Blog

The good, the bad and the anomaly

Posted by Hitesh Sheth on Nov 8, 2017 10:57:20 AM

This blog was originally published on LinkedIn.

The security industry is rampant with vendors peddling anomaly detection as the cure all for cyber attacks. This is grossly misleading.

The problem is that anomaly detection over-generalizes: All normal behavior is good; all anomalous behavior is bad – without considering gradations and context. With anomaly detection, the distinction between user behaviors and attacker behaviors is nebulous, even though they are fundamentally different.

Read More »

Topics: cyber security, network security, artificial intelligence, Threat Detection, anomaly detection


Better together: Tight integration between endpoint and network security can stop attacks faster

Posted by Kevin Kennedy on Sep 20, 2017 11:03:56 AM

Many security teams are overwhelmed with the scale and ferociousness of digital threats. Threats are sneakier and more damaging, and security operations centers (SOCs) are being worn down investigating and stomping out incidents.

Read More »

Topics: Cyberattacks, cyber security, network security, endpoint, security operation centers


Goldeneye. Petya. WannaCry. It's all ransomware.

Posted by Chris Morales on Jun 27, 2017 5:46:22 PM

We are seeing another outbreak of ransomware that appears to be a combination of previous other ransomware campaigns. As is always the case, criminal gangs learn from each other.

Petya was successful in 2016 using email attack campaigns and a ransomware-as-a-service business model. Wannacry introduced new worm propagation techniques proving highly successful in hitting thousands of systems in a short time span last month.

Read More »

Topics: Cyberattacks, cyber security, Ransomware, AI, WannaCry, petya, goldeneye


How AI detects and mitigates cyber attacks in software-defined data centers

Posted by Chris Morales on Jun 22, 2017 7:47:16 PM

Earlier this month Vectra announced plans to leverage the capabilities of VMware NSX to accelerate the detection and mitigation of hidden cyber attackers in virtualized data centers.

Vectra currently applies artificial intelligence to automatically detect attacker behaviors inside virtualized data centers. Vectra also integrates with endpoint and network response tools to automate the workflow.

Read More »

Topics: Cyberattacks, cyber security, Datacenter, AI


A behind-the-scenes look at how cybercriminals carry out attacks inside enterprise networks

Posted by Chris Morales on Jun 13, 2017 5:16:09 PM

Vectra Networks last week published the 2017 Post-Intrusion Report, which covers the period from January through March. While there are plenty of threat research reports out there, this one offers unique insights about real-world cyber attacks against actual enterprise networks.

Most industry security reports focus on statistics of known threats (exploits and malware families) or give a post-mortem look back at breaches that were successful. The first one looks at threats that network perimeter defenses were able to block and the second lists attacks that were missed entirely. 

Read More »

Topics: Cyberattacks, cyber security, Security Analytics, AI


Vectra detection and response to WannaCry ransomware

Posted by Chris Morales on May 16, 2017 8:59:36 AM

Vectra Threat Labs analyzed the WannaCry ransomware to understand its inner workings. They learned that while the way it infects computers is new, the behaviors it performs are business as usual.

WannaCry and its variants behave similarly to other forms of ransomware that Vectra has detected and enabled customers to stop before experiencing widespread damage. This is a direct benefit of focusing on detecting ransomware behaviors rather than specific exploits or malware. Many of WannaCry’s behaviors are reconnaissance and lateral movement on the internal network, within the enterprise perimeter.

Read More »

Topics: Cyberattacks, cyber security, Ransomware, cyber security gap, AI, cyber defense, WannaCry


Fighting the ransomware pandemic

Posted by Chris Morales on May 12, 2017 5:00:14 PM

What just happened?

A ransomware attack is spreading very rapidly among unpatched Windows systems worldwide. This morning, the attack was initially believed to target the UK National Health Service, but throughout the day, it has become apparent this is a global attack.

Kaspersky labs reported on Friday afternoon that at least 45,000 hosts in 74 countries were infected. Avast put the tally at 57,000 infections in 99 countries. All this, during just 10 hours. Of those infected hosts, Russia, Ukraine and Taiwan were the top targets.

