This Service Description describes Sophos Managed Threat Response (the “Service”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.
Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/en-us/legal.
- “Active Threat” is an infection, compromise, or unauthorized access of asset(s) that is attempting to circumvent controls in an effort to compromise a Managed Endpoint.
- “Case” is a Detection or set of Detections that (i) is generated by a Managed Endpoint for human review, (ii) has been identified through Threat Hunting activities, or (iii) has been manually created at the discretion of the Security Services Team or at the request of the Customer/MSP.
- “Detection” is a condition where data generated by a Managed Endpoint has been identified as an indicator of malicious or suspicious activity.
- “Health” is the state of configurations and settings for the Managed Endpoint that affect the efficacy of the Managed Endpoint.
- “Health Check” is the act of reviewing Health to identify configurations and settings that may negatively impact the efficacy of the Managed Endpoint.
- “Managed Endpoint” is a desktop or server system where the Service Software is installed, up-to-date, and operational in support of Service delivery.
- “Security Services Team” is the Sophos team conducting Threat Hunting, investigation, and Response Actions.
- “Response Action” is an interaction with Managed Endpoints to investigate and neutralize Active Threats, including but not limited to remote query, host isolation, killing a process, blocking an IP address, and deleting malicious code.
- “Threat Hunting” is the process of proactively and iteratively searching through data originating from Service Software to identify signals and indicators of malicious activity.
- “Threat Response” includes the methods, processes, communications, and Response Actions utilized by the Security Services Team and the Customer/MSP, as applicable, to neutralize Active Threats.
- “Threat Response Lead” is a member of the Sophos Security Services Team who is identified as the primary individual responsible for assisting a Customer/MSP during an Active Threat.
- “Threat Response Mode” is the approach to notification, collaboration, and Threat Response adopted by the Security Services Team during delivery of the Service per Customer/MSP direction.
II. SCOPE OF SERVICE
1. The Service is provided on Managed Endpoints and includes the following activities:
1.1 Onboarding. During the onboarding process, the following activities must occur as a precondition to delivery of the Service:
- Customer/MSP will (i) provide contact information, (ii) determine Customer/MSP communication preferences (i.e. email, phone, Sophos Central portal), and (iii) determine the Threat Response Mode. MSP must act as the contact for any Service to be provided to a Beneficiary of MSP’s.
- MSP is solely responsible for: (i) obtaining any consents or information required from its Beneficiaries in order for Sophos to perform the Service, (ii) ensuring that Beneficiaries take all actions required of Customers in this Service Description, and (iii) advising Beneficiaries of the risks and potential impacts of the Service.
- The Customer, MSP, or Partner will install the required Service Software on all Managed Endpoints to be covered by the Service.
Categories of Threat Response Modes are described below:
- Notify: Investigate Cases to: (i) determine if a Response Action is advisable or required to stop an Active Threat or to improve Health, and (ii) provide related guidance to Customer/MSP through email or the Sophos Central portal. No Response Actions are taken by the Security Services Team.
- Collaborate: Conduct investigation and Response Actions in conjunction with Customer/MSP. No Response Actions are taken by the Security Services Team without Customer/MSP’s prior consent.
- Authorize: Customer/MSP is notified of Response Actions taken by the Security Services Team.
- On receipt of the telemetry from a Managed Endpoint, a Health Check will be initiated by Sophos to determine if the policies configured are suitable for the environment and expected capabilities.
- Before any investigation and Response Actions are initiated, any configurations that could diminish the Customer’s/MSP’s/Beneficiary’s security posture will be communicated to the Customer/MSP, along with recommended steps to remediate the issues identified by the Health Check.
- Failure of Customer/MSP/Beneficiary to implement Health Check recommendations during onboarding or during subsequent evaluations may result in diminished Service quality.
1.2 Investigations and Response. The following investigation and analysis activities for Detections originating from Managed Endpoints will be conducted by Sophos:
- Analysis is conducted to enhance identification, aggregation, and prioritization of Detections, resulting in machine-generated Cases.
- Cases are reviewed to determine what investigation and Response Actions are appropriate for neutralizing Active Threats.
- A formal investigation framework is utilized to supplement Cases with attack intelligence, drive continuous enrichment of Case details, and provide situational awareness throughout the investigation lifecycle.
- Escalation: information about the Case is shared with the Customer/MSP based on Customer’s/MSP’s pre-selected communication preferences.
- All monitoring, investigation, and Response Actions described in this Section 1.2 will be provided on a 24/7/365 basis.
- The following service level targets are utilized to provide Customers/MSPs with guidelines around timing expectations for Case creation and Response Actions resulting from investigations but excluding Threat Hunting.
