Managed Detection and Response Essentials and Managed Detection and Response Complete
This Service Description describes Sophos Managed Detection and Response Essentials and Sophos Managed Detection and Response Complete (each a “Service”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.
Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/legal.
Capitalized terms used in this Service Description, and not otherwise defined in the Agreement, have the meaning given below:
“Case” is a Detection or set of Detections that has high severity level and warrants human review. Cases can be (i) generated automatically by policies or analytics applied to telemetry from Managed Endpoints and Third-Party Systems, (ii) identified through Threat Hunting activities, or (iii) manually created at the discretion of the Security Services Team or at the request of the Customer/MSP.
“Detection” is a condition where data generated by a Managed Endpoint or Third-Party Systems is identified as an indicator of malicious or suspicious activity.
“Health” is the state of configurations and settings for a Managed Endpoint running Sophos Intercept X Advanced with XDR that affect the efficacy of the security of that Managed Endpoint.
“Health Check” is the act of reviewing Health to identify configurations and settings that may impact the efficacy of the security of a Managed Endpoint.
“Incident” is a confirmed compromise or un-authorized access of system(s) that poses an imminent threat to Customer/MSP assets, which includes interactive attackers, data encryption or destruction, and exfiltration.
“Incident Response Lead” is a member of the Sophos Security Services Team who is identified as the primary individual responsible for assisting a Customer/MSP during Incident Response.
“Incident Response” is the technical process performed remotely by the Security Services Team to Investigate, mitigate, and neutralize an Incident.
“Investigation” is the formal process and methods used by the Security Services Team to confirm whether activity in a Case is malicious and requires Threat Response.
“Managed Endpoint(s)” is any physical or virtual endpoint device or a server system where Sophos Intercept X Advanced with XDR or Sophos XDR Sensor is installed, up-to-date, and operational in support of Service delivery.
“MDR Compatible Sophos Products” refers to any Sophos products that send security telemetry and alerts to Sophos Central that can be used in support of Service delivery.
“Response Action” is an interaction with Managed Endpoints to perform Investigation and Threat Response, including but not limited to remote query, host isolation, terminating a process, blocking an IP address, and deleting malicious artifacts. Sophos’s escalation of Cases using Customer’s/MSP’s pre-selected communication preferences shall also be deemed Response Action.
“Security Services Team” is the Sophos team conducting security Investigations, Threat Hunting, Response Actions, and Incident Response.
“Third-Party Systems” are supported non-Sophos systems (e.g., endpoints, servers, firewalls, etc.) which are configured to send security telemetry from Customers’ security tools to the Service using Sophos integrations and integration mechanisms.
“Third-Party Remediation Guidance” refers to guidance provided by Sophos regarding actions that may need to be taken by Customer/MSP on Third-Party Systems or Customer’s security tools during Threat Response, or in order to help mitigate or resolve an Incident.
“Threat Hunting” is the process of proactively and iteratively searching through data originating from Service Software and/or Third-Party Systems using a combination of manual and semi-automated activities to identify signals and indicators of malicious activity that may have bypassed existing prevention and detection controls.
“Threat Response” includes the methods, processes, communications, and Response Actions utilized by the Security Services Team and the Customer/MSP, as applicable, to contain or disrupt malicious activity.
“Threat Response Mode” is the type of action to be taken (i.e., Collaborate, or Authorize as set forth in Article III, Section 1.2) by the Security Services Team during delivery of the Service as determined by Customer/MSP during onboarding.
- Sophos Intercept X Advanced with XDR is hereinafter referred to as "Sophos XDR," and Sophos XDR Sensor is herinafter referred to as "XDR Sensor."
- Where the term Service Software is used within this Service Description, it shall be deemed to mean Sophos XDR and/or XDR Sensor, as the context dictates.
II. TIERS OF SERVICE
There are two tiers of Service available for purchase by Customer/MSP: Managed Detection and Response Essentials (“MDR Essentials”) and Managed Detection and Response Complete (“MDR Complete”).
- MDR Essentials - Includes the activities and benefits described in Article III Section 1. Customers must run Sophos XDR and/or XDR Sensor on Managed Endpoints.
