Service Description - Sophos Rapid Response

This Service Description describes Sophos Rapid Response (the “Service” or “Rapid Response”).  All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.

This Service Description is part of and incorporated into, as applicable: (i) Customer’s or Managed Service Provider’s (“MSP”) manually or digitally‐signed agreement with Sophos covering the purchase of a Service subscription; (ii) MSP’s manually or digitally-signed agreements with Sophos covering its purchase of  Offerings of which the Service is a part; or (iii) if no such signed agreement exists, then this Service Description will be governed by the terms of the Sophos Services Agreement and/or Sophos End User Terms of Use, as applicable, posted at https://www.sophos.com/en-us/legal (collectively referred to as the “Agreement”). To the extent there is a conflict between the terms and conditions of the Sophos Services Agreement and this Service Description, the terms and conditions of this Service Description will take precedence.

Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality without notice to Customer/MSP; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/en-us/legal.

I. DEFINITIONS

  1. “Active Threat” is an infection, compromise, or un-authorized access of asset(s) that is attempting to circumvent controls in an effort to compromise a Managed Endpoint.
  2. “Case” is a Detection or set of Detections that (i) is generated by a Managed Endpoint for human review, (ii) has been identified through Threat Hunting activities, or (iii) has been manually created at the discretion of the Security Services Team or at the request of the Customer/MSP.
  3. “Deployment” is guidance, advice, and remote assistance service offered by Sophos with configuration and deployment of Service Software.
  4. “Detection” is a condition where data generated by a Managed Endpoint has been identified as an indicator of malicious or suspicious activity.
  5. “Health” is the state of configurations and settings for the Managed Endpoint that affect the efficacy of the Managed Endpoint.
  6. “Health Check” is the act of reviewing Health to identify configurations and settings that may negatively impact the efficacy of the Managed Endpoint.
  7. “Managed Endpoint” is a desktop or server system where the Service Software is installed, up-to-date, and operational in support of Service delivery.
  8. “Security Services Team” is the Sophos team conducting Threat Hunting, investigation, and Response Actions.
  9. “Response Action” is an interaction with Managed Endpoints to investigate and neutralize Active Threats, including but not limited to remote query, host isolation, killing a process, blocking an IP address, and deleting malicious code.
  10. “Threat Hunting” is the process of proactively and iteratively searching through data originating from Service Software to identify signals and indicators of malicious activity.
  11. “Threat Response” includes the methods, processes, communications, and Response Actions utilized by the Security Services Team and the Customer/MSP, as applicable, to neutralize Active Threats.
  12. “Threat Response Lead” is a member of the Sophos Security Services Team who is identified as the primary individual responsible for assisting a Customer/MSP during an Active Threat.
  13. “Threat Response Mode” is the approach to notification, collaboration, and Threat Response adopted by the Security Services Team during delivery of the Service per Customer/MSP direction.

II. SCOPE OF SERVICE

Rapid Response service is built on, and provides the benefits of the Advanced tier of the Managed Threat Response service (“MTR Advanced Service”), and provides Customers/MSPs with Threat Response during an Active Threat present at the point of Service purchase. The subscription for Rapid Response service includes the scope and benefits of the MTR Advanced Services which will be provided to the Customer for free and in accordance with the Managed Threat Response Service Description during the Subscription Term.

All aspects of the Service will be provided remotely.

In addition to the activities set forth in the Managed Threat Response Service Description, Rapid Response specifically includes the following:

1. THREAT NEUTRALIZATION PROCESS

1.1 Kick-off. A kick-off call will be conducted to: a) exchange information about the Active Threat and Customer/MSP’s/Beneficiary’s existing infrastructure; b) identify the scope and impact of the Active Threat; c) mutually define a response plan; d) establish communication preferences for Customer/MSP; and e) identify key stakeholders from Customer/MSP and their role in Service delivery.

1.2 Installation of Service Software. Once Service Software is installed and activated, the Security Services Team will utilize Service Software to perform Detection, investigation, and Response Actions. Until Service Software is installed in the Customer/MSP’s environment, the Security Services Team will only be able to provide technical advice and guidance for Active Threat triage and response planning. If Customer/MSP requires Deployment assistance for the Services Software, Security Services Team will assist the Customer, MSP or Partner with installation of Service Software at no additional charge.

1.3 Threat Triage. The Threat Response Lead will work with the Customer/MSP to: a) conduct an assessment of Customer/MSP’s operating environment; b) understand any threat intelligence and/or other indicators of compromise or indicators of attack; c) perform the necessary data collection, which may include supplemental data (as further described in Section IV. 4); and d) initiate investigative activities and collaborate on a plan for initiating Response Actions.

1.4 Threat Neutralization. Additional investigation will be conducted and Response Actions will be performed to: a) remove the attacker’s access; b) stop further damage to compromised assets or data; c) recommend preventative actions to address the cause of the Active Threat; and d) monitor the compromised assets and data to detect reoccurrence.