Read More »

Topics: Cyberattacks, cyber security, Ransomware, Threat Labs, AI, Attacker Detection, threat research, bitcoin, Windows vulnerability, attacker behavior, shadow brokers


The existential threat of IP theft

Posted by Kevin Kennedy on Apr 19, 2017 5:41:26 PM

Confusion reigns on the origin of the term "bullseye." Some say it started when English archers showed off their accuracy by shooting arrows through the empty eye socket of a bull skull. Others contend it was a reference to a blemish in the center of a glass window pane.

Read More »

Topics: Cyberattacks, cyber security, Ransomware, cyber defense, intellectual property


Don't blow your IT security budget on flow analysis

Posted by Hitesh Sheth on Apr 10, 2017 9:23:04 AM

This blog was originally published on LinkedIn.

Vendors who are trapped in a time warp often tout traffic flow analysis as a great way to detect and analyze behavior anomalies inside networks. I have a problem with that because it’s decades-old technology dressed in a new suit. 

Read More »

Topics: cyber security, network security, artificial intelligence


AI: Is science fiction on a collision course with science fact?

Posted by Chris Morales on Mar 30, 2017 3:48:43 PM

Sometimes science fiction becomes less fantastic over time than the actual reality. Take the film Ghost in the Shell, for example, which hits the big screen this week. It’s an adaptation of the fictional 28-year-old cult classic Japanese manga about human and machine augmentation.

Read More »

Topics: cyber security, machine learning, artificial intelligence


Stealthy ransomware: Extortion evolves

Posted by Kevin Kennedy on Mar 29, 2017 11:22:31 AM

It seems like a new variant or victim of ransomware is in the news every day. It’s newsworthy because it works so well and causes widespread destruction.

So when the recent wave of stories hit about PetrWrap, a variation of the widely known Petya ransomware strain, it was easy to miss the significance. The “no-honor-among-thieves” narrative crowded out its true importance.

Read More »

Topics: Cyberattacks, cyber security, Ransomware, cyber defense


Don't let your cybersecurity vendor leave you vulnerable

Posted by Chris Morales on Mar 23, 2017 12:57:20 PM

The U.S. Computer Emergency Readiness Team (US-Cert) issued a warning last week stating HTTPS interception weakens TLS security. As the use of encryption for privacy has increased, the security industry has responded by intercepting and decrypting SSL sessions to perform deep-packet inspection (DPI).

Read More »

Topics: Cyberattacks, SSL Encryption, cyber security, security architecture


The love-hate relationship with SIEMs

Posted by Hitesh Sheth on Mar 7, 2017 12:00:14 PM

This blog was originally published on LinkedIn.

To know SIEM is to love it. And hate it.

Security information and event management (SIEM) is a ubiquitous cybersecurity tool. It’s used by probably every security analyst who works in a security operations center (SOC).

Read More »

Topics: Cyberattacks, cyber security, SIEM


An immigrant CEO's story

Posted by Hitesh Sheth on Mar 7, 2017 11:38:30 AM

This blog was originally published on Medium.

Growing up in Kenya, I shared a one-bedroom apartment with my family. In fact, I slept in the laundry/storage room in the constant presence of family laundry and stacks of suitcases. You might say I’ve been sensitive to the invasive presence of others from an early age. 

Read More »

Topics: cyber security, artificial intelligence, technology, politics, immigration


Our focus on Russian hacking obscures the real problem

Posted by Hitesh Sheth on Jan 18, 2017 4:25:34 PM

This blog was originally published on The Hill.

If I didn’t deal daily with the mechanics of cybersecurity, I might be captivated by Washington’s focus on whether the Russians penetrated the Democratic National Committee and why they did it. As a citizen, I follow politics and geopolitics, too.

But here’s what bothers me:

The hacking tools identified by the FBI and Department of Homeland Security are freely available on the internet. The Russians can use them. So can the Iranians, the Chinese, the North Koreans and any other nation-state which wants to penetrate the networks that serve our political parties and government. There is nothing special or even uniquely “Russian” about them. And they often work.

I am not surprised that such common tools are employed against us. We should expect it. In the cybersecurity business we know the focus should be on our ineffective defense, rather than on finding the guilty country.

Whoever got inside the DNC networks had seven months to plumb about, pilfer embarrassing material, package it for shipping and make off with it, all without detection. The DNC had no way to detect the penetration while it was happening.

Why not? After all, the technology to spot and interrupt hacking while it is in progress exists. We can literally watch hackers and their tools move around inside our networks, probing our vulnerabilities, locating our most sensitive data and setting up private tunnels to take it out of our systems. 

