Services

• 1: Managed Detection and Response (MDR)
• 1.1: Managed Detection & Response (MDR) Service Description
• 1.2: MDR Security Incident Management
• 1.3: MDR Threat Reviews
• 1.4: Onboarding Managed Detection and Response (MDR)
• 2: Additional Subscriptions
• 2.1: Dynamic Blocklist
• 2.1.1: Dynamic Block List Configuration Guides
• 2.1.1.1: Cisco Firepower DBL Configuration Guide
• 2.1.1.2: McAfee Web Gateway (Skyhigh Secure Web Gateway) DBL Configuration Guide
• 2.1.1.3: Palo Alto Networks DBL Configuration Guide
• 2.1.1.4: Squid DBL Configuration Guide
• 2.1.1.5: Zscaler Internet Access DBL Configuration Guide
• 3: Consulting and Supplemental Services
• 3.1: Data Discovery Service Description
• 3.2: Incident Response Retainer Service Description
• 3.3: Samurai Cybersecurity Advisor Service Description
• 3.4: Samurai Onboarding Service Description
• 3.5: Table-Top Exercise Service Description
• 4: Superseded Documents
• 4.1: Managed Detection & Response (MDR) Service Description (v1.0 2023-09-11)
• 4.2: Onboarding Managed Detection and Response (MDR) (v1.0 2023-09-11)

1 - Managed Detection and Response (MDR)

1.1 - Managed Detection & Response (MDR) Service Description

1. Introduction

NTT’s Managed Detection and Response service builds on the capabilities of the Samurai platform to provide a Managed Detection and Response service which delivers cybersecurity insights, advanced threat detection, response, and protection capabilities via the ingestion of varied telemetry sources including cloud, network, compute and mobility sources. Supported telemetry combined with our proprietary Advanced Analytics, analyst threat hunting, and AI-based threat detection capabilities translate to faster, more accurate detections and most importantly reduced business risk.

NTT’s Managed Detection and Response service offers the sophisticated threat detection capabilities of the Samurai platform along with, 24/7 threat monitoring, analyst-driven threat hunting, and comprehensive threat intelligence delivered by NTT’s Global Threat Intelligence Center. By combining the advanced analytics capability of the Samurai platform with the expertise of the skilled analysts in the NTT SOC, threats are identified and separated from a large number of false positives typically generated by security technologies. 

Managed Detection and Response is a service that utilises security alerts along with relevant contextual information identified by the Samurai platform. This information is analysed by a skilled Security Analyst, who engages in threat hunting and validation activities to verify the threat, its impact, and to identify additional information associated with a potential breach. Once the threat is validated, the Security Analyst creates a detailed Security Incident Report for the Client. The Security Incident Report includes a detailed description of the security incident combined with scenario-specific actionable response recommendations. This significantly assists in reducing the time taken for informed responsive measures, thereby, lowering associated risks.

2. Service Elements

Samurai Managed Detection and Response provides the Client with a service overlay which provides advanced detection and response capabilities delivered by skilled Security Analysts in the NTT Security Operations Center, leveraging the Samurai platform. The Samurai Managed Detection and Response service provides a set of components which provide the Client with:

• Onboarding guidance
• Access to SOC Analysts
• Threat Intelligence
• Threat Detection and Investigation
• Threat Hunting
• Security Incident Reports
• Threat Response
• Service Management Portal and Service Reporting
• Incident Response
• Service Assurance through regular Threat Reviews

3. Onboarding

Onboarding of the Managed Detection and Response service commences with the activation of the Client’s Samurai tenant. Activation of the Client’s tenant will provide the Client with a link to online documentation and the access and instructions required in order to integrate with the Samurai platform. This includes:

• Deploying Local Collector appliances;
• Connecting telemetry sources (including logs, enrichment and other data sources); and;
• Configuring integrations to client applications such as Endpoint Detection and Response, network security controls and other cloud-based platforms.

Within two business days of activation, NTT will host a Managed Detection and Response introductory conference call with the Client. This meeting will explain the onboarding process and will include an overview of the Samurai MDR application and configuration steps to be completed by the Client. Follow-up progress calls may be scheduled to ensure setup progress and status.

Within fourteen days of activation a Samurai MDR orientation conference call will be held with the Client which upon completion, Service Delivery will begin. This meeting will outline what to expect from the service including how SOC analysts will interact with the Client, overview of Security Incident Reports and how to utilize the Samurai MDR.

For more details please visit the Samurai MDR Onboarding Guide.

4. Service Features

Samurai Managed Detection and Response provides the following service features:

4.1 Threat Detection

The Samurai platform detects threats and suspicious behavior using the Samurai AI Engine. The AI Engine makes use of a combination of traditional threat detection techniques, Advanced Analytics, machine learning and Threat Intelligence to detect sophisticated threats. To ensure service quality, NTT continuously makes detection-tuning decisions based on the validity and relevance of alerts and security incidents.

4.2 Threat Intelligence

The Global Threat Intelligence Center delivers Threat Intelligence, which enhances the Managed Detection and Response service. Additionally, the Managed Detection and Response service includes continuous Threat Intelligence updates driven by investigations of security incidents.

4.3 Dynamic Blocklist

The Dynamic Blocklist feature provides a real-time feed of curated Indicators of Compromise. The Client can configure supported devices, such as next generation firewalls and internet proxies, to receive the dynamic list to proactively block threats. IoCs are added to the Dynamic Blocklist on an ongoing basis. The Dynamic Blocklist option is available at no additional charge. Additional details can be found in the Dynamic Blocklist overview.

4.4 24/7 Security Analyst Interaction

The Managed Detection and Response service includes detailed security investigation of alerts detected via Samurai by Security Analysts in NTT’s SOC. Investigation includes threat analysis and threat hunting activities across the Client’s telemetry environment to provide validation and assessment of the malicious nature of a threat and its potential impact.

Security Analysts use the MITRE ATT&CK framework as a reference model in presenting the nature of a threat and assigning appropriate severity to identified security incidents.

The Managed Detection and Response service also provides validation of threats through vendor integration and evidence collection for selected security technologies, such as packet capture data (PCAP) and malware execution reports.

4.5 Investigations

When the Samurai platform generates an alert indicating a potential threat, a SOC Analyst will begin an investigation. The investigation includes validating the presence of a threat via client telemetry and evidence data, threat intelligence, and other data and information sources within the Samurai platform. Using this information and automation capabilities of the Samurai platform, the analyst then determines the nature and extent of any compromise which may have occurred. Depending on the nature of the potential threat, activities conducted during the process of the investigation may include:

• Threat analysis.
• Threat hunting across the Client’s telemetry data which has been ingested into the Samurai platform.
• Assessment of the malicious nature of a threat and its potential impact.
• Contextualisation of validated threats based on factors such as industry vertical and geopolitical context.
• Categorisation according to industry best practice frameworks including MITRE ATT&CK.
• Forensic analysis of telemetry data stored in the Samurai platform.
• Malware analysis; and
• Recommendation to the Client of a suggested response covering suggested next steps.

