Ongoing Enablement Description
Ongoing enablement is a key component of GreyMatter. For each Integrated Technology, the following is included with the purchase of a license for GreyMatter:
ReliaQuest will assign an implementation specialist that is responsible for managing the implementation process. The process will start with a kickoff call with Customer and be a remote process with the exception of an optional onsite workshop. The following will be delivered during implementation:
- Setup of site to site VPN, API integration of GreyMatter, and Thycotic (See Section 6.1 – Connectivity and Access for further details), and ReliaQuest is authorized to use Third Party Platform Providers to support or enable GreyMatter and the Ongoing Enablement.
- Workflow configuration to include data flows, communication mapping, and change management
- Configuration of GreyMatter for Customer environment:
- Modification of parsing and field mapping to ensure integration
- Configuration of GreyMatter Health for Integrated Technology health alerting
- Configuration of GreyMatter Intel for threat intelligence integration into Integrated Technologies (as applicable)
- Configuration of GreyMatter Detect and implementation of Content to Integrated Technology enabling GreyMatter Investigate (as applicable)
- Includes tuning of all Content
- Customer Success Manager
The Customer Success Manager is responsible for ensuring customer success. The Customer Success Manager will provide the following:
- Develop and maintain the Customer Roadmap
- Coordinate and deliver reporting and analytics including quarterly or periodic executive business reviews
- Assist Customer in navigating feature requests
- Partner with Customer teams to ensure GreyMatter is being fully utilized to optimize overall security posture to attain positive business outcomes
- Integrated Technology Health Support
- ReliaQuest engineers will monitor the performance of the Integrated Technologies referenced in an Order, which includes:
- Monitoring source device feeds to ensure that events are being received and parsed correctly
- Monitoring of Core Components to ensure event receipt, processing, and forwarding are being performed correctly and that system performance is within normal utilization ranges
- Monitoring of the Integrated Technology database to ensure responsiveness for event processing, throughput, data archival, and report performance
- For detected outages, identify the source of the problem and notify Customer representative of any outages or issues
- Provide patching, software updates, maintenance, performance tuning, and troubleshooting for any Core Components of any Integrated Technology (to the extent applicable and as agreed upon by the parties)
- Interfacing directly with Integrated Technologies support function as needed for specific troubleshooting of software issues, request for enhancements, or correcting misconfigurations
- Changes shall be managed and documented per the Customer’s change management procedures
- Implement event filtering of data collection as needed or applicable
- Installing and testing of all Integrated Technologies product upgrades (testing will be completed in RQLabs prior to Customer production) to the extent applicable and as agreed upon by the parties
- For SIEM technologies, ReliaQuest will create custom Parsers that are associated with any unique Log Sources identified in the Order; and ReliaQuest will work with Customer to continuously integrate the Log Sources and during integration, the ReliaQuest engineering team will work with the Detection team to update and maintain parsing for the integrated Log Sources (SIEM technologies only) All Log Sources supported by the applicable SIEM technology will be integrated using the methodology provided or defined by the OEM of such SIEM technology. Log Sources that are not supported by the SIEM technology will be integrated using ReliaQuest defined methodologies.
- Health support for the Integrated Technology has limitations for cloud-based technologies attributable to the level of access provided by the hosting provider.
- Content Development
If supported by the Customer’s integrated technology, ReliaQuest shall provide unlimited access to the Content
available for deployment based upon the agreed upon scope and (if applicable) selected plan, subject to the
deployment restrictions below. During the Term of an applicable Order, ReliaQuest shall maintain any such Content
with ongoing tuning and quarterly updates. The following will be delivered as part of the ongoing enablement:
4.1 Rule Tuning
- After implementation, ongoing tuning will be performed “on demand” to support the Customer’s environment.
- Tuning may be initiated by the Customer by contacting a Customer Success Manager, the Security Operations Center, or through the RQ Portal.
