MDR Essential Services
“Asset” means a computing device, either physical or virtual, deployed on-premises, remotely or in the cloud, that requires protection from cyber threats
“Project Scope” means network segments, cloud environments, security log sources and endpoint devices to be monitored for cyber threats
“Endpoint Device” means a workstation, laptop, desktop or server running a supported Operating System
“Out-of-Band” means placement of a sensor on a span port of a networking device so traffic may be monitored without the sensor being in line with traffic
“EDR agent” means Endpoint Detection and Response software installed on endpoints (workstations, laptops, servers) which collects and analyzes telemetry and behavior in order to detect potential threats
The Managed Detection and Response Essentials Service (“MDR Essentials Services” or “Services”) provides the Client with comprehensive threat detection and response across endpoint, network and cloud assets.
The Service consists of:
Managed detection and response – Instrumentation of the Client’s endpoints, network and log monitoring of existing security controls and assets for the purpose of analyzing behavior and monitoring for cyber threats. This involves 24X7 expert monitoring and human analysis with real-time notification and response actions.
Service provisioning – eSentire will perform remote configuration and tuning of all software and hardware required for the Service. Physical hardware must be installed by the Client or its designate in network locations suggested by eSentire; required software must be deployed by the Client to in-scope Assets; log forwarding configuration for existing Client assets is the responsibility of the Client.
Management – All hardware and software deployed as part of the Service will be actively monitored and maintained by eSentire, including maintaining uptime and implementing patches and other updates.
Service Interaction – 24X7 ticketing, email and phone support; access to service status reports and interactive incident handling via the eSentire Portal.
- 24X7 monitoring and expert analysis of events and alerts generated by Endpoint Detection and Response (EDR) software agents, correlated with network and log signals.
- Intrusion detection and packet inspection on the network supplementing endpoint detections.
- Log collection from existing cyber security controls to support investigation and response activity.
- Analyst-initiated isolation and response on endpoints to contain and mitigate active threats.
- Active automated blocking of potentially malicious network traffic based on eSentire threat intelligence, blacklisted source countries and attempted initiation of executables.
- (optional) Endpoint Protection Platform (EPP) on endpoints monitoring for known threats and automated prevention.
- eSentire Portal access providing:
  - Pre-defined searches and reports against audit, log and alert data.
  - Ticketing, investigation and change request tracking.
- Provisioning, maintenance and monitoring of EDR agents on all in-scope endpoints.
- Provisioning, maintenance and monitoring of the eSentire esNetwork appliance.
- Provisioning of a log collection device or virtual target.
Endpoint detection and response – Instrumentation on nominated in-scope endpoint devices will analyze activity and behavior for potential threats, monitored by the eSentire SOC. Endpoint agents provide eSentire the platform to initiate isolation and response actions as necessary. Optional addition of EPP to the agent provides automated prevention against known threats.
Network monitoring and threat prevention – Out-of-band network sensors analyze observable traffic for potential threats, block traffic where appropriate and are monitored by the eSentire SOC.
Log collection and analysis – Collection, storage and analysis of security audits and logs from in-scope existing security devices and services, for use in investigations and threat hunts.
Investigation, Analysis and Response
eSentire provides detection, analysis, investigation and escalation of suspected threats on Client networks where visibility is available via EDR agents, the esNetwork sensor and/or log data collected from existing security controls. Isolation and response are performed on endpoints where eSentire EDR agents are installed.
eSentire’s threat detection platform and associated network and endpoint tools identify potential indicators of attacks and attempts to compromise the Client network environment. eSentire analysts monitor telemetry and detections from the EDR agents in real time. The esNetwork sensor performs packet inspection and network intrusion detection and attempts to automatically block traffic suspected to be malicious. Both blocked and potentially threatening traffic detections are logged to the eSentire platform. Log data collected from existing security controls is normalized and stored in the platform and is available to support investigations and threat hunting by analysts.
eSentire security analysts perform analysis and investigation to determine whether a threat is valid, warranting an escalation to the Client and potential response action. If an event is deemed actionable, it will be escalated to the Client as an Alert. Where possible, malicious activity will be contained (isolated) by eSentire immediately once identified, in conjunction with the Client notification. Additional investigation and response will continue as necessary and as defined during the on-boarding process.
eSentire will investigate all security events identified through the Service and escalate actionable alerts as appropriate in accordance with the established and agreed upon Service Level Objectives (“SLOs”). eSentire will use the escalation process agreed upon during the on-boarding process to contact and relay information to the Client. The defined escalation process is mutually agreed upon between the Client and eSentire.
