Vectra CDR for AWS with Amazon GuardDuty

Key Challenges

• Quality of alerts: Native tooling relies on foundational alerts that leverage threat intelligence and simple baseline anomalies. These often lead to significant alert volume, alert fatigue and as a result, overlooked threats. SOC teams need a solution that surfaces advanced attacker behaviors with high fidelity and low noise.
• Lack of advanced investigation capabilities: Investigating threats surfaced by native tools often involves navigating across numerous services to confirm the veracity of alerts. For example, Amazon GuardDuty attributes all alerts to the last set of temporary credentials (assumed role) used to take the action. To investigate these alerts, analysts have to manually trace back actions through chains of temporary credentials to the original actor. During a true-positive incident, SOC teams cannot spend precious resources and time on manually correlating threat incidents before deciding on the right course of action.
• Siloed scope: Native tools come with limitations and often operate in the siloed surface they aim to protect. Amazon GuardDuty does not operate across regions leading to fragmented security metadata. Attackers don’t abide by these limitations and utilize any means necessary to reach their goals. With today’s hybrid cloud deployments encompassing datacenters, SaaS applications and multicloud environments — native tools lack visibility into critical portions of an organization’s infrastructure.
• Increased operational complexity: Rapid growth in AWS security services has led to oversight risk and complexity in managing a SOC team’s security stack. In addition, disparate pricing across these services can be challenging to navigate and often leads to unexpectedly high bills.