- Integrated Technology rule tuning (as applicable) is based upon the capabilities allotted by the software manufacturer. For EDR and SIEM Technologies, rule tuning is limited to RQ created Content only
4.2 Quarterly Content Releases:
- Releases are aligned to calendar quarters
- Each release includes upgrades and patches to existing Content/rules. Rules that have been deployed will be enhanced or patched during the quarterly release for the Log Sources
- Newly developed Content during the Term of an Order will be implemented as available and applicable to in-scope Log Sources
- Quarterly releases will be scheduled at three (3) month update intervals, starting the first of the month following the completion of content implementation
- For SIEM technologies, Log Sources must be available in the SIEM environment at the appropriate logging levels prior to the start of the scheduled quarterly (three (3) month) release window for engineers to verify Log Source readiness and perform the necessary parsing. Any Log Sources that are not in the SIEM environment at the appropriate logging levels within that timeframe will be scheduled for integration at the next quarterly release cycle.
- Customer requirements (i.e. lists, reference sets, or other Customer context) must be available at least thirty (30) days prior to end of the three (3) month release window to allow for necessary tuning periods. Customer requirements that are not provided within that timeframe will be scheduled for integration at the next quarterly release cycle.
- Quarterly releases will not include more than thirty (30) rules, unless mutually agreed upon by ReliaQuest and Customer in writing prior to the deployment window.
- Development of new or modification of existing machine learning models is not in-scope for content releases.
4.3 Critical Content
- ReliaQuest will make commercially reasonable efforts to provide Critical Content in the event of an ongoing compromise or breach, a high severity vulnerability for which the customer has no prevention remediation options, or other such urgent situation as mutually agreed upon by the parties Critical Content rules will function as a targeted short-term supplement to the Customer’s unique threat detection capability. Customer should send Critical Content requests to its Customer Success Manager with a description of the desired rule. Once the request is received by ReliaQuest, the Customer Success Manager and ReliaQuest Content team will make commercially reasonable efforts to provide the rule within twenty-four (24) business hours. Critical Content can only be applied to the Log Sources in scope.
4.4 Emergency Content
- The purpose of Emergency Content is to provide immediate coverage for high risk malware outbreaks such as WannaCry, NonPetya, etc., until anti-virus and malware vendors respond with appropriate signatures. As part of this coverage, Customer will have pre-defined rules created which will reference a centrally provisioned set of indicators of compromise lists (associated malicious IPs, domains, hashes or signatures) which are pulled hourly from GreyMatter Intel. These are generic rules that allow ReliaQuest to upload IPs, domains, hashes as needed. These lists will be updated from ReliaQuest’s threat intelligence unit who will be tracking the malware outbreak as it unfolds, in addition to reversing the sample, should it be readily available. Deployment of emergency content is at the sole discretion of ReliaQuest; however, the following general guidelines apply:
- The exploit or malware campaign propagates unabated. (e.g. WannaCry)
- The impacts to Customer present an extreme or critical risk.
- The exploit or campaign applies to the majority of ReliaQuest’s other customers.
- The campaign has gained the attention of the press at the national level.
4.5 Discretionary Content Request
- Discretionary ad-hoc Content is defined as rules, reports, or dashboards (up to 10 panels) that are unique to a customer’s environment, usually based on a custom application with a customized log source. Customers should send discretionary ad-hoc Content requests to the Customer Success Manager with a description of the desired ad-hoc Content artifact. Customers are eligible for up to eight (8) total releases of discretionary ad-hoc Content artifacts annually; however, ReliaQuest shall only be obligated to implement a maximum of six (6) discretionary ad-hoc Content requests in any single quarter.
4.6 SIEM Log Sources in Scope
- If Customer removes a SIEM Log Source out of scope:
- ReliaQuest no longer monitors or maintains applicable rules
- No additional updates to applicable rules will be implemented
- Analysts will continue to use Log Sources for context/analysis for response to an in-scope rule/Log Sources
Customer can adjust up to two (2) Log Sources in scope quarterly. Once a Log Source is rotated out content will no longer be updated or maintained for the Log Source.
- Incident Analysis and Response
ReliaQuest analysts will provide alert triage and qualification from the ReliaQuest Service Locations which will include:
- Providing context for a triggered alert that can be gained from data within GreyMatter, including any additional data from the Integrated Technologies as well as enrichment data from GreyMatter Intel.
- Providing feedback to the Customer engineering or content development team for source or content tuning
- Escalating all potential true-positive, in scope rules/alerts to Customer teams per configured escalation paths
- No analysis will be performed on Low alerts. Low alerts shall be tracked within the RQ Portal and reported
on for trending metrics
- For technologies where alerting relies on a “risk score”, incident response and analysis will be completed for any alert scoring over 90%.
