The SDR Services described herein are subject to the License and Services Agreement located at https://www.cybereason.com/license-agreement, unless the customer receiving the services (“Customer”) has executed a different license and services agreement, in which case the executed version shall supersede (the “Agreement”). In the event of any conflict between the terms hereof and the Agreement, the terms hereof shall control.
SDR is a Software-as-a-Service (SaaS) platform and managed service which integrates and automates the enrichment of security telemetry, events, and log data with the aim to provide visibility of an organization's entire technology stack. The SDR Platform seeks to consolidate previously siloed data stacks into one unified platform providing observability, detection, automation, and analytics.
Cybereason reserves the right to update the contents of this Service Description at any time. All Customers who subscribe to notifications will be informed of material changes with advance notice. In the event of any inconsistency between the English version and a version in any other language, the English version shall control.
Cybereason SDR includes 24/7 Monitoring of SDR Malops within the SDR Platform, in either English or Japanese. Triage concludes with analysis summary and remediation recommendations recorded within the SDR Platform (which is visible in the Unified Portal), and/or email notifications being sent as configured in the Unified Portal, whichever comes first.
Powered by the Malop Severity Score, this severity scoring process maps SDR Malops to the MITRE ATT&CK framework. High and Critical Malops will normally receive additional Root Cause Triage in order to scope the scale of the larger attack and help enable the Customer to successfully isolate, remediate, and restore their network (see the “Malop Root Cause Triage” section). For more information about the Malop Severity Score scoring system, please refer to the separate Malop Severity Score Definition or the Nest portal.
Malops in Cybereason SDR are subject to an internal auditing process to help ensure that the triage was both accurate and complete. Additionally, the Cybereason Global SOC constantly monitors Customers’ environments for “Escalation Criteria”. This helps to identify and escalate a situation to the Customer based on the cross-correlation of the Malops within the environment. In the event of an escalation, up to five (5) Customer-provided points of contact will be contacted via phone in either English or Japanese.
Malop root cause triage, as outlined in the 24x7 Monitoring section, is provided for identified Malops. For Malops scored as ‘High’ or ‘Critical’, an analyst will normally conduct a follow-on root cause analysis of the Malop. If, upon the analyst’s conclusion, the Malop continues to meet Critical criteria, it will be escalated to the Customer.
Customers can visualize SDR Malop and associated environment information through the Cybereason Unified Portal. The Unified Portal helps provide Customers with the ability to quickly analyze and evaluate information through a suite of dashboards delivering high-level overviews of security data. The Unified Portal can also generate customized reports to assess security posture such as Malop trends, threat landscape, and critical Malop attack overviews.
Each quarter, the Cybereason Nocturnus Team publishes a Quarterly Threat Intelligence Hunt Report via the Unified Portal. The Cybereason Threat Research team is a global team that focuses on campaigns seen both in and outside of the Cybereason Customer base. Threat Research covers topics ranging from, but not limited to, global campaigns, nation-state APTs, and commodity cybercrime.
In the event that a Malop meets the Critical Severity threshold after an analyst’s triage, the Customer will be notified via phone where a Cybereason Global SOC analyst will provide an overview of the threat, detailed response recommendations, and follow-on advanced service recommendations.
With SDR, more than 50 third-party data sources can normally be supported. If a new data source needs to be onboarded, a four-step process is followed. Parts of it can be accomplished in parallel during the onboarding process. The process is outlined in the chart below and each step is further detailed following it:
Step | Estimated Timeline | Cybereason | Customer
Requirements Scoping | 1 week | Yes | Yes
Building and Testing | 1-3 weeks | Yes | No
Deployment, monitoring, and maintenance | 1 week | Yes | Yes
Dataset creation and normalization | 1 week | Yes | No
In this step, representatives from Cybereason will work with the Customer to outline the data source, location of egress (e.g. cloud or on-premise), authentication mechanisms, format, and any other pertinent information related to building the integration. This step can often be accomplished in a single meeting. However, in the event that follow-up information is required, several days may be required. The targeted SLO for this step is within 5 business days.
