ESG's Jon Oltsik talks with Mike Banic of Vectra Networks about SOAPA and Cybersecurity. This is part 1 of a 2-part series.
Read the related ESG Blog: Talking SOAPA with Vectra Networks (Video, Part 1)
Jon: I'm here today with VP of Marketing from Vectra Networks, Mike Banic, old friend.
Mike: Hi, Jon.
Jon: Good to see you.
Mike: It's good to see you too.
Jon: And we're talking about SOAPA, and you guys are in the security analytics and operations market. So let me start with this, so there is a tremendous amount of rich telemetry in security. You focus on network security telemetry. Tell me why that is.
Mike: We get this question a lot. So we focus on network data because it's where the action is. The attacker has to do certain things across the network, and it can't hide that. If an attacker gets on your computer, he knows that logs are batched. He can clean up his bread crumbs before stuff gets sent up. Logs are a little bit lower fidelity, so that's why we focus on network. But we actually complement it with log information because there are things we can get from Active Directory or DHCP that we may not be able to get from the network. It helps us to provide greater context around detections.
Jon: How much data do you collect or does the customer collect using Vectra?
Mike: Of course, it's gonna vary based on the number of IP addresses that they have, but it could be anywhere from tens of terabytes to a petabyte of data in a year, depending on the number of hosts and devices that they have. Now, the nice thing though is we're looking at the metadata, so that's a fraction of the total traffic. And then from there, the only thing we keep are pcaps that are associated with detections, with behavior that's representative of what an attacker might be doing.
Jon: In that way, you manage the amount of data. Because what we're seeing is just an incredible increase in the amount of data that people are collecting, and they say, "We're collecting this, but we don't get that much value out of it." But you're not seeing that, because you kind of streamline the data that you collect.
Mike: Yeah, our goal is to pare things down as much as we can. So the algorithms we have look at what's happening on the network. Anything that is just benign, we don't bother keeping that. If it's grey or definitely malicious, that gets kept. If the grey stuff doesn't turn out to actually show a pattern of an attacker behavior, we get rid of that as well. So that way, we're only keeping what's specifically associated with an attacker behavior.
Jon: Now, one of the things about SOAPA is integration. And so I can imagine you go and you talk to a customer and they say, "Well, I understand the value there, but I've already got SIM or I'm already doing something like EDR collecting data from endpoints." How do you guys help them put that story together?
Mike: Yeah, integrations are a big part of what we do. So we have integrations with endpoint, with NAC solutions, with firewall, and with SIM. Our goal is to give people a starting point: they understand exactly what the attacker's doing, where they're doing it, and to what hosts they're doing it. And then they can use endpoint detection and response, and click in deeper. They can then maybe isolate the host, kill an end process, or they have the starting point for a threat investigation in their SIM.
Jon: And so how do you add value to what SIM is doing? Because obviously, that's been the nexus of security analytics for a long time.
Mike: We find a lot of our customers use the SIM to drive a lot of their human process, their workflows in their incident response or security operations. And what we do is we give them the starting point. SIMs collect a lot of data. They essentially create a data lake. But you could drown diving for further details in the data lake.
Jon: Yeah, you do drown, oftentimes.
Mike: You really do. And so our goal is to take a security event, completely triage that, correlate it, tell somebody what host it's affecting, and if there are other hosts that are demonstrating similar behaviors with similar, maybe external IP addresses, maybe tell them where we're seeing a lot of movement internally, so now they have a full picture, now they know exactly what to ask their SIM. They can say, "All right, I have these 10 internal IP addresses. Is any of the security system telling me something about one of these addresses?" Rather than starting with a massive data lake.
Jon: One more question for you. You know I've written quite a bit about the security skill shortage. And so one of the complaints I hear from customers is "I understand the value of this. I don't have the people to put on this. I don't have the skill set. I don't have the time to train someone." Does that come up in your sales and how do you overcome that in the SOAPA context?
Mike: For us, one of the things that our customers say, so I let them speak for us, is that Vectra is headcount augmentation. That actually started back with Paul Moreno when he was running security operations at Pinterest. And we hear that repeatedly from customers today. Even Ottawa Hydra talks about how Vectra automates the threat hunting for them. Because these are people who have a lot of aspects of responsibility that they have to provide. They're humans. They have to go home at the end of the day. What they need is tools to augment them. They need tools that can actually do threat hunting, do correlation, provide context, so that they can figure out, all right, what's the game plan? They can apply their intelligence. They can apply their artisan skills in security operations.
Jon: Artisan skills, that's good. We need more art, because this is more art than science, oftentimes. It's the instincts and the experience of the actual security analyst. So Mike, this is really interesting. Will you hang around? We'll do some more questions and answers.
Mike: You bet.