Vectra Cognito Automating Security Operations with AI

Transcription

1 ESG Lab Review Vectra Cognito Automating Security Operations with AI Date: October 2017 Author: Tony Palmer, Senior IT Validation Analyst Enterprise Strategy Group Getting to the bigger truth. Abstract This ESG Lab Review examines Vectra Cognito, an artificial intelligence (AI) platform designed to find active attackers inside an organization s network, automate investigations, and make incident response faster and more efficient. ESG Lab explored how Cognito detects attacks as they happen, at any phase of the attack, on any device on the network. Cognito uses multiple AI techniques supervised and unsupervised machine learning algorithms that make use of a wide range of data science models, including deep learning, neural networks, and always-learning behavioral models, to adapt and evolve to detect hidden and unknown attacks and attackers. The Challenges According to ESG research, strengthening cybersecurity tools and processes was cited by 32% of respondents as their most important IT initiative in 2017 (see Figure 1). 1 This is hardly surprising, considering the multitude of cybersecurity incidents organizations are experiencing. In a 2016 research project conducted by ESG and the Information Systems Security Association (ISSA), 39% of cybersecurity professionals say that their organization has experienced one or more incidents resulting in the need to reimage one or more endpoints or servers, 27% have experienced a ransomware incident, and 20% have experienced at least one security incident that disrupted a business application. 2 In today s dynamic business environment, organizations are challenged to keep pace with the evolving threat landscape. Employees are using more devices and collaborating in new ways, while bad actors are growing more sophisticated. Organizations must monitor their environments for suspicious activities and malicious behavior to respond to problems quickly. But many enterprises simply lack the right level of security analytics skills or staff to perform these tasks effectively. Figure 1. Most Important IT Initiatives for 2017 Which of the following IT initiatives will be the most important (i.e., number 1) for your organization over the course of 2017? (Percent of respondents, N=641) Strengthening cybersecurity tools and processes 32% Using data analytics for real-time business intelligence and customer insight Use of public cloud for applications and infrastructure Data center modernization (i.e., highly virtualized and automated data center) Mobility (i.e., providing employees and customers with mobile access to applications and IT resources) Reinventing application development processes for a mobile- and cloud-centric world 9% 17% 15% 15% 12% Source: Enterprise Strategy Group, Source: ESG Research Report, 2017 IT Spending Intentions Survey, March Source: ESG/ISSA Research Report: Through the Eyes of Cyber Security Professionals: Annual Research Report (Part II). December This ESG Lab Review was commissioned by Vectra and is distributed under license from ESG.