In this stage, the Cybereason engineering team will design, build, and begin testing the integration based on the requirements scoped in the prior step. An update will usually be provided at the end of each week to the Customer. In the event of the need to connect or otherwise receive data from the Customer, a Cybereason representative will communicate with the Customer directly. The targeted SLO for this step is within 3 weeks, depending on complexity. Oftentimes, this will occur within 5 business days for common integration types.
Upon the building and testing of the integration, a release meeting will be scheduled with the Customer where the integration will be enabled and connected live to the Customer’s third-party data source. This serves to help ensure that all needed personnel with access are available, that both sides can confirm the health of the ingestion, and that any issues that arise can be addressed quickly. Depending on the Customer’s schedule, this should be accomplished within 1 week of the completion of step 2.
After the successful integration of data, the datasets needed for parsing and data normalization in the SDR system will be created and published to the logs explorer view. The targeted SLO for this is within 5 business days. Of note, once the dataset is built, the Customer (or any user of the SDR system) will normally be able to view, within the dataset, data that was ingested prior to the dataset’s creation by selecting the relevant time range with the timeline function.
Note: Cybereason is not responsible for any configuration issues related to the Customer’s third-party products, inability to configure/operate Customer third-party products to support the data source integration, or issues impacting the Customer’s third-party product itself, its installation, or integration with other systems. Guidance provided by Cybereason for the purposes of onboarding and integrating data sources is provided ‘as-is’ and relies on certain actions to be taken by the Customer.
In the event that the Customer would like to change a data source integration or enable an additional data source integration, please contact monitoring@cybereason.com. A Cybereason representative will endeavor to contact Customer within one week to commence the process as delineated above.
Note: It is not the responsibility of Cybereason to ensure that data ingested into SDR remains within the Customer’s purchased data rate. If, during testing or implementation of the integration, the Customer’s purchased data rate is temporarily exceeded, no additional billing will be applied to the Customer for that temporary increase. However, temporary increases that exceed the purchased data rate after completion of the four-step process above will result in additional billing at Cybereason’s standard T&M rates.
In the event that the Customer would like to add or change a custom dataset, change a data source integration, or enable an additional data source integration, it should contact monitoring@cybereason.com. A Cybereason representative will endeavor to contact the Customer within seven business days to commence the process as delineated above.
Each data source has, at a minimum, a parsing and normalization dataset. These datasets then connect to more advanced datasets providing detection and observability. So that the platform can be fully utilized for investigative purposes, policy monitoring, and unique Customer edge cases, managed dataset customization is also provided. For this purpose, the Customer should contact monitoring@cybereason.com, and a Cybereason representative will endeavor to contact the Customer within one week to commence the process as delineated above. The follow-on process is outlined in the chart below and each step is further detailed following it:
Step | Timeline | Cybereason | Customer
Requirements Scoping | 1 week | Yes | Yes
Dataset Design and Testing | 1-2 weeks | Yes | No
Deployment, monitoring, and maintenance | 1 week | Yes | Yes
In this step, representatives from Cybereason will work with the Customer to outline the required use-cases, associated data sources, as well as successful test criteria. This step can often be accomplished in a single meeting. However, in the event that follow-up information is required, several days may be required. The targeted SLO for this step is within 5 business days.
In this stage, the Cybereason threat detection engineering team will work to design, build, and begin testing the dataset to meet the required use-cases. An update will normally be provided at the end of each week to the Customer. In the event that additional information is required from the Customer, a Cybereason representative will communicate with the Customer directly. The targeted SLO for this step is within 2 weeks, depending on complexity. Oftentimes, this will occur within 5 business days for common integration types.
