Network Detection and Response. Native integration into existing workflows. Not just an API.


Posted on 25-Aug-2020


Page 1: Network Detection and Response...Native integration into existing workflows. Not just an API. Comprehensive API augmented by tools and user community. Enables rich integration into
Page 2

Network Detection and Response
Paolo Lauretti, Channel Manager – South Europe
+33 6 08 69 82 [email protected]

Page 3

This is Vectra. Hundreds of global customers.

Dozens of five-star ratings.

Highly recommended.

Vibrant cybersecurity community.

Created by security professionals for security professionals. Our core team consists of security researchers, data scientists, platform engineers, and UI designers.

Recognized innovator and industry leader.

97% on Gartner

Red Herring Global 100 Winner

Deloitte 500 fastest growing technology

Approved for CDM Phase 3 DEFEND

Computing Security Awards

IDC Innovators: AI Security Solutions

CyberSecurity Breakthrough Awards

Only visionary in 2018 MQ for IDPS

Technology innovator by EMA research

Visionary innovation by Frost and Sullivan

Page 4

Vectra stops incidents from becoming breaches.

Page 5

Gaps in today's approach to network security

The right data (high fidelity, security enriched, 360-degree view) + analyzed the right way (AI detections, security-targeted context, ML enrichment) = continuous compromise awareness.

Existing tools plotted against relevance and visibility:

• IDS: signature only; no historical data
• SIEM: limited east-west visibility; limited fidelity
• Netflow: simple anomalies; low fidelity
• Network forensics: deep but narrow visibility; slow investigation
• What is needed: detects what matters; provides a complete record of what happened

Page 6

The modern SOC is anchored to the network.

SOC Visibility Triad

"Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents."

Source: Applying Network-Centric Approaches for Threat Detection and Response, March 2019, ID Number: G00373460

All statements in this report attributable to Gartner represent Vectra's interpretation of data, research opinion or viewpoints published as part of a syndicated subscription service by Gartner, Inc., and have not been reviewed by Gartner. Each Gartner publication speaks as of its original publication date (and not as of the date of this presentation). The opinions expressed in Gartner publications are not representations of fact, and are subject to change without notice.

Page 7

Detects attacker behaviors across the kill chain

Botnet Monetization
• Abnormal Web or Ad Activity
• Cryptocurrency Mining
• Brute-Force Attack
• Outbound DoS
• Outbound Port Sweep
• Outbound Spam

Command and Control
• External Remote Access
• Hidden DNS Tunnel
• Hidden HTTP/S Tunnel
• Multi-homed Tunnel
• Suspicious Relay
• Suspect Domain Activity
• Malware Update
• Peer-to-Peer
• Pulling Instructions
• Suspicious HTTP
• TOR Activity
• Threat Intel Match

Reconnaissance
• Internal Darknet Scan
• Port Scan
• Port Sweep
• SMB Account Scan
• Kerberos Account Scan
• File Share Enum
• Suspicious LDAP Query
• RDP Recon
• RPC Recon

Lateral Movement
• Privilege Anomaly (multiple)
• Suspicious Remote Exec
• Suspicious Remote Desktop
• Suspicious Admin
• Shell Knocker
• Automated Replication
• Brute-Force Attack
• SMB Brute-Force
• Kerberos Brute Force
• Kerberos Server Activity
• Ransomware File Activity
• SQL Injection Activity

Exfiltration
• Data Smuggler
• Smash and Grab
• Hidden DNS Tunnel
• Hidden HTTP/S Tunnel

Page 8

Security must evolve with the network.

• Visibility into cloud environments
• Solutions that balance visibility with efficiency
• Identify lateral movement and data exfiltration
• Eliminate alert fatigue
• Behaviors, not signatures

Page 9

Security begins with the underlying network data.

1. Capture: capture data everywhere without agents.

2. Enrich: pair data science and security research to enrich the data.

3. Apply: flexibly apply data to your use case.

Page 10

1. Capture data everywhere without agents.

• Sensors deployed across cloud, data center and enterprise
• Custom flow engine extracts relevant metadata from traffic
• Ingest external data sources

Diagram labels: Public Cloud; Managed and Unmanaged Devices; Data Center.

Page 11

Deploy Vectra Cognito

• 360° visibility to identify attacks quickly
• Passive deployment on a TAP or SPAN port
• Physical or virtual sensors
• Scalable and suited to large environments

Diagram labels: Users and devices; Remote locations; Data center; Cloud.

Page 12

Page 13

2. Enrich data by pairing research and science.

Data scientists and security researchers build and continually tune self-learning behavioral models that enrich metadata with machine learning-derived security information.

Security Research: fundamental attacker behaviors sourced from securing the world's most sensitive assets.

Data Science: team of PhD data scientists who codify behaviors across unsupervised, supervised and deep learning models.

Security Analyst in Software: 92% of the MITRE ATT&CK framework; security enrichments (e.g. privilege); automate Tier-1 activities: 34X workload reduction.

Page 14

Metadata Enrichment

Physical, virtual, and cloud sensors produce protocol metadata: conn, ssl, x509, dns, rdp, kerberos, ldap, ntlm, dcerpc, dhcp, smb, http.

Record of what happened. Security-targeted context.

Use Cases

• Threat investigation: investigate a phishing attack; understand the blast radius of an incident
• Threat hunting: hunt for recently published IoCs; build custom models for industry-specific attack vectors
• Compliance: look for usage of SMBv1; discover weakness in your SSL posture

Built by threat hunters, for threat hunters.

Host context: HostID, Group, Score, Host Privilege.

Security Insights: connection rarity, IP / domain rarity, JA3 / JA3s rarity, beacons, User-Agent rarity, web clusters.

Account context: account privilege, service privilege.

Powered by security enrichments.
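The slide lists the enrichments (connection, IP and JA3 rarity, beacons) and the compliance use cases (SMBv1 usage, SSL posture) without showing how they are derived from protocol metadata. The following is an added example, not Vectra's code or the Cognito platform's logic: it computes those enrichments over a handful of constructed Zeek-style conn/ssl/smb records. The record layouts, field order and thresholds are assumptions for illustration; the SMBv1 dialect strings and Zeek TLS version labels are real.

```python
"""Security enrichment over constructed Zeek-style network metadata.

Added example, not Vectra's code. Record tuples are modelled loosely on
Zeek conn/ssl/smb logs; the field order is an assumption made here.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample metadata (not captured traffic). `ts` is seconds since epoch.
CONN = [  # (src, dst, dst_port, ts)
    ("10.0.0.5", "203.0.113.9", 443, 1000.0),     # ~60 s cadence to one host
    ("10.0.0.5", "203.0.113.9", 443, 1060.5),
    ("10.0.0.5", "203.0.113.9", 443, 1119.8),
    ("10.0.0.5", "203.0.113.9", 443, 1180.2),
    ("10.0.0.5", "203.0.113.9", 443, 1240.1),
    ("10.0.0.5", "198.51.100.20", 443, 1010.0),   # popular destination
    ("10.0.0.6", "198.51.100.20", 443, 1200.0),
    ("10.0.0.7", "198.51.100.20", 443, 1300.0),
    ("10.0.0.7", "198.51.100.20", 443, 1900.0),
    ("10.0.0.7", "198.51.100.20", 443, 1950.0),
]
SSL = [  # (src, dst, version, ja3)  -- version labels follow Zeek's ssl.log
    ("10.0.0.5", "203.0.113.9", "TLSv10", "e7d705a3286e19ea42f587b344ee6865"),
    ("10.0.0.5", "198.51.100.20", "TLSv12", "aa56c057ad164ec4fdcb7a5a283be9fc"),
    ("10.0.0.6", "198.51.100.20", "TLSv12", "aa56c057ad164ec4fdcb7a5a283be9fc"),
    ("10.0.0.7", "198.51.100.20", "TLSv13", "aa56c057ad164ec4fdcb7a5a283be9fc"),
]
SMB = [  # (src, dst, negotiated dialect)
    ("10.0.0.6", "10.0.0.50", "NT LM 0.12"),   # an SMBv1 dialect
    ("10.0.0.7", "10.0.0.50", "SMB 3.1.1"),
]

# Dialect names negotiated by SMBv1 clients (RFC-free, from the CIFS/SMB spec).
SMB1_DIALECTS = {"PC NETWORK PROGRAM 1.0", "LANMAN1.0", "LM1.2X002",
                 "LANMAN2.1", "NT LM 0.12"}
# Protocol versions generally considered weak for the SSL-posture check.
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}


def rarity(records, src_index, value_index):
    """Rarity of each value: share of distinct sources that never used it.

    1.0 would mean no source used it; a value every source uses scores 0.0.
    Works for destination IPs (conn) and JA3 hashes (ssl) alike.
    """
    sources = {r[src_index] for r in records}
    seen_by = defaultdict(set)
    for r in records:
        seen_by[r[value_index]].add(r[src_index])
    return {v: round(1 - len(s) / len(sources), 3) for v, s in seen_by.items()}


def detect_beacons(conn, min_count=4, max_cv=0.1):
    """Flag (src, dst, port) tuples whose inter-arrival times are regular.

    Regularity is measured as the coefficient of variation of the gaps
    between connections; a low value means a steady, timer-like cadence.
    Returns (key, mean_gap_seconds, cv) for each flagged tuple.
    """
    times = defaultdict(list)
    for src, dst, port, ts in conn:
        times[(src, dst, port)].append(ts)
    hits = []
    for key, ts_list in times.items():
        if len(ts_list) < min_count:
            continue  # too few observations to call it periodic
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        cv = pstdev(gaps) / mean(gaps)
        if cv <= max_cv:
            hits.append((key, round(mean(gaps), 1), round(cv, 3)))
    return hits


def smbv1_users(smb):
    """Hosts that negotiated an SMBv1 dialect (the SMBv1 compliance use case)."""
    return sorted({src for src, _dst, dialect in smb if dialect in SMB1_DIALECTS})


def weak_tls(ssl):
    """(src, dst, version) for sessions negotiated below TLS 1.2."""
    return [(src, dst, ver) for src, dst, ver, _ja3 in ssl if ver in WEAK_TLS]


if __name__ == "__main__":
    print("destination rarity:", rarity(CONN, 0, 1))
    print("JA3 rarity:", rarity(SSL, 0, 3))
    print("beacons:", detect_beacons(CONN))
    print("SMBv1 clients:", smbv1_users(SMB))
    print("weak TLS sessions:", weak_tls(SSL))
```

With the constructed data, the destination and JA3 that only 10.0.0.5 uses score 0.667 rarity, the 60-second cadence to 203.0.113.9 is flagged as a beacon, 10.0.0.6 shows up as the SMBv1 client and the TLSv10 session is reported for the posture check. In practice the rarity baseline should be computed over days of metadata, not one batch, or every new destination looks rare.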

Page 15

3. Apply the data to any of your use cases.

Directly interact with security-enriched network metadata or use SOC-based tools to automate detection and response.

• Cognito Stream: send security-enriched metadata to data lakes and/or SIEM
• Cognito Recall: investigate and hunt in a cloud-based application
• Cognito Detect: detect and prioritize hidden threats at speed using AI

Use cases:

• Build effective security models
• Meet compliance requirements
• Identify theft of data
• M&A hygiene
• Secure cloud workloads
• Identify lateral movement
• Identify ransomware
• Custom correlation
• Intelligence-driven threat hunting
• Accelerate investigations
• Compromise of privileged accounts
• Alert fatigue
• Identify the earliest stages of an attack

Page 16

The ultimate network detection and response platform.

Cognito platform

• Cognito Recall: investigate and hunt in a cloud-based application
• Cognito Stream: send security-enriched metadata to data lakes and/or SIEM
• Cognito Detect: detect and prioritize hidden threats at speed using AI

• Cloud, user, datacenter
• Security-enriched
• Real time and historical
• Scalable architecture

Page 17

Vectra for IaaS – supports AWS and Azure

Cognito platform

• Cognito Recall: investigate and hunt in a cloud-based application
• Cognito Stream: send security-enriched metadata to data lakes and/or SIEM
• Cognito Detect: detect and prioritize hidden threats at speed using AI

• Cloud, user, datacenter
• Security-enriched
• Real time and historical
• Scalable architecture

Page 18

Hybrid & Multi-cloud

Comprehensive coverage and single pane of glass across on-prem and multi-vendor clouds.

Diagram labels: Corporate data center (Sensor, Brain, Stream, Recall); AWS Workloads VPC (Sensor, CloudWatch, SecurityHub); AWS Management Cloud; DirectConnect; Transit GW; AWS ELK; Azure Workloads VNet (Sensor); ExpressRoute.

Page 19

Know now with Cognito Detect for Microsoft 365

Find attacker behaviors in Microsoft 365

• Infiltration and elevation: brute force, adding users and privileges to groups, staging malware, etc.
• Reconnaissance: accessing files in unusual ways; listing users, files, and shares, etc.
• Persistence and evasion: installing apps to keep access, changing policy and logging, turning off DLP, etc.
• Exfil and destruction: creating mail sinks, sharing and downloading files, etc.

Page 20

Cognito Detect for Microsoft 365 Early Access program

Easy to start:
• 100% SaaS
• 15-minute onboarding

Gain insight quickly:
• Regular reports
• Help from Vectra Consulting Analysts
• Free service runs through May 31, 2020*

Diagram labels: Vectra-owned/-managed; Daily Reports; Vectra Services; Detect for M365 Early Access.

* Option to join Beta program after May 31, 2020

Page 21

Simple onboarding process

Information we need from you
• Choice of cloud location: EU or US
• Domain of the Microsoft 365 Admin who will authorize Vectra access

Vectra provides URL to sensor App

Actions for Microsoft 365 Admin
• Follow the URL to install Vectra Microsoft 365 sensor App
• Authenticate to Microsoft 365
• Grant consent to Vectra for two privileges: ActivityFeed.Read and ActivityFeed.ReadDLP

Page 22

Page 23

Page 24

Native integration into existing workflows.

Not just an API. Comprehensive API augmented by tools and user community. Enables rich integration of the Cognito platform with your technology stack.

Diagram labels: Enforce; Investigate; Respond; Infrastructure.

Page 25

Page 26

Partner Portal: https://partners.vectra.ai/English/Authorized/home.aspx

Page 27

Demo Portal: https://partners.vectra.ai/English/Authorized/sales-tools/access-demo-instance.aspx

Page 28

Thank You!