- ReliaQuest Analysts will have the ability to leverage all production “playbooks” within the GreyMatter Automate platform to leverage for automation of enrichment, containment and remediation actions based on agreed upon process.
- Ongoing enablement does not include ReliaQuest analysts taking any potentially destructive response actions such as wipe/reimage of a machine or device.
- Ongoing enablement does not involve forensic capture to a legal standard or such advanced techniques such as advanced malware reversing (disassembly) or encryption/hash cracking, etc.
5.1 Threat Hunting
- ReliaQuest will proactively conduct threat hunting campaigns leveraging GreyMatter, in response to high risk and/or high visibility threats or attacks, as determined by ReliaQuest in its sole discretion.
- Examples of high risk or high visibility attacks include WannaCry, Solarwinds, Kaseya, etc.
- These campaigns will help identify any known signs of such threat in your environment for up to ninety (90) days prior to the date that the threat hunting campaign is conducted.
- Threat hunting will be conducted autonomously by ReliaQuest when applicable, based on the industry vertical, profile of targeted organization, and technology footprint of the customer (as ascertained from the environmental questionnaire etc.).
- Threat Hunting shall be conducted using GreyMatter and is limited to the scope and technologies integrated within GreyMatter.
- ReliaQuest shall notify Customer within a reasonable period of time if ReliaQuest believes that it has identified a threat within Customer’s environment as a result of a threat hunting campaign.
- Customer Responsibilities
Customer responsibilities are outlined in the following section:
- Customer will create a ReliaQuest service account for health monitoring
- Customer will allow ReliaQuest to create SSH key pairs for secure communication between Customer and ReliaQuest
- Customer agrees to set up policy-based Site to Site Virtual Private Networking (VPN) tunnels in order to ensure proper routing between ReliaQuest and Customer environment.
- Policy based VPNs ensure that traffic is routed to the proper customer tunnel by eliminating IP conflicts
- By leveraging NAT, ReliaQuest is able to use a unique source for each customer which ensures a unique encryption domain regardless of the destination. Every major firewall manufacturer supports at least interoperability with policy-based VPN devices.
- Systems in scope will be directly accessible via the mutual site to site VPN
- Customer will provide timely support in troubleshooting issues with connectivity to include opening the necessary ports on their firewalls to enable traffic
- Customer will communicate in advance to ReliaQuest, any change to the IP, Port, Hostname, parameters of the Site-to-Site VPN, or changes to any other technology in the scope of the agreement, or necessary for connecting to the technologies in the scope of the agreement, to ensure the delivery of the Ongoing Enablement activities are not substantively impacted
- Customer is responsible for working with ReliaQuest to set up access for the ReliaQuest team
- Customer acknowledges and agrees to the use of ReliaQuest’s approved Privileged Identity Management solution, or other supported access solution for the performance of Ongoing Enablement.
- For end user authentication, Customer’s technologies must be integrated with Active Directory, either directly through an LDAP(s) or Kerberos method, or indirectly via an Active Directory based SSO solution (SAML/OAuth); or via SSH, to include local accounts or Active Directory method.
- Customer is responsible for creating the required set of accounts that ReliaQuest will use in association with delivery of Ongoing Enablement
- Customer will be required to create accounts within its Active Directory or LDAP, or locally for SSH in order for ReliaQuest to use the ReliaQuest access management solution which will facilitate access for the initial implementation timeline as well as for ongoing enablement
- Customer will provide any additional access required to facilitate GreyMatter interaction with the Integrated Technologies identified in an Order
6.3 Account Creation
Customer must provide ReliaQuest access to provide Ongoing Enablement, and any such access shall be provided within thirty (30) days of access request.
6.4 Customer Response
If the Customer does not provide feedback/closure communication within fifteen (15) days of an alert firing, ReliaQuest reserves the right to transition that rule into a tuning state. This means if there is no feedback or response from Customer around alerts escalated, ReliaQuest can move a rule into tuning.