- MDR Complete - Includes the activities and benefits described in Article III Sections 1 and 2. Activities and benefits described in Article III Section 2 are only available on Managed Endpoints running Sophos XDR.
III. SCOPE OF SERVICE
The Service consists of the activities described below for the tier purchased by Customer/MSP.
1. The following activities are applicable to both MDR Essentials and MDR Complete Service tiers:
1.1 Onboarding. During the onboarding process, the following activities must be performed by Customer/MSP as a precondition to delivery of the Service.
a. Customer/MSP will (i) provide contact information, (ii) determine Customer/MSP communication preferences (i.e., email, phone, Sophos Central portal), and (iii) determine the Threat Response Mode. MSP must act as the contact for any Service to be provided to a Beneficiary of MSP's.
b. MSP is solely responsible for: (i) obtaining any consents or information required from its Beneficiaries in order for Sophos to perform the service, (ii) ensuring that Beneficiaries take all actions required for Customers in this Service Description, and (iii) advising Beneficiaries of the risks and potential impacts of the Service.
c. The Customer, MSP, or Partner will install either Sophos XDR or the XDR Sensor on all Managed Endpoints to be covered by the Service. Additionally, the Customer, MSP, or Partner will configure all required Third-Party Systems.
1.2. Categories of Threat Response Modes
In accordance with 1.1, the Customer, MSP, or Partner will select the desired Threat Response Mode for the Security Services Teams’ interaction with the Customer or MSP when an Investigation warrants Threat Response. Threat Response Mode choices are:
- Collaborate: The Security Services Team will conduct Investigations but no Response Actions are taken without Customer/MSP’s prior consent or active involvement. However, certain Response Actions such as remote query may be undertaken without Customer consent or involvement.
- An option exists under Collaborate, which if selected, authorizes the Security Services Team to operate in Authorize mode in the event Sophos does not receive acknowledgment from Customer/MSP after attempting to contact all Customer defined contacts.
- Authorize: Security Services Team performs Threat Response independent of Customer/MSP and Customer/MSP is notified of Response Actions taken.
1.3 Sophos Account Health Check. Health Check capabilities are only available on Managed Endpoints running Sophos XDR. Security Services Team will run a Health Check on all applicable Managed Endpoints as part of the onboarding process.
Customer/MSP will be notified of any configurations that could diminish the Customer’s/MSP’s/Beneficiary’s security posture along with the required steps to remediate the issues identified by the Health Check.
Failure of Customer/MSP/Beneficiary to implement Health Check recommendations during onboarding or during subsequent evaluations may result in diminished Service quality.
1.4 Triage, Investigation, and Threat Response. Sophos will conduct the following investigation and analysis activities for Cases originating from Managed Endpoints and Third-Party Systems:
a. Analysis is conducted to enhance identification, aggregation, and prioritization of Detections, resulting in machine-generated Cases.
b. Investigations are performed to confirm threats, and Threat Response is performed where appropriate. During the course of Service performance, Security Services Team may use the results of Investigations to filter out expected activity to enhance the visibility of suspicious activities in Customer’s environment.
c. Notification and information about the Case is shared with the Customer/MSP based on Customer’s/MSP’s pre-selected communication preferences.
1.5. Availability. All monitoring, Investigation, and Response Actions described in Section 1.4 above will be provided on a 24/7/365 basis. Customer will also have direct call-in access to the Security Services Team to review suspected Incidents on a 24/7/365 basis.
1.6 Service Level Targets. The following service level targets are utilized to provide Customers/MSPs with guidelines around timing expectations for Case creation and Response Actions resulting from Investigations but excluding Threat Hunting. These targets only apply to Investigations on Managed Endpoints and Third-Party Systems.
|Target time for Case creation||2 minutes from Detection|
|Target time for initial Response Action||30 minutes from Case creation|
1.7 Threat Hunting. Security Services Team will conduct Threat Hunting to proactively search for threats that may have evaded existing detection controls based on threat intelligence and relevant indicators of compromise observed in Incident Response engagements and Investigations. Threat Hunting is limited to data collected from Managed Endpoints and supported Third-Party Systems and will focus on identification of attacker behaviors and tactics. If Threat Hunting reveals indicators of malicious activity, a Case will be created and an Investigation will be performed.