Upon the building and testing of the dataset, a release meeting will be scheduled with the Customer where the new dataset will be enabled live. This meeting will focus on meeting the required use-cases by achieving the success test criteria agreed upon beforehand with the Customer. Depending on the Customer’s schedule, this should be accomplished within 1 week of the completion of step 2. In the event of any additional items or growth work, a follow-on meeting may be scheduled or the Customer informed indirectly, as desired.
eXtended Response (XR) is a proactive and automated remediation package powered by the Malop Severity Score scoring system logic. By automating the scoring of a Malop and verifying the applicability of remediation actions, Cybereason Services is well equipped to try to quickly and surgically stop attacks as they begin. Response actions are available when and where supported by the third-party product itself, the integration, and the Cybereason SDR Platform. For Medium and High Severity Malops, the Global SOC will take Customer pre-approved response actions as part of the triage process. Any other recommended response actions will require Customer approval, either in writing or verbally.
During the onboarding process, available response capabilities will be reviewed with the Customer, and pre-approved response actions will be agreed upon. Currently XR is only available for Cybereason EDR data sources.
The Customer is responsible for their third-party products, their configuration, their installation and coverage, as well as their integration with the Cybereason SDR Platform via the unified platform. This includes the integration connections for XR, and closing or marking as complete any triaged or remediated Malop ticket in the system.
The scope of this service is bound to the Cybereason SDR Platform and the data from the Customer’s third-party vendor products that has been ingested into the product. The Cybereason Global SOC is not responsible for the configuration of Customer third-party vendor products or for advice on third-party product versioning, configuration, or packaging, and assumes no responsibility for detection coverage, configuration, or other packaging that may degrade the scope of detection coverage and/or response capabilities. Additionally, direct access to Customer third-party product portals or UIs for additional detection triage, hunting, or response is considered out of scope. In short, the Customer is responsible for their third-party products, their configuration, their installation and coverage, as well as their integration with the Cybereason SDR Platform.
For all topics related to the Cybereason EDR product, please refer to the Endpoint Detection and Response service definition. In cases where there is an overlap between the Managed Detection and Response Service Definition and this Service Description, anything specifically stated in this document takes precedence, as scoped to SDR alone.
Any changes to the nature or scope of the Service being provided which is not expressly covered in the service descriptions and which impact the scheduled timeline, fees charged or deliverables hereunder must be mutually agreed upon by Cybereason and Customer in a signed writing. Any other verbal instructions shall be reduced to writing and confirmed by the parties. Depending on the scope of such changes, Cybereason may require that a separate Statement of Work, which shall detail the work to be performed including any changes, the impact of the proposed change on the charges and schedule (if any), and other relevant terms, be mutually agreed to in a signed writing.
The Global SOC may be contacted in the event of any questions or to report an incident at monitoring@cybereason.com and/or at the following phone numbers (English is available 24/7, with Japanese available 0900-1800 JST):
U.S.A (Boston) +1 (866) 373-CYBR [2927]
United Kingdom (London) +44 (20) 8158-4931
Israel (Tel Aviv) +972 (3) 376-3236
Japan (Tokyo) +81 (3) 4213-0933
Any attachments or files sent for the purposes of analysis will be removed by automated email filtering systems. If analysis of a specific sample is needed, please contact the Global SOC in advance to arrange safe transmission of the sample.
Customer shall pay Cybereason or the relevant reseller the agreed upon fees based on the agreed upon payment terms for provision of the services hereunder.
In the event that the Customer is unable or unwilling to provide accurate and current contact information and/or any other reasonable assistance required, Cybereason will not be held liable for any delays in establishing communication and/or providing the services. All services hereunder will be performed in a professional and workmanlike manner. Customer understands that successful delivery of the services requires Customer’s cooperation and fulfillment of its obligations, and that Cybereason does not guarantee that it will identify, remediate or prevent all threats or Incidents. Further, for the avoidance of doubt Cybereason is not liable for any actions taken at the direction of Customer.