6.5 Integrated Technologies
- Unless outlined otherwise in an Order, Integrated Technology must be deployed and functioning prior to engagement
- Unless outlined otherwise in an Order, Integrated Technologies must be supported by GreyMatter for active
support. Please see https://www.reliaquest.com/greymatter/integration-partners/ for all supported
- Customer must maintain active support and maintenance agreements for any in-scope Integrated Technology
- Customer will allow RQ to configure the Integrated Technology to run various maintenance tasks on the hosts including but not limited to cron jobs, scheduled tasks, and PowerShell commands
- Customer will be responsible for working with ReliaQuest to provide access to the Integrated Technology
- Customer is responsible for any core technology issues (e.g. OEM bug, etc.) and working with OEM to remediate
- Integrated Technologies must be on GreyMatter supported versions to be covered by ongoing enablement
- Customer is responsible for providing support as requested by ReliaQuest for the development of a GreyMatter integration for any technologies not already integrated with the GreyMatter platform
6.6 Automation Right
Customer acknowledges and agrees that ReliaQuest reserves the right to automate, in whole or in part, any of the ongoing enablement as described herein, including, but not limited to, automatic retrieval and temporary storage of data. To the extent ReliaQuest holds, stores, or processes any of Customer’s data, such data shall at all times be held in accordance with the requirements as specified in the Order.
6.7 Modification of ReliaQuest Content
RQ Labeled Content should not be modified by the Customer at any time. If any RQ Labeled Content is modified by Customer, ReliaQuest will not be responsible for any negative repercussions including, response times, Integrated Technology issues, or other issues caused by the changes. If RQ Labeled Content is modified by Customer or any third party, ReliaQuest will not be responsible for any negative repercussions including, response times, Integrated Technology issues, or any other issues caused by the changes. If Customer would like to modify RQ Labeled Content, Customer shall submit a ticket with requested modifications within RQ Portal or make such request directly to a Customer Success Manager in writing.
Customer is responsible for maintaining, gathering and providing the following documentation:
- Latest risk assessment that includes most credible threats and highest severity vulnerabilities
- Integrated Technology architectural diagrams for streamlined integration
- Full Log Source list with asset categories (compliance, critical, or other classification)
- List of compliance requirements (SOX, HIPAA, PCI, etc.)
- List of compliance audit requirements with estimated dates (reports needed, etc.)
- Security team contact information
- Customer’s IT security policies
- List of critical or high-risk business applications or infrastructure (e.g. financial or human resources systems)
- Network diagram
- Network ranges segmented by risk level
- Scanning schedules for both internal and external systems
- IP addresses of default scanners
- Most recent penetration test results
- Capitalized terms used herein not defined in context have the meanings set out in this Section 7:
7.1 “Content” means the methodology, design, logic, and construction (including all code and scripts) of rules created by ReliaQuest and designed to detect, correlate and flag actionable activity in various security information and event management software and other end point detection and response software during the Term, including any improvements, modifications, changes, or enhancements made thereto. All Content shall be considered a deliverable for the purposes of the Order.
7.2 “Content Artifact” means a rule, a report, or a dashboard.
7.3 “Core Component” means any component, or system that is required to normalize, aggregate, store and visualize data for a technology with the exception of agents.
7.4 “Critical Content” means a rule designed to detect a known active threat in the Customer’s environment that existing Content does not provide coverage for, for any Log Sources in scope under the Order.
7.5 “Customer” means the party identified as or treated as the “Customer” in the Order.
7.6 “Customer Roadmap” means the plan developed by ReliaQuest during a workshop.
7.7 “Customer Success Manager” means a ReliaQuest project manager.
7.8 “Discretionary Content” means Content Artifacts that are unique to Customer’s environment (usually based on a custom application with a customized Log Source) that are used to address an issue that does not present an imminent threat to business continuity of Customer.
7.9 “Emergency Content” means a request for Content from Customer to address an issue that presents an imminent threat to business continuity of Customer.
7.10 “GreyMatter” means the overall software platform solution developed and provided by ReliaQuest to its customer and includes technology, ongoing enablement and analytics limited to GreyMatter Detect, GreyMatter Health, GreyMatter Intel, GreyMatter Investigate, GreyMatter Automate, GreyMatter Hunt and GreyMatter Verify.
7.11 “GreyMatter Automate” means the GreyMatter capability which supports the actions to enrich data and/or contain or remediate threats.
7.12 “GreyMatter Detect” means capability which supports the overall content methodology and lifecycle to accelerate Customer’s detection visibility and facilitate evolution of Customer’s capabilities.
7.13 “GreyMatter Health” means the GreyMatter capability which supports the overall health of the Integrated Technology and is inclusive of all Integrated Technology.