4.6 Security Incident Reports

If, as a result of an investigation, a threat is identified, the Security Analyst creates a Security Incident Report detailing the cybersecurity incident, including plain-language observations and incident mitigation and/or remediation recommendations.

Client notifications can be provided by phone or email based on severity:

• Critical severity; Phone / E-mail notifications.
• Low, Medium, High severity; E-mail notifications.

Clients requiring Phone notifications must provide NTT with a prioritized list of Client contacts.

4.7 Threat Hunting

Utilizing Client telemetry and evidence data, NTT will perform Threat Hunting to detect activities such as persistence mechanisms, application usage, network activity or the tactics and techniques and procedures (“TTPs”) of threat actors. When a threat is detected, a security analyst will create a security incident and notify the Client.

4.8 Threat Response

NTT can perform actions on the Client’s behalf when an investigation results in the detection of a threat.

NTT will take actions to isolate compromised/malicious host Endpoints following Security Analyst incident validation. Remote isolation actions are performed using the isolation capabilities of the Client’s Endpoint Detection and Response (EDR) technology.

4.9 Samurai MDR Application

Managed Detection and Response Clients have access to the Samurai MDR application, including self service features such as telemetry integration and collector configuration. Details of the functionality can be found in Samurai online documentation.

In addition to the Samurai MDR application, Samurai Managed Detection and Response provides the client with access to the Samurai Help Center, which provides online access to:

• interact with us online by logging incidents and requests;
• view security incident reports;
• track, view and submit comments within incident and request tickets; and
• browse / search our knowledge base which contains online documentation for the Samurai MDR service and application. 

Additional information regarding support can be found in our Support Policy.

4.10 Incident Response

The Incident Response add-on is a retainer which the Client may choose to utilize if the Client requires the NTT SOC to perform additional threat investigation activities. Clients can continue to leverage the services of the NTT SOC in instances where the severity of an incident justifies additional effort to perform tasks such as threat hunting, malware analysis or forensic analysis of data in the Samurai platform.

This add-on provides the Client with the facility of additional post root-cause analysis to assist with containment of a threat.

The Incident Response retainer includes 40 hours per year. If the Client requires additional Incident Response beyond 40 hours, additional retainers of 40 hours can be purchased.

Incident Response effectiveness is enhanced with an installed and supported endpoint agent. If the client does not have a supported agent, NTT will work with the client to provision endpoint agents to support the investigation. For more information please read the detailed description of the Incident Response add-on.

4.11 Threat Reviews

Through a program of scheduled quarterly meetings, Threat Reviews will be conducted with the Client to derive maximum value from Samurai MDR.

Topics covered in the quarterly meetings include:

• Review service health.
• Review security incidents and how they provide insights into the Client’s security posture and attack surface; and
• Advising the Client regarding configuration of Samurai to better meet the Client’s needs.

For clients that require a dedicated resource and monthly threat reviews, the Samurai Cybersecurity Advisor subscription is available as a chargeable add-on.

5. Client Responsibilities

Client is required to perform the following obligations below:

• assign a primary Point of Contact (POC) to work with NTT. Client will ensure that NTT’s records of all Client POCs are kept up to date and are accurate.

• ensure that all telemetry sources have connectivity required in order to interact with the Samurai platform. This includes, but is not limited to, the ability to receive telemetry source feeds and evidence data and the ability as well as the ability to monitor and control any agents or virtual appliances installed in Client’s environment for the purpose of providing the service.

• ensure that endpoints falling under the scope of Samurai MDR have a supported endpoint agent installed in order to facilitate the gathering of telemetry and evidence data as well as providing the ability to perform remote isolation.

• provide knowledgeable technical staff and/or third-party resources to perform any configurations or software installations required in order for Client to consume the service. This includes, but is not limited to:

  • Configuration of connectivity.
  • Installation of Local Collector virtual appliances.
  • Provision of IP addressing required for any virtual appliances required in Client’s network; and
  • Configurations of cloud services required in order for the Samurai platformto receive telemetry from these services.

• perform all aspects of Service Onboarding, including the configuration of telemetry sources and configuration of Collectors to provide telemetry feeds to the Samurai platform. Client will ensure that all source devices are compliant with the Samurai platform configuration requirements and are running supported software and/or hardware versions.

• ensure that it does not utilise any technologies or configurations which block traffic, rotate logs or in any other way impede delivery of the service.

• procure all maintenance, support and licensing agreements with third-party vendors for all telemetry sources.

• comply with all the relevant data privacy, regulatory, and administrative laws, policies and procedures related to monitoring user traffic and communications.

• bring a threat, identified in a security incident report, to closure.

Failure to provide any of the service requirement information on a timely basis can result in delays in Service Onboarding and Service Delivery by NTT and NTT shall not be liable for any consequences of such delays.

6. Service Level Agreements

The Service Level Agreements (SLAs) listed in this section will become active once Onboarding of the Client is considered complete.

6.1 Availability

The Availability SLA is determined by the ability of the Client to access the Samurai MDR platform. This is measured by the ability of the Client to log into the Samurai MDR application.

NTT will use reasonable commercial means to ensure an availability of the Samurai MDR app of at least 99.9%. If the availability of the platform drops below this level, the Client may claim a Service Level Credit as set out in the table below:

6.2 Validated Security Incident Notification

NTT will analyze alerts and related available data sources on a 24/7 basis for signs of malicious activity which has bypassed preventative security controls.

If malicious activity is confirmed, NTT will determine the severity of the threat. For Security Incidents with a severity of high or critical NTT will provide an Incident Report within 30 minutes of determining the severity.

For Security Incidents with a severity of low or medium, NTT will endeavor to provide an Incident Report within 120 minutes of determining the severity.

If the creation of a security incident report in relation to an incident with a severity of high or critical takes longer than 30 minutes, the Client may claim a Service Level Credit as set out in the table below:

A Client may make a maximum of 1 claim against this service level per calendar day and per security incident.

6.3 Receiving Service Credits

To receive a Service Credit, the Client must open a ticket via the Samurai MDR app within 30 days of the incident for which the Client is claiming a Service Level Credit.

1.2 - MDR Security Incident Management

Overview

The MDR Security Incident Management process is designed to address reported threats that pose a risk to a client’s environment and to ensure appropriate handling. When the Security Operations Center (SOC) create a Security Incident, it will remain open until the client reports back that the threat had been handled, risk mitigated and closure request submitted.

The more information included in a Security Incident, the easier it will be for a client’s security staff to understand and mitigate the threat, therefore the SOC create a detailed Security Incident viewable within the Samurai MDR web application and downloadable in PDF format as required. The SOC also recommend you provide feedback of your incident handling as this could improve future security incidents from the SOC and your own handling of them. 

