Vectra AI has teamed up with Microsoft to deliver an enhanced security solution. The company is integrating its network detection and response (NDR) platform with Microsoft Defender ATP and Azure Sentinel. The goal is a SOC visibility triad in which Vectra’s NDR platform supplies the network view alongside Microsoft’s endpoint and SIEM views. Vectra is also joining the Microsoft Intelligent Security Association.
Talking to Enterprise Times, Matt Walmsley, Head of EMEA Marketing at Vectra, explained the SOC visibility triad as: “I think about it as the processes on the endpoint. Then there are the various logs and information that come into the SIEM. The last place is an area called network detection response where we sit.”
One of the problems for IT departments is understanding exactly what the network consists of. Walmsley said: “Network is a bit of a misnomer because it’s a bit of a hangover from back in the day. It’s not just the network. There’s also increasingly cloud events as well. Virtual networks are set out in the cloud, particularly, Azure and AWS.
“Bring these three disparate data sources together logs, packets, side events and processes, and integrate them in the SIEM, you’ve got three different perspectives. Correlate those together, and you have defence in depth.”
What will the Vectra integrations deliver?
Vectra has announced two separate integrations. Customers can integrate with either Microsoft product on its own or connect both to create that SOC visibility triad. With so many users now working from home and organisations increasing their use of cloud and SaaS, it is likely that they will take advantage of both.
Vectra’s Integration with Microsoft Defender ATP includes:
- Close network visibility gaps by combining Vectra’s 360-degree aerial view of interactions across all your networks with Microsoft Defender ATP’s in-depth, ground-level view of the host.
- Enrich high-fidelity Vectra detections with deep process-level host context from Microsoft Defender ATP, giving analysts the information needed to pinpoint attackers.
- Block and isolate attackers, not resources. Take surgical and immediate enforcement actions from Vectra closer to the source.
Vectra’s Integration with Microsoft Azure Sentinel includes:
- Bring Vectra’s high-fidelity behavioural detections straight to your Sentinel Workbook for immediate attention, with direct links into the Vectra UI for deeper analysis.
- Automatically create incidents in Azure Sentinel when Vectra’s threat and certainty scores cross configurable thresholds.
- Perform forensic analysis on incidents to identify the devices, accounts and attackers involved, and use the Vectra threat intelligence feed to proactively prevent future attacks.
What does this mean for IT security teams?
Walmsley describes Vectra as the “drone in the skies. Its goal is to spot the different parts of an advanced attack and how they play out in the endpoint, the network, and the cloud.”
This ability to spot attacks across the whole attack surface is important. Attackers often create a lot of noise to distract defenders. Walmsley believes that the only way to see the scope of an attack properly is by bringing together all the disparate data sources that IT security has access to.
One advantage that Walmsley sees in this approach is that it is not just anomaly detection: it looks for the behaviours attackers must exhibit in order to progress an attack. Talking about the integration into Microsoft’s tools, he said: “When it searches for the indicators of advanced attackers being active, it doesn’t look for just anomalies. It’s not just unusual behaviour. It is looking for new behaviours that attackers have to manifest in pursuit of their attack.
“How do they do command and control? What are the different techniques they use for reconnaissance? What techniques do they use for credential abuse and credential escalation, data exfiltration, data destruction, all those things? We score those by certainty and risk so we can start to prioritise what the security team should be looking at first.”
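The scoring and threshold model described above, as an added example that is not Vectra’s or Microsoft’s code: a small Python prioritiser that rolls constructed, NDR-style detections up per host, gives each host the highest threat and highest certainty seen on it, applies configurable thresholds to decide which hosts warrant an incident in the SIEM, and ranks what passes for the analyst. The field names, the 0-99 scales, the per-host roll-up rule, the incident record shape and the console URL pattern are all assumptions made for this illustration, and the sample detections are constructed.

```python
"""Threshold-based incident creation over NDR-style detections.

Added illustration only; not Vectra's or Microsoft's code. Field names,
the 0-99 score scales, the per-host roll-up rule, the incident record
shape and the console URL pattern are assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Detection:
    host: str
    detection_type: str   # behaviour observed, e.g. internal port scan
    threat: int           # assumed 0-99: how damaging the behaviour is
    certainty: int        # assumed 0-99: how confident the analytic is


@dataclass(frozen=True)
class HostScore:
    host: str
    threat: int
    certainty: int
    detection_types: Tuple[str, ...]


# Constructed sample detections (not real product output).
SAMPLE_DETECTIONS: List[Detection] = [
    Detection("ws-0412", "internal port scan", threat=35, certainty=80),
    Detection("ws-0412", "hidden HTTPS tunnel", threat=85, certainty=70),
    Detection("ws-0412", "suspicious remote execution", threat=70, certainty=60),
    Detection("db-01", "SMB brute-force", threat=60, certainty=40),
    Detection("printer-3f", "new host beaconing", threat=20, certainty=30),
]


def score_hosts(detections: Iterable[Detection]) -> List[HostScore]:
    """Roll detections up per host.

    Assumed rule: a host inherits the highest threat and the highest
    certainty seen across its detections, so a confident low-threat
    recon hit plus a less certain high-threat tunnel still surfaces.
    """
    by_host: Dict[str, List[Detection]] = defaultdict(list)
    for d in detections:
        by_host[d.host].append(d)
    return [
        HostScore(
            host=host,
            threat=max(d.threat for d in ds),
            certainty=max(d.certainty for d in ds),
            detection_types=tuple(sorted({d.detection_type for d in ds})),
        )
        for host, ds in by_host.items()
    ]


def hosts_for_incident(scores: Iterable[HostScore],
                       threat_threshold: int,
                       certainty_threshold: int) -> List[HostScore]:
    """Apply the configurable thresholds and rank what passes.

    Only hosts at or above BOTH thresholds become incidents; ranking is
    by threat, then certainty, then breadth of distinct behaviours.
    """
    eligible = [s for s in scores
                if s.threat >= threat_threshold
                and s.certainty >= certainty_threshold]
    return sorted(eligible,
                  key=lambda s: (s.threat, s.certainty, len(s.detection_types)),
                  reverse=True)


def build_incident(score: HostScore, detections: Iterable[Detection],
                   console_base: str = "https://ndr.example.internal") -> dict:
    """Assemble an incident record carrying the per-detection context
    and a deep link back to the NDR console (URL pattern is assumed)."""
    related = [d for d in detections if d.host == score.host]
    return {
        "title": f"NDR: {score.host} threat {score.threat} / certainty {score.certainty}",
        "host": score.host,
        "detections": [
            {"type": d.detection_type, "threat": d.threat, "certainty": d.certainty}
            for d in related
        ],
        "link": f"{console_base}/hosts/{score.host}",
    }


if __name__ == "__main__":
    scores = score_hosts(SAMPLE_DETECTIONS)
    for s in hosts_for_incident(scores, threat_threshold=50, certainty_threshold=50):
        print(build_incident(s, SAMPLE_DETECTIONS))
```

With both thresholds at 50 only the workstation becomes an incident; lowering the certainty threshold to 30 pulls the db-01 brute-force host into scope as well, which is the signal-versus-noise trade-off the thresholds exist to tune. The workstation’s port scan alone (threat 35) would never cross a threat threshold of 50, but the tunnel seen on the same host does, so the reconnaissance arrives as context on an incident that is raised anyway.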
Less noise = better actionable intelligence
An oft-used term among security vendors is actionable intelligence. For most organisations, that doesn’t mean a lot. They are still overwhelmed by too much information from their providers and have to do a lot of in-house triage.
Walmsley addressed this, saying: “The runbooks that they need are increasingly automated. Here’s the alert, here’s the contextual information. You can make a very quick decision on triage: is this something I’m going to put some attention on now? Is it something to look at later?”
That actionable intelligence flows all the way through the landscape from the endpoint to the cloud. Walmsley continued: “It’s about more signal and less noise coming into the SOC. When that signal arrives, it’s got more context around it. You’re already in a much better place to make a well-informed decision about how quickly or how urgently do you want to respond.”
What is interesting about Vectra’s approach is that, unlike some security vendors, it does not see automation replacing people in the SOC. According to Walmsley: “The response piece is increasingly getting automated. This is not to remove the human out of the loop because there are immutable values that human beings bring in contextual understanding.”
Reconnaissance is increasingly internal
Spotting and understanding reconnaissance against a network is important. It provides indicators of what the attacker is interested in and where they see weaknesses. Attackers’ use of tools to find insecure devices and unpatched vulnerabilities in public-facing systems is commonplace. But do security teams need to look elsewhere?
Yes, says Walmsley. Vectra focuses on post-intrusion reconnaissance, where attackers have already established a foothold inside the organisation and are looking for their next target. Organisations also need to think about the implications of tighter integration with their supply chain partners, which extends the internal network an intruder can explore. Both make monitoring for internal reconnaissance essential.
Walmsley said that once attackers have their foothold they: “Try to figure out how to go sideways. Where do I move laterally? How do I escalate my privilege?” He goes on to point out that defenders “have to understand that something can and will bypass defensive controls. So how do you find it and how do you find it quick enough before the attackers turn an incident into a breach?”
One solution that Walmsley talks about is instrumenting endpoints. That is fine but limited, given that many networks now carry more IoT devices, which cannot run an endpoint agent, than managed IT devices. He says the answer is to layer the network view on top. He believes that security needs to be agnostic of the device yet still retain visibility of how and where devices communicate.
Enterprise Times: What does this mean?
Organisations must build a complete view of their network. This is not just about the on-premises network but has to include the cloud and wherever remote workers are located. Solutions have to be device-agnostic and capable of spotting new and unmanaged devices as organisations increasingly merge their IT and OT networks.
Vectra integrating its NDR solution with Microsoft Defender ATP and Azure Sentinel to create a SOC visibility triad will help security teams get that view. Is it enough? Probably not. Is it more than many organisations have today? Yes.