Vectra does not detect ARP spoofing or poisoning because ARP operates at Layer 2 and we do not inspect Layer 2 traffic.
Why does Cognito focus on Layer 3 and above, but not Layer 2?
The Cognito platform ingests Layer 3 and above network traffic for consideration by its detection algorithms and for sending metadata to the Recall cloud and Stream metadata forwarder.
ARP-based attack techniques such as spoofing, poisoning, and flooding can be useful to an attacker in the reconnaissance phase of an attack. However, they rely on the Layer 2 ARP protocol and are therefore limited in scope to the local area network. Full coverage of local area networks would require a sensor at each switch in the network, resulting in a high degree of implementation cost and overhead.
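To make the Layer 2 scope concrete, the following is an added example (not Vectra code and not part of the original article) of the kind of check a sensor on the local segment would have to run: it parses raw Ethernet frames, ignores anything that is not ARP, and flags an IP address whose claimed MAC address changes. The frames, addresses, and function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806   # ARP rides directly on Ethernet; there is no IP header
ETHERTYPE_IPV4 = 0x0800

def build_frame(src_mac, ethertype, payload):  # helper for constructed test input
    return (b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ethertype) + payload)

def build_arp(src_mac, sender_ip, target_ip, oper=2):
    sha = bytes.fromhex(src_mac.replace(":", ""))
    body = (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, oper) + sha
            + IPv4Address(sender_ip).packed + b"\x00" * 6 + IPv4Address(target_ip).packed)
    return build_frame(src_mac, ETHERTYPE_ARP, body)

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    # 14-byte Ethernet header + 28-byte ARP body; anything else is not ours
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return sender_mac, str(IPv4Address(frame[28:32]))

def find_conflicts(frames):
    """Flag any IP whose claimed MAC differs from the first one seen."""
    first_seen, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[1] == "0.0.0.0":   # skip non-ARP and ARP probes
            continue
        mac, ip = parsed
        if first_seen.setdefault(ip, mac) != mac:
            alerts.append((ip, first_seen[ip], mac))
    return alerts

# Constructed capture from one LAN segment (documentation IPs, locally administered MACs)
SAMPLE = [
    build_arp("02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),
    build_arp("02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"),
    build_frame("02:00:00:00:00:0a", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 40),
    build_arp("02:00:00:00:00:0a", "0.0.0.0", "192.0.2.20", oper=1),
    build_arp("02:00:00:00:00:66", "192.0.2.1", "192.0.2.10"),
]

if __name__ == "__main__":
    print(find_conflicts(SAMPLE))
```

Because ARP frames are not routed, this check only sees conflicts on the segment where the capture was taken, which is why full coverage needs a vantage point on every switch.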
By focusing on Layer 3 and above traffic, the Cognito platform enables a much less complex and costly deployment model while providing coverage for attacker behaviors from across the attack life cycle. Even if an attacker successfully uses ARP-based attacks to sniff traffic from the LAN and obtain credentials, they will still need to perform more reconnaissance elsewhere in the network, move laterally, and stage and exfiltrate data to achieve their objectives, all while keeping their external command and control channel up.
Cognito Detect has been designed with the entire attack life cycle in mind to help security teams prioritize their time and use it efficiently in investigations and incident response operations.