Below is a description of how the SOC performs Security Incident Management when relevant threats are detected and how the Security Incident life-cycle is managed.

Security Incident life-cycle 

The Security Incident Management process starts with an alert from a High Value Detection source (EDR, IDS/IPS, NG-FW, CTS, etc.) or from NTT Security Log Analytics engine RTCE (Real Time Correlation Engine). In both cases, the alert is presented to the the Analyst in the Samurai platform. Another possible trigger for the Security Incident management process could relate to a known high risk global Security Incident or threat, for example Log4shell or SolarWinds. In this instance, the Analyst conducts Retroactive Hunting in available telemetry data to search for indicators of compromise (IOCs) and determine if a client has been affected by the newly discovered global threat. 

Once the Analyst receives an alert, they will start to analyze the threat through an investigation process that includes reviewing AI/ML correlations and threat hunting across all telemetry data and older Security Incidents. In some cases, the Analyst will also try to recreate the threat in the SOC malware lab.

The analysis phase can be time-consuming, but the purpose is to find attack vectors to first verify how the attack has affected the client and how the threat can be mitigated. The more detail known about a threat, the easier it will be to mitigate. However, if the SOC observes that the threat is actively damaging client systems or leaking client data, an initial and expedited Security Incident will be created to inform the client so that client assets can be protected. The SOC will then update the initial Security Incident with all needed threat details. 

Security Incident Management

When a new Security Incident is created it will be made available within the Samurai MDR web application and an automated email notification is sent to predefined email addresses (collected during the MDR onboarding phase). The email will contain key information such as severity, title, reference ID and a link to the Security Incident within the Samurai MDR web application. The initial Security Incident Status is set to Awaiting feedback. If the Security Incident severity is critical, the SOC will also call the client. 

When creating the Security Incident, the SOC may perform remote isolation of infected client endpoints using the client’s Endpoint Detection and Response (EDR) platform. The SOC will also include a recommendation whether the client should engage your Incident Response Team (either you have an internal team, NTT is providing or a 3rd party). If further remediation is required the client can also engage the NTT Incident Response Team.

Once the client is informed by a notification email (or telephone call if severity is critical), the Security Incident will enter the handling phase.

The SOC will also include recommendation (actions) for the client to perform. Additional questions can be asked by the client in the Security Incident Situation Room communication channel (Click to read more) Type feedback or comments/questions, in the communications channel and click ‘Send message’.

Once the client clicks ‘Send message’, the Security Incident status is updated to Awaiting SOC, meaning the next action is on the SOC. The SOC will respond to your question or feedback. You may still add feedback and questions even if the status is Awaiting SOC and next actions will remain with the SOC.

It is important to ensure that any critical or high severity Security Incidents progress towards closure, therefore you are advised to keep the SOC updated and respond in a timely manner when the status is Awaiting feedback.

As long as the SOC is working on a response to your questions, the Security Incident status will remain as Awaiting SOC. When the SOC responds, the status will be updated to Awaiting feedback. If the SOC detects that a new or existing threat re-emerges or there is new vital information, the Security Incident will be updated, a new revision created and a notification emailed to you.

Closure

When the risk has been mitigated or the client has accepted the risk (e.g. managing the threat), the client can request the Security Incident to be closed via the Security Incident Situation Room. This decision is based on the client’s assessment that sufficient action to mitigate the risk has been taken and is now comfortable with closure of the Security Incident. In the event the SOC receive feedback to close the request during an open investigation, confirmation of the request will be included in the ticket details.

Non-closure

If the SOC does not receive a closure request from the client, the security incident will be kept active and in an Awaiting feedback status. The SOC will present and go through all of the non-closed security incidents during the regular Threat Review Meetings. This to ensure client handling of all reported threats and risks, If the SOC has received no feedback, this could mean that the threat is still present and active, despite being reported months ago.

1.3 - MDR Threat Reviews

The Managed Detection and Response (MDR) service will detect, respond and report relevant threats that pose a risk to a client, but it is the client’s responsibility to bring the risk to closure. To help the client with this, a program of quarterly threat reviews is included with the MDR service.

For clients that require a dedicated resource and monthly threat reviews, the Samurai Cybersecurity Advisor add-on subscription is available for an additional fee. 

The key focus of threat reviews is to help MDR clients get the most value from the service, reduce business risk based on security incidents reported, and ensure security incidents are handled appropriately.

Through regular threat reviews, a client will:

• be trained and educated to understand threats and risks reported by the MDR service,
• be provided recommendations to improve detection and response, and
• receive follow-up to ensure that reported threats and risks are handled and mitigated.

The threat review program is initiated at the time of onboarding. During the orientation call the quarterly meetings will be scheduled for the remainder of the contract period. Please review Onboarding Managed Detection and Response (MDR) for further details.

The threat review meetings are scheduled during business hours within central European time (CET) and conducted by an MDR analyst who is or has been part of 24/7 MDR service delivery. This resource is not a dedicated resource per client but is a shared responsibility for analysts within our Security Operations Center (SOC). With access to the SOC workbench and a client’s Samurai tenant our analysts have detailed knowledge of potential threats and risks, and skills to perform searches and hunts.

The MDR service will detect and respond to relevant threats that pose a risk. These threats are reported via Security Incident Reports. It is the client’s responsibility to handle and bring the risk to closure. All actions related to the handling of the security incident will be performed through the 24/7 MDR service and not during threat reviews. We understand that threats and risks can often be difficult to understand, our recommendations can often mitigate risk, however our aim during threat reviews is to enable clients to fully understand the risk so they can stay proactive, mitigate root cause, and avoid future security incidents. Hence during a threat review meeting we will present reported security incidents to a client and their stakeholders outlining the threats reported and risks posed. 

We will also maintain and update a detection and response improvement list through the entire lifecycle of the MDR service. The improvement list focuses on suggestions that will improve detection of threats e.g. new systems that should be onboarded into the MDR service, or could also include actions that either the client, the SOC or NTT Security Holdings need to take in relation to improving threat detection and response. The ultimate benefit of this process to the client is an improved security posture.

Threat reviews will also follow up on any actions performed by a client after a Security Incident was reported. This will help to confirm that the client was able to take suitable actions based on the threat identified. Depending on the client’s security posture and risk profile, the client may either take mitigation actions that remove the threat or decide to accept risk. Clients should provide feedback on the reported Security Incident and the actions taken as it enables the 24/7 MDR service to verify if the threat was removed or if still present after any actions. During Threat Review meetings we will work through these actions with the client so that the client handling time for any subsequent Security Incident will decrease, reducing risk exposure time.

If a client has any general questions or requests related to the MDR service and/or how to detect and respond to threats not related to a reported Security Incident, a request can be raised via the Samurai MDR application, and be handled by the Threat Review team.

