Introduction

It’s easy to see that the information security field is full of intrusion detection and prevention systems options. Two of the most popular products today are Darktrace and Vectra.

This article will explore both the Darktrace and Vectra intrusion detection and prevention products, looking at the various pros and cons of each. As we strive to make this article an unbiased, objective review of both, you will walk away with more complete knowledge of both products and doubtless have a much easier time choosing between them.

Before we begin, a quick definition. For those new to these products, IDS products monitor networks and systems for intrusions, malicious activity and policy violations.

Darktrace

Founded by cybersecurity experts and UK intelligence personnel at Cambridge University, Darktrace uses innovative tactics to combat cyberattacks. Leveraging AI machine learning, Darktrace Enterprise Immune System and its new IDS product, Antigena, learn by analyzing an enormous amount of data and rely on probabilistic mathematics to determine the likelihood of an attack. Darktrace does not lean on rules, signatures or prior assumptions. For many, Darktrace is both a powerful and useful product.

The unique thing about Darktrace is that it is modeled on the human immune system. When it predicts that an attack is likely to occur, it releases its own form of antigens to slow down and deter attacks. Real-world examples of this can include identifying an attack route and slowing down the connection speed, switching off routes completely, marking specific content for subsequent investigations and quarantining systems, users and devices as the situation requires. From a functionality perspective, Darktrace Antigena will be able to handle most organizations’ IDS needs.

Recently, Darktrace unveiled Antigena v2. This new version includes an email module capable of blocking threats at the point of entry, autonomous response for email, network and cloud attacks as well as better orchestration with leading firewalls and switches. Antigena v2 also allows for greater control and visibility from its Darktrace Mobile App.

While Darktrace offers useful IDS functionality and solid benefits for an information security environment, it is not without its downsides. First, many have complained that Darktrace is cost-prohibitive. What’s worse than having a high initial cost (which plagues it) is that the product will cost more if you want to make use of prevention services, and it will cost more still if you have a disturbed network.

Another related complaint is that to use IPS functionality available to Darktrace you would pretty much need a 24/7 SOC on staff to respond. This will drive up overhead costs of the organization — possibly to the point of being entirely cost-prohibitive.

Darktrace products also require proper configuration, management and tuning for the product to be effective. While many comparative IDS products may require configuration, it seems that the configuration and management needed to make the products effective is a bridge too far for many.

One last concern is Darktrace’s apparent dysfunction with identifying devices. For example, one client had 112 servers running and without proper tuning, Darktrace identified 2,000 servers. Coupled with a GUI that many find unappealing, these cons have led some to consider Darktrace not ready for primetime.

Vectra

Billed as being part IDS, part traffic monitoring tool and part SIEM, the Vectra Cognito platform is an interesting hybrid. Vectra combines supervised, unsupervised and deep machine learning with optimized artificial intelligence techniques and traffic monitoring into one tool.

The functionalities above are not all Vectra can do — it can also track attacks enterprise-wide, import IoCs for detection purposes and integrates with your current network firewall, endpoint, NAC, SIEM and SOAR products. This provides for more streamlined incident response.

A common compliment among a wide variety of Vectra users in different industries is that Vectra’s deployment is very easy to perform. While some may consider this benefit to be minimal, those professionals who already have a lot of work on their plate will not want to invest any more time than is necessary for deployment.

Unlike some other solutions, cost does not seem to be an issue with Vectra. One source stated that cost management benefit was one of the pros associated with it, and another source claimed that it features low monitoring staff overhead. With many small- to medium-sized organizations facing rising costs, keeping the cost relatively low for an IDS can give it an edge over its competitors.

Vectra is not without its complaints, and this is most clearly demonstrated in its product reviews. The most common complaint is that it is not a very effective product if it is not properly configured. The result of using the unconfigured, out-of-the-box version is that there is a significant number of false positives in detection. Implementing Vectra in your organization without careful consideration of your current environment will also result in false positives.

Another reported con: Due to the nature of Vectra, it cannot fully detect external-to-internal attacks on the network. This occurs because it is intended to protect the inside of a network — the individual who made this complaint said they used the workaround of using a pre-existing IPS on their network.

Another con reported is that Vectra’s policy exceptions are difficult to manage. I have not been able to confirm this with any other known issues, so for fairness’s sake, this may have just been user error.

Conclusion

When you are looking for an IDS for your organization, you have many options, with each having different pros and cons. Darktrace and Vectra are no exception and choosing one or the other requires a weighing of these concerns.

 

Sources

  1. The Enterprise Immune System, Darktrace
  2. Darktrace Reviews, TrustRadius
  3. The Cognito platform: AI-driven network detection and response, Vectra
  4. Vectra vs. Darktrace, Vectra