New Extended Detection and Response (XDR) Capabilities Recently Added to the Vectra AI Platform

March 14, 2024
Mark Wojtasiak
VP of Product Research and Strategy

Six months ago, we launched the Vectra AI Platform with the promise to deliver our customers the integrated signal powering their XDR. Six months in on our extended detection and response (XDR) platform journey, we’ve made some amazing progress with the help of our customers who continue to push us to deliver innovative ways to help them...

  • Build resilience to the ever-evolving and emerging sophistication of hybrid attacks.
  • Modernize their security operations with AI and ML without needing to completely start over.
  • Move at the speed and scale of attackers and stop them earlier in their progression.

Core to our XDR platform: Coverage, Clarity and Control

Coverage is about integrating attack signal across the entire hybrid attack surface, using native AI-driven detections for data center and cloud networks (NDR), identity (ITDR), and public cloud and SaaS (CDR). In 2024, we are adding third-party detections for endpoints (EDR), email, threat intel and signatures (Suricata).

Clarity comes from our AI-driven Attack Signal Intelligence™. Attack Signal Intelligence harnesses a cloud-based AI prioritization engine to answer two simple questions: is this real, and do I care? The combination of Attack Profile (is this real) and Entity Importance (do I care) results in what we call an Attack Urgency score. The higher the urgency score, the more critical it is for the SOC analyst to follow up.

Control is all about enabling security analysts to investigate and respond to an attack as early and quickly as possible. It’s about providing analysts with all the context they need on a hybrid attack in one console and enabling them with flexible response actions that can be executed manually or automatically at any stage of attack progression.

Staying true to our customers and our platform pillars, our product and engineering teams have been busy bringing platform enhancements and new capabilities to market over the past six months. Here is a glimpse:

Major Announcements:

  • Vectra AI Launches the Industry's First Global, 24x7 Open MXDR Service Built to Defend Against Hybrid Attacks. With Vectra MXDR, enterprises can consolidate every aspect of extended threat detection and response in one unified service, eliminating the need for multiple providers. Integrations with the industry’s leading EDR platforms, including CrowdStrike, SentinelOne and Microsoft Defender, enable Vectra AI’s MXDR analysts to monitor the health of an entire security system and take direct action no matter where the signal is generated. Learn more.  
  • Vectra AI and Gigamon Announce New OEM Partnership to deliver intelligent extended detection and response (XDR) across hybrid cloud environments. Vectra AI combines the power of its AI-driven Attack Signal Intelligence with the deep observability capabilities of the Gigamon GigaVUE Cloud Suite to effectively detect and respond to previously unseen threats using cloud network-derived intelligence and insights. Learn more.

Detection Coverage and Signal Clarity

Our core belief: build and integrate comprehensive detection coverage across the entire hybrid attack surface to deliver the most accurate hybrid attack signal at speed and scale. Below is a roundup of detection coverage added and enhanced in the last six months to strengthen our XDR signal.

  • New Detection Coverage - Kerberoasting: Targeted Weak Cipher Response: In addition to the two existing Kerberoasting detections, Weak Cipher Downgrade and SPN Sweep, Vectra AI has introduced a new Kerberoasting detection for when an attacker attempts a quiet Kerberoasting attack with a single weak-cipher request against a highly privileged service. In addition, we have added the ability to configure triage rules for this detection.
  • New Detection Coverage - Info: Single Weak Cipher Response: This is similar to the new Kerberoasting Targeted Weak Cipher Response detection but is designed to fire when the Kerberoasting target is not privileged. Because this may be benign activity depending on the environment, additional review by an analyst should be considered. In addition, we have added the ability to configure triage rules for this detection.
  • New Detection Coverage for AWS Relational Databases (RDS): With this enhancement, Vectra AI adds coverage surrounding abuse of relational databases in AWS housing sensitive information. The AWS Suspect Public RDS Change detection is the first in a series of detections surrounding RDS and covers methods that an attacker may use to exfiltrate backups (snapshots) of RDS databases. Prompt detection of this behavior can curb exfiltration and impact stages of an AWS cloud attack.
  • New Detection Coverage to Identify Malicious AWS Traffic Mirroring: Vectra AI added coverage to surface the malicious setup of a traffic mirror to intercept sensitive information such as credentials. The new AWS Suspect Traffic Mirror Creation detection covers methods that an attacker may leverage to create an EC2 instance as a target for mirrored traffic. Surfacing traffic-mirroring activity within VPCs, where traffic is usually unencrypted, allows SecOps to stop adversaries from progressing towards their objective of impact.
  • New Coverage for Amazon Machine Images (AMI): With this enhancement, Vectra AI adds coverage to stop malicious exfiltration of Amazon Machine Images (AMIs). These images are templates that hold valuable information and can be used to launch EC2 instances to extract sensitive data. The new AWS Suspect Public AMI Change detection covers methods that an attacker may use to exfiltrate these AMIs. Prompt detection of this behavior can curb exfiltration and impact stages of an AWS cloud attack.
  • New Detection Coverage for AWS Organizations: AWS Organizations is a compliance service that enables guardrails and central management for all member accounts within an organization. A common tactic leveraged by attackers is to remove a compromised account from its associated Organization to bypass these compliance guardrails. The new AWS Suspect Organization Exit detection surfaces this behavior allowing SecOps to thwart attempts to bypass defenses.
  • Enhanced Triage by Account Group: To help our customers manage their detection workload effectively, we've added support for Triage by Account Group to our AI-driven Triage functionality. Now, customers can specify account groups and triage detections against any member of those groups automatically, thus streamlining the analyst experience. For example, by creating an account group for your IT admins and specifying expected admin behaviors, you can easily manage the addition of new IT admins through these account groups.
  • Enhanced Detection Coverage – M365: The M365 Disabling of Security Tools and M365 Risky Exchange Operations detections have been enhanced to cover a wider breadth of attacker activity. These enhancements include detection of techniques such as license downgrades, PowerShell access, email forwarding rules, and impersonating users.
  • Enhanced Detection Coverage for Privilege Escalation Techniques: Coverage for novel methods of privilege escalation has been added. Specifically, the techniques covered by the AWS Suspect Privilege Escalation detection have been expanded to include methods adversaries use to escalate permissions not just through policies, but also through AWS services such as EC2 instances. These enhancements enable detection of methods found in attack tools such as CloudGoat.
  • Enhanced Detection Coverage for Logging Defense Evasion Techniques: Coverage for attacker methods that involve compromising logging has been expanded. The AWS CloudTrail Logging Disabled detection has been enhanced to identify adversaries that use either Event Selectors or S3 Lifecycle rules to impair logging. This is a technique used by popular attack tools such as Stratus Red Team, and it allows an attacker to avoid detection as they move towards the Impact stage.
  • Enhanced Detection Coverage for Admin Persistence: Coverage for attackers adding admin persistence to Microsoft Azure AD tenants has been expanded. Specifically, Microsoft Azure AD Admin Account Creation, Azure AD Newly Created Admin Account and Azure AD Redundant Access have been enhanced to alert on accounts being created with or granted additional types of admin permissions.
  • Enhanced Detection Coverage for Microsoft Azure AD: Time-to-detect has been further reduced for real-time Microsoft Azure AD alerts related to an attacker's initial access to a Microsoft Azure AD account. Specifically, algorithm enhancements to the Azure AD Suspicious Sign-on, Azure AD Suspicious Sign-on MFA Failed, and Azure AD Compromised Access detections have enabled faster reporting of threats without impacting coverage.
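As an added illustration (not Vectra's detection code), the following Python rule set flags the AWS behaviours described in the list above: a snapshot or AMI made public, a traffic mirror session, leaving an Organization, and logging impaired through event selectors or a short S3 lifecycle rule on the trail bucket. The records are constructed and simplified; the request-parameter keys follow CloudTrail's layout as an assumption, and the bucket name and IDs are made up.

```python
from collections import Counter

# Constructed, simplified CloudTrail records: only the fields the rules read.
SAMPLE_EVENTS = [
    {"eventName": "ModifyDBSnapshotAttribute", "requestParameters":
        {"attributeName": "restore", "valuesToAdd": ["all"]}},          # snapshot made public
    {"eventName": "ModifyDBSnapshotAttribute", "requestParameters":
        {"attributeName": "restore", "valuesToAdd": ["111122223333"]}}, # shared to one account: benign
    {"eventName": "ModifyImageAttribute", "requestParameters":
        {"launchPermission": {"add": {"items": [{"group": "all"}]}}}},  # AMI made public
    {"eventName": "CreateTrafficMirrorSession", "requestParameters":
        {"trafficMirrorTargetId": "tmt-0123456789abcdef0"}},
    {"eventName": "LeaveOrganization", "requestParameters": None},
    {"eventName": "PutEventSelectors", "requestParameters":
        {"eventSelectors": [{"readWriteType": "ReadOnly", "includeManagementEvents": False}]}},
    {"eventName": "PutBucketLifecycle", "requestParameters":
        {"bucketName": "example-cloudtrail-logs", "LifecycleConfiguration":
            {"Rule": {"Status": "Enabled", "Expiration": {"Days": 1}}}}},
]
CLOUDTRAIL_BUCKETS = {"example-cloudtrail-logs"}  # assumption: the buckets your trails write to

def public_snapshot(p):
    return p.get("attributeName") == "restore" and "all" in p.get("valuesToAdd", [])

def public_ami(p):
    items = p.get("launchPermission", {}).get("add", {}).get("items", [])
    return any(i.get("group") == "all" for i in items)

def selectors_impaired(p):  # write events or management events no longer recorded
    return any(s.get("readWriteType") == "ReadOnly" or s.get("includeManagementEvents") is False
               for s in p.get("eventSelectors", []))

def short_lifecycle_on_log_bucket(p, max_days=7):  # log objects expire before anyone reviews them
    if p.get("bucketName") not in CLOUDTRAIL_BUCKETS:
        return False
    rules = p.get("LifecycleConfiguration", {}).get("Rule", [])
    rules = rules if isinstance(rules, list) else [rules]
    return any(r.get("Status") == "Enabled" and r.get("Expiration", {}).get("Days", 10**6) <= max_days
               for r in rules)

# Labels reuse the detection names from the list above purely as behaviour names.
RULES = {
    "ModifyDBSnapshotAttribute": ("AWS Suspect Public RDS Change", public_snapshot),
    "ModifyImageAttribute": ("AWS Suspect Public AMI Change", public_ami),
    "CreateTrafficMirrorSession": ("AWS Suspect Traffic Mirror Creation", lambda p: True),
    "LeaveOrganization": ("AWS Suspect Organization Exit", lambda p: True),
    "PutEventSelectors": ("AWS CloudTrail Logging Disabled", selectors_impaired),
    "PutBucketLifecycle": ("AWS CloudTrail Logging Disabled", short_lifecycle_on_log_bucket),
}

def classify(event):
    """Return the behaviour label a record triggers, or None if it is not suspicious."""
    rule = RULES.get(event.get("eventName"))
    if rule is None:
        return None
    label, check = rule
    return label if check(event.get("requestParameters") or {}) else None

def scan(events):
    """Count triggered labels over a batch of records; in practice, feed these into triage."""
    return Counter(label for label in map(classify, events) if label)
```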

Investigation and Response Control

  • Enhanced SIEM/SOAR integration for Vectra Match Suricata Signatures: When the “Include Enhanced Details” option is configured for Vectra Match alerts, we now include additional Vectra AI proprietary information in the Vectra Match alerts sent to SIEM/SOAR. These fields include the HostID and Sensor fields that are already present in traditional Vectra AI Detections and Metadata, and they make investigation workflows easier to run. If you wish to turn off this enrichment, you can do so by disabling the “Included Enhanced Detail” option under the Syslog configuration for the respective destination.
  • Enhanced Instant Investigations for Hybrid Attacks: This enhancement provides a more comprehensive and granular view of hybrid attacks by adding metadata for RPC Calls, SMB access, and Services activities for Network Accounts. In situations where the same threat actor has both Microsoft Azure AD and Microsoft 365 accounts, we link these accounts and provide metadata for activities across domains.  
  • Extended Metadata Retention for Advanced Investigations: With this enhancement, users have the flexibility to select search periods of up to 14 or 30 days, depending on their subscription plan. It's important to note that this extended metadata retention period applies uniformly across all enabled data sources on a tenant, including Network, Azure AD and M365, and others. The extended metadata search period is exclusive to Advanced Investigation and does not apply to Instant Investigation.
  • Added Multi-AD Support: We added support for integrating with more than one Active Directory server for host and account context enrichment and for Active Directory Lockdown of accounts. Host and account details now display context from multiple ADs, and locking an account will disable that account across all of the configured ADs.
  • Added Active Directory Custom Configuration Options: In cases where the UserAccountControl Active Directory attribute is not available to perform Account Lockdown, Vectra AI administrators now have the option to use the AccountExpires attribute for locking network accounts. You also have the option to use the Info attribute to send additional context, such as an incident number, to your Active Directory when performing an Active Directory Lockdown on an account.

For more information on the Vectra AI Platform, check out these resources:

Vectra AI Platform web page

Vectra AI Platform Tour

FAQs