Many security teams are overwhelmed by the scale and ferocity of digital threats. Threats are sneakier and more damaging, and security operations centers (SOCs) are being worn down investigating and stomping out incidents.
The integration of endpoint and network security can lift that load. Network security tools provide a trusted view of what’s happening across an enterprise network—from users to datacenter to cloud—and across all types of devices, including IoT. Endpoint security has its own view of what’s happening inside high-value devices such as cloud workloads, servers and laptops. Endpoint and network security tools each have their own very perceptive views, and when that double vision is brought into singular focus, SOC teams can detect and stop threats faster.
For example, the network viewpoint can tell you that a tunnel is enabling a system outside your network to control a system inside your network, while the endpoint viewpoint can tell you whether the process generating that traffic is a RAT, TeamViewer, etc. Combining the two perspectives allows threats to be quickly identified, validated, and remediated.
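The correlation described above, as an added illustration that is not Vectra's or Carbon Black's code: a network detection (host, remote endpoint, time) is joined to endpoint connection telemetry on the same host, and the owning process decides whether the tunnel looks like sanctioned remote administration or something to contain. The record layouts, the allowlist of admin tools and the sample events are all constructed for this example.

```python
"""Join a network-side remote-access detection to endpoint process telemetry.

Constructed example: the record shapes below are not the Vectra or Carbon Black
formats, and the sample hosts, addresses and process names are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Remote-access tools an administrator may legitimately run (constructed allowlist).
KNOWN_REMOTE_ADMIN_TOOLS = {"teamviewer.exe", "teamviewer_service.exe", "anydesk.exe"}


@dataclass(frozen=True)
class NetworkDetection:
    host: str            # internal host the network sensor attributes the flow to
    remote_ip: str
    remote_port: int
    first_seen: datetime
    category: str        # e.g. "external_remote_access"


@dataclass(frozen=True)
class EndpointConnection:
    host: str
    pid: int
    process: str         # image name reported by the endpoint agent
    signed: bool         # code-signature status reported by the agent
    remote_ip: str
    remote_port: int
    observed: datetime


def correlate(detection, endpoint_events, window=timedelta(minutes=5)):
    """Endpoint connections on the same host to the same remote endpoint
    within +/- window of the network detection."""
    lo, hi = detection.first_seen - window, detection.first_seen + window
    return [e for e in endpoint_events
            if e.host == detection.host
            and e.remote_ip == detection.remote_ip
            and e.remote_port == detection.remote_port
            and lo <= e.observed <= hi]


def triage(detection, endpoint_events):
    """Combine both viewpoints into a verdict and the processes behind it.

    'validate'    : only signed, known admin tooling owns the tunnel; confirm with the owner
    'contain'     : an unknown or unsigned process owns the tunnel
    'investigate' : the network saw it but the endpoint agent shows no matching process
    """
    matches = correlate(detection, endpoint_events)
    if not matches:
        return "investigate", []
    procs = sorted({m.process.lower() for m in matches})
    sanctioned = all(p in KNOWN_REMOTE_ADMIN_TOOLS for p in procs) and all(m.signed for m in matches)
    return ("validate" if sanctioned else "contain"), procs


def run_sample():
    """Constructed detections and endpoint events; returns {host: verdict}."""
    t0 = datetime(2017, 7, 10, 14, 3, 0)
    detections = [
        NetworkDetection("wkstn-17", "203.0.113.45", 443, t0, "external_remote_access"),
        NetworkDetection("srv-files-02", "203.0.113.45", 443, t0, "external_remote_access"),
        NetworkDetection("wkstn-22", "203.0.113.45", 443, t0, "external_remote_access"),
    ]
    endpoint_events = [
        # unsigned, unrecognised binary owns the tunnel on wkstn-17
        EndpointConnection("wkstn-17", 4412, "updater.exe", False, "203.0.113.45", 443,
                           t0 + timedelta(seconds=90)),
        # unrelated browser traffic on the same host (different remote endpoint)
        EndpointConnection("wkstn-17", 2210, "chrome.exe", True, "198.51.100.7", 443,
                           t0 + timedelta(seconds=5)),
        # signed admin tool owns the tunnel on the file server
        EndpointConnection("srv-files-02", 881, "TeamViewer_Service.exe", True, "203.0.113.45", 443,
                           t0 - timedelta(seconds=40)),
        # wkstn-22 has no matching endpoint record at all
    ]
    return {d.host: triage(d, endpoint_events)[0] for d in detections}


if __name__ == "__main__":
    for host, verdict in run_sample().items():
        print(f"{host}: {verdict}")
```

The time window matters: endpoint agents and network sensors rarely agree on clocks to the second, so the join tolerates a few minutes of skew; tighten it once you know the real offset between the two sources.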
It’s an idea that’s catching on quickly.
Just how integrated?
“The integration of endpoint and network security tools has the potential to reduce the total cost of ownership of security solutions and deliver better threat detection and automated remediation,” wrote Gartner analyst Peter Firstbrook in the research note “How to Decide Whether Endpoint and Network Security Integration Is a Feature or a Fad” published June 29, 2017 (ID: G00321058).
However, the true effectiveness depends on the level of integration. Gartner identifies five levels of integration: packaging (Level 1), management (Level 2), threat intel (Level 3), alert resolution (Level 4) and action-oriented (Level 5).
“Most solutions are integrated only at the packaging or threat-sharing level; few are sufficiently integrated at the policy layer to change security posture based on context. Consequently, integration has not yet delivered better-together security,” the report continues.
A new integrated kill chain
At Vectra, we have witnessed the power of integrating endpoint and network security. We have seen the advantages of enabling security teams to see the combined context of both network and endpoint detections so they can quickly respond and take swift, decisive action to remediate cyberattacks and avoid data loss.
We back up that belief with a robust REST API that enables Vectra Cognito, our security analyst in software, to be part of an enterprise’s well-coordinated security architecture. The Vectra API permits integration with many endpoint security tools—and virtually any other security solution.
Vectra Cognito integrates even more closely with Carbon Black, which provides next-generation endpoint security. In-product integration allows Vectra to automatically import context about an endpoint running Carbon Black, and then with a single click, a security admin can pivot from the Vectra UI into Carbon Black Cb Response to investigate further, isolate a host or kill a process.
Right-click on a detection in Vectra, and you can get a detailed look into the host, courtesy of Carbon Black.
HBO Latin America is one organization that has seen firsthand the benefits of integrating Vectra and Carbon Black. “In the past it’s been very difficult to connect the dots between network behavior, host behavior, and event logs,” explains Albert Caballero, CISO at HBO Latin America.
HBO Latin America uses Vectra Cognito to automatically quarantine endpoints based on network attack behavior detections. “A digital investigation must have network activity (pcaps or some sort of proof of what happened on the network), information on what’s happening on the host that’s deemed compromised, and the logs to back it up. Those three things are essential to have the full picture of what’s happening,” says Caballero.
Learn more about why Vectra Cognito and Carbon Black are better together when detecting and mitigating threats. Download the brief.
Kevin Kennedy is vice president of product management at Vectra. Before Vectra, he was vice president of product management at Agari Data, which builds data-driven security solutions that eliminate email as a channel for cyberattacks. Prior to Agari, Kevin was senior director of security product management at Juniper, where he spearheaded the company’s continued innovation in data center security. Kevin was also director of product management at Cisco IronPort Systems, where he led the highest-growth business in the Cisco security portfolio, growing bookings by 400 percent in three years. Kevin earned his BSE in computer engineering at the University of Michigan.