The MDR Services described herein are subject to the License and Services Agreement located at https://www.cybereason.com/license-agreement, unless the customer receiving the services (“Customer”) has executed a different license and services agreement, in which case the executed version shall supersede, (the “Agreement”). In the event of any conflict between the terms hereof and the Agreement, the terms hereof shall control.
Cybereason shall provide those services listed below subject to the terms of the Agreement, provided that in the event of any conflict between the terms hereof and the Agreement, the terms hereof shall control. Customer’s order of MDR Services shall be specifically designated in the applicable Quote.
- MDR Complete Services Descriptions. Cybereason shall provide MDR Services on Customer’s authorized number of endpoints that have the Cybereason Sensor installed on them. The following services are included in the respective MDR Services:
- All services included in MDR Essentials above
- Tuning and configurations on demand
- Premium onboarding
- Cybereason NGAV Prevention Analysis
- Ongoing Proactive Threat Hunting
- Active Response and Guided Compromise Containment
- Critical Malops report
- Threat Intelligence report
All MDR Services will be provided in accordance with the Cybereason MDR: GSOC MDR Service Definition (“Service Definition”) which includes further detail and is provided by Cybereason upon request. Cybereason reserves the right to update the contents of the Service Definition at any time. All Customers who subscribe to notifications will be informed of material changes with advance notice. For the avoidance of doubt, authorization and direction from Customer for active remediation or any security service under the MDR Services shall be obtained in writing and in accordance with the applicable notification provisions of the Agreement, or as otherwise agreed to by the parties in writing.
Onboarding
Cybereason will conduct a live onboarding meeting with a Cybereason GSOC resource.
Tasks in this stage (“Onboarding”) include:
- Conduct remote onboarding meeting to provide an overview of MDR Complete service to Customer
- Review the security questionnaire to understand Customer’s IT environment, administrative processes, and current detection and response capabilities.
- Provide a Q&A session to answer any Customer questions specific to the MDR Complete service.
Monitoring
Cybereason shall monitor and triage malops by leveraging its Software Platform and provide remediation recommendations.
Tasks in this stage (“Monitoring”) will include:
- Triage initial findings and expand investigation scope from malops generated by the Software Platform based on any confirmed suspicious indicators, behaviors or attack patterns within 24 hours from Malop ingestion.
- Recommendation regarding what action, if any, should be taken by Customer designed to eliminate security threats from malware detected by the Software Platform (“Cybereason-classified Known Malware”).
- Notification of Customer regarding critical findings, as applicable.
Monthly Reports
Each MDR customer will receive a standard monthly report. This report is aimed at providing an overview of the Customer’s environment and Malop activity that was seen within the previous calendar month. Cybereason reserves the right to update the contents of the Monthly Reports to provide enhanced metrics for reporting.
Proactive Hunting
Cybereason shall proactively search customers’ environments with queries based on Threat Intelligence and research done on new and emerging threats, and focus on indicators of behavior and indicators of compromise identified by research.
Tasks in this stage (“Proactive Hunting”) will include:
- Triage initial findings and expand investigation scope from hunting query searches on the Software Platform within 24 hours from hunting lead ingestion.
- Notification to Customer regarding hunting findings within Customer’s environment, which shall constitute Confidential Information of each of the parties.
- Provide at a minimum a Quarterly Threat Intelligence report which details which hunting queries were created and provides a global overview of the threats for which the hunting queries were built.
Managed Response
By ordering MDR Complete, Customer provides authorization and direction, on behalf of itself, its affiliates and its users, and subject to the limitations set forth in the “Other Details” section below, to remediation of Cybereason-classified Known Malware of any criticality affecting Customer’s, its affiliates’ and/or its users’ endpoints accessible to the Software Platform, utilizing the remediation actions identified below as “Common Remediation Actions”. All other remediation actions will require the express authorization and direction of Customer. Specific tasks under this service (“Managed Response Remediation Action”) will include:
- Determining the presence of Cybereason-classified Known Malware by the proprietary Software Platform.
- Killing the process, quarantining the file, and removing registry keys with respect to Cybereason-classified Known Malware (“Common Remediation Actions”); all other remediation actions to be taken by Cybereason MDR Complete services will require written customer authorization and direction prior to being performed. For the avoidance of doubt, machine isolation response actions cannot be part of any pre-authorized remediation actions. Customer authorization and direction of any remediation actions may not be withdrawn or suspended without at least 2 hours advance proper notification to Cybereason as outlined in the Service Definition.
