The Compromise Assessment Services described herein are subject to the Master Software and Services Agreement located at https://www.cybereason.com/mlsa, unless the customer receiving the services (“Customer”) has executed a different license and services agreement, in which case the executed version shall supersede, (the “Agreement”). In the event of any conflict between the terms hereof and the Agreement, the terms hereof shall control.
The Compromise Assessment (“CA”) service is an in-depth analysis aimed to uncover ongoing or historic security breaches, assess their impact, and provide recommendations for remediation. The Cybereason team will conduct hunting and analysis of the Customer environment in an effort to identify evidence of past or current compromise, subject to prerequisites and technical limitations as set out herein.
In providing the services hereunder, Cybereason may leverage third-party forensic tools in connection with the Cybereason software platform (“3PT Tools”) to collect forensic artifacts and perform endpoint querying at scale which provide additional context into active investigations. Customer understands and agrees that the 3PT Tools and any other tools and/or software deployed hereunder, are the property of Cybereason and/or its vendors, are not included as part of the Cybereason software platform and no license is granted to Customer for the same.
Any tooling or infrastructure deployed as part of the engagement hereunder, as well as all customer data collected while providing the services hereunder may be deleted remotely by Cybereason after the conclusion of the services hereunder, unless otherwise agreed in writing.
In the event that Cybereason cannot delete said tooling or infrastructure by remote means, Customer will be provided with uninstallation instructions and shall promptly delete the same.
Cybereason CA engagement by Cybereason’s Proactive Services Team is an investigation, triage and assessment of threats and communication related to security findings which may lead to identification of an ongoing or prior compromise of Customer's systems. In case of identification of an active compromise Cybereason may recommend to pivot to formal Incident Response mode before completion of the CA engagement.
As part of the CA Service, Cybereason shall:
Conduct a kick-off call to explain the engagement process.
Provide Cybereason Software Platform Sensor and Forensic Agent installers as applicable.
Execute collection of telemetry and forensic artifacts as applicable.
Run real-time monitoring throughout the duration of the CA (4 weeks from the deployment of the Cybereason Software Platform and the Forensic Agent on at least 80% of the systems agreed to be in scope of the engagement).
Perform threat analysis on collected data.
Inform about findings needing immediate attention.
Provide periodical status updates.
Perform preliminary forensic analysis in case of identified breach.
Provide an Engagement Report as described in Deliverables and Documentation to be Produced (below) within 2 weeks after ending the engagement.
Complete pre engagement questionnaire
Provide and share historical findings to support custom indicators and rules.
Deploy the Cybereason Software Platform and the Forensic Agent on at least 80% of the systems agreed to be in scope of the engagement within no longer than 1 month from the agreed start date. If this deployment goal is not achieved Cybereason reserves the right to perform the CA engagement on limited scope.
With regard to personal infrastructure protection (PIP) customers – provide authorization of restricted connection to the internet strictly to predefined CR IPs.
Take actions on findings needing immediate attention.
Provide additional context needed to verify suspicious findings.
Reasonably cooperate with Cybereason to provide information and access as necessary for the performance of the services.
Customer is responsible for any actions or remediations authorized, directed or taken that are not features of the installed version of the Cybereason Software Platform tool set.
Provide any resources necessary or requested by Cybereason for Customer authorized and directed deployment of IR toolkit that are not features of the installed version of the Cybereason Software Platform.
Appoint a representative that will participate and be the Customer point of contact for ensuring all the above.
As part of the kickoff meeting, Customer will be provided with contact information for the engagement lead. Throughout the CA Service engagement, Cybereason will provide the following Deliverables as required by the engagement:
Deployment status updates
Alerts about findings needing immediate attention
Engagement Report with appendices
Deliverables are considered confidential information and are intended for Customer and Cybereason use only. Customer may disclose a deliverable to a third party pursuant to the Agreement’s confidentiality terms.
Typical duration of steps in scope for the CA agreement:
[Customer] Cybereason Software Platform Sensor and Forensic Agent deployment on at least 80% of the agreed scope - up to 1 month
[Cybereason] Perform data collection - 2 weeks
[Cybereason] Perform data analysis - 2 weeks
[Cybereason] Deliver engagement report - 2 weeks
As set out in the Quote, to be paid in accordance with the payment terms set out in the Agreement (unless otherwise set out in the Quote).
Customer authorizes Cybereason to invoice for and shall pay additional amounts related to (i) services scope changes or exceptions; (ii) performance outside Cybereason’s normal business hours or consecutive days; and (iii) reimbursement of reasonable and actual travel-related expenses not to exceed 10% of the Fees under the SOW.
All CA Services will be performed in a professional and workmanlike manner. Customer understands that the CA Services are dependent on Customer’s cooperation and obligations, and that Cybereason does not guarantee that it will identify, remediate or prevent all threats or Incidents. In case a security incident gets identified as a result of CA findings, Customer will be given an option to engage with Cybereason Incident Response Service. The parties understand that Customer may include legal counsel at the time of a specific Incident and that such IR Services may be provided specifically to such legal counsel for purposes of providing legal advice in relation to the Incident.