This Service Description describes Sophos Threat Advisor (“Service”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.
This Service Description is part of and incorporated into, as applicable: (i) Customer’s manually or digitally‐signed agreement with Sophos covering the purchase of a Service subscription; or (ii) if no such signed agreement exists, then this Service Description will be governed by the terms of the Sophos End User Terms of Use posted at https://www.sophos.com/legal (the “Agreement”). To the extent there is a conflict between the terms and conditions of the Agreement and this Service Description, the terms and conditions of this Service Description will take precedence.
Notwithstanding anything to the contrary in the Agreement, Customer acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/legal.
DEFINITIONS
“Case” is a Detection or set of Detections that has high severity level and warrants human review. Cases can be (i) generated automatically by policies or analytics applied to telemetry from MDR Compatible Sophos Products or Third-Party Systems, or (ii) manually created at the discretion of the Security Services Team.
“Detection” is a condition where data generated by MDR Compatible Sophos Products or Third-Party Systems is identified as an indicator of malicious or suspicious activity.
“Incident” is a confirmed compromise or unauthorized access of system(s) that poses an imminent threat to Customer assets, which includes interactive attackers, data encryption or destruction, and exfiltration.
“Investigation” is the formal process and methods used by the Security Services Team to confirm whether activity in Cases is malicious.
“MDR Compatible Sophos Products” refers to any Sophos products that send security telemetry and alerts to Sophos Central that can be used in support of Service delivery.
“Security Services Team” is the Sophos team conducting security Investigations and recommending Remediation Guidance.
“Third-Party Systems” are supported non-Sophos systems (e.g., endpoints, servers, firewalls, etc.) which are configured to send security telemetry from Customers’ security tools to the Service using Sophos integrations and integration mechanisms.
“Remediation Guidance” refers to guidance provided by Sophos regarding actions that may need to be taken by Customer on MDR Compatible Sophos Products or Third-Party Systems in order to help mitigate or resolve an Incident.
I. SCOPE OF SERVICE
1. The Service monitors security alerts from supported MDR Compatible Sophos Products and Third-Party Systems and includes the following activities:
1.1 Onboarding. During the onboarding process, the following activities must be performed by Customer as a precondition to delivery of the Service: (i) provide contact information, (ii) determine communication preferences (i.e., email, phone, Sophos Central portal), and (iii) configure all required Third-Party Systems.
1.2 Investigations and Escalation. Sophos will conduct the following Investigation and analysis activities for Cases originating from MDR Compatible Sophos Products and Third-Party Systems:
a) Analysis is conducted to enhance identification, aggregation, and prioritization of Detections, resulting in machine-generated Cases.
b) Investigations are performed to confirm threats, and Remediation Guidance is provided where applicable. No remediation actions are taken by the Security Services Team.
c) Notification and information about the Case is shared with the Customer based on Customer’s pre-selected communication preferences.
1.3 Availability. All monitoring and Investigation described in Section 1.2 above will be provided on a 24/7/365 basis.
1.4 Service Level Targets. The following service level targets are utilized to provide Customers with guidelines around timing expectations for Case creation and notification resulting from Investigations. These targets only apply to Investigations on Third-Party Systems.
| Target time for Case creation | 2 minutes from Detection |
| Target time for notification | 30 minutes from Case creation |
1.5 Reporting. Periodically, the Customer will be provided with reports relating to Detections and Cases.
1.6 Threat Intelligence Webinar. Sophos will provide Customer with access to the Sophos MDR ThreatCast webinar. During the webinar, Sophos will provide Customers insight into observed threat activity, the actions the Security Services Team has taken for such threat activity and discuss the broader threat landscape.
II. CUSTOMER RESPONSIBILITIES.
Customer acknowledges and agrees that, in addition to the actions set out in Article I, Section 1.1 above, Customer must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer’s failure to do so. Sophos reserves the right to suspend Service delivery until such time as Customer performs the required actions.
- Onboarding. Customer will perform all required activities during the onboarding process and maintain a valid and active Sophos Central account.
- Remediate Incidents. Customer must make reasonable efforts to timely remediate any Incidents reported by Sophos or by other third-party technologies that Customer utilizes for cybersecurity detection and protection. Sophos will not be responsible or liable for any issues caused by Customer’s failure to take remediation steps in a timely manner. Additionally, the Security Services Team has no obligation to notify Customer or generate new Cases from Detections for which Sophos has already provided recommended remediation steps.
- Customer Personnel. Customer must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provision of the Service. Customer’s personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.
- Timely Response. Customer must promptly acknowledge receipt of Sophos communications in writing and must timely respond to Sophos’s requests.
- Actions Outside the Scope of Service. All activities that are not expressly provided in this Service Description are outside of the scope of the Service. Customer is solely responsible and liable for: (i) taking any actions that are outside of the scope of the Service (e.g., Sophos’s suggestions regarding on-site response; all litigation and e-Discovery support; and collaboration with law enforcement); and (ii) for any actions undertaken by Sophos that are not provided in this Service Description under Customer’s specific direction. Customer acknowledges and agrees Sophos is not responsible for any security incidents, threats or compromises that occurred or existed prior to Service subscription start date.
- Non-Sophos Systems. Customer acknowledges and agrees that: (i) Sophos is not responsible for any changes made to any non-Sophos systems by their vendors or any party that impact Sophos’s ability to provide the Service; and (ii) Sophos, at its discretion, may add, remove, and modify supported non-Sophos systems. It is the responsibility of Customer to check the list of non-Sophos systems then currently supported by Sophos. Additionally, Customer must ensure all Third-Party Systems integrations function and continue to function properly throughout the Term. Customer must contact Sophos immediately in the event the Third-Party Systems have not been properly configured or if the Third-Party Systems do not support transmission of security telemetry to Sophos, in which case, Sophos will reasonably work with Customer to enable security telemetry transmission.
III. ADDITIONAL TERMS.
1. Service Exclusion. Customer agrees and acknowledges that Sophos will not be liable or be considered in breach of this Service Description or the Agreement (including any applicable SLA): (i) due to any delay or failure to perform its obligations hereunder as a result of industry- or infrastructure-wide ransomware, cyberwarfare or other cyberattacks that cause the Security Services Team to be unable to provide resources to address an Incident in a timely manner; (ii) due to unforeseen circumstances or to causes beyond Sophos’s reasonable control including but not limited to war, strike, riot, crime, acts of God, or shortage of resources; (iii) due to legal prohibition, including but not limited to, passing of a statute, decree, regulation, or order; (iv) during any period of Service suspension by Sophos in accordance with the terms of the Agreement; (v) if Customer is in breach of the Agreement (including without limitation if Customer has any overdue invoices); or (vi) during any scheduled maintenance windows.
2. Service Capabilities. Customer agrees and acknowledges that, while Sophos has implemented commercially reasonable technologies and processes as part of the Service, Sophos makes no guarantee that the Service will detect, prevent, or mitigate all Incidents. Customer agrees not to represent to anyone that Sophos has provided such a guarantee or warranty.
Revision Date: 9 February 2023