1.4 - Onboarding Managed Detection and Response (MDR)

Overview

Welcome to NTT Security Holdings (NTTSH) and the Managed Detection and Response (MDR) Service Powered by our Samurai platform.

We have made onboarding simple and shall support you through each phase.

MDR Security Operations Center (SOC)

The SOC provide guidance and expertise during onboarding and service delivery, however it is important to understand the role and responsibilities of you and our team.

The SOC will be your main contact during onboarding and will schedule introduction and orientation calls with you to ensure your journey to MDR is problem free. You as a Client will still need to perform your responsible actions outlined in the rest of this document and specifically for onboarding MDR telemetry sources, unless you have purchased Samurai Onboarding.

After your orientation meeting, MDR Service delivery begins. The SOC will schedule and conduct regular threat review meetings as outlined within the MDR Service Description to ensure you derive maximum value from the service.

Suggested Resources

During onboarding you will likely need to call upon various teams within your organization, we understand you may not have all of the appropriate roles but suggest the following:

Onboarding Phases

The image and table below outline the main phases of onboarding including responsibilities, resources and deliverables. 

Your Responsibilities

Below are your primary responsibilities during onboarding. Additional responsibilities may arise as needed to support aspects of the implementation that are unique to your specific environment(s):

• Create user accounts for additional users of the Samurai MDR application, maintain all user accounts, ensuring that contact information for each user is complete and accurate.
• Deploy Samurai Collector(s) and successfully configure required integrations.
• Configure and manage all resources required to support the deployment of Collector(s) - virtual / physical.
• Configure and maintain supported on-premises log sources and cloud integrations in line with Samurai MDR requirements.
• Ensure that all telemetry sources have connectivity required in order to interact with the Samurai platform. This includes, but is not limited to, the ability to receive telemetry source feeds and evidence data as well as the ability to monitor and control any agents or virtual appliances installed in your environment for the purpose of providing the service.
• Respond to NTTSH communications in a timely manner and ensure attendance of the necessary resources for all meetings to ensure timely completion of onboarding and during service lifecycle.
• Bring a threat, identified in a security incident report, to closure.

Your overall responsibilities for the service can be found in the MDR Service Description.

2 - Additional Subscriptions

2.1 - Dynamic Blocklist

Dynamic Blocklist (DBL) is a feature included with Samurai MDR. The list is a feed of high fidelity indicators of compromise (IOC) which when subscribed to by a supporting device, provides the ability to block traffic to the identified threat actor. Typical devices which can make use of DBL include Secure Web Gateways (SWG) and Next Generation Firewalls (NGFW).

The DBL contains IP addresses, domain names and Uniform Resource Locators (URLs) of servers hosting malware, exploits, botnet Command and Control (C&C) servers and other known malicious activity.

Feeds are updated hourly and as emerging threats are discovered. Devices which are subscribed to the DBL will receive updated IoCs at the next “push” or “pull” event, depending on the manufacturer.

Our high fidelity IoCs contained in the Dynamic Blocklist originate from sources including:

• NTT’s proprietary Threat Intelligence data sources
• IoCs based on security incident investigations from all clients subscribed to NTT’s threat detection services
• Threat Intelligence obtained via partner intelligence relationships
• Open Source Intelligence feeds which have been analyzed and vetted by NTT
• NTT analysis tools which detect malicious websites (especially phishing and fraud) and extract intelligence of phishing reports from social media.

Onboarding

During the MDR onboarding or during service, the client can choose to enable DBL.

If the client elects to enable DBL and has Supported Devices:

• The client must submit a DBL Request via the Samurai MDR application
• Include the relevant information required within the request as outlined within the DBL Configuration Guide
• Once access has been enabled, the client will be notified via the ticket with relevant configuration information.
• The client may then proceed with configuration of their devices as per the relevant DBL Configuration Guide

Supported Devices

NTT provides configuration guides to assist the Client in configuring Dynamic Blocklist on supported devices. The following device types are currently supported:

• McAfee WebGateway (Skyhigh Secure Web Gateway)
• Palo Alto Networks NGFW
• ZScaler Internet Access (ZIA) - Proxy
• Squid proxy
• Cisco Firepower

Depending on the capabilities of individual device types, DBL will be configured using one of two possible methods:

• “pull”: In a “pull” configuration the device is set up to connect to NTT’s servers and fetch the threat feed. The frequency of retrieval is dependent on the device configuration.
• “push”: In a “push” configuration the device is set up to receive connections from NTT’s servers in order to receive the threat feed. The frequency with which the threat feed is pushed to the client device is usually determined by the configuration of the client device.

If the client is interested in using DBL with a device that is currently not supported, this can be discussed with NTT during onboarding.

Connectivity Requirements

In addition to configuring the devices for DBL, the client will also need to ensure that Internet connectivity is in place:

• for devices using a “pull” configuration, outbound TCP connections to the DBL server, typically on port 443.
• for devices using a “push” configuration, inbound TCP connections are possible from DBL servers to the client device.

NTT will provide the client with the DBL server IP addresses and/or URLs and other relevant details of the via the ‘DBL On-boarding request’ ticket.

2.1.1 - Dynamic Block List Configuration Guides

2.1.1.1 - Cisco Firepower DBL Configuration Guide

Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.

The guide outlined steps to automatically integrate DBL with Cisco Firepower. The maximum list size for DBL is 20,000. This maximum is subject to change without notice due to device specifications and performance.

Raise a Request

To continue with this configuration guide you must first raise a request via the Samurai MDR application. Add the following information within your request:

Submit the ticket and you will hear back from us with additional information (e.g DBL URL) to continue with the configuration below.

Connection Requirements

You will need to ensure your Firepower device(s) can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.

Table 1: Connections requirements

To complete this integration you have to:

• Have submitted a request via the Samurai MDR web application and have been provided the necessary DBL endpoint URL/IP address.

From your Cisco Firepower Management Console (FMC):

• Create a feed that captures the DBL URLs
• Set Security Intelligence Settings for DBL URL
• Confirm Blocking
• Create a feed that captures the DBL IP list
• Set Security Intelligence Settings for DBL IP

You may also want to refer to the Cisco FMC documentation.

Create a feed that captures the DBL URLs

1. Login to your FMC

2. Click Objects – Object Management

3. Click Security Intelligence – URL Lists and Feeds in the left pane.

4. Click Add URL Lists and Feeds

5. Enter the following information in Security Intelligence for URL List/Feed and click Save

Set Security Intelligence Settings

Set the feed you created in Create a feed that captures the DBL URLsto Security Intelligence.

1. Click Policies – Access Control

2. Select the Policy for which you want to set the Feed

(For example: Select sample-fp-policy as depicted below)

3. If you do not have a Policy, create one from New Policy and follow the procedure

4. Select Security Intelligence

5. Select URLs

6. Select the Feed you created in Create a feed that captures the DBL URLs(our example was ABTI_for_URL)

7. Under Available Zones, select Any and click Add to Block List

8. Click Save

9. Click Deploy

Confirm Blocking

Verify that the test URL is blocked.