- Any and all remediation actions taken will be sent to Customer via a “Remediation Report”.
Managed Response remediation actions are a set of pre-approved, proactive remediation actions, as detailed below, and Malop-specific, customer approved host isolation.
Other details:
- Managed Response remediation actions will commence upon a Malop being recognized as a “critical” event by Cybereason. Critical criteria is defined in the Service Definition, and is subject to change with prior notice.
- Pre-approved “Common Remediation Actions” are defined in the Service Definition, and set forth as the following:
- Process termination
- Image file quarantine
- Registry key removal
- Addition of malicious domains/ IPs /hashes to Software Platform’s reputation list
- Item marking for prevention
- Managed Response Host isolation by Cybereason will occur upon receipt of written consent from the customer, will detail specific machines in the Customer environment to be isolated, and shall be limited to the Malop that triggered Managed Response remediation actions.
- Managed Response remediation actions apply to all Customer sensors in the environment, and shall not be scoped customized subset of endpoints.
- In the event that a machine is offline at the time Managed Response remediation actions are attempted, they shall be queued in the Cybereason Defense Platform pending restoration of connectivity to the offline machine’s sensor.
- Application Control can be enabled as part of Managed Response remediation actions provided customer permission is obtained in advance.
NGAV Prevention Analysis (MDR Complete Only and Requires Software Subscription)
Upon request by the Customer, Cybereason will take a specified binary sample linked to the Software Platform and analyze it to determine the likely cause of classification.
Tasks in this stage (“NGAV Prevention Analysis”) will include:
- Analysis and report of a binary on a per binary basis.
- Analysis requests are limited to 50 per customer per month, which may be increased in increments of 50 per month for an additional fee.
- Analysis and report from binary analysis within 3 business days from commencement of MDR Complete services.
- In order to facilitate timely notifications for potential incidents, Customer shall meet the following obligations (as applicable):
- Customer will provide the necessary personnel including a named point of contact to communicate and work with Cybereason to allow all tasks to be effectively completed.
- Customer will complete a security questionnaire 10 business days prior to kick-off regarding the Customer's IT environment, current security practices, and preferred points of contact for communication and escalation.
- Customer will provide a list of 24/7 reachable Points of Contact (POCs), where, in the event of an incident, Cybereason will notify these designated POCs.
- Customer will share historical findings and incident investigations to support Malop tuning and rule configuration.
- Customer will provide full cooperation delivering additional data and information as requested by Cybereason.
- In the event of an investigation pertaining to the Customer’s cybersecurity, whether by a third-party or by law enforcement, Customer will promptly notify Cybereason.
- Customer is solely responsible for obtaining all consents, if necessary, for performing the Services in accordance with the service description, Documentation and Customer’s instructions.
- Customer will provide instruction for any isolation requests in writing to Cybereason.
- Customer has authorized and directed remediation utilizing Common Remediation Actions, and will not require Cybereason to obtain additional permission for their deployment globally in Customer’s environment.
- Customer will assist in enabling Application Control as needed.
- Scope Changes.Any changes to the nature or scope of the MDR Service being provided which is not expressly included herein may impact the scheduled timeline, fees charged or deliverables. Any other oral instructions shall be reduced to writing and confirmed by the parties. Depending on the scope of such changes, Cybereason may require that a separate Statement of Work, which shall detail the work to be performed including any changes, the impact of the proposed change on the charges and schedule (if any), and other relevant terms, be mutually agreed to in a signed writing.
For avoidance of doubt, the Cybereason MDR Service is bound to the activities of triage, investigation and analysis of a malop within the Cybereason Software Platform and, as such, is not within the scope of Incident Response services, such as, but not limited to, determining initial infection vector, professional services consulting, crisis management, digital forensics, advanced analysis, malware analysis, external log analysis, threat intelligence research, vulnerability research, root cause analysis and guided disaster recovery. Incident Response services will require a separate Professional Services Statement of Work as detailed above.
- Other Terms. In the event that the customer is unable or unwilling to provide accurate and current contact information, Cybereason will not be held liable for any delays in establishing communication. All services related to the Packages will be performed in a professional and workmanlike manner. Customer understands that the Packages and all related services are dependent on Customer’s cooperation and obligations, and that Cybereason does not guarantee that it will identify, remediate or prevent all threats or Incidents. Further, for the avoidance of doubt Cybereason is not liable for any actions taken at the direction of Customer hereunder.