The Cognito® platform from Vectra® is an integral component of any company’s security posture through network detection and analysis of real-time threats. Due to the ever-changing landscape of security exploits and attacks, Vectra recommends deploying the Cognito platform with special attention to network traffic engineering to realize the most value from features and services available.
What traffic should Cognito see?
Cognito performs best when it sees the right level of network traffic to accurately identify behaviors associated with attack vectors and campaigns. Monitoring end-user compute traffic to the internet, user traffic to the data center and other critical resources, traffic within the data center, and data center traffic to the internet, allows Cognito to detect threat behaviors along multiple phases of the attack lifecycle.
The following protocols are particularly desirable for Vectra’s machine learning models to analyze to ensure Vectra’s full capabilities are far realized:
- Dynamic Host Configuration Protocol (DHCP)
- Internet Control Message Protocol (ICMP)
- Domain Name System (DNS)
- HyperText Transfer Protocol (HTTP)
- Transport Layer Security (TLS)
- Remote Desktop Protocol (RDP)
- Encrypted traffic for behavior analysis
- Traffic from remote management tools
- Server Message Block (SMB)
- Distributed Computing Environment/Remote Procedure Calls (DCE/RPC)
- Windows NT LAN Manager (NTLM)
- Lightweight Directory Access Protocol (LDAP)
- Session data (full and incremental)
- Host-based artifacts: Types
What traffic improves Cognito HostID attribution?
Cognito HostID attribution is the product of intelligent analysis over 14 host artifacts to uniquely identify a host with a high degree of confidence. HostID is a vital component of the Cognito platform for machine learning algorithms as well as customer usage. The following traffic and resources help to provide the greatest HostID attribution for detection accuracy and validation:
- Internal DNS
- Reverse DNS
- DHCP logs
- Kerberos logs
- Carbon Black Response integration
- CrowdStrike Falcon integration
- VMware vCenter integration
What traffic should be excluded from Cognito analysis?
The following network traffic is insignificant to Cognito and potentially problematic for analysis:
- Multiprotocol Label Switching (MPLS)
- Core routing protocols
- Session Initiation Protocol (SIP)
- High-performance computing (HPC) workloads high in bandwidth
- HPC workloads that are well isolated
- Video multicast
- Storage array network file systems (SMB OK)
- High-bandwidth backup data
Where should Vectra sensors and mixed-mode brains be located?
Physical placement of sensors that capture network traffic will provide for a highly improved deployment and value of the Cognito platform. Vectra sensors and mixed-mode appliances can process normal IP packets as well as some packets with encapsulation. Single layer of encapsulation such as virtual LAN (VLAN), virtual extensible LAN (VXLAN), generic route encapsulation (GRE) and IPSec AH (authentication header) are supported. Vectra appliances will automatically remove these encapsulation headers from incoming packet streams and does not parse the encapsulating header data itself.
Cognito software does not support overlapping IP addresses, MPLS encapsulation or an arbitrary number of encapsulation layers. Vectra sensors can handles double VLAN (QinQ, 802.1ad) and GRE inside of VLAN, but GRE inside of VXLAN will result in dropped packets.
Lastly, Vectra sensors should also be placed outside of any demilitarized zones (DMZ) and should capture as much traffic as possible from enterprise DNS and DHCP servers.