1. From a browser that leverages the Cisco Firepower inspection path, access the following test URL:

• http://ameblo.jp/testment12016/entry-12576105325.html

2. Verify that it is blocked. If blocking does not occur check through the configuration again. Our example block screen looks like this:

Create a feed that captures the DBL IP list

1. Click Objects – Object Management

2. Click Security Intelligence – Network Lists and Feeds in the left pane

3. Click Add Network Lists and Feeds

4. Enter the following information in Security Intelligence for URL List/Feed and click Save

Set Security Intelligence Settings for DBL IP

1. Click Policies – Access Control**

2. Select the Policy for which you want to set the Feed

(For example: Select sample-fp-policy as depicted below)

3. If you do not have a Policy, create one from New Policy and follow the procedure

4. Select Security Intelligence

5. Select Networks

6. Select the Feed you created in Create a feed that captures the DBL IP list (our example was ABTI_for_IP)

7. Under Available Zones, select Any and click Add to Block List

8. Click Save

9. Click Deploy

2.1.1.2 - McAfee Web Gateway (Skyhigh Secure Web Gateway) DBL Configuration Guide

Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.

The DBL provides a maximum of 80,000 listings. This limit may be updated without notice.

Raise a Request

To continue with this configuration guide you must first raise a request via the Samurai MDR application. Add the following information within your request:

Submit the ticket and you will hear back from us with additional information (e.g DBL URL’s) to continue with the configuration below.

Connection Requirements

You will need to ensure your Secure Web Gateway can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.

Table 1: Connections requirements

From your Secure Web Gateway:

• Configure the External Lists Module
• Create a Rule

Configure the External Lists Module

Follow the steps outlined within the Skyhigh Security documentation:

• Configure the External Lists Module

Use the following parameters when completing the steps:

Table 2: External Lists Module

Tip: To find out more information about External Lists refer to Skyhigh Security documentation About External Lists

Create a Rule

Follow the steps outlined within the Skyhigh Security documentation:

• Create a Rule

You need to configure a rule that denies access if the URL requested by the client matches the external list previously created.

Use the following parameters when completing the steps:

Table 3: Rule creation

2.1.1.3 - Palo Alto Networks DBL Configuration Guide

Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.

The DBL is sized at approximately 40,000 URLs. Should memory exhaustion occur due to multiple Profile usage, ensure to manage your device(s) to avoid such a situation by performance and log monitoring.

Raise a Request

To continue with this configuration guide you must first raise a request via the Samurai MDR application. Add the following information within your request:

Submit the ticket and you will hear back from us with additional information (e.g DBL URL) to continue with the configuration below.

Connection Requirements

You will need to ensure your Palo Alto Networks device(s) can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.

Table 1: Connections requirements

To complete this configuration you will need to:

From your Palo Alto Networks device:

• Configure an External Dynamic List (EDL)
• Configure a URL Filtering Profile
• Configure security policy rule

Configure an External Dynamic List (EDL)

Follow the steps outlined within the Palo Alto Networks documentation:

• Configure the Firewall to Access an External Dynamic List

Use the following parameters when completing the steps:

Table 2: EDL Configuration

Tips:

• Select your specific PAN OS version when reviewing Palo Alto Networks documentation (we have linked version 10.2)
• To find out more information about EDL’s refer to Palo Alto Networks documentation External Dynamic Lists
• Once completed, follow the Palo Alto Networks documentation linked to y’Test Source URL’ to ensure the DBL can be accessed

Configure a URL Filtering Profile

Follow the steps outlined within the Palo Alto Networks documentation:

• Configure URL Filtering

Use the following parameters for the EDL created in Configure an External Dynamic List when completing the steps:

Table 3: URL filtering profile

Configure security policy rule

Follow the steps outlined within the Palo Alto Networks documentation:

• Create a Security Policy Rule

Use the following parameters in the Actions tab when completing the steps:

Table 4: Security policy rule

2.1.1.4 - Squid DBL Configuration Guide

Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.

Refer to Squid Documentation as needed: http://www.squid-cache.org/

Raise a Request

To continue with this configuration guide you must first raise a request via the Samurai MDR application. Add the following information within your request:

Submit the ticket and you will hear back from us with additional information (e.g DBL URL) to continue with the configuration below.

Connection Requirements

You will need to ensure your Squid proxy can reach a specific URL to obtain the DBL. This information will be provided to you once subscribed.

Table 1: Connections requirements

From your Squid Proxy:

• Import the DBL
• ACL Configuration
• Confirm configuration and auto run

Import the DBL

1. Store the DBL list retrieval script as below:

/usr/local/squidList/getSquidACL.sh

2. Back up the script file:

# cp /usr/local/squidList/getSquidACL.sh /usr/local/squidList/getSquidACL.sh.org

3. Open the script file using your favorite editor. In the examples we use “vi” for editing

# vi /usr/local/squidList/getSquidACL.sh

4. Set the DBL URL to import URL list.

(Example)DBL_URL="http://<IP address>/dbl/block_plain.txt"

5. Set the DBL URL to import IP list.

(Example)DBL_IP="http://<IP address>/dbl/block_ip_plain.txt"

6. Rewrite the reboot command to any command which used in production environment.

(Example)restart =/etc/rc.d/init.d/squid restart

7. Set the place to output the URL list

(Example)DBL_URL_OUTPUT="/etc/squid/block_plain.txt"

8. Set the place to output the IP list

(Example)DBL_IP_OUTPUT="/etc/squid/block_ip_plain.txt"

9.Save and close ”vi”

# :wq

10. Give the execute permission to the script.

# chmod 775 /usr/local/squidList/getSquidACL.sh

ACL Configuration

1. Edit the “squid.conf” file

# vi /etc/squid/squid.conf

2. Add ACL setting for the list that set in steps 7 and 8 of the previous section.

(Example)acl blocklist_regex url_regex“/etc/squid/block_plain.txt”acl blockip dst “/etc/squid/block_ip_plain.txt”http_access deny blocklist_regexhttp_access deny blockip

3. Save and close

# :wq

Confirm configuration and auto run

1. Run the DBL retrieval script manually with the following command:

# /usr/local/squidList/getSquidACL.sh

After execution, check your standard Squid logs. If you receive an error, check the status of your network because it is highly likely that the DBL destination URL is not communicating.

2. If there are no errors, set the execute command on Cron. (Following setting is run every 10 minutes.)

*/10 * * * * /usr/local/squidList/getSquidACL.sh

2.1.1.5 - Zscaler Internet Access DBL Configuration Guide

Our Dynamic Block List (DBL) configuration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.

Follow the steps below and then submit an onboarding request raise a request via the Samurai MDR application.