1.8 Threat Response. Threat Response includes threat containment and disruption, and endpoint isolation on Managed Endpoints, and where possible, Sophos may provide Third-Party Remediation Guidance.
1.9 Reporting; Health Monitoring; Notification. Periodically, Sophos will provide the Customer/MSP with: (a) reports relating to Detections, Cases, and Response Actions, and (b) notification of Health issues or significant misconfigurations that can degrade real-time protection, investigation, or the ability to take Response Actions.
1.10 Threat Intelligence Webinar. Sophos will provide Customer with access to the Sophos MDR ThreatCast webinar. During the webinar, Sophos will provide Customers/MSP insight into observed global threat activity, the actions the Security Services Team has taken for such threat activity and discuss the broader threat landscape.
1.11 Remote Access Tools. To support Service delivery, the Security Services Team may utilize Sophos owned or selected remote access tools. to access or make changes to Managed Endpoints and may utilize administrative access to Customer’s/MSP’s Sophos Central environment to view or modify configurations. If Customer/MSP has selected Authorized Threat Response Mode, then such access will not require any additional approval. If Customer/MSP has selected Collaborate Threat Response Mode, Sophos will request the necessary authorization before performing any modifications. All access by the Security Services Team to Managed Endpoints and Sophos Central is recorded and logged.
CUSTOMER/MSP ACKNOWLEDGES AND AGREES THAT CUSTOMER’S AUTHORIZATION FOR SOPHOS TO MAKE ANY CHANGES TO, OR MODIFY CONFIGURATIONS IN, CUSTOMER’S/MSP’S/BENEFICIARY’S ENVIRONMENT COULD RESULT IN INTERRUPTION OR DEGRADATION OF CUSTOMER’S/MSP’S/BENEFICIARY’S SYSTEMS AND INFRASTRUCTURE. CUSTOMER/MSP FURTHER ACKNOWLEDGE THAT FAILURE TO GRANT AUTHORIZATION FOR SUCH CHANGES COULD RESULT IN NEW MALICIOUS ACTIVITY OR THE WORSENING OF EXISTING MALICIOUS ACTIVITY. SOPHOS WILL HAVE NO LIABILITY TO CUSTOMER/MSP FOR ANY DAMAGES ARISING FROM OR RELATED TO SUCH NEW OR WORSENED MALICIOUS ACTIVITY IF THE CUSTOMER/MSP HAS DENIED SOPHOS’S REQUEST FOR AUTHORIZATION TO MAKE CHANGES OR MODIFICATIONS.
1.12 Translation Services for Customers in Japan Only. Sophos may offer translation services through a third-party service provider(s) to translate all verbal communications between Sophos and Customer (“Translation Services”). The Translation Services are provided at Customer’s sole option and for Customer’s convenience only. Customer acknowledges and agrees that Sophos is not responsible for the accuracy, completeness, or reliability of the Translation Services provided by such third-party service provider(s), and Sophos is not liable for any issues arising from the Translation Services.
2. The following are applicable only to MDR Complete Service tier.
2.1 Additional Scope and Benefits. MDR Complete consists of everything described in Section 1 above, plus everything listed in this Section 2.
a. Remote Incident Response in the event of a security Incident, which includes the following activities. Incident Response is only available on Managed Endpoints running Sophos XDR prior to the occurrence of the Incident. All Incident Response activities are conducted remotely on Managed Endpoints using remote access tools.
- Assignment of a dedicated Incident Response Lead (one assigned per shift) to interface with the Customer.
- Perform triage and Investigation to identify the scope and impact of the Incident to support containment.
- Analysis of additional data sources and data provided or made available by the Customer.
- Response Actions will be taken to neutralize malicious access and stop further damage to compromised assets or data.
- Provide remediation guidance where Security Services Team is unable to perform Response Actions and requires Customer involvement.
- Incident status reporting and action item tracking.
- Proactive recommendations designed to prevent or reduce reoccurence of the Incident.
b. Direct call-in access to the Security Services Team to review Cases and Incidents.
c. Investigation of Cases originating from other MDR Compatible Sophos Products for which the Customer has a license.
d. Service Level Agreement in accordance with Section 2.2.
e. Warranty for the Service in accordance with the terms available at www.sophos.com/legal/mdr-complete-warranty.
