Frequently Asked Questions

XDR Endpoint Agent

What are the threat detection capabilities of the Eclipse.XDR Endpoint Agent?

The Eclipse.XDR Endpoint Agent offers a range of advanced threat detection capabilities to quickly identify and respond to threats such as Advanced Persistent Threats (APTs), ransomware, and other types of malware (both file-based and fileless).

These capabilities include:
- Real-time adversary detection: Identifies threats as they occur.
- Automatic response: Includes host isolation, shutdown, or malicious process termination.
- Deep forensic detection: Detects elusive threats designed to bypass existing antivirus (AV) and endpoint detection and response (EDR) solutions.
- Automatic ransomware detection and response: Provides immediate action against ransomware threats.
- Microsoft Defender integration: Monitors and configures alerts from Microsoft Defender.
- Alert suppression: Manages false-positive alerts for simpler management.
- Custom detection rules: Allows creation of custom adversary detection and response rules, including correlated and chained rules.
- MITRE ATT&CK Framework mapping: Utilizes MITRE ATT&CK Framework for threat detection.
- Machine Learning (ML) validation: Validates suspicious forensic artifacts using ML.
- Dynamic Analysis (sandboxing): Analyzes suspicious artifacts to aid human analysis.
- Yara-based scans: Conducts scans and detection based on Yara rules.
- Single-click response: Facilitates quick response actions.
- VirusTotal integration: Leverages VirusTotal for additional threat analysis.

What operating systems are supported by the Eclipse.XDR Endpoint Agent?

The Eclipse.XDR Endpoint Agent supports the following operating systems:

- Windows
- Linux
- macOS

What is the retention policy for Eclipse.XDR Endpoint Data?

The default data retention periods for the Eclipse.XDR Endpoint Agent are as follows:

- Forensic Survey Data = 14 days
- Alerts = 30 days

Clients may also configure alerts to be sent to their SIEM or Webhook for extended retention based on their data retention requirements.

Does Real-Time monitoring impact the performance of the system?

Real-Time Monitoring is designed to have virtually no impact on endpoint performance. The agent operates at a low priority to avoid affecting system functionality. Although there might be a minor increase in storage usage, the overall effect is negligible and typically goes unnoticed by users and other applications.

Resource Usage with Real-Time Monitoring Enabled:

- CPU: 3% or below
- Memory: 10 MB or less
- Network: 10 - 100 bytes/sec
- Disk I/O: 5 - 25 KB/sec

What data is collected by the Eclipse.XDR Endpoint Agent? Is any sensitive or PII data collected?

The Eclipse.XDR Endpoint Agent does not collect personally identifiable information (PII) or sensitive business files. It focuses on collecting metadata from post-breach artifacts.

Data Collected Includes:
- Active processes (similar to Windows Task Manager)
- Modules loaded by processes or applications
- Memory injects and fileless objects
- Historical and scheduled applications
- Usernames associated with detected actions
- Active host connections and listeners
- Applications and their versions
- Host census information (host names, IP addresses, OS versions, etc.)
- Behavioral activity

Additional Details:
- Collected data includes timestamps, file hashes, and correlated data for threat assessment.
- If the machine learning platform encounters an unknown object, it will collect code for further analysis. Analysis data packages are typically less than 1 MB in size.

Data Not Collected:
- Personally identifiable information (PII)
- Passwords
- Account numbers
- Regular data stored on the endpoint's hard drive (e.g., files, photos)

Where is the Eclipse.XDR Endpoint Agent data stored?

Data collected by the Eclipse.XDR Endpoint Agent is stored in AWS and Vultr Cloud servers based on the region.

- United States: us-east-1 (Virginia)
- European Union: eu-west-1 (Ireland)
- APAC: ap-southeast-2 (Sydney)

XDR Network Gateway

What are the threat detection capabilities of the Eclipse.XDR Network Gateway?

The Eclipse.XDR Network Gateway offers specialized threat detection and protection through the following capabilities:

- Traffic Blocking to Known Threats: Blocks network traffic to IP addresses and domains identified as "bad" based on vendor-agnostic Block Lists and Threat Lists.
- High-Risk TLD Blocking: Prevents traffic from reaching high-risk Top Level Domains (TLDs) known for hosting malicious content or services.
- GEO-IP Blocking: Restricts traffic to and from high-risk countries using GEO-IP blocking to reduce exposure to regions with known threat activity.
- ASN Blocking: Blocks traffic associated with high-risk Autonomous System Numbers (ASNs) to mitigate risks from networks linked to malicious activities.

These features are designed not only to block malicious traffic but also to reduce exposure to most of the infrastructure used by adversaries to build and launch their attacks.
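The following is an added example, not CyberStash code, showing how the four blocking rules just listed (block lists, high-risk TLDs, GEO-IP and ASN) can be evaluated against one flow record and produce the "allowed" or "blocked" action. The block lists, the high-risk TLD and country choices, the ASN and the prefix table are all constructed placeholders; a real deployment would feed them from the vendor-agnostic Block Lists, Threat Lists and a GEO-IP/ASN database.

```python
"""Added example (not CyberStash's code): evaluating the four Eclipse.XDR
Gateway blocking rules against a single flow record. All list contents, the
prefix table and the addresses below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed policy data. A real deployment feeds these from vendor-agnostic
# block lists / threat lists and a GEO-IP + ASN database.
BLOCKED_IPS = {"198.51.100.7"}          # RFC 5737 documentation address
BLOCKED_DOMAINS = {"bad.example"}       # matches the domain and its subdomains
HIGH_RISK_TLDS = {"zip", "top"}         # illustrative choice, not the vendor's list
HIGH_RISK_COUNTRIES = {"XX"}            # placeholder ISO country code
HIGH_RISK_ASNS = {64496}                # RFC 5398 documentation ASN

# (prefix, country, asn): a tiny constructed GEO-IP/ASN table.
PREFIX_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), "XX", 64496),
    (ipaddress.ip_network("203.0.113.0/24"), "AU", 64497),
    (ipaddress.ip_network("2001:db8::/32"), "US", 64498),
]


def lookup_geo_asn(ip: str) -> Tuple[Optional[str], Optional[int]]:
    """Longest-prefix match of ip against PREFIX_TABLE; (None, None) if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, country, asn in PREFIX_TABLE:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, country, asn)
    return (best[1], best[2]) if best else (None, None)


def domain_in_list(domain: str, blocked: set) -> bool:
    """True if domain equals a listed name or is a subdomain of one."""
    d = domain.rstrip(".").lower()
    return any(d == b or d.endswith("." + b) for b in blocked)


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    direction: str                 # "inbound" or "outbound"
    domain: Optional[str] = None   # set when the destination was resolved via DNS


def evaluate(flow: Flow) -> Dict[str, object]:
    """Return the flow's metadata, the GEO-IP/ASN correlation of the remote
    peer, the action taken and the list of rules that fired."""
    # "To and from": the remote peer is the source for inbound flows and the
    # destination for outbound flows.
    remote = flow.src_ip if flow.direction == "inbound" else flow.dst_ip
    country, asn = lookup_geo_asn(remote)
    reasons: List[str] = []
    if remote in BLOCKED_IPS or (flow.domain and domain_in_list(flow.domain, BLOCKED_DOMAINS)):
        reasons.append("block-list")
    if flow.domain and flow.domain.rstrip(".").rsplit(".", 1)[-1].lower() in HIGH_RISK_TLDS:
        reasons.append("high-risk-tld")
    if country in HIGH_RISK_COUNTRIES:
        reasons.append("geo-ip")
    if asn in HIGH_RISK_ASNS:
        reasons.append("asn")
    return {
        "src_ip": flow.src_ip, "dst_ip": flow.dst_ip, "dst_port": flow.dst_port,
        "direction": flow.direction, "remote_country": country, "remote_asn": asn,
        "action": "blocked" if reasons else "allowed", "reasons": reasons,
    }


if __name__ == "__main__":
    for f in (Flow("10.0.0.5", "198.51.100.7", 443, "outbound", "bad.example"),
              Flow("10.0.0.5", "203.0.113.9", 443, "outbound", "shop.example"),
              Flow("198.51.100.20", "203.0.113.9", 22, "inbound")):
        print(evaluate(f))
```

The returned dictionary carries the same fields the Gateway's IP traffic metadata is described as containing (addresses, port, direction, action) plus the reasons, which is what an analyst needs to tell a block-list hit from a GEO-IP or ASN policy block when tuning the lists.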

What resources are protected by the Eclipse.XDR Network Gateway?

The Eclipse.XDR Gateway provides comprehensive protection by inspecting and securing various types of inbound traffic.

Specifically, it safeguards:
- Perimeter Networks: Monitors and protects traffic from external networks, including data centers and office networks.
- Cloud Environments: Secures traffic to and from cloud platforms such as AWS, Azure, and Google Cloud.
- Home Networks: Offers protection for remote or home networks, especially for VIP and high-risk users.

In essence, the Eclipse.XDR Gateway protects a range of resources, including:
- Servers: Ensures that your servers are shielded from malicious inbound traffic.
- User Resources: Safeguards individual user devices and accounts.
- Cloud Workloads: Protects cloud-based workloads and applications from external threats.

By securing these diverse resources, the Eclipse.XDR Gateway helps to maintain a robust defense across your entire network infrastructure.

What traffic rates does the Eclipse.XDR Network Gateway support?

The Eclipse.XDR Gateway is designed to handle high traffic volumes with zero notable impact on performance. It supports traffic rates of up to 10 Gbps at line-speed, ensuring that there is no noticeable effect on end-user experience or application performance.

The XDR Gateway operates on enterprise-grade hardware appliances and is available in two sizes:
- XDR Gateway-1G: A table-top or 1RU rack-mountable server supporting line-rates of up to 1 Gbps.
- XDR Gateway-10G: A 1RU rack-mountable server capable of supporting line-rates of up to 10 Gbps.

Additionally, the XDR Gateway does not rate-limit or throttle traffic, ensuring consistent performance and reliability.

How does the Eclipse.XDR Network Gateway connect to my network?

The Eclipse.XDR Gateway integrates with your network in different ways depending on the environment:

On-Premises Environment (Office, Data Center, Home Networks):
The Eclipse.XDR Gateway functions as a layer-2 device operating in an inline tap configuration using a pair of bridge ports:
- The outside bridge port connects to your ISP link.
- The inside bridge port connects to either your uplink switch port on the corporate network or the outside/external interface of your perimeter firewall.

Cloud Environment:
In cloud environments, the Eclipse.XDR Gateway operates as a Virtual Security Appliance. It connects in parallel with your Cloud Load Balancer to monitor and protect both inbound and outbound traffic.

In both scenarios, the XDR Gateway provides comprehensive protection for all traffic flowing through your network.

Can I send the logs from the Eclipse.XDR Network Gateway to my SIEM?

Yes, you can send logs from the Eclipse.XDR Gateway to your SIEM using the syslog protocol. By default, CyberStash securely sends all logs to its own syslog collector hosted within the client environment. From there, the logs are securely transmitted to the Eclipse.XDR SIEM hosted in the CyberStash Cloud.

Additionally, clients have the flexibility to configure their log forwarding preferences to their SIEM if desired. Options include:

- All Logs: Forwarding all logs generated by the XDR Gateway.
- Allowed or Blocked Logs: Sending only logs related to allowed or blocked traffic.
- Inbound or Denied Logs: Receiving logs specifically for inbound traffic or denied requests.
- Specific Event Types: Filtering logs based on event types such as IP Traffic, DNS Logs, or DNS-Response Logs.

This setup ensures secure and efficient log management, while allowing customization based on your monitoring needs.

What data is collected by the Eclipse.XDR Network Gateway? Is any sensitive or PII data collected?

The CyberStash Eclipse.XDR Network Gateway collects the following types of data:
- IP Traffic Metadata: Includes source and destination IP addresses, source and destination ports, traffic flow direction (inbound or outbound), and actions taken (allowed or blocked).

DNS Traffic:
- Query Name: The domain name being queried.
- Query Type: The type of DNS query, such as A, AAAA, MX, or CNAME.
- Query Class: The class of the DNS query (usually IN for Internet).
- Response Code: The code indicating the result of the DNS query (e.g., NOERROR, NXDOMAIN).
- Response Data: The data returned in response to the DNS query, such as IP addresses or domain names.
- Query Timestamp: The time when the DNS query was made.
- Query Source: The IP address of the client making the DNS query.

GEO-IP and ASN Correlation:
Correlates destination IP addresses with GEO-IP and Autonomous System Number (ASN) data for enhanced threat analysis.
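As an added example (not CyberStash code), the parser below extracts exactly the DNS fields listed above from a DNS response packet and keeps only that metadata, discarding the packet itself. The response packets it runs on are constructed inline by build_response(), using RFC 5737 documentation addresses and example.com names; the timestamp and client IP are supplied by the caller because in a real gateway they come from the capture, not from the packet.

```python
"""Added example (not CyberStash's code): extracting the DNS metadata fields
listed above (query name, type, class, response code, response data, timestamp,
query source) from a DNS response. Sample packets are constructed inline."""
import ipaddress
import struct
from typing import Dict, List, Tuple

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 28: "AAAA"}
QCLASS_NAMES = {1: "IN"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS label format (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name (RFC 1035 section 4.1.4); return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:               # 2-byte compression pointer
            if end is None:
                end = off + 2                   # resume after the first pointer
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            hops += 1
            if hops > 16:                       # refuse looping pointers
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns_metadata(pkt: bytes, client_ip: str, timestamp: str) -> Dict[str, object]:
    """Return the query/response metadata; the raw packet is not retained."""
    _ident, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = read_name(pkt, off)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    answers: List[Tuple[str, str]] = []
    for _ in range(an):
        _owner, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == 28 and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        elif rtype in (2, 5, 12):               # NS, CNAME, PTR carry a name
            value, _ = read_name(pkt, off)
        elif rtype == 15:                       # MX: 2-byte preference, then a name
            value, _ = read_name(pkt, off + 2)
        else:
            value = rdata.hex()
        answers.append((QTYPE_NAMES.get(rtype, str(rtype)), value))
        off += rdlen
    return {
        "query_name": qname,
        "query_type": QTYPE_NAMES.get(qtype, str(qtype)),
        "query_class": QCLASS_NAMES.get(qclass, str(qclass)),
        "response_code": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
        "response_data": answers,
        "query_timestamp": timestamp,
        "query_source": client_ip,
    }


def build_response(qname: str, qtype: int, answers: List[Tuple[bytes, int, bytes]], rcode: int = 0) -> bytes:
    """Constructed response packet: standard response flags, one question, given answers."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for owner, rtype, rdata in answers:
        body += owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + body


# Constructed sample: www.example.com -> CNAME example.com -> A 192.0.2.1 (RFC 5737).
SAMPLE_RESPONSE = build_response("www.example.com", 1, [
    (b"\xc0\x0c", 5, encode_name("example.com")),   # owner is a pointer to the question name
    (encode_name("example.com"), 1, bytes([192, 0, 2, 1])),
])
SAMPLE_NXDOMAIN = build_response("nope.example", 28, [], rcode=3)

if __name__ == "__main__":
    print(parse_dns_metadata(SAMPLE_RESPONSE, "10.0.0.5", "2024-01-01T00:00:00Z"))
    print(parse_dns_metadata(SAMPLE_NXDOMAIN, "10.0.0.5", "2024-01-01T00:00:01Z"))
```

The hop limit in read_name matters in practice: a crafted response with a self-referencing compression pointer would otherwise spin the parser forever, so a collector that only wants metadata still has to parse names defensively.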

Data Not Collected:
- Sensitive or personally identifiable information (PII): the Eclipse.XDR Network Gateway does not collect PII or sensitive personal data.
- Deep packet data.

This approach ensures that the data collected is relevant for network security and threat detection while respecting privacy and compliance requirements.

Where is the Eclipse.XDR Network Gateway data stored?

Data collected by the Eclipse.XDR Network Gateway is stored in AWS and Vultr Cloud servers based on the following regions:

- United States: us-east-1 (Virginia)
- APAC: ap-southeast-2 (Sydney)

Clients can choose to have all data reside exclusively in the United States if required. This option allows for greater control over data residency and compliance with specific regulatory requirements.

Information Risk, Security and Compliance Statement

What is the purpose of CyberStash’s Information Risk, Security, and Compliance Statement?

The Statement outlines the security measures and compliance practices CyberStash employs to protect and manage information associated with its eclipse.xdr cyber defense platform. It assists risk, security, and compliance personnel in vendor risk assessments and ongoing security reviews.

Who should I contact for inquiries regarding this statement?

Please direct all inquiries to the CyberStash Information Compliance Officer at [email protected].

A copy of the Statement can be shared upon request.

What certifications does CyberStash hold?

- ISO/IEC 27001:2013: Certified as of August 2023, with plans to upgrade to ISO/IEC 27001:2022 by August 2024.
- SOC 2 Type-1: Achieved in July 2023, with plans to obtain SOC 2 Type-2 by July 2024.

How does CyberStash handle Personally Identifiable Information (PII)?

CyberStash does not collect, store, or process PII through its eclipse.xdr platform or Managed Detection and Response (MDR) Service. Clients are responsible for securing PII when integrating with external systems.

What types of information does the eclipse.xdr platform collect?

- Network Data: Syslog Events including IP addresses, protocols, and traffic details.
- Endpoint Data: Information on active processes, modules, and applications from Windows, Mac, and Linux systems.
- DNS Packet Data: Collected from client DNS servers and correlated within SIEM.
- Threat Intelligence Data: IP address, domain, and hash information from various threat feeds.

Where is the collected data stored?

Vultr: Certified to SOC 2 Type 2, PCI-DSS, and ISO27001.
AWS: Certified to SOC 2 Type 2, PCI-DSS, and ISO27001.

Data collected by the Eclipse.XDR Network Gateway is stored in AWS and Vultr Cloud servers based on the following regions:

- United States: us-east-1 (Virginia)
- APAC: ap-southeast-2 (Sydney)

Clients can choose to have all data reside exclusively in the United States if required. This option allows for greater control over data residency and compliance with specific regulatory requirements.

Data collected by the Eclipse.XDR Endpoint Agent is stored in AWS and Vultr Cloud servers based on the region. Clients can request their preferred data storage location.

- United States: us-east-1 (Virginia)
- European Union: eu-west-1 (Ireland)
- APAC: ap-southeast-2 (Sydney)

What security controls are in place for the eclipse.xdr platform?

- Password Policy: Requires a minimum of 16 characters with a mix of letters, numbers, and special characters.
- Multi-Factor Authentication (MFA): Enforced using Google Authenticator.
- Encryption: Data is encrypted using TLS 1.2 or above.
- Endpoint Protection: Includes Anti-Virus, Anti-Malware, and Ransomware Protection.
- Application Control: Limits access to approved applications and restricts how applications interact with other operating system components.
- Regular Patching: Weekly for critical and monthly for non-critical patches.
- Web Application Firewall (WAF): Protects against known web-based attacks.
- Access Controls: Limited to administrative tasks with MFA and encrypted traffic.
- Data Backup: Weekly local and monthly offsite encrypted backups.
- Vulnerability Scanning: Scanned every 4 hours; web services daily.
- Penetration Testing: Conducted annually by independent testers.
- Dark Web Monitoring: Tracks compromised credentials.

What is CyberStash’s approach to disaster recovery and business continuity?

CyberStash maintains disaster recovery sites with the same security posture as its production environment. Key recovery time objectives include:

- Application Failure: 48 hours
- Data Center Failure: 120 hours
- Alternative Data Center: In AU and in the U.S. if needed.

What insurance coverage does CyberStash have?

- Public Liability Insurance: Up to AUD 10,000,000
- Professional Indemnity Insurance: Up to AUD 10,000,000
- Cyber Liability and Privacy Insurance: Up to AUD 350,000

How does CyberStash handle security training and awareness?

All employees and contractors must complete security awareness training and adhere to an Acceptable Use Policy.

What are the role-based access controls in the eclipse.xdr platform?

Roles include:

- MSP Administrator: Full system access.
- MSP Security Analyst: Access to security analysis.
- Client Administrator: Full access to specific client profiles.
- Security Analyst/Response Analyst: Access to specific tasks and client profiles.