Access Requirements

Threat data will be pushed using the Zscaler native API with standard HTTPS TCP/443 to your Zscaler cloud instance.

From Zscaler Internet Access Portal:

• Create a dedicated user for NTT

• Provide your API base URL and API key

• Create a URL category

• Configure URL and Cloud App control

• Configure Monthly Reporting

Once completed you will need to provide specific information to NTT via a ticket in the Samurai MDR application.

Create a dedicated user with a specific role for NTT

Follow the steps outlined in Zscaler documentation to create an admin role: 

• Adding Admin Roles

Use the following parameters when completing the steps:

Table 1: Admin role

Follow the steps outlined in Zscaler documentation to create a user and assign the role:

• Adding ZIA Admins

Use the following parameters when completing the steps:

Table 2: Admin user

You will need to share these credentials when raising a ticket with us.

Provide your API base URL and API key

Review the Zscaler documentation to find your Base URL and API Key:

• Managing Organization API Keys

You can also read more information about the Zscaler API at:

• https://help.zscaler.com/zia/about-cloud-service-api-key-management

You will need this information when raising a ticket with us.

Create a dedicated URL category for the DBL:

Follow the Zscaler documentation:

• Configuring Custom URL Categories

You need to create two URL categories. Use the following parameters when completing the steps:

Table 3: Custom URL category 1

Table 4: Custom URL category 2

Configure URL and Cloud App control

Follow the steps outlined in Zscaler documentation:

• Configuring the URL Filtering Policy

Use the following applicable parameters when completing the steps (set other parameters according to your specific configuration):

Table 5: URL filtering policy

Configure Monthly Reporting

To enable improvements of DBL we recommend that you schedule monthly reports that are automatically emailed to us. 

Follow the steps in the Zscaler documentation, Refer to Copying a Standard Report:

• Creating or Copying a Report

Select the Blocked Web Traffic Overview under Standard Reports - Web Activity to copy 

Table 6: Copy Report

Follow the steps in Zscaler documentation to Schedule the Report:

• Scheduling Reports

Use the following parameters when completing the steps:

Table 7: Scheduled Report

Raise a Request

Now that you have completed all of the steps above you must now raise a request via the Samurai MDR application. Add the following information (created from the steps above) within your request:

Submit the ticket and you will hear back from us when onboarding is complete.

3 - Consulting and Supplemental Services

3.1 - Data Discovery Service Description

1. Introduction

The Samurai Data-discovery service is a service package designed to enhance client visibility on internal IT-architecture, data flows and security posture. Through a series of workshops, interviews and reports with concrete next-step recommendations, NTT experts will help the client identify the data that’s most important to their business goals, review projects that may affect said data and recommend next-steps based on best-practices.

This service is intended for new NTT Samurai MDR clients however it can be used for clients who wish to expand or review an existing commitment.

2. Data-discovery service

2.1 Service features

The Data-discovery service is delivered in two phases. If extended support is required to fulfill the engagement scope, the service can be expanded accordingly. For more info see section 2.2 Service Package.

Phase One:

The initial phase includes an internal workshop to walk-through the client IT-environment, security posture, project roadmap, planned initiatives and any other potential future organizational/infrastructure changes.

NTT Consultants will support the client in identifying the data that´s most important to the client business and operation. The phase will be concluded with the delivery of concrete next-step recommendations tailored to the client desired future security posture, roadmap and samurai enrollment strategy in the form of a report.

Phase Two:

The second phase is initiated six months post the initial phase, during which the client and NTT Consultants review the report from the first phase, progress on next-step action plan, new projects and changes to the IT-environment.

The second phase will be concluded with the delivery of an updated version of the initial report.

2.1.1 First Phase Deliverables

• Initial workshop report containing:
  • Identified critical data elements and associated security controls.
  • Identified potential impact of internal projects and initiatives on critical data infrastructure.
  • If applicable, discuss security impact of potential organizational changes.
  • Recommendations based on best practices given the information provided by the customer.

2.1.2 Second Phase Deliverables

• Six-month update report:
  • Impact of eventual changes in the environment.
  • New projects and IT-environment updates.
  • Recommendations based on best practices given the information provided by the customer.

2.2 Service package

The Data discovery service, as defined above, is a fixed fee engagement. Additional service packages can be purchased to extend delivery.

Initial workshop and associated activities will not exceed 60 hours. Six-month follow-up and associated activities will not exceed 40 hours.

Delivery of the report associated with each portion of the service will constitute the closure of that portion.

3.2 - Incident Response Retainer Service Description

1. Introduction

With the rise of cyber-attacks in a fluid threat landscape an organization must quickly respond and be prepared to act on all threats. The ability to quickly respond to a security incident is crucial for limiting the impact of the attack, minimizing reputational damages and legal consequences.

In many cases, the damage from a cyber related incident is increased due to delays and mistakes in incident handling. Incident response is a highly specialized field that requires staffing by specialists who are engaged full-time in this area. It is likely to not be as successful when staffed by employees who only perform incident response tasks on an ad hoc basis. As a result, many organizations do not employ their own internal incident response team, but rather contract with external providers such as NTT.

NTT provides Incident Response (IR) Retainer services to assist organizations to effectively respond and rapidly remediate in the event of an incident. The NTT IR Team is experienced in handling incidents across various business verticals and provides a valuable resource to clients. The retainer service is offered as an add-on to NTT’s Samurai MDR service and also as a standalone offering for either emergency incident response needs, or proactive risk mitigation.

2. Samurai Incident Response

2.1 Service Features

The Samurai Incident Response (IR) Retainer provides incident management, containment, and root cause analysis support to assist with mitigation of incidents. The NTT IR team consists of experienced Security Analysts in the NTT Security Operations Centre (SOC) and Incident Response consultancy experts, and is delivered through the Samurai platform.

The Incident response offering provides a set of components which can provide the Client with:

• On call 24/7/365 response to incidents
• Incident lead and incident management
• Root cause analysis, containment, and eradication
• Rapid remote deployment of IR tools
• Integration with NTT’s Global Threat Intelligence Center (GTIC)
• Close collaboration with client teams
• Decades of experience in Security Monitoring and IR subjects
• Support during extended incidents
• Malware and threat behavior analysis
• Advanced Network Analysis Tools

These service components are not an exhaustive list and are provided as required during the engagement.

The IR retainer is based on an annual entitlement of 40 hours, which can be increased by the client through the purchase of additional retainer blocks of hours.

2.1.1 Incident lead and incident management

The NTT IR team will support the client by providing both hands-on and high-level incident lead and incident management, steering both NTT, client, and other involved 3rd party resources towards a common goal by assigning and prioritizing tasks, organizing meetings, risk evaluation and prioritization, damage evaluation, as well as providing stakeholder updates.

The NTT IR team will work together with the client to align reporting cadence, timelines, and updates in accordance with client requirements.