1.5 Remote Access Tools. To support Service delivery, the Security Services Team may use remote access tools to access or make changes to Managed Endpoints and may utilize administrative access to Customer’s/MSP’s Sophos Central environment to view or modify configurations. Access will be subject to Customer/MSP approval, either on a per-escalation basis or based on blanket pre-approval if the Customer/MSP has selected the “Authorize” Threat Response Mode. All access by the Security Services Team to Managed Endpoints and Sophos Central is recorded and logged.

CUSTOMER/MSP ACKNOWLEDGES AND AGREES THAT CUSTOMER’S AUTHORIZATION FOR SOPHOS TO MAKE ANY CHANGES TO, OR MODIFY CONFIGURATIONS IN, CUSTOMER’S/MSP’S/BENEFICIARY’S ENVIRONMENT COULD RESULT IN INTERRUPTION OR DEGRADATION OF CUSTOMER’S/MSP’S/BENEFICIARY’S SYSTEMS AND INFRASTRUCTURE.

2. SERVICE COMPLETION.

Sophos will provide written notification to Customer/MSP upon neutralization of the Active Threat present at the point of Service purchase.. Thereafter, Customer/MSP will be provided with the MTR Advanced Service for free and in accordance with the Managed Threat Response Service Description for the remainder of the Subscription Term.

3. THREAT SUMMARY.

After of completion of the Rapid Response Service, Sophos will deliver a written threat summary containing the following: a) a summary of investigation activities; b) technical findings; c) analysis of identified threats; d) threat specific remediation/mitigation steps; and e) general recommendations. Customer/MSP must within ten (10) days of receipt of the foregoing threat summary, provide written acknowledgement of Sophos’s completion of the Service. Customer/MSP’s failure to acknowledge completion of the Rapid Response Service or to provide reasons for refusing to confirm completion within the ten (10) day period will be deemed as Customer/MSP’s acceptance of completion of the Service.

III. CUSTOMER/MSP RESPONSIBILITIES.

Customer/MSP acknowledges and agrees that, in addition to the actions set out in Section II. 1.1 above, Customer/MSP must take the following actions to facilitate and enable delivery of the Service, and Sophos shall have no liability for any degraded, incomplete, or failed Service delivery which may result from Customer/MSP’s failure to do so. Sophos reserves the right to suspend Service delivery until such time as Customer/MSP performs the required actions.

  1. INSTALLATION REQUIREMENTS. Customer/MSP/Beneficiary must: a) have a valid, active Sophos Central account, b) deploy and configure the Service Software to Managed Endpoints, and c) maintain compliance with all the requirements identified in Health Checks, and d) meet minimum system requirements to install Sophos Software.
  2. REMEDIATING KNOWN COMPROMISES. Customer/MSP must make reasonable efforts to timely remediate any compromises reported by Sophos or by other third-party technologies that Customer/MSP/Beneficiary utilizes for cybersecurity detection and protection.
  3. TIME AND DATE SETTINGS. Customer/MSP must ensure that all Managed Endpoints have accurate time and date settings. Sophos will not be responsible for errors, issues, and residual risk experienced or incurred by Customer/MSP for Detections generated by Managed Endpoints with inaccurate time and date settings.
  4. SUPPORTING DATA. During the course of providing the Rapid Response Service, the Security Services Team may request additional supporting data, and Customer/MSP will ensure that Sophos has access to such supporting data at all times. Such supporting data may include, but is not limited to: ai) endpoint, server or network logs, b) architecture diagrams, and c) materials and resources related to Customer’s/MSP’s/Beneficiary’s business and technical environment. Supporting data removal from Sophos systems will be initiated upon Customer/MSP’s written request.
  5. CUSTOMER/MSP PERSONNEL. Customer/MSP must identify an appropriate number of suitably skilled personnel who will work with Sophos during the provision of the Service. Customer/MSP’s personnel must have the necessary technical and business knowledge and authority to make decisions concerning the Service.
  6. TIMELY RESPONSE. Customer/MSP must promptly acknowledge receipt of Sophos communications in writing and must timely respond to Sophos’s requests.
  7. THREAT RESPONSE MODE FOR RAPID RESPONSE. Customer/MSP must select the “Authorize” Threat Response Mode in Sophos Central for the Rapid Response Service.
  8. ACTIONS OUTSIDE THE SCOPE OF SERVICE. Customer/MSP is solely responsible for taking any actions suggested by Sophos that are outside of the scope of the Service (e.g., Sophos’s suggestions regarding on-site response, litigation and e-Discovery support, and collaboration with law enforcement).
  9. MSP ADDITIONAL RESPONSIBILITIES. MSP is solely responsible for: (i) obtaining any consents or information required from its Beneficiaries in order for Sophos to perform the Service, (ii) ensuring that Beneficiaries take all actions required of Customers in this Service Description; (iii) ensuring that its Beneficiaries understand the risks associated with performance of this Service, and (iv) that any Beneficiary for which MSP performs this Service has agreed to accept all such risks. MSP will indemnify and hold Sophos harmless for any claim brought against Sophos by a Beneficiary if such claim results, in whole or in part, from MSP’s failure to fully perform its obligations under this Service Description, the Services Agreement or the Agreement with respect to the Service.

Revision Date: 17 January 2022