Vectra has launched Cognito Stream, delivering enterprise-scale network metadata in Zeek format enriched with security insights to empower threat hunters and incident investigators by leveraging existing software tooling. Cognito Stream enriches metadata with host identity so security analysts can investigate incidents with unprecedented efficiency using the complete context about incidents in network communications between cloud and data center workloads and user and IoT devices.
“Security analysts shouldn’t also have to be network experts to complete threat investigations. Searching NetFlow data, which lacks detail, or packet data, which is too complex and costly to store, must be performed based on IP address, which is not intuitive and requires additional correlation with separate dynamic host control protocol (DHCP) logs,” said Eric Ogren, senior security analyst at 451 Research. “A key network visibility, detection and response requirement is to use intelligence in correlating traffic data and presenting meaningful insights to security analysts.”
Cognito Stream provides a transactional record of every network communication across the organization to an enterprise-scale data lake or security information and event management (SIEM) system. Cognito Stream enriches metadata with host identity to eliminate parallel searches in DHCP logs to find the device using an IP address at specific times and tracks IP address changes. By collecting and forwarding historical metadata, rather than full packet capture, Cognito Stream reduces the storage required by over 99% and ensures compliance with data privacy mandates like the European Union General Data Protection Regulation (GDPR).
“Evaluate Cognito Stream if you have invested in your own data lake,” said Dan Basile, executive director of security operations at The Texas A&M University System. “Context is always key to being able to find threats. The ability to correlate enriched metadata with other data sources and hunt retrospectively for threats based on high-value indicators of compromise (IoCs) can reduce noise and enable your analysts to reduce the time to remediation.”
Cognito Stream delivers:
§ Actionable network metadata in Zeek format. Cognito Stream extracts hundreds of metadata attributes from raw network traffic and presents them in a compact, easy-to-understand Zeek format that leverages existing software tooling. Cognito Stream provides the details analysts need, compared to NetFlow and without the storage complexity of full packet capture.
§ Embedded security insights. Security insights generated by machine learning are embedded in the Cognito Stream metadata to provide powerful building blocks security analysts can combine with their own individual expertise to quickly reach conclusions.
§ Investigations based on hosts, not IP addresses. Cognito Stream automatically associates network metadata with other attributes to create a unique host identity. User attribution enables security analysts to efficiently investigate hosts regardless of IP address changes and explore relationships among groups of hosts.
§ Set-and-forget ease of use. Cognito Stream sets up in less than 30 minutes, requires no performance tuning or ongoing maintenance, and delivers more than five times the single-sensor performance of Zeek. As a result, security teams can focus on investigations and avoid the management overhead of open-source Zeek.
Network metadata provides a security analyst with a high-level view of patterns and events as they occur across an entire network. Host and application data provide an analyst with granular low-level data to behaviors at the host level, including system processes and memory access. Combined, these datasets provide a comprehensive map of the enterprise, giving a multilevel view of what might be going on, and are most effectively used in tandem by hunters to detect advanced threats.
“Cognito Stream delivers rich metadata that provides additional enrichment over Zeek while providing full compatibility with all existing Zeek tooling,” said Rohan Chitradurga, director of product management, Vectra. “This addresses the need to quickly and easily hunt for threats in large enterprises without the operational overhead of managing the sensor infrastructure.”