ReliaQuest’s Security Operations Platform – GreyMatter – is powered by Ongoing Enablement. Ongoing Enablement is the security expertise and codified best practices delivered by ReliaQuest personnel through GreyMatter to achieve Customer outcomes. To the extent included in the scope of an Order, the Ongoing Enablement delivered to Customer may include:

1. Implementation

ReliaQuest will assign an implementation specialist who is responsible for managing the implementation process. The implementation process is done remotely and starts with a kickoff call with the Customer. The following will be delivered during implementation:

  • Setup of site-to-site VPN, API integration of GreyMatter, and PAM tool.
    • ReliaQuest is authorized to use Third Party Platform Providers to support or enable the ReliaQuest Platform.
  • Workflow configuration to include data flows, communication mapping, and change management
  • Configuration of GreyMatter for Customer environment:
    • Modification of parsing and field mapping for GreyMatter Sources (direct and/or indirect connection)
    • GreyMatter Detect and tuning of ReliaQuest Labeled Content
    • GreyMatter Health for applicable Storage Technologies (SIEM, Data Lake, etc.)
    • GreyMatter Intel for threat intelligence integration

2. Customer Success Manager

The Customer Success Manager is responsible for ensuring customer success. The Customer Success Manager will provide the following:

  • Develop and maintain the Customer Roadmap
  • Coordinate and deliver reporting and analytics including quarterly or periodic executive business reviews
  • Communicate with pertinent teams for GreyMatter enhancement and feature requests
  • Partner with Customer teams to ensure GreyMatter is being fully utilized to optimize overall security posture to attain positive business outcomes

3. ReliaQuest Supported Sources

A supported source is any technology that GreyMatter connects to, either directly or indirectly, to deliver its capabilities. If the connection is indirect, a supported storage tool is required. GreyMatter’s capabilities depend on the supported source and the connection type:

  • Direct Source (Direct Connection): GreyMatter connects directly to the source technology via API, enabling real-time data retrieval and potential response actions.
  • Indirect Source (Indirect Connection): GreyMatter accesses the source’s data through a supported storage solution (such as a SIEM or Data Lake). The data is first collected and stored in the storage solution before GreyMatter retrieves it.
    • Security tools that send their data to Storage Technologies often are referred to as log source technologies
    • Log Source Technologies contribute to the capacity, volume or other metric (e.g., EPS, GBS, SVC) utilized in the Storage Technology

4. GreyMatter Health Support

  • GreyMatter Health is utilized to monitor the performance of applicable sources and Storage Technologies, including:
    • Interfacing directly with OEM support as needed for specific troubleshooting of software issues, request for enhancements, or misconfigurations
    • Identifying detected outages and the source of the problem
    • Health support for cloud-based technologies has limitations attributable to the level of access provided by the hosting provider
  • Health support will vary based on the technology provider; the following is included:
    • Monitoring source device feeds to ensure that events are being received and parsed correctly
    • Monitoring of Core Components to ensure event receipt, processing, and forwarding are being performed correctly
    • Monitoring of system performance to ensure normal utilization ranges
    • Provide patching, software updates, maintenance, performance tuning, and troubleshooting for any Core Components (to the extent applicable and as agreed upon by the parties)
    • Implementing event filtering of data collection as needed or applicable
    • Installing and testing of all product upgrades (testing will be completed in ReliaQuest’s lab environment prior to Customer production) to the extent applicable
    • ReliaQuest will create parsers for indirect sources (log source technologies) supported by the applicable storage (SIEM, Data Lake, etc.) technology using the methodology provided or defined by the OEM of such Storage Technology. Indirect sources (log source technologies) not supported by the OEM will be integrated using ReliaQuest defined methodologies.

5. GreyMatter Detect

GreyMatter Detect centralizes management of ReliaQuest Labeled Content, with transparent visibility into detection logic and deployment status. All detection logic is deployed remotely via API by connecting to a Storage Technology, directly at the source, or a combination of both. The following will be delivered as part of the Ongoing Enablement:

5.1. Rule Tuning

  • After implementation, ongoing tuning will be performed “on demand” to support the Customer’s environment
  • Tuning may be initiated by the Customer by contacting a Customer Success Manager, the Security Operations Center, or through the RQ Portal
  • Rule tuning is limited to the ReliaQuest Labeled Content

5.2. Detection

The detection deployment cadence is determined based on the Customer’s sources and priorities including:

  • Continual updates and tuning of existing ReliaQuest Labeled Content
  • Newly developed Content as applicable
  • Customer requirements (i.e., lists, reference sets, or other Customer context) must be available at least thirty (30) days prior to next release window to allow for necessary tuning periods. Customer requirements that are not provided within that timeframe will be scheduled for the next release cycle.
  • For storage solutions, indirect sources (log source technologies) must be available in the SIEM/Data Lake environment at the appropriate logging levels at least thirty (30) days prior to next release window for ReliaQuest to verify readiness and perform the necessary parsing. Any Log Source Technologies that are not in the environment at the appropriate logging levels within that timeframe will be scheduled for integration at the next release cycle.

