This Service Description describes Sophos Rapid Response (the “Service” or “Rapid Response Service”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.
Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality without notice to Customer/MSP; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/legal.
“Active Threat” is an infection, compromise, or un-authorized access of asset(s) that is attempting to circumvent controls in an effort to compromise a Managed Endpoint.
“Case” is a Detection or set of Detections that has high severity level and warrants human review. Cases can be (i) generated automatically by policies or analytics applied to telemetry from Managed Endpoints, (ii) identified through Threat Hunting activities, or (iii) manually created at the discretion of the Security Services Team or at the request of the Customer/MSP.
“Deployment” is guidance, advice, and remote assistance service offered by Sophos with configuration and deployment of Service Software.
“Detection” is a condition where data generated by a Managed Endpoint is identified as an indicator of malicious or suspicious activity.
“Health” is the state of configurations and settings for the Managed Endpoint that affect the efficacy of the security of a Managed Endpoint.
“Health Check” is the act of reviewing Health to identify configurations and settings that may negatively impact the efficacy of the security of a Managed Endpoint.
"Incident" is a confirmed compromise or un-authorized access of system(s) that poses an imminent threat to Customer/MSP assets, which include interactive attackers, data encryption or destruction, and exfiltration.
"Incident Response" is the technical process performed remotely by the Security Services Team to Investigate, mitigate, and neutralize an Incident.
“Incident Response Lead” is a member of the Sophos Security Services Team who is identified as the primary individual responsible for assisting a Customer/MSP during an Incident Response.
"Investigation" is the formal process and methods used by the Security Services Team to confirm whether activity in a Case is malicious and requires Threat Response.
“Managed Endpoint(s)” is any physical or virtual endpoint device or a server system where the Service Software is installed, up-to-date, and operational in support of Service delivery.
“Security Services Team” is the Sophos team conducting Investigations, Threat Hunting, Response Actions, and Incident Response.
“Response Action” is an interaction with Managed Endpoints to perform Investigation and Threat Hunting, including but not limited to remote query, host isolation, terminating a process, blocking an IP address, and deleting malicious artifacts.
“Threat Hunting” is the process of proactively and iteratively searching through data originating from Service Software using a combination of manual and semi-automated activity to identify signals and indicators of malicious activity that may have bypassed existing prevention and detection controls.
“Threat Response” includes the methods, processes, communications, and Response Actions utilized by the Security Services Team and the Customer/MSP, as applicable, to contain or disrupt malicious activity.
“Threat Response Mode” is the type of action to be taken (i.e., Collaborate, or Authorize) by the Security Services Team during delivery of the Service as determined by Customer/MSP during onboarding.
II. SCOPE OF SERVICE
Rapid Response service is built on, and provides the benefits of Managed Detection and Response Complete service (“MDR Complete”), and provides Customers/MSPs with Threat Response during an Incident present at the point of Service purchase. The subscription for Rapid Response Service includes the scope and benefits of the MDR Complete (except for SLA and Warranty) which will be provided to the Customer for free and in accordance with the Managed Detection and Response Service Description during the Subscription Term. Managed Detection and Response Service Description is incorporated by reference herein and terms and conditions applicable to MDR Complete will also apply to Rapid Response Service.
All aspects of the Service will be provided remotely.
In addition to the activities set forth in the Managed Detection and Response Service Description, Rapid Response Service specifically includes the following:
1. THREAT NEUTRALIZATION PROCESS
1.1 Kick-off. A kick-off call will be conducted to: a) exchange information about the Incident and Customer/MSP’s/Beneficiary’s existing infrastructure; b) identify the scope and impact of the Incident; c) mutually define a response plan; d) establish communication preferences for Customer/MSP; and e) identify key stakeholders from Customer/MSP and their role in Service delivery.
1.2 Installation of Service Software. Once Service Software is installed and activated, the Security Services Team will utilize Service Software to perform Detection, Investigation, and Response Actions. Until Service Software is installed in the Customer/MSP’s environment, the Security Services Team will only be able to provide technical advice and guidance for Incident triage and response planning. If Customer/MSP requires Deployment assistance for the Services Software, Security Services Team will assist the Customer, MSP or Partner with installation of Service Software at no additional charge.
1.3 Threat Triage. The Threat Response Lead will work with the Customer/MSP to: a) conduct an assessment of Customer/MSP’s operating environment; b) understand and assess any threat intelligence and/or other indicators of compromise or indicators of attack; c) perform the necessary data collection, which may include supplemental data (as further described in Section IV. 4); and d) initiate Investigation and collaborate on a plan for initiating Response Actions.
1.4 Threat Neutralization. Additional Investigation will be conducted and Response Actions will be performed to: a) remove the attacker’s access; b) stop further damage to compromised assets or data; c) recommend preventative actions to address the cause of the Incident; and d) monitor the compromised assets and data to detect reoccurrence.
1.5 Remote Access Tools. To support Service delivery, the Security Services Team may utilize Sophos owned or selected remote access tools to access or make changes to Managed Endpoints and may utilize administrative access to Customer’s/MSP’s Sophos Central environment to view or modify configurations. Access will be subject to Customer/MSP approval, either on a per-escalation basis or based on blanket pre-approval if the Customer/MSP has selected the “Authorize” Threat Response Mode. All access by the Security Services Team to Managed Endpoints and Sophos Central is recorded and logged.
