Ongoing Enablement Description
Ongoing enablement is a key component of GreyMatter. For each Primary Technology, the following is included with the purchase of a license for GreyMatter:
ReliaQuest will assign an implementation specialist that is responsible for managing the implementation process. The process will start with a kickoff call with customer (“Customer”) and be a remote process with the exception of an optional onsite workshop. The following will be delivered during implementation:
- Setup of Site to Site VPN, API integration of GreyMatter, and Thycotic (See Section 6.1 – Connectivity and Access for further details)
- Workflow configuration to include data flows, communication mapping, and change management
- Configuration of ReliaQuest GreyMatter for Customer environment:
  - Modification of parsing and field mapping to ensure integration
  - Configuration of GreyMatter Health for primary technology health alerting
  - Configuration of GreyMatter Intel for threat intelligence integration into Primary Technologies (as applicable)
  - Configuration of GreyMatter Detect and implementation of ReliaQuest content to primary technology, enabling GreyMatter Investigate
    - Includes tuning of all content
- Integration of GreyMatter Secondary Technology
  - See Section 6.4 – Primary and Secondary Technologies for additional detail on supported technologies
2. Delivery Manager
The ReliaQuest Delivery Manager (“Delivery Manager”) is responsible for ensuring customer success. The Delivery Manager will provide the following:
- Development and maintenance of a customer roadmap
- Coordinate and deliver reporting and analytics, including quarterly or periodic executive business reviews
- Assist customer in navigating feature requests
- Partner with Customer teams to ensure GreyMatter is being fully utilized to optimize overall security posture and attain positive business outcomes
3. Primary Technology Health Support
ReliaQuest engineers will monitor the performance of the Primary Technologies (“Primary Tech(s)”) referenced in an order (the “Order”), which includes:
- Monitoring source device feeds to ensure that events are being received and parsed correctly
- Monitoring of the non-agent-based components to ensure event receipt, processing, and forwarding are being performed correctly and that system performance is within normal utilization ranges
- Monitoring of the Primary Technology database to ensure responsiveness for event processing, throughput, data archival, and report performance
- For detected outages, identifying the source of the problem and notifying the Customer representative of any outages or issues
- Providing patching, software updates, maintenance, performance tuning, and troubleshooting for any core components of the Primary Technology
- Interfacing directly with the Primary Technologies’ support function as needed for specific troubleshooting of software issues, RFEs, or misconfigurations
- Changes shall be managed and documented per the Customer’s change management procedures
- Implementing event filtering of data collection as needed
- Installing and testing all Primary Technologies product upgrades (testing will be completed in RQLabs prior to Customer production)
- For SIEM technologies, ReliaQuest will:
  - Create custom parsers that are associated with any unique log sources identified in the Order (the “Log Sources”); and
  - Work with Customer to continuously integrate the Log Sources; during integration, the ReliaQuest engineering team will work with the ReliaQuest content team to update and maintain parsing for the integrated Log Sources
- Health support for the Primary Technology has limitations for cloud-based technologies, attributable to the level of access provided by the hosting provider.
4. Content Development
ReliaQuest shall provide unlimited access to the security tool content (“Content”) available for deployment based upon the agreed-upon scope, subject to the deployment restrictions below. During the term of an applicable Order, ReliaQuest shall maintain any such Content with ongoing tuning and quarterly updates. The following will be delivered as part of the ongoing enablement:
4.1. Rule Tuning
- After implementation, ongoing tuning will be performed “on demand” to support the customer’s environment.
- Tuning may be initiated by the customer by contacting a ReliaQuest Delivery Manager, the ReliaQuest Security Operations Center, or through the RQPortal.
- Primary Technology rule tuning is based upon the capabilities allotted by the software manufacturer.
- For EDR and SIEM Primary Technologies, rule tuning is limited to RQ-created content only.
