To do that, it had to infuse Vectra DC 1.0, launched Tuesday, with some new strategies for detecting bad behavior, because intruders in the data center don’t have the same goals as intruders in the campus network do.
Vectra is among a new wave of security companies that try to detect attacks in progress. That’s in contrast to the traditional strategy of trying to keep attackers out entirely. You still want to try to do that, but the current thinking is that you have to assume the network has been breached and try to spot the intruders from within.
Some security startups have targeted the data center all along. Vectra might be new to the data center, but its strategy of targeting campus networks has won it some fans. Vectra claims roughly 200 installations since it began shipping in general availability in early 2014.
Vectra uses a similar tactic but opts to watch everything, keeping a real-time record of all network activity. The trick is to winnow down that activity to a small number of anomalies to tell the operators about, and that’s where technologies such as machine learning come in.
Security-wise, the data center is more difficult than the campus because workloads move. “All the ground is shifting beneath your feet there,” says Wade Williamson, Vectra’s director of threat analysis.
Vectra also had to revise the list of behaviors that trigger red flags in its software.
For example, Williamson says, intruders in the campus tend to move about laterally, seeking credentials that can get them into the data center. But inside the data center itself, the game becomes more about exfiltration — siphoning away all that data.
So, Vectra DC has to watch for signs of exfiltration. Attackers might grab as much data as possible very quickly — which is obviously noteworthy — but they can also slowly bleed information out of the network, a pattern Vectra now looks for.
Since Vectra uses machine learning to tell anomalies from false positives, the company had to build a model of what data center network administrators do. That way, any behavior outside the norm — such as suddenly using an old, obscure protocol to tap a server — can be flagged as a sign of trouble.
Vectra built this model by logging the activity of network operators at 11 beta customers. It was crucial to observe real activity rather than having administrators answer questions, says Alex Waterman, senior director of product management at Vectra.