CUSTOMER/MSP ACKNOWLEDGES AND AGREES THAT CUSTOMER’S AUTHORIZATION FOR SOPHOS TO MAKE ANY CHANGES TO, OR MODIFY CONFIGURATIONS IN, CUSTOMER’S/MSP’S/BENEFICIARY’S ENVIRONMENT COULD RESULT IN INTERRUPTION OR DEGRADATION OF CUSTOMER’S/MSP’S/BENEFICIARY’S SYSTEMS AND INFRASTRUCTURE.
2. SERVICE COMPLETION.
Sophos will provide written notification to Customer/MSP upon neutralization of the Incident present at the point of Service purchase. Thereafter, Customer/MSP will be provided with the MDR Complete for free and in accordance with the Managed Detection and Response Service Description for the remainder of the Subscription Term.
3. THREAT SUMMARY.
After of completion of the Rapid Response Service, Sophos will deliver a written threat summary containing the following: a) a summary of the Investigation; b) technical findings; c) analysis of identified threats; d) threat specific remediation/mitigation steps; and e) general recommendations. Customer/MSP must within ten (10) days of receipt of the foregoing threat summary, provide written acknowledgement of Sophos’s completion of the Service. Customer/MSP’s failure to acknowledge completion of the Rapid Response Service or to provide reasons for refusing to confirm completion within the ten (10) day period will be deemed as Customer/MSP’s acceptance of completion of the Service.
III. CUSTOMER/MSP RESPONSIBILITIES.
Customer/MSP acknowledges and agrees that, in addition to the actions set out in Section II. 1.1 above, Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to do so. Sophos reserves the right to suspend Service delivery until such time as Customer/MSP performs the required actions. Failure to complete the required actions after written notice from Sophos (including email notice from the Security Services Team to the Customer/MSP designated contacts) shall constitute a material breach by Customer/MSP of the Agreement.
- INSTALLATION REQUIREMENTS. Customer/MSP/Beneficiary must: a) have a valid, active Sophos Central account, b) deploy and configure the Service Software to Managed Endpoints, and c) maintain compliance with all the requirements identified in Health Checks, and d) meet minimum system requirements to install Service Software.
- REMEDIATING KNOWN COMPROMISES. Customer/MSP must make reasonable efforts to timely remediate any compromises reported by Sophos or by other third-party technologies that Customer/MSP/Beneficiary utilizes for cybersecurity detection and protection. Sophos will not be responsible or liable for any issues caused by Customer's/MSP's failure to take remediation steps in a timely manner. Additionally, the Security Services Team has no obligatin to notify Customer/MSP or generate new Cases from Detections for which Sophos has already provided recommended remediation steps.
- TIME AND DATE SETTINGS. Customer/MSP must ensure that all Managed Endpoints have accurate time and date settings. Sophos will not be responsible for errors, issues, and residual risk experienced or incurred by Customer/MSP for Detections generated by Managed Endpoints with inaccurate time and date settings.
- SUPPORTING DATA. During the course of providing the Rapid Response Service, the Security Services Team may request additional supporting data, and Customer/MSP will ensure that Sophos has access to such supporting data at all times. Such supporting data may include, but is not limited to: ai) endpoint, server or network logs, b) architecture diagrams, and c) materials and resources related to Customer’s/MSP’s/Beneficiary’s business and technical environment. Supporting data removal from Sophos systems will be initiated upon Customer/MSP’s written request.
- CUSTOMER/MSP PERSONNEL. Customer/MSP must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provision of the Service. Customer/MSP’s personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.
- TIMELY RESPONSE. Customer/MSP must promptly acknowledge receipt of Sophos communications in writing and must timely respond to Sophos’s requests.
- THREAT RESPONSE MODE FOR RAPID RESPONSE. Customer/MSP must select the “Authorize” Threat Response Mode in Sophos Central for the Rapid Response Service.
- ACTIONS OUTSIDE THE SCOPE OF SERVICE. All activities that are not expressly provided in this Service Description are outside the scope of the Service. Customer/MSP is solely responsible and liable for (i) taking any actions that are outside of the scope of the Service (e.g., Sophos's suggestions regarding on-site response; all litigation and e-Discovery suppot; and collaboration with law enforcement); and (ii) for any actions undertaken by Sophos that are not provided in this Service Description under Customer's/MSP's specific direction.
- ACTIONS TAKEN BY PARTNERS. Customer may allow Partners to take certain actions within the scope of the Rapid Response Service on Customer's behalf, in which case Customer is responsible for all actions or omissions of such Partner. Sophos will not be liable for Partners' actions or omissions.
IV. ADDITIONAL TERMS.
1. Service Exclusion. Customer/MSP agrees and acknowledges that Sophos will not be liable or be considered in breach of this Service Description or the Agreement (including any applicable SLA): (i) due to any delay or failure to perform its obligations hereunder as a result of industry or infrastructure wide ransomware, cyberwarfare or other cyberattacks that causes Security Services Team to be unable to provide resources to address an Incident in a timely manner; (ii) due to unforeseen circumstances or to causes beyond Sophos reasonable control including but not limited war, strike, riot, crime, acts of God, or shortage of resources; (iii) due to legal prohibition, including but not limited to, passing of a statute, decree, regulation, or order; (iv) during any period of Service suspension by Sophos in accordance with the terms of the Agreement; (v) if Customer/MSP is in breach of the Agreement (including without limitation if Customer has any overdue invoices); or (vi) during any scheduled maintenance windows.
2. Service Capabilities. Customer/MSP agrees and acknowledges while Sophos has implemented commercially reasonable technologies and process as part of the Service, Sophos makes no guarantee that the Service will detect, prevent, or mitigate all Incidents. Customer/MSP agrees not to represent to anyone that Sophos has provided such a guarantee or warranty.
Revision Date: 9 February 2023