ESG's Jon Oltsik talks with Mike Banic of Vectra Networks about SOAPA and Cybersecurity. This is part 2 of a 2-part series.
Read the related ESG Blog: SOAPA Chat with Vectra Networks (Video, Part 2)
Jon: I'm back again with VP of Marketing from Vectra Networks, Mike Banic. Welcome back.
Mike: Thanks, Jon.
Jon: Seems like we just were doing this.
Jon: You guys base a lot of your technology expertise and what you do, the value of what you do, on machine learning.
Jon: Our research says people are totally confused. Don't understand what machine learning is or have some fundamental understanding, and they don't understand the value that it provides. Now, I think the industry's done a terrible job of communicating this, so here's your opportunity to represent the industry. Tell us, what does machine learning do and what value does it provide?
Mike: Essentially, with machine learning, we're teaching a machine to think. We're giving it data and we're teaching it what things look like. We're asking it to look for specific features in that data, and then make decisions. And I'll give you a really simple example. Trying to find a remote access Trojan in a network, the features I'm looking for are random silences, and then I wanna know which IP address breaks those random silences. And if the external IP address in the conversation, the one that's outside of your firewall, is breaking all of the random silences, then that address is in control of the conversation. I can teach a machine to look for those features and do that automatically for me.
Jon: Do customers get this?
Mike: It takes a while. It's not an easy concept. And I think part of it is that, you know, what security has meant for so many years is that it has been very binary. And what machine learning introduces is that you're looking deeper under the covers. It's like you gotta understand how the engine works a little bit. And it introduces some ambiguity. And I think that's where I see people, on a gradual scale of their journey, in terms of how they understand that ambiguity and how they understand…what do you do with the information you're getting from it.
Jon: If I've got a number of security analytics products, do I get benefit out of cumulative machine learning from each of these products? Or is it really, kind of, you're looking for the same things someone else is so that's…there's some redundancy in there?
Mike: Yeah, this is where I think asking…you know, we've got a new document on our website, "The Nine Questions to Ask your AI Vendor," and a lot of it centers around asking a vendor what type of algorithms they have. How do they classify those algorithms? What kind of depth do they have? Because you really want your vendor to provide you a range of capability in terms of the types of things you can find in the face of an attack, whether it's command and control, recon, lateral movement, but you also want depth. So you're not just finding one type of command and control, you're finding a wide range of it.
There's machine learning that other kinds of products have that can be complementary, but this is where it does take a little bit of effort on the part of the CISO and the operations team to look through their requirements and match what the vendor has algorithmically to their needs.
Jon: So I imagine, because a lot of security people say to me, "I don't really care what's underneath the covers. I care if it's effective." So I imagine a lot of this is getting the product installed, showing people what it does and how it saves them time, which is a key element of SOAPA, and makes it more productive.
Mike: Yeah, and one of the things that…we like customers to get their fingers on our software as early as possible. Sometimes, it's just in a demo form because bringing software in means it's work for them. They've gotta get things set up, and they've gotta make sure you get access to the traffic. The next step is they wanna see it work on their data. When they're gonna make that kind of an investment, one of the things we really urge them to do is synchronize it with the red team exercise, or with the pen test. You don't even have to tell us it's happening. Just please synchronize it with that, because you don't often find a smoking gun. But because the pen test or the red team is going to demonstrate attacker behavior, you get a real sense of what the machine learning is going to turn up for you.
Jon: One of the points of integration that I find consistently, and even increasingly, is threat intelligence. So you know what's going on inside the network, but it'd be nice to know what people are seeing in the wild with threat intelligence. Tell me about the integration that you guys have, maybe some partnerships and how that provides a cumulative value.
Mike: Yes, so we now allow you to import threat intel. So you can import IoCs. We support STIX, so that's the way you import them. So you can get your threat intel from a wide range of sources now. And when we detect something based on that IoC, we're gonna score it, for threat and for certainty. We're also gonna correlate it with all the detections that we're seeing just based purely on looking at network traffic. And that's gonna drive the overall threat score for that IP address.
Jon: So there's a degree of automation there.
Mike: Huge degree of automation.
Jon: Okay, that's a good step. And speaking of automation, integration, there're lots of different technologies out there that we could integrate with. What are the ones that people are asking you to integrate with?
Mike: One that comes up a lot is SIEM, because people use it for a lot of operational functions today. And a lot of people need a SIEM for regulatory compliance reasons. And they've already made a big investment in that. They wanna preserve and get more value out of it. We can bring a lot more value to the SIEM.
On the other end of the spectrum, we have a lot of requests for integration with endpoint detection and response. With EDR platforms like Carbon Black, you get the opportunity to see, from Vectra, that there's an attacker behavior against the host, but you can then see through Carbon Black, what's the process at the end of that communication threat? Do you wanna quarantine the host? Do you wanna kill the process? You have a lot of granularity and control.
So those are two things we see fairly significantly in the market as customer requests coming in.
Jon: So that's good, that's a good point. It's not all about just the analytics and understanding what's going on. There's also sort of the…a path to controls or automation of remediation activities.
Mike: That's right.
Jon: So again, kind of increasing productivity. So last question, put yourself in my shoes, so become the analyst. SOAPA's all about integration. It's about all these different products working together for the customer, for a better whole. As you're out there in the market talking to customers, seeing their requirements, where do you see this going?
Mike: So one of the things I'd probably do if I was in your shoes and somebody put a client inquiry into me, I would ask them to think about the security spend in the market overall. So you know, the market, globally, is spending a little more than 10 billion on firewalls, probably about 3 billion on endpoint security, 3 billion on SIEM, 3/2 billion on IDS, but 55 billion is spent on services.
And when I think about all the security use cases, you know, a use case might be lateral movement detection. It might be ransomware. It might be general malware. Those all get served with a variety of products. When we think about what products a lot of people in your job recommend to customers, it might be more than one discrete product to help solve one of these use cases. And what do they do to bring these products together? They put people on the job. And if they don't have enough people, they hire services. $55 billion in services, that's the market that we address, because there… As you've aptly written about, there aren't enough skills in the workforce to hire to do this stuff. And you know, the only way we can do this is through automation, and that way, then we can augment the workforce with AI. And so if I flip the roles, that's how I think about it.
Jon: Yeah. Well, it is how I think about it, so that's a good way to end. So thank you, Mike, for participating and we'll be back with more video soon.