Heading to RSAC 2024? Stop by booth N-6553 in the North Expo Hall or book a meeting with our executive team!
The Incident Response Services described herein are subject to the License and Services Agreement located at https://www.cybereason.com/online-agreement/lsa, unless the customer receiving the services (“Customer”) has executed a different license and services agreement, in which case the executed version shall supersede, (the “Agreement”). In the event of any conflict between the terms hereof and the Agreement, the terms hereof shall control.
The Cybereason Incident Response Services Engagement is a retainer based engagement in which the Cybereason Incident Response Team (“CRIRT”) will provide the services set out below, for the number of hours set out in the applicable quote or purchase order for services hereunder, the which as needed may include a blend of forensic analysis and imaging, investigation, guidance and assistance for remediation, and ongoing support and communication related to a specific security incident (“Incident”) (collectively the “IR Services”). As part of the IR Services, Cybereason shall:
Provide remote IR resources upon request per the Services Scope Change section below as needed.
TTR SLO: Provide a response from remote CRIRT within 4 business hours of notification or escalation.
Advise on scope of Incident, resolution, and optimization of incident response process.
Provide an Engagement Report as described in Deliverables and Documentation to be Produced (below) within 10 business days within engagement close with a summary and findings from the Incident, including remediation actions recommended to Customer or taken by Customer.
In providing IR Services, Cybereason Incident Response team (“CRIRT”) leverages the Cybereason Software Platform which provides unified prevention, detection, response and automated hunting capabilities into a single platform. Additionally, the CRIRT leverages third-party forensic tools in connection with the Cybereason Software Platform (“3PT Tools”) to collect forensic artifacts and perform endpoint querying at scale which provide additional context into active investigations. Customer understands and agrees that the 3PT Tools and any other tools and/or software deployed hereunder, are the property of Cybereason and/or its vendors, are not included as part of the Cybereason Software Platform and no license is granted to Customer for the same.
Any tooling or infrastructure deployed as part of the engagement hereunder, as well as all customer data collected while providing the services hereunder may be deleted remotely by Cybereason after the conclusion of the services hereunder, unless otherwise agreed in writing.
In the event that Cybereason cannot remotely delete said tooling or infrastructure by remote means, the customer will be provided with uninstallation instructions and must promptly delete the same.
2.1 Investigative Lead (Uses Hours as Required) Cybereason Incident Response Team will provide Customer with an investigative lead that is a consistent interface to the CRIRT. The investigation lead will in most cases directly contribute to the delivery of reactive incident response and proactive response readiness consulting. The investigative lead will guide Customer through the incident response process and function as a project manager for all incident response activities by the CRIRT and coordination with Customer.
2.2 Digital Forensics (Uses Hours as Required) CRIRT provides digital forensics within the scope of and for the sole purpose of incident response in connection with the Incident. CRIRT may collect additional forensic artifacts through use of the Cybereason Software Platform and third-party forensic tools to provide additional context and investigative value in connection with the Incident. Additionally, Cybereason may provide analysis of additional data sources provided or made available by Customer including, but not limited to, network perimeter, domain management, or endpoint logs.
2.3 Threat Intelligence (Uses Hours as Required) Cybereason Threat Intelligence analysts work with the Customer to gather relevant information and perform investigative analysis on indicators of compromise. The results of investigative analysis are included in status updates and/or final report.
2.4 Malware Analysis (Uses Hours as Required) Malware analysis provides analysis of files that CRIRT suspects might be malicious. Malware analysis may include malware reverse engineering as necessary by the investigation lead.
2.5 Containment & Remediation Planning (Uses Hours as Required) CRIRT works with the Customer to develop a plan and execute on countermeasures, cyber posturing activities and remediation actions based on best practices.
2.6 Deliverables and Documentation (Uses Hours as Required) As part of the kickoff meeting, the Customer will be provided with contact information for the investigative lead. Throughout the IR Service engagement, Cybereason will provide the following Deliverables as required such engagement:
Cadenced status updates
Countermeasure recommendations
Remediation recommendations
Technical investigation analysis report
Remedial actions taken as instructed by Customer
Executive summary investigation analysis report
Deliverables are considered confidential information and are intended for Customer and Cybereason use only. Customer may disclose a deliverable to a third party pursuant to the Agreement’s confidentiality terms.
In addition to any other customer obligation contained herein, it is agreed that:
A Customer security representative will participate in incident response procedures.
Customer will share historical findings to support custom indicators and rules.
Customer will provide full cooperation delivering additional data as requested by Cybereason.
Customer responsible for any remediation actions authorized, directed or taken that are not features of the installed version of the Cybereason Software Platform tool set.
Customer responsible for providing any resources necessary or requested by Cybereason for Customer authorized and directed deployment of IR toolkit that are not features of the installed version of the Cybereason Software Platform.
Customer is solely responsible for obtaining all consents, if necessary, for performing the IR services in accordance with the service description, Documentation and Customer’s instructions.
Customer is responsible for consuming the Incident Response Retainer hours within one year of effective date in principle. Unused hours may be able to be repurposed to other services at Cybereason discretion within one year of effective date.
Any changes to the scope or nature of the Service to be performed, the schedule or fees charged must be mutually agreed upon in writing by Cybereason and Customer. Depending on the scope of such changes, Cybereason may require that a separate Professional Services Statement of Work detailing the changes, impact of proposed change on the fees, schedule, and other relevant terms be mutually agreed in writing.
Customer authorizes Cybereason to invoice for and shall pay additional amounts related to (i) Services Scope changes or exceptions; and (ii) reimbursement of travel-related expenses.
As set out in the applicable quote or purchase order.
All IR Services will be performed in a professional and workmanlike manner. Customer understands that the IR Services are dependent on Customer’s cooperation and obligations, and that Cybereason does not guarantee that it will identify, remediate or prevent all threats or Incidents. The parties understand that a Customer may include legal counsel at the time of a specific Incident and that such IR Services may be provided specifically to such legal counsel for purposes of providing legal advice in relation to the Incident.