Vectra NDR and Network Identity Architecture

The document provides an overview of Vectra's NDR (Network Detection and Response) and Network Identity Architecture, detailing the deployment types, including Respond UX (RUX) and Quadrant UX (QUX), and the roles of Brain and Sensor appliances. It outlines the general deployment process, traffic capture guidance, and the importance of maintaining secure communication between appliances. Additionally, it highlights the capabilities of Vectra's AI-driven detection platform and its integration options with other security tools.

NDR (Detect) and Network Identity Architecture Overview

Definitions / Deployment

Definitions

• Vectra UI / Deployment Types
  • Please see Vectra Analyst User Experiences (Respond vs Quadrant) for additional details.
  • Respond UX (RUX) - The Vectra UI is served from Vectra’s cloud. Shown in the diagram on the next page.
    • The UI serves as the central point of web-based management for your RUX deployment(s).
    • When used with network Sensors, it communicates with Brain appliance(s) deployed in customer premises.
  • Quadrant UX (QUX) - The Vectra UI is served from Brain appliance(s). Not shown in the diagram on the next page.
    • The UI serves as the central point of web-based management for your QUX deployment(s).
• Vectra Cloud - The portions of the Vectra AI Platform that reside in Vectra’s cloud.
• Customer Premises - Private/shared data centers, public cloud, and campus/office environments where Brain or Sensor appliances will be installed to capture network traffic (including network identity).
• Appliance - Physical or virtual (including public IaaS cloud) Brain, Sensor, or Stream appliance.
• Vectra AI Platform - Vectra’s cloud platform, delivered as SaaS with the RUX UI.
• Deployments with network Sensors will include at least one Brain appliance and one or more Sensor(s). For smaller deployments, this can be a single mixed-mode appliance.
• Brain Appliance - Can be a physical appliance or a virtual appliance.
  • Pairs with Sensors (network data sources) and processes / deduplicates and optionally forwards the metadata received from Sensors (when licensed for Stream or Recall; Recall is for QUX deployments only).
  • Serves as communications broker between Vectra’s cloud and local integration points for RUX deployments.
• Sensor Appliance - vSensor is a virtual Sensor (for hypervisors or IaaS cloud); Sensor is a physical Sensor.
  • Must be paired to a Brain.
  • Captures and deduplicates raw network traffic.
  • Forwards metadata to the Brain for processing.
  • Houses a rolling capture buffer to enable PCAP retrieval when requested from the Brain.
  • Optionally runs Vectra Match and Suspect Protocol Anomaly Detections.
• Mixed-mode Appliance - Can perform both Brain and Sensor functions when used in smaller deployments.
• Network Identity - Vectra covers IDR (Identity Detection and Response) use cases through analysis of identity as observed in the network through protocols such as Kerberos, DCE/RPC, LDAP, NTLM, etc.

Brain and Sensor Deployment

• Start Here:
  • RUX Deployments - Vectra Respond UX Deployment Guide
  • QUX Deployments - Vectra Quadrant UX Deployment Guide
  • Additional documentation is available on the Vectra Support Portal.
  • Formal product docs are tracked in the Vectra Product Documentation Index (KB article in the above portal).
• The general process is:
  • RUX - Receive your welcome email for a RUX deployment, log in and configure user accounts / SSO, deploy your Brain appliance, perform configuration / integration, deploy Sensors, and direct traffic to the Sensors.
  • QUX - This deployment is largely the same except there is no RUX UI, and your UI is served from the Brain.
• Vectra offers a full complement of services including technical support, professional services / training, managed services, and offensive security services. Please see the Vectra AI Services datasheet and speak with your Vectra account team for details and pricing.
• Post deployment - Enable backups and integrations, enable other features/products, configure notifications/reporting, and build groups and triage rules to suppress unwanted detections for authorized behaviors. AI-Triage will also learn the environment and automatically suppress detections as part of AI-driven Prioritization.
PRODUCT DATASHEET

General Deployment Description

• The diagram to the right represents a high-level Respond UX deployment of Vectra NDR (including network identity).
• A Brain appliance is installed in the customer premises and the RUX UI is served from the Vectra cloud.
• Sensors are paired to the Brain and capture network traffic in the data center, campus, and IaaS public clouds.
• The Sensors can also run Vectra Match and Suspect Protocol Anomaly Detections.
• The Brain appliance processes the metadata locally to create detections.
• The Brain sends metadata and detections to the Vectra cloud for presentation in the Respond UX.
• For QUX deployments, the UI is local, and metadata can be sent to Vectra Recall.
• Vectra Stream sends network metadata to the customer’s data lake for both RUX and QUX deployments.
• Logs are analyzed by the Brain to link remote workers with traffic seen by app connectors in the data center.
• SOAR/SIEM integration uses API connections to communicate with the Vectra cloud.

Placement of Brain and Sensors

• It is generally recommended to deploy Brain and Sensor devices in locations not visible from the public internet.
• Private connectivity or a VPN tunnel that is terminated outside of the Vectra appliances is preferred.
• Small remote branch locations do NOT all typically need a Sensor. Flows are still seen in central locations.
• Vectra NDR detections are focused on In-to-In and In-to-Out communications. It is preferred to NOT capture outside of your edge firewalls in the DMZ, where a significant amount of traffic will be Out-to-In. Out-to-Out traffic should NOT be captured. Vectra Match or some metadata use cases may necessitate Out-to-In traffic capture.
• Vectra allows you to define your internal IP space. Exceptions can be configured for internal labs where you may wish to simulate CnC traffic, as an example. Networks can be fully ignored by VLAN or CIDR block.

Proxy Guidance
See Proxy Handling in Vectra for full details.
• Traffic should be captured on the south side of any proxy or NAT device to fully recognize the real sending host.
• In some situations, you may need to capture traffic on the north side of proxies.
• Flows from multiple hosts behind the proxy will be mapped to the north-side proxy IP and would result in spurious detections. The Vectra system automatically suppresses detections that would fire inaccurately because of this. The Manage > Proxies page in your Vectra UI allows you to manage identified proxies.
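The two placement rules above (capture In-to-In and In-to-Out traffic relative to a defined internal IP space, with VLAN/CIDR ignore lists; capture south of a proxy so the real sender is visible) can be checked against a flow sample before committing to a SPAN or TAP location. The script below is an added illustration for this datasheet, not Vectra code: it classifies constructed flow records by direction, applies ignore rules, flags capture points that see Out-to-Out or Out-to-In traffic, and shows how many distinct senders collapse to one address when the same flows are observed north of a proxy. The CIDRs, VLAN id, addresses and proxy IP are all constructed sample data.

```python
"""Flow-direction triage for choosing a capture point.

Added example for this datasheet, not Vectra's implementation. All networks,
VLAN ids, flow records and the proxy address below are constructed samples.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed internal IP space: RFC 1918 ranges.
INTERNAL_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed ignore rules: a lab range that simulates CnC traffic, and a VLAN to skip entirely.
IGNORED_CIDRS = [ipaddress.ip_network("10.250.0.0/16")]
IGNORED_VLANS = {999}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    vlan: Optional[int] = None


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_CIDRS)


def is_ignored(flow: Flow) -> bool:
    """True if the flow is excluded by VLAN or by either endpoint being in an ignored CIDR."""
    if flow.vlan in IGNORED_VLANS:
        return True
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return any(src in net or dst in net for net in IGNORED_CIDRS)


def direction(flow: Flow) -> str:
    """Classify as In-to-In, In-to-Out, Out-to-In or Out-to-Out relative to the internal space."""
    s = "In" if is_internal(flow.src) else "Out"
    d = "In" if is_internal(flow.dst) else "Out"
    return f"{s}-to-{d}"


def direction_counts(flows: Iterable[Flow]) -> Counter:
    """Count directions over the flows that survive the ignore rules."""
    return Counter(direction(f) for f in flows if not is_ignored(f))


def placement_warnings(counts: Counter) -> List[str]:
    """Advice derived from what a candidate capture point sees."""
    warnings = []
    if counts["Out-to-Out"]:
        warnings.append("Out-to-Out traffic seen: capture point is outside the edge firewall; move it inside.")
    if counts["Out-to-In"]:
        warnings.append("Out-to-In traffic seen: only needed for Vectra Match or specific metadata use cases.")
    return warnings


def through_proxy(flows: Iterable[Flow], proxy_ip: str) -> List[Flow]:
    """Model a north-side capture of a forward proxy/NAT: every client flow carries the proxy's address."""
    return [Flow(proxy_ip, f.dst, f.dst_port, f.vlan) for f in flows]


def distinct_senders(flows: Iterable[Flow]) -> int:
    return len({f.src for f in flows})


# Constructed sample flows (TEST-NET addresses stand in for the Internet).
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "203.0.113.5", 443),          # user to Internet (In-to-Out)
    Flow("10.1.1.11", "203.0.113.5", 443),
    Flow("10.1.1.12", "198.51.100.7", 80),
    Flow("10.2.0.5", "10.2.0.6", 445),              # server to server (In-to-In)
    Flow("10.250.3.4", "203.0.113.9", 443),         # lab CnC simulation, ignored by CIDR
    Flow("192.168.50.2", "10.2.0.6", 22, vlan=999),  # ignored by VLAN
    Flow("198.51.100.20", "10.2.0.6", 443),         # Out-to-In, typical of a DMZ capture point
    Flow("198.51.100.20", "203.0.113.5", 443),      # Out-to-Out, should not be captured
]

if __name__ == "__main__":
    counts = direction_counts(SAMPLE_FLOWS)
    print(dict(counts))
    for w in placement_warnings(counts):
        print("WARNING:", w)
    clients = [f for f in SAMPLE_FLOWS if f.src.startswith("10.1.1.")]
    print("senders south of proxy:", distinct_senders(clients))
    print("senders north of proxy:", distinct_senders(through_proxy(clients, "10.1.1.254")))
```

Run it against a flow export from the candidate capture point; a non-zero Out-to-Out count means the span is outside the edge firewall, and a large drop in distinct senders between two capture points indicates a proxy or NAT sits between them.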

Network Traffic Capture Guidance

General Traffic Types to Capture

Traffic Type | Purpose | Examples
North/South | C&C, Exfiltration, Botnet | Server to Internet, User to Internet
East/West | Recon, Lateral Movement | Server to Server, User to Server, User to User

Important to Capture
• DCE/RPC
• DHCP
• DNS, Reverse DNS, Multicast DNS (mDNS)
• HTTP
• ICMP
• Kerberos
• LDAP
• NTLM
• Radius
• RDP
• SMB
• SMTP
• SSH
• SSL/TLS
• X509
• Other session traffic

Should be Excluded from Capture
• Core routing protocols
• High-bandwidth backup data
• High-performance computing (HPC) workloads high in bandwidth
• HPC workloads that are well isolated
• Multiprotocol Label Switching (MPLS)
• Session Initiation Protocol (SIP)
• Storage network file systems (SMB is ok)
• Video Multicast

What Helps Improve Vectra’s HostID
See Understanding Vectra Detect Host Naming for additional information.
• Kerberos
• DHCP
• Netbios
• EDR Integration, VMware integration, SIEM event forwarding, Windows Event Log Ingestion

Supported Encapsulations
• GENEVE
• Generic Routing Encapsulation (GRE)
• IEEE 802.1ad (known as QinQ)
• IEEE 802.1Q (VLAN)
• IPSec Authentication Header (IPSec AH)
• Virtual Extensible LAN (VXLAN)

Typical Traffic Capture Sources
• Vectra NDR for Cloud (Gigamon)
• SPAN/COPY/MIRROR ports
• Traditional network TAP devices
• Packet brokers
• Native cloud mirroring options such as VPC Traffic Mirroring (AWS), GCP Packet Mirroring, VTAP (Azure)

Encrypted Traffic - Vectra AI models work with encrypted traffic (no decryption required)

• The vast majority of Vectra AI network-traffic-related detections do not require decryption. For more information, please see our whitepaper ”The AI Behind Vectra Attack Signal Intelligence”. The relevant section begins on page 12. Some customers may still have a need for decrypted data, such as:
  • Some users of Vectra Recall, Vectra Stream, Instant Investigation, or Advanced Investigation may require the decrypted traffic metadata. These use cases can vary but are not very common and are supported.
  • If using Vectra Match, decryption can be useful and allow certain rules to fire that would otherwise not fire if the system processed only encrypted data. Again, this requirement will vary by customer implementation.

Guidelines when decrypting traffic to be sent for analysis to Vectra Sensors
• When you want both encrypted and decrypted traffic to be analyzed, this should be done in parallel pipelines.
• A second Sensor (or as many as are needed for your specific throughput or architecture requirements) should be used that is paired to a different Brain appliance.
• Vectra supports virtual Sensors, Brains, and Stream appliances and does not charge for their use outside of normal licensing metrics for your environment.
• If you do not use a parallel processing pipeline and send both decrypted and encrypted traffic to the same Sensors and paired Brain, Vectra’s deduplication will see the same 5-tuple traffic in multiple data streams and will discard the duplicate data that arrives last. This would typically be the decrypted data, as the decryption process adds overhead on the sending side.
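The last guideline describes a failure mode worth seeing concretely: metadata is keyed by the flow 5-tuple, so when an encrypted flow and its decrypted copy reach the same Sensor/Brain pair, whichever copy arrives last is dropped, and decryption latency makes that the decrypted copy. The model below is an added example for this datasheet, not Vectra's deduplication code. It keys records on (src, sport, dst, dport, proto), keeps the first arrival per key, and routes streams to named pipelines so the shared-pipeline and parallel-pipeline outcomes can be compared. The records, arrival times and pipeline names are constructed.

```python
"""5-tuple deduplication across one or two capture pipelines.

Added example for this datasheet; not Vectra's implementation. Records,
arrival times and pipeline names are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Record:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    arrival_ms: int      # when the record reached the Sensor
    stream: str          # "encrypted" or "decrypted" feed

    def key(self) -> Tuple[str, int, str, int, str]:
        """The 5-tuple the deduplicator keys on."""
        return (self.src, self.sport, self.dst, self.dport, self.proto)


def dedupe(records: Iterable[Record]) -> Tuple[List[Record], List[Record]]:
    """Keep the first record per 5-tuple by arrival order; return (kept, discarded)."""
    kept: Dict[Tuple, Record] = {}
    discarded: List[Record] = []
    for r in sorted(records, key=lambda r: r.arrival_ms):
        if r.key() in kept:
            discarded.append(r)
        else:
            kept[r.key()] = r
    return list(kept.values()), discarded


def route(records: Iterable[Record], pipelines: Dict[str, str]) -> Dict[str, Tuple[List[Record], List[Record]]]:
    """Send each stream to its pipeline (a Sensor/Brain pair) and dedupe per pipeline."""
    by_pipe: Dict[str, List[Record]] = {}
    for r in records:
        by_pipe.setdefault(pipelines[r.stream], []).append(r)
    return {name: dedupe(rs) for name, rs in by_pipe.items()}


# Constructed sample: one TLS flow seen twice (encrypted copy first, decrypted copy
# 30 ms later because of decryption overhead), plus a flow seen only encrypted.
SAMPLE_RECORDS = [
    Record("10.1.1.10", 51000, "203.0.113.5", 443, "tcp", arrival_ms=100, stream="encrypted"),
    Record("10.1.1.10", 51000, "203.0.113.5", 443, "tcp", arrival_ms=130, stream="decrypted"),
    Record("10.1.1.11", 51002, "198.51.100.7", 443, "tcp", arrival_ms=105, stream="encrypted"),
]

# Both feeds into the same Sensor/Brain pair: the decrypted copy loses.
SHARED_PIPELINE = {"encrypted": "brain-A", "decrypted": "brain-A"}
# Parallel pipelines, each with its own Brain: both copies are kept.
PARALLEL_PIPELINES = {"encrypted": "brain-A", "decrypted": "brain-B"}


def discarded_streams(result: Dict[str, Tuple[List[Record], List[Record]]]) -> List[str]:
    """Names of the streams whose records were dropped, across all pipelines."""
    return [r.stream for kept, dropped in result.values() for r in dropped]


if __name__ == "__main__":
    print("shared:  ", discarded_streams(route(SAMPLE_RECORDS, SHARED_PIPELINE)))
    print("parallel:", discarded_streams(route(SAMPLE_RECORDS, PARALLEL_PIPELINES)))
```

With the shared pipeline the only discarded record is the decrypted one; with the parallel pipelines nothing is discarded, which is the outcome the guideline is steering towards.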

Basic Communications/Pairing

Note! - Please see Firewall Requirements for Vectra Deployments for full details. There are additional requirements depending on the
specifics of your deployment, specific integrations, etc.
Note! - Air gapped deployments of Vectra NDR are possible (QUX only). NDR Detections are generated locally on the Brain. Please see
Offline Updates (v8.9+) for details on how updates are easily managed in these situations.

• Users log in using their web browser to the Respond UX at the URL given in their welcome letter.
• Quadrant UX users log in to their Vectra UI (served from the Brain) at the IP or hostname of their Brain.
• Sensors must be able to reach the Brain over TCP/22 (SSH) and TCP/443 (HTTPS).
• In general, Sensors only communicate with the Brain appliance and DNS. There is only one exception:
  • Physical Sensors can retrieve the IP of the Brain they need to pair with from the Vectra Cloud at initial boot. With DHCP enabled, a physical Sensor can automatically begin the pairing process with no login required to its CLI. This requires that TCP/443 be open to update2.vectranetworks.com from the physical Sensor.
• The Brain appliance is deployed in the customer premises and communicates with the Vectra Cloud over a variety of channels. These connections are initiated from the Brain.
• Updates are served from the Vectra Cloud and installed automatically in an update window chosen by the customer. Sensor updates are served from the Brain appliance and are also installed automatically.
• Pairing Sensors or Stream appliances with a Brain is a simple process. Some details are below:
  • Physical Appliance Pairing Guide
  • vSensor pairing is covered in each vSensor deployment guide (see Product Documentation Index for guides).
  • A Sensor registration token, managed in your UI or CLI, allows IaaS cloud vSensors or any other Sensor to pair with a Brain even if it was not originally configured for use with a specific Brain.
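Before pairing, it saves a support call to confirm from the Sensor's network segment that the paths named above are open: Sensor to Brain on TCP/22 and TCP/443, and, for a physical Sensor relying on cloud-assisted pairing, Sensor to update2.vectranetworks.com on TCP/443. The pre-flight script below is an added example for this datasheet, not a Vectra tool; it encodes only the requirements stated on this page (the complete list is in Vectra's Firewall Requirements document) and takes the Brain hostname as a placeholder argument. The connection routine is injectable so the logic can be exercised without a live network.

```python
"""Pre-flight TCP reachability check for Sensor-side pairing prerequisites.

Added example for this datasheet, not Vectra software. Only the flows named on
this page are encoded; see Firewall Requirements for Vectra Deployments for the
full list. BRAIN_HOST is a placeholder.
"""
import socket
from typing import Callable, List, NamedTuple, Tuple


class Requirement(NamedTuple):
    source: str
    host: str
    port: int
    purpose: str


BRAIN_HOST = "brain.example.internal"  # placeholder: your Brain's IP or hostname
PAIRING_HOST = "update2.vectranetworks.com"  # named on this page for first-boot pairing


def sensor_requirements(brain_host: str, physical_sensor: bool = True) -> List[Requirement]:
    """Outbound flows a Sensor needs, per this datasheet."""
    reqs = [
        Requirement("Sensor", brain_host, 22, "SSH to Brain"),
        Requirement("Sensor", brain_host, 443, "HTTPS to Brain"),
    ]
    if physical_sensor:
        # The one case where a Sensor talks to something other than Brain and DNS.
        reqs.append(Requirement("Sensor", PAIRING_HOST, 443, "cloud-assisted pairing at initial boot"))
    return reqs


def tcp_reachable(host: str, port: int, timeout: float = 3.0,
                  connect: Callable = socket.create_connection) -> bool:
    """True if a TCP connection completes; DNS failures and refusals both count as unreachable."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(reqs: List[Requirement], probe: Callable[[str, int], bool] = tcp_reachable
              ) -> List[Tuple[Requirement, bool]]:
    """Probe every requirement; returns (requirement, reachable) pairs."""
    return [(r, probe(r.host, r.port)) for r in reqs]


def failures(results: List[Tuple[Requirement, bool]]) -> List[Requirement]:
    return [r for r, ok in results if not ok]


if __name__ == "__main__":
    results = preflight(sensor_requirements(BRAIN_HOST))
    for req, ok in results:
        print(f"{'OK  ' if ok else 'FAIL'} {req.source} -> {req.host}:{req.port}/tcp ({req.purpose})")
    raise SystemExit(1 if failures(results) else 0)
```

Run it from the host or subnet where the Sensor will sit; a FAIL on either Brain port points at a firewall or routing gap to fix before pairing, and a FAIL on the pairing host only matters if you intend to use the no-CLI first-boot pairing of a physical Sensor.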

Appliance Sizing

Note! - Vectra periodically releases new appliances to support new throughput requirements, hypervisors, or cloud providers. Always
refer to Appliance and Sensor Specifications and your Vectra account team for the latest guidance.
Note! - Global View enables maximum scale for the largest global enterprises. The performance guidelines below are for individual
appliances. Please see the Global View detail on the next page for additional detail.
Note! - Performance refers to the amount of network traffic observed by Sensors that a Sensor can produce metadata for, or the
amount of traffic observed by Sensors that a Brain can process metadata for. The performance numbers are based upon average
throughput a given Sensor/Brain can process. Actual performance may vary depending on traffic composition.

• Brain appliances are available in configs that support up to 75 Gbps of performance and 500 paired Sensors.
• Sensor appliances are available in configs that support up to 50 Gbps of performance.
• When running Match and/or Suspect Protocol Anomaly Detections in addition to Vectra NDR (Detect), Sensor appliances are available in configurations that support up to 33 Gbps of performance.
• Please work with your Vectra account team to determine the right mix of physical and virtual appliances required.

Global View

• Global View provides a Global Respond view of prioritized entities from child RUX
instances in an anchor instance of RUX.
• Available as a standard feature with any RUX deployment.
• Allows for overlapping IP space in child deployments.
• Enables maximum scale while still providing a single pane of glass.
• The anchor instance retrieves prioritized entities from child instances using an API
client that is assigned the “Global Analyst” role.
• Communications are all encrypted and contained within the Vectra AI Platform.
• Data is not stored in the anchor instance. It is retrieved on demand from
child instances.

Additional Guidance and Resources

• Detection data (including associated micro pcaps) are generally retained for 6 months. Metadata retention is dependent on your contracted retention options for Advanced Investigation (RUX) or Recall (QUX). When sending metadata via Stream, retention is based on the configuration of your downstream data lake.
• Vectra Packet Capture allows you to capture PCAPs for subsequent download and analysis with local tools.
• Guidance for optimizing your deployment when used with VPN clients is available here.
• Zscaler specific information: ZPA Log Ingestion and Configuration, ZIA Integration and Optimization
• Response options
  • EDR Host Lockdown
  • Account Lockdown and Azure AD (Entra ID) Account Lockdown
  • SOAR integration - search for your SOAR vendor on the Vectra Support Portal
  • Vectra Automated Response - Click the link to see the GitHub repo with dozens of integrations
• Vectra is a very open platform with integration options for SIEM, SOAR, etc.
• API guides are available for Respond UX deployments and Quadrant UX deployments.
• Syslog/Kafka is NOT supported in RUX deployments but is available for QUX deployments.
• If you require Syslog for RUX, this can be done through a customer-deployed intermediary server with guidance from: SIEM Connector for the Vectra AI Platform (pulls data via API and sends to your SIEM).
• MITRE ATT&CK and D3FEND details are available here: Vectra’s Coverage of MITRE ATT&CK and D3FEND

About Vectra AI
Vectra AI, Inc. is the leader in AI-driven extended detection and response (XDR). The Vectra AI Platform delivers integrated signal across public cloud, SaaS, identity, and data center
networks in a single platform. Vectra AI’s patented Attack Signal Intelligence empowers security teams to rapidly detect, prioritize, investigate and stop the most advanced hybrid
cyber-attacks. With 35 patents in AI-driven detection and the most vendor references in MITRE D3FEND, organizations worldwide rely on the Vectra AI Platform and MXDR services
to move at the speed and scale of hybrid attackers. For more information, visit www.vectra.ai.

For more information please contact us: Email: [email protected] | vectra.ai


© 2025 Vectra AI, Inc. All rights reserved. Vectra, the Vectra AI logo, and Security that thinks are registered trademarks and the Vectra Threat Labs, Threat Certainty
Index and Attack Signal Intelligence are trademarks of Vectra AI. Other brand, product and service names are trademarks, registered trademarks or service marks of
their respective holders. Version: 012125