2 Lab Review: Vectra Cognito 2 Even enterprise-class organizations find themselves lacking in security analytics skills, thanks to a bigger problem the global cybersecurity skills shortage. Per ESG research, 45% of organizations claim to have a problematic shortage of cybersecurity skills the area of IT skills gap shortage reported by the largest percentage of respondents. 3 Workplace mobility has boosted productivity and collaboration. It has also put corporate data at risk. Using multiple devices, anywhere, at any time, workers may unknowingly expose themselves and their organizations to risk. They access information and apps on compromised hardware. They click on infected URLs. They open malicious attachments. Unfortunately, these are common scenarios bad actors constantly exploit human nature to steal sensitive and critical company data. These attacks hurt companies bottom lines, brands, and reputations. They also open the door to compliance and legal problems. As many organizations proactively work to address these issues amid a growing number of incidents, they must consider whether traditional security tools can keep pace. That task becomes more complicated as business moves to applications and data consumed outside the corporate data center examples include: software-as-a-service (SaaS), , mobile, web, and social platforms. To deal with advanced threats, businesses must consider a different path. IT needs to improve visibility beyond its immediate network, and into the full threat landscape. In many cases, that means leveraging the experience and competency of technology partners that spend every waking moment detecting, interpreting, and evaluating potentially dangerous activity. This partnership will enable IT teams to prepare for the threats that exist today and new ones that are constantly emerging. is the most common vector for today s threats, but mobile and social entry points are on the rise. Threat actors are exploiting these new vectors, and security teams aren t effectively protecting them. Businesses must devise a means to defend against these increasingly common threats. IT must not only be able to detect malicious content and behavior, but must also be prepared to act on them quickly. The remediation process should begin before a threat executes. Ideally, this process should be automated to minimize resourceconsuming manual intervention by the security team. Reacting after a threat has landed is often too late and can put undue strain on an already stretched security team. Organizations need visibility through constant monitoring and reporting. Business owners and executive teams need insight into their level of risk, remediation activity, and defense activity. This insight should include real-time and historical views into the frequency of threats and the impact of proactive detection and remediation across the organization. The Solution: Vectra Cognito Vectra Cognito is a cybersecurity AI platform designed to deliver real-time visibility into cyber-attack behaviors using advanced supervised and unsupervised machine learning techniques that leverage multiple data science models, including deep learning and neural networks. Always-learning behavioral models are leveraged to detect hidden and unknown security threats and attacks before damage is done. Using AI, Cognito automatically analyzes, triages, correlates, and prioritizes threats across an enterprise in real-time, with a goal of reducing the security-analyst workload. This enables security teams to focus on addressing the most critical threats without being inundated with constant alarms for low risk events. Unlike traditional perimeter security systems, Vectra Cognito is a distributed platform with a centralized brain running on a Vectra X-series appliance receiving input from multiple physical and virtual sensors. Physical S-series sensors can be deployed in-line as a bump-in-the-wire or on a SPAN port or network TAP to passively monitor network traffic, extract critical metadata and forward it to the X-series appliance for analysis and threat detection. Vectra vsensors run in VMware ESXi 5.0 or later to extend threat detection coverage into virtualized data centers and remote locations. The vsensors can connect to any VMware vswitch in the data center to provide visibility into all traffic and detect threats that pass between 3 Source: ESG Brief, 2017 Cybersecurity Spending Trends, March 2017.

3 Lab Review: Vectra Cognito 3 workloads in the virtual environment, integrating with VMware vcenter for authoritative, up-to-date views of the virtual environment. Vectra Cognito can also receive input from third-party sources logs from security products, authentication systems, and SaaS applications, as well as indicators of compromise from threat feeds via a STIX interface. As seen in Figure 2, Vectra Cognito is designed to automate the hunt for cyber attackers, show where they re hiding, and report what they re doing. The highest-risk threats are instantly triaged, correlated to hosts, and prioritized so security teams can respond faster to stop in-progress attacks and avert data loss. Figure 2. Vectra Cognito Automated Threat Hunting and Response Source: Enterprise Strategy Group, 2017 Targeted cyber attacks, also referred to as advanced persistent threats, are so named because the bad actors behind the threats utilize intelligence-gathering and intrusion techniques, prioritize specific targets and goals, and patiently keep trying until they succeed. Bad actors target a specific organization, perform external reconnaissance, and eventually create an initial compromise, oftentimes with an exploit that attacks a system s vulnerability. This allows the attack to gain a foothold inside the organization from which they can spy, spread, and eventually steal data. To do so, the attacker performs internal reconnaissance and moves laterally to deepen its infiltration. Compromised systems are exploited for botnets or for data acquisition and exfiltration. While botnets are more frequent and bothersome, targeted attackers acquiring and exfiltrating data represent a higher risk to the organization. At each stage of the attack, the attacker performs actions that each have a specific network traffic behavior, regardless of their method, that can be detected with supervised and unsupervised machine learning algorithms. For example, computer systems normally attempt to find other systems in the network using DNS or active directory queries. Attackers using compromised systems may scan sequential addresses on sequential subnet ranges to create a map of the network discovering other hosts, servers and subnets. Traditional security systems attempt to find attacks by searching incoming internet traffic for known signatures or exploits, or checking IP address reputation, at a single location at a single point in time. Vectra Cognito, however, learns behavior over the entire network over long periods of time, meaning in days, weeks, and months. Cognito identifies network behavior consistent with the attacker actions at each phase of the cyber-attack kill chain. Detected attacker behavior is categorized and correlated to hosts, which are scored for threat and certainty to determine the level of risk. Hosts with attacker behaviors are further correlated to identify ones that are part of a single coordinated attack campaign, enabling administrators to concentrate their efforts on attacks that represent the highest business risk. ESG Lab Tested ESG Lab participated in hands-on demonstrations and testing of the Vectra Cognito AI platform deployed in live production environments. The Cognito dashboard, as shown in Figure 3, prioritizes workloads and devices under attack, correlates them with key assets, and identifies coordinated attacks and the attacker s activities. This view distills the intelligence