- Target time for Case creation: 2 minutes from Detection
- Target time for initial Response Action: 30 minutes from Case creation
1.3 Threat Hunting. Threat Hunting will be conducted on Managed Endpoints to search for undiscovered or new threats, indicators of attack or compromise, or other attacker activities. When a Threat Hunt reveals signals or indicators of malicious activity, a Case is created, investigation is conducted, and upon verification of an Active Threat, Response Actions are initiated.
1.4 Reporting; Health Monitoring; Notification. Periodically, the Customer/MSP will be provided with (a) reports relating to Detections, investigations and Response Actions, and (b) notification of Health issues or significant misconfigurations that can degrade real-time protection, investigation, or the ability to take Response Actions.
1.5 Remote Access Tools. To support Service delivery, the Security Services Team may use remote access tools to access or make changes to Managed Endpoints and may utilize administrative access to Customer’s/MSP’s Sophos Central environment to view or modify configurations. Access will be subject to Customer/MSP approval, either on a per-escalation basis or based on blanket pre-approval if the Customer/MSP has selected the “Authorize” Threat Response Mode. All access by the Security Services Team to Managed Endpoints and Sophos Central is recorded and logged.
CUSTOMER/MSP ACKNOWLEDGES AND AGREES THAT CUSTOMER’S AUTHORIZATION FOR SOPHOS TO MAKE ANY CHANGES TO, OR MODIFY CONFIGURATIONS IN, CUSTOMER’S/MSP’S/BENEFICIARY’S ENVIRONMENT COULD RESULT IN INTERRUPTION OR DEGRADATION OF CUSTOMER’S/MSP’S/BENEFICIARY’S SYSTEMS AND INFRASTRUCTURE.
2. TIERS OF MTR SERVICE OFFERINGS.
The Service is offered under two tiers: Standard and Advanced. The Standard tier of the Service includes the scope and benefits described in Section 1 above. The Advanced tier of the Service includes the Standard tier plus the following:
- enhanced Threat Hunting utilizing proprietary methods to anticipate and identify indicators of attack and compromise based on factors specific to Customer’s/MSP’s/Beneficiary’s environment;
- assignment of a Dedicated Response Lead during Threat Response (Dedicated Response Lead is a named lead per shift on the Security Services Team who is the single point of contact during Threat Response);
- direct call-in access to the Security Services Team;
- proactive recommendations to prevent or reduce Active Threats;
- scheduled discussion with Customer/MSP to review MTR capabilities and Cases upon Customer/MSP’s request; and
- analysis of Detections originating from other Sophos Central-managed products via connectors.
III. CUSTOMER/MSP RESPONSIBILITIES.
Customer/MSP acknowledges and agrees that, in addition to the actions set out in Section II. 1.1 above, Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to do so. Sophos reserves the right to suspend Service delivery until such time as Customer/MSP performs the required actions.
1. Onboarding. Customer/MSP will (i) provide contact information, and (ii) determine Customer/MSP communication preferences (i.e. email, phone, Sophos Central portal). MSP must act as the contact for any Service to be provided to a Beneficiary of MSP’s.
2. Installation Requirements. Customer/MSP/Beneficiary must: a) have a valid, active Sophos Central account, b) deploy and configure the Service Software to Managed Endpoints, c) maintain compliance with all the requirements identified in Health Checks, and d) meet minimum system requirements to install Sophos Software.
3. Remediating Active Threats. Customer/MSP must make reasonable efforts to timely remediate any compromises reported by Sophos or by other third-party technologies that Customer/MSP/Beneficiary utilizes for cybersecurity detection and protection.
4. Time and Date Settings. Customer/MSP must ensure that all Managed Endpoints have accurate time and date settings. Sophos will not be responsible for errors, issues, and residual risk experienced or incurred by Customer/MSP for Detections generated by Managed Endpoints with inaccurate time and date settings.
5. Customer/MSP Personnel. Customer/MSP must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provision of the Service. Customer/MSP’s personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.
6. Timely Response. Customer/MSP must promptly acknowledge receipt of Sophos communications in writing and must timely respond to Sophos’s requests.
7. Actions Outside the Scope of Service. Customer/MSP is solely responsible for taking any actions suggested by Sophos that are outside of the scope of the Service (e.g., Sophos’s suggestions regarding on-site response, litigation and e-Discovery support, and collaboration with law enforcement).
8. MSP Additional Responsibilities. MSP is solely responsible for: (i) obtaining any consents or information required from its Beneficiaries in order for Sophos to perform the Service, (ii) ensuring that Beneficiaries take all actions required of Customers in this Service Description, (iii) ensuring that its Beneficiaries understand the risks associated with performance of this Service, and (iv) ensuring that any Beneficiary for which MSP performs this Service has agreed to accept all such risks. MSP will indemnify and hold Sophos harmless for any claim brought against Sophos by a Beneficiary if such claim results, in whole or in part, from MSP’s failure to fully perform its obligations under this Service Description, the Services Agreement or the Agreement with respect to the Service.
Revision Date: 17 January 2022