This is the second installment in our lockdown series, wherein we discuss methods you can use to effectively contain security events and how Vectra can help. Check out the first piece discussing why speed and precision are key when detecting and remediating breaches.
Need for speed
As mentioned in our previous piece on Vectra lockdown, speed is a key ingredient to successful containment. When you are forced to pivot to another platform and find the host, account, or policy you want to apply, you lose valuable time you might not have while an attack is taking place.
In this part, we’ll go into detail about how Vectra enables security teams to automatically contain events directly from the Vectra platform where analysts can easily see and manage the containment settings from a single pane of glass. And as an example, we’ll show how you can achieve this with two of our integration partners from our rich native partner ecosystem: Microsoft and Amazon AWS.
Vectra integrates closely with Microsoft Defender for Endpoint, a popular endpoint detection and response (EDR) solution. With this integration, we can leverage Defender for Endpoint’s “Isolate Device” functionality. This gives analysts the full isolation functionality from Defender without the need to pivot to it from Vectra.
Vectra Lockdown for Endpoint allows analysts to isolate hosts either manually or automatically, and much like Account Lockdown, which we covered in the previous blog, Lockdown for Hosts has granular options. The first is setting the duration of the Lockdown, which can be between 1 and 24 hours. We can also select the minimum threat and certainty scores for the host, along with a minimum observed privilege of the host. Once these thresholds are configured, Vectra will automatically contain a host if its observed behavior matches the criteria.
Lockdown for AWS
Some customers need to extend the Cognito platform's feature set to cover cloud workloads, and thankfully our rich API enables quick and easy integration. On our GitHub, you'll find one such example of an integration with AWS.
Without repeating what's in the README: we can leverage AWS Security Hub to create events which are actioned by CloudWatch launching an AWS Lambda function, for example to stop or isolate a workload in AWS. The flow is fully automated and doesn't require manual operator intervention. Since the integration uses our native APIs, it could also easily be converted to look for a specific tag on a host and hand the action off to a middleware component such as a security orchestration, automation and response (SOAR) platform.
The point here is that we're not limited to what's already built into the platform, and many successful custom integrations already exist.
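As an added illustration of the Security Hub to Lambda flow described above (example code written for this article, not the integration from Vectra's GitHub), here is a Lambda handler that reads the EC2 instances named in a Security Hub "Findings - Imported" event and moves them into a quarantine security group. The security group id, the severity filter and the sample event are constructed assumptions.

```python
# Hypothetical quarantine security group with no inbound/outbound rules.
# Placeholder value; replace with your own group id.
ISOLATION_SG = "sg-QUARANTINE-PLACEHOLDER"
# Assumed policy: only act on findings carrying these ASFF severity labels.
ACT_ON_SEVERITY = {"HIGH", "CRITICAL"}


def instance_ids_from_finding(event, act_on=ACT_ON_SEVERITY):
    """Return EC2 instance ids named in a 'Security Hub Findings - Imported'
    EventBridge/CloudWatch event whose ASFF severity label is in `act_on`."""
    ids = []
    for finding in event.get("detail", {}).get("findings", []):
        if finding.get("Severity", {}).get("Label") not in act_on:
            continue
        for res in finding.get("Resources", []):
            if res.get("Type") != "AwsEc2Instance":
                continue
            # ASFF resource Id is the instance ARN: ...:instance/i-0123456789abcdef0
            ids.append(res.get("Id", "").rsplit("/", 1)[-1])
    return sorted(set(ids))


def isolate_instances(ec2, ids, isolation_sg=ISOLATION_SG, stop=False):
    """Swap each instance's security groups for the quarantine group (network
    isolation that preserves memory and disk state for investigation);
    optionally stop the instance as well. Returns the ids acted on."""
    for iid in ids:
        ec2.modify_instance_attribute(InstanceId=iid, Groups=[isolation_sg])
        if stop:
            ec2.stop_instances(InstanceIds=[iid])
    return ids


def lambda_handler(event, context=None):
    """Lambda entry point triggered by the CloudWatch rule on Security Hub events."""
    import boto3  # imported here so the module loads without AWS credentials
    ids = instance_ids_from_finding(event)
    return {"isolated": isolate_instances(boto3.client("ec2"), ids)}


# Constructed sample event in the shape CloudWatch delivers Security Hub findings.
SAMPLE_EVENT = {
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        {"Severity": {"Label": "HIGH"},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"}]},
        {"Severity": {"Label": "LOW"},
         "Resources": [{"Type": "AwsEc2Instance",
                        "Id": "arn:aws:ec2:us-east-1:123456789012:instance/i-0fedcba9876543210"}]},
    ]},
}
```

Isolating via security group swap rather than stopping keeps volatile evidence on the instance available to the investigation; set `stop=True` only when your playbook calls for it.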
When in doubt, scope it out
Vectra Cognito is both powerful and flexible, allowing you to configure your containment architecture according to your organization’s needs. When putting Cognito into practice, the following checklist is useful to consider during implementation:
Answering these questions will give your organization a clear picture of what's in scope and what's out of scope for containment. Once standards are established, a flow chart can be outlined along with steps that analysts can take.
To help you get the most out of the Cognito platform functionality, Vectra's Professional Services team can help. Sidekick Services is an offering where our experts can work alongside your team to develop and integrate lockdown functionality according to your own playbook.
It's common for organizations to jump into remediation before a full investigation has been completed. With Lockdown, you buy time, preserve evidence, and scope the incident before remediating.
But remember, while useful, containment is a rapidly-implemented short-term solution that isn’t an adequate substitute for strong, healthy security operations practices. Host lockdown and account lockdown are not designed to be permanent solutions but rather temporary solutions to utilize while an investigation is ongoing.
Niall Errity has been a Senior Consultant with Vectra for over a year, working with customers to enhance their Cognito platform, including investigating detections, configuring integrations and delivering training. Before Vectra, Niall worked at FireEye for almost six years as an analyst, threat hunter and consultant. Highlights include working on Operation Clandestine Wolf, an APT3 phishing campaign leveraging an Adobe Flash zero-day, and co-authoring a blog chronicling an investigation. Prior to this, Niall worked at a consultancy firm based in Ireland, mostly focused on security administration of security appliances. When not working you can find Niall on the golf course or cycling around Dublin; being Irish, traveling is in his DNA and it’s a life goal to visit every country possible.