Accenture MxDR Quick Start Guide for AER Access in Carbon Black

The following guide provides instructions to set up the Accenture MxDR Carbon Black service.

The document includes the following topics:

  • Managed Extended Detection Response (MxDR) Introduction

  • Managed Extended Detection Response (MxDR) Overview

  • Pre-Installation Questionnaire (PIQ)

Introduction

The Accenture Managed Extended Detection Response (MxDR) service delivers visibility and response: Accenture SOC analysts act on suspicious threat activity and find emerging and unknown threats across on-premises and cloud endpoints, using forensic data coupled with machine learning analytics and the Accenture Global Intelligence Network. MxDR allows for close collaboration and seamless handoff of incident intelligence, helps to prioritize efforts, and frees security teams from the time and effort they would otherwise spend investigating incident alerts and detecting and responding to advanced attacks.

Overview

The Carbon Black MxDR service has three primary components:

  • Log Collection Platform (LCP)

  • Carbon Black Cloud Console

  • Endpoint Management

MxDR Access and Logging Architecture

Log Collection Platform (LCP)

The Log Collection Platform (LCP) is designed to collect, compress, and send your log data securely to Accenture MxDR. The LCP is deployed in the Accenture Security Cloud and pulls the data directly from Carbon Black Cloud via API (application programming interface).

Note: No client hardware or network access is needed.

Carbon Black Cloud

The Carbon Black Cloud Console will be co-managed by Accenture MxDR as a shared service with the client. After signing up for the service, clients will be provided with an Authorization Form for Access to Carbon Black Hosts by MSP (Managed Service Provider) Personnel, which will need to be provided to Carbon Black. This will grant Accenture MxDR access to the client’s Carbon Black data.

Topology

  • Existing Accenture clients who currently own Carbon Black will be moved under the Accenture MxDR CID (Customer ID) in a coordinated manner

  • New Carbon Black clients will be deployed under the Accenture MxDR CID

  • Each CID has a stand-alone Splunk backend for data isolation purposes

Access Control

  • Accenture will be granted access to the client’s Carbon Black Cloud portal after an MSSP Authorization Form is submitted to VMware

  • Accounts for Accenture will be housed at the Accenture MxDR CID

    • User permissions in the Accenture MxDR CID will extend to all client CIDs

    • Accenture MxDR analyst accounts and access will be managed by Accenture MxDR

  • Access and entitlements for clients will be managed in their respective CIDs, with the choice of the existing Carbon Black roles

Permissions

  • Accenture will use two custom roles to access the client’s CID

    • MxDR – Sr. Analyst | GIO Analyst

      • Senior and Principal Analysts responsible for response and detection management

    • MxDR – Analyst

      • Responsible for investigations and isolation

Event Data and Detections

  • Detections

    • Detections will flow from the client CIDs into the Accenture MxDR CID

    • Detections can be managed by either Accenture MxDR or the client

  • Raw event data

    • Endpoint data will be housed and stored in each client environment and will only be searchable across the CIDs that house it

    • Accenture MxDR analysts will be able to search client Endpoint Activity data by pivoting into the respective CID

  • SIEM (Security Information and Event Management) Connections for Detections

    • Accenture will consume detection data directly from each respective client CID

Policy Management

Accenture MxDR will have access to policy management, but clients are responsible for managing these policies. Unless pre-authorized to do so, Accenture MxDR will not update policies.

Endpoint Management

Carbon Black Endpoint Standard agent installation and management are the responsibility of the client. If applicable, remediation is performed by MxDR analysts via the Carbon Black Cloud Console.

Pre-Installation Questionnaire (PIQ)

The pre-installation questionnaire (PIQ) is used to capture device and network details from your environment to begin the onboarding process. The PIQ requires information about the network ranges eligible for pre-authorized containment if applicable, how you will deploy the agent, and information about your current environment.

  • An Accenture MxDR Engineer will supply the PIQ for the client to complete, via email or a Service Request within the MxDR portal.

  • The client is expected to complete the PIQ and return it to the MxDR Engineer for processing.

  • Complete and return the PIQ. If remediation is authorized, the network range(s) of the hosts authorized for remediation must be defined in the appropriate section of the PIQ.
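The PIQ's remediation section turns into an authorization boundary for analysts: a containment action should only be taken on a host whose address falls inside the ranges the client pre-authorized. The following is an added example, not part of the Accenture guide or the MxDR service, showing how such a pre-authorization check can be applied before a containment request is issued. The `PIQ_REMEDIATION` structure, its field names, the sample ranges and the `excluded_ranges` concept are all constructed assumptions; the real PIQ is a form supplied by the MxDR Engineer.

```python
"""
Added example (not Accenture's code): decide whether containing a host is
pre-authorized by the network ranges recorded in a completed PIQ.
The PIQ field names, sample ranges and host addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in for the remediation section of a completed PIQ
# (hypothetical structure; the real form is supplied by the MxDR Engineer).
PIQ_REMEDIATION = {
    "remediation_authorized": True,
    "authorized_ranges": ["10.20.0.0/16", "192.168.50.0/24"],
    # Hypothetical carve-out for hosts the client never wants auto-contained.
    "excluded_ranges": ["10.20.99.0/24"],
}


@dataclass(frozen=True)
class ContainmentDecision:
    """Audit record for one pre-authorization check."""
    host_ip: str
    authorized: bool
    reason: str
    checked_at: str


def _parse_ranges(ranges):
    # strict=False accepts a submitted range with host bits set (e.g. 10.20.1.5/16)
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def containment_preauthorized(host_ip: str, piq: dict = PIQ_REMEDIATION) -> ContainmentDecision:
    """Return an authorized/denied decision with the reason, for logging."""
    now = datetime.now(timezone.utc).isoformat()
    try:
        ip = ipaddress.ip_address(host_ip)
    except ValueError:
        return ContainmentDecision(host_ip, False, "unparseable address", now)

    # Deny everything unless the client explicitly authorized remediation.
    if not piq.get("remediation_authorized", False):
        return ContainmentDecision(host_ip, False, "remediation not authorized in PIQ", now)

    # Exclusions win over authorizations (fail closed on overlap).
    for net in _parse_ranges(piq.get("excluded_ranges", [])):
        if ip in net:
            return ContainmentDecision(host_ip, False, f"{ip} is in excluded range {net}", now)

    for net in _parse_ranges(piq.get("authorized_ranges", [])):
        if ip in net:
            return ContainmentDecision(host_ip, True, f"{ip} is in authorized range {net}", now)

    return ContainmentDecision(host_ip, False, f"{ip} is not in any authorized range", now)


if __name__ == "__main__":
    # Constructed hosts: one authorized, one in the carve-out, one out of scope.
    for candidate in ("10.20.5.7", "10.20.99.4", "172.16.0.1"):
        d = containment_preauthorized(candidate)
        print(f"{d.checked_at} host={d.host_ip} authorized={d.authorized} reason={d.reason}")
```

The decision object is meant to be written to the case record before any containment call is made, so the audit trail shows why a host was (or was not) considered in scope. Denial is the default for any address not positively matched, and an exclusion takes precedence over an overlapping authorization.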

FAQ (Frequently Asked Questions)

Will Accenture MxDR handle deployment of Carbon Black agents to new clients?

No. Accenture MxDR will have co-management access to the Carbon Black Cloud console to deliver the MxDR service, but this will not include deployment of agents.

Will Accenture MxDR update the Carbon Black agent configurations?

We will update the Endpoint Detection & Response (EDR) policy (blacklist, whitelist, etc.) if authorized. We will not update the endpoint policies (AV signatures, firewall rules, etc.).


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.