Vectra AI Platform Adds Unique Detections, Automated Identity Lockdown, Enhanced User Management

March 19, 2024
Vectra AI
Vectra AI Platform Adds Unique Detections, Automated Identity Lockdown, Enhanced User Management

Today’s challenge in building a top-tier SOC function

Building a top-tier security operations function is challenging and requires constant fine-tuning. The processes and response runbooks that worked yesterday might create unnecessary friction and incident response (IR) delays today. With attack surfaces changing on a day-by-day basis, just staying above water can feel overwhelming. For most, taking time to proactively fine-tune operations and detections is just another priority in a long list of ‘things to do’ and typically falls behind alert firefighting.  

SOC teams are resilient and even in the face of all these hurdles, and countless alerts, are holding themselves accountable to advance their functions and drive security operations excellence. To better help teams react faster to imminent threats and build upon a foundation of proactivity Vectra AI is pleased to highlight some of our recently released product functionality.  

Vectra AI Platform product enhancements  

By employing a multifaceted approach to threat detection focused on helping find the needles hidden in the haystack, the newest batch of detections helps surface visibility blind spots and attacker threats with high efficacy and context. A couple of examples are listed below, with more information available in our release notes (8.1 and 8.2).  

  • New detection coverage for attackers adding Entra ID/Azure AD persistence: alerts analysts when attacker behavior following identity compromise tries to register a device or authenticate from abnormal locations. This, along with a suspicious sign-on event, will be rapidly prioritized for analyst review.  
  • Enhanced coverage for privilege escalation techniques in AWS: this includes new logic that incorporates attacker tactics used to escalate permissions not only through policies, but also through native AWS services such as EC2 instances. These enhancements enable detection methods commonly used in attack tools like CloudGoat.  

Vectra AI Auto Lockdown for Active Directory (AD)

Having the ability to automatically incorporate response functionality within existing operating procedures and playbooks allows analysts and responders to react to threats as quickly as possible. With Automatic Lockdown for Active Directory (AD), teams are empowered with the ability to proactively lockdown an account based on alert Urgency Score and Entity Importance. This dual-configuration approach ensures that when an entity surpasses predefined thresholds, the account automatically enters a lockdown state (for a set duration configured by the user). This lockdown period gives responders time to thoroughly conduct investigation and respond appropriately. Customization options include configurable Urgency Score and Entity Importance thresholds as well as lockdown duration. Through this user-defined automation, teams can significantly reduce the window of opportunity for attackers.

Optimized User Management on the Respond UX

System administrators on the Vectra AI Platform can now easily see and access the users configured on their system and assigned roles, ensuring utmost accuracy when provisioning users and auditing system access – all within the same UI. These capabilities include:

  • User management: add new users, manage user role access, delete users, see list of roles correlated with usernames and time stamps for latest logins.  
  • Role management: rename roles, add and remove permissions, see how many users are associated with each role.  

But wait! There’s more!

Vectra AI will soon release the capability to programmatically list, create, modify, and delete users via the RUX v3 API. This will be pivotal in onboarding a large list of new users, adapting to staffing changes, and quickly operationalizing new deployments. Please stay tuned for updates with details on a new v3.4 API guide, public Postman library, and details on the new endpoints.  

These capabilities are a quick snapshot of our team's commitment to continuously delivering capabilities to support your security operations excellence journey. We encourage you to explore our release notes and reach out to us with your ideas on ways to improve our product.  

For teams that are interested in learning more about the Vectra AI Platform, sign up for a demo and see how we can help you stop real attacks in minutes.