5.3. Critical Content

  • ReliaQuest will make commercially reasonable efforts to provide Critical Content in the event of an ongoing compromise or breach, a high severity vulnerability for which Customer has no prevention remediation options, or other such urgent situation as mutually agreed upon by the parties. Critical Content rules will function as a targeted short-term supplement to Customer’s unique threat detection capability. Customer should send Critical Content requests to its Customer Success Manager and Security Operations Center with a description of the desired rule. Once the request is received, ReliaQuest will make commercially reasonable efforts to provide the rule within twenty-four (24) business hours.

5.4. Emergency Content

  • The purpose of Emergency Content is to provide immediate coverage for high-risk malware outbreaks such as WannaCry, NotPetya, etc., until anti-virus and malware vendors respond with appropriate signatures. As part of this coverage, Customer will have pre-defined rules created which will reference a centrally provisioned set of indicators of compromise (associated malicious IPs, domains, hashes, or signatures) which are pulled hourly from GreyMatter Intel. These are generic detections that allow ReliaQuest to upload IPs, domains, hashes as needed. Deployment of Emergency Content is at the sole discretion of ReliaQuest; however, the following general guidelines apply:
    • The exploit or malware campaign propagates unabated (e.g., WannaCry)
    • The impacts to Customer present an extreme or critical risk
    • The exploit or campaign applies to the majority of ReliaQuest’s other customers
    • The campaign has gained the attention of the press at the national level

6. Incident Analysis and Response

ReliaQuest will provide alert triage and qualification which will include:

  • Providing context for a triggered alert that can be gained from data within GreyMatter
  • Providing feedback to the Customer team for source or Content tuning
  • Escalating all potential true-positive alerts from ReliaQuest Labeled Content to Customer teams per configured escalation paths
  • ReliaQuest will have the ability to leverage production “playbooks” within the GreyMatter Respond capability for automation of enrichment, containment, and remediation actions

Ongoing enablement does not include ReliaQuest performing any of the below:

  • Taking any potentially destructive response actions such as wipe/reimage of a machine or device, forensic capture to a legal standard, advanced techniques such as advanced malware reversing (disassembly) or encryption/hash cracking, etc.

6.1. Threat Hunting

GreyMatter Hunt allows the Customer and ReliaQuest to perform threat hunting campaigns to identify threats and/or anomalous activity, limited to the scope in the Order, including:

  • ReliaQuest will proactively perform threat hunting campaigns leveraging GreyMatter, in response to high risk and/or visibility threats or attacks, as determined by ReliaQuest in its sole discretion. Examples of high risk or visibility attacks include WannaCry, SolarWinds, Kaseya, etc.
  • Hunt campaigns will identify any known threats or anomalous activity in the Customer’s environment up to ninety (90) days prior to the date the campaign was conducted
  • Threat hunting will be conducted autonomously by ReliaQuest when applicable, based on the industry vertical, profile of targeted organization, and technology footprint of the customer
  • ReliaQuest shall notify Customer within a reasonable period of time if ReliaQuest believes that it has identified a threat within Customer’s environment as a result of a threat hunting campaign.

7. Phishing Analyzer

Phishing Analyzer helps investigate user reported emails to identify malicious email threats and campaigns attempting to infiltrate an organization. ReliaQuest will classify user email submissions within a Customer’s abuse mailbox using applicable Email Security technologies, including:

  • ReliaQuest will classify the user reported email as benign or malicious and leverage applicable “playbooks” for remediation
  • Providing context for a reported email that can be gained from data within GreyMatter

8. Digital Risk Protection

DRP is an add on to GreyMatter Intel to detect data loss, identify brand impersonation, and monitor the Customer’s web and digital attack surface. Post asset collection from Customer, the following will be included:

  • Configuration of risk alerting based on Customer assets
  • Monitoring of open, deep, and dark web sources to isolate legitimate threats and provide real time alerting
  • Escalating all potential true-positive alerts from ReliaQuest Labeled Content to Customer teams per configured escalation paths
  • Customer will have access to SearchLight to triage and remediate risk alerts, perform IOC investigations, CVE tracking, and industry news

