Netsurion Managed XDR Overview

Netsurion Managed XDR provides advanced threat protection and fulfills many IT regulatory compliance requirements. Netsurion includes an easy-to-deploy, multi-tenant, software-only open XDR platform hosted by Netsurion and managed by Netsurion’s ISO 27001 Security Operations Center (SOC), which is staffed 24x7x365. The solution is delivered both to end-customers and to managed service providers (MSPs), who in turn have their own end-customers. Throughout this Service Description, both are referred to as “Customer”.

The features and descriptions of the Managed XDR solution are listed below:

Threat Monitoring, Security Orchestration, and Notifications

24×7 Monitoring

Netsurion operates 24x7x365 and monitors security telemetry from the log data streams of customer assets. Alerts, incidents, reports, dashboards, and anomaly detections are generated from these data streams at the Netsurion console to identify Indicators of Compromise (IoCs) and Indicators of Attack (IoAs) that may have occurred in the monitored network.

Security Information & Event Management (SIEM)

A foundational component to Netsurion’s Open XDR platform is a SIEM application. The platform collects, standardizes, and stores security event logs, and then examines, reports, and acts upon security alerts pulled from the data in real-time.

Priority 1 (P-1) Alerts

Alerts are a core function of the Netsurion Managed XDR solution. The most critical set of perceived threats are classified as P-1 alerts. P-1s are a set of security or threat related alert conditions that encompass a large array of potential critical or immediate security issues that could occur on most of the common hardware and software used by our mid-enterprise and SMB customers. Netsurion’s XDR platform constantly analyzes the data received from monitored sources to determine whether any security or threat related condition meets defined thresholds. Detected threats are analyzed and correlated with associated activity on the impacted Customer’s systems and network, as well as with data available through external threat information resources. Should a P-1 be determined to be an active threat, the Customer is notified promptly with all necessary detail to address the concern.

P-1s are displayed in the XDR console’s incidents dashboard when triggered and are also included in the various system reports. Notifications are delivered via e-mail, which also allows them to be integrated into the Customer’s own dashboarding/ticketing solution, and are available within the console. Netsurion filters observed false positives to prevent alert fatigue and to ensure Customers are notified only on issues needing their prompt attention. Notification preferences are determined at service initiation and can be updated thereafter.

Customers are provided with a comprehensive pre-defined set of critical and common P-1 types for mid-enterprise and SMB customers, selected by Netsurion.

Priority 2 (P-2) Notifications

Similar to P-1 alerts, Priority 2 (P-2) notifications are derived from data received from Customer-monitored sources. P-2s differ from P-1s in that they comprise conditions that Netsurion determines may be noteworthy and informational for the Customer but are not likely to be critical or immediate security issues or threats. These notifications are available for the Customer to review on the console and in reports.

Notification Tuning

One of the challenges with any security solution, including the Security Information and Event Management (SIEM) component of Netsurion’s Managed XDR solution, is that it requires continuous awareness of what constitutes normal and abnormal activity within each customer’s environment. When a SIEM is first installed, events begin to be collected, and the number of events collected in just a few minutes can be extremely large. Tuning is the process of reducing the “noise”: suppressing events that have no security relevance and making the adjustments necessary to notify on the important events that happen in the customer’s environment. This tuning is a key element of any successful SIEM implementation and is what enables Netsurion’s Managed XDR solution to provide actionable outcomes to customers.

Anomalous Login Detection

Netsurion’s Managed XDR solution includes software that examines login attempts against Windows workstations and servers for patterns indicative of brute force attacks (for example, a burst of failed logins from a single source). When such an attack is detected, an alert is generated. Depending on settings, the software can automatically block the origin of the attack, giving the Customer’s IT team time to react and respond, or a block can be implemented manually after review.
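The detection logic described above, as an added example that is not Netsurion’s code: it counts failed Windows logons (Security event 4625) per source IP and host inside a sliding window, raises an alert when the count reaches a threshold, and raises a higher-severity alert if the same source then logs on successfully (event 4624), since the failures may have found a valid password. The threshold and window are assumed tuning values, the events are constructed, and the firewall rule shown is one possible automated block, not necessarily how the product blocks.

```python
"""Brute-force logon detection over Windows Security events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625    # Windows Security: "An account failed to log on"
SUCCESS_LOGON = 4624   # Windows Security: "An account was successfully logged on"
THRESHOLD = 10         # failures from one source against one host ...
WINDOW = timedelta(minutes=5)  # ... within this sliding window (assumed values)


def detect_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return alerts for (source IP, host) pairs whose failed logons reach
    ``threshold`` inside ``window``, plus a high-severity alert if the same
    source later logs on successfully."""
    recent = defaultdict(deque)   # (src_ip, host) -> timestamps of recent failures
    alerted = set()               # pairs already reported, to avoid alert fatigue
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_ip"], ev["host"])
        if ev["event_id"] == FAILED_LOGON:
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "brute_force", "severity": "medium",
                               "src_ip": ev["src_ip"], "host": ev["host"],
                               "failures": len(q), "first": q[0], "last": ev["ts"]})
        elif ev["event_id"] == SUCCESS_LOGON and key in alerted:
            alerts.append({"type": "brute_force_success", "severity": "high",
                           "src_ip": ev["src_ip"], "host": ev["host"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


def firewall_block_rule(src_ip):
    """One possible automated block (an assumption; the page does not say how
    blocking is implemented): a Windows Defender Firewall inbound deny rule."""
    return ('netsh advfirewall firewall add rule '
            f'name="XDR block {src_ip}" dir=in action=block remoteip={src_ip}')


def sample_events():
    """Constructed telemetry, not real customer data."""
    t0 = datetime(2024, 1, 15, 3, 0, 0)
    ev = []
    # 12 failures in two minutes from one Internet source against SRV01, then a success
    for i in range(12):
        ev.append({"ts": t0 + timedelta(seconds=10 * i), "event_id": FAILED_LOGON,
                   "host": "SRV01", "src_ip": "203.0.113.5", "user": "administrator"})
    ev.append({"ts": t0 + timedelta(minutes=3), "event_id": SUCCESS_LOGON,
               "host": "SRV01", "src_ip": "203.0.113.5", "user": "administrator"})
    # three mistyped passwords from an internal workstation: below threshold
    for i in range(3):
        ev.append({"ts": t0 + timedelta(minutes=i), "event_id": FAILED_LOGON,
                   "host": "WS07", "src_ip": "10.0.0.21", "user": "jdoe"})
    # twelve failures, one every five minutes: never ten inside the window
    for i in range(12):
        ev.append({"ts": t0 + timedelta(minutes=5 * i), "event_id": FAILED_LOGON,
                   "host": "SRV02", "src_ip": "198.51.100.7", "user": "svc_backup"})
    return ev


if __name__ == "__main__":
    for a in detect_brute_force(sample_events()):
        print(a)
        if a["type"] == "brute_force":
            print("  ->", firewall_block_rule(a["src_ip"]))
```

The third sample source shows the limitation of a fixed window: a patient attacker who spaces attempts a few minutes apart never trips this rule, which is why tuning usually pairs a short burst rule with a longer-window or per-account rule.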

User & Entity Behavior Analysis (UEBA)

User and Entity Behavior Analytics (UEBA) uses algorithms to detect anomalies in the behavior not only of the users in a corporate network but also of the routers, servers, and endpoints in that network. UEBA seeks to recognize peculiar or suspicious behavior: deviations from normal everyday patterns or usage. For example, if a particular user on the network regularly logs in to Workstation1 but starts logging into Workstation2, the UEBA system would consider this an anomaly and either alert an IT administrator or, if automations are in place, automatically disconnect that user from the network. UEBA jobs run continuously, and their output is delivered as UEBA detections for further analysis.
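The Workstation1/Workstation2 case above, as an added example that is not Netsurion’s code: a baseline period of successful Windows logons (event 4624) is turned into the set of hosts each user normally uses, and later logons to a host outside that set are flagged. The minimum-logon floor (so a one-off logon does not become “normal”), the event shapes, and all sample events are assumptions or constructed data.

```python
"""Flag a user logging on to a host they have never used (added UEBA example)."""
from collections import defaultdict
from datetime import datetime, timedelta

SUCCESS_LOGON = 4624


def build_baseline(events, min_logons=3):
    """Map each user to the hosts they logged on to at least ``min_logons`` times
    during the baseline period. The floor keeps a one-off logon (a technician
    fixing a machine) from becoming 'normal'; the value is an assumption."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["event_id"] == SUCCESS_LOGON:
            counts[ev["user"]][ev["host"]] += 1
    return {user: {h for h, n in hosts.items() if n >= min_logons}
            for user, hosts in counts.items()}


def detect_new_host_logons(baseline, events):
    """Return one anomaly per (user, host) pair not covered by the baseline."""
    anomalies, reported = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != SUCCESS_LOGON:
            continue
        pair = (ev["user"], ev["host"])
        if pair in reported:            # report each new pairing once
            continue
        known = baseline.get(ev["user"])
        if known is None:
            reason = "no baseline for this user"
        elif ev["host"] in known:
            continue
        else:
            reason = f"user normally logs on to {sorted(known)}"
        reported.add(pair)
        anomalies.append({"user": ev["user"], "host": ev["host"],
                          "ts": ev["ts"], "reason": reason})
    return anomalies


def accept_host(baseline, user, host):
    """Analyst feedback: the pairing was reviewed and is legitimate, so add it
    to the baseline and the same pairing is not flagged again."""
    baseline.setdefault(user, set()).add(host)


def sample_baseline_events():
    """Constructed: ten days of routine logons plus one one-off."""
    t0 = datetime(2024, 1, 1, 8, 0)
    ev = []
    for day in range(10):
        ev.append({"ts": t0 + timedelta(days=day), "event_id": SUCCESS_LOGON,
                   "user": "alice", "host": "WS01"})
        ev.append({"ts": t0 + timedelta(days=day), "event_id": SUCCESS_LOGON,
                   "user": "bob", "host": "WS02"})
    ev.append({"ts": t0 + timedelta(days=3), "event_id": SUCCESS_LOGON,
               "user": "bob", "host": "WS01"})   # below the floor: stays anomalous
    return ev


def sample_live_events():
    """Constructed: the day being monitored."""
    t = datetime(2024, 1, 15, 9, 0)
    mk = lambda m, u, h: {"ts": t + timedelta(minutes=m), "event_id": SUCCESS_LOGON,
                          "user": u, "host": h}
    return [mk(0, "alice", "WS01"),    # normal
            mk(5, "alice", "WS05"),    # new host for alice
            mk(7, "alice", "WS05"),    # same pairing, reported once
            mk(9, "bob", "WS01"),      # seen once in baseline, below the floor
            mk(12, "carol", "WS09")]   # user with no baseline at all


if __name__ == "__main__":
    base = build_baseline(sample_baseline_events())
    for a in detect_new_host_logons(base, sample_live_events()):
        print(a)
```

Whether a flagged logon becomes an alert or an automatic disconnect is a policy decision layered on top of this output; the detection itself only reports the deviation and the baseline it deviates from, which is what an analyst needs to judge it.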

Windows Application Control

Netsurion’s Managed XDR solution provides an optional managed application control capability that provides next-generation endpoint protection in an easy-to-deploy, software-only solution for Windows PCs and servers.

Application Control Service Operating Parameters

Act then Notify – Terminate an unknown/unsafe process immediately upon discovery and then notify the Customer of the action taken. This method grants Netsurion the right to make security decisions but allows the Customer to retain oversight. If a process is found to be safe, the process is moved to the allowed (safe) list, and there is no notification to the Customer if that same process is launched in future. If a process is found to be unsafe, the process is moved to the denied (unsafe) list and is blocked across the Customer’s deployed environment going forward. The Customer is notified according to notification preferences. In cases where the Customer would like to override any action taken by Netsurion, the Customer will need to contact Netsurion to have the action reversed.

Notify then Act – When an unknown or unsafe process is observed, Netsurion will notify the Customer first then await confirmation from the Customer before any action is taken. This method allows security decisions to be made only by the Customer.

Host-Based Intrusion Detection System (HIDS)

For Windows desktops and servers, Netsurion’s Managed XDR solution incorporates a Host-based Intrusion Detection System (HIDS). A sensor installed on the Windows devices continuously monitors incoming and outgoing network traffic to identify suspicious activities. When detected, such activities will cause an event to be generated that is reviewed by the SOC and may result in escalation to the customer by SOC staff.

MacOS and Linux Support

Netsurion’s Managed XDR provides support for MacOS and Linux. The supported versions can be found in the data source integration pages for MacOS and Linux, located here: https://www.netsurion.com/data-source-integrations. Device telemetry is gathered via a Netsurion sensor that must be installed on the MacOS or Linux endpoint. This sensor can be installed directly on each endpoint or distributed via a device management framework like JAMF (a common device management solution for Apple devices). Once installed, the sensor extracts logs containing device telemetry from the secure repository on the Mac or Linux endpoint and transmits them securely to the Netsurion Open XDR Console, where they are processed for security value. Various notifications and dashboards are available to detect user authentication failures, user and group management, command execution, and login/logout activity, which are commonly used to support Security, Compliance, and Operations use cases. The Netsurion MacOS and Linux sensors do not support the application control capabilities found in the Windows agents.

Threat Hunting

Threat Hunting

Threat hunting is included for all Netsurion Managed XDR customers. Confirmed malicious activity on Windows devices with an installed Netsurion agent can be automatically blocked or terminated by the platform if the Customer has directed Netsurion to do so in advance. Threat hunting is characterized by a proactive investigation of known Indicators of Compromise (IoCs) / Indicators of Attack (IoAs), such as bad IPs, hashes, malicious processes and connections, and suspicious identities and access events, contained in the system and security event logs. Standard threat hunting also includes the aggregation and investigation of signals from integrated security technologies and suspicious events to discover new IoAs and IoCs. Netsurion uses information from notification definitions, active watch lists, and various threat feeds to investigate suspect activity and either dismiss it as a false positive or escalate it as a true positive with guidance for remedial action. Threat hunting is performed in association with P-1 alerts.

MITRE ATT&CK Integration

The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target. The tactics and techniques abstraction in the model provides a common taxonomy of individual adversary actions understood by both the offensive and defensive sides of cybersecurity. It also provides an appropriate level of categorization for adversary actions and specific ways of defending against them. The MITRE ATT&CK matrix contains a set of techniques used by adversaries to accomplish a specific objective; those objectives are categorized as tactics in the ATT&CK Matrix. The MITRE ATT&CK framework is integrated directly into Netsurion’s Managed XDR solution and is used for threat hunting and the identification of IoCs and IoAs.

Threat Intelligence Integration

Netsurion Threat Center is a dedicated threat intelligence platform (TIP) used to detect IoCs in customer logs. Threat Center integrates several threat intelligence sources to check the reputation of IP addresses, file hashes, and similar indicators. The XDR platform leverages this threat intelligence to identify, and potentially block, behaviors that may be IoAs.
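The IoC matching described in the Threat Hunting and Threat Intelligence Integration sections, as an added example that is not Threat Center’s code: parsed events are checked against a watch list of IP, CIDR, SHA-256 and domain indicators. It handles the details a naive string compare gets wrong (CIDR-ranged IP indicators, case and whitespace in hashes, subdomains of a listed domain). The feed names, the triage rule in severity(), and all indicators and events are constructed.

```python
"""Match parsed events against a threat-intelligence watch list (added example)."""
import ipaddress


def load_indicators(rows):
    """rows: (type, value, source) tuples. Build lookup structures; IPs that are
    really CIDR blocks go to a separate list so membership can be tested."""
    idx = {"ip": {}, "net": [], "sha256": {}, "domain": {}}
    for kind, value, source in rows:
        if kind == "ip":
            net = ipaddress.ip_network(value.strip(), strict=False)
            if net.num_addresses == 1:
                idx["ip"][str(net.network_address)] = source
            else:
                idx["net"].append((net, source))
        elif kind == "sha256":
            idx["sha256"][value.strip().lower()] = source   # feeds differ in case
        elif kind == "domain":
            idx["domain"][value.strip().lower().rstrip(".")] = source
        else:
            raise ValueError(f"unknown indicator type {kind!r}")
    return idx


def match_ip(idx, ip):
    """Return the feed that lists this IP directly or via a CIDR block, else None."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:          # malformed field in the log: not a match
        return None
    if str(addr) in idx["ip"]:
        return idx["ip"][str(addr)]
    for net, source in idx["net"]:
        if addr in net:
            return source
    return None


def match_domain(idx, domain):
    """Return (indicator, source) for the domain or any parent domain:
    cdn.evil.example matches an indicator for evil.example."""
    labels = domain.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):        # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in idx["domain"]:
            return candidate, idx["domain"][candidate]
    return None


def match_event(idx, ev):
    """Return hits as (field, indicator, source) for one parsed event."""
    hits = []
    for field in ("src_ip", "dst_ip"):
        if ev.get(field):
            source = match_ip(idx, ev[field])
            if source:
                hits.append((field, ev[field], source))
    if ev.get("sha256"):
        h = ev["sha256"].strip().lower()
        if h in idx["sha256"]:
            hits.append(("sha256", h, idx["sha256"][h]))
    if ev.get("domain"):
        m = match_domain(idx, ev["domain"])
        if m:
            hits.append(("domain", m[0], m[1]))
    return hits


def severity(hits):
    """Assumed triage rule: a known-bad file hash on a host outranks a network
    indicator, which may only be a scan or a blocked connection."""
    if not hits:
        return None
    return "high" if any(f == "sha256" for f, _, _ in hits) else "medium"


# Constructed watch list and events (documentation-range IPs, placeholder hash).
SAMPLE_INDICATORS = [
    ("ip", "203.0.113.50", "feed-a"),
    ("ip", "198.51.100.0/24", "feed-b"),
    ("sha256", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "feed-a"),
    ("domain", "evil.example", "feed-c"),
]
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "198.51.100.77"},
    {"id": 2, "host": "WS07",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 "},
    {"id": 3, "domain": "cdn.evil.example."},
    {"id": 4, "src_ip": "10.0.0.9", "dst_ip": "93.184.216.34", "domain": "example.com"},
]

if __name__ == "__main__":
    idx = load_indicators(SAMPLE_INDICATORS)
    for ev in SAMPLE_EVENTS:
        hits = match_event(idx, ev)
        print(ev["id"], severity(hits), hits)
```

Each hit carries the feed it came from, which matters for the analyst’s false-positive decision: a hit from a single low-confidence feed is treated differently from one corroborated by several.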

Data Sources

Data Source Integrations & Detections Library

Netsurion’s Managed XDR solution ingests, parses, and alerts on incoming security telemetry to identify potential threats discovered in the system information, events, and log data from various data sources. Netsurion has created a library of data source integrations to cover a wide array of telemetry including, but not limited to, workstations, servers, network devices, applications, cloud-hosted applications, etc. Our Enterprise Customers can use as many or as few data source integrations as necessary and Netsurion will work with the customer to potentially develop new data source integrations if a customer has a data source for which there is no existing Netsurion integration.

Essentials Customers are provided with a pre-defined set of the most critical and common Data Source Integrations for SMBs, selected by Netsurion. Additional Integrations are available for a fee. A list of Data Source Integrations available for Essentials is at www.netsurion.com/service-description/mxdr/essentials.

Enterprise Customers can deploy an unlimited number of Data Source Integrations. Netsurion’s extensive library of Data Source Integrations is available at www.netsurion.com/data-source-integrations.

Dashboards and Reports

Threat and Incident Review Report

Netsurion’s Managed XDR solution provides an optional Threat and Incident Review Report (TIRR) that summarizes and categorizes all incidents (P-1s and P-2s) in the reporting window. The report identifies incidents with risk scores of Critical, Serious, or High, as per defined procedures. The TIRR provides details and context of the incidents observed and recommends any remediation action that needs to be taken by the Customer. Netsurion analysts are also available to answer questions and provide support for incident review and forensics, audit assistance, etc. The reports can be generated at a Customer’s convenience and provide an excellent overview with observations of all incidents, critical or otherwise noteworthy, that occurred in the customers’ network. 

Security and Compliance Reports and Dashboards

Netsurion’s Managed XDR solution helps meet the requirements of numerous compliance standards, including establishing network baselines, tracking user activity, alerting on potential violations, and generating audit-ready reports. Log and security data is received, parsed, and retained for at least 400 days (provided the Customer remains an active Managed XDR customer). Predefined detailed audit ready reports and dashboards are provided for twenty-six compliance standards. Reports are accessible via the Netsurion Managed XDR console, where they can be reviewed and/or downloaded.

Customer Admins

All Customer Admins are provided role-based access control (RBAC) to the Netsurion Managed XDR console to review their alerts, reports, and dashboards as well as perform log searches. The Customer Admin is responsible for assigning roles to their end-customers.

Optional Security Services

Vulnerability Management (Optional)

Vulnerability management is the process of identifying and prioritizing security weaknesses and flaws in systems and the software running on them. Netsurion includes the option of a Netsurion-hosted vulnerability scanner that identifies and inventories all systems connected to a network at the time of the scan. For each device it finds, the scanner also attempts to identify the operating system, the software installed on it, and other attributes such as open ports and user accounts. After building the inventory, the scanner checks each item against one or more databases of known vulnerabilities. The result is a list of all systems found and identified on the network, highlighting any that have known vulnerabilities and need attention. Netsurion’s SOC and the Customer mutually identify and group assets in the Customer’s environment for vulnerability management. The scanning schedule is determined at installation, and a vulnerability management report is integrated into the reports dashboard of Netsurion’s Enterprise service. Results, trends, and remediation recommendations are also summarized for review in the Executive Summary report. Customers can also provide Netsurion the results of any vulnerability scanner they have already implemented.

The service description of Netsurion’s Vulnerability Management solution can be found here: www.netsurion.com/service-description/vulnerability-management.

Managed Endpoint Security (Optional)

While Netsurion’s open XDR architecture allows us to ingest and leverage telemetry from your preferred Endpoint Detection and Response (EDR) solution, Netsurion offers an optional managed EDR solution as well, powered by Deep Instinct (www.deepinstinct.com). With Netsurion Managed Endpoint Security, we consolidate the price of Deep Instinct into our billing, manage the deployment of it to your endpoints, provide ongoing management, and provide Deep Instinct dashboards integrated into our XDR console.

The service description of Netsurion’s Managed Endpoint Security solution can be found here: www.netsurion.com/service-description/endpoint-security

Hosting and Log Storage

Customer-Hosted Application Monitoring and Maintenance

For customers who host their Netsurion Open XDR instance on-premise or in their own data centers, Netsurion provides monitoring of the instance to ensure operational integrity. With Customer’s authorization, Netsurion can update its applications remotely as needed. The hardware, licensing, and OS patching of the server that the Netsurion Open XDR instance is installed on is the responsibility of the Customer. However, as part of the monitoring process, if issues are discovered Netsurion will notify the customer and make remediation recommendations.

Netsurion Hosting, Health Checks and Platform Tech Support

Netsurion’s XDR services are cloud-native and hosted by Netsurion. Netsurion maintains SOC 2 Type 2 (www.netsurion.com/company/soc-2-type-2) and GDPR compliant datacenters to host instances of our Managed XDR solution for customers. For all hosted instances, Netsurion engineers provide server OS licensing, patch management and backup, and 24x7x365 health monitoring, maintenance, and capacity analysis functions for the Netsurion application.

Log Retention

To meet customer compliance and audit requirements, Netsurion stores all log data for at least 400 days, provided the Customer remains an active Managed XDR customer. Unlimited raw log data is stored, based on age, in hot (local SSD, days 1-35), warm (local spindle disk, days 36-90), and cold (AWS Glacier, days 91-400) tiers.

Customers canceling their Managed XDR services with Netsurion can request their log data up to 30 days following the effective date of cancelation. All log data is purged after the 30-day mark and is unavailable thereafter.

Log Retention – Extended (Enterprise Only – Optional)

An optional service available for Enterprise Customers that extends standard customer log storage duration from 400 days to seven (7) years.

Log Searching

All received log data is indexed using an extensible Common Indexing Model (CIM) and stored on high-speed solid-state drives for a period of thirty-five (35) days. Customers may use the user interface to search for log data and thereafter drill down, pivot, time slice, and include/exclude the results. A combination of log source, time, detected fields, and pattern matching is available as search criteria. Search criteria can be saved for future use. Data that is 36-90 days old is available on spindle-based disk and can be searched. Search results can also be exported to a file.

Log Extraction by Customer (Enterprise Only – Optional)

For Enterprise Customers, any log data searched for as described above can be exported via download from the Netsurion Open XDR console. Exported log files are available in Excel format.

Customer Care

Assigned Customer Success Team (Enterprise Only)

Each Enterprise Customer is supported by a Client Services professional who works with the Customer to ensure they are receiving the tools and support needed to achieve their goals from their Netsurion relationship. The Client Services team has an in-depth understanding of use cases and of customer preferences regarding Netsurion’s Managed XDR solution, and its members act as liaisons and customer advocates with other Netsurion teams such as Sales, Marketing, and Product Development.

End-user Training

Training on the navigation and use of Netsurion’s Open XDR console is available both online via video modules and our document repository and/or can be delivered directly by a Netsurion trainer if requested.

On-boarding Services

The Essentials set up process for a new Partner typically takes 1-2 days. Once the link to the Netsurion agent portal is emailed to the Partner, the partner can immediately access and deploy those agents at their end customers.

The onboarding process for a new Enterprise Customer typically takes between 45 and 60 days. This duration is highly dependent on the level of engagement by the Customer and can often be completed more quickly with focused Customer resources. The onboarding process requires the Customer to provide a list of the assets to be covered by Netsurion, deploy Windows agents and sensors for Linux and MacOS, configure log forwarding for other supported network devices or endpoints within the Customer’s network, determine alerting instructions, and review reporting needs. All these items are reviewed and discussed during the initial kick-off call, and the Customer is guided step by step through the implementation process in the onboarding meetings thereafter.

Offline (non-reporting) Systems

When a reporting device begins to transmit telemetry to the Netsurion Open XDR platform, a corresponding license is consumed and the unique identity of the reporting device/source is registered. The most common types of reporting source are Windows devices (via a Netsurion agent installed on the device), Linux and MacOS devices (via a Netsurion sensor installed on the device), syslog forwarding from network devices and other endpoints, and APIs (including AWS/Azure, SentinelOne, Meraki cloud, M365, etc.). The Netsurion Windows agent emits a heartbeat message every five (5) minutes to identify itself as online. Data is received from syslog and API based sources in real time as events in those log sources occur, so the absence of data from such a source does not by itself indicate that it is offline. The Netsurion Open XDR platform maintains a “last message received” timestamp for all registered reporting devices.

It is common for reporting devices to go offline due to normal activity on the Customer’s network. Devices may go offline and stop sending telemetry to the Netsurion Open XDR platform for several reasons, such as being decommissioned, powered off, or disconnected from the Customer’s network (as in the case of a laptop), or due to a network blockage on the Customer’s network such as a firewall rule that prevents logs from being sent to Netsurion. It is the Customer’s responsibility to ensure that all devices they wish to send telemetry to Netsurion are online, and the Customer understands that Netsurion is unable to remotely bring offline devices back online.

An offline systems report is available to the Customer that shows all reporting devices that have been offline for seven (7) or more days as of the time of report generation. This report can be generated by the Customer at any time from the Netsurion Open XDR Console.

Reporting devices that are offline will continue to consume the assigned license until the customer formally notifies Netsurion that the device has been decommissioned.
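The offline-systems logic described in this section, as an added example that is not Netsurion’s code: it applies the stated rules (a Windows agent heartbeats every five minutes, syslog and API sources only send data when events occur, the platform keeps a “last message received” time per registered source, the offline report lists sources silent for seven days, and a silent device keeps consuming its license until it is formally decommissioned). The registry entries are constructed, and the missed-heartbeat early-warning threshold is an assumption, not a product feature the page describes.

```python
"""Offline (non-reporting) device report from last-message timestamps (added example)."""
from datetime import datetime, timedelta

HEARTBEAT = timedelta(minutes=5)          # Windows agent heartbeat interval
OFFLINE_REPORT_AGE = timedelta(days=7)    # threshold used by the offline systems report


def offline_report(sources, now, min_age=OFFLINE_REPORT_AGE):
    """Sources of any kind with no message for ``min_age`` or longer, longest-silent first.
    The report also shows whether the silent source still consumes a license."""
    rows = [(now - s["last_seen"], s) for s in sources if now - s["last_seen"] >= min_age]
    return [{"id": s["id"], "kind": s["kind"], "days_silent": age.days,
             "license_consumed": not s.get("decommissioned", False)}
            for age, s in sorted(rows, key=lambda r: r[0], reverse=True)]


def missed_heartbeats(sources, now, missed=3):
    """Early warning for Windows agents only (assumed threshold): an agent that has
    missed ``missed`` consecutive heartbeats. Deliberately not applied to syslog
    and API sources, whose silence is normal whenever nothing is being logged."""
    return [s["id"] for s in sources
            if s["kind"] == "windows_agent" and now - s["last_seen"] > HEARTBEAT * missed]


def decommission(sources, source_id):
    """Customer formally retires a device: release its license. Returns False if
    the id is not a registered source."""
    for s in sources:
        if s["id"] == source_id:
            s["decommissioned"] = True
            return True
    return False


# Constructed registry; NOW is fixed so the example is deterministic.
NOW = datetime(2024, 3, 1, 12, 0)
SAMPLE_SOURCES = [
    {"id": "WS01", "kind": "windows_agent", "last_seen": NOW - timedelta(minutes=4)},
    {"id": "WS02", "kind": "windows_agent", "last_seen": NOW - timedelta(minutes=40)},   # laptop left the office
    {"id": "SRV-OLD", "kind": "windows_agent", "last_seen": NOW - timedelta(days=21)},   # retired, never reported
    {"id": "FW-EDGE", "kind": "syslog", "last_seen": NOW - timedelta(hours=6)},          # quiet, not offline
    {"id": "FW-BRANCH", "kind": "syslog", "last_seen": NOW - timedelta(days=8)},         # new firewall rule blocking syslog?
    {"id": "M365", "kind": "api", "last_seen": NOW - timedelta(minutes=1)},
]

if __name__ == "__main__":
    print("agents missing heartbeats:", missed_heartbeats(SAMPLE_SOURCES, NOW))
    for row in offline_report(SAMPLE_SOURCES, NOW):
        print(row)
```

The distinction between source kinds is the practical point: an agent that stops heartbeating is a fact about the endpoint within minutes, while a syslog source that goes quiet for a day may simply have nothing to say, so only the seven-day report treats both the same way.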

Netsurion SOC Support Contact Info and Service-Level Objectives

Enterprise Customers may contact the Netsurion SOC via e-mail at [email protected] or telephone (877) 333-1433, option 1, option 1.

Enterprise MSP Partners may contact the Netsurion SOC via email at [email protected] or via telephone (877) 333-1433, option 1, option 2.

Essentials Customers may contact the Netsurion SOC via email at [email protected] or via telephone (877) 333-1433, option 1, option 3.

The SLO for acknowledgement of receipt of customer emails is 15 minutes.

Support requests are to be submitted via a ticket and are categorized as Urgent, High, or Low by the Customer, Netsurion SOC Manager or Team Leads depending on the nature of the issue being reported. The corresponding service-level objectives (SLOs) are below. Please note that these SLOs pertain to support inquiries only and customer notifications associated with critical security issues will occur within fifteen (15) minutes as noted above:

Severity   Response SLO                    Resolution SLO
Urgent     1 business hour from receipt    1 business day from receipt
High       4 business hours from receipt   3 business days from receipt
Low        8 business hours from receipt   5 business days from receipt

Service Package Comparison

Netsurion Managed XDR                              Essentials    Enterprise

Core Services
  24×7 Security Monitoring
  24×7 Support
  Custom Selection of Priority-1 Alerts            Fixed*
  Threat Hunting
  Threat Hunting Report
  Console Reporting Engine
  Compliance Reports                               Standard*     Full
  Monthly Services Review Meeting

Technology
  Anomalous Login Detection
  Centralized Log Management
  Host-Based Intrusion Detection System (HIDS)
  MITRE ATT&CK Integration
  Security Orchestration & Automation
  SIEM
  Threat Intelligence Platform (TIP)
  User & Entity Behavior Analysis (UEBA)
  Windows Application Control (via Windows agent)
  Data Source Integrations                         Standard*     Full

Implementation & Customer Success
  Data Source & Notifications Tuning
  Live and On-Demand End-User Training
  Log Retention – 400 Days
  Platform Technical Support
  Netsurion-Hosting & Health Check Available
  Assigned Customer Success Team                                 Enterprise only
  Implementation Project Management

Available Options
  Managed Endpoint Protection Security
  Vulnerability Management
  Incident and Audit Support
  Log Extraction by Customer                                     Enterprise only
  Log Retention – Extended                                       Enterprise only