2.2 Service Level Agreement ("SLA"). The SLA refers to the Response Time (defined below) by the Security Services Team and is only applicable to the MDR Complete Service tier. The SLA is only available to Customers that have purchased MDR Complete subscription, and not available to MSPs. For the avoidance of doubt, those Customers that have been migrated from their existing Sophos Managed Threat Response subscription to MDR Complete ("Existing Customers") will not be entitled to the SLA until such Customers renew their MDR Complete subscription. For Existing customers, the SLA will apply upon the MDR Complete subscription renewal.
a. Definitions. The following defined terms apply to this Service Level Agreement:
"High Severity Case" means a case Case created from Detections generated automatically by policies or analytics applied to telemetry from Managed Endpoints and/or Third-Party Systems that is determined to be of high or critical severity after review by the Sophos Services Team.
"Response Time" means the elapsed time between the identification of a High Severity Case and the time the Security Services Team initiates: (i) contact to notify Customer of such High Severity Case either via email or phone, or (ii) Response Action for Customers that have selected “Authorize” Threat Response Mode.
b. Service Commitments. Response Time will be within sixty (60) minutes for ninety percent (90%) of High Severity Cases measured on a monthly basis, beginning on: (i) the first day of the Service subscription renewal date for Existing Customers; and (ii) the first day of the fourth month of Sophos's provision of the Service for the net new Customer. If Sophos fails to meet the foregoing Response Time more than three times in any rolling twelve (12) month period, then Sophos shall be deemed to have missed the SLA.
c. Service Credit. In the event Sophos missed the SLA as described above, Customer will be entitled to a credit in the amount of five percent (5%) of the fees paid for the Service during the previous billing cycle, or five thousand dollars ($5,000) (the "Service Credit"), whichever is lesser. Service Credit will be applied towards the subscription fee for the next Service subscription term. If Customer has earned the Service Credit and allows the subscription to lapse for any period past the prepaid subscription term, then the Service Credit will be forfeited.
d. Service Credit Request Procedure. Customer must request the Service Credit in writing and deliver such requests to SLACreditClaims@sophos.com with "MDR Service Credit" in the subject line within thirty (30) calendar days from the time Customer becomes eligible to receive a Service Credit, and Customer’s Service Credit request must be supported with evidence from log or report data. If not requested during this time, the Service Credit will expire and no longer be claimable. Customer will be entitled to claim a Service Credit no more than three (3) times in any calendar year. All Service Credit requests will be subject to verification by Sophos.
e. Exclusions. Sophos shall not be responsible for meeting the SLA in whole or in part due to conditions provided in Article V Section 1 below.
IV. CUSTOMER/MSP RESPONSIBILITIES.
For either of the above tiers of the Service, Customer/MSP acknowledges and agrees that, in addition to the actions required of Customer/MSP in Article II above, Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to take the required actions. Sophos reserves the right to suspend Service delivery until such time as Customer/MSP performs the required actions. Failure to complete the required actions after written notice from Sophos (including email notice from the Security Services Team to the Customer/MSP designated contacts) shall constitute a material breach by Customer/MSP of the Agreement.
1. Onboarding. Customer/MSP will perform all required activities during the onboarding process.
2. Installation Requirements. Customer/MSP/Beneficiary must: a) have a valid, active Sophos Central account, b) deploy and configure the applicable Service Software to Managed Endpoints, and c) maintain compliance with all the requirements identified in Health Checks, and d) meet minimum system requirements to install Service Software, e) setup and configure all required Third-Party Systems to enable transmission of all applicable security telemetry to Sophos in a format that is compatible with the Service; and f) run only supported versions of Service Software and/or third-party security tools. Customer/MSP acknowledges and agrees that Service Software must be deployed on at least eighty percent (80%) of licensed volume as this is necessary to provide Security Services Team with sufficient visibility into Customer’s/MSP’s environment for Service delivery.
3. Remediating Known Threats. Customer/MSP must make reasonable efforts to timely remediate any compromises reported by Sophos or by other third-party technologies that Customer/MSP/Beneficiary utilizes for cybersecurity detection and protection. Sophos will not be responsible or liable for any issues caused by Customer’s/MSP’s failure to take remediation steps in a timely manner. Additionally, the Security Services Team has no obligation to notify Customer/MSP or generate new Cases from Detections for which Sophos has already provided recommended remediation steps.