Read More »

Topics: cyber security, cybersecurity, hacker, hacking, cyber defense


Security automation isn't AI security

Posted by Günter Ollmann on Jan 17, 2017 2:11:52 PM

This blog was orignially published on ISACA Now.

In many spheres of employment, the application of Artificial Intelligence (AI) technology is creating a growing fear. Kevin Maney of Newsweek vividly summarized the pending transformation of employment and the concerns it raises in his recent article "How artificial intelligence and robots will radically transform the economy."

In the Information Security (InfoSec) community, AI is commonly seen as a savior – an application of technology that will allow businesses to more rapidly identify and mitigate threats, without having to add more humans. That human factor is commonly seen as a business inhibitor as the necessary skills and experience are both costly and difficult to obtain.

As a consequence, over the last few years, many vendors have re-engineered and re-branded their products as employing AI – both as a hat-tip to their customer’s growing frustrations that combating every new threat requires additional personnel to look after the tools and products being sold to them, and as a differentiator amongst “legacy” approaches to dealing with the threats that persist despite two decades of detection innovation.

The rebranding, remarketing, and inclusion of various data science buzzwords – machine intelligence, machine learning, big data, data lakes, unsupervised learning – into product sales pitches and collateral have made it appear that security automation is the same as AI security.

Read More »

Topics: cyber security, machine learning, cybersecurity, artificial intelligence, security automation


Politics and the bungling of big data

Posted by David Pegna on Nov 17, 2016 12:00:00 PM

We live in the age where big data and data science are used to predict everything from what I might want to buy on Amazon to the outcome of an election.

The results of the Brexit referendum caught many by surprise because pollsters suggested that a “stay” vote would prevail. And we all know how that turned out.

History repeated itself on Nov. 8 when U.S. president-elect Donald Trump won his bid for the White House. Most polls and pundits predicted there would be a Democratic victory, and few questioned their validity.

The Wall Street Journal article, Election Day Forecasts Deal Blow to Data Science, made three very important points about big data and data science:

  • Dark data, data that is unknown, can result in misleading predictions.
  • Asking simplistic questions yields a limited data set that produces ineffective conclusions.
  • “Without comprehensive data, you tend to get non-comprehensive predictions.”
Read More »

Topics: Data Science, cyber security, machine learning


Moonlight – Targeted attacks in the Middle East

Posted by Chris Doman on Oct 26, 2016 1:30:00 AM

Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.

Read More »

Topics: Targeted Attacks, Malware Attacks, cyber security, Threat Labs


Reverse engineering the Shadow Brokers dump: A close look at NOPEN

Posted by Nick Beauchesne on Sep 12, 2016 11:58:00 PM

While digging and reversing my way through the Equation Group dump, I’ve come across a few interesting pieces that probably are not getting the attention they deserve.  While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.

Certainly 0-days are great, but in my opinion the previously disclosed Fortidoor exploit is 100x more significant than the Fortigate HTTP 0-days disclosed in the dump.  And while most of the dump is around firewall implants and a few exploits, there are some very interesting ops tools in the drop.  One of those tools is NOPEN. It is referenced multiple times in their script/ops/doc, and seem to be one of the cornerstones of their infrastructure.  It is significant both as a backdoor in a target network or as a tool deployed on a listening post to let you create a multi-layer call-back network. So let's take a closer look at this software.

Read More »

Topics: Malware Attacks, cyber security, Detection


From the Iron Age to the “Machine Learning Age”

Posted by Günter Ollmann on Aug 30, 2016 8:00:00 AM

It is likely self-evident to many that the security industry’s most overused buzzword of the year is “machine learning.” Yet, despite the ubiquity of the term and its presence in company marketing literature, most people – including those working for many of the vendors using the term – don’t actually know what it means.

Read More »

Topics: cyber security, machine learning, cybersecurity


Cybersecurity and machine learning: The right features can lead to success

Posted by David Pegna on Sep 15, 2015 9:52:24 AM

Big data is around us. However, it is common to hear from a lot of data scientists and researchers doing analytics that they need more data. How is that possible, and where does this eagerness to get more data come from?

Very often, data scientists need lots of data to train sophisticated machine-learning models. The same applies when using machine-learning algorithms for cybersecurity. Lots of data is needed in order to build classifiers that identify, among many different targets, malicious behavior and malware infections. In this context, the eagerness to get vast amounts of data comes from the need to have enough positive samples — such as data from real threats and malware infections — that can be used to train machine-learning classifiers.