Onboarding and Deployment
The Service includes a standard deployment package consisting of:
- Onboarding call with client point of contact to scope the environment and document the deployment plan
- Definition of Client playbook defining assets, escalation procedures and response scope
- Configuration of all platform systems
- Provisioning of EDR agent installers with documentation
- Provisioning and shipment of esNetwork appliance
- Provisioning of cloud log collector and/or installation and configuration of local log collector
- Standard deployment service package with engineer/professional services to assist with install and configuration.
If requested, eSentire will provide the Client with the required installation documentation for the EDR agent, the esNetwork sensor and the log collection device. eSentire will provide an expert deployment engineer during deployment of the Service to assist with questions on how to deploy and on the requirements for the Service.
The Service deployment will be subject to a tuning period of up to thirty (30) days.
Exit criteria for the tuning phase:
- Eighty percent (80%) of the contracted EDR agents are deployed and configured.
- The esNetwork sensor is deployed, communicating with the eSentire SOC and has met all criteria of the tuning checklist.
- Eighty percent (80%) of contracted log sources are forwarding logs in the expected format to the log collector.
Once tuning has been completed, the Service is transitioned to the SOC for real-time monitoring, and the Service is considered fully deployed and in-production. Monitoring, investigation and response are performed during the tuning phase but may be in a limited state.
Baselining and Ongoing Tuning and Configuration
eSentire is responsible for configuring and tuning the Service on an ongoing basis. The Service will be continuously evaluated, and changes made as required. Any changes to Client-side systems will be subject to notification and the Client’s change control processes.
The Client may contact eSentire and request specific changes as required. These changes will be scheduled as appropriate. eSentire reserves the right to limit the number of on-demand changes or to batch multiple changes into a consolidated review (e.g. monthly).
Reporting and Data Access
The Client will be provisioned with up to 10 accounts on the eSentire customer portal. The portal will provide access to:
- Ongoing Incident tracking
- Access to historic Incidents
- Predefined Reports, Searches and other views for collected signals from the endpoints, network and in-scope security devices
eSentire Responsibilities
- Provision customer account in eSentire portal and all service delivery systems.
- Provide software installer for EDR agents with documentation; remotely assist with deployment of the agent to in-scope endpoints.
- Configure EDR server and verify connection to agents.
- Preconfigure and ship esNetwork appliance to Client location; remotely assist with deployment into the Client network.
- Deploy required log collection instances and log server; remotely advise on logging configuration of in-scope log sources.
- Review and tune all automated detection rules.
- Review with the Client response and notification playbooks and procedures.
- Perform automated analysis of Client data to detect potential threats.
- Monitor and review potential threats in the eSentire SOC with human expert Analysts.
- Respond to threats as defined in playbooks.
- Notify the Client of potential threats and executed responses.
- Review and tune the service on an ongoing basis.
- Provide customer notice of major changes and allow scheduling per Client change control procedures.
- Respond to Client requests for on-demand adjustments and tuning.
Client Responsibilities
- Deploy EDR agent software to all in-scope endpoints as advised by eSentire.
- Deploy esNetwork appliance as advised by eSentire.
- Configure in-scope security controls to forward audit and log data as advised by eSentire.
- Ensure network configuration allows all eSentire tooling to communicate as required.
- Ensure adequate bandwidth for the Service.
- Grant eSentire access to systems and data as required.
- Review eSentire/Client playbooks.
- Notify eSentire of any network or software changes which may impact the Service.
- Assist eSentire staff with troubleshooting or application of updates.
- Respond to eSentire threat notifications in a timely manner and, if required, approve response actions to initiate Client-side response processes.