Service Description – Sophos Managed Detection and Response
This Service Description describes Sophos Managed Detection and Response Essentials and Sophos Managed Detection and Response Complete (each a “Service”). All capitalized terms in this Service Description have the meaning ascribed to them in the Agreement (defined below) or in the Definitions section below.
This Service Description is part of and incorporated into, as applicable: (i) Customer’s or Managed Service Provider’s manually or digitally-signed agreement with Sophos covering the purchase of a Service subscription; (ii) Managed Service Provider’s manually or digitally-signed agreement(s) with Sophos covering its purchase of Offerings of which the Service is a part; or (iii) if no such signed agreement exists, then this Service Description will be governed by the terms of the Sophos End User Terms of Use posted at https://www.sophos.com/legal (collectively referred to as the “Agreement”). To the extent there is a conflict between the terms and conditions of the Agreement and this Service Description, the terms and conditions of this Service Description will take precedence.
Notwithstanding anything to the contrary in the Agreement, Customer/MSP acknowledges and agrees that: (i) Sophos may modify or update the Service from time to time without materially reducing or degrading its overall functionality; and (ii) Sophos may modify or update this Service Description at any time to accurately reflect the Service being provided, and any updated Service Description will become effective upon posting to https://www.sophos.com/legal.
I. DEFINITIONS
Capitalized terms used in this Service Description, and not otherwise defined in the Agreement, have the meaning given below:
“Case” is a Detection or set of Detections that has high severity level and warrants human review. Cases can be (i) generated automatically by policies or analytics applied to telemetry from Managed Endpoints and Third-Party Systems, (ii) identified through Threat Hunting activities, or (iii) manually created at the discretion of the Security Services Team or at the request of the Customer/MSP.
“Detection” is a condition where data generated by a Managed Endpoint or Third-Party Systems is identified as an indicator of malicious or suspicious activity.
“Health” is the state of configurations and settings for a Managed Endpoint running Sophos Intercept X Advanced with XDR that affect the efficacy of the security of that Managed Endpoint.
“Health Check” is the act of reviewing Health to identify configurations and settings that may impact the efficacy of the security of a Managed Endpoint.
“Incident” is a confirmed compromise or unauthorized access of system(s) that poses an imminent threat to Customer/MSP assets, which includes interactive attackers, data encryption or destruction, and exfiltration.
“Incident Response Lead” is a member of the Sophos Security Services Team who is identified as the primary individual responsible for assisting a Customer/MSP during Incident Response.
“Incident Response” is the technical process performed remotely by the Security Services Team to Investigate, mitigate, and neutralize an Incident.
“Investigation” is the formal process and methods used by the Security Services Team to confirm whether activity in a Case is malicious and requires Threat Response.
“Managed Endpoint(s)” is any physical or virtual endpoint device or a server system where Sophos Intercept X Advanced with XDR or Sophos XDR Sensor is installed, up-to-date, and operational in support of Service delivery.
“MDR Compatible Sophos Products” refers to any Sophos products that send security telemetry and alerts to Sophos Central that can be used in support of Service delivery.
“Response Action” is an interaction with Managed Endpoints to perform Investigation and Threat Response, including but not limited to remote query, host isolation, terminating a process, blocking an IP address, and deleting malicious artifacts. Response Action also includes (i) Sophos’s escalation of Cases using Customer’s/MSP’s pre-selected communication preferences; and (ii) Sophos’s insertion of suspected malicious URLs, IPs, and domains in Sophos Firewall.
“Security Services Team” is the Sophos team conducting security Investigations, Threat Hunting, Response Actions, and Incident Response.
“Third-Party Systems” are supported non-Sophos systems (e.g., endpoints, servers, firewalls, etc.) which are configured to send security telemetry from Customers’ security tools to the Service using Sophos integrations and integration mechanisms.
“Third-Party Remediation Guidance” refers to guidance provided by Sophos regarding actions that may need to be taken by Customer/MSP on Third-Party Systems or Customer’s security tools during Threat Response, or in order to help mitigate or resolve an Incident.
“Threat Hunting” is the process of proactively and iteratively searching through data originating from Service Software and/or Third-Party Systems using a combination of manual and semi-automated activities to identify signals and indicators of malicious activity that may have bypassed existing prevention and detection controls.
“Threat Response” includes the methods, processes, communications, and Response Actions utilized by the Security Services Team and the Customer/MSP, as applicable, to contain or disrupt malicious activity.
“Threat Response Mode” is the type of action to be taken (i.e., Collaborate or Authorize, as set forth in Article III, Section 1.2) by the Security Services Team during delivery of the Service, as determined by Customer/MSP during onboarding.
Note:
- Sophos Intercept X Advanced with XDR is hereinafter referred to as "Sophos XDR," and Sophos XDR Sensor is hereinafter referred to as "XDR Sensor."
