Rapid Assist Services
Services Description. Rapid Assist is a managed service that provides real-time monitoring of Client systems through esNETWORK Services and esENDPOINT Services to assist in post-breach identification and containment of threats that may still be within the Client environment, with the following standard services capabilities and modules (the “Rapid Assist Services”):
esNETWORK Description. esNETWORK standard services capabilities and modules:
- Intrusion Detection and Prevention. This capability facilitates the identification and mitigation of specific dangerous TCP traffic.
- Full packet capture and playback. This capability allows for forensic analysis of suspicious activity after the fact.
- Executioner™. This module prevents “drive-by downloads” of malicious executables through domain white-listing technology.
- Asset Manager Protect (“AMP”). This module protects Client’s assets against threats known to eSentire using a global IP blacklist updated in close to real-time by the SOC. The blacklist is updated each time a new threat or vector of infection is identified on any network monitored by the SOC.
Sensors. Upon client ordering the esNETWORK Services, eSentire will provide at least one physical and/or virtual security appliance (a “Sensor”) for each location that is to receive the esNETWORK Services as detailed on the applicable Order Form. Sensors will be sized according to traffic volumes and storage requirements and identified on the applicable Order Form. Monitoring of Small Office Home Office (“SOHO”) Sensors will be restricted to internal network traffic only.
Sensor(s) will be deployed with one or more SPAN(s) to analyze network traffic flows of the following types:
- External Network (Internet) to Internal Network.
- Internal Network to External Network (Internet).
- Other data segments depending on the volume of data to be monitored and capacity of the implemented Sensor (VPN, DMZ, VoIP, Market Data, etc.).
- For SOHO Sensor Only: Home network user traffic should be segregated from business user traffic. Non-business users should not have access to the eSentire SOHO solution.
- For SOHO Sensor Only: Sensor deployment on the local network needs to support Ethernet (IEEE 802.3x) standards and throughputs. WAN / Internet (site-site VPN) needs to support typical consumer broadband services available from major network operations (e.g. Cable, DSL, FTTx, WiMax, etc.).
The Sensor(s) will analyze the network traffic to watch for:
- Reconnaissance attempts through scanning of Client networks by unauthorized individuals.
- Specific attack attempts by unauthorized individuals using hacking tools.
- Traffic generated by infected systems (Client computers compromised by specific viruses or worms).
- Misconfigured internal systems (Client computers generating inappropriate traffic).
- Security Policy/Acceptable Use Violations (Employees using the network for inappropriate uses).
eSentire will configure and remotely manage the Sensor and its embedded software as part of the esNETWORK services. Client may only access the configuration of such Sensor with eSentire’s prior written authorization. eSentire shall only access the configuration of other network devices connected to the Sensor with Client’s authorization, and shall do so through an encrypted and secure means.
Client Responsibilities. Client is responsible for:
- any and all data and systems which Client grants access to for receipt of the esNETWORK Services;
- obtaining all necessary licenses, permissions and consents to enable eSentire to access the Client’s network and servers in order to provide the esNETWORK Services;
- designating a Project Coordinator to work directly with and serve as the primary Client contact with eSentire for the duration of Client’s receipt of the esNETWORK Services;
- providing eSentire a complete copy of its security (including privacy) policies, as available. Client is solely responsible for creating, maintaining and enforcing its security policies to protect the security of Client Data and Systems;
- its choice of equipment, systems, software and online content;
- providing the necessary resources, information, documentation and access to personnel, equipment and systems, as reasonably required by eSentire, to allow eSentire to perform the esNETWORK Services;
- providing a current network topology diagram to ensure capturing the correct traffic and correct configuration of the esNETWORK Services;
- notifying eSentire in advance of any network changes that will affect Client’s network topology and configuration so that all relevant traffic is being captured within the Sensor; and
- communicating all network infrastructure changes to eSentire. Effective monitoring requires the ability to SPAN an interface on any applicable segment.
In the event Client fails to perform its obligations in the time and manner specified or contemplated above, or should any assumption outlined herein with respect to the esNETWORK Services fail to be valid or accurate, then eSentire will not be responsible for any related delay or damages. In the event that Client fails to notify eSentire of network changes as above, then eSentire shall be released from any and all obligations to monitor the Client’s network until Client has notified eSentire of such change.
Exclusions. The esNETWORK Services exclude the following:
- the design, creation, maintenance and enforcement of a security policy for Client;
- eSentire attempting to access Client’s servers without Client’s express written or verbal consent; and
- eSentire is not responsible to provide network hardware required to SPAN networks (such as switches, hubs, or network taps) and has no liability or responsibility in the event of inability to SPAN any interface.
