part to get the triage filters in place in such a fashion that it was filtering out the noise. Once we got to that point, then there was definitely value in time-savings and in percolating up the high-risk events that we need to be paying attention to.

I'd like to be able to get granular reports and to be able to output them into formats that are customizable and more useful. The reporting GUI is lacking.

For how long have I used the solution?

I've been using Vectra for three years.

What do I think about the stability of the solution?

The stability is excellent.

What do I think about the scalability of the solution?

We've had no issues so far with the scalability. Right now, it covers about 90 percent of our network. We are considering increasing the usage to incorporate it in the new cloud environments that we're standing up.

How are customer service and technical support?

Their technical support is excellent.

How was the initial setup?

I was not involved in the initial setup, but I was involved in a review of the setup when I took it over, to make sure that it is doing what it's supposed to be doing. The initial setup would have been straightforward, but it would have been very large.

The implementation strategy would have been to make sure that it got to all the places that it needed to be, and to work out a way to make that happen by getting the Ixia taps into the right locations in our enterprise.

In terms of staff from our side involved in deployment, it's web-based so there weren't a lot. Maintenance is ongoing from Vectra and they do it on the back-end. It just works. It's a black box for us.

What other advice do I have?

Take time to understand how the triage filtering works and standardize it early on. Use a standardized naming convention and be consistent.

It's a very effective tool, but if you don't pay attention to what it's telling you, then it's like anything else. If you don't use it, then it's no good. You have to trust that what it's telling you is correct and then you can take the appropriate action.

For the most part, the users who log into it in our company are people on the security operations team. It's pretty much a closed tool. Access is limited to the people in the security center of excellence.

In terms of the solution's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation, we don't use it that way. We've set up enough triage filters over the course of the last year-and-a-half to get all the noise out of the way; stuff that is either innocuous or really isn't bad. Then we're focusing on what's left, which is typically, for lack of a better term, the bad stuff or the stuff that we need to pay attention to.

Regarding the solution's privileged account analytics for detecting issues with privileged accounts, we've used it, but not to the extent that we would like to. We just don't have enough manpower to be able to do that at this point. But it's important because we can see when an account is doing something that it shouldn't be doing, or that it doesn't normally do, or that it's connecting to a place that it doesn't normally connect to, or that it's escalating its privileges unexpectedly. We see all that and then we can respond accordingly.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer1362528 - PeerSpot reviewer
Manager, IT Security at an energy/utilities company with 201-500 employees
Real User
Produces actionable data using automation reducing our security team's workload
Pros and Cons
  • "Vectra produces actionable data using automation. That has helped us. It's less manpower now to look at incidents, which has definitely increased efficiency. Right now, in a lot of cases, our mean time to detection is within zero days. This tells me by the time something happened, and we were able to detect it, it was within the same day."
  • "I would like to see a bit more strategic metrics instead of technical data. Information that I could show to my executive management team or board would be valuable."

What is our primary use case?

The Detect platform that we have is on-prem. We have what's called "the brain", then we have sensors placed in different key/strategic areas in the organization. It is helping us do a lot of the monitoring. We also have some SaaS offerings from the Recall platform, which look at some of the metadata, etc. If we were doing things like incident response, it gives us a bit more granular type of information to query. However, the Cognito Detect platform is all on-prem.

We are using the latest version.

How has it helped my organization?

We had a gap where we didn't necessarily have a managed service, which we do today, but at the time we needed something that would help us detect malicious behavior and anomalies within the organization. We found that Vectra solved this. We were able to find issues within minutes or hours of them occurring, then we were able to action them rather quickly.

Some of the metrics that we try to show from an incident response perspective are the effectiveness of our controls, like mean time to detection and mean time to remediate. E.g., mean time to detection shows how quickly the organization detects it from when it first occurred, then determines the remediation aspect as well. We take those numbers and correlate them back to how effective our tools are in our organization. Vectra's really helped in the sense that our mean time to detect is within zero the majority of the time, meaning that from the time we detect it to the time it occurred is within zero days. This promotes how effective our controls are.

When we get an alert, we're not wasting hours or so trying to determine if, "I need to find more logs. I need to correlate the data." We're getting actionable data that we are able to action on right away. I have found value in that.

We can find things quickly that users shouldn't have been doing in the organization. Simple things, e.g., all of a sudden we have a user who's exfiltrating a lot of gigs of data. Why are they doing that? We found value there. My very small team does not have to waste cycles on investigating issues when we get a good sense of exactly what is occurring fairly quickly.

We have the solution’s Privileged Account Analytics. We have seen detection on certain cases, and it's been good. It actually is a good feature. We already have an organizational approach to privileged accounts, so we have seen a few detections on it but haven't necessarily seen abuse of privilege because of the way our organization handles privilege management. We are an organization where users don't run with privilege. Instead, everybody runs with their basic user account access. Only those that need it have privileges, like our IT administrators and a few others, and those people are very few and far between.

If we are investigating something, we may be investigating user behavior. Using the metadata, we can find exactly, "What are all the sites he's going to? Is he exfiltrating any information? Internally, is he trying to pivot from asset to asset or within network elements?" Using that rich set of information, we can find pretty much anything we need now.

The solution provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just the internet gateway. It augments what we are doing within the organization now. Being able to discover/find everything that is occurring within the kill chain helps us dive down to find the root of the problem. It's been beneficial to us because that's a gap we've always had in the past. While we may have gotten an alert in a certain area, trying to find exactly where it originated from or how it originated was difficult. Now, by utilizing the information that Vectra produces, we can find exactly what the root cause is, which helps with discovering exactly how it originated in the first place.

With a lot of the detections or things that are happening, I would not say they're necessarily malicious. Where I find it very valuable is that it gives us an opportunity to understand exactly how users are sometimes operating as well as how systems are operating. In a lot of cases, we have had to go back and reconfigure things because, "Oh, this was not done." We realized that maybe systems were not set up correctly. I really liked this aspect of the solution because we don't like false positives. We don't want Vectra to produce things that are just noise, which is something that it doesn't do.

Vectra produces actionable data using automation. That has helped us. It's less manpower now to look at incidents, which has definitely increased efficiency. Right now, in a lot of cases, our mean time to detection is within zero days. This tells me by the time something happened, and we were able to detect it, it was within the same day.

What is most valuable?

It gives you a risk score of everything that you just found. The quadrant approach is useful because if there are things in the lower-left quadrant, then we don't necessarily need to look at them immediately. However, if there's something with a high impact and high risk score, then we will want to start looking at that right away. We found this very valuable as part of our investigative analysis approach.

The solution’s ability to reduce alerts by rolling up numerous alerts to create a single campaign for investigation is very good. Once it starts adding multiple detections, those are correlated to a campaign. Then, all of a sudden, this will increase the risk score. I've found that approach helps us with understanding exactly what we need to prioritize. I find it very useful.

The amount of metadata that the Recall solution produces is enormous. What we can find from that metadata is exceptional. Once you get to know how to use the tool, it's much simpler and more intuitive to use when finding information than using a traditional SIEM, where you have to build SQL type commands in order to retrieve data. So, I do find it very valuable.

What needs improvement?

I would like to see a bit more strategic metrics instead of technical data. Information that I could show to my executive management team or board would be valuable.

I would like to see some improvements on the integration aspects of it. They are getting better in this. However, most organizations have a plethora of cybersecurity solutions that they run, and I think that there is a bit more that could be done on the integration side.

For how long have I used the solution?

About four years.

What do I think about the stability of the solution?

The stability is good. I don't think we've ever had an issue with it at all. I don't think I've ever seen it misbehave, crash, or anything like that.

It is continuously updated. Whenever they release a new patch or updates, they push it to the brain (the centralized management).

What do I think about the scalability of the solution?

We have never seen an issue from a scaling perspective. It is not an issue for us.

We have a team of less than four people. We don't really have a Tier 1 or Tier 2. We just have people working in cyber.

There are areas where we would like to increase our capabilities. We have 100 percent visibility for anything leaving the organization. There are some areas within the organization where we would like to monitor some of the internal workings. One of the places where we are looking to expand is into our OT segment. We do have a path for where we would like to see this go.

How are customer service and technical support?

They are very competent and good. They are always able to solve problems.

Which solution did I use previously and why did I switch?

A few years ago when we were looking at this, we had a gap in the organization. We didn't have like a managed service offering. We had an on-prem SIEM, but we didn't have a large team so we didn't have resources fully dedicated to looking to see threats and correlating them with other event logs to see exactly what was occurring. The reason that we didn't have a managed server previously was cost. Therefore, we looked for alternative ways to solve the gap, lower the resource count, and be able to automate and integrate within our enterprise solutions.

How was the initial setup?

It was pretty straightforward. You can plug the appliances in, whether it is into a switch, router, or some other demarc point from a SPAN port, then you let it learn. That is it. There's nothing really you have to do.

Our deployment took days at most. Once you configure it, you just let the system learn. Usually, within a week, it starts to detect things. For it to be effective, it needs to know what the known baseline is.

You plug it in, let it learn, and it's up and running.

What was our ROI?

We saw ROI within the first six months due to the reduced impact on our staff, and we have been deploying it for years.

Vectra has absolutely reduced security analyst workload in our organization. This was the real thing that we were trying to find: How can we do this? With a small team, it is very hard. We have a small team with a large stock of solutions. Therefore, we were looking for the best way to reduce the amount of manual effort that's required for an individual. We've found Vectra has significantly reduced the workload by probably 200 percent for our staff.

Which other solutions did I evaluate?

We looked at NextGen traffic analysis type of solutions, like Darktrace. Then, we looked at Vectra. I found Vectra was a bit more intuitive. I think both products had some really good offerings. What really helped us make a decision was we were trying to find things that help us produce actionable items. I liked Vectra because the one thing it was trying to do is it was show you exactly what is happening in the kill chain. The whole premise behind it was, "These are things that are actually occurring in your network, and they're following a specific pattern." I really liked it because in my view it was very actionable and automated.

I don't want to have to spend cycles on unnecessary things. One thing I found with Darktrace was it produces a lot of good things, but it's too much in certain cases. Whereas, I like the way Vectra tells you exactly the things that are happening right now in your network, then groups it based on exactly what the type is, providing you a risk score.

Also, it did seem like it was like a resource built into a box with AI capabilities. I found that the amount of effort we have to spend on analysis from it is a low cost to us. Vectra just fit in well with my team mandate.

I found Darktrace was a bit noisier than Vectra. Sometimes, when you deal with products like this, the noise is time and effort that you may not necessarily have.

Once we started to do the PoCs, we ran Vectra in certain use cases with the sense of, "Okay, let us know exactly what's kind of going on within the network." What we found in a lot of cases is that these weren't just cybersecurity incidents that were occurring; Vectra gave us a good sense of how a lot of our solutions were operating. We ended up finding out, "This is exactly what this solution may be doing. Maybe there is a misconfiguration here or there."

What other advice do I have?

There was no complexity with Vectra; it is very simplistic. However, for the tool to be effective, you want to make sure that you place your sensors in appropriate places. Other than that, you let the tool run and do its thing. There's really no overhead.

I would probably rate it as a nine or 10 (out of 10). We have been extremely happy with the solution. It's been one of the best solutions we have in our enterprise. I would put it at the top of the list.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer1302852 - PeerSpot reviewer
Sr. Specialist - Enterprise Security at a mining and metals company with 5,001-10,000 employees
Real User
Scoring and correlation really help in focusing our security operations on critical issues
Pros and Cons
  • "The solution's ability to reduce alerts, by rolling up numerous alerts to create a single incident or campaign, helps in that it collapses all the events to a particular host, or a particular detection to a set of hosts. So it doesn't generate too many alerts. By and large, whatever alerts it generates are actionable, and actionable within the day."
  • "One thing which I have found where there could be improvement is with regard to the architecture, a little bit: how the brains and sensors function. It needs more flexibility with regard to the brain. If there were some flexibility in that regard, that would be helpful, because changing the mode of the brain is complex. In some cases, the change is permanent. You cannot revert it."

What is our primary use case?

Our main intention was to see what type of visibility, in terms of detections, Vectra could give us.

We use it on both our manufacturing perimeter and at the internet perimeter. That's where we have placed the devices. We have placed it across four sites, two in UAE and two outside UAE.

How has it helped my organization?

What we have seen over the course of the three to four months it has been in place is that it has not found anything bad. That's good news because nothing specific has happened. But we have identified a lot of misconfigurations as well as some information on how applications are working, which was not known earlier. The misconfigurations that became known because of Vectra have been corrected.

It has given us the opportunity to understand some of the applications better than we had understood them before because some of the detections required triage and, while triaging, or in that investigation, we found how applications work. That is one of the main benefits.

We did a red team penetration exercise and almost all the pen activities were picked up by Vectra. That is another big benefit that we have seen through the deployment of the device.

Apart from the network traffic, a lot of the privileged accounts get monitored. It focuses on the service, the machine, and the account. We have seen many of the privileged accounts flagged with alerts whenever they're doing any activity which they do not normally do. We can see that it is the admin accounts or our support team accounts where the activity is happening. It is important because any privileged access which sees increased activity becomes a cause for suspicion. It's something that we need to be watchful for. It's a very useful feature because a privileged account can propagate more easily than an account that is not privileged.

These are all examples of the kind of information which is of great value, information that we didn't have earlier.

The detections, as well as the host ratings, allow us to focus in cases where we are pressured for time and need to do something immediately. We can focus on the critical and high hosts, or on the detections that have a very high score. If you do a good job in the rules and policy configuration, the alerts are not too numerous. A person can easily focus on all the alerts. But as of now we focus on the critical, high, and medium. The scoring and the correlation really help in focusing the security operations.

While I wouldn't say Vectra AI has reduced our security analyst's workload, it allows him to focus. It's a new tool and it's an additional tool. It's not like we implemented this tool and removed another one. It doesn't necessarily reduce his total time, but what it definitely does is it allows him to prioritize more quickly. Previously, he would be looking at all the other tools that we have. Here, it allows him to focus so things of serious concern can be targeted much faster and earlier. The existing tools remain. But Vectra is something to help give more visibility and focus. In that sense, it saves his time. Vectra is very good for automated threat-hunting, so you get to pick out things faster. All the other tools give you a volume of data and you have to do the threat-hunting manually.

Also, the technical expertise required to do the hunting part is much less now, because the tool does it for you. I wouldn't say that it has moved work from tier 2 to tier 1, but both of them can use their time and efforts for resolving problems rather than searching for actual threats. You cannot do away with tier 2 people, but they can have a more focused approach, and the tier 1 people can do less. It reduces the work involved in all their jobs.

In addition, it has definitely increased our security efficiency. The red team exercise is a very clear-cut example of how efficiency has been enhanced, because none of the other tools picked these things up. Vectra was the only tool that did.

It makes our workforce more efficient, and makes them target the actual threats, and prioritizes their efforts and attention. Whether that eventually leads to needing fewer people is a different question. Quantifying it into a manpower piece is probably more an HR issue. But improved efficiency is definitely what it provides. If I needed three or four tier 2 people before, I can manage with one or two now.

And Vectra has definitely reduced the time it takes us to respond to attacks. It's a significant reduction in time. In some cases, the key aspect is that, more than saving time, it detects things which other tools don't. It helps us find things before they actually cause damage. The other tools are more reactive. If your IPS and your signatures are getting hit, then you're already targeted. What Vectra achieves is that it alerts us at the initial phase, during the pre-damage phase. During the red team exercise we had, it alerted us at their initial recon phase, before they actually did anything. So more than saving time, it helps prevent an attack.

What is most valuable?

The solution's ability to reduce alerts, by rolling up numerous alerts to create a single incident or campaign, helps in that it collapses all the events to a particular host, or a particular detection to a set of hosts. So it doesn't generate too many alerts. By and large, whatever alerts it generates are actionable, and actionable within the day. With the triaging, things are improving more and more because, once we identify and investigate and determine that something is normal, or that it is a misconfiguration and we correct it, in either of these two instances, gradually the number of alerts is dropping. Recently, some new features have been introduced in the newer versions, like the Kerberos ticketing feature. That, obviously, has led to an initial spike in the number of tickets because that feature was not there. It was introduced less than a month back. Otherwise, the tickets have been decreasing, and almost all the tickets that it generates need investigation. It has very rarely been the situation that a ticket has been raised and we found that it was not unique information.

Also, we have seen a lot of detections that are not related to the network. Where we have gained extra value in terms of the internet is during data exfiltration and suspicious domains access.

The detections focus on the host, and the host's score is dependent on how many detections it triggers. We have seen with many of our probing tools, without triaging, that these hosts pretty quickly come into the high-threat quadrant. Its intelligence comes from identifying vulnerable hosts along with the triaging part. That's something that we have seen.

What needs improvement?

One thing which I have found where there could be improvement is with regard to the architecture, a little bit: how the brains and sensors function. It needs more flexibility with regard to the brain. If there were some flexibility in that regard, that would be helpful, because changing the mode of the brain is complex. In some cases, the change is permanent. You cannot revert it. I would like to see greater flexibility in doing HA without having to buy more boxes just to do it.

Another area they could, perhaps, look at is with OT (operational technology) specifically. Vectra is very specific to IT-related threats. It really doesn't have OT in its focus. We are using another tool for that, but maybe that is another area they can consider venturing into.

It's being used by my team of four or five people. Once we hand it over to operations, then the team size will increase significantly. It will grow to about 10 to 15 people.

For how long have I used the solution?

We have been using Vectra AI for about four months.

What do I think about the stability of the solution?

Stability-wise, we've not had any issues, although it has only been three or four months. We had some slight bugs in there, bugs that were related to the triaging and how we used the conditions. But stability-wise, we've had no problem. 

There were some software issues, bugs, but then nothing major. There were minor cosmetic and syntax-based issues while raising the conditions. Apart from that, no issues with the stability.

What do I think about the scalability of the solution?

Currently we are in the process of expanding it to two more remote sites. One is in West Africa, in Guinea, and another one in the U.S. Those are more recent deployments, in place less than a month. We are in the process of creating the policies, and triaging, and investigations for those. That's ongoing. With those sites, the benefit realization is still pending because we just started the traffic loading.

The scalability part is where the architecture comes in. That's one of the areas for improvement that I would like to recommend. Unless you have dedicated brains doing anything other than brain functions, it doesn't become scalable. If you have a brain in mixed mode, your scalability is limited. Also, the brain's capacity gets reduced based on its function, so if it's in mixed mode, the capacity is less. If it's in brain mode, the capacity is more. If it's in sensor mode, the capacity is different. It makes scalability difficult. Unless you go for two big brains with your highest capacity device and then you keep adding.

When I spoke to our internal success team at Vectra, they mentioned that this is something that they're planning to fix in the near future with an upgrade.

How are customer service and technical support?

Whenever we have raised issues we have gotten timely responses. Getting support is fairly easy compared to some of the other technologies that we have. A simple email is sufficient to get attention from their support team. They have a remote access feature wherein we don't necessarily have to give a WebEx. We just simply enable the remote access on the device, and the remote team can log in, and have a look, and understand what the problem is.

How was the initial setup?

The problem was the architecture. Once we arrived at an architecture, it was simple. What takes time is to build the architecture plan because of the way the brains work. We had to agree on a design. Once you agree on the architecture, the implementation is pretty straightforward.

The initial architecture design took some time, a week or so. The implementation was done within a day.

Our implementation strategy was to have an HA setup for each site. We put two brains into mixed mode, but then we found out that if we put it in mixed mode, HA is not possible. So we set it up as a standby and we configured manual scripts to transfer the file from one brain to the other brain. That's how we are managing it now. If we want to go live on the standby brain, we just import the configuration and go live, if there is a failure.

It's a little bit of a manual process for us. If it has to be automated, I believe the brains cannot be in mixed mode. That was where we faced the initial problem, I mean, for the architecture part. So we have two brains configured in mixed mode and we have a couple of sensors on the OT side, sensors that are talking to these brains. The sensors are there in the OT connectivity, the active or standby firewalls, and this is repeated on the other site as well.

Two or three people are enough for the deployment. They should have a sound understanding of the network and an idea of how the architecture and the applications function. One person from the architecture team and one person from the network or security team are sufficient to understand how to get maximum utilization from Vectra.

What was our ROI?

In terms of visibility and security improvement, we have definitely seen a return on our investment.

What's my experience with pricing, setup cost, and licensing?

We have a one-year subscription that covers support and everything. There is no other overhead.

Which other solutions did I evaluate?

We evaluated Darktrace, in addition to Vectra, each in a PoC. We chose Vectra because the things that Vectra picked up were far more useful, and necessary from an enterprise point of view. Darktrace was a bit noisier.

What other advice do I have?

One thing we have learned using Vectra is that anomaly detection is a critical component of security; a non-signature-based technology is very critical. It helps pick up things that other tools, which are more focused on active threats, will miss. That is one major lesson that we have picked up from Vectra.

My advice would be that you need to focus, because the licensing is based heavily on IPs and area of coverage, although predominantly IPs. You need to have a very clear idea of what areas you want to cover, and plan according to that. Full coverage, sometimes, may not be practical because, since it's a detection tool, covering everything for large organizations is complicated. Focus on critical areas first, and then expand later on.

Also, the architecture part needs to be discussed and finalized early on, because there is a limited flexibility, depending on which model you choose to take.

The solution captures network metadata at scale and enriches it with security information, but the full realization of that will come with Cognito Stream, which we have yet to implement. Right now we are on Cognito Detect. Cognito Stream is something that we are working on implementing, hopefully within the next month or so. Once that comes online, the enriched metadata will have greater value. As of now, the value is there and it's inside Vectra, but we don't see that information — such as Kerberos tokens, or certificates, or what the encryption is — unless it leads to a detection. Only in that event do we currently see that information.

The Cognito Stream can feed into our SIEM and then we will have rich information about all the metadata which Vectra has in our data lake.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer1444719 - PeerSpot reviewer
Project Manager at a university with 1,001-5,000 employees
Real User
Straightforward solution with good support, visibility, and implementation
Pros and Cons
  • "It has helped us to organize our security. We get a better overview on what is happening on the network, which has helped us get quicker responses to users. If we see malicious activity, then we can quickly take action on it. Previously, we weren't getting an overview as fast as we are now, so we can now provide a quicker response."
  • "In comparison with a lot of systems I used in the past, the false positives are really a burden because they are taking a lot of time at this moment."

What is our primary use case?

We use it to monitor what is happening on our network, especially to protect our network from malicious activity.

We also have the sensor into Office 365, so we can also monitor everything that is happening in there.

At the moment, we use it to monitor all our endpoints.

How has it helped my organization?

The solution's Privileged Account Analytics for detecting issues with privileged accounts is critical for our organization. Because of risk, we scan our entire network. We have a lot of segmented networks where clients can almost do nothing. If we just look into everything, then sometimes there is a bit of noise. When you select your privileged hosts or accounts, you can see how many things are left over and which are the most critical that need to be solved as soon as possible.

It notifies us if our Office 365 has been compromised. Even after business hours, I get personal emails. This is a temporary solution because we are working on repetitive alerting, but that's a work in progress. We are working on an integration with our authentication system that will be able to detect an account or device. We want to automate that process so the account will be locked out for a period of time.

Vectra is a detection system on top of our protection system. We do a lot of protection on our network, but that protection is a configuration based on human interaction, where there can also be human faults or errors in the system. 

The solution captures network metadata at scale and enriches it with security information, e.g., we have sensors for Symantec antivirus and our virtual infrastructure. We are looking into extra sensors for enabling some things from Microsoft Defender. We integrated it into our Active Directory so we can do some user correlations, etc. It enriches the metadata on hosts and accounts, but that is mainly informative. It is good for us when making a final decision about some detections.

It has helped us to organize our security. We get a better overview on what is happening on the network, which has helped us get quicker responses to users. If we see malicious activity, then we can quickly take action on it. Previously, we weren't getting an overview as fast as we are now, so we can now provide a quicker response.

The visibility is much greater because of the behavior analysis and details that sometimes we have to put into it. On the firewall that we already have, sometimes we do manual lookups and check if everything is okay, then do research into it. Now, we put less effort into trying to manually do things to ensure that we have a good security model. We can see more how behavior changes with time, but that also requires us to put more time into the solution.

The solution gives us a baseline for users and their behaviors. We are able to establish which users have risky behaviors, then reach out to them and recommend better ways of doing things.

What is most valuable?

The hosts are critical hosts, which are really good when used to look up things as fast as you can because these could be very risky situations. Furthermore, within detections, we try to clean up a lot of things that are low in priority. It is the same thing for the accounts within Office 365: Everything that is critical has to be solved as fast as possible.

The triaging is very interesting because we can do more with less work. We have more visibility, without too many false positives. It is a work in progress because there are a lot of clients in the network, and everything has to be researched to see if it is valid, but most alerts and detections are solved with a bit of triaging.

The interface is very intuitive and easy to use. It gives a good overview, and it is important to understand what is happening on the network.

The integration within our virtualization infrastructure allows us to see the traffic that is going between virtual machines, even within our host. That gives us a lot more insights.

What needs improvement?

The solution’s ability to reduce false positives and help you focus on the highest-risk threats is mostly good. It is still a bit of a work in progress, but I can give feedback to the company from the help desk. There is follow-up from the Vectra team, who follow it closely. We can also give a lot of input to make it a still better product. It's already a very good product, but in comparison with a lot of systems I used in the past, the false positives are really a burden because they are taking a lot of time at this moment.

The Office 365 integration is still a pretty new feature. I also have seen some improvements, and they email us with every step in the improvement process. I think that this integration will grow.

Every area has room for improvement. Security is an ongoing process. It is important for Vectra to keep updating their system based on new behaviors.

We would like to see the combination of the cloud with on-premise, e.g., what's happening in the cloud versus what's happening in the on-premise situation. If there is a phishing mail in the cloud, then the phishing mail comes in and a colleague clicks on that mail. Normally, it would be blocked by the system. However, when it's not blocked, then there can be malware on the system locally. We think it's important to get the integration of what's happening on Office 365 with phishing mails. 

Sometimes, it is a bit noisy on the dashboard because all the systems are on one field. On the dashboard, we have a complete overview of high, medium, and low risks. However, it would be more interesting for us if they could split that dashboard into high, medium, and low devices. For example, there is a dashboard on a device with a complete overview specifically for high-risk.

For how long have I used the solution?

It has been operational for a few months.

What do I think about the stability of the solution?

It runs very smoothly. It is stable.

We haven't had any issues in regards to the stability or performance. The interface works very quickly. There is no latency on the traffic.

What do I think about the scalability of the solution?

It scales well. 

For end users, we have about 10,000. On the administrative side, there are five to 10 system admins who use the information from the system for configuration and monitoring tasks.

How are customer service and technical support?

The technical support is very good with fast responses. They reach out if they see there might be more questions. So, if you have a simple question, it could be that they elevate it to a more complex question to see what you really mean.

Seeing all the malware reaching out to C&C services from within our network, we reach out to those people via the help desk, and tell them, "Maybe you can scan this or that because those systems are managed by us." We get a lot of thanks from those people, who are often saying, "I did have some strange behavior on our systems, but I didn't know what it was. I wasn't doing anything about it, but thank you. It helps when you scan it, and the system is running better at the moment." In a completely unmanaged network with a lot of devices (bring your own device), it helps everybody.

The way that we can work with support to add feature requests is very interesting because it is an evolving world.

Which solution did I use previously and why did I switch?

We didn't have a solution like Vectra previously.

How was the initial setup?

The initial setup was completely straightforward. I didn't need any help. They delivered the device within the first weeks of COVID-19. The system is preconfigured from Vectra. I placed it in the server room, configured the network, and moved the Internet traffic out of the mailboxes, then I put it onto the network so it was visible. In 30 minutes to an hour, everything was running.

What was our ROI?

We can sleep better.

As long as there is no full cycle attack, we will earn our money back.

Efficiency increased. There is less technical work to be done to ensure that nothing is happening from threats. Now, the system gives us the transparency that we need.

The solution has reduced the time it takes us to respond to attacks. In the past, it was difficult to know if something was happening because we didn't have an overview. Now, we know it very quickly because we have an overview of what is happening.

What's my experience with pricing, setup cost, and licensing?

The pricing is high. 

Darktrace was also pricey.

Which other solutions did I evaluate?

We also evaluated Darktrace. We made a decision to stop testing Darktrace very early on, so it is difficult to compare to Vectra.

We chose Vectra because of the solution's simplicity; it is more straightforward. Also, we liked Vectra's support, visibility, and implementation. The solution comes to a conclusion within Vectra about some detections. It was easier to find the technical details which were interesting without looking too deep. The correlation was good too. At the end of the proof of a concept, Vectra added some extra features. However, for finding the way into the system, it took us a lot more time. 

We found that Vectra enables us to answer investigative questions that other solutions are unable to address. They provide a checklist regarding what we can do about detections. Because of this visibility, we don't have to do more investigations. 

We have other systems, like Office 365, which do behavior analysis and some signature behavior analysis. However, Vectra does not give that many false positives in comparison with other solutions. Also, we are now able to see the entire network and cloud.

What other advice do I have?

If you are looking into this type of solution and have the money, then you certainly need to look into Vectra.

The campaigns are interesting when looking at the beginning of a campaign. The scope of false positives is a real issue in a network that continuously has a lot of new hosts, but we can cope with it. We have given some feedback to the help desk regarding coping with this matter.

We hope that we can keep it so we don't see a complete lifecycle of an attack.

We are planning to use more features of the solution in the future, e.g., automation. We also want to integrate it with more advanced client security features.

I would rate this solution as an eight of 10. There is still a lot of development going on with it.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Head of Information Security at an outsourcing company with 1,001-5,000 employees
Real User
Enables us to understand what our normal traffic is, then pulls out the anomalies for us
Pros and Cons
  • "It has reduced the time it takes to respond to attacks. That comes back to the proactive point. It makes us able to lower down in the kill chain, we can react now, rather than reacting to incidents that happened, we can see an instant, in some cases, as it's being implemented, or as it's being launched."
  • "The false positives and the tuning side of it is something that could use improvement. But that could be from our side."

What is our primary use case?

Vectra AI sits across our entire estate. We have an outsource provider for a lot of our backend systems. It sits in theirs and it sits in our own estates. It's deployed across our other numerous offices across the country. It sits across our entire estate.

How has it helped my organization?

We don't have very much in the way of IDS or IPS on our estate, so we're relying on Vectra AI to do that sort of work for us. We're allowing that to look at our traffic and to flag up to us on our system. It helps my analysts investigate other things. We might get other alerts in the estate, Vectra AI is one of the first tools that they'll jump onto, to do further investigation of alerts that are raised up to them. It's a really good tool, not just for what it throws up, but for us to dig into our network as well.

What is most valuable?

What is pretty good is the unknown unknowns. It's the anomalies to the norm and the intelligence behind it that helps us to dig through a mountain of data and find the stuff that's important to us.

It allows us to understand what our normal traffic is, then pulls out the anomalies for us. For instance, a recent use case of it would be that it suddenly picked up that a file transfer was happening out of our estate that we weren't aware of. It hadn't been there before. There was a file transfer that suddenly appeared, that was actually in our estate that hadn't been there before. We would never have been able to see that normally, it's just that Vectra AI saw it. It was okay, it was going to a third-party and it allowed us to investigate it and find it but we would never have seen that without a notification. It understands what should be happening and then usually says "This isn't normal," and it allows us to flag it up and dig deeper into that.

It is very good at reducing alerts by rolling up numerous alerts to create a single incident or campaign for investigation. Although it doesn't reduce, it actually increases our alerts because we wouldn't have seen the stuff in the first place, but when it does create an alert, it pulls all investigative information together. We're not getting hundreds of alerts, we're getting alerts that contain all of the relevant components.

Vectra AI captures network metadata at scale and enriches it with security information. Although, we don't make the most of that, but we've never had a problem with its captures and it captures the correct data for what we want it to do. I think we could be using it better.

The information affects investigations by our security team by allowing them to be more effective and quicker in their investigations.

Vectra AI provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. Although, we found it's flagging up early, so it's not developing to that further stage of that because it's flagging up at an early stage.

Its ability to reduce false positives takes quite a bit of tuning. We've had to put a lot of effort into tuning out false positives, so that's something that we've had to invest our time into. Obviously it's getting better and better as time goes on, but we still have to spend time tuning it.

We've seen our tuning has lessened those processes, but we're still getting more than we would want. That's probably some of our fault. It could be some issues with the way it's set up in certain areas. But, once we tune them out, they're staying tuned out.

It hasn't reduced the security analyst workload in our organization but that was never the purpose of it for us. It's an additional tool in our armory, so it hasn't reduced our workload, but it's made us more efficient.

It makes the team more efficient in speed of response. I would say it makes them more efficient in the breadth of their coverage of what they can respond to. It makes us have a more proactive response to incidents.

It has reduced the time it takes to respond to attacks. That comes back to the proactive point. It makes us able to lower down in the kill chain. We can react now, rather than reacting to incidents that happened, we can see an instant, in some cases, as it's being implemented, or as it's being launched.

It's not all attacks, but I would say that it's a shift left on the kill chain. It's things that we might not even have spotted if it hadn't been for Vectra AI, so it's difficult to know how we would quantify that as an amount.

What needs improvement?

The false positives and the tuning side of it are some things that could use improvement but that could be from our side. 

I don't want to criticize the product for performance with our rollout of it. It does what it says it's going to do very well. We've got issues with the way we've deployed it in some places, but the support we've had in that is very good as well, so I'm very happy with the support we get.

For how long have I used the solution?

My company has been using Vectra AI for three years. I've been here for eight or nine months now, but the company has just been using it for three years.

What do I think about the stability of the solution?

We've had absolutely no issues with stability at all.

What do I think about the scalability of the solution?

Scalability is obviously based around the size of the clients that we have. We have had some issues around scalability, but that's only because of how it was implemented before my time; I know it is scalable. Obviously, we have to put some thought into that, some planning into that from our side, but it is limited by the size of the boxes. To summarize, yes, it is scalable, but it needs planning.

We have four users who use it in my company who are cybersecurity analysts.

Vectra AI is on everything apart from the cloud. Now we're on a journey towards more and more cloud. At least 70% of our company is covered by it.

We do have plans to increase usage. We want to move to the cloud. 

How are customer service and technical support?

The support is excellent. We've had really good technical support from Vectra AI all the time. We have very regular catch-ups with them. They always pick the right people to do the calls, and we even have deep-dive sessions with our analysts with them and provide us with training. They've been excellent.

Which solution did I use previously and why did I switch?

We didn't have anything in place before Vectra AI. 

I have used another solution in the past. I used Darktrace where I was before. It compares very favorably with Darktrace. I wouldn't say it was any better or worse.

The UI is quite different, but apart from that, there are obviously slight differences in the analytics behind it, but I'd be struggling to say that one of them was better than the other. They both seem to do what they do well. Vectra AI is a little bit more honest about their capabilities than Darktrace is.

I don't think Vectra AI enables us to answer investigative questions that other solutions are unable to address. I know that there are other solutions that could do it as well. They're as good as everything else out there, but I wouldn't go and say they're massively better. The thing that sells it for me is that the support has been very good. That's one of the bits that keeps me with them.

What was our ROI?

ROI depends on how you quantify that in security. It's really difficult to quantify what you find to a monetary value. We do see a return on investment because it's a good tool that we're using well and it's helping us to keep the company secure. It's really difficult to quantify a monetary value on that or say that you've got return on your investment. I wouldn't want to be without it. You can't put a price on security.

What's my experience with pricing, setup cost, and licensing?

They compare very favorably against the competition in terms of price. Nothing in this area is cheap. There is a lot of value in the products that you're buying, but they have come in at the right price for us in comparison to others. I would say that they're competitive in their pricing.

What other advice do I have?

My advice would be to make sure it is planned and deployed properly. That's a problem with my organization, not a problem with Vectra AI. Otherwise, if you don't build it to the specifications that you were told to, you're going to spend your whole life trying to fix a problem that shouldn't be there. My advice would be to plan, and implement as per the plan.

I would rate Vectra AI a nine out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
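The behaviour the first and third reviews above describe (many detections rolled up onto the host that produced them, a host score that rises with the number and severity of its detections, a high-threat quadrant that analysts work first, triage rules that silence known-normal behaviour, and related hosts grouped into one campaign) can be illustrated with a small scoring model. The block below is an added example written for this page; it is not Vectra's code and not its real scoring algorithm. The detection names, the (threat, certainty) weights, the quadrant thresholds and the sample events are all constructed for the illustration.

```python
"""Detection roll-up and host scoring, as a worked illustration (added example,
not Vectra's code). Each detection is attached to a host; the host gets a
threat score (worst detection dominates, breadth adds a little) and a certainty
score (independent evidence combined as 1 - prod(1 - c_i)); the pair places the
host in a quadrant; triage rules suppress (host, kind) pairs an analyst has
marked as normal; hosts that share a target form one campaign."""
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical per-detection-type weights: (threat, certainty) on a 0-100 scale.
WEIGHTS = {
    "port_scan": (20, 70),
    "smb_brute_force": (50, 60),
    "external_remote_access": (60, 40),
    "suspicious_domain": (40, 30),
    "data_exfil": (90, 50),
}


@dataclass(frozen=True)
class Detection:
    host: str       # host that exhibited the behaviour
    kind: str       # one of the WEIGHTS keys
    target: str     # what the behaviour was aimed at (host, subnet, domain, IP)
    count: int = 1  # repetitions inside the observation window


@dataclass
class HostIncident:
    host: str
    detections: list = field(default_factory=list)

    @property
    def threat(self) -> int:
        # The most severe detection dominates; each extra distinct behaviour adds 5.
        kinds = {d.kind for d in self.detections}
        worst = max(WEIGHTS[k][0] for k in kinds)
        return min(100, worst + 5 * (len(kinds) - 1))

    @property
    def certainty(self) -> int:
        # Treat every observation as independent evidence of compromise.
        miss = 1.0
        for d in self.detections:
            miss *= (1 - WEIGHTS[d.kind][1] / 100) ** d.count
        return round(100 * (1 - miss))

    @property
    def quadrant(self) -> str:
        high_t, high_c = self.threat >= 50, self.certainty >= 50
        if high_t and high_c:
            return "critical"
        return "high" if high_t else ("medium" if high_c else "low")


def roll_up(events, triage=frozenset()):
    """Group detections by host, dropping (host, kind) pairs triaged as normal."""
    incidents = {}
    for ev in events:
        if (ev.host, ev.kind) in triage:
            continue
        incidents.setdefault(ev.host, HostIncident(ev.host)).detections.append(ev)
    return incidents


def campaigns(incidents):
    """Union-find over hosts: shared targets, or a target that is itself a scored host."""
    parent = {h: h for h in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_target = defaultdict(list)
    for inc in incidents.values():
        for d in inc.detections:
            by_target[d.target].append(inc.host)
            if d.target in incidents:  # lateral movement toward a known host
                parent[find(inc.host)] = find(d.target)
    for hosts in by_target.values():
        for other in hosts[1:]:
            parent[find(hosts[0])] = find(other)

    groups = defaultdict(list)
    for h in incidents:
        groups[find(h)].append(h)
    return sorted(tuple(sorted(g)) for g in groups.values())


# Constructed sample detections for one observation window.
EVENTS = [
    Detection("ws-042", "port_scan", "10.0.5.0/24", count=3),
    Detection("ws-042", "smb_brute_force", "fs-01", count=2),
    Detection("ws-042", "external_remote_access", "203.0.113.7"),
    Detection("fs-01", "data_exfil", "203.0.113.7"),
    Detection("ws-017", "suspicious_domain", "cdn.example"),
]

if __name__ == "__main__":
    inc = roll_up(EVENTS)
    for h in sorted(inc, key=lambda h: (-inc[h].threat, -inc[h].certainty)):
        print(f"{h:8} threat={inc[h].threat:3} certainty={inc[h].certainty:3} {inc[h].quadrant}")
    print("campaigns:", campaigns(inc))
```

Run as-is, the scanning workstation and the file server it moved to land in the critical quadrant and are grouped into one campaign because they share an external target; the single suspicious-domain lookup stays low. Adding `("ws-017", "suspicious_domain")` to the `triage` set removes that host from the output entirely, which is the effect the reviews describe when known-normal behaviour is triaged and the alert count drops.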
reviewer1358853 - PeerSpot reviewer
Information Technology Security Engineer II at a mining and metals company with 10,001+ employees
Real User
Helps us focus on higher-level alerts while not bombarding us with alerts on lower-level activities
Pros and Cons
  • "One of the most valuable features is all the correlation that it does using AI and machine learning. An example would be alerting on a host and then alerting on other things, like abnormal behavior, that it has noticed coming from the same host. It's valuable because we're a very lean team."
  • "It does a little bit of packet capture on alert so you can look at the packet capture activity going on, but it doesn't collect a whole lot of data. Sometimes it's only one or two frames, sometimes it does collect more. That's why they have the addition of their Recall platform, because that really does help expand the capability."

What is our primary use case?

We use it as an intrusion detection system to monitor traffic that's going on within our network.

How has it helped my organization?

There was an event that happened before I started here, a ransomware event, and Vectra AI was able to quickly detect and alert on the activity. That greatly reduced the time it took for the company to respond to the incident.

Cognito provides visibility into behaviors across the full life cycle of an attack in the network, beyond just the internet gateway. By detecting everything before the internet gateway, it's able to get a fuller picture of what was going on before the target left the network. It greatly increases our ability to investigate events that occur.

The Vectra product also triages threats and correlates them with compromised host devices. As a result, it helps to reduce the time to respond to incidents.

In addition, it does a really good job of bringing the higher-level alerts to our attention while not bombarding us with alerts on lower-level activities that, I find, we don't usually need to investigate. When I first started using it I was investigating everything and I quickly learned the low-level threats, as shown by their scores, were low for a reason and they really didn't need to be looked at too closely.

I would estimate it has reduced our security analyst workload by around 30 to 40 percent. It has increased our security efficiency and has also reduced the time it takes us to respond to attacks by about 50 percent.

What is most valuable?

One of the most valuable features is all the correlation that it does using AI and machine learning. An example would be alerting on a host and then alerting on other things, like abnormal behavior, that it has noticed coming from the same host. It's valuable because we're a very lean team. It helps reduce workload on our team daily by performing tasks that we don't have to do manually.

It does a really good job of reducing alerts by rolling up numerous alerts to create a single incident or campaign for investigation.

It also does a really good job detecting things. Some things it detects are not really threats, but it is stuff that it should be detecting, even though the behavior, sometimes, isn't malicious.

What needs improvement?

It does a little bit of packet capture on alert so you can look at the packet capture activity going on, but it doesn't collect a whole lot of data. Sometimes it's only one or two frames, sometimes it does collect more. That's why they have the addition of their Recall platform, because that really does help expand the capability.

I would also like to see more documentation or user guides about using the product.

For how long have I used the solution?

I've been using Vectra AI for a little over one year, but it was in place at our location before I started working here.

What do I think about the stability of the solution?

We haven't had any issues other than one power supply failure, but there was a backup power supply and they sent the replacement quickly. Other than that, I haven't seen any issues with stability of the product.

What do I think about the scalability of the solution?

I haven't had any experience in scaling it out beyond what was set up before I started here.

We have about 1,600 employees on site, but I'm not sure how many devices that equates to. Each person has one or more devices. We're scaled out about as far as we can go.

I'm the only person using it directly in our company, as an IT security engineer II.

How are customer service and technical support?

They have very good tech support.

What was our ROI?

Our company definitely saw return on investment when it had the ransomware attack. They were able to stop it quickly. That was definitely a huge savings. Otherwise, the company was going to have to shut down production.

What's my experience with pricing, setup cost, and licensing?

I don't really have anything to compare it to, but I would assume the pricing is fair.

I believe they are licensing current devices or hosts. When I was last talking to a rep, we were having to go through a true-up process, but that hasn't started yet.

Which other solutions did I evaluate?

I have thought of evaluating other things, just for evaluation’s sake, but I haven't done so yet.

What other advice do I have?

It's helped me learn how to investigate alerts in a more efficient way.

It also captures network metadata at scale and enriches it with security information. Part of that I was able to witness using a proof of concept for the Cognito Recall platform, which collects all the metadata and then forwards it to an Amazon instance in the cloud. From there you can do a lot of correlation and you can do deep-dives into the data. That was also a really good product, and I would like for us to purchase it, but right now it doesn't look like that's going to happen.

Vectra will alert on activity going to some of our cloud providers, for example Microsoft OneDrive or Teams, but our systems won't really inspect on any type of SSL traffic, and it doesn't provide that much use for external communication that's encrypted. It's something we do not have set up and that's why we're not able to get that full visibility.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Przemyslaw Cichochki - PeerSpot reviewer
Security Consultant at a healthcare company with 10,001+ employees
Real User
Focuses on the internal network and is stable but needs one place to manage multiple brains
Pros and Cons
  • "I like the way that Vectra AI focuses on the internal network. Nowadays, most of the attackers are already inside, and they can be inside for many years before they start attacking. With normal monitoring, it's quite difficult to find them."
  • "What is most important for us is to have one place where we can manage a few brains because we are based on a zero-trust network. As a result, each customer needs to have a separate brain. For the SOC team, we need to have one place where the SOC analyst can go to visit the website and from that site manage all of the customers. Right now, Vectra AI doesn't have this capability, and I would really like to have this feature."

What is our primary use case?

We wanted to have an additional layer of protection. We have the standard IDSs and were looking for solutions that provide additional security features.

We are still in the deployment phase and hope to be in production mode soon.

What is most valuable?

I like the way that Vectra AI focuses on the internal network. Nowadays, most of the attackers are already inside, and they can be inside for many years before they start attacking. With normal monitoring, it's quite difficult to find them.

Vectra AI checks the behavior of the systems. It's much better than, for example, McAfee IDS, which also has some behavioral capabilities. With Vectra AI, it is possible to get some more hits.

What needs improvement?

What is most important for us is to have one place where we can manage a few brains because we are based on a zero-trust network. As a result, each customer needs to have a separate brain. For the SOC team, we need to have one place where the SOC analyst can go to visit the website and from that site manage all of the customers. Right now, Vectra AI doesn't have this capability, and I would really like to have this feature.

For how long have I used the solution?

We have been using it for almost two years.

What do I think about the stability of the solution?

So far, the stability of Vectra has been good compared to that of McAfee IDS. I really like the automatic updates because I am the security engineer and responsible for the tools. I have less work to do, which is really nice.

In the beginning, when we had less throughput, the stability was quite nice, but now, we are reaching 25 GB of throughput. The current device is only capable of 20 GB. I do see some slowness, but I believe that it will be solved by the new brain.

What do I think about the scalability of the solution?

To scale, you would need to know the data center and its average throughput to order the correct brain. We have around 13,000 IPs right now, but we're still growing. The only limitation I see with Vectra AI in terms of scalability is that we cannot have one place to manage all of the brains. Besides that, it's quite straightforward; at each site, we need to have a brain, a physical or virtual one.

How are customer service and support?

Regarding technical support, I am in direct contact with a few people at Vectra. I enjoy cooperating with them. However, it hasn't gone that well with a ticket I created. We had to contact them after waiting for a few weeks. Overall, I'd give technical support a five out of ten.

How would you rate customer service and support?

Neutral

How was the initial setup?

In the beginning, we had some problems because of a misunderstanding between my company and Vectra. During that time, it was quite challenging, but nowadays, everything is straightforward for us. For example, I'm planning the implementation of the new data center, and it's quite straightforward.

We have already deployed all of the sensors and brains. We are waiting for B101 because we need to have a bigger brain and also want to have one on standby. Once we receive the brains, we will deploy integrations with Vectra.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing are quite straightforward because they're based on IP licenses. As a result, they are easy to count.

What other advice do I have?

From a deployment and operations perspective, it's quite nice. Therefore, I'd give an overall rating of seven out of ten. However, I look forward to increasing the rating when we move into the production phase and see the real output from Vectra AI.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Vectra AI Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2025