- Where the term Service Software is used within this Service Description, it shall be deemed to mean Sophos XDR and/or XDR Sensor, as the context dictates.
II. TIERS OF SERVICE
There are two tiers of Service available for purchase by Customer/MSP: Managed Detection and Response Essentials (“MDR Essentials”) and Managed Detection and Response Complete (“MDR Complete”).
- MDR Essentials - Includes the activities and benefits described in Article III Section 1. Customers must run Sophos XDR and/or XDR Sensor on Managed Endpoints.
- MDR Complete - Includes the activities and benefits described in Article III Sections 1 and 2. Activities and benefits described in Article III Section 2 are only available on Managed Endpoints running Sophos XDR.
III. SCOPE OF SERVICE
The Service consists of the activities described below for the tier purchased by Customer/MSP.
1. The following activities are applicable to both MDR Essentials and MDR Complete Service tiers:
1.1 Onboarding. During the onboarding process, the following activities must be performed by Customer/MSP as a precondition to delivery of the Service.
a. Customer/MSP will (i) provide contact information, (ii) determine Customer/MSP communication preferences (i.e., email, phone, Sophos Central portal), and (iii) determine the Threat Response Mode. MSP must act as the contact for any Service to be provided to a Beneficiary of MSP's.
b. MSP is solely responsible for: (i) obtaining any consents or information required from its Beneficiaries in order for Sophos to perform the service, (ii) ensuring that Beneficiaries take all actions required for Customers in this Service Description, and (iii) advising Beneficiaries of the risks and potential impacts of the Service.
c. The Customer, MSP, or Partner will install either Sophos XDR or the XDR Sensor on all Managed Endpoints to be covered by the Service. Additionally, Customer, MSP, or Partner will configure all required Third-Party Systems.
1.2 Categories of Threat Response Modes
In accordance with 1.1, the Customer, MSP, or Partner will select the desired Threat Response Mode for the Security Services Team’s interaction with the Customer or MSP when an Investigation warrants Threat Response. Threat Response Mode choices are:
- Authorize: Security Services Team performs Threat Response independent of Customer/MSP and Customer/MSP is notified of Response Actions taken.
- Collaborate: The Security Services Team will conduct Investigations but no Response Actions are taken without Customer/MSP’s prior consent or active involvement. However, certain Response Actions such as remote query may be undertaken without Customer consent or involvement.
- An option exists under Collaborate which, if selected, authorizes the Security Services Team to operate in Authorize mode in the event Sophos does not receive acknowledgment from Customer/MSP after attempting to contact all Customer-defined contacts.
- Notify Only: Conduct Investigation: (i) to determine if a Response Action is advisable or required to stop an Incident or to improve Health, and (ii) provide related guidance to Customer through phone call, email, or the Sophos Central portal. In the event of a suspected Incident where Customer is unable to timely access the Sophos Central portal, the Security Services Team will seek Customer’s express authorization to modify the Threat Response Mode from Notify Only to Authorize and initiate the applicable Response Actions.
1.3 Sophos Account Health Check. Health Check capabilities are only available on Managed Endpoints running Sophos XDR. Security Services Team will run a Health Check on all applicable Managed Endpoints as part of the onboarding process.
Customer/MSP will be notified of any configurations that could diminish the Customer’s/MSP’s/Beneficiary’s security posture along with the required steps to remediate the issues identified by the Health Check.
Failure of Customer/MSP/Beneficiary to implement Health Check recommendations during onboarding or during subsequent evaluations may result in diminished Service quality.
1.4 Triage, Investigation, and Threat Response. Sophos will conduct the following investigation and analysis activities for Cases originating from Managed Endpoints and Third-Party Systems:
a. Analysis is conducted to enhance identification, aggregation, and prioritization of Detections, resulting in machine-generated Cases.
b. Investigations are performed to confirm threats, and Threat Response is performed where appropriate. During the course of Service performance, Security Services Team may use the results of Investigations to filter out expected activity to enhance the visibility of suspicious activities in Customer’s environment.
c. Notification and information about the Case is shared with the Customer/MSP based on Customer’s/MSP’s pre-selected communication preferences.
1.5 Availability. All monitoring, Investigation, and Response Actions described in Section 1.4 above will be provided on a 24/7/365 basis. Customer will also have direct call-in access to the Security Services Team to review suspected Incidents on a 24/7/365 basis.
1.6 Service Level Targets. The following service level targets are utilized to provide Customers/MSPs with guidelines around timing expectations for Case creation and Response Actions resulting from Investigations but excluding Threat Hunting. These targets only apply to Investigations on Managed Endpoints and Third-Party Systems.
| Service Level Target | Timeframe |
|---|---|
| Target time for Case creation | 2 minutes from Detection |
| Target time for initial Response Action | 30 minutes from Case creation |