4 Lab Review: Vectra Cognito 4 gathered by Cognito from the entire network into one place, guiding the user to the most critical activities that need to be addressed. Figure 3. Vectra Cognito Dashboard From here, users can navigate to the hosts view, for detailed drill-down into host activity, shown in Figure 4. Figure 4. Cognito Network Threat Summary and Threat Details

5 Lab Review: Vectra Cognito 5 The hosts summary is presented in a two-dimensional Threat Certainty Index, measuring the threat level against the certainty of the behavior being part of an attack. Hosts mapped to the upper right of the graph and highlighted in yellow or red represent high and critical risk to the organization, and therefore should be addressed first. Hosts in the bottom left of the graph are a lower priority and can be evaluated when time permits. Clicking on a specific host dot from the Threat Certainty Index shows the threat details for that host. The threat details for host DJComp shows each of the detections identified by Cognito, sorted chronologically, and the specific scores for threat and certainty. At the bottom, hosts can be sorted by selecting the appropriate column heading. The Vectra Cognito categorization and display of threats by threat and certainty provide the first level of triage to system administrators. With this information, administrators are quickly directed to look at specific hosts under attack, without having to parse the thousands of alerts for all types of issues that are found by traditional perimeter and endpoint security systems. ESG Lab quickly pivoted to a view of the host DJComp, seen in Figure 5. Figure 5. Detections for a Compromised Host Once specific hosts exhibiting attacker behaviors are identified, administrators can review the history and the specific offending network traffic to help determine the actual cause of the threat, enabling quick quarantine and remediation of hosts. The history can also help administrators to understand the date, location, and vectors of host infection; classify new modes of infection; and encourage change in user behavior for overall enhanced security. The Cognito user interface provides additional tools, including a campaign view, as shown in Figure 6. The campaign view provides a dynamic visual view that links attacker activity across multiple hosts to give a comprehensive visualization of all the hosts afftected by a coordinated attack. From this campaign view, Tier-1 analysts can easily see both the hosts that are affected by a specific campaign and exactly what actions are being executed between internal hosts and the bad actor. This is all made possible by the Cognito platform s advanced command-and-control detection, which identifies all hosts that have connected to the same command and control infrastructure and highlights relevant lateral detections between hosts.

6 Lab Review: Vectra Cognito 6 Figure 6. Viewing a Campaign with Cognito ESG Lab also looked at the integration between Cognito and third-party cybersecurity products. One example is Carbon Black Enterprise Response software. From the host information page of a device that was communicating with an external command and control server, ESG Lab launched Carbon Black Enterprise Response with a single click to take immediate action to isolate the affected host from the network. Why This Matters Of organizations prioritizing cybersecurity initiatives in 2017, 39% expect to allocate funding to fortifying network security. In the same survey, 45% of organizations report a problematic shortage of cybersecurity skills. 4 Smart organizations will consider both investing in skills development and seeking products that improve operational efficiency. ESG Lab validated that Vectra Cognito leverages advanced AI to quickly identify compromised hosts and attackers, and enabled us to act upon the most urgent threats, according to their threat severity and probability of success. ESG Lab testing revealed that Cognito provides detection of malware and ransomware across the entire attack lifecycle, including precursors like command and control traffic, port scans, and spreading behavior. Vectra Cognito also enabled ESG Lab to view an entire campaign, identifying all involved internal hosts, the external bad actor, and the interactions between all involved systems. We used Cognito to respond quickly and decisively to active threats that were automatically prioritized and correlated with compromised hosts and key assets that were the target of the attacks. ESG Lab leveraged the Cognito third-party integrations to dramatically shrink investigation effort and time to containment. Organizations can open investigations directly in their other tools because the Cognito detections enable them to know what questions to ask. 4 Source: ESG Brief, 2017 Cybersecurity Spending Trends, March 2017.

