Expanding Vectra Lockdown
Capabilities with Defender ATP
A few months ago, I wrote about the Cognito Platform’s new automatic response feature—Vectra Account Lockdown. By integrating with an identify provider (IdP) like Active Directory and leveraging our world-class AI detection capabilities, Account Lockdown can automatically disable network accounts that demonstrate suspicious activity.
Analysts also have the option to manually disable accounts during a security investigation. Disabling an account can significantly slow down an active attack by limiting access to additional resources. This limits the attack's blast radius and gives your SOC more time to investigate and stop the attack. And while this has been incredibly well received by our customers, especially when configured to automatically trigger on high-fidelity scoring thresholds—namely threat, certainty and observed privilege – we knew our work was not done.
For immediate and precise enforcement, you must go directly to the source of an attack and lockdown the endpoint itself.
Our integration with Microsoft Defender for Endpoint does just that. In addition to enriching Detect hosts with contextual endpoint data, security analysts can now perform Host Lockdown on Microsoft Defender ATP hosts, right from the Cognito Detect UI. Like the Vectra Account Lockdown, Host Lockdown can be performed manually by an analyst with a button-click or configured for automated enforcement triggering against host threat, certainty and observed privilege scoring thresholds.
With automated active enforcement actions, organizations must always balance risk. On one side, overzealous enforcement on bad alerts will cause widespread outages, disrupt operations, and, in some cases, create more damage than some real attacks. On the flip side, not acting might allow attackers to gain a stronger foothold in your networking environment.
With the Vectra Host Lockdown, we leverage our industry-best behavioral-based AI detections with the precise enforcements that you get from Microsoft Defender for Endpoint. This essentially gives you the best of both worlds. It’s a great way to ensure that automation causes as little disruption as possible while giving you greater confidence that attackers are stopped in their tracks.
Learn more about Host Lockdown, and about our integration with Microsoft Defender for Endpoint. I’ve also created a video there, showcasing how our products work together. And as always, don’t hesitate to contact us to learn more or schedule a demo.