The Integrator had an exclusive interview with Taj El-khayat, Area Vice President at Vectra AI EMEA.
Can you talk about the role of AI in detection and prevention of threats?
Given the challenge of “more” in cybersecurity – more attack surface, more evasive attacker methods, more tools/alerts, and more analyst burnout – leveraging AI and automation to detect, prioritize and remediate threats is vital. But not all AI and automation are built equal, and many only add to the problem of more by introducing more alerts and more noise, which require SOC analysts to spend more time tuning rules and triaging alerts.
AI can either assist in performing tasks that humans fundamentally cannot do, or it can help perform the tasks that humans can do but do so at speed and scale. AI algorithms, on the other hand, can be trained to do precisely this.
How does Vectra AI’s solution help organizations break away from the cycle of deploying more tools and rules, while still ensuring comprehensive threat coverage?
According to the Vectra 2023 State of Threat Detection report, 63% of SOC analysts report that the size of their attack surface has increased in the last three years and 67% are unable to manage the number of daily alerts received.
The Vectra AI Platform integrates native and third-party attack signals across hybrid cloud domains including AWS, Microsoft Azure, Google Cloud Platform, Microsoft 365, Microsoft Azure AD, networks of all types, and endpoints, leveraging the customer’s Endpoint Detection and Response (EDR) tool of choice. The Vectra AI Platform’s integrated signal enables security teams to:
- Cover more than 90% of MITRE ATT&CK techniques with patented and proven MITRE D3FEND countermeasures.
- Combine AI-driven behavior-based detection, signatures and threat intelligence for the most accurate representation of active attacks in progress.
- Map attacker progression and lateral movement from data center to cloud, cloud to data center and cloud to cloud.
Can you talk about how Vectra AI leverages the technology?
Vectra detections focus explicitly on finding attackers and identifying attacker methods in action, not just weird anomalies. Coverage is built by security researchers with diverse backgrounds and data scientists with a deep understanding of how to extract value from massive complex data sets.
Vectra’s security research team is present throughout the entire detection development process. Their work leads the process, with the team constantly monitoring and reviewing attacker methods being used in the wild.
Once the attacker method has been identified, the security researchers work to collect a corpus of malicious and benign samples. Malicious samples are collected from several places including customers who voluntarily share anonymized metadata, synthetic data creation algorithms, publicly documented cyber-incidents, and attacks in our internal labs.
With the attacker method and supporting data in hand, the security researchers work with the data science team to develop a prototype model with an optimal threshold for attacker method detection. The models are rapidly iterated on until strict standards of quality are satisfied for their performance in detecting the attacker methods in the real world. The final steps of detection development involve the creation of a dedicated UI that shows the full context of the identified attacker method, and where relevant, additional information about what is normal for the systems in question.
There are two key features that differentiate Vectra’s approach and use of AI:
Real-time streaming engine: Vectra AI’s algorithms operate in real-time on streaming data, allowing for immediate detection and timely response to attackers. This approach also ensures high-quality alerts by continuously learning from months of data and millions of events.
AI-driven threat correlation: Vectra AI doesn’t just identify attacker methods; it also correlates these actions to categorize and prioritize progressing attacks. This correlation is vital as attackers often execute multiple actions across domains to achieve their goals.
How do you see AI and human expertise complementing each other in the fight against unknown threats?
The human element is pivotal in applying AI in cybersecurity, and in general, for that matter. Current models are influenced by human bias when selecting training material, for instance, as well as when fed with answers in production.
Today’s AI models are built to enable/augment the human rather than replace him/her altogether. As mentioned before, taking away non-value-adding activities enables the human to create value by taking educated decisions in the context of cybersecurity. This not only improves speed and effectiveness, but greatly increases the efficacy of cybersecurity measures within the business context. Advanced AI-based solutions provide superior signal, cutting through the general noise and guiding the human to take timely action, reducing the impact of an evolving cyber-attack.