7 Lab Review: Vectra Cognito 7 The Bigger Truth Organizations are prioritizing cybersecurity initiatives in 2017 in general and are specifically working to fortify network security, which will be a challenge, given the global shortage of cybersecurity skills.in a 2016 research project conducted by ESG and the Information Systems Security Association (ISSA), 39% of cybersecurity professionals say that their organization has experienced one or more incidents resulting in the need to reimage one or more endpoint or server and 27% have experienced a ransomware incident. 5 Cyber threats are dynamic, and cyber criminals continue to innovate. Breaches can infiltrate an organization s infrastructure and then spread laterally, causing serious damage. This presents an ominous scenario: Many organizations are understaffed and overwhelmed as the malware landscape grows ever more dangerous. Perimeter-based security is no longer sufficient, and organizations need a way to multiply the effectiveness of their security personnel. Vectra describes Cognito as an AI member of the security team, based on supervised and unsupervised machine learning algorithms that leverage advanced data science techniques like deep learning and neural networks to address these challenges with the aim of increasing an organization s overall cyber security by making their security team more effective. With access to all network traffic both inside the network and transiting the firewall, Cognito detects threats by finding hidden patterns in network traffic that reflect attacker behaviors across the cyber-attack kill chain. Regardless of which known or unknown exploit is used to infect a host, once infected, the attack follows specific stages of the kill chain, progressing from infection to either botnet monetization, or worse, internal reconnaissance, lateral movement, data acquisition, and eventually, data exfiltration. ESG Lab used Cognito to quickly identify and act upon the most urgent threats in an organization s environment, according to their threat severity and probability of success. Recognizing that many security organizations are under-staffed and overwhelmed, Vectra designed Cognito to automatically triage, correlate, and prioritize threat detections; and present the results graphically. This enables tier-1 security analysts to intuitively address the most urgent, highest-risk infections immediately. Detailed information, including the history and type of threats and packet captures offending network traffic, further guides the security professional, helping to identify which compromised systems should be isolated and remediated, thereby preventing extensive damage and increasing security. Vectra has an extensive list of partners including best-of-breed solutions and tools that speed threat investigations, automate response, and provide integration of Cognito with existing processes. As of this writing, Vectra Cognito integrations can pull host info from platforms and tools like VMware and Carbon Black Response. Vectra is actively working to add log collection from SIEMs, hook into the CrowdStrike APIs, and add additional functionality to their integrations. Vectra Cognito was architected with the understanding that perimeter and endpoint security do not provide a complete solution, and, regardless of the existing security tools and techniques, security incidents and infections will occur in everyone s network. Based on ESG Lab s testing, we found that Vectra Cognito can help organizations identify compromised hosts and attackers in real time, automate deep analysis of network behaviors, and drive faster, more effective response to incidents. 5 Source: ESG/ISSA Research Report: Through the Eyes of Cyber Security Professionals: Annual Research Report (Part II). December 2016.

8 Lab Review: Vectra Cognito 8 l trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at The goal of ESG Lab reports is to educate IT professionals about data center technology products for companies of all types and sizes. ESG Lab reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objective is to go over some of the more valuable feature/functions of products, show how they can be used to solve real customer problems and identify any areas needing improvement. ESG Lab's expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments. contact@esg-global.com P