4.2. Quarterly Content Releases
- Releases are aligned to calendar quarters
- Each release includes upgrades and patches to existing Content/rules. Rules that have been deployed will be enhanced or patched during the quarterly release for the Log Sources
- Newly developed Content during the term of an Order will be implemented as available and as applicable to in-scope Log Sources
- Quarterly releases will be scheduled at three (3) month update intervals, starting the first of the month following the completion of content implementation
- For SIEM technologies, Log Sources must be available in the SIEM environment at the appropriate logging levels prior to the start of the scheduled quarterly (three (3) month) release window for engineers to verify Log Source readiness and perform the necessary parsing. Any Log Sources that are not in the SIEM environment at the appropriate logging levels within that timeframe will be scheduled for integration at the next quarterly release cycle
- Customer requirements (i.e. lists, reference set, or other customer context) must be available at least thirty (30) days prior to end of the three (3) month release window to allow for necessary tuning periods. Customer requirements that are not provided within that timeframe will be scheduled for integration at the next quarterly release cycle.
- Quarterly releases will not include more than thirty (30) rules, unless mutually agreed upon by ReliaQuest and Customer prior to the deployment window.
- Development of new or modification of existing machine learning models is not in scope for content releases.
4.3. Critical Content
- Critical Content rules will function as a targeted short-term supplement to the Customer’s threat detection capability. Customers should send Critical Content requests to their Delivery Manager with a description of the desired rule. Once the request is received by ReliaQuest, the Delivery Manager and ReliaQuest Content team will make commercially reasonable efforts to provide the rule within twenty-four (24) business hours. Critical Content can only be applied to the Log Sources in scope.
4.4. Emergency Content
- The purpose of Emergency Content is to provide immediate coverage for high-risk malware outbreaks such as WannaCry, NotPetya, etc., until anti-virus and malware vendors respond with appropriate signatures. As part of this coverage, Customer will have pre-defined rules created which reference a centrally provisioned set of IOC lists (associated malicious IPs, domains, hashes or signatures) that are pulled hourly from GreyMatter Intel. These are generic rules that allow ReliaQuest to upload IPs, domains, and hashes as needed. These lists will be updated by our threat intelligence unit, who will be tracking the malware outbreak as it unfolds, in addition to reversing the sample, should it be readily available.
4.5. Discretionary Content Request
- Discretionary ad-hoc Content is defined as rules, reports, or dashboards that are unique to a customer’s environment, usually based on a custom application with a customized log source. Customers should send discretionary ad-hoc Content requests to the Delivery Manager with a description of the desired ad-hoc Content artifact. Customers are eligible for up to eight (8) total releases of discretionary ad-hoc Content artifacts annually; however, ReliaQuest shall only be obligated to implement a maximum of six (6) discretionary ad-hoc Content requests in any single quarter.
4.6. SIEM Log Sources in Scope
If a customer removes a SIEM Log Source out of scope:
- ReliaQuest no longer monitors or maintains applicable rules
- No additional updates to applicable rules will be implemented
- Analysts will continue to use the log source for context/analysis in response to an in-scope rule/log source
- Customer can adjust up to two (2) log sources in scope quarterly. Once a log source is rotated out content will no longer be updated or maintained for the log source
5. Incident Analysis and Response
ReliaQuest analysts will provide alert triage and qualification which will include:
- Providing context for a triggered alert that can be gained from data within GreyMatter, including any additional data from primary and secondary technologies as well as enrichment data from Intel.
- Providing feedback to the Customer engineering or content development team for source tuning or content tuning
- Escalating all potential true-positive, in scope rules/alerts to Customer teams per configured escalation paths
- For technologies where alerting relies on a “risk score”, Incident Response and Analysis will be completed for any alert scoring over 90%.
- Analysts will be able to leverage all production “playbooks” within the GreyMatter Automate platform to automate enrichment, containment and remediation actions based on agreed-upon actions.
- Ongoing enablement does not include ReliaQuest analysts taking any potentially destructive response actions such as wipe/reimage of a machine or device.
- Ongoing enablement does NOT involve forensic capture to a legal standard or advanced techniques such as advanced malware reversing (disassembly) or encryption/hash cracking, etc.
