How Field Effect MDR Works

Introduction

Field Effect MDR is a cybersecurity solution that includes endpoint sensors, cloud monitoring integrations, and (for MDR Complete customers) network monitoring. When Field Effect MDR detects a cybersecurity situation that requires action or follow-up, you will be notified via our core reporting mechanism - an ARO (Action, Recommendation, or Observation).


How Users Interact with Field Effect MDR

Field Effect MDR's primary access point is the Field Effect MDR Portal. It hosts AROs, several dashboards, and report repositories for performing investigations and analysis, as well as your administration and profile settings for management and configuration.


If you are a direct client, this will be the main tool used to interact with your Field Effect deployment and configure the services. 


If you are a partner, the MDR Portal will have an instance available for every client organization you manage. Managing license allocations is done through the License Management Portal (LMP).


How Field Effect MDR Works

The following sections explain how Field Effect MDR works at a high level, across three main areas: the appliance, the endpoint, and cloud monitoring. 


The Appliance

Field Effect MDR starts with the primary appliance, which acts as the service's main controller. Primary appliances can be hosted on your network (physically or virtually) or hosted by Field Effect in the cloud, depending on your service tier and network setup; the appliance type is chosen to suit the network it is being deployed to. Our Sales Engineers and Customer Success teams help ensure that the appropriate appliance is selected for each location.


Only one primary appliance is required. Additional branch locations that require network monitoring receive a secondary appliance, which we also help ensure is appropriate for that network. Secondary appliances communicate over an encrypted relay connection with the primary appliance, where the analysis takes place.


For MDR Core customers, we will provision you a cloud-hosted primary appliance.


Endpoint Monitoring

Our Endpoint agent (available for macOS, Windows, and Linux) communicates with the primary appliance either directly (when on the same network) or through an encrypted relay connection. Depending on how the service is configured, the agent will be able to intervene (isolate, block, etc.) when a threat is detected.


Installers can be downloaded from the primary appliance and the MDR Portal, and they support several installation methods, including deployment by GPO and by RMM tools. See our Installer Guides for more on this.


Cloud Monitoring

Finally, Field Effect MDR integrates with several cloud services, which are set up in the MDR Portal. Once a cloud service is enrolled, we will monitor and analyze the service's telemetry and user activity for reporting and ARO creation, when appropriate.


The following diagram shows how the components of Field Effect MDR fit into your network and communicate with each other.



How Endpoints Communicate with the Appliance

The endpoint device can communicate with the primary appliance in two ways: 

  • Network: when connected to the same network, they will communicate directly.
  • Relay: when the agent cannot connect directly to the appliance (for example, from a remote location), an encrypted "relay" connection is used. The relay is the only method for virtual deployments, where there is no shared local network between the agent and the appliance.


Each agent is typically configured with two domains: one that resolves to the appliance's local IP and one that resolves to the relay. These are configured automatically during the installation process, and the agent cycles between the two options, connecting only to a server that presents a valid certificate.
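The failover and certificate check described above, as an added example in Go (this is not Field Effect's agent code). It stands up two TLS listeners on loopback: one presenting a self-signed certificate under the local appliance name, standing in for a host the agent should not trust, and one presenting a certificate issued by a private CA the agent pins. The agent then walks its configured endpoints in order and keeps the first one whose certificate verifies for that name. The domain names, the private CA, the loopback addresses and all function names are constructed for the example; the page says only that the agent connects solely to a server with a valid certificate, not which trust anchor it uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a certificate for host: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent. ECDSA P-256 throughout (example choice).
func issue(host string, parent *tls.Certificate) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	signer, signerKey := tmpl, any(key)
	if parent != nil {
		signer, signerKey = must(x509.ParseCertificate(parent.Certificate[0])), parent.PrivateKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serve listens on loopback, completes each TLS handshake and hangs up, which is
// all the agent needs in order to judge the certificate it was shown.
func serve(cert tls.Certificate) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln
}

// Endpoint is one configured name and the address it currently resolves to.
type Endpoint struct{ Name, Addr string }

// connect tries the configured endpoints in order and returns the first whose
// certificate chains to the pinned CA for that name; unreachable hosts and
// hosts presenting any other certificate are skipped.
func connect(pinned *x509.CertPool, endpoints []Endpoint) (string, error) {
	dialer := &net.Dialer{Timeout: 2 * time.Second}
	for _, ep := range endpoints {
		cfg := &tls.Config{RootCAs: pinned, ServerName: ep.Name, MinVersion: tls.VersionTLS12}
		conn, err := tls.DialWithDialer(dialer, "tcp", ep.Addr, cfg)
		if err != nil {
			continue // connection refused or certificate rejected: try the next one
		}
		conn.Close()
		return ep.Name, nil
	}
	return "", errors.New("no trusted appliance or relay reachable")
}

// Scenario (constructed): the local appliance name currently resolves to a host
// showing a self-signed certificate, while the relay shows a certificate from
// the pinned CA. The agent must end up on the relay.
func Scenario() (string, error) {
	ca := issue("agent-root-ca.example", nil)
	rogue := serve(issue("appliance.corp.example", nil)) // self-signed, not from the CA
	relay := serve(issue("relay.example", &ca))
	defer rogue.Close()
	defer relay.Close()
	pinned := x509.NewCertPool()
	pinned.AddCert(must(x509.ParseCertificate(ca.Certificate[0])))
	return connect(pinned, []Endpoint{
		{"appliance.corp.example", rogue.Addr().String()},
		{"relay.example", relay.Addr().String()},
	})
}

func main() {
	fmt.Println(Scenario())
}
```

Running it prints `relay.example <nil>`: the host answering under the local appliance name is skipped because its certificate does not chain to the pinned CA, and the agent settles on the relay. A real agent would keep cycling through both names on a timer rather than making the single pass shown in `connect`; swapping the order of the two endpoints, or taking the rogue listener down, does not change which one is accepted.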


Our configurations are signed by our root of trust, which is hard-coded into the agent. All messages sent from an agent to the appliance are additionally encrypted to the appliance key using X25519. Messages sent from the appliance to the agent are Ed25519-signed with the appliance key. Further, sensitive messages such as those related to our EDR rules are separately Ed25519-signed with keys that are not present on the appliance, limiting what a compromised appliance could push to agents.
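A model of the message protections in this paragraph, as an added example in Go using only the standard library; it is not Field Effect's code. The message layout, the key derivation (SHA-256 over the X25519 shared secret and both public keys, then AES-256-GCM), the field names, and the idea that the root-signed configuration carries the appliance and rule-signing public keys are all assumptions of the example. It walks through each claim: a configuration is accepted only under the hard-coded root key, an agent-to-appliance message is sealed to the appliance X25519 key, an appliance-to-agent message is Ed25519-signed with the appliance key, and an EDR rule update is accepted only under a separate key, so a rule signed with a compromised appliance's own key is refused.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Config is the root-signed configuration the agent installs. Carrying the appliance and
// rule-signing public keys inside it is this example's assumption; the page does not say how the agent gets them.
type Config struct {
	Domains         []string `json:"domains"`           // appliance (local) and relay domains
	ApplianceEncPub []byte   `json:"appliance_enc_pub"` // X25519; private half on the appliance
	ApplianceSigPub []byte   `json:"appliance_sig_pub"` // Ed25519; private half on the appliance
	RulesSigPub     []byte   `json:"rules_sig_pub"`     // Ed25519; private half never on the appliance
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// verify checks an Ed25519 signature over payload under pub.
func verify(pub, payload, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(pub), payload, sig) {
		return errors.New("signature check failed")
	}
	return nil
}

// gcm derives an AES-256-GCM key from the X25519 shared secret and both public keys.
func gcm(shared, ephPub, recipientPub []byte) cipher.AEAD {
	key := sha256.Sum256(append(append(append([]byte{}, shared...), ephPub...), recipientPub...))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// seal encrypts an agent message to the appliance's X25519 public key with a fresh
// ephemeral key. Layout: ephPub(32) || nonce(12) || ciphertext+tag.
func seal(appliancePub *ecdh.PublicKey, msg []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	aead := gcm(must(eph.ECDH(appliancePub)), eph.PublicKey().Bytes(), appliancePub.Bytes())
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, msg, nil)
}

// open is the appliance side of seal; only the X25519 private key holder can read the message.
func open(appliancePriv *ecdh.PrivateKey, box []byte) ([]byte, error) {
	if len(box) < 44 {
		return nil, errors.New("box too short")
	}
	shared, err := appliancePriv.ECDH(must(ecdh.X25519().NewPublicKey(box[:32])))
	if err != nil {
		return nil, err
	}
	return gcm(shared, box[:32], appliancePriv.PublicKey().Bytes()).Open(nil, box[32:44], box[44:], nil)
}

// Result records what the simulated agent accepted and rejected.
type Result struct{ ConfigOK, TamperedRejected, CheckinOK, TaskOK, RulesOK, ForgedRulesRejected bool }

// Scenario generates every key fresh (a real agent has only the root public key built in)
// and runs the exchanges described in the text. Messages and names are constructed.
func Scenario() Result {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)     // vendor root of trust
	appSigPub, appSigPriv, _ := ed25519.GenerateKey(rand.Reader) // lives on the appliance
	rulesPub, rulesPriv, _ := ed25519.GenerateKey(rand.Reader)   // kept off the appliance
	appEnc := must(ecdh.X25519().GenerateKey(rand.Reader))       // lives on the appliance
	cfgJSON := must(json.Marshal(Config{Domains: []string{"appliance.corp.example", "relay.example"},
		ApplianceEncPub: appEnc.PublicKey().Bytes(), ApplianceSigPub: appSigPub, RulesSigPub: rulesPub}))
	cfgSig := ed25519.Sign(rootPriv, cfgJSON)

	// 1. Install the config only if it verifies under the pinned root key; one flipped byte fails.
	var r Result
	var cfg Config
	r.ConfigOK = verify(rootPub, cfgJSON, cfgSig) == nil && json.Unmarshal(cfgJSON, &cfg) == nil
	tampered := append([]byte(nil), cfgJSON...)
	tampered[10] ^= 1
	r.TamperedRejected = verify(rootPub, tampered, cfgSig) != nil
	// 2. Agent -> appliance: sealed to the appliance X25519 key taken from the config.
	appPub := must(ecdh.X25519().NewPublicKey(cfg.ApplianceEncPub))
	plain, err := open(appEnc, seal(appPub, []byte("checkin host=ws-17")))
	r.CheckinOK = err == nil && string(plain) == "checkin host=ws-17"
	// 3. Appliance -> agent: Ed25519 signed with the appliance key.
	task := []byte("task: isolate host")
	r.TaskOK = verify(cfg.ApplianceSigPub, task, ed25519.Sign(appSigPriv, task)) == nil
	// 4. Rules verify only under the separate rules key, so a compromised appliance cannot forge them.
	rule := []byte("rule: block lsass dump")
	r.RulesOK = verify(cfg.RulesSigPub, rule, ed25519.Sign(rulesPriv, rule)) == nil
	r.ForgedRulesRejected = verify(cfg.RulesSigPub, rule, ed25519.Sign(appSigPriv, rule)) != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

Every field of the printed `Result` is true. The point of step 4 is the one the paragraph makes: an attacker who owns the appliance holds its X25519 and Ed25519 private keys, so they can read agent check-ins and sign ordinary tasks, but the agent verifies rule updates under `RulesSigPub`, whose private half never touched the appliance, so rules forged there are rejected. Binding the AEAD key to both public keys in `gcm` is a standard sealed-box precaution against a ciphertext being replayed toward a different recipient.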


Additional Connections

There are some scenarios in which the endpoint will connect to one of two global servers, the Identity Server and the Log Server, described below:


Identity Server (epid.fieldeffect.net)

When an endpoint agent is installed, it connects to the Identity Server to retrieve its configuration (the appliance and relay domains for your organization). If the agent loses its connection with the configured servers for more than a week, it will reconnect to this Identity Server in an attempt to restore the connection and reconfigure the agent. 


Log Server (installlogs.fieldeffect.net)

This server collects data that supports installation and health-related debugging. Following an installation, the agent sends a one-time report that includes some basic host telemetry to help investigate failures. Remote diagnostics can also be requested from the agent through this service.


When an agent has an issue, such as an unexpected service disruption or restart, it is reported to the Log Server. If the Log Server detects that the agent is not running, it can automatically force the agent to restart.


Digging Deeper into Field Effect MDR

MDR Complete customers who want to dive deeper into the telemetry, alerts, and data that determine when we generate AROs can access the Field Effect Appliance Dashboard.