4. Time and Date Settings. Customer/MSP must ensure that all Managed Endpoints have accurate time and date settings. Sophos will not be responsible for errors, issues, and residual risk experienced or incurred by Customer/MSP for Detections generated by Managed Endpoints with inaccurate time and date settings.
5. Customer/MSP Personnel. Customer/MSP must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provision of the Service. Customer/MSP’s identified personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.
6. Timely Response. Customer/MSP must promptly acknowledge receipt of Sophos communications in writing (via email or other agreed method) and must timely respond to Sophos’s requests.
7. Actions Outside the Scope of Service. All activities that are not expressly provided in this Service Description are outside of the scope of the Service. Customer/MSP is solely responsible and liable for: (i) taking any actions that are outside of the scope of the Service (e.g., Sophos’s suggestions regarding on-site response; all litigation and e-Discovery support; and collaboration with law enforcement); and (ii) for any actions undertaken by Sophos that are not provided in this Service Description under Customer’s/MSP’s specific direction. Customer/MSP acknowledge and agree Sophos is not responsible for any security incidents, threats or compromises that occurred or existed prior to Service subscription start date. In addition, Customer/MSP is responsible for neutralizing any Incidents and/or confirmed threats in Third-Party Systems that cannot be resolved by Sophos.
8. Non-Sophos Systems. Customer/MSP acknowledges and agrees that: (i) Sophos is not responsible for any changes made to any non-Sophos systems by their vendors or any party that impact either the integration with Service or Sophos’s ability to provide the Service; and (ii) Sophos, at its discretion, may add, remove, and modify supported non-Sophos systems. It is the responsibility of Customer/MSP to check the list of non-Sophos system then currently supported by Sophos. Additionally, Customer/MSP must ensure all Third-Party Systems integrations function and continue to function properly throughout the Term. Customer/MSP must contact Sophos immediately in the event the Third-Party Systems have not been properly configured or if the Third-Party Systems do not support transmission of security telemetry to Sophos, in which case, Sophos will reasonably work with Customer/MSP to enable security telemetry transmission.
9. Actions Taken by Partners. Customer may allow Partners to take certain actions within the scope of the Service on Customer’s behalf, in which case Customer is responsible for all actions or omissions of such Partner. Sophos will not be liable for Partners’ actions or omissions.
10. MSP Additional Responsibilities. MSP is solely responsible for: ensuring that any Beneficiary for which MSP performs this Service has agreed to accept all risks described in this Service Description or otherwise inherent in the Service. MSP will indemnify and hold Sophos harmless for any claim brought against Sophos by a Beneficiary if such claim results, in whole or in part, from MSP’s failure to fully perform its obligations under this Service Description or the Agreement with respect to the Service.
V. ADDITIONAL TERMS.
1. Service Exclusion. Customer/MSP agrees and acknowledges that Sophos will not be liable or be considered in breach of this Service Description or the Agreement (including any applicable SLA): (i) due to any delay or failure to perform its obligations hereunder as a result of industry or infrastructure wide ransomware, cyberwarfare or other cyberattacks that causes Security Services Team to be unable to provide resources to address an Incident in a timely manner; (ii) due to unforeseen circumstances or to causes beyond Sophos reasonable control including but not limited war, strike, riot, crime, acts of God, or shortage of resources; (iii) due to legal prohibition, including but not limited to, passing of a statute, decree, regulation, or order; (iv) during any period of Service suspension by Sophos in accordance with the terms of the Agreement; (v) if Customer/MSP is in breach of the Agreement (including without limitation if Customer has any overdue invoices); or (vi) during any scheduled maintenance windows.
2. Service Capabilities. Customer/MSP agrees and acknowledges while Sophos has implemented commercially reasonable technologies and process as part of the Service, Sophos makes no guarantee that the Service will detect, prevent, or mitigate all Incidents. Customer/MSP agrees not to represent to anyone that Sophos has provided such a guarantee or warranty.
Revision Date: 22 August 2023