Skip to content

Fully automated host & network intrusion detection platform. Detects malware from behavioural patterns rather than signatures and enables deeper visibility than legacy tools.

License

Notifications You must be signed in to change notification settings

bgenev/impulse-xdr

Repository files navigation

Welcome to Impulse XDR!

๐ŸŒŸ Deep Security Visibility & Protection

Impulse is a fully automated host & network intrusion detection platform with real-time threat detection sensors, storage and visualisation. It detects malware from behavioural patterns rather than signatures and enables deeper visibility than legacy tools. It can be deployed on any device or VM running Linux such as cloud VMs in VPC networks, VPS servers or personal workstations and IoTs.

Impulse is organised around a self-hosted, manager-sensor architecture that provides traditional SIEM capabilities like centralized log storage, indexing and normalization, but also automated log-correlation and real-time threat detection via its open-source EDR/NDR sensors. It can be used as a complete security management solution or as additional layer of security that simply forwards Detections, EDR and NDR logs to your existing security stack.

instance_with_detection

What makes it better at threat detection?

Instead of looking for specific malware signatures, it tracks indicators of compromise via their on-disk forensic artefacts. Malware comes in all shapes and forms but its output is always the same - connections to C&C centres, modified files, new processes, modified services/background tasks, authentications, etc. Impulse assigns different metrics/weight to each IOC group (implemented with osquery) depending on its level of significance and continuously monitors for new events. It then aggregates bursts of events, indicative of anomalous activity, into detections.

This approach provides a much deeper visibility and allows detections of unknown threats from behavioural activity patterns rather than constantly updated signatures. Users get a full historical chain of events with everything important that has ever happened on the system and a filtered dashboard with high-severity detections.

Components

edr_diagram_v5

Host Sensor (EDR)

Tracks every important variable that could be indicator of compromise and filters noise at the edge. Core version detects:

  • Processes & Background Tasks
  • Authentications & SSH Activity
  • Connections & Socket Events
  • Shell History & Root Commands
  • Ports & Interfaces
  • Services & Crons
  • Files & Permissions
  • Users & Groups
  • Deb/RPM/Python Packages
  • Kernel Modules
  • Offensive Tools

Network Sensor (NDR)

Network monitoring & intrusion detection with turnkey Suricata solution, optimised for performance and ease-of-use. Completely decoupled from the rest of the setup and can be installed on host or VM with custom CPU/RAM and NIC:

  • Detects Malicious Traffic & Generates Alerts
  • Enriches logs with IP threat intelligence
  • Shows Signature Payloads & Packet Flows
  • Maps Attacker Geolocation
  • Create & distribute custom rulesets
  • Automatically blocks attackers via distributed nftables-based fleet firewall
  • Extracts Files from Flows
  • Tracks DNS, HTTP and DHCP requests

Threat Detection Engine

Threat Detection Engine correlates signals and aggregates them into detections.

๐Ÿšดโ€โ™‚๏ธ Main Features

  • Security Analytics: Ingests telemetry data from its fleet of monitoring sensors and provides security analytics & insights.
  • Indicators of Compormise: Built-in core indicators of compromise track security events on hosts and alert you in case of anomalous activity. Even if certain events don't generate a detection, they are still added to an "IOCs History" database which provides integrity monitoring for every aspect of your environment - files, processes, connections, ports, users, authentications, installed packages, kernel modules, etc. every variable that could be an indicator of compromise is tracked and analysed.
  • Network Visibility & IDS: Monitors network flows, detects intrusion attempts and automatically blocks offenders with active response.
  • File Integrity Monitoring: Tracks changes on the filesystem tree and notifies you about file or permission modifications.
  • Security Policies: Monitors system configuration settings to ensure compliance with preset core security policies.
  • Active Response: Automatically blocks suspicious IPs, stops processes, closes ports and quarantines files.
  • Fleet Firewall: Fleet firewall blocks offenders across the fleet.
  • Threat Intel: Integrates with high-quality threat intelligence providers to enrich your context data.
  • Vulnerability Scanning: Discovers installed packages and associated CVEs.
  • Self-Hosted & Open-Core: Data never leaves you servers.

๐Ÿ› ๏ธ Use Cases

  1. Cloud VMs in VPC. Works with any cloud provider including AWS, DigitalOcean, Azure, GCP, Alibaba, etc.

  2. VPS server. Either deploy in standalone mode or deploy the manager on one VPS and then place a sensor on the target VPS.

  3. Cluster of VPS servers. If you have multiple VPS servers spread across various providers, simply choose one of them as the manager and place light/heavy sensors on the rest.

  4. Website host. Install in standalone mode to lockdown your host and reduce load by blocking port scanners.

  5. Monitor personal workstation. The Impulse EDR provides real-time threat-detection & integrity monitoring for personal computers. A hardened Linux Desktop such as Debian with Impulse EDR monitoring is one of the most secure configurations that you can get.

  6. IOT device, Raspberry Pi or similar. Light sensors can be installed on any Linux device that provides ssh access.

  7. Install on local VM and learn cybersecurity/sysadmin. The level of visibility provided by Impulse means that you can use it to learn and play around with Linux environments. Deploy on localhost VM, then modify system settings or try to attack the VM and observe what changes in the โ€œIOT Historyโ€ dashboard.

๐Ÿ“˜ How to get started and documentation

Set up deep security visibility and protection for your infrastructure in two steps:

  1. Install the self-hosted security events manager on one of your existing machines (this could be any VM, VPS, laptop or Raspberry Pi with 1-core, 1.5gb RAM). It runs on all major Linux distributions and requires close to zero configuration.

  2. Deploy a light or heavy sensor on each endpoint, depending on the features and level of visibility that you need. That's it. Security telemetry and analytics start flowing to your screen!

Setup & Documentation

How does it compare with other security monitoring tools?

Feature Other Tools Impulse XDR
Able to detect known and unknown malware from system behaviour No Yes
Visibility level Tell you only when something really, really bad happens. Full historical chain of events for every potential indicator of compromise.
Traditional SIEM features with centralized log storage, indexing and storage Some Yes
Light, open-source sensors with host and network intrusion detection baked-in No Yes
File Integrity Monitoring Some Yes
Secure Configuration Management Basic Yes
Can work on as little as 1.5 GB RAM, 1-core CPU No way Yes
Purpose-built interface for presenting security information in digestible form No Yes
Flexible installation on any Linux OS instance with Docker containers and SystemD services Some Yes
Create and distribute custom monitoring policies Some Yes
Active response with fleet firewall, asset isolation and remote script execution No Yes
Easy self-host installation No Yes
Future proof, built with best in class components: Postgres, gRPC, Rsyslog, Osquery, Suricata No Yes
Pricing Bill shock Free version and affordable premium

Demo

fleet_firewall2

Fleet

fleet_overview

Detections

detections_v1

Network IDS

nids_alerts_v1

Secure Configuration

sca_v1

Live Query distrib_query_v1