This is the second installment in our lockdown series, wherein we discuss methods you can use to effectively contain security events and how Vectra can help. Check out the first piece discussing why speed and precision are key when detecting and remediating breaches.
Need for speed
As mentioned in our previous piece on Vectra lockdown, speed is a key ingredient to successful containment. When you are forced to pivot to another platform and hunt for the host, account, or policy you want to act on, you lose valuable time you may not have while an attack is in progress.
In this part, we’ll go into detail about how Vectra enables security teams to automatically contain events directly from the Vectra platform where analysts can easily see and manage the containment settings from a single pane of glass. And as an example, we’ll show how you can achieve this with two of our integration partners from our rich native partner ecosystem: Microsoft and Amazon Web Services (AWS).
Vectra integrates closely with Microsoft Defender for Endpoint, a popular endpoint detection and response (EDR) solution. With this integration, we can leverage Defender for Endpoint's "Isolate Device" functionality. This gives analysts Defender's full device isolation capability from within Vectra, without having to pivot from Vectra into the Defender console.
Vectra Lockdown for Endpoint allows analysts to isolate hosts either manually or automatically, and much like Account Lockdown, which we covered in the previous blog, Lockdown for Hosts has granular options. The first is the duration of the lockdown, which can be set between 1 and 24 hours. We can also set the minimum threat and certainty scores for the host, along with a minimum observed privilege level for the host. Once these thresholds are configured, Vectra will automatically contain a host whose observed behavior meets all of the criteria.
Lockdown for AWS
Some customers need to extend the Cognito Platform's feature set to cover cloud workloads, and thankfully our rich API enables quick and easy integration. On our GitHub, you'll find one such example of an integration with AWS.
Without repeating what's in the README: we can use AWS Security Hub to create findings, which a CloudWatch Events rule acts on by launching an AWS Lambda function that, for example, stops or isolates a workload in AWS. The flow is fully automated and requires no manual operator intervention. Since the integration uses our native APIs, it could also easily be adapted to look for a specific tag on a host and hand the action off to a middleware component such as a security orchestration, automation and response (SOAR) platform.
The point here is that we're not limited to what's already built into the platform, and many successful custom integrations already exist.
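As an added illustration of the Security Hub to CloudWatch to Lambda flow described above (this is example code written for this page, not the integration published on Vectra's GitHub), the handler below consumes a "Security Hub Findings - Imported" event, extracts the EC2 instance IDs from each ASFF finding, applies the same kind of threshold and scope rules as the host lockdown settings (minimum severity, an exclusion list of hosts that must never be contained), and quarantines qualifying instances by replacing their security groups with a single deny-all group. The security group ID, severity threshold, exclusion list, tag name and sample findings are all constructed for the example; a `FakeEC2` stand-in replaces the boto3 client so the logic runs offline, while in Lambda the real `ec2` client is used.

```python
"""Lambda-style handler that quarantines EC2 instances named in AWS Security Hub
findings. Added example for this page, not Vectra's GitHub integration code.

Assumed flow: Security Hub finding -> CloudWatch Events / EventBridge rule
-> this Lambda. Findings arrive in ASFF under event["detail"]["findings"].
Quarantine replaces the instance's security groups with one deny-all group.
The group id, severity threshold, exclusion list and tag name are constructed
policy values chosen for the example."""

MIN_SEVERITY = 70                         # ASFF Severity.Normalized; 70 corresponds to HIGH
QUARANTINE_SG = "sg-0000quarantine0000"   # constructed: deny-all security group
NEVER_CONTAIN = {"i-0domaincontroller0"}  # constructed: hosts out of scope (e.g. AD)
LOCKDOWN_TAG = "vectra:lockdown"          # constructed: tag marking quarantined hosts


def instance_ids_from_finding(finding):
    """Extract EC2 instance ids from ASFF Resources (Id is an ARN ending in instance/i-...)."""
    return [r["Id"].rsplit("/", 1)[-1]
            for r in finding.get("Resources", [])
            if r.get("Type") == "AwsEc2Instance"]


def contain_decision(finding, instance_id):
    """Return (contain: bool, reason: str) for one instance named in a finding."""
    if finding.get("RecordState", "ACTIVE") != "ACTIVE":
        return False, "finding archived"
    severity = finding.get("Severity", {}).get("Normalized", 0)
    if severity < MIN_SEVERITY:
        return False, f"severity {severity} below threshold {MIN_SEVERITY}"
    if instance_id in NEVER_CONTAIN:
        return False, "instance on never-contain list"
    return True, "thresholds met"


def quarantine(ec2, instance_id, finding_id):
    """Isolate by swapping security groups, then tag the host so analysts can find it."""
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    ec2.create_tags(Resources=[instance_id],
                    Tags=[{"Key": LOCKDOWN_TAG, "Value": finding_id}])


def handler(event, context=None, ec2=None):
    """Lambda entry point. Pass ec2=FakeEC2() to run offline; in Lambda boto3 is used."""
    if ec2 is None:
        import boto3  # only needed when running inside Lambda
        ec2 = boto3.client("ec2")
    contained, skipped = [], {}
    for finding in event.get("detail", {}).get("findings", []):
        for iid in instance_ids_from_finding(finding):
            ok, reason = contain_decision(finding, iid)
            if ok:
                quarantine(ec2, iid, finding.get("Id", "unknown"))
                contained.append(iid)
            else:
                skipped[iid] = reason
    return {"contained": contained, "skipped": skipped}


class FakeEC2:
    """Stand-in for boto3's EC2 client so the example runs without AWS credentials."""
    def __init__(self):
        self.groups, self.tags = {}, {}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)

    def create_tags(self, Resources, Tags):
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})


def _finding(fid, instance_id, normalized, record_state="ACTIVE"):
    """Build a minimal ASFF finding (constructed sample data)."""
    return {"Id": fid, "RecordState": record_state,
            "Severity": {"Normalized": normalized},
            "Resources": [{"Type": "AwsEc2Instance",
                           "Id": f"arn:aws:ec2:us-east-1:123456789012:instance/{instance_id}"}]}


SAMPLE_EVENT = {  # constructed "Security Hub Findings - Imported" event
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        _finding("finding-1", "i-0a1b2c3d4e5f60001", 90),              # contained
        _finding("finding-2", "i-0domaincontroller0", 90),             # excluded host
        _finding("finding-3", "i-0a1b2c3d4e5f60003", 40),              # below threshold
        _finding("finding-4", "i-0a1b2c3d4e5f60004", 90, "ARCHIVED"),  # stale finding
    ]}}


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, ec2=FakeEC2()))
```

The exclusion list and severity threshold are the code-level counterpart of the scoping questions below: decide which hosts must never be contained and which findings are serious enough to act on before wiring the function to a live rule. Note that the quarantine is reversible by restoring the original security groups, and the tag gives an analyst a quick way to find every host the automation has touched.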
When in doubt, scope it out
Vectra Cognito Platform is both powerful and flexible, allowing you to configure containment architecture according to your organization’s needs. When putting Vectra into practice, the following checklist can be useful to consider upon implementation:
- What type of security incidents do you want to contain? Active attacker? Ransomware? Data exfiltration?
- What hosts do you never want to contain? Active directory? Mail server? Production servers?
- Does your endpoint solution support containment? If so, which operating system (OS) versions are supported?
- For hosts without an agent, how do you want to handle these hosts?
- Do you want to include account containment? If so, which types of accounts are in scope and which are not?
- Who has ultimate authority to approve containment? Should any stakeholders be informed?
Answering these questions will give your organization a clear picture of what's in scope and what's out of scope for containment. Once standards are established, a flow chart can be outlined along with steps that analysts can take.
To help you get the most out of the Cognito platform functionality, Vectra's Professional Services team can help. Sidekick Services is an offering where our experts can work alongside your team to develop and integrate lockdown functionality according to your own playbook.
It's common for organizations to jump into remediation before a full investigation has been completed. With Lockdown, you buy time, preserve evidence, and scope the incident before remediating.
But remember, while useful, containment is a rapidly-implemented short-term solution that isn’t an adequate substitute for strong, healthy security operations practices. Host lockdown and account lockdown are not designed to be permanent solutions but rather temporary solutions to utilize while an investigation is ongoing.