Vectra AI, a pioneer in network detection and response (NDR), announced expanded response capabilities for its flagship product, Cognito Detect™, through its Lockdown feature, made possible by integrating with CrowdStrike® Falcon Insight, CrowdStrike’s industry-leading endpoint detection and response solution.
This deep product integration enables Vectra® to deliver well-coordinated, instantaneous responses to thwart cyberattacks directly at the device level. By blocking and isolating attackers, not resources, Lockdown gives customers the ability to significantly reduce cyber threat actor dwell-time without disrupting business operations.
Dwell time
Dwell time represents the period from when a compromise first occurs to when it is detected. According to the 2020 CrowdStrike Services Cyber Front Lines Report, the average dwell time increased from 85 days in 2018 to 95 days in 2019 due in part to advanced adversaries employing stronger countermeasures that allowed them to remain hidden longer.
Longer dwell time in an organisation’s network allows threat actors to conduct reconnaissance and to better understand how the victim environment works so they can increase the effectiveness of their attack.
Network detection and response platform
Cognito® is a network detection and response (NDR) platform driven by artificial intelligence (AI) to provide a unique advantage to organisations to proactively stop attacks without relying on traditional or legacy prevention tools.
By detecting and responding to attacks inside the cloud, data centre, IoT, and enterprise networks, Cognito gives threat hunters the context they need to filter out false positives and prioritise threats across their entire network. Vectra unveiled the Cognito Lockdown feature to enable automatic enforcement on privilege-based, high-fidelity signals.
Controlling malicious adversaries
Essentially, Lockdown can surgically freeze account access and avoid service disruption by disabling compromised accounts at the source. This gives security operations centre (SOC) analysts time to conduct thorough investigations on the alerts that matter, with the knowledge that an attacker is not progressing through their network.
Lateral movement, a term used to describe this progression from one infected device or account to another, provides a definitive edge for malicious adversaries and creates a web of nearly untraceable points of control for them within a network.
Advanced capabilities
Business is no longer conducted in an office environment. It is done online with tools like Office 365, Microsoft Remote Desktop Protocol (RDP), Virtual Desktop Infrastructures (VDI), and Zoom. Due to the remote nature of our world today, detecting lateral movement quickly and reliably is one of the most critical emerging skills in information security.
“We integrated with CrowdStrike back in 2018 because we recognised the need to drastically reduce response and investigation time so security teams can focus on threats that matter,” said Kevin Kennedy, vice president of product management at Vectra. “Our expanded capabilities with Falcon Insight empower Cognito with Lockdown to take action before cyber-attacks lead to breaches, which means recognising and halting lateral movement with advanced technology features like account Lockdown.”
CrowdStrike Falcon
CrowdStrike Falcon Insight delivers comprehensive endpoint visibility that spans detection, response, and forensics to ensure potential breaches are stopped. It provides unparalleled visibility through continuous monitoring, capturing endpoint activity so security teams know exactly what’s happening across the organisation.
Falcon Insight also delivers in-depth analysis to automatically detect suspicious activity and accelerate security operations, allowing users to minimise efforts spent handling alerts and quickly investigate, respond, and thwart attacks.
Putting a stop to cyber attacks
“Today, security leaders are tasked with detecting and responding to cyberattacks across multiple disparate environments and workloads – cloud, data centres, IoT devices, etc. – with more accuracy and speed than ever before,” said Amol Kulkarni, chief product officer at CrowdStrike.
“CrowdStrike Falcon Insight’s integration with Cognito Detect from Vectra enables customers to stop cyberattacks directly at the device level by offering unprecedented endpoint visibility into threat activity from network and endpoint sources and the ability to shut down affected hosts swiftly.”
Benefits of integration
The integration of Cognito Detect and Falcon Insight allows security teams to:
- Easily integrate network and endpoint content with instant access to additional information for verification and investigation. Host identifiers and other host data from Falcon Insight are shown automatically in the Cognito NDR platform UI to enrich Vectra detection information from the network perspective.
- Reveal traits and behaviors of a threat that are only visible inside the host to verify a cyberthreat quickly and conclusively while also learning more about how the threat behaves on the host itself.
- Take swift, decisive action armed with network and endpoint context. Security teams can quickly isolate compromised hosts from the network to halt cyberattacks and avoid data loss.
Enforcement-based NDR solution
Vectra is the first NDR solution to offer automated enforcement based on prioritised, high-fidelity attacker behaviours, combined with surgical, identity-based enforcement actions. This safeguards against malicious access to resources that are critical to the host organisation. There is no additional charge to enable the integration of CrowdStrike with the Cognito NDR platform from Vectra.