Vectra Cognito appliances (X-series brains, S-series sensors, and vSensors) are integrated into customer networks in ways that may not be immediately obvious. The intent of this article is to review some of the recommended approaches for implementation of Cognito within your environment.
Every customer environment is unique.
Vectra's approach accommodates the needs of security professionals mitigating threats within the organization. Cognito initially focuses on threat detection on key core networks and systems, and then learns and monitors the general infrastructure as well. This results in a flexible and extensible implementation approach that maintains security and privacy while maximizing threat detection.
To be most effective, threat detection must be able to review bi-directional packet data from most, if not all, of the various networks in your enterprise.
Network Packet Brokers and tap aggregation solutions such as those from Arista, Ixia and Gigamon are commonly used to aggregate packet data from internal VLANs, private cloud tenant networks, storage networks, and campus networks. Vectra sensors provide both dedicated-hardware and virtual-sensor-based packet analysis of traffic from routers and switches in the enterprise intranet as well as the DMZ.
Vectra sensors are usually deployed within individual campus networks. In both public and private clouds, vSensors can provide Cognito with packet data from physical hosts, from SDNs directly, and via aggregated packet broker/tap devices. Other data sources (SIEM, syslog) can be aggregated as well.
The following diagram describes an example Cognito deployment.
In all Vectra deployments the management network (illustrated here with the label "mgt1 network") plays a central role. When possible, Cognito should have this network to itself, because it must be able to trust it. Customers should also expect occasional high-volume traffic on this network, as Cognito performs its internal automatic updates over it.
Cognito Internal Dataflow
Cognito Sensors, whether virtual, S2, or appliance-grade, communicate with the Cognito brain (head-end) on its mgt1 interface via encrypted HTTPS and SSH tunnels. Administrative UI access is available from any device able to connect to the mgt1 interface on the brain device over HTTPS.
Individual customer networks, security considerations and traffic capture requirements will influence deployment decisions and should be discussed with your account team prior to deployment. We encourage you to contact your account team about your specific needs and network architecture.