7.14 “GreyMatter Hunt” means the GreyMatter capability which supports threat hunting potentially leveraging data from Customer’s Integrated Technology.
7.15 “GreyMatter Intel” means the GreyMatter capability which supports threat intelligence automation, aggregation, normalization and dissemination of machine-readable threat intelligence.
7.16 “GreyMatter Investigate” means the GreyMatter capability which supports the triage and analysis of alerts which are generated within the Customer’s Integrated Technology.
7.17 “GreyMatter Verify” means the GreyMatter capability which allows a Customer to test the effectiveness of Customer’s cybersecurity tools and content by simulating malicious and/or anomalous activity in a benign manner, within Customer’s environment.
7.18 “HIPAA” means the Health Insurance Portability and Accountability Act of 1996.
7.19 “Integrated Technology” or “Integrated Technologies” are technologies identified within the Order as a Integrated Technology and is supported by all in scope GreyMatter capabilities.
7.20 “IP” means internet protocol.
7.21 “IT” means information technology.
7.22 “Log Source” means a system sending log data to the SIEM.
7.23 “OEM” means original equipment manufacturer.
7.24 “Ongoing Enablement” means the consulting, integration, performance tuning, troubleshooting, and problem isolation, support, training, and/or other ongoing enablement activities to be provided by ReliaQuest to Customer using the ReliaQuest service locations as identified in an Order and as described within this document.
7.25 “Order” means a mutually agreed and executed written ordering document describing the components of GreyMatter licensed to Customer and the related ongoing enablement to be performed by ReliaQuest for Customer, including identification of the applicable Term and fees related thereto. An “Order” may take the form of: (i) a separate GreyMatter order form to cover the licensing of GreyMatter and any ongoing enablement; (ii) a statement of work incorporating the terms or referencing this Ongoing Enablement Description; or (iii) an amendment to and existing agreement between Customer and ReliaQuest (including a no-cost addendum or other similar document) incorporating the terms or referencing this Ongoing Enablement Description.
7.26 “Parser” means code used to assist in the processing of log events.
7.27 “PCI” means payment card industry.
7.28 “ReliaQuest” or “RQ” means ReliaQuest, LLC.
7.29 “ReliaQuest Service Locations” means the ReliaQuest facilities located in: (i) Tampa, FL; (ii) Las Vegas, Nevada; (iii) Dublin, Ireland; or (iv) any other service location opened or started by ReliaQuest during the term of the Order. Customer consents to the performance of Ongoing Enablement activities under an Order from each ReliaQuest Service Location at any time as determined by ReliaQuest, in ReliaQuest’s sole discretion.
7.30 “RQLabs” means ReliaQuest lab environment.
7.31 “RQ Labeled Content” means Content created by ReliaQuest or that ReliaQuest is responsible for managing and monitoring.
7.32 “RQ Portal” means the portal where ReliaQuest provides alert data reporting to Customer. The RQ Portal is currently hosted by ServiceNow and Customer consents to the use of RQ Portal for the provision of Ongoing Enablement under an Order.
7.33 “Security Operations Center” means security operation center.
7.34 “SIEM” means security, information, and event management software.
7.35 “SOX” means Sarbanes Oxley act of 2002.
7.36 “SSH” means secure socket shell.
7.37 “Term” means the period of time set forth in the applicable Order during which Customer is authorized by ReliaQuest to access and use GreyMatter and entitled to receive Ongoing Enablement support.
7.38 “Third Party Platform Providers” means the third party platform providers, as designated by ReliaQuest from time to time, who support or enable ReliaQuest to provide GreyMatter and the Ongoing Enablement to Customer and who abide by the principles set forth in Exhibit A (Data Security Schedule) attached to the ReliaQuest End User License Agreement, including Snowflake, Microsoft, AffectLayer, Thycotic, ServiceNow, Digital Shadows, and Amazon Web Services. For the avoidance of doubt, ReliaQuest may nominate or withdraw Third Party Platform Providers upon notice to Customer (notice through GreyMatter, the RQ Portal, or other electronic means being sufficient).
7.39 “Thycotic” means the solution used by ReliaQuest to simplify and secure access to Customer environment. Customer acknowledges and agrees to the usage of Thycotic for the purposes of the Order.
7.40 “VPN” means virtual private network.