2.1.2 Root cause analysis, containment and eradication

The NTT IR team will support the incident investigation to understand the who, what, when, where, why and how of an attack. This includes:

• Review and analysis of client provided log, network, and endpoint telemetry.
• Assess the flow and history of incidents in the client’s environment to evaluate potentially related issues, campaigns, and persistence.
• Threat Intelligence, Open-Source Intelligence (OSINT), and closed source correlation.
• Providing insight and best practice guidelines on how to limit potential damage of an incident.
• Providing client’s security staff guidance on how to handle and execute the eradication process. This will be positioned from a governance approach and will guide the client’s internal security staff.
• Evaluating the possible recovery options and provide guidance to client security staff to restore affected systems from a backup or re-image the systems from a clean gold image, if applicable.

2.1.3 Rapid remote deployment of IR tools

Where the client does not have Endpoint Detection and Response (EDR) agents or a similar capability in place, NTT will work with the client to deploy EDR tools. The EDR tooling can be integrated with Samurai and will be available to the client during the incident response engagement.

On completion of the incident response engagement, the client will have the option to purchase the EDR tooling and retain this tooling in the client environment. If the client decides not to purchase EDR tooling used by NTT for the purpose of incident response, it must be removed at the end of the incident response engagement.

2.1.4 Integration with NTT’s Global Threat Intelligence Center (GTIC)

Through the NTT Incident response service, clients benefit from extensive Threat Intelligence both curated and produced by Threat Intelligence researchers in NTT’s Global Threat Intelligence Centre (GTIC) via Samurai.

2.1.5 Highly collaborative with client teams

The management of an investigation is just as important as the technical and investigative skills brought to bear during an incident. NTT IR team will work closely with the client team to provide detailed and structured status reports to communicate findings that will aid in making informed business decisions.

The frequency of status reports and interaction between NTT resources and client team will be adjusted to reflect the current requirements during the incident lifecycle.

2.1.6 Malware and threat behavior analysis

Malware is a name used for various malicious software variants, such as viruses, ransomware, spyware, etc. and is designed to infiltrate and damage computer environments and its data without knowledge of the user. Understanding malware and its behavior, is critical to an organization’s ability to respond to incidents, derive threat intelligence and boost defenses. NTT offers the knowledge and experience on how to identify key aspects and characteristics of various malware types and to understand the extent of the potential damage.

All identified Indicators of Compromise (IoCs) related to the malware or threat are shared with the client’s security team as part of the engagement.

2.1.7 Advanced network analysis tool

At times NTT IR team may recommend the deployment of advanced networking analysis tools to assist with the identification and mitigation of an incident. NTT IR team will discuss this in detail prior to authorization of its use.

These tools can be used to support the detection of behaviors that make endpoints act maliciously or outside of their normal mode of operation. They can help determine what changes occurred during a malware outbreak so that proper remediation can be planned. The tools can also track lateral movement of malware and determine how widespread it is across the entire network.

2.2 Retainer information

The Samurai Incident Response offering is provided as a retainer and includes 40 hours per year. If the Client requires additional Incident Response beyond 40 hours per year, additional retainers of 40 hours can be purchased.

Retainer hours are consumed in 4-hour increments.

3. Onboarding

As part of NTT´s proactive engagement to enhance the Incident response teams ability to respond promptly and efficiently, NTT will meet with the client to establish knowledge about the client’s current setup, introduce the workflow of incident response engagements, how the client can initialize incident engagements and open up for questions from both parties. 

The following details will be collected during the introduction call: 

• Client points of contact 
• Contacts allowed to activate IR-service 
• EDR coverage in environment 

The collected details will create a foundation for successful incident handling and a more seamless collaboration. Once the onboarding meeting has taken place and the basic requirements, such as accesses and points of contact, are in place the Incident Response Retainer can be started.

No onboarding meeting is provided when an Incident Response Retainer has been procured and activated for emergency incident response assistance. For emergency IR cases, onboarding will be done in parallel to the incident scoping call done as outlined in section 4.2.

The graphic below outlines the onboarding process:

4. Service activation

4.1 Incident response activation

MDR Client

If the cause for activation is an incident escalation from the MDR Service SOC, the customer should activate the IR-retainer directly via a request in the associated incident ticket within the Samurai MDR application.

The IR retainer may also be activated via a phone call to the Incident response on-call number which is provided during onboarding. The IR retainer can only be activated by an authorized list of individuals mandated by the client. This information is captured during the onboarding process but is naturally subject to change. Any changes to the authorization list must be communicated to the NTT IR team. 

Standalone Client

The IR retainer is activated via a phone call to the Incident response on-call number which is provided during onboarding. The IR retainer can only be activated by an authorized list of individuals mandated by the client. This information is captured during the onboarding process but is naturally subject to change. Any changes to the authorization list must be communicated to the NTT IR team.

Emergency Client

The IR retainer is procured and activated via a phone call to the 24/7 Emergency Incident response on-call number.

4.2 Incident scoping call

Depending on the incident severity, magnitude, urgency and known context, the NTT IR team will initiate the engagement with a scoping call. During the call, NTT and the Client’s security team will work together as one team, to gain an understanding of the current situation and how to best proceed.

NTT will meet with the POC and designated Incident Response Team members to discuss the How, What, When and Where questions. Typical questions will include - How was the issue detected? Is there any evidence, data or logs related to the incident in Samurai? What other telemetry is available outside of Samurai? What steps have been taken? What does the environment look like, where are the egress and ingress points located? 

Other discussion topics may include the gathering of additional evidence, such as providing audit log records or a network diagram showing what other devices on the network that the suspicious system has access to. The more telemetry available, the faster questions can be answered during an investigation. It is very critical for the client to document all actions taken on the suspected systems at the start of an incident. If incorrect or unknown steps are taken to clean up an infected system, block lateral movement or remediate other issues it may hinder or complicate response actions or root cause analysis at a later stage.

4.3 Engagement objectives

The NTT IR team will work together with the client POC at the time of the retainer activation to identify the immediate engagement objectives. As the incident lifecycle progresses and new evidence or information is discovered, the engagement objectives may be updated. The objectives may be to identify data loss, attack vectors or to recover from the incident and provide recommendations on actions to take to prevent the incident from repeating. NTT IR team can perform incident management, by providing remote support and coordinate with security staff to assist with incident mitigation, containment, eradication, recovery, and reporting.

The end delivery to the client will be a written report of our findings which includes:

• Executive Summary
• Overview
• Timeline of Activity
• Summary of Findings
• Recommendations

4.4 Engagement lifecycle

The figure below describes the process followed by the NTT Incident Response Team during engagements.

5. Service Provisions and Requirements

In order to ensure successful delivery of the Services, NTT and Client shall provide the following, as applicable.

