Service Description - Sophos Managed Threat Response and Sophos Rapid Response

This Service Description describes Sophos Managed Threat Response and Sophos Rapid Response (each a “Service”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.

This Service Description is part of and incorporated into: (i) Customer’s manually or digitally‐signed agreement with Sophos covering the purchase of a Service subscription; or (ii) if no such signed agreement exists, then this Service Description will be governed by the terms of the Sophos Services Agreement posted at https://www.sophos.com/en-us/legal.aspx (collectively referred to as the “Agreement”). To the extent there is a conflict between the terms and conditions of the Sophos Services Agreement and this Service Description, the terms and conditions of this Service Description will take precedence.

Notwithstanding anything to the contrary in the Agreement, Customer acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/en-us/legal.aspx.

I. DEFINITIONS

  1. “Active Threat” is an infection, compromise, or un-authorized access of asset(s) that is attempting to circumvent controls in an effort to compromise a Managed Endpoint.
  2. “Case” is a Detection or set of Detections that (i) is generated by a Managed Endpoint for human review, (ii) has been identified through Threat Hunting activities, or (iii) has been manually created at the discretion of the Security Services Team or at the request of the Customer.
  3. “Deployment” is guidance, advice, and remote assistance service offered by Sophos with configuration and deployment of Service Software.
  4. “Detection” is a condition where data generated by a Managed Endpoint has been identified as an indicator of malicious or suspicious activity.
  5. “Health” is the state of configurations and settings for the Managed Endpoint that affect the efficacy of the Managed Endpoint.
  6. “Health Check” is the act of reviewing Health to identify configurations and settings that may negatively impact the efficacy of the Managed Endpoint.
  7. “Managed Endpoint” is a desktop or server system where the Service Software is installed, up-to-date, and operational in support of Service delivery.
  8. “Security Services Team” is the Sophos team conducting Threat Hunting, investigation, and Response Actions.
  9. “Response Action” is an interaction with Managed Endpoints to investigate and neutralize Active Threats, including but not limited to remote query, host isolation, killing a process, blocking an IP address, and deleting malicious code.
  10. “Threat Hunting” is the process of proactively and iteratively searching through data originating from Service Software to identify signals and indicators of malicious activity.
  11. “Threat Response” includes the methods, processes, communications, and Response Actions utilized by the Security Services Team and the Customer, as applicable, to neutralize Active Threats.
  12. “Threat Response Lead” is a member of the Sophos Security Services Team who is identified as the primary individual responsible for assisting a Customer during an Active Threat.
  13. “Threat Response Mode” is the approach to notification, collaboration, and Threat Response adopted by the Security Services Team during delivery of the Service per Customer direction.

II. MANAGED THREAT RESPONSE (“MTR”)

1. SCOPE OF SERVICE.

The MTR Service is provided on Managed Endpoints and includes the following activities:

1.1 Onboarding. During the onboarding process, the following activities must occur as a precondition to delivery of the Service:

  1. Customer will (i) provide contact information, (ii) determine Customer communication preferences, and (iii) determine the Threat Response Mode.  

    Categories of Threat Response Modes are described below:

    • Notify: Investigate Cases to: (i)  determine if a Response Action is advisable or required to stop an Active Threat or to improve Health, and (ii) provide related guidance to Customer through email or the Sophos Central portal. No Response Actions are taken by the Security Services Team.
    • Collaborate: Conduct investigation and Response Actions in conjunction with Customer. No Response Actions are taken by the Security Services Team without Customer’s prior consent.
    • Authorize: Customer is notified of Response Actions taken by the Security Services Team.
  2. The Customer or Partner will install the required Service Software on all Managed Endpoints to be covered by the Service.
  3. On receipt of the telemetry from a Managed Endpoint, a Health Check will be initiated by Sophos to determine if the policies configured are suitable for the environment and expected capabilities.
    1. Before any investigation and Response Actions are initiated, any configurations that could diminish the Customer’s security posture will be communicated to the Customer, along with recommended steps to remediate the issues identified by the Health Check.
    2. Failure of Customer to implement Health Check recommendations during onboarding or during subsequent evaluations may result in diminished Service quality.

