ReliaQuest’s Security Operations Platform – GreyMatter – is powered by Ongoing Enablement. Ongoing Enablement is the security expertise and codified best practices delivered by ReliaQuest personnel through GreyMatter to achieve Customer outcomes. To the extent included in the scope of an Order, the Ongoing Enablement delivered to Customer may include:
1. Implementation
ReliaQuest will assign an implementation specialist who is responsible for managing the implementation process. The implementation process is done remotely and starts with a kickoff call with the Customer. The following will be delivered during implementation:
- Setup of site-to-site VPN, API integration of GreyMatter, and PAM tool (See Section 7.1 – Connectivity and Access for further details). ReliaQuest is authorized to use Third Party Platform Providers to support or enable the ReliaQuest Platform.
- Workflow configuration to include data flows, communication mapping, and change management
- Configuration of GreyMatter for the Customer environment:
  - Modification of parsing and field mapping for GreyMatter Integration and Log Source Technologies
  - GreyMatter Detect and tuning of ReliaQuest Labeled Content
  - GreyMatter Health for SIEM and/or EDR health alerting
  - GreyMatter Intel for threat intelligence integration
2. Customer Success Manager
ReliaQuest will assign a Customer Success Manager who is responsible for ensuring customer success. The Customer Success Manager will provide the following:
- Develop and maintain the Customer Roadmap
- Coordinate and deliver reporting and analytics including semi-annual executive business reviews
- Communicate with pertinent teams for GreyMatter enhancement and feature requests
- Partner with Customer teams to ensure GreyMatter is being utilized to optimize overall security posture to attain positive business outcomes
3. GreyMatter Health Support
- GreyMatter Health is utilized to monitor the performance of SIEM and EDR technologies included in the Order as Integration Plus line items, including:
  - Interfacing directly with OEM support as needed for specific troubleshooting of software issues, requests for enhancements, or misconfigurations
  - Identifying detected outages and the source of the problem
- Health support for the GreyMatter Integration has limitations for cloud-based technologies attributable to the level of access provided by the hosting provider
- For SIEM Integration Plus only, the following is included:
  - Monitoring source device feeds to ensure that events are being received and parsed correctly
  - Monitoring of Core Components to ensure event receipt, processing, and forwarding are being performed correctly
  - Monitoring of system performance to ensure normal utilization ranges
  - Providing patching, software updates, maintenance, performance tuning, and troubleshooting for any Core Components (to the extent applicable and as agreed upon by the parties)
  - Implementing event filtering of data collection as needed or applicable
  - Installing and testing all SIEM Integration Plus product upgrades (testing will be completed in RQLabs prior to Customer production) to the extent applicable
  - ReliaQuest will create parsers for the Log Source Technologies identified in the Order; all Log Sources supported by the applicable SIEM technology will be integrated using the methodology provided or defined by the OEM of such SIEM technology. Log Sources that are not supported by the SIEM technology will be integrated using ReliaQuest-defined methodologies.
- For EDR Integration Plus only, the following is included:
  - Monitoring the health of sensors, if applicable
4. GreyMatter Detect
GreyMatter Detect provides visibility to Content deployed based upon the agreed scope and subject to the deployment restrictions below. The following will be delivered as part of the Ongoing Enablement:
4.1 Rule Tuning
- After implementation, ongoing tuning will be performed “on demand” to support the Customer’s environment
- Tuning may be initiated by the Customer by contacting a Customer Success Manager, the Security Operations Center, or through the RQ Portal
- Rule tuning is limited to the ReliaQuest Labeled Content
The detection deployment model is determined by the GreyMatter Integrations included in the Order and includes:
- Continual updates and tuning of existing ReliaQuest labeled content
- Newly developed content as applicable to the Log Source Technologies and/or GreyMatter Integrations included in the Order
- Customer requirements (i.e., lists, reference sets, or other Customer context) must be available at least thirty (30) days prior to the next release window to allow for the necessary tuning period. Customer requirements that are not provided within that timeframe will be scheduled for the next release cycle.
- For SIEM technologies, Log Source Technologies must be available in the SIEM environment at the appropriate logging levels at least thirty (30) days prior to the next release window for ReliaQuest to verify Log Source readiness and perform the necessary parsing. Any Log Source Technologies that are not in the SIEM environment at the appropriate logging levels within that timeframe will be scheduled for integration at the next release cycle.
For supported SIEM and/or EDR Integration Plus line items, the following applies:
- GreyMatter Detect will deploy all eligible detection based on the log source technologies integrated and/or EDR integration
- If a new log source technology is integrated and validated by ReliaQuest, the next release cycle will include all eligible detection for said log source technology within 90 days
To the extent the prior detection deployment model is unsupported, the following will apply:
- Releases are aligned to calendar quarters starting the first of the month post completion of implementation
- Quarterly releases will not include more than twenty (20) rules
4.3 Critical Content
- ReliaQuest will make commercially reasonable efforts to provide Critical Content in the event of an ongoing compromise or breach, a high severity vulnerability for which Customer has no prevention remediation options, or other such urgent situation as mutually agreed upon by the parties. Critical Content rules will function as a targeted short-term supplement to Customer’s unique threat detection capability. Customer should send Critical Content requests to its Customer Success Manager and Security Operations Center with a description of the desired rule. Once the request is received, ReliaQuest will make commercially reasonable efforts to provide the rule within twenty-four (24) business hours. Critical Content can only be applied to the Log Source Technologies in scope in the Order.
4.4 Emergency Content
- The purpose of Emergency Content is to provide immediate coverage for high-risk malware outbreaks such as WannaCry, NotPetya, etc., until anti-virus and malware vendors respond with appropriate signatures. As part of this coverage, Customer will have pre-defined rules created which reference a centrally provisioned set of indicators-of-compromise lists (associated malicious IPs, domains, hashes, or signatures) that are pulled hourly from GreyMatter Intel. These are generic rules that allow ReliaQuest to upload IPs, domains, and hashes as needed. Deployment of Emergency Content is at the sole discretion of ReliaQuest; however, the following general guidelines apply:
- The exploit or malware campaign propagates unabated (e.g. WannaCry)
- The impacts to Customer present an extreme or critical risk
- The exploit or campaign applies to the majority of ReliaQuest’s other customers
- The campaign has gained the attention of the press at the national level
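The Emergency Content mechanism above (a fixed, generic rule that consults a centrally provisioned IOC list refreshed on a schedule, so new indicators can be added without touching the rule itself) can be illustrated with the following added example. This is example code written for this page, not ReliaQuest's or GreyMatter's own implementation; the feed snapshot, the refresh interval, the event field names (`src_ip`, `dest_ip`, `dest_domain`, `file_sha256`) and all sample events and indicators are constructed assumptions. It goes slightly beyond the text in one respect: a listed domain also matches its subdomains, and an IP indicator may be a CIDR range.

```python
"""Generic IOC-list detection rule (added example; not ReliaQuest code).

Models the Emergency Content pattern: a pre-defined rule references a
centrally provisioned IOC list (IPs, domains, hashes) that is re-pulled on a
schedule, so new indicators can be added without changing the rule.
All indicators and log events below are constructed sample data.
"""
import ipaddress
import time
from dataclasses import dataclass, field

# Constructed feed snapshot, standing in for the hourly pull from a feed.
# Addresses are documentation ranges and the hash is made up; not real IoCs.
FEED_SNAPSHOT = {
    "ips": ["203.0.113.7", "198.51.100.0/24"],
    "domains": ["Bad.Example.", "payload.example"],
    "hashes": ["0123456789ABCDEF" * 4],  # 64 hex chars, constructed
}

@dataclass
class IocList:
    ips: set = field(default_factory=set)       # single addresses
    cidrs: list = field(default_factory=list)   # ip_network objects
    domains: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    fetched_at: float = 0.0

def _norm_domain(d):
    return d.strip().rstrip(".").lower()

def load_ioc_list(snapshot, now):
    """Normalize a raw feed snapshot into an IocList."""
    iocs = IocList(fetched_at=now)
    for raw in snapshot.get("ips", []):
        net = ipaddress.ip_network(raw, strict=False)
        if net.num_addresses == 1:
            iocs.ips.add(str(net.network_address))
        else:
            iocs.cidrs.append(net)
    iocs.domains = {_norm_domain(d) for d in snapshot.get("domains", [])}
    iocs.hashes = {h.strip().lower() for h in snapshot.get("hashes", [])}
    return iocs

def refresh_if_stale(iocs, fetch, now, interval=3600):
    """Re-pull the feed once the refresh interval (hourly by default) has elapsed."""
    if iocs is None or now - iocs.fetched_at >= interval:
        return load_ioc_list(fetch(), now)
    return iocs

def _ip_hits(value, iocs):
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return []
    if str(addr) in iocs.ips:
        return [("ip", str(addr))]
    return [("ip", str(net)) for net in iocs.cidrs if addr in net]

def _domain_hits(value, iocs):
    labels = _norm_domain(value).split(".")
    # Match the domain itself or any listed parent domain (subdomain coverage);
    # the bare TLD is never a candidate.
    for i in range(len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand in iocs.domains:
            return [("domain", cand)]
    return []

def match_event(event, iocs):
    """Return the indicators an event touches as a list of (type, indicator)."""
    hits = []
    for key in ("src_ip", "dest_ip"):
        if key in event:
            hits.extend(_ip_hits(event[key], iocs))
    if "dest_domain" in event:
        hits.extend(_domain_hits(event["dest_domain"], iocs))
    if "file_sha256" in event:
        h = event["file_sha256"].strip().lower()
        if h in iocs.hashes:
            hits.append(("hash", h))
    return hits

def run_rule(events, iocs):
    """Apply the generic rule: one alert per event that matches any indicator."""
    alerts = []
    for ev in events:
        hits = match_event(ev, iocs)
        if hits:
            alerts.append({"host": ev.get("host"), "hits": hits})
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "dest_ip": "203.0.113.7"},
    {"host": "ws02", "dest_domain": "cdn.bad.example"},
    {"host": "ws03", "file_sha256": "0123456789abcdef" * 4},
    {"host": "ws04", "src_ip": "198.51.100.42", "dest_domain": "ok.example"},
    {"host": "ws05", "dest_ip": "192.0.2.1"},
]

if __name__ == "__main__":
    iocs = refresh_if_stale(None, lambda: FEED_SNAPSHOT, time.time())
    for alert in run_rule(SAMPLE_EVENTS, iocs):
        print(alert)
```

The design point is the separation of rule logic from indicator data: the rule never changes, only the list it consults does, which is what lets coverage be extended quickly during an outbreak. In a real deployment the `fetch` callable would pull the list from the intelligence feed, and the rule would run as part of the SIEM's normal correlation pipeline rather than over an in-memory list.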
4.5 Log Source Technologies in Scope
- Log Source Technologies in scope are included in the Order
- If Customer removes a SIEM Log Source Technology from scope, then the following applies:
  - ReliaQuest will no longer update, maintain, or monitor applicable ReliaQuest labeled content
  - Analysts will continue to use the Log Source Technology for context/analysis of ReliaQuest labeled content, if applicable
- Customer can adjust or rotate up to two (2) Log Source Technologies per twelve (12) months of the Order for Log Source Technologies in scope; provided, however, that a Log Source Technology cannot be adjusted or rotated if it has already been integrated into the SIEM and is being managed by ReliaQuest.
5. Incident Analysis and Response
ReliaQuest will provide alert triage and qualification which will include:
- Providing context for a triggered alert that can be gained from data within GreyMatter
- Providing feedback to the Customer team for source or content tuning
- Escalating all potential true-positive alerts from ReliaQuest labeled content to Customer teams per configured escalation paths
- ReliaQuest will have the ability to leverage production “playbooks” within the GreyMatter Respond capability for automation of enrichment, containment, and remediation actions
Ongoing enablement does not include ReliaQuest performing any of the below:
- Taking any potentially destructive response actions such as wipe/reimage of a machine or device, forensic capture to a legal standard, advanced techniques such as advanced malware reversing (disassembly) or encryption/hash cracking, etc.
- Hunt campaigns performed by ReliaQuest unless separately purchased in the Order. If purchased, ReliaQuest will provide prepackaged/developed hunt scenarios that may be leveraged by Customer within the GreyMatter Hunt capability. ReliaQuest will not develop custom hunt campaigns.
- Ad-hoc investigation requests by Customer
5.1 Phishing Analyzer
Phishing Analyzer helps investigate user reported emails to identify malicious email threats and campaigns attempting to infiltrate an organization. ReliaQuest will classify user email submissions within a Customer’s abuse mailbox using applicable Email Security technologies, including:
- ReliaQuest will classify the user reported email as benign or malicious and leverage applicable “playbooks” for remediation
- Providing context for a reported email that can be gained from data within GreyMatter
6. Digital Risk Protection
DRP is an add-on to GreyMatter Intel to detect data loss, identify brand impersonation, and monitor the Customer’s web and digital attack surface. After asset collection from Customer, the following will be included:
- Configuration of risk alerting based on Customer assets
- Monitoring of open, deep, and dark web sources to isolate legitimate threats and provide real time alerting
- Escalating all potential true-positive alerts from ReliaQuest labeled content to Customer teams per configured escalation paths
- Customer will have access to Search Light (now ReliaQuest GreyMatter Digital Risk Protection), the DRP platform, to triage and remediate risk alerts, perform IOC investigations, track CVEs, and follow industry news
6.1 Managed Takedown Service
- Managed Takedown Service is an add-on to DRP and provides customers end-to-end management of submitting, tracking, and confirming takedown requests across all available risk categories (i.e., cease-and-desist requests, including DMCA, ISP/host-level content suspension, registrar- or registry-level domain suspension, incorrect WHOIS suspension, social media page suspensions, mobile app suspensions, domain takedown, law enforcement escalation)
- The following are examples of activities not included in Managed Takedown Service: dispute resolution including uniform domain-name dispute resolution policy (UDRP), acquiring domains, supporting the Customer in litigation matters, marketplace listing
7. Customer Responsibilities
Customer responsibilities are outlined in the following section:
- Customer will create a ReliaQuest service account for health monitoring
- Customer will allow ReliaQuest to create SSH key pairs for secure communication between Customer and ReliaQuest
- Customer agrees to set up policy-based Site-to-Site Virtual Private Networking (VPN) tunnels to ensure proper routing between ReliaQuest and Customer.
  - Policy-based VPNs ensure that traffic is routed to the proper customer tunnel by eliminating IP conflicts
  - By leveraging Network Address Translation (NAT), ReliaQuest can use a unique source for each customer, which ensures a unique encryption domain regardless of the destination. Every major firewall manufacturer supports at least interoperability with policy-based VPN devices.
  - On-premises systems in scope will be directly accessible via the mutual site-to-site VPN.
- Customer will provide timely support in troubleshooting issues with connectivity to include opening the necessary ports on their firewalls to enable traffic.
- Customer will communicate to ReliaQuest in advance any change to the IP, port, hostname, or other parameters of the Site-to-Site VPN, or changes to any other technology in scope of the Order or necessary for connecting to the technologies in scope of the Order, to ensure that delivery of the Ongoing Enablement activities is not substantively impacted
- Customer is responsible for working with ReliaQuest to set up access for the ReliaQuest team
- Customer acknowledges and agrees to the use of ReliaQuest’s approved Privileged Identity Management solution, or other supported access solution for the performance of Ongoing Enablement.
- For end-user authentication, Customer’s technologies must be integrated with Active Directory, either directly through LDAP(S) or Kerberos, or indirectly through SSO (SAML/OAuth), or via SSH including local accounts
- Customer is responsible for creating the required set of accounts that ReliaQuest will use in association with delivery of Ongoing Enablement
- Customer will be required to create accounts within its Active Directory or LDAP, or locally for SSH, for ReliaQuest to use with the PAM Tool, which will facilitate access for the initial implementation as well as for Ongoing Enablement
- Customer will provide any additional access required to facilitate GreyMatter interaction with the GreyMatter Integrations identified in an Order
7.3 Account Creation
Customer must provide ReliaQuest the access required to provide Ongoing Enablement, and any such access shall be provided within thirty (30) days of the access request.
7.4 Customer Response
If the Customer does not provide feedback/closure communication within fifteen (15) days from alert escalation, ReliaQuest reserves the right to transition that rule into a tuning state. This means if there is no feedback or response from Customer around alerts escalated, ReliaQuest can move a rule into tuning.
7.5 GreyMatter Integrations
- GreyMatter Integrations must be deployed and functioning prior to engagement
- GreyMatter Integrations must be supported by GreyMatter and be on the supported version for active support
- Customer must maintain active support and maintenance agreements for any in-scope GreyMatter Integration
- Customer will allow RQ to configure the GreyMatter Integration to run various maintenance tasks on the hosts including but not limited to cron jobs, scheduled tasks, and PowerShell commands
- Customer will be responsible for working with ReliaQuest to provide access to the GreyMatter Integration
- For GreyMatter Integrations other than SIEM Integration Plus and EDR Integration Plus, Customer is responsible for any core technology issues (e.g. OEM bug, etc.) and working with OEM to remediate
7.6 Automation Right
Customer acknowledges and agrees that ReliaQuest reserves the right to automate, in whole or in part, any of the ongoing enablement as described herein, including, but not limited to, automatic retrieval and temporary storage of data. Customer further acknowledges and agrees that, in connection with the provision of the Ongoing Enablement and the ReliaQuest Platform, ReliaQuest may collect and analyze Customer’s data using automatic processing techniques and/or manual (human) review to develop, train, produce, and enhance the automation and analytics models, features, and functionalities of the ReliaQuest Platform. To the extent ReliaQuest holds, stores, or processes any of Customer’s data, such data shall be held in accordance with the requirements as specified in the Order.
7.7 Modification of ReliaQuest Content
RQ Labeled Content should not be modified by the Customer at any time. If any RQ Labeled Content is modified by Customer or any third party, ReliaQuest will not be responsible for any negative repercussions including but not limited to, response times, GreyMatter Integration issues, or other issues caused by the changes. If Customer would like to modify RQ Labeled Content, Customer shall submit a ticket with requested modifications within RQ Portal or make such request directly to a Customer Success Manager in writing.
ReliaQuest recommends Customer provide the following documentation to aid ongoing enablement:
- Latest risk assessment and/or penetration test that includes most credible threats and highest severity vulnerabilities
- Full Log Source list with asset categories (compliance, critical, or other classification)
- List of compliance requirements (SOX, HIPAA, PCI, etc.)
- Security team contact information
- Scanning schedules and IP addresses for both internal and external scanners
- Public Domain(s) and IP Addresses
- Company and Brand Name(s)
8. Capitalized terms used herein and not defined in context have the meanings set out in this Section 8:
8.1 “Content” means the methodology, design, logic, and construction (including all code and scripts) of RQ Labeled Content designed to detect, correlate, and flag actionable activity.
8.2 “Content Artifact” means an alert, rule, report, or a dashboard.
8.3 “Core Component” means any component, or system that is required to normalize, aggregate, store and visualize data for a technology with the exception of agents.
8.4 “Critical Content” means a rule designed to detect a known active threat in the Customer’s environment that existing Content does not provide coverage for, for any Log Source Technologies in scope under the Order.
8.5 “Customer” means the opposite party to ReliaQuest in the Order and the party to which ReliaQuest is providing the ongoing enablement in the Order.
8.6 “Customer Roadmap” means the plan developed by ReliaQuest.
8.7 “Customer Success Manager” means a ReliaQuest dedicated point of contact responsible for customer success.
8.8 “Emergency Content” means a request for Content from the Customer to address an issue that presents an imminent threat to business continuity of Customer.
8.9 “EDR” means endpoint detection and response technology.
8.10 “EDR Technology” means EDR Vendor, Product Name.
8.11 “EDR Integration Plus” means EDR Vendor, Product name integrated into GreyMatter for all eligible GreyMatter capabilities and ReliaQuest ongoing enablement.
8.12 “GreyMatter” means ReliaQuest’s security operations platform developed by ReliaQuest and consisting of GreyMatter Respond, Detect, Health, Intel, and Investigate capabilities, and any other related ReliaQuest software tools, programs, or platforms, whether existing now or developed by ReliaQuest during the Order, including any enhancements, derivatives, or developments.
8.13 “GreyMatter Additional Integration” means Technology Vendor, Product Name, Function integrated into GreyMatter for limited GreyMatter capabilities.
8.14 “GreyMatter Respond” (formerly GreyMatter Automate) means the GreyMatter capability which supports the actions to enrich data and/or contain or remediate threats.
8.15 “GreyMatter Detect” means the GreyMatter capability which supports the overall content methodology and lifecycle to accelerate Customer’s detection visibility and facilitate evolution of Customer’s capabilities.
8.16 “GreyMatter Digital Risk Protection” means an add-on to GreyMatter Intel to detect data loss, identify brand impersonation, and monitor the Customer’s web and digital attack surface.
8.17 “GreyMatter Health” means the GreyMatter capability which supports the overall health of the GreyMatter Integration.
8.18 “GreyMatter Hunt” means the GreyMatter capability which supports threat hunting potentially leveraging data from Customer’s GreyMatter Integration.
8.19 “GreyMatter Integration” means the Technology Vendor, Product Name, Function to be integrated or integrated into GreyMatter.
8.20 “GreyMatter Intel” means the GreyMatter capability which supports threat intelligence automation, aggregation, normalization, and dissemination of machine-readable threat intelligence.
8.21 “GreyMatter Investigate” means the GreyMatter capability which supports the triage and analysis of ReliaQuest labeled content.
8.22 “GreyMatter Verify” means the GreyMatter capability which allows Customer to test the effectiveness of Customer’s cybersecurity tools and content by simulating malicious and/or anomalous activity, within Customer’s environment.
8.23 “HIPAA” means the Health Insurance Portability and Accountability Act of 1996.
8.24 “IP” means internet protocol.
8.25 “IT” means information technology.
8.26 “Log Source” means a data source that creates and sends logs to a SIEM technology.
8.27 “Log Source Technology” means Log Source Vendor, Product Name, Function integrated in the SIEM.
8.28 “Managed Takedown Service” means an add-on to GreyMatter Digital Risk Protection for enhanced monitoring of the Customer’s online footprint and removal of impersonating domains.
8.29 “OEM” means original equipment manufacturer.
8.30 “Ongoing Enablement” means the activities described in this Ongoing Enablement description, which activities may be performed remotely or from the ReliaQuest Service Locations.
8.31 “PAM” means a privileged access management tool provided to simplify and secure access to the Customer environment. Customer consents to ReliaQuest’s use of a PAM of its choosing during the performance of Ongoing Enablement. The PAM shall be determined by ReliaQuest, in ReliaQuest’s sole discretion, and may be changed at any time. The current PAM used by ReliaQuest is Delinea.
8.32 “Parser” means code used to assist in the processing of log events.
8.33 “PCI” means payment card industry.
8.34 “Phishing Analyzer” means investigating user reported emails within a Customer’s abuse mailbox to identify malicious email threats and campaigns attempting to infiltrate an organization.
8.35 “RQ” means ReliaQuest, LLC.
8.36 “ReliaQuest Service Locations” means the ReliaQuest facilities located in: (i) North America; (ii) India; (iii) European Union; (iv) United Kingdom; (v) Singapore or (vi) any other service location opened or started by ReliaQuest during the term of the Order. Customer consents to the performance of Ongoing Enablement activities under an Order from each ReliaQuest Service Location at any time as determined by ReliaQuest, in ReliaQuest’s sole discretion.
8.37 “RQLabs” means ReliaQuest lab environment.
8.38 “RQ Labeled Content” means Content created by ReliaQuest or that ReliaQuest is responsible for managing and monitoring.
8.39 “RQ Portal” means the portal where ReliaQuest provides alert data reporting to Customer. The RQ Portal is currently hosted by ServiceNow and Customer consents to the use of RQ Portal for the provision of Ongoing Enablement under an Order.
8.40 “SIEM” means security information and event management technology.
8.41 “SIEM Integration Plus” means SIEM Vendor, Product name integrated into GreyMatter for all eligible GreyMatter capabilities and ReliaQuest ongoing enablement.
8.42 “SOC” means security operations center.
8.43 “SOX” means the Sarbanes-Oxley Act of 2002.
8.44 “SSH” means secure socket shell.
8.45 “Term” means the period of time set forth in the applicable Order during which Customer is authorized by ReliaQuest to access and use GreyMatter and entitled to receive Ongoing Enablement support.
8.46 “Third Party Platform Providers” means the third party platform providers, as designated by ReliaQuest from time to time, who support or enable ReliaQuest to provide GreyMatter and the Ongoing Enablement to Customer, as set forth and updated from time-to-time at: www.reliaquest.com/platform-sub-processors. For the avoidance of doubt, ReliaQuest may nominate or withdraw Third Party Platform Providers upon notice to Customer (notice through GreyMatter, the RQ Portal, or other electronic means being sufficient).
8.47 “VPN” means virtual private network.