Vectra and Microsoft join forces to step up detection and response

This blog post is part of the Microsoft Intelligent Security Association (MISA) guest blog series. Click here to learn more about MISA.

Traditional security operations center (SOC) processes typically involve a wide variety of disparate event notification tools that force overworked analysts to battle massive amounts of inbound alerts. This often leads to missed signals and incorrect alert prioritization.

The move to cloud, hybrid environments, and IoT further exacerbates the situation as the attack surface is distributed, boundless, and ever-changing. Perimeter defenses, although necessary, are insufficient.

To address these challenges, SOCs today are focusing on continuous real-time detection and response capabilities that are based on three tightly integrated vantage points and solutions – network detection and response (NDR), endpoint detection and response (EDR), and security information and event management (SIEM).

Gartner calls this approach the SOC visibility triad. It combines the widespread visibility of NDR with the deep process-level insight of EDR, and couples them together with log and security analytics from a variety of sources in the SIEM.

Using these three components in a deeply integrated solution gives security professionals the tools and visibility into modern networking environments and allows them to detect and stop attacks that evade perimeter defenses.

The Cognito® platform from Vectra® delivers high-fidelity NDR by keeping a watchful eye on hidden attacker behaviors in workloads in the cloud and hybrid cloud as well as on-premises enterprise networks.

By combining security research with data science, Vectra AI-derived machine learning algorithms automatically detect and prioritize the highest-risk attacker behaviors in cloud/SaaS and data center workloads as well as user and IoT devices.

As a result, Vectra enables security professionals to reduce the SOC workload, instantly get deep insights and context about every attack, and respond faster to encroaching threats with surgical precision.

An image of the SOC Vectra Triad.

The deep native integrations between Vectra (NDR), Microsoft Defender ATP (EDR) and Microsoft Azure Sentinel (SIEM) make the SOC triad fully operational for customers, enabling them to use tools they are already familiar with.

This SOC triad brings together context from each data source, creating an extraordinary solution that is greater than the sum of its parts.

In addition to enriching Vectra detections with contextual endpoint data from Microsoft Defender ATP, this solution automatically shows attacker detections in the Microsoft Azure Sentinel dashboard, where SOC teams can conduct conclusive investigations.

The SOC visibility triad further helps drive integrated enforcement actions like disabling compromised accounts and isolating hosts that an attacker is using. This allows SOCs to deliver well-coordinated responses, enhance efficiency, and reduce attacker dwell-times.

The Host Lockdown feature from Vectra is a perfect example of this. When a high-risk attack is detected by the Cognito platform, SOC teams can respond quickly and accurately to lockdown Microsoft Defender ATP hosts from the Cognito dashboard.

This can be performed manually with a button-click or configured for automated enforcement that triggers when host threat, certainty, and observed-privilege scores exceed SOC-defined thresholds.

In summary, together with Microsoft Defender ATP, Vectra enables SOC teams to:

  • Combine the Vectra 360-degree aerial view of interactions on cloud and data center workloads with the in-depth ground-level view from Microsoft Defender ATP.
  • Enrich high-fidelity Vectra detections with deep process-level host-context from Microsoft Defender ATP.
  • Take precise and immediate enforcement actions from Vectra closer to the source using Microsoft Defender ATP.

And together with Microsoft Azure Sentinel, Vectra enables SOCs to:

  • Bring Vectra high-certainty behavior-based detections straight to Microsoft Azure Sentinel workbooks for immediate attention.
  • Automate incidents in Microsoft Azure Sentinel based on configurable threat and certainty score thresholds from Vectra.
  • Perform forensic analysis on incidents to identify involved devices, accounts, and attackers.

With these deep integrations between NDR, EDR, and SIEM that Vectra and Microsoft have collaborated on, we are able to realize the SOC visibility triad, ultimately allowing customers to elevate SOC visibility and prevent attackers from establishing footholds across cloud, data center, IoT, and enterprise networks.

For more details, check out the Cognito platform from Vectra and our integration with Microsoft Defender ATP and Microsoft Azure Sentinel.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our web site where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft security solutions, visit the Microsoft security web site. Bookmark the security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.