1.2 Investigations and Response. The following investigation and analysis activities for Detections originating from Managed Endpoints will be conducted by Sophos:

  1. Analysis is conducted to enhance identification, aggregation, and prioritization of Detections, resulting in machine-generated Cases.
  2. Cases are reviewed to determine what investigation and Response Actions are appropriate for neutralizing Active Threats.
  3. A formal investigation framework is utilized to supplement Cases with attack intelligence, drive continuous enrichment of Case details, and provide situational awareness throughout the investigation lifecycle.
  4. Escalation: information about the Case is shared with the Customer based on Customer’s pre-selected communication preferences.
  5. All monitoring, investigation, and Response Actions described in this Section 1.2 will be provided on a 24/7/365 basis. 
  6. The following service level targets are utilized to provide Customers with guidelines around timing expectations for Case creation and Response Actions resulting from investigations but excluding Threat Hunting.
    Target time for Case creation 2 minutes from Detection
    Target time for initial Response Action 30 minutes from Case creation

1.3 Threat Hunting. Threat Hunting will be conducted on Managed Endpoints to search for undiscovered or new threats, indicators of attack or compromise, or other attacker activities. When a Threat Hunt reveals signals or indicators of malicious activity, a Case is created, investigation is conducted, and upon verification of an Active Threat, Response Actions are initiated.

1.4 Reporting; Health Monitoring; Notification. Periodically, the Customer will be provided with (a) reports relating to Detections, investigations and Response Actions, and (b) notification of Health issues or significant misconfigurations that can degrade real-time protection, investigation, or the ability to take Response Actions.

1.5 To support Service delivery, the Security Services Team may use remote access tools to access or make changes to Managed Endpoints and may utilize administrative access to Customer’s Sophos Central environment to view or modify configurations. Access will be subject to Customer approval, either on a per-escalation basis or based on blanket pre-approval if the Customer has selected the “Authorize” Threat Response Mode. All access by the Security Services Team to Managed Endpoints and Sophos Central is recorded and logged.

CUSTOMER ACKNOWLEDGES AND AGREES THAT CUSTOMER’S AUTHORIZATION FOR SOPHOS TO MAKE ANY CHANGES TO, OR MODIFY CONFIGURATIONS IN, CUSTOMER’S ENVIRONMENT COULD RESULT IN INTERRUPTION OR DEGRADATION OF CUSTOMER’S SYSTEMS AND INFRASTRUCTURE.

2. TIERS OF MTR SERVICE OFFERINGS.

The Service is offered under two tiers: Standard and Advanced. The Standard tier of the Service includes the scope and benefits described in Section 1 above. The Advanced tier of the Service includes the Standard tier plus the following:

  • enhanced Threat Hunting utilizing proprietary methods to anticipate and identify indicators of attack and compromise based on factors specific to Customer’s environment;
  • assignment of a Dedicated Response Lead during Threat Response (Dedicated Response Lead is a named lead per shift on the Security Services Team who is the single point of contact during Threat Response);
  • direct call-in access to the Security Services Team;
  • proactive recommendations to prevent or reduce Active Threats;
  • scheduled discussion with Customer to review MTR capabilities and Cases upon Customer’s request; and
  • analysis of Detections originating from other Sophos Central-managed products via connectors.

III. RAPID RESPONSE

1. SCOPE OF SERVICE.

Rapid Response is a separate Service offering that is built on the MTR Advanced Service, and provides Customers with Threat Response during an Active Threat. All aspects of the Service will be provided remotely. Throughout the Rapid Response Service delivery phase, Rapid Response includes the scope and benefits of MTR Advanced Service (in accordance with Section II above) in addition to the following activities:

1.1 Kick-off. A kick-off call will be conducted to: a) exchange information about the Active Threat and Customer’s existing infrastructure; b) identify the scope and impact of the Active Threat; c) mutually define a response plan; d) establish communication preferences for Customer; and e) identify key stakeholders from Customer and their role in Service delivery.

