What is our primary use case?
One of the reasons we went with this solution was because there is less that we have to customize; it's more commercial off the shelf. Therefore, my team can spend their time doing what's most beneficial for the university, which is protecting it, not upgrading custom software.
We use it to inspect and look for malicious, abusive, or other types of forbidden behavior with our north-south and east-west traffic. We not only look at traffic from our campus to the Internet, but we look at traffic internally in our network as it does network AI. It not only looks when a specific event happens, but whether, "Is this a normal event? Or is it normal for the host to do that?"
How has it helped my organization?
The Privileged Account Analytics for detecting issues with privileged accounts is very important because, like any organization, we have people from low-privileged, regular users all the way to administrators who have very high levels of privilege. Therefore, a regular student, on their own machine, may run Coinminer on it, which might be something that the student is experimenting with for higher ed. However, it's a very different use case when a staff user on their work issued machine is running it. Cognito will let us discover that very easily and contextualize it, "Is this really the criticality of an alert or a behavior?" It does this not only for the user, but it also lets us see through the DNS and machine name, whether it's a university asset, etc. Also, you can target those users who have a very high level of access by really enriching your analysis of alerts, such as, "I know that this administrative account does do PowerShell stuff because that's one of the main jobs of that sysadmin." Then, if I see that sort of PowerShell behavior from another account that I wouldn't expect it from, then that's a reason for concern.
The solution captures network metadata at scale and enriches it with security information. This provides us context upfront which helps us prioritize.
The solution provide visibility into behaviors across the full lifecycle of an attack in our network, beyond just the Internet gateway. It makes our security operations much more effective because we are now looking not just at traffic on the border, but we're looking at east-west internal traffic. Now, not only will we see if an exploit kit is being downloaded, but we would be able to see then if that exploit kit was then laterally distributed into our environment.
The solution’s ability to reduce false positives and help us focus on the highest-risk threats is very good. The additional context and ability to take other factors that we can feed into it, like our threat intelligence feed or the user identity, helps with running down whether behaviors are legitimate or pose a big risk. It also helps us eliminate false positives where appropriate, such as some of our system admins running PowerShell in a way that looks very suspicious if you saw it from a regular user.
It has reduced the type of analysis needed to run down and get to the bottom of what's really happening. On the flip side, it doesn't miss as much as a human only or more signature oriented approach would. While I don't want to give a false impression that it's going to result in less work, I think the work that we're doing is more efficient. We can do a lot more to protect, because we're able to react and look at what's important. It may not directly translate into, "Oh, well we spend less time on threat hunting and investigating a suspicious behavior," but we're seeing what we need to look at more effectively.
It's easier to get an analyst up to speed and be effective. The solution has helped move approximately 25 percent of the work from our Tier 2 to Tier 1 analysts.
What is most valuable?
I find the network artificial intelligence and machine learning to be most valuable because we have also significantly increased the amount of traffic that we inspect. This has kind of lowered the burden of creating ways to drink from that fire hose of data. The artificial intelligence and machine learning help bubble up to the top things that we should go look at which are real deviations from the norm.
I would assess the solution’s ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation very highly. Rather than relying on signatures and a human to look if, "Host X has hit these four different signatures," which is probably an indicator of a fairly high confidence that something's not right, the analytics, artificial intelligence, and machine learning in this product tie those events together. It also looks for new events that are out of the ordinary, then gathers those together and tells us to look at specific hosts. This is rather than an analyst having to sift through a bunch of signature hits, and say, "Oh, this host needs to be looked at."
Also, there is a much lower operational burden of maintenance. We used to use open source monitoring tools, which are very good, but they take a lot of work to maintain and leverage. We really like the commercial off the shelf type of approach of the software, not brewing our own.
What needs improvement?
Some of their integrations with other sources of data, like external threat feeds, took a bit more work than I had hoped to get integrated. I think the company has been very responsive, willing to take our feedback, and look at addressing our concerns.
I have asked that they give direct packets capabilities.
For how long have I used the solution?
What do I think about the stability of the solution?
It is very stable and easy to maintain compared to the Linux open source solution that we previously used for a long time.
Maintaining the solution isn't even a full FTE, probably more like a quarter. We have to coordinate if we want to get more data into it, as there are some integrations that we do with our threat intelligence feed from our ISAC.
What do I think about the scalability of the solution?
We have talked to several other customers who have much larger environments than ours, so it is very scalable. We have applied it in excess of probably 20,000 devices. We have probably 50,000 to 60,000 active users who might see traffic from it. We have hundreds of thousands in our directory total, but some of those are alumni or adjunct faculty, so they may not be active all the time. We have on order of 700 servers and hundreds of applications. We're not huge, but we're not tiny.
One of the things that is really exciting about partnering with Vectra is they have solutions for the cloud, both Azure and AWS. This will get us that same type of visibility we're getting now with things on our physical campus using cloud services. This is probably where our increased usage will be concentrated on.
How are customer service and technical support?
Vectra's technical support is very good.
Which solution did I use previously and why did I switch?
We switched from an open source solution to Cognito because there was a lower operational maintenance burden and it provided more visibility into our environment. It also has more analysis and initial triage done by the network AI and machine learning.
Vectra enables us to answer investigate questions faster than our open source solutions previously did.
How was the initial setup?
The initial setup was straightforward.
Our initial deployment with north-south and a bit of east-west for our first virtual sensor probably took two to three days at most.
Long-term, we now have it deployed on every VMware server that is in our environment and it's monitoring probably 500 to 600 inter-server communications (between different servers). That took a little longer because we had to first work with our colleagues here onsite. It wasn't an issue with Vectra. It just took time and we had to arrange some work with internal partners. We did the reference and first setup in a day.
For our implementation strategy, we turned up north-south visibility immediately and brought up a single virtual sensor for our VMware environment. Then, after three months, we revisited it with a team who operates VMware and their servers. We made sure they were comfortable with the resource demands and how well the solution was working. Finally, we were able to have them turn it on for all the VMware servers.
What about the implementation team?
We had very knowledgeable people from the vendor work with our networking group to get the correct traffic to its sensors. This was done remotely/virtually, but it was done very well.
What was our ROI?
Hopefully, this is a sunk cost. We are mitigating risk. We are not expecting to make money on this solution.
The solution has reduced the time it takes us to respond to attacks by approximately 20 percent.
Which other solutions did I evaluate?
We looked at some of Vectra's competitors. We had Snort and also used Bro. We also used Argus and NetFlow collector. Therefore, we looked at what were the products out there that could sort of replicate the things we were doing with a commercial off the shelf product that had artificial intelligence, but not open source.
We looked at Corelight, which was more grow only. We also looked at ExtraHop.
We didn't do a formal RFP with this one. We developed some relationships with the management at Vectra, who really wanted to partner with us. We looked at their technology and other competitors in the area, then decided it was a worthwhile (based on their commitment) for us to work with them.
Usually, I'll go to the Gartner Security & Risk Summits and look around at what different vendors are coming out with. That's a very useful venue for learning about new vendors.
What other advice do I have?
We don't have that big of a cloud presence yet. However, the solution would correlate behaviors in our enterprise network and data centers with behaviors we see in our cloud environment because part of our east-west visibility includes our dedicated connections to cloud instances. If it goes over to our commodity Internet, it should see it there too.
I would rate this solution as an eight point five (out of 10).
All opinions in this review are my own.
Which deployment model are you using for this solution?