Is the need for large amounts of data really justified? It depends on the problem that machine learning is trying to solve. But exactly how much data is needed to train a machine-learning model should always be associated with the choice of features that are used.

Read More »

Topics: Data Science, cyber security


What cyber threats are lurking about in your network?

Posted by Wade Williamson on Jun 23, 2015 5:00:00 AM

Today, Vectra Networks published its second edition Post-Intrusion Report that offers a first-hand look at modern threats that get past perimeter security and spread inside the network.

In the latest report, we analyzed behaviors and techniques across the entire lifecycle of real-world cyber attacks. We also looked back and saw alarming changes in the threat landscape and observed emerging trends in attack techniques.

Read More »

Topics: Cyberattacks, Post Breach Detection, Tor, cyber security


Duqu: The Sequel

Posted by Wade Williamson on Jun 12, 2015 12:54:00 PM

Doqu_2.0_Wade_Williamson_Blog_Image_Recently, Kasperky Labs disclosed that it was the victim of a sophisticated cyber attack, which they have named Duqu 2.0. The team at Kaspersky Labs has published a detailed analysis of Duqu 2.0 and it’s definitely worth a read.

The original Duqu threat actor was a family of malware that most researchers believe was created by a nation-state and it’s related to the infamous Stuxnet worm. While Stuxnet was used to damage centrifuges used to enrich uranium, the original Duqu appeared more intent on surveillance and collecting information within a compromised network.

Read More »

Topics: Cyberattacks, cyber security


Cybersecurity, data science and machine learning: Is all data equal?

Posted by David Pegna on May 9, 2015 9:00:00 AM

Big Data Sends Cybersecurity back to the future In big-data discussions, the value of data sometimes refers to the predictive capability of a given data model and other times to the discovery of hidden insights that appear when rigorous analytical methods are applied to the data itself. From a cybersecurity point of view, I believe the value of data refers first to the "nature" of the data itself. Positive data, i.e. malicious network traffic data from malware and cyberattacks, have much more value than some other data science problems. To better understand this, let's start to discuss how a wealth of network traffic data can be used to build network security models through the use of machine learning techniques.

Read More »

Topics: Data Science, cyber security, machine learning


Big Data Sends Cybersecurity Back to the Future

Posted by David Pegna on Apr 1, 2015 12:56:43 PM

Big Data Sends Cybersecurity back to the future The main reason behind the rising popularity of data science is the incredible amount of digital data that gets stored and processed daily. Usually, this abundant data is referred to as "big data" and it's no surprise that data science and big data are often paired in the same discussion and used almost synonymously. While the two are related, the existence of big data prompted the need for a more scientific approach – data science – to the consumption and analysis of this incredible wealth of data.

Read More »

Topics: Data Science, cyber security


Cybersecurity Sensors – Threat Detection Throughout a Distributed Network

Posted by Hitesh Sheth on Mar 24, 2015 5:00:00 AM

width="578"Keeping data from getting out into the wild or being damaged by cyber attackers is what keeps CISOs, the executive team and boards of directors up at night. To protect organizations, cybersecurity needs to be automated and real-time, it needs to learn contextually like we do and it needs to monitor for threats at every corner of the network in a way that organizations can afford without sacrificing coverage.

Read More »

Topics: cyber security, Automated Breach Detection


Creating Cyber Security That Thinks

Posted by David Pegna on Mar 9, 2015 1:50:00 PM

Until recently, using the terms “data science” and ”cybersecurity” in the same sentence would have seemed odd. Cybersecurity solutions have traditionally been based on signatures – relying on matches to patterns identified with previously identified malware to capture attacks in real time. In this context, the use of advanced analytical techniques, big data and all the traditional components that have become representative of “data science” have not been at the center of cybersecurity solutions focused on identification and prevention of cyber attacks.

This is not surprising. In a signature-based solution, any given malware or new flavor of it needs to be identified, sometimes reverse-engineered and have a matching signature deployed in an update of the product in order to be “detectable.” For this reason, signature-based solutions are not able to prevent zero-day attacks and provide very limited benefit compared to the predictive power offered by data science.

Read More »

Topics: Data Science, cyber security


Subscribe to the Vectra Blog



Recent Posts

Posts by Topic

Follow us