XDR

Stop attacks other solutions miss, powered by Blueshift



KMT XDR Overview

KMT XDR (Extended Detection and Response) is an affordable, highly automated SOC-as-a-Service platform that simplifies and extends security visibility and management across your entire organization.

KMT fuses leading technology with hands-on cybersecurity expertise to actively protect your organization in today's rapidly evolving threat landscape. KMT XDR combines advanced deep packet inspection of network data with comprehensive security event logging and vulnerability detection to gain a complete view of your IT infrastructure. We further apply threat intelligence, anomaly detection and deception technology to automatically detect and block potential intrusions and to significantly reduce alert volumes. Additional automation and filtering distill the alerts down to a meaningful and manageable total, which is constantly analyzed and reviewed by the KMT 24-7-365 US based SOC: seasoned industry experts with the knowledge of context, tactics, and behavior needed to diagnose and resolve real threats.


KMT XDR Suite Features

24/7 U.S. SOC

U.S. based 24x7 security operations including threat hunting, forensic investigations, and remediation recommendations.

Network Detection & Response

Extend packet layer detection and response to any device connected to the network. Ideal for detecting advanced threats that bypass EDR or the Firewall and for protecting devices that cannot support an agent.

SIEM + SOAR

KMT's fully managed SIEM + SOAR shortens the response time to the most critical cybersecurity alerts, the ones putting your organization at risk.

Cloud Monitoring

Comprehensive monitoring of all leading Cloud environments including Azure, Google Cloud, AWS, and Office 365.

Vulnerability Detection

Agentless vulnerability scanning for all network devices and agent-based vulnerability detection for all endpoints and servers wherever they reside - on-premises, at home, or in the cloud.

Cybersecurity for Remote Teams

KMT XDR agent uploads security incident and event logs for remote users to the on-prem Analysis Edge Node via a secure cloud connection broker.

EDR Integrations

KMT XDR is integrated with leading EDR solutions such as SentinelOne, Sophos, Windows Defender, Malwarebytes, Symantec, and CrowdStrike.



KMT XDR Platform Supporting Technology

Security Operation Center (SOC)

KMT's SOC is a virtual operation that is hosted in Amazon Web Services (AWS). Access to systems hosted in our virtual SOC is tightly controlled and logged through 2FA VPN access, ED25519 key exchanges and hardware OTP keys. While KMT does maintain secure areas at our corporate headquarters for SOC operations, our platform is designed for zero-trust, virtual SOC operations from anywhere in the world, allowing our analysts to work remotely at any time for any reason.

Cyber Threat Edge Nodes

Analytics Nodes

The analytics nodes are the brains of the KMT XDR system. They securely collect and store data from both the PCAP nodes and the XDR Agents, for real-time and historical analysis and for archival purposes. Analytics nodes can be clustered for both added compute capacity and added redundancy. Customers can receive credentials for read-only access to the system dashboards and reporting features.

Analytics nodes can be run in the cloud, on customer COTS hardware, or can be purchased pre-configured from KMT and/or its partners. They run a hardened version of the Linux operating system (Ubuntu 20.04 LTS Server). No customer or third-party access is allowed to the device via SSH. Only authorized KMT personnel with proper credentials to access our SOC are allowed to access the device via our zero-trust agent.

Each Analytics Node is uniquely keyed at provisioning with KMT's PKI infrastructure, which allows that node to securely communicate with our SOC via non-publicly available APIs. Keys consist of both pre-shared keys (PSK) and signed 4096-bit RSA public/private key pairs.

In addition, each device is given both a unique device ID and an API key at provisioning to further secure access to our API infrastructure.

Lastly, each node shares a unique ED25519 SSH key exchange with our SOC infrastructure, so all access to the node data from our SOC is double-encrypted.

PCAP Nodes

KMT's PCAP Nodes can be run on customers' COTS hardware or purchased pre-configured from KMT and/or its partners. They run a hardened version of the Linux operating system (Ubuntu 20.04 LTS Server). No customer or third-party access is allowed to the device via SSH. Only authorized KMT personnel with proper credentials to access our SOC are allowed to access the device via our agent.

Each node is uniquely keyed at provisioning with KMT's PKI infrastructure, which allows that node to securely communicate with our SOC via non-publicly available APIs. Keys consist of both pre-shared keys (PSK) and signed 4096-bit RSA public/private key pairs. In addition, each device is given both a unique device ID and an API key at provisioning to further secure access to our API infrastructure.

Lastly, each node shares a unique ED25519 SSH key exchange with our SOC infrastructure, so all access to the node data from our SOC is double-encrypted.

PCAP Nodes ingest and decode network traffic and feed that decoded traffic securely to the Analytics node. Additional services such as intrusion detection and prevention, deception, vulnerability scanning and threat intelligence are provided by the PCAP nodes.

Full Nodes

All in one combined Analytics and PCAP Node.

SIEM Agents

KMT XDR has the ability to ingest data from agents installed on endpoints throughout the organization, regardless of where those endpoints are physically located. Agents are available for Microsoft Windows, Linux, macOS, Solaris, and AIX. The low-memory, low-CPU-footprint agents allow the Analytics node to collect and analyze log and security event data, file and registry changes, system inventory, network configurations, vulnerability data, Sysmon, and other security-related telemetry for analysis by the SOC.

Cloud

KMT XDR can monitor cloud infrastructures in several ways. For Amazon EC2, Azure Virtual Machines, Google Cloud Platform Virtual Machines and Digital Ocean Droplets, the XDR agent can be installed directly on the virtual instances. In addition, through API integration, KMT XDR can monitor the platform environment for Amazon AWS, Google Cloud Platform, Microsoft Azure and Azure AD.

Cloud Connection Broker

Securely uploads SIEM logs from remote / work from home users to the KMT Analytics Node.

Dashboards and Reporting

The XDR platform includes monthly automated reporting, provides read-only access to dashboards, and allows dashboard reports to be emailed on a frequency chosen by the customer. IT staff are notified of events based on their preferred method, and related tickets are created and tracked via the KMT Help Desk. IT staff can, at their option, securely log in via VPN and view the on-premises back-end dashboards. Access to the new Incident Response Portal is also available in order to view automated push alerts.

Management Console

KMT also offers a web based, multi-tenant management console that displays aggregate alert and threat data over a defined time period. The KMT Management Console provides a comprehensive view of your entire secured environment and shows real-time insights into how KMT is identifying and blocking cyber adversaries attempting to gain access to your IT infrastructure, including monthly reports and real-time access to:

  • Protected Devices
  • Blocked Attacks
  • Blocked Malicious Connections
  • Network Risk Score
  • SOC Alert Trends
  • Vulnerability Trends
  • Agent Alert Trends


KMT Advantages

  • US Based SOC - All SOC analysts are US Citizens and highly trained.
  • White Glove Security Operations Service - No training of IT staff is required.
  • Unlimited logging -all security logs remain on-prem and may be archived forever.
  • Ease of installation - pre-provisioned and pre-configured edge nodes install almost instantly.
  • Advanced SOAR automation - applied to network alerts, it provides immediate risk reduction and prevents SOC alert fatigue. Extensive use of automation applied to packet data to detect and block malicious connections includes:
      • Threat Intelligence
      • IDPS Engine
      • External and Internal Deception
      • Network Security Monitoring
      • Network Vulnerability Detection
  • Affordable - Extensive use of open source components reduces development and support cost without sacrificing visibility and response (Wazuh SIEM agents, Kibana dashboards, Suricata IDPS engine, OpenSearch back-end).


100% Security as a Service

The entire XDR platform is delivered, monitored and maintained as a service by KMT and the SOC. All alerts are handled by the SOC and customers are notified when anomalies are detected with recommended remediation instructions and what actions have already been taken by the SOC to isolate the issue.

All services offered by KMT are included in the monthly / annual subscription. There is no separate fee required for installation services or on-going SOC support. Those services include, but are not limited to:
  • On-boarding and installation assistance
  • 24x7 monitoring & alerting
  • Hypothesis-based threat hunting
  • Help Desk Support
  • Remediation recommendations
  • Custom Reports (limit 2 hours engineering per report)
  • Weekly / Monthly Security Reviews

The following is an example of a sample security alert report:

Timestamp: December 8th 2022 16:48
Subject: Suspicious SSH Login Attempts
Severity: High

Affected Devices:
X.X.X.X-name, X.X.X.X

Incident Details:
KMT has identified over 100 unique addresses that are currently attempting SSH brute force attacks against an externally-facing SSH server in your environment at IP: (X.X.X.X). At the present time, no attempts have been successful. Currently these external addresses are trying to authenticate with random username/password combinations that include usernames that do not exist on your server. These attacks are persistent and may not stop until countermeasures are put in place.

Recommendations:
  • Block all external SSH connections with a default deny rule. Explicitly allow only trusted IP addresses that require access to your SSH server.
  • Implement account lock-out after 3 failed login attempts.
  • Implement two-factor authentication for all accounts.
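The sample report above describes the pattern the SOC flagged: many external sources, random credentials, and usernames that do not exist on the host. The detection logic below is an added example, not KMT's own code; it runs over constructed OpenSSH auth log lines, and the thresholds (100 unique sources, mirroring the report's figure, and 5 failures per source) are assumptions.

```python
import re
from collections import Counter, defaultdict
# OpenSSH "Failed password" lines; the "invalid user" prefix marks usernames
# that do not exist on the host, which the sample alert calls out.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def summarize_ssh_failures(lines, unique_src_threshold=100, per_src_threshold=5):
    """Summarize failed SSH logins from sshd auth log lines. Thresholds are
    assumptions (unique_src_threshold mirrors the report's 'over 100 unique addresses')."""
    per_src = Counter()
    users_per_src = defaultdict(set)
    invalid_user_attempts = 0
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:  # accepted logins, PAM lines and unrelated noise are skipped
            continue
        per_src[m["src"]] += 1
        users_per_src[m["src"]].add(m["user"])
        if m["invalid"]:
            invalid_user_attempts += 1
    brute_force = sorted(s for s, n in per_src.items() if n >= per_src_threshold)
    distributed = len(per_src) > unique_src_threshold
    return {
        "failed_total": sum(per_src.values()),
        "unique_sources": len(per_src),
        "invalid_user_attempts": invalid_user_attempts,
        "brute_force_sources": brute_force,
        "distributed": distributed,
        "usernames_tried": {s: sorted(u) for s, u in users_per_src.items()},
        "severity": "High" if (distributed or brute_force) else "Low",
    }

# Constructed sample auth log using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Dec  8 16:40:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Dec  8 16:40:03 bastion sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Dec  8 16:40:04 bastion sshd[2105]: Failed password for root from 203.0.113.5 port 51251 ssh2
Dec  8 16:40:06 bastion sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51260 ssh2
Dec  8 16:40:08 bastion sshd[2109]: Failed password for root from 203.0.113.5 port 51270 ssh2
Dec  8 16:41:10 bastion sshd[2112]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Dec  8 16:41:12 bastion sshd[2114]: Failed password for root from 198.51.100.7 port 40002 ssh2
Dec  8 16:42:00 bastion sshd[2120]: Accepted publickey for deploy from 192.0.2.10 port 55000 ssh2
""".splitlines()

if __name__ == "__main__":
    print(summarize_ssh_failures(SAMPLE_LOG))
```

On the constructed log, one source crosses the per-source threshold and four of seven failures target nonexistent accounts, so the summary comes out High even though only two sources are involved.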


Solution Implementation Timeline

Day 0 - 14 - KMT will schedule a kick-off meeting to:
  • Provide an overview of the implementation process
  • Gather device provisioning requirements
  • Gather access requirements for the Management Console
  • Gather access requirements for XDR Console
  • Document escalation procedures for alert notifications
After the kick-off call, KMT will provision and ship an analytics Edge Node and PCAP Nodes to the customer.

Day 15 - 22 - Upon receipt of Edge Node(s), the customer will install Edge Nodes based on KMT instructions and with KMT SOC assistance if necessary. Once the Edge Node management interface is plugged in and can be accessed by the SOC, KMT will complete setup and configuration of Edge Nodes and provide the customer with instructions on deployment of SIEM agents based on scripts provided by KMT, the cloud connection broker for remote users, and instructions on how to configure cloud and EDR integrations.

Day 22 - 29 - Once the Edge Node is collecting network, cloud, and SIEM logs, the customer can view data populating in the XDR and Management Consoles. The KMT SOC will work with the customer to turn on monthly reporting, and optional automated blocking and external deception. Access to the new Incident Response portal and push alerts is also available. Upon request we will demo these management interfaces to ensure the client is familiar with these tools.