8.1. Managed Takedown Service

  • Managed Takedown Service is an add on to DRP and provides customers end-to-end management of submitting, tracking, and confirming takedown requests across all available risk categories

9. Customer Responsibilities

Customer responsibilities are outlined in the following section:

9.1. Connectivity

  • Customer will create a ReliaQuest service account for health monitoring for applicable Storage Technologies
  • Customer will allow ReliaQuest to create SSH key pairs for secure communication between Customer and ReliaQuest
  • Customer agrees to set up policy-based Site-to-Site Virtual Private Networking (VPN) tunnels to ensure proper routing between ReliaQuest and Customer.
    • Policy based VPNs ensure that traffic is routed to the proper customer tunnel by eliminating IP conflicts
    • By leveraging Network Address Translation (NAT), ReliaQuest can use a unique source for each customer which ensures a unique encryption domain regardless of the destination. Every major firewall manufacturer supports at least interoperability with policy-based VPN devices.
  • On premise systems in scope will be directly accessible via the mutual site to site VPN.
  • Customer will provide timely support in troubleshooting issues with connectivity to include opening the necessary ports on their firewalls to enable traffic.
  • Customer will communicate in advance to ReliaQuest any change to the IP, Port, Hostname, parameters of the Site-to-Site VPN, or changes to any other technology in scope of the Order, or necessary for connecting to the technologies in scope of the Order, to ensure the delivery of the Ongoing Enablement activities are not substantively impacted

9.2. Access

  • Customer is responsible for working with ReliaQuest to set up access for the ReliaQuest team
  • Customer acknowledges and agrees to the use of ReliaQuest’s approved Privileged Identity Management solution, or other supported access solution for the performance of Ongoing Enablement.
    • For end user authentication, Customer’s technologies must be integrated with Active Directory, either directly through LDAP(s) or Kerberos method, or indirectly through SSO (SAML/OAuth) or via SSH to include local accounts
    • Customer is responsible for creating the required set of accounts that ReliaQuest will use in association with delivery of Ongoing Enablement
    • Customer will be required to create accounts within its Active Directory or LDAP, or locally for SSH for ReliaQuest to use the PAM tool which will facilitate access for the initial implementation as well as for ongoing enablement
  • Customer will provide any additional access required to facilitate GreyMatter interaction

9.3. Account Creation

Customer must provide ReliaQuest access to provide Ongoing Enablement, and any such access shall be provided within thirty (30) days of access request.

9.4. Customer Response

If the Customer does not provide feedback/closure communication within fifteen (15) days of an alert firing, ReliaQuest reserves the right to transition that rule into a tuning state. This means if there is no feedback or response from Customer around alerts escalated, ReliaQuest can move a rule into tuning.

9.5. GreyMatter Direct Sources

Customer is responsible for meeting the following requirements for GreyMatter Direct Sources to ensure proper functionality and support:

  • Must be deployed and fully operational prior to engagement.
  • Must be on a version supported by GreyMatter for compatibility.
  • Customers must maintain active support and maintenance agreements.
  • Customers must permit ReliaQuest to configure the technology to run various maintenance tasks on the hosts, including but not limited to cron jobs, scheduled tasks, and PowerShell commands.
  • Customers must collaborate with ReliaQuest to provide access to applicable sources.
  • Customers are responsible for addressing any core technology issues (e.g., OEM bugs) and working with the OEM to remediate them.

9.6. Automation Right

Customer acknowledges and agrees that ReliaQuest reserves the right to Automate, in whole or in part, any of the Ongoing Enablement activities or GreyMatter features or functionalities, including, but not limited to, automatic retrieval and temporary storage of data. Customer further acknowledges and agrees that, in connection with the provision of the Ongoing Enablement and the ReliaQuest Platform, ReliaQuest may collect and analyze Customer’s data using Automatic processing techniques and/or manual (human) review to develop, train, produce, and enhance the automation and analytics models, features, and functionalities of the ReliaQuest Platform. To the extent ReliaQuest holds, stores, or processes any of Customer’s data, such data shall be held in accordance with the requirements as specified in the Order.

9.7. Modification of ReliaQuest Content

ReliaQuest Labeled Content should not be modified by the Customer at any time. If Content is modified by Customer or any third party, ReliaQuest will not be responsible for any negative repercussions including but not limited to, response times, GreyMatter Integration issues, or other issues caused by the changes. If Customer would like to modify ReliaQuest Labeled Content, Customer shall submit a ticket with requested modifications or make such request directly to a Customer Success Manager in writing.

