network detection and response...native integration into existing workflows. not just an api....
TRANSCRIPT
Network Detection and Response
Paolo Lauretti, Channel Manager – South Europe, +33 6 08 69 82 [email protected]
This is Vectra.
Hundreds of global customers.
Dozens of five-star ratings.
Highly recommended.
Vibrant cybersecurity community.
Created by security professionals for security professionals. Our core team consists of security researchers, data scientists, platform engineers, and UI designers.
Recognized innovator and industry leader.
97% on Gartner
Red Herring Global 100 Winner
Deloitte 500 fastest growing technology
Approved for CDM Phase 3 DEFEND
Computing Security Awards
IDC Innovators: AI Security Solutions
CyberSecurity Breakthrough Awards
Only visionary in 2018 MQ for IDPS
Technology innovator by EMA research
Visionary innovation by Frost and Sullivan
Vectra stops incidents from becoming breaches.
Gaps in today’s approach to network security
Two axes: Relevance (detects what matters) and Visibility (provides a complete record of what happened)
• IDS: Signature only; No historical data
• SIEM: Limited E-W; Limited fidelity
• Netflow: Simple anomalies; Low fidelity
• Network Forensics: Deep but narrow visibility; Slow investigation
What is needed:
The right data (High fidelity, Security enriched, 360 deg view) + Analyzed the right way (AI detections, Security-targeted context, ML Enrichment) = Continuous compromise awareness
The modern SOC is anchored to the network.
All statements in this report attributable to Gartner represent Vectra’s interpretation of data, research opinion or viewpoints published as part of a syndicated subscription service by Gartner, Inc., and have not been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of the date of this presentation). The opinions expressed in Gartner publications are not representations of fact, and are subject to change without notice.
Source: Applying Network-Centric Approaches for Threat Detection and Response, March 2019, ID Number: G00373460
SOC Visibility Triad
Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.
Detects attacker behaviors across the kill chain
Botnet Monetization
• Abnormal Web or Ad Activity
• Cryptocurrency Mining
• Brute-Force Attack
• Outbound DoS
• Outbound Port Sweep
• Outbound Spam
Command and Control
• External Remote Access
• Hidden DNS Tunnel
• Hidden HTTP/S Tunnel
• Multi-homed Tunnel
• Suspicious Relay
• Suspect Domain Activity
• Malware Update
• Peer-to-Peer
• Pulling Instructions
• Suspicious HTTP
• TOR Activity
• Threat Intel Match
Reconnaissance
• Internal Darknet Scan
• Port Scan
• Port Sweep
• SMB Account Scan
• Kerberos Account Scan
• File Share Enum
• Suspicious LDAP Query
• RDP Recon
• RPC Recon
Lateral Movement
• Privilege Anomaly (multiple)
• Suspicious Remote Exec
• Suspicious Remote Desktop
• Suspicious Admin
• Shell Knocker
• Automated Replication
• Brute-Force Attack
• SMB Brute-Force
• Kerberos Brute Force
• Kerberos Server Activity
• Ransomware File Activity
• SQL Injection Activity
Exfiltration
• Data Smuggler
• Smash and Grab
• Hidden DNS Tunnel
• Hidden HTTP/S Tunnel
Security must evolve with the network.
Visibility into cloud environments
Solutions that balance visibility with efficiency
Identify lateral movement and data exfil
Eliminate alert fatigue
Behaviors not signatures
Security begins with the underlying network data.
1 Capture: Capture data everywhere without agents.
2 Enrich: Pair data science and security research to enrich the data.
3 Apply: Flexibly apply data to your use case.
Sensors deployed across cloud, data center and enterprise. Custom flow engine extracts relevant metadata from traffic. Ingest external data sources.
Public Cloud, Managed and Unmanaged Devices, Data Center
1 Capture data everywhere without agents.
Deploy Vectra Cognito
• 360° visibility to identify attacks quickly
• Passive deployment on a TAP or SPAN port
• Physical or virtual sensors
• Scalable and suited to large environments
Users and devices
Remote locations
Data center
Cloud
2 Enrich data by pairing research and science.
Data scientists and security researchers build and continually tune self-learning behavioral models that enrich metadata with machine learning-derived security information.
Security Research: Fundamental attacker behaviors sourced from securing the world’s most sensitive assets
Data Science: Team of PhD data scientists who codify behaviors across unsupervised, supervised and deep learning models
Security Analyst in Software: 92% of the MITRE ATT&CK framework; Security enrichments (e.g. privilege)
Automate Tier-1 activities: 34X workload reduction
Metadata Enrichment
Physical, virtual, and cloud sensors
Metadata types: conn, ssl, x509, dns, rdp, kerberos, ldap, ntlm, dcerpc, dhcp, smb, http
Record of what happened
Security-targeted context
Use Cases
Threat Investigation
• Investigate a phishing attack
• Understand the blast radius of an incident
Threat hunting
• Hunt for recently published IoCs
• Build custom models for industry-specific attack vectors
Compliance
• Look for usage of SMBv1
• Discover weakness in your SSL posture
Built by threat hunters, for threat hunters
Host context: Host ID, Group, Score, Host Privilege
Security Insights: Connection rarity, IP / Domain rarity, JA3 / JA3s rarity, Beacons, User Agent rarity, Web clusters
Account context: Account privilege, Service privilege
Powered by security enrichments
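The security insights listed above (connection rarity, JA3 / JA3s rarity, User Agent rarity, beacons) are enrichments computed over the same conn/ssl/http metadata named on the earlier slide. The following is an added illustration, not Vectra code, of how rarity and beacon scores can be derived from such records. The record field names are modelled on Zeek-style conn/ssl/http logs, the sample records are constructed, and the thresholds (minimum connection count, maximum coefficient of variation of the inter-arrival times) are assumptions chosen for the example.

```python
"""Rarity and beacon scoring over network metadata (added example, not Vectra code)."""
from collections import defaultdict
from statistics import mean, pstdev


def _rec(ts, orig_h, resp_h, ja3, user_agent):
    # Field names are modelled on Zeek conn/ssl/http logs (an assumption of this example).
    return {"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
            "ja3": ja3, "user_agent": user_agent}


def sample_records():
    """Constructed sample: nine workstations plus one periodically calling-out host."""
    recs = []
    # Nine workstations reach the same CDN at irregular times with a common browser JA3.
    for i in range(9):
        host = f"10.0.0.{10 + i}"
        for ts in (17 * i + 3, 17 * i + 41, 17 * i + 250):
            recs.append(_rec(ts, host, "198.51.100.20",
                             "JA3-BROWSER-COMMON", "Mozilla/5.0 (constructed)"))
    # One host contacts an external address every 60 s with a JA3 no other host presents.
    for n in range(8):
        recs.append(_rec(1000 + 60 * n, "10.0.0.5", "203.0.113.7",
                         "JA3-RARE-CLIENT", "python-requests/2.x (constructed)"))
    return recs


def rarity(records, field):
    """Rarity of each value of `field`: share of hosts that never presented it.

    1.0 would mean no host presented the value; a value seen on one of ten hosts scores 0.9.
    """
    hosts = {r["orig_h"] for r in records}
    seen_by = defaultdict(set)
    for r in records:
        seen_by[r[field]].add(r["orig_h"])
    return {value: 1 - len(h) / len(hosts) for value, h in seen_by.items()}


def beacon_candidates(records, min_count=5, max_cv=0.2):
    """Flag (orig_h, resp_h) pairs whose inter-arrival times are regular enough to look like beaconing.

    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps between
    connections; thresholds are assumptions of this example, not tuned production values.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["orig_h"], r["resp_h"])].append(r["ts"])
    found = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        deltas = [b - a for a, b in zip(times, times[1:])]
        avg = mean(deltas)
        cv = pstdev(deltas) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            found[pair] = {"count": len(times), "period": avg, "cv": cv}
    return found


def triage(records):
    """Per-host summary an analyst could sort by: highest JA3 / UA rarity and beacon flag."""
    ja3_r = rarity(records, "ja3")
    ua_r = rarity(records, "user_agent")
    beacons = beacon_candidates(records)
    scores = {}
    for r in records:
        h = r["orig_h"]
        s = scores.setdefault(h, {"ja3_rarity": 0.0, "ua_rarity": 0.0, "beacon": False})
        s["ja3_rarity"] = max(s["ja3_rarity"], round(ja3_r[r["ja3"]], 3))
        s["ua_rarity"] = max(s["ua_rarity"], round(ua_r[r["user_agent"]], 3))
        if (h, r["resp_h"]) in beacons:
            s["beacon"] = True
    return scores


if __name__ == "__main__":
    for host, s in sorted(triage(sample_records()).items(),
                          key=lambda kv: (kv[1]["beacon"], kv[1]["ja3_rarity"]), reverse=True):
        print(host, s)
```

On the constructed sample, only 10.0.0.5 is flagged: its JA3 and User-Agent rarity are 0.9 (seen on one of ten hosts) and its eight connections to 203.0.113.7 have a coefficient of variation of 0.0. Rarity is computed over hosts rather than over connections so that a single noisy host cannot make its own value look common.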
3 Apply the data to any of your use cases.
Directly interact with security-enriched network metadata or use SOC-based tools to automate detection and response.
Build effective security models
Meet compliance requirements
Identify theft of data
M&A hygiene
Secure cloud workloads
Identify lateral movement
Identify ransomware
Cognito Stream: Send security-enriched metadata to data lakes and/or SIEM
Cognito Recall: Investigate and hunt in a cloud-based application
Cognito Detect: Detect and prioritize hidden threats at speed using AI
Custom correlation
Intelligence-driven threat hunting
Accelerate investigations
Compromise of privileged accounts
Alert fatigue
Identify the earliest stages of an attack
The ultimate network detection and response platform.
Cognito platform
Cognito Recall: Investigate and hunt in a cloud-based application
Cognito Stream: Send security-enriched metadata to data lakes and/or SIEM
Cognito Detect: Detect and prioritize hidden threats at speed using AI
• Cloud, user, datacenter
• Security-enriched
• Real time and historical
• Scalable architecture
Vectra for IaaS – supports AWS and Azure
Hybrid & Multi-cloud
Comprehensive coverage and single-pane of glass across on-prem and multi-vendor clouds
Diagram labels: Corporate data center; AWS Workloads (VPC, Sensor); AWS Management Cloud (CloudWatch, SecurityHub); DirectConnect; Transit GW; Azure Workloads (VNet, Sensor); ExpressRoute; Brain; Stream to AWS ELK; Recall
Know now with Cognito Detect for Microsoft 365
Find attacker behaviors in Microsoft 365
• Infiltration and elevation: Brute force, adding users and privileges to groups, staging malware, etc.
• Reconnaissance: accessing files in unusual ways; listing users, files, and shares, etc.
• Persistence and evasion: installing apps to keep access, changing policy and logging, turning off DLP, etc.
• Exfil and destruction: creating mail sinks, sharing and downloading files, etc.
Easy to start:
• 100% SaaS
• 15-minute onboarding
Gain insight quickly:
• Regular reports
• Help from Vectra Consulting Analysts
• Free service runs through May 31, 2020*
Cognito Detect for Microsoft 365 Early Access program
Vectra-owned/-managed
Daily Reports
Vectra Services
Detect for M365 Early Access
* Option to join Beta program after May 31, 2020
Simple onboarding process
Information we need from you
• Choice of cloud location: EU or US
• Domain of the Microsoft 365 Admin who will authorize Vectra access
Actions for Microsoft 365 Admin
• Follow the URL to install the Vectra Microsoft 365 sensor App
• Authenticate to Microsoft 365
• Grant consent to Vectra for two privileges: ActivityFeed.Read and ActivityFeed.ReadDLP
Vectra provides the URL to the sensor App
Native integration into existing workflows.
Not just an API. Comprehensive API augmented by tools and user community. Enables rich integration of the Cognito platform with your technology stack.
Enforce
Investigate
Respond
Infrastructure
Partner Portal https://partners.vectra.ai/English/Authorized/home.aspx
Demo Portal https://partners.vectra.ai/English/Authorized/sales-tools/access-demo-instance.aspx
Thank You !