1.2 Installation of Service Software. Once Service Software is installed and activated, the Security Services Team will utilize Service Software to perform Detection, investigation, and Response Actions. Until Service Software is installed in the Customer’s environment, the Security Services Team will only be able to provide technical advice and guidance for Active Threat triage and response planning. If Customer purchases Deployment (separately sold), Security Services Team will assist the Customer or Partner with installation of Service Software. Customer expressly agrees that any unused hours for Deployment will expire after the Rapid Response Subscription Term and payment for Deployment is non-refundable.

1.3 Threat Triage. The Threat Response Lead will work with the Customer to: a) conduct an assessment of Customer’s operating environment; b) understand any threat intelligence and/or other indicators of compromise or indicators of attack; c) perform the necessary data collection, which may include supplemental data (as further described in Section IV. 4); and d) initiate investigative activities and collaborate on a plan for initiating Response Actions.

1.4 Threat Neutralization. Additional investigation will be conducted and Response Actions will be performed to: a) remove the attacker’s access; b) stop further damage to compromised assets or data; c) recommend preventative actions to address the cause of the Active Threat; and d) monitor the compromised assets and data to detect reoccurrence.

2. SERVICE COMPLETION.

The Rapid Response phase of the Service concludes when the Active Threat present at the point of purchase of Rapid Response is neutralized. Sophos will provide written notification upon completion of the Service to Customer. Upon completion of the Rapid Response phase of the Service, Customer will be provided with the Advanced tier of the MTR Service for the remainder of the Rapid Response Subscription Term.

3. THREAT SUMMARY.

Within (10) days of completion of the Rapid Response Service, Sophos will deliver a written threat summary containing the following: a) a summary of investigation activities; b) technical findings; c) analysis of identified threats; d) threat specific remediation/mitigation steps; and e) general recommendations. Customer must within ten (10) days of receipt of the foregoing threat summary, provide written acknowledgement of Sophos’s completion of the Service. Customer’s failure to acknowledge completion of the Rapid Response Service or to provide reasons for refusing to confirm completion within the ten (10) day period will be deemed as Customer’s acceptance of completion of the Service.

IV. CUSTOMER RESPONSIBILITIES.

Customer acknowledges and agrees that, in addition to the actions set out in Section II. 1.1 above, Customer must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer’s failure to do so. Sophos reserves the right to suspend Service delivery until such time as Customer performs the required actions.

1. INSTALLATION REQUIREMENTS. Customer must: a) have a valid, active Sophos Central account, b) deploy and configure the Service Software to Managed Endpoints, and c) maintain compliance with all the requirements identified in Health Checks.

2. REMEDIATING KNOWN COMPROMISES. Customer must make reasonable efforts to timely remediate any compromises reported by Sophos or by other third-party technologies that Customer utilizes for cybersecurity detection and protection.

3. TIME AND DATE SETTINGS. Customer must ensure that all Managed Endpoints have accurate time and date settings. Sophos will not be responsible for errors, issues, and residual risk experienced or incurred by Customer for Detections generated by Managed Endpoints with inaccurate time and date settings.

4. SUPPORTING DATA. During the course of providing the Rapid Response Service, the Security Services Team may request additional supporting data, and Customer will ensure that Sophos has access to such supporting data at all times. Such supporting data may include, but is not limited to: ai) endpoint, server or network logs, b) architecture diagrams, and c) materials and resources related to Customer’s business and technical environment. Supporting data removal from Sophos systems will be initiated upon Customer’s written request.

5. CUSTOMER PERSONNEL. Customer must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provision of the Service. Customer’s personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.

6. TIMELY RESPONSE. Customer must promptly acknowledge receipt of Sophos communications in writing and must timely respond to Sophos’s requests.

7. THREAT RESPONSE MODE FOR RAPID RESPONSE. Customer must select the “Authorize” Threat Response Mode in Sophos Central for the Rapid Response Service.

8. Customer is solely responsible for taking any actions suggested by Sophos that are outside of the scope of the Service (e.g., Sophos’s suggestions regarding on-site response, litigation and e-Discovery support, and collaboration with law enforcement).

 

 

Revision Date: April 29, 2020