Meet Vectra’s new Attack Signal Intelligence™ engine for cloud

February 6, 2023
Aakash Gupta
Product Manager, Detection & Response for Public Cloud

By harnessing Vectra’s Security AI-driven Attack Signal Intelligence™ (ASI) for cloud, SecOps teams can continuously monitor their SaaS and cloud environments and uncover sophisticated threats in real time. Vectra ASI raises alerts within minutes of an attacker’s actions and attaches the context needed to characterize intent and gauge business impact, enabling faster and more accurate threat hunting, investigation and response.

Those familiar with Vectra NDR (network detection and response) know its threat detection and response capabilities against attackers in network environments. With the introduction of the Vectra ASI engine for cloud, the real-time detection capabilities of Vectra NDR are extended to Vectra CDR (cloud detection and response), which highlights malicious behaviors in near real time and gives SecOps teams visibility into the actions taking place across their cloud environment. But why build a new threat detection engine for the cloud, and why do you need both an NDR and a CDR solution?

Attacks in the cloud are different than those in the data center

In the cloud there is a convoluted many-to-many relationship between infrastructure, data and connectivity, with identity as the glue. Coupled with the speed at which modern CI/CD pipelines move, this presents a very broad attack surface on which prevention alone cannot stop every attack. While an attacker’s end goals are the same in the cloud and in traditional on-prem environments, cloud attacks differ in the following ways:

  • Focus on credentials: At the heart of most cloud attacks lie compromised credentials. Whether through phishing campaigns or credentials accidentally committed to code repositories, attackers keep finding new ways to steal credentials and gain access to accounts.
  • Shallow kill chain: This is a consequence of the sheer number of services offered by cloud providers. Many flavors of compute, storage, data lakes, serverless services, containerized workloads and applications across numerous regions mean that the distance from initial access to high-value assets is significantly shorter.
  • Speed of progression: Attacks in the cloud progress faster than in on-prem environments, primarily because the temporary credentials that grant access expire. Once an attacker finds a way in, they must move quickly to establish persistent access before those credentials lapse.

Defenders need to think differently

Beyond the fundamental differences in how attacks unfold, the artifacts available to security teams for stopping them are also very different. Whereas detection in the data center relies on network packet data, cloud providers expose activity primarily through audit logs. Analyzing those logs for threat detection across multi-cloud environments is challenging for the following reasons:

  • Multiple log sources: The cloud has numerous log sources, each carrying different information of interest. Examples include control plane logs, data plane logs, workload audit logs and network logs. From a security standpoint, they must be interwoven to detect attacker behavior effectively.
  • Inconsistent log schemas: Each provider publishes logs in its own format. Furthermore, the same provider may alter a log’s schema based solely on the destination the log is delivered to. This inconsistency can make log analysis overwhelming for security teams.
  • Unpredictable delivery: With diverse logs spread across services and multiple cloud environments, delivery timing is uncertain. Related actions may land in different log files separated by arbitrary intervals, which makes it difficult to track which principal acted on which resource.

These factors make auditing actions in the cloud fundamentally different from data center environments, where standard protocols are adhered to and packets are received in real time.

The Solution – Vectra Cloud Detection and Response with Attack Signal Intelligence  

With its new ASI engine for the cloud, Vectra has reworked its platform to look for sophisticated threats in very different data while surfacing them with the same speed and accuracy as Vectra NDR. In addition, built-in AI-driven Prioritization automatically analyzes, scores and ranks each detection, so security teams know which threats are most urgent and where their effort is needed most. The image below shows how Attack Signal Intelligence prioritized and stopped an attack targeting the AWS environment of a manufacturing company.

[Image: Anatomy of a cyberattack in the AWS cloud]

To prioritize and stop attacks throughout cloud environments, Vectra CDR has the following defining characteristics:

  • Faster detections: Vectra CDR comes equipped with tools for real-time analysis of logs at enterprise scale. Coupled with enrichments such as Vectra’s AI-driven attribution methodology, it can scrutinize logs and correlate millions of events from hundreds of users and services. High-confidence detections fire within minutes of a malicious behavior being observed, which can make the difference between stopping an attack in progress and analyzing it post-mortem.
  • Rich context: Querying logs for simple event sequences yields thousands of alerts even for small deployments, drowning a SOC team’s resources. Environmental context makes the difference. Using the new ASI engine, Vectra CDR keeps track of how individual users interact with different roles and services in an environment. This persisted state enables use cases such as environment-specific privilege anomalies.
  • Coverage for advanced threat vectors: Vectra can identify more sophisticated attacker methods in the cloud. One such technique is to spread malicious activity across multiple time-separated sessions, which shields it from detection mechanisms that only look at a single session. By stitching together what it has learned across time, sessions and entities, Vectra CDR paints an accurate picture of even sophisticated attack progressions.
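To make the log-handling problems above and the stateful detection they call for concrete, here is an added illustrative example. It is not Vectra’s engine or code; it is a deliberately simple, deterministic stand-in for the kind of correlation described. The records are constructed: the field names follow CloudTrail’s schema (`eventTime`, `eventSource`, `eventName`, `userIdentity`, `responseElements.credentials.accessKeyId`), but the account ID, principals, keys and IP address are made up. It assumes two delivery shapes for the same provider, a batch that wraps records in a `Records` array and a log-stream form that carries each record as the JSON `message` of a log event, and it shuffles delivery order to stand in for out-of-order arrival. It then ties each temporary key back to the principal that minted it via the `AssumeRole` response, so two time-separated role sessions collapse onto one user timeline, and flags a call to a service that user has no history with.

```python
"""Correlating CloudTrail-style records across delivery formats and sessions.

Added example, not Vectra's code. All records below are constructed; field
names follow CloudTrail, but account, principals, keys and IPs are fictional.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/dev-bob"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/Deploy"


def rec(ts, source, name, ident, **extra):
    """Build one CloudTrail-shaped record for the constructed sample."""
    r = {"eventTime": ts, "eventSource": source, "eventName": name,
         "userIdentity": ident, "awsRegion": "us-east-1",
         "sourceIPAddress": "198.51.100.7"}
    r.update(extra)
    return r


def user(key):
    return {"type": "IAMUser", "arn": USER_ARN, "accessKeyId": key}


def assumed(key, session):
    return {"type": "AssumedRole", "accessKeyId": key,
            "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Deploy/{session}",
            "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}}


# Session 1: bob assumes Deploy and does routine work with temp key ...0001.
# Session 2, 40 minutes later: bob assumes Deploy again (temp key ...0002)
# and creates an access key for another user, something he has never done.
RECORDS = [
    rec("2023-02-06T10:00:00Z", "sts.amazonaws.com", "AssumeRole", user("AKIAEXAMPLEBOB"),
        requestParameters={"roleArn": ROLE_ARN, "roleSessionName": "s1"},
        responseElements={"credentials": {"accessKeyId": "ASIAEXAMPLE0001"}}),
    rec("2023-02-06T10:01:00Z", "ec2.amazonaws.com", "DescribeInstances", assumed("ASIAEXAMPLE0001", "s1")),
    rec("2023-02-06T10:02:00Z", "s3.amazonaws.com", "ListBuckets", assumed("ASIAEXAMPLE0001", "s1")),
    rec("2023-02-06T10:40:00Z", "sts.amazonaws.com", "AssumeRole", user("AKIAEXAMPLEBOB"),
        requestParameters={"roleArn": ROLE_ARN, "roleSessionName": "s2"},
        responseElements={"credentials": {"accessKeyId": "ASIAEXAMPLE0002"}}),
    rec("2023-02-06T10:41:00Z", "iam.amazonaws.com", "CreateAccessKey", assumed("ASIAEXAMPLE0002", "s2"),
        requestParameters={"userName": "svc-backup"}),
]

# Two delivery shapes (assumed here): a batch wrapping records in "Records",
# and a log stream carrying each record as the JSON "message" of an event.
# The order is shuffled on purpose to model out-of-order delivery.
S3_BATCH = json.dumps({"Records": [RECORDS[3], RECORDS[1]]})
CW_EVENTS = [{"timestamp": 0, "message": json.dumps(r)} for r in (RECORDS[4], RECORDS[0], RECORDS[2])]

# Baseline of services this user has touched in the past (constructed).
BASELINE = {USER_ARN: {"ec2", "s3"}}


def parse_s3_batch(blob):
    return json.loads(blob)["Records"]


def parse_cw_events(events):
    return [json.loads(e["message"]) for e in events]


def normalize(r):
    """Reduce one record to the fields the correlation needs."""
    ident = r["userIdentity"]
    creds = (r.get("responseElements") or {}).get("credentials", {})
    return {
        "ts": datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "key": ident.get("accessKeyId"),          # key that made this call
        "actor": ident.get("arn"),                # user or assumed-role session
        "service": r["eventSource"].split(".")[0],
        "event": r["eventName"],
        "issued_key": creds.get("accessKeyId"),   # temp key minted by AssumeRole
    }


def correlate(records):
    """Sort by eventTime (not arrival), map each temp key to the principal that
    obtained it, and return one timeline per originating principal."""
    events = sorted((normalize(r) for r in records), key=lambda e: e["ts"])
    origin = {}                      # temp access key -> originating principal
    timeline = defaultdict(list)
    for e in events:
        principal = origin.get(e["key"], e["actor"])   # follows chained roles too
        if e["issued_key"]:
            origin[e["issued_key"]] = principal
        timeline[principal].append(e)
    return timeline


def privilege_anomalies(timeline, baseline):
    """Flag the first call to any service a principal has no history with."""
    findings = []
    for principal, events in timeline.items():
        seen = set(baseline.get(principal, ()))
        for e in events:
            if e["service"] == "sts":
                continue                           # AssumeRole itself is routine
            if e["service"] not in seen:
                findings.append((principal, e["ts"], e["service"], e["event"], e["actor"]))
                seen.add(e["service"])
    return findings


if __name__ == "__main__":
    records = parse_s3_batch(S3_BATCH) + parse_cw_events(CW_EVENTS)
    for f in privilege_anomalies(correlate(records), BASELINE):
        print(f)
```

The point of the example is the state kept across records: without the `origin` map, the `iam:CreateAccessKey` call would be attributed only to the assumed-role session `s2`, whose temporary key never appears in the first session, and a per-session or per-key rule would see nothing unusual. Sorting on `eventTime` rather than arrival order is what lets the `AssumeRole` record that was delivered last still be processed before the calls it enabled.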

Delivered as SaaS, Vectra CDR adds scalability, performance and reliability, which help SOC teams meet their MTTD and MTTR (mean time to detect and mean time to respond) goals as they take on multi-cloud and hybrid-cloud footprints.

What’s Next?  

Experience the power of Vectra CDR powered by Attack Signal Intelligence firsthand with our free trial.