What is XDR?
Network and system protections only tell part of the story. Modern attacks rarely stop at a single endpoint: lateral movement, cloud service abuse, and advanced persistent threats are the norm. XDR, or Extended Detection and Response, extends endpoint and network detection and response (EDR and NDR, respectively) by correlating log, event, and telemetry data from across your environment, so that activity which looks benign on any one sensor can be recognized as part of a larger attack.
Armor XDR Solution
Armor’s XDR solution is a managed, cloud-native, and DevOps-centric solution that provides detection and correlation capabilities across all aspects of your operation. As detailed below, this includes:
- Deployment and configuration of a cloud-native Security Information and Event Management (SIEM) solution
- Deployment and management of detection and correlation models and rules
- Integration of threat intelligence and other enrichment data sources
- Deployment and configuration of analytics tools for threat hunting and rule tuning
- Deployment and management of automation playbooks
Standalone and Full-Service Options
Our XDR solution is typically combined with our SOC solution (collectively XDR+SOC) to ensure that incidents generated by the XDR solution are properly investigated and remediated.
Integrations can include ingesting the logs and telemetry data from a system as well as integrating with a system’s API to perform automated tasks. Below is a list of example system archetypes that can be integrated into the Armor XDR solution. We can integrate with your existing tools or recommend new solutions to fill detection and protection gaps.
Endpoint Protection and Detection
- Anti-Virus and Anti-Malware
- File Integrity Monitoring (FIM)
- Endpoint Log Management
- Vulnerability Scanning
- Host Intrusion Detection (HIDS/IDPS)
- Asset Inventory and CMDB Systems
Network Protection and Detection
- Cloud-Native Network Security Groups and Network ACLs
- On-Premise Network Firewalls
- Network Intrusion Detection (NIDS/IDPS)
- Zero-Trust and Service Mesh Transports
- On-Premise Routing and Switching
Application Protection and Detection
- Web Application Firewalls (WAF)
- Container and Serverless Orchestration/Runtimes
- Application Telemetry
- Vulnerability Scanning
- API Security Scanning
Identity and Access Management Systems
- Cloud-Native IAM and Identity-as-a-Service Providers
- On-Premise Identity Management (such as Active Directory, LDAP, etc.)
Log Source Integrations
Armor works with you to ingest the logs and event data from sources throughout your environments so that those events can be analyzed and correlated in the chosen SIEM platform. This event data is first ingested, then parsed and normalized before being passed through the platform’s various analytics capabilities.
Detection & Correlation Rules
As part of the XDR subscription, Armor provides a library of advanced detection and correlation rules that are designed to run on your chosen SIEM platform. These rules can detect everything from basic indicators to behavioral anomalies and Advanced Persistent Threats (APTs). Additionally, XDR Professional and Enterprise subscribers have access to our team of experts who can craft custom rules for their specific requirements.
Cyber Threat Intelligence (CTI)
Armor provides our XDR subscribers with curated threat intelligence feeds that integrate into the chosen SIEM platform, so that the detection and correlation rules are evaluated against current intelligence. These feeds are published as STIX content delivered over TAXII, the standard format and transport pairing for threat intelligence exchange, and can therefore be consumed by other components of your security stack as well.
In addition to CTI, Armor applies several types of enrichment data depending on the kinds of events a log source produces. These data sources include static datasets that are refreshed periodically according to each dataset's expiry, and dynamic datasets that are queried on demand by a specific enrichment routine and cached until they expire. Examples of enrichment data include:
- Customer-provided asset classification
- Customer-provided user profile information
- Customer-provided network topology information
- IP reputation
- IP metadata (ASN and GeoIP)
- Reverse DNS
- Passive DNS
- Binary hash lookup tables
- Binary static analysis
- Executable dynamic analysis
- Dynamically generated UEBA behavioral profiles
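The ingest, normalize, enrich and correlate pipeline described in the Log Source Integrations, Detection & Correlation Rules and enrichment sections above, as an added example that is not Armor's code or part of the original page. It takes two constructed log sources (OpenSSH-style syslog lines from a hypothetical host "bastion01" and JSON audit events from a hypothetical identity provider "vpn-portal"), maps both onto one common event schema, enriches each event with customer-provided asset classification (a static dataset) and an IP reputation verdict fetched through an expiring cache (a dynamic, on-demand dataset), and then runs a single cross-source correlation rule: repeated failed logons for a source IP and user followed by a successful logon for the same pair, on any integrated source, within a time window. All host names, IP addresses, reputation verdicts and thresholds are invented for the example.

```python
import json
import re
import time
from collections import defaultdict
from datetime import datetime

# Constructed sample input (invented for this example, not real logs).
# Source 1: OpenSSH-style syslog lines from a hypothetical host "bastion01".
SSH_LINES = [
    "2024-03-01T10:00:01Z bastion01 sshd[4012]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "2024-03-01T10:00:04Z bastion01 sshd[4012]: Failed password for admin from 203.0.113.7 port 51240 ssh2",
    "2024-03-01T10:00:09Z bastion01 sshd[4012]: Failed password for admin from 203.0.113.7 port 51251 ssh2",
    "2024-03-01T10:01:00Z bastion01 sshd[4013]: Accepted password for alice from 198.51.100.20 port 40022 ssh2",
]
# Source 2: JSON audit events from a hypothetical cloud identity provider.
IAM_EVENTS = [
    '{"ts": "2024-03-01T10:00:30Z", "actor": "admin", "src_ip": "203.0.113.7", "outcome": "SUCCESS", "app": "vpn-portal"}',
    '{"ts": "2024-03-01T10:02:00Z", "actor": "alice", "src_ip": "198.51.100.20", "outcome": "SUCCESS", "app": "vpn-portal"}',
]
# Customer-provided asset classification: a static enrichment dataset (invented values).
ASSET_CLASS = {"bastion01": "tier1-internet-facing", "vpn-portal": "tier1-identity"}

SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_ts(s):
    # ISO-8601 with a trailing Z; older Pythons need the explicit offset form.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize_ssh(line):
    """Map one sshd line onto the common schema; None for lines this parser does not model."""
    m = SSH_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "source": "sshd", "host": m["host"],
            "user": m["user"], "src_ip": m["ip"],
            "outcome": "failure" if m["result"] == "Failed" else "success"}

def normalize_iam(raw):
    """Map one JSON identity event onto the same schema."""
    e = json.loads(raw)
    return {"ts": parse_ts(e["ts"]), "source": "iam", "host": e["app"],
            "user": e["actor"], "src_ip": e["src_ip"], "outcome": e["outcome"].lower()}

class TtlCache:
    """On-demand enrichment with expiry: fetch(key) runs only when no fresh value is cached."""
    def __init__(self, ttl_s, fetch, clock=time.monotonic):
        self.ttl_s, self.fetch, self.clock, self.store = ttl_s, fetch, clock, {}

    def get(self, key):
        now = self.clock()
        hit = self.store.get(key)
        if hit is not None and now - hit[1] < self.ttl_s:
            return hit[0]
        value = self.fetch(key)
        self.store[key] = (value, now)
        return value

def ip_reputation_lookup(ip):
    # Stand-in for a reputation feed query; the verdicts here are invented.
    return {"203.0.113.7": "known-scanner"}.get(ip, "unknown")

def enrich(event, rep_cache):
    event["asset_class"] = ASSET_CLASS.get(event["host"], "unclassified")
    event["ip_reputation"] = rep_cache.get(event["src_ip"])
    return event

def correlate(events, min_failures=3, window_s=300):
    """Rule: >= min_failures failed logons for (src_ip, user) from any source, then a
    success for the same pair from any source within window_s seconds."""
    failures = defaultdict(list)   # (src_ip, user) -> [(ts, source), ...]
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["src_ip"], e["user"])
        if e["outcome"] == "failure":
            failures[key].append((e["ts"], e["source"]))
            continue
        if e["outcome"] != "success":
            continue
        recent = [(t, s) for t, s in failures[key] if (e["ts"] - t).total_seconds() <= window_s]
        if len(recent) < min_failures:
            continue
        # Enrichment drives severity: a tier-1 asset or a known-bad source IP escalates.
        risky = e["asset_class"].startswith("tier1") or e["ip_reputation"] != "unknown"
        alerts.append({
            "rule": "brute_force_then_success",
            "src_ip": e["src_ip"], "user": e["user"],
            "failures": len(recent),
            "sources": sorted({s for _, s in recent} | {e["source"]}),
            "ip_reputation": e["ip_reputation"], "asset_class": e["asset_class"],
            "severity": "high" if risky else "medium",
        })
        failures[key].clear()  # do not re-alert on the same run of failures
    return alerts

def run():
    rep_cache = TtlCache(ttl_s=3600, fetch=ip_reputation_lookup)
    events = [normalize_ssh(l) for l in SSH_LINES] + [normalize_iam(r) for r in IAM_EVENTS]
    events = [enrich(e, rep_cache) for e in events if e is not None]
    return correlate(events)

if __name__ == "__main__":
    print(json.dumps(run(), indent=2, default=str))
```

The point of the common schema is that the rule never has to know whether a failure came from sshd or from the identity provider: the password guesses land on the bastion host, the eventual success lands on the VPN portal, and only the normalized, time-ordered view joins them. The same structure is what lets a SIEM treat a new log source as a parsing problem rather than a new rule-writing problem.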
Security Orchestration, Automation and Response (SOAR) is an important part of how security operations achieve scale. As patterns emerge in the investigation and response procedures for each type of alert, those steps can be automated so that your teams stay focused on the work that needs human judgement. Armor includes standard automations and integrations, including notifications and ChatOps, and can work with you to build custom automations that address bottlenecks in your security workflows.
Dashboards & Reporting
Understanding your cybersecurity and risk posture is critical. Armor's included library of dashboards and reports, together with our consultative review process, makes this straightforward. In addition to the out-of-the-box library, Armor can work with you to understand your specific requirements and develop custom dashboards and reports that meet them.
Armor’s XDR+SOC solution is deployed with an Infrastructure-as-Code (IaC) model using Terraform (and Terragrunt). This modular approach makes deployments predictable, repeatable, and thoroughly tested, with security best practices built in.
Upon signing up as a customer, you receive access to our IaC libraries and can use the included tooling to integrate continuous deployment of the stack with your existing CI/CD pipeline, or we can manage the deployment for you. Customers can change this preference at any time, for example taking over the pipelines as their DevOps capabilities mature, or outsourcing them in order to dedicate resources to a specific project.
Customers may choose to have Armor manage the initial deployment and application of updates to their XDR solution. This can be deployed using CI/CD tools you already use or Armor can host a pipeline for you and delegate access to it – maintaining end-to-end transparency.
Customers may also choose to manage the deployment and updates themselves. You may reference the step-by-step deployment guides for your chosen cloud:
Shared Responsibility Model
Armor works with our customers (and their partners and providers) to ensure their environments are secure and compliant using a shared responsibility model. This model allows our customers to focus on the aspects of the stack that they are uniquely qualified or positioned to maintain, and rely on Armor to provide the reference architecture and guidance stemming from our expertise.