Vectra Networks

SOLUTION BRIEF
Adaptive Distributed Architecture
Executive Overview

Today's cyber security threat landscape is highly dynamic, with attackers constantly morphing malware and attack vectors to evade detection and persistently attacking your information assets. Many infections occur outside the perimeter, on mobile users' devices and connected partners' systems. Recent breaches have all followed the same blueprint: attackers gain privileged access, extend the compromise across the network, and steal or destroy data. These cyber attacks evade the perimeter security systems designed to stop an attacker from entering.

The breach at Target Corp began with keylogger malware installed on a computer at their business partner Fazio Mechanical. By infecting computers at Fazio Mechanical, the attackers obtained credentials and used them to gain access to the Target network, spread laterally, locate key assets, accumulate data and exfiltrate it.
Automating Detection of Attacks in Progress

To detect cyber attacks that have already bypassed the network perimeter, security professionals need an automated real-time breach detection and reporting solution. Such a solution monitors network traffic in real time and provides high-fidelity detection of an attack in progress.

Vectra Networks provides automated detection of cyber attacks in real time. Vectra detects the active phases of an attack, including the command and control, internal reconnaissance, lateral movement and exfiltration phases. Because it uses data science and machine learning to detect every attack phase, the Vectra platform has several opportunities to detect an active cyber attack with high fidelity, reducing the rates of both false negatives and false positives.
The Vectra X-series platform passively monitors network traffic and performs all of the functions below to provide real-time breach detection and reporting.

• Capture: Network packets are captured in passive mode; this is the initial stage of real-time breach detection.
• Distill: Packets are assembled into flows and metadata is extracted from them for processing by the detection engine.
• Detect: Data science and machine learning algorithms are applied to the distilled data to detect the active phases of a cyber attack within the traffic.
• Correlate: Detections are correlated to the hosts under attack using Vectra's Threat Certainty Index: each detection is matched against a host, and a numeric value is assigned to the host reflecting its security risk.
• Report: External reporting through syslog, email alerts and API is also provided.

Figure 1. Vectra Network Architecture
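The five stages above, shown end to end on constructed data. This is an added illustration, not Vectra's code: the flow-assembly gap, the two toy detectors (a host contacting many internal hosts, and regularly spaced low-volume flows to one external host), the per-host risk roll-up and the syslog-style output are all hypothetical simplifications chosen to make the pipeline concrete, and say nothing about how the Threat Certainty Index is actually computed. The packet records and the 10.0.0.0/8 site range are constructed sample input.

```python
"""Constructed capture -> distill -> detect -> correlate -> report example.
All thresholds and the scoring are hypothetical, not the vendor's algorithm."""
from collections import defaultdict
import ipaddress
import statistics

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the monitored site
FLOW_GAP_S = 5.0        # packets further apart than this start a new flow
RECON_MIN_TARGETS = 5   # distinct internal hosts contacted by one source
BEACON_MIN_FLOWS = 4    # repeated external flows needed to test for a beacon
BEACON_MAX_CV = 0.2     # max coefficient of variation of inter-flow intervals

# Constructed "captured" packets: (timestamp_s, src_ip, dst_ip, dst_port, bytes)
PACKETS = [
    # 10.0.0.5 touches six internal hosts on 445 within seconds
    *[(1.0 + i, "10.0.0.5", f"10.0.0.{10 + i}", 445, 120) for i in range(6)],
    # 10.0.0.7 contacts one external host every 60 s with small payloads
    *[(60.0 * i, "10.0.0.7", "203.0.113.9", 443, 300) for i in range(5)],
    # 10.0.0.8 is an ordinary user: one web session, one internal request
    (3.0, "10.0.0.8", "198.51.100.20", 443, 1500),
    (7.0, "10.0.0.8", "198.51.100.20", 443, 48000),
    (9.0, "10.0.0.8", "198.51.100.20", 443, 2000),
    (50.0, "10.0.0.8", "10.0.0.10", 80, 900),
]


def distill(packets):
    """Assemble packets into flows keyed by (src, dst, dport). A silence longer
    than FLOW_GAP_S closes the flow. Only metadata is kept, never payload."""
    flows, open_flows = [], {}
    for ts, src, dst, dport, nbytes in sorted(packets):
        key = (src, dst, dport)
        flow = open_flows.get(key)
        if flow is None or ts - flow["end"] > FLOW_GAP_S:
            flow = {"src": src, "dst": dst, "dport": dport,
                    "start": ts, "end": ts, "packets": 0, "bytes": 0}
            flows.append(flow)
            open_flows[key] = flow
        flow["end"] = ts
        flow["packets"] += 1
        flow["bytes"] += nbytes
    return flows


def detect(flows):
    """Run two toy per-phase detectors over flow metadata.
    Returns (host, phase, certainty) tuples with certainty in 0..100."""
    detections = []
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    for src, fl in by_src.items():
        # Internal reconnaissance: one host contacting many distinct internal hosts
        targets = {f["dst"] for f in fl if ipaddress.ip_address(f["dst"]) in INTERNAL}
        if len(targets) >= RECON_MIN_TARGETS:
            detections.append((src, "internal reconnaissance", min(100, 10 * len(targets))))
        # Command and control: repeated, evenly spaced flows to one external host
        by_dst = defaultdict(list)
        for f in fl:
            if ipaddress.ip_address(f["dst"]) not in INTERNAL:
                by_dst[f["dst"]].append(f["start"])
        for starts in by_dst.values():
            if len(starts) < BEACON_MIN_FLOWS:
                continue
            starts.sort()
            gaps = [b - a for a, b in zip(starts, starts[1:])]
            mean_gap = statistics.mean(gaps)
            if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= BEACON_MAX_CV:
                detections.append((src, "command and control", 80))
    return detections


def correlate(detections):
    """Roll detections up to one numeric risk value per host (hypothetical:
    certainties summed and capped at 100) plus the phases seen on that host."""
    risk, phases = defaultdict(int), defaultdict(set)
    for host, phase, certainty in detections:
        risk[host] = min(100, risk[host] + certainty)
        phases[host].add(phase)
    return {h: {"risk": risk[h], "phases": sorted(phases[h])} for h in risk}


def report(host_risk, sensor="sensor-branch-01"):
    """Render one syslog-style line per host, highest risk first."""
    ordered = sorted(host_risk.items(), key=lambda kv: -kv[1]["risk"])
    return [f"host-risk sensor={sensor} host={h} risk={v['risk']} "
            f"phases={';'.join(v['phases'])}" for h, v in ordered]


def run_pipeline(packets=PACKETS):
    """Capture (the constructed packets) -> distill -> detect -> correlate -> report."""
    host_risk = correlate(detect(distill(packets)))
    return host_risk, report(host_risk)


if __name__ == "__main__":
    for line in run_pipeline()[1]:
        print(line)
```

Note that the sensor in the brief ships only the distilled metadata upstream; in this toy version that corresponds to the output of distill(), which is what the detectors and the per-host roll-up consume.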
Increasing Efficacy

Efficacy increases when this solution has visibility into traffic across the entire attack surface, including remote sites and the internal network segments where key assets are located. Remote sites are often weak links in the attack surface.

Remote sites typically have fewer perimeter defenses and lack security professionals who can take quick action during an attack. Minimizing the capital expense, operational cost and complexity of cybersecurity at remote sites is often a key criterion. For remote sites in the retail, banking and healthcare segments, the size, noise level, heat dissipation and ease of use of the equipment are other important decision factors.

Internal segments containing key assets have often been presumed to be safe because they lie deep within layers of perimeter security, yet the perpetrators of the Carbanak APT were able to use remote access tools on financial networks to steal over $1 billion from over 100 banks.
Holistic cybersecurity – fully distributed

The automated detection of attacks in progress by the Vectra X-series platform can now be extended to remote sites and internal segments while maintaining a single-pane view of an organization's risk profile.
X-series Platform

The X-series platform software can be ordered preloaded on a full-depth rack-mountable appliance designed to scale with even the largest networks. The X-series platform can be deployed either as an all-in-one device that both monitors traffic and performs real-time threat detection, or in combination with S-series sensors that monitor traffic, in which case the X-series processes the metadata sent by the sensors. The X-series platform performs all detection, analysis and correlation of threats on the metadata from sensors.
S-series Sensors

The S-series sensors are small, dedicated sensors that can be easily deployed at remote sites or with access switches. Sensors can be deployed in-line or as a passive device to monitor network traffic, extract critical metadata from it and forward the metadata to an X-series platform for threat analysis. The small size and simple deployment model of the S-series ensure enterprises have comprehensive coverage throughout the network, especially at remote sites including small offices, bank branches, healthcare clinics and retail locations.
Deploying the Distributed Architecture

The Vectra Networks scalable distributed architecture ensures customers have consistent cybersecurity protection across their entire organization regardless of size or geographical distribution. S-series sensors and X-series platforms provide the ability to scale to any size of network across geographically dispersed sites and deliver centralized analysis, detection and correlation of threats.

The infographic on the next page shows the deployment topologies of the distributed architecture.

Monitoring traffic on these internal segments is important in a data-centric security strategy, but the capital expense and operational complexity of existing solutions are often limitations.
©2015 Vectra Networks, Inc. | 2
Campus Sensor Deployment

• Sensors deployed at the access layer switch provide visibility into user-to-user traffic
• The X-series deployed at the core/distribution layer provides visibility into traffic between users and the internet, and correlates detections from sensors

Remote Site Sensor Deployment

• Sensors deployed at the remote site provide visibility into traffic at remote sites
• The X-series deployed at the data center provides visibility into traffic in the data center, and correlates detections from sensors
Benefits of Distributed Architecture

The Vectra Networks distributed architecture provides the following benefits:

• Plug-and-play deployment
» Sensors are provisioned with customer information by Vectra Networks before shipment.
» Sensors obtain their network configuration from a DHCP server in the network. This helps with deployments at remote sites with very little technical expertise.
» Sensors can be deployed in passive mode, or in-line mode as a bump-in-the-wire with fail-open.
• Low bandwidth utilization
» The sensor distills metadata from the local traffic and sends it to the X-series for threat analysis and reporting.
» The metadata sent from the sensor to the X-series is compressed to less than 1% of the received bandwidth to reduce overhead on low-bandwidth network links.
• Extends full-fidelity traffic visibility
» Remote sites are weak links in the attack surface. Sensors can be easily deployed at remote locations to strengthen network security at remote sites.
» Sensors can be deployed on internal segments with key assets to detect lateral spread and data accumulation.
• Automatic centralized reporting
» The Vectra X-series provides a unified view of an organization's risk profile by aggregating and correlating all detections.
» The Vectra X-series enables the security operations team to filter threat detections by the sensor that monitored the suspect traffic.
» The X-series provides automatic real-time reporting, empowering organizations with the relevant data to respond rapidly to attacks, saving time and manpower.
• Automatic software updates
» The Vectra cloud provides updates to the X-series.
» Updates are downloaded automatically to the sensor from the X-series.
The screenshot below shows detections viewed from the X-series deployed in the distributed architecture.

Figure 2. Detection view on X-series
Summary

Vectra technology picks up where perimeter security leaves off by providing deep, continuous analysis of both internal and Internet network traffic to automatically detect all phases of a breach. Vectra Networks provides a scalable distributed architecture to ensure customers can maintain full visibility of their networks regardless of their organizational size or physical distribution. S-series sensors and X-series platforms provide the ability to scale to any size of network across geographically dispersed sites while delivering centralized analysis, detection and correlation of threats.