Six months: That's approximately how long it takes companies on average to detect a cyber attack, Vectra Networks CEO Hitesh Sheth pointed out. That makes the business case for the startup's real-time intrusion detection solution very easy, he said.

"[Companies] are spending an inordinate amount of money on prevention and clean up," Sheth said. "It is way cheaper -- way cheaper -- to invest in this active phase of an attack than to clean up after the fact. It is way cheaper to invest in us than paying a couple of million to Mandiant."

Rise of Machine Learning

Sheth recognized the problem as far back as 2009. At the time, though, there wasn't an easy way to detect the kinds of sophisticated attacks that might infiltrate the network and then use internal systems to spread and steal data.

He ran security and switching at Juniper Networks from 2005 to 2009, then became COO at Aruba Networks. With this background, he'd worked with the traditional tools of IT security. By 2010 he could see the existing white hat tools couldn't catch a new class of sophisticated cyber attacks.

"If we wind back to 2009 and 2010, cyber attacks are already on the increase. It just did not make Home Depot and Target, so it was not a press-worthy item," he said. "But if you were to talk to customers, they were already beginning to feel the pain and what they were telling me is, 'The way we are discovering these attacks is pretty random.'"

VectraLogoCustomers wanted an automated way to detect intrusions, but the technology couldn't support the automated accuracy customers wanted, he said. That changed with the advent of machine learning.

"By the time you come around to 2012, data science or, more specifically, machine learning had made enough leaps and bounds. Plus -- and this is really crucial -- the available compute and the cost structure of the compute that you could utilize had sufficiently advanced that it warranted looking at that as a possible technology solution," Sheth said.

Rethinking the Cloud

That's the reason James Harlacher and Mark Abene founded Vectra. By the time Sheth joined in 2012, enterprises didn't need to be sold on the business case; they were experiencing daily attacks. But there was one aspect of the solution customers refused to accept.

"When we started out, our intent was to do everything in the cloud," Sheth said. "We spoke to many customers, and they quickly disabused us of that concept. 'If you think you're taking our traffic and putting it into the cloud and expecting us to trust you with that, you're crazy.'"

The company rethought its original SaaS focus and designed Vectra as a software platform that will run either as a virtual machine or on an appliance using X36 chips and standard disks. It's capable of supporting half a million endpoints simultaneously. While it can run on private clouds, it is not offered as as a SaaS, he said.

Real-time Intrusion Detection

Vectra also had to rethink its plans to actively stop intrusions. After initial engineering discussions, the team decided to focus on automated intrusion detection that could detect an APT (advanced persistent threat) in real time, at all phases -- from inception to stealing data.

As a result, Vectra also works behind the firewall, monitoring both internal and network traffic directly, without creating latency or lifting packets off the wire, he said.

The real-time capability differentiates Vectra from next-generation SIEM (security information and event management) solutions, which apply new software techniques to log systems, Sheth added.

"We want to shrink the 200 days down to as close to real-time as we can and, as we do that, automate it," he said. "You can't be real-time when you're dealing with log systems."

The second key difference is Vectra is fully automated, with an intuitive design -- so much so, it does not include any associated documentation, he said. Customers subscribe for software updates and a "steady stream" of algorithm updates every six months or so.

IT research firm Gartner places Vectra in the advanced threat category, but Sheth said there isn't a category that truly reflects Vectra's approach. He described it as "security analysts turned into software," an idea that appeals to companies unable to hire the security expertise they need.

Vectra's entry-level price is $60,000, and it scales up according to the size of the network. The company has close to 200 customers, Sheth said. The focus right now is on growing aggressively in the U.S and Europe.

"I think it really comes down to this: If you show you're adding value, and they like your software, there's a budget to be had for that," he said. "I'm pretty pleased with the products we've made. It comes down to putting the customer first. We are very passionate about some core sets of values, and number one on the list is putting the customer first."

Fast Facts about Vectra Networks

Founded: 2011

Founders: James Harlacher and Mark Abene

HQ: San Jose, Calif.

Product: Vectra Networks provides real-time continuous analysis of both internal and Internet-bound network traffic to automatically detect all phases of a breach, including an APT attack.

Employees: 110

Customers: Tribune Media Group, Santa Clara University, Tri-State Generation and Transmission Association, and Barry University, among others

Funding: $77.84 million in five rounds from seven investors, including $35 million from DAG Ventures and $25 million from Accel. Other investors include Khosla Ventures, Juniper Networks, Intel Capitol, and IA Ventures.

Loraine Lawson is a freelance technology journalist. Previously, she covered data and integration for IT Business Edge and covered IT business issues, mobile and IT security issues while an editor at TechRepublic.