I first met Gunter Ollmann when he was then CTO of IOActive back in 2013, and since then he has completed a move to another consultancy before landing in his current job at Vectra Networks.
His positive reputation led me to catch up with him, and now as Chief Security Officer of Vectra Networks, a new vendor to me, I wanted to get an understanding of what the premise of the company was.
He explained that as a vendor of appliances, the goal of the product is to sit passively on the network, inside the customer network and identify the threats and breaches that exist inside a company.
“We are focused on lateral movement detection as opposed to prevention or detection, and the approach being achieved through sophisticated machine and model learning approaches,” he said.
“Supervised and unsupervised learning models are really the core of what we are doing. The approach has been on being able to sit inside the organization and detect and classify threats to identify attackers, from SQL servers through to ransomware operating inside the network, we detect a broad range.”
Ollmann said that it is one thing to classify anomalies, but its use of a more advanced search engine allows it to do supervised learning inside the cloud and classify all of the activities that it associates with the bad ways to compromise a host, or network traffic that is not known as bad.
“If you are an analyst and trying to figure if a domain is good or bad, then things like ‘what country does your IP belong to’ is going to figure quite heavily, but from machine learning we can determine was is good or bad,” he said. “Once you have found features you create a mode, and push that to the product. This is a multi-dimensional signature to detect something and label it immediately.”
I asked him what he meant by “unsupervised learning”, which he explained as baselining something, and having a basic understanding of how something works so it becomes more about anomaly detection and what is good or bad.
“You find that with unsupervised learning you can have detection of low and slow attacks and unseen attacks, but it takes time to know the network and have a threshold to be hit before responding.”
Vectra Networks sell to the medium-large enterprise space, and often that space has networks that are under 10,000 nodes with an average IT team of five people, but don’t have skill sets to detect, and that is the gap that Vectra aims to fill.
“A lot of research is not only going into detecting, but why you classify inside the network and help the customer understand the context and the next actions.”
Research released today in the Vectra Networks Post-Intrusion Report found that cyber-attackers are getting quieter once inside the network, with use of covert attack communications on the rise. Analysis of 120 Vectra customer networks, comprised of more than 1.3 million hosts over January to March this year, showed signs of targeted attacks including internal reconnaissance, lateral movement or data exfiltration. Of the 120 participating organizations, nearly 98% (117 organizations) detected at least one of these behaviors during each month of the study.
Ollmann said that often, the only thing that you can see on a network is who they are communicating to, whereas previously it was done on determination of location, now it is about context.
“So while there is no malware and nothing is being targeted, if you do forensics you find that you have to remediate. If the traffic is going to New York City then maybe it is going to a law firm, and if it is in your town you can speak to the engineer, it means you understand the context of your own network and build a remediation path and take actions to have a direct response that will be more corrective than suspecting what is happening.”
Ollmann said that the shift from detection and alerting to “what is my response” acknowledges that a mistake is being made, but there are no tools and nothing to determine what is better.
I concluded by asking him what had attracted him to this company after stints in consultancies and large companies like IBM. He said: “For me it is about the cutting edge side and working on the latest technologies, and secondly I know what will work and what will not work. I want to solve some real problems."
“The machine learning approach is fantastic, and we are doing well on detection but need to do more for customers and find new innovation for hard problems that are not going to be engineered around, but will require that hard understanding of people, process and how security has to operate rather than how you would like it to operate. Some feel it is ‘complicated but see if it is going to work’ but there are a lot of broken toys out there.”