Reports and Confidentiality. eSentire will prepare reports related to the information obtained through the esNETWORK Services. Except for the purpose of fulfilling eSentire’s obligation under this Agreement, eSentire shall not disclose the information derived to any party for any purpose without express written consent from the Client and all Client information is bound by the Confidentiality provisions set out in the Terms and Conditions.
"esENDPOINT Agent" or "Agent" means the endpoint software agent utilized in providing the esENDPOINT Services and as further described below;
"Endpoint Vendor" means the publisher of endpoint software utilized as part of the cloud services but is licensed independently by the Client or eSentire.
"MSSP Partner" means the relationship that eSentire will assume with an Endpoint Vendor on behalf of the Client.
Description. esENDPOINT Services are provided through the installation of the endpoint software agent (the “esENDPOINT Agents” or “Agents”) on Client’s on-premises endpoints, including both workstations and servers. The esENDPOINT Agents communicate events, perform analyst queries and update status to a cloud hosted esENDPOINT Server. eSentire processes events from the esENDPOINT Server within the eSentire hosted infrastructure to create investigative events and information for the SOC.
The esENDPOINT Services include the following capabilities, dependent upon the service type specified:
- Powered by Leading Endpoint Technology. esENDPOINT Services uses leading endpoint technology provided by Carbon Black Response™ to provide insight into endpoint activity. The detection and investigation services are built on top of the endpoint platform, using APIs and services, and are combined with eSentire’s signal enrichment and processing. Investigations and alerts from threats are processed, enriched, executed and delivered to eSentire’s 24x7x365 SOC.
- Continuous and Centralized Recording. Continuously monitor, record, centralize and retain activity from every endpoint. Endpoints update status to esENDPOINT Servers typically once every thirty (30) seconds and the typical storage of events is up to thirty (30) days, allowing eSentire to:
  - Root Cause. determine where and how the attack originated;
  - Impact of Attack. determine what requires remediation;
  - Patterns of Compromise. identify common bad behaviours; and
  - Full Scope. identify which endpoints were attacked.
- Endpoint Threat Intelligence. Up-to-date threat intelligence from third parties and eSentire’s own Threat Intelligence Team is frequently updated and delivered automatically to the esENDPOINT Server.
- Respond and Communicate. Prompt alerts from the SOC upon detection of a threat.
- Secure Endpoint Data. Events and endpoint data are stored on the esENDPOINT Server, with events matching security rules being sent to the SOC for investigation. Access to esENDPOINT Servers and data is privileged to eSentire analysts and systems support. Standard configuration allows access to esENDPOINT Servers from eSentire IP addresses only.
Provisioning of esENDPOINT Server for Cloud Hosted. eSentire will provide and support at least one cloud hosted esENDPOINT Server and additional servers where required for geographic availability (each, an “esENDPOINT Server”). Each set of locations within North America will require one esENDPOINT Server, and each set of locations within Europe, Middle East and Asia will require one esENDPOINT Server.
esENDPOINT Agents. eSentire will provide installation software, supporting documentation, guides and support for installation of esENDPOINT Agent. The installation software will be made available to the designated contact in a secure manner. esENDPOINT Agents update without client intervention and will be maintained by eSentire at the latest version of detection software.
Agents will be installed by the Client and updates to the Agent software will not require Client action. Client will be responsible for ensuring esENDPOINT Agents are not prevented from communicating with the applicable esENDPOINT Server(s). The esENDPOINT Agents check in continuously with their associated esENDPOINT Server. When there is an update available, the endpoints will automatically update.
Client Responsibilities. Client is responsible for:
- granting access to any and all data and systems for receipt of the esENDPOINT Services;
- installing the esENDPOINT Agent software on workstations/endpoints, including any changes or updates to the endpoint which would have removed the esENDPOINT Agent software;
- ensuring that no firewall rules, other blocking, or any other measure taken by Client prevents communication from endpoints to the esENDPOINT Server(s);
- obtaining all necessary licenses, permissions and consents to enable eSentire to access the Client’s network and servers in order to provide the esENDPOINT Services;
- providing the necessary resources, information, documentation and access to personnel, equipment and systems, as reasonably required by eSentire, to allow eSentire to perform the esENDPOINT Services; and
- ensuring added or changed endpoints have the esENDPOINT Agent installed.
Should Client fail to perform its obligations in the time and manner specified or contemplated above, or should any assumption set out herein with respect to the esENDPOINT Services fail to be valid or accurate, then eSentire will not be responsible for any related delay or damages.
Exclusions. The esENDPOINT Services exclude the design, creation, maintenance and enforcement of a security policy for Client.
Reports and Confidentiality. eSentire will prepare reports related to the security alerts initiated or assisted by the esENDPOINT Services. Except for the purpose of fulfilling eSentire’s obligation under the Order Form, eSentire shall not disclose the information derived to any party for any purpose without express written consent from the Client and all Client information is bound by the Confidentiality provisions set out in the Terms and Conditions.