What is
...
MDR?
Network and system protections only tell part of the story. Modern cybersecurity threats involve compromising more than just a single endpoint – lateral movement, cloud service exploits, and advanced persistent threats are the new norm. XDR or Extended Detection and Response extends endpoint and network detection and response (EDR and NDR respectively) and correlates log event and telemetry data from across your environment to deliver comprehensive security insights to detect even the most advanced threats.
Armor
...
MDR Solution
Armor’s XDR MDR solution is a managed, cloud-native, and DevOps-centric solution that provides detection and correlation capabilities across all aspects of your operation. As detailed below, this includes:
Deployment and configuration of a cloud-native Security Information and Event Management (SIEM) solution
Deployment and management of detection and correlation models and rules
Integration of threat intelligence and other enrichment data sources
Deployment and configuration of analytics tools for threat hunting and rule tuning
Deployment and management of automation playbooks
Standalone and Full-Service Options
Our XDR MDR solution is typically combined with our SOC solution (collectively XDR+powered by our expert Security Operations Centre (SOC) to ensure that incidents generated by the XDR MDR solution are properly investigated and remediated.
Read more about our managed SOC solution
...
Integrations
Integrations can include ingesting the logs and telemetry data from a system as well as integrating with a system’s API to perform automated tasks. Below is a list of example system archetypes that can be integrated into the Armor XDR MDR solution. We can integrate with your existing tools or recommend new solutions to fill detection and protection gaps.
Endpoint Protection and Detection
Anti-Virus and Anti-Malware
File Integrity Monitoring (FIM)
Endpoint Log Management
Vulnerability Scanning
Host Intrusion Detection (HIDS/IDPS)
Asset Inventory and CMDB Systems
Network Protection and Detection
Firewalls
Cloud-Native Network Security Groups and Network ACLs
On-Premise Network Firewalls
Network Intrusion Detection (NIDS/IDPS)
Zero-Trust and Service Mesh Transports
On-Premise Routing and Switching
Application Protection and Detection
Web Application Firewalls (WAF)
Container and Serverless Orchestration/Runtimes
Application Telemetry
Vulnerability Scanning
API Security Scanning
Identity and Access Management Systems
Cloud-Native IAM and Identity-as-a-Service Providers
On-Premise Identity Management (such as Active Directory, LDAP, etc.)
...
Log Source Integrations
Armor works with you to ingest the logs and event data from sources throughout your environments so that those events can be analyzed and correlated in the chosen SIEM platform. This event data is first ingested, then parsed and normalized before being passed through the platform’s various analytics capabilities.
Read more about log source integrations
...
Detection & Correlation Rules
As part of the XDR Armor MDR subscription, Armor provides a library of advanced detection and correlation rules that are designed to run on your chosen SIEM platform. These rules can detect everything from basic indicators to behavioral anomalies and Advanced Persistent Threats (APTs). Additionally, XDR Professional and Enterprise subscribers have access to customers can leverage Armor Professional Services to access our team of experts who can craft custom rules for their specific requirements.
Read more about our detection and correlation rules
...
Cyber Threat Intelligence (CTI)
Armor provides our XDR MDR subscribers with curated feeds of threat intelligence data that integrate into the chosen SIEM platform to ensure that it has the latest intelligence upon which our detection and correlation assertions are based. These feeds use the standard STIX/TAXII protocol and can be integrated into other aspects of your security stack as well.
Read more about our threat intelligence feeds
...
Enrichment
In addition to CTI, Armor utilizes several types of enrichment data depending on the types of events that a log source produces. These data sources include both static databases that are periodically updated based on each dataset’s expiry and dynamic, on-demand datasets that are polled as-needed by a specific enrichment routine. Some examples of types of enrichment data include:
Customer-provided asset classification
Customer-provided user profile information
Customer-provided network topology information
IP reputation
IP metadata (ASN and GeoIP)
Reverse DNS
Passive DNS
Binary hash lookup tables
Binary static analysis
Executable dynamic analysis
Dynamically generated UEBA behavioral profiles
...
SOAR
Security Orchestration and Automated Response (SOAR) is an important part of how security operations can achieve scale. As patterns emerge in the investigation and response procedures for each type of alert, these tasks can be automated to ensure your teams are focused on the work that matters. Armor includes standard automations and integrations including notifications and ChatOps, and can work with you to build custom automations that will address security workflow bottlenecks.
Read more about our orchestration and automated response capabilities
...
Dashboards & Reporting
Understanding your cybersecurity and risk posture is critical. Armor’s included library of dashboards and reports, and our consultative review process makes this easy. In addition to our out-of-the-box library, Armor can work with you to understand your specific requirements and develop custom dashboards and reports that meet those needs.
Read more about dashboards and reporting
...
Deployment Model
Armor’s XDR+SOC MDR solution is deployed with an Infrastructure-as-Code (IaC) model using Terraform (and Terragrunt). This modular approach ensures that deployments are predictable, repeatable, thoroughly-tested, and have security best practices built-in.
Read more about Armor’s IaC deployment model
Upon signing up as a customer, you will receive access to our IaC libraries and can use the included tools to integrate the continuous deployment of the stack with your existing CI/CD pipeline, or we’re happy to manage the deployment for you. Customers can change this preference at any time – for example, taking over pipelines as their DevOps capabilities mature, or out-sourcing in order to dedicate resources to a specific project.
Armor-Managed Deployments
Customers may choose to have Armor manage the initial deployment and application of updates to their XDR MDR solution. This can be deployed using CI/CD tools you already use or Armor can host a pipeline for you and delegate access to it – maintaining end-to-end transparency.
Customer-Managed Deployments
Customers may also choose to manage the deployment and updates themselves. You may reference the step-by-step deployment guides for your chosen cloud:
- Deployment Guide
- AWS Deployment Guide
- GCP
Additionally, there are several guides available with step-by-step instructions for setting up CI/CD pipelines in various platforms such as GitHub Actions, Azure DevOps, GitLab, CircleCI, and more.
...
Shared Responsibility Model
Armor works with our customers (and their partners and providers) to ensure their environments are secure and compliant using a shared responsibility model. This model allows our customers to focus on the aspects of the stack that they are uniquely qualified or positioned to maintain, and rely on Armor to provide the reference architecture and guidance stemming from our expertise.