6. Customer Responsibilities
Customer responsibilities are outlined in the following sections:
6.1. Connectivity and Access
- Customer will create a ReliaQuest service account for health monitoring
- Customer will allow ReliaQuest to create SSH key pairs for secure communication with ReliaQuest
- Customer agrees to set up a mutual site to site VPN
- Systems in scope will be directly accessible via the mutual site to site VPN
- Customer will provide timely support in troubleshooting issues with connectivity
- Customer is responsible for working with ReliaQuest to set up access for the ReliaQuest team
- Customer acknowledges and agrees to the usage of Thycotic for the performance of Ongoing Enablement
- For end user authentication, Customer’s technologies must be integrated with Active Directory.
- Customer is responsible for creating the required set of accounts that ReliaQuest will use in connection with the delivery of services
- Customer will be required to create accounts within their Active Directory or LDAP in order for ReliaQuest to use the RQ Access Management solution which will facilitate access for the initial implementation timeline as well as for ongoing management
- Customer will provide any additional access required to facilitate GreyMatter interaction with the secondary technologies identified in an Order
6.2. Account Creation
Customer must provide ReliaQuest access to perform ongoing enablement services, and any such access shall be provided within thirty (30) days of the access request.
6.3. Customer Response
If the Customer does not provide feedback/closure communication within fifteen (15) days of an alert firing, ReliaQuest reserves the right to transition that rule into a tuning state. This means if there is no feedback or response from customer around alerts escalated, ReliaQuest can move a rule into tuning.
6.4. Primary and Secondary Technologies
- Unless outlined otherwise in ReliaQuest Order Form, Primary technology must be deployed and functioning prior to engagement
- Customer must maintain active support and maintenance agreements for any in-scope Customer primary and secondary technologies
- Customer will allow RQ to configure the primary technologies to run various maintenance tasks on the hosts including but not limited to cron jobs, scheduled tasks, and PowerShell commands
- Customer will be responsible for working with ReliaQuest to provide access to the primary and secondary technologies
- Customer is responsible for any core technology issues (e.g. OEM bug, etc.) and working with OEM to remediate
- Secondary technologies must be on GreyMatter supported versions to be covered by ongoing enablement
- Customer is responsible for providing support as requested by ReliaQuest for the development of a GreyMatter integration for any secondary technologies not already integrated with the GreyMatter platform
6.5. Automation Right
Customer acknowledges and agrees that ReliaQuest reserves the right to automate, in whole or in part, any of the ongoing enablement as described herein, including, but not limited to, automatic retrieval and storage of data. To the extent ReliaQuest holds, stores, or processes any of Customer’s data, such data shall at all times be held in accordance with the requirements as specified in the Order.
6.6. Modification of ReliaQuest Content
RQ-created Content (“RQ Labeled Content”) should not be modified by the Customer at any time. If RQ Labeled Content is modified by Customer or any third party, ReliaQuest will not be responsible for any negative repercussions, including response times, SIEM issues, or any other issues caused by the changes. If Customer would like to modify RQ Labeled Content, Customer shall submit a ticket with the requested modifications within RQ Portal or make such request directly to a Delivery Manager in writing.
Customer is responsible for maintaining, gathering and providing the following documentation:
- Latest risk assessment that includes most credible threats and highest severity vulnerabilities
- Primary and secondary technology architectural diagrams for streamlined integration
- Full log source list with asset categories (compliance, critical, or other classification)
- List of compliance requirements (SOX, HIPAA, PCI, etc.)
- List of compliance audit requirements with estimated dates (reports needed, etc.)
- Security team contact information
- Customer’s IT security policies
- List of critical or high-risk business applications or infrastructure (e.g. financial or HR systems)
- Network diagram
- Network ranges segmented by risk level
- Scanning schedules for both internal and external systems
- IP addresses of default scanners
- Most recent penetration test results
Addendum 1 – Definitions and Acronyms
The following is a list of defined terms and description of acronyms as used throughout the SOW, if applicable:
“Content” means the methodology, design, logic, and construction (including all code and scripts) of rules created by ReliaQuest and designed to detect, correlate and flag actionable activity in various security information and event management Software and other endpoint detection and response Software during the Term, including any improvements, modifications, changes, or enhancements made thereto. All Content shall be considered a Deliverable for the purposes of this SOW and the Agreement.
“Content Artifact” means a rule, a report, or a dashboard.
