A few months ago, I wrote about the Cognito Network Detection and Response platform’s new automatic response feature – the Vectra Account Lockdown. By integrating with an identify provider (IdP) like Active Directory and leveraging our world-class AI detection capabilities, Account Lockdown can automatically disable network accounts that demonstrate suspicious activity.
Analysts also have the option to manually disable accounts during a security investigation. Disabling an account can significantly slow down an active attack by limiting access to additional resources. This limits the attack's blast radius and gives your SOC more time to investigate and stop the attack.
And while this has been incredibly well received by our customers, especially when configured to automatically trigger on high-fidelity scoring thresholds – namely threat, certainty and observed privilege – we knew our work was not done.
For immediate and precise enforcement, you must go directly to the source of an attack and lockdown the endpoint itself.
Our integration with Microsoft Defender ATP does just that. In addition to enriching Cognito Detect™ hosts with contextual endpoint data, security analysts can now perform Host Lockdown on Microsoft Defender ATP hosts, right from the Cognito Detect UI.
Like the Vectra Account Lockdown, Host Lockdown can be performed manually by an analyst with a button-click or configured for automated enforcement triggering against host threat, certainty and observed privilege scoring thresholds.
With automated active enforcement actions, organizations must always balance risk. On one side, overzealous enforcement on bad alerts will cause widespread outages, disrupt operations, and, in some cases, create more damage than some real attacks. On the flip side, not acting might allow attackers to gain a stronger foothold in your networking environment.
With the Vectra Host Lockdown, we leverage our industry-best behavioral-based AI detections with the precise enforcements that you get from Microsoft Defender ATP. This essentially gives you the best of both worlds. It’s a great way to ensure that automation causes as little disruption as possible while giving you greater confidence that attackers are stopped in their tracks.
Learn more about Host Lockdown, and about our integration with Microsoft Defender ATP. I’ve also created a video there, showcasing how our products work together. And as always, don’t hesitate to contact us to learn more or schedule a demo.
Jose Malacara is a senior product manager at Vectra. He is an AWS Certified Solutions Architect and has over 18 years of broad technology experience, drawing on his many years working in various product management, sales and network engineering roles building and supporting cloud applications for companies like FATHOM, Rackspace and ANX.