9.8. Documentation

ReliaQuest recommends Customer provide the following documentation to aid ongoing enablement:

  • Latest risk assessment and/or penetration test that includes most credible threats and highest severity vulnerabilities
  • Full Log Source list with asset categories (compliance, critical, or other classification)
  • List of compliance requirements (SOX, HIPAA, PCI, etc.)
  • Security team contact information
  • Scanning schedules and IP addresses for both internal and external scanners
  • Public Domain(s) and IP Addresses
  • Company and Brand Name(s)

9.9. Dependencies; Remedy

The Ongoing Enablement activities are dependent upon Customer’s compliance with the Customer responsibilities described herein and the accuracy and completeness of any data, access or other information necessary for the provision of GreyMatter and the Ongoing Enablement. To the extent Customer has any disputes or claims arising out of or related to the Ongoing Enablement activities described herein, Customer’s sole and exclusive remedy for such disputes or claims is as set forth in the warranties, exclusive remedies, exclusions, and disclaimers provisions of the PSA.

10. Capitalized terms used herein not defined in context have the meanings set out in this section:

10.1 “Automate” or “Automated” means the use of automated processes or systems, including large language models, machine learning, or other artificial intelligence capabilities, to perform tasks or generate analysis through or in connection with GreyMatter.

10.2 “Content” means the methodology, design, logic, and construction (including all code and scripts) of ReliaQuest Labeled Content designed to detect, correlate, and flag actionable activity.

10.3 “Content Artifact” means an alert, rule, or report.

10.4 “Core Component” means any component, or system that is required to normalize, aggregate, store and visualize data for a technology with the exception of agents.

10.5 “Critical Content” means a rule designed to detect a known active threat in the Customer’s environment that existing Content does not provide coverage for, for any Log Source Technologies in scope under the Order.

10.6 “Customer” means the opposite party to ReliaQuest in the Order and the party to which ReliaQuest is providing the ongoing enablement in the Order.

10.7 “Customer Roadmap” means the plan developed by ReliaQuest

10.8 “Customer Success Manager” means a ReliaQuest dedicated point of contact responsible for customer success.

10.9 “Discretionary Content” means rules or reports that are unique to a customer’s environment, usually based on a custom application. Customers should send Discretionary Content requests to the Customer Success Manager and the SOC with a description of the desired Discretionary Content artifact. Customers are eligible for up to eight (8) total releases of Discretionary Content artifacts annually; however, ReliaQuest shall only be obligated to implement a maximum of six (6) Discretionary Content requests in any single calendar quarter.

10.10 “Direct Connection” or “Direct Sources” means GreyMatter connects directly to the source technology via API, enabling real-time data retrieval and potential response actions.

10.11 “Emergency Content” means a request for Content from the Customer to address an issue that presents an imminent threat to business continuity of Customer.

10.12 “Endpoint” means any device, system, application, or resource owned or managed by the Customer that is monitored, tracked, or managed via GreyMatter. The endpoint count includes all physical, virtual, and cloud-based resources, whether active or provisioned unless otherwise specified in the agreement.

10.13 “GreyMatter” means ReliaQuest’s Security Operations Platform developed by ReliaQuest and any other related ReliaQuest software tools, programs, or platforms, whether existing now or developed by ReliaQuest during the Order, including any enhancements, derivatives, or developments.

10.14 “GreyMatter Respond” means the GreyMatter capability which supports the actions to enrich data and/or contain or remediate threats.

10.15 “GreyMatter Detect” means a capability which centralizes management of ReliaQuest Labeled Content authored by ReliaQuest and various technology vendors, with transparent visibility into detection logic and deployment status. ReliaQuest uses GreyMatter Detect to deploy ReliaQuest Labeled Content across the environment connecting through a Storage Technology or Source.

10.16 “GreyMatter Digital Risk Protection” means an add on to GreyMatter Intel to detect data loss, identify brand impersonation, and monitor the Customer’s web and digital attack surface.

10.17 “GreyMatter Health” means the GreyMatter capability which supports the overall health of the Storage Technology.

10.18 “GreyMatter Hunt” means the GreyMatter capability which supports threat hunting potentially leveraging data from Customer’s Direct Source or Indirect Source.

10.19 “GreyMatter Intel” means the GreyMatter capability which supports threat intelligence automation, aggregation, normalization, and dissemination of machine-readable threat intelligence.

10.20 “GreyMatter Investigate” means the GreyMatter capability which supports the triage and analysis of ReliaQuest Labeled Content.

10.21 “GreyMatter Verify” means the GreyMatter capability which allows Customer to test the effectiveness of Customer’s cybersecurity tools and content by simulating malicious and/or anomalous activity, within Customer’s environment.