“Core Component” means any component, or system that is required to normalize, aggregate, store and visualize data for a technology with the exception of agents.
“Critical Content” means a rule designed to detect a known active threat in the Customer’s environment that existing Content does not provide coverage for, for any log sources in scope under this SOW.
“Customer” means the party identified as the “Customer” in the Order Form.
“Customer Roadmap” means the plan developed by ReliaQuest during the Workshop.
“Delivery Manager” means ReliaQuest project manager.
“Discretionary Content” means Content Artifacts that are unique to Customer’s environment (usually based on a custom application with a customized log source) that are used to address an issue that does not present an imminent threat to business continuity of Customer.
“Emergency Content” means a request for Content from Customer to address an issue that presents an imminent threat to business continuity of Customer.
“UEBA” means any User and Entity Behavior Analytics technology. This includes those technologies that rely on pre-defined machine learning algorithms to identify anomalies over a set period of time.
“GreyMatter” means the overall software platform solution developed and provided by ReliaQuest to its customers and includes technology, ongoing enablement and analytics.
“GreyMatter Automate” means the GreyMatter capability which supports the actions to enrich data and/or contain or remediate threats.
“GreyMatter Detect” means capability which supports the overall content methodology and lifecycle to accelerate Customer’s detection visibility and facilitate evolution of Customer’s capabilities.
“GreyMatter Health” means the GreyMatter capability which supports the overall health of the primary technologies and is inclusive of all primary technologies.
“GreyMatter Hunt” means the GreyMatter capability which supports threat hunting potentially leveraging data from customer’s primary and secondary technology.
“GreyMatter Intel” means the GreyMatter capability which supports threat intelligence automation, aggregation, normalization and dissemination of machine-readable threat intelligence.
“GreyMatter Investigate” means the GreyMatter capability which supports the triage and analysis of alerts which are generated within the customer’s primary technology.
“GreyMatter Verify” means the GreyMatter capability which allows a Customer to test the effectiveness of Customer’s cybersecurity tools and content by simulating malicious and/or anomalous activity in a benign manner, within Customer’s environment.
“HIPAA” means the Health Insurance Portability and Accountability Act of 1996.
“HR” means human resources.
“IOC” means indicators of compromise.
“IP” means internet protocol.
“IT” means information technology.
“Log Source” means a system sending log data to the SIEM.
“OEM” means original equipment manufacturer.
“Parser” or “parser” means code used to assist in the processing of log events.
“PCI” means payment card industry.
“Primary Technology” or “Primary Technologies” means technologies identified within the Order Form as a Primary Technology that are supported by all available GreyMatter capabilities.
“ReliaQuest” means ReliaQuest, LLC.
“RFEs” means requests for enhancement.
“RQ” means ReliaQuest, LLC.
“RQLabs” means ReliaQuest lab environment.
“RQ Labeled Content” means Content that ReliaQuest is responsible for managing and monitoring.
“RQ Portal” means the portal where ReliaQuest provides alert data reporting to Customer. The RQ Portal is currently hosted by ServiceNow and Customer consents to the use of rqPORTAL for the performance of Services under this SOW.
“Secondary Technology” or “Secondary Technologies” means technologies identified within the Order Form as a Secondary Technology that are supported by at least one, but not all, of the GreyMatter capabilities.
“Services” means the Security Model Management consulting, integration, performance tuning, trouble-shooting, and problem isolation, support, training, and/or other services to be provided by ReliaQuest to Customer using the ReliaQuest Service Locations in the manner as described within this document.
“SIEM” means security information and event management software.
“SOC” or “Security Operations Center” means the ReliaQuest security operation center(s) located at the ReliaQuest Service Locations.
“SOX” means the Sarbanes-Oxley Act of 2002.
“SSH” means Secure Socket Shell.
“Thycotic” means the solution used by ReliaQuest to simplify and secure access to customer environment. Customer acknowledges and agrees to the usage of Thycotic for the purposes of the SOW.
“VPN” means virtual private network.
“VPN Connectivity Downtime” means any time, circumstance, or occurrence where ReliaQuest cannot enter or access the Customer environment due to network outage.