MDR Shared Responsibility Model
Armor works with our customers (and their partners and providers) to ensure their environments are secure and compliant using a shared responsibility model. This model allows our customers to focus on the aspects of the stack that they are uniquely qualified or positioned to maintain, and rely on Armor to provide the reference architecture and guidance stemming from our expertise.
As a security best practice, Armor will not have direct access to your environment beyond the permission set required to deploy and maintain the portions of the solution for which Armor is responsible. Armor will provide support and guidance, working with you and the relevant vendors, so that you are able to manage the portions of the solution for which you are responsible.
Armor’s Responsibilities
Armor is responsible for providing the Infrastructure-as-Code (IaC) reference architecture and solution templates that can be used to deploy and update the solution stack, ensuring that they comply with current best practice standards. This includes:
- The infrastructure code for the deployment of:
  - Any required infrastructure and cloud services
  - Armor’s rule library and custom-developed rules
  - Automation and analytics playbooks
  - Dashboards and reporting workbooks
- The content library and support for:
  - Detection and correlation rules
  - Threat hunting playbooks
  - Curated threat intelligence feeds
- The documentation for:
  - Deploying log collectors (where needed)
  - Schema definitions for log events
Once the solution is fully deployed and begins emitting alerts that require investigation, Armor is responsible for triaging and investigating those alerts, following our Incident Response Plan (IRP) and within our Service Level Agreement (SLA). Armor will provide detection, investigation, mitigation and remediation guidance, and strategies for improving your security posture. Implementing that guidance and those suggestions is the responsibility of the customer (see below).
Customer’s Responsibilities
As our customer, it is your responsibility to ensure that the devices Armor is monitoring are properly sending logs and events to the XDR+SOC platform. This includes:
- Configuring devices so that their output matches Armor-defined schemas
- Deploying log collectors (where required)
- Ensuring proper, secure network connectivity between your cloud environment and on-premises networks
- Ensuring that Armor maintains access to the environment in which the XDR+SOC stack is deployed (credentials, network connectivity, etc.)
- Facilitating any required change management processes for the application of updates to the stack
With regard to incident response, Armor may require additional context and insight that is known only to the customer (or that it is not reasonable for Armor to discover on its own). In such cases, Armor will respond on the support ticket created to track the incident, requesting the additional information. It is important that the customer respond promptly to such inquiries to ensure the timely remediation of security incidents.
Furthermore, once Armor has triaged and investigated an incident, we will provide mitigation and remediation guidance, as well as suggested strategies to help improve your security posture. Because Armor’s concrete experience with your specific infrastructure and devices is limited, and because, as a security principle, Armor will not have direct access to your environment, the responsibility for implementing such guidance and suggestions is yours.
Shared Responsibilities
Customers may choose to have Armor manage the deployment and maintenance of the XDR+SOC stack, or may choose to deploy and manage it themselves (most commonly to integrate it with an existing CI/CD and infrastructure-as-code pipeline). The segmentation of responsibilities varies based on this choice; the following items are the responsibility of whichever party owns deployment and management of the stack:
- Ensure that infrastructure and content updates are deployed when available
- Ensure the subscribed XDR+SOC capabilities are operational
In cases where the customer has chosen to own the deployment and management of the stack, Armor (through its standard support channels) is available to provide guidance and assistance if needed.