10.22 “HIPAA” means the Health Insurance Portability and Accountability Act of 1996.

10.23 “Indirect Connection” or “Indirect Sources” means GreyMatter accesses the source’s data via a storage solution (SIEM, Data Lake, etc.), where the data is first collected and stored before GreyMatter retrieves it.

10.24 “IP” means internet protocol.

10.25 “IT” means information technology.

10.26 “Log Source” means a data source that creates and sends logs to a Storage Technology.

10.27 “Log Source Technology” or “Log Source Technologies” means the security tool (Vendor, Product Name, Function) that sends data to a Storage Technology.

10.28 “Managed Takedown Service” means an add on to GreyMatter Digital Risk Protection for enhanced monitoring of the Customer’s online footprint and removal of impersonating domains.

10.29 “OEM” means original equipment manufacturer.

10.30 “Ongoing Enablement” means the activities described in this Ongoing Enablement description, which activities may be performed remotely or from the ReliaQuest Service Locations.

10.31 “PAM” means a privileged access management tool provided to simplify and secure access to the Customer environment. Customer consents to ReliaQuest’s use of a PAM of its choosing during the performance of Ongoing Enablement. The PAM shall be determined by ReliaQuest, in ReliaQuest’s sole discretion, and may be changed at any time. The current PAM used by ReliaQuest is Delinea.

10.32 “Parser” means code used to assist in the processing of log events.

10.33 “PCI” means payment card industry.

10.34 “Phishing Analyzer” means investigating user reported emails within a Customer’s abuse mailbox to identify malicious email threats and campaigns attempting to infiltrate an organization.

10.35 “Platform and Support Agreement” or “PSA” means the Platform and Support Agreement between ReliaQuest and Customer. To the extent ReliaQuest and Customer have mutually-executed a separate definitive agreement governing ReliaQuest’s provision of GreyMatter and the Ongoing Enablement activities to Customer, such agreement shall be considered the Platform and Support Agreement or PSA as such terms are used herein.

10.36 “ReliaQuest Authored Detections” means detection researched, developed, and released by ReliaQuest.

10.37 “ReliaQuest Service Locations” means the ReliaQuest facilities located in: (i) North America; (ii) India; (iii) European Union; (iv) United Kingdom; (v) Singapore or (vi) any other service location opened or started by ReliaQuest during the term of the Order. Customer consents to the performance of Ongoing Enablement activities under an Order from each ReliaQuest Service Location at any time as determined by ReliaQuest, in ReliaQuest’s sole discretion.

10.38 “ReliaQuest Labeled Content” means ReliaQuest Authored Detections and/or Vendor Authored Detection that ReliaQuest has agreed to manage. All ReliaQuest Labeled Content is stored in GreyMatter Detect.

10.39 “ReliaQuest Supported Sources” or “Sources” means any technology that GreyMatter connects to, either directly or indirectly, to deliver its capabilities, defined at: https://reliaquest1dev.wpengine.com/supported-sources/.

10.40 “RQ Portal” means the portal where ReliaQuest provides alert data reporting to Customer. The RQ Portal is currently hosted by ServiceNow and Customer consents to the use of RQ Portal for the provision of Ongoing Enablement under an Order.

10.41 “SIEM” means security, information, and event management software.

10.42 “SOC” means security operation center.

10.43 “SOX” means Sarbanes-Oxley Act of 2002.

10.44 “SSH” means secure socket shell.

10.45 “Storage Technology” or “Storage Technologies” means technologies designed for the long-term storage of data reported by monitoring source technologies.

10.46 “Term” means the period of time set forth in the applicable Order during which Customer is authorized by ReliaQuest to access and use GreyMatter and entitled to receive Ongoing Enablement support.

10.47 “Third Party Platform Providers” means the third party platform providers, as designated by ReliaQuest from time to time, who support or enable ReliaQuest to provide GreyMatter and the Ongoing Enablement to Customer, as set forth and updated from time-to-time at: https://reliaquest1dev.wpengine.com/security-operations-platform-sub-processors/. For the avoidance of doubt, ReliaQuest may nominate or withdraw Third Party Platform Providers upon notice to Customer (notice through GreyMatter, the RQ Portal, or other electronic means being sufficient).

10.48 “Vendor Authored Detections” means detections developed or disseminated by the vendor of the applicable third-party technology platform which are then aligned and integrated with ReliaQuest’s proprietary suite of detections. Vendor Authored Detections are not eligible for any warranty provided in connection with Security Tool Content.

10.49 “VPN” means virtual private network.