• NTT personnel will maintain and track hours utilized against the retainer.
• Depending on the scope requested by the client, NTT will assign a Lead Incident manager to work with client’s main Point of Contact (POC) throughout the life of the engagement.
• NTT will assign an IR Manager to be available to client as an out-of-band resource for issue escalation.
• NTT will provide the client with ongoing status reports, as mutually defined in the project kick-off.
• If not otherwise stated above, upon completion of the Incident response engagement, NTT will provide client with a detailed report in PDF format, describing the actions performed, results and recommendations.
• Client will assign a main Point of Contact (POC) to work with NTT and will provide knowledgeable technical and administrative staff to assist NTT.
• As required, client will provide NTT with access to their network to perform Incident response services. If required client will also provide NTT with a list of areas considered “off limits”.
• Client understands NTT is not responsible for loss of business incurred by Client (or third parties associated with client), due to the performance of Services.
• As applicable, client will provide NTT with electronic copies of any applicable policies (e.g., Security Policy, Acceptable Use, Policy, Incident Response Plan, Escalation Trees, etc.), procedures, previous audits or assessments, network diagrams, configurations, evidence, and any other relevant materials (Engagement Information) associated with the Services outlined in this Service Description.
• Client explicitly understands Services may employ methods which could violate client’s policies. NTT will agree, together with the client on any actions which may violate said policies prior to taking the action.
• Client fully agrees that providing Engagement Information to NTT is not a violation of client’s policies and fully agrees not to instigate any type of prosecution against NTT, or NTT employees or third-party service providers, for the receipt and storage of such Engagement Information.
• If the in-scope environment for Services provided in this Service Description is hosted by a third-party provider, client agrees to notify the third-party provider in advance of the initiation of services and client accepts the responsibility for complying with any provisions set forth by the third-party provider.
• Should this Service Description be executed in a context where regulatory compliance, auditing, testing or assessment or other similar compliance advisory consulting services, for example under the PCI Data Security Standard or HIPAA Privacy, Security or Breach Notification Rules apply, client understands that NTT Incident response services do not constitute any guarantee or assurance that security of client’s systems, meets regulatory requirements. Furthermore, NTT is not responsible for updating its reports and assessments or inquiring as to the occurrence or absence of such in light of subsequent changes to client’s systems, networks and assets after the date of NTT´s final report absent a signed Statement of Work, or an amendment to a Statement of Work, expressly requiring the same.
• Client understands that failure to fulfil Service Requirements or provide required documentation/evidence on a timely basis can result in delay of Services or loss of contracted hours.
• If regulatory changes (e.g., changes by a regulatory agency, legislative body, or court of competent jurisdiction) require NTT to modify the Services described herein, client agrees in good faith to work with NTT to amend the scope of work accordingly.
• Upon initial client contact, NTT will respond within 2 hours.
• Client must enroll NTT IR personnel to its Samurai tenant as required.
• Client understands that NTT Incident Response services do not constitute any guarantee or assurance that security of client’s systems, networks and assets cannot be breached or are not at risk.

3.3 - Samurai Cybersecurity Advisor Service Description

1. Introduction

The Samurai Cybersecurity Advisor (CSA) service add-on provides a dedicated technical senior-level resource to help Samurai Managed Detection & Response (MDR) clients get the most value from the service, and reduce business risk.

Services provided by the CSA include:

• Monthly threat reviews
• Tracking of a detection and response recommendation improvement list
• Dialogues around detection & emerging threats
• Acting as a link between clients and the Samurai MDR service

2. Samurai Cybersecurity Advisor service

2.1 Monthly Threat Reviews

The Samurai MDR service will detect, respond and report relevant threats that pose a risk to a client, but it is the client’s responsibility to bring the risk to closure. To help the client with this, a program of monthly threat reviews is included with the CSA service.

The monthly threat reviews are the main interaction point between clients and the CSA.

Through regular CSA-led threat reviews, clients will:

• be trained and educated to understand threats and risks reported by the Samurai MDR service,
• be provided recommendations to improve detection and response, and
• receive follow-up to ensure that reported threats and risks are handled and mitigated.

The threat review program is initiated at the time of onboarding. During the onboarding orientation call the monthly meetings will be scheduled for the remainder of the contract period.

2.2 Detection and Response Recommendation Improvement List

The CSA will maintain and update a detection and response improvement list through the entire lifecycle of the Samurai MDR service. The improvement list focuses on suggestions that will improve detection of threats e.g. new systems recommended to be onboarded by the client into the Samurai MDR service, or could also include actions that either the client, the SOC or NTT Security Holdings need to take in relation to improving threat detection and response. The ultimate benefit of this process to the client is an improved security posture.

2.3 Detection & Emerging Threats

The CSA will stay informed of threat detection improvements made by NTT and follow the changing threat landscape. During the monthly threat review meetings, the CSA will lead a dialogue with the client to ensure the correct telemetry exists within the clients given Samurai MDR configuration to take full benefit of any new detections created for emerging threats, and provide actionable recommendations where needed.

2.4 Act as a link between clients and the Samurai MDR service

The CSA is a technical senior-level resource with extensive experience working within Managed Detection & Response. Complimenting the CSA’s extensive experience with the Samurai MDR service, the CSA also has access to NTT threat intelligence, the specialist MDR SOC workbench, and the client’s MDR tenant.

This access provides the CSA the ability to perform searches and threat hunts as required within the scope of the service offered, while also having well-established contact routes with the different NTT Teams involved in the Samurai MDR delivery.

2.5 Scope information

The Samurai Cybersecurity Advisor Service add-on, as defined above, is a fixed fee engagement. The engagement will not exceed 192 hours yearly, and additional service packages can be purchased to extend delivery. Used hours per single month may not exceed 40 hours unless approved in dialogue with NTT.

The CSA service is delivered during business hours of central European time (CET).

3.4 - Samurai Onboarding Service Description

1. Introduction

The Samurai Onboarding service add-on is designed to support the client journey during the transition onto the Samurai Managed Detection and Response (MDR) service. NTT personnel will through an initial workshop and subsequent interaction answer any questions and provide all the necessary documentation and information required to enroll to Samurai MDR.

This service is intended for new NTT Samurai MDR clients however it can be used for clients who wish to expand or review an existing commitment.

2. Samurai Onboarding service

2.1 Service Features

Core service activities:

• Initial workshop to define devices and/or services in scope of enrollment to Samurai.
• Supply Samurai documentation and information.
• Service onboarding support.
• Service verification post-onboarding.
• General support and inquiries regarding device and 3^rd party service support.

Core service deliverables:

• Onboarding plan
• Onboarding guides relevant for the customers environment
• Portal training session.
• Initial kick-off session, not to exceed 1 full day.
• Support during the transition

2.2 Scope information

• The Samurai Onboarding service add-on, as defined above, is a fixed fee engagement. The engagement will not exceed 60 hours and additional service packages can be purchased to extend delivery.

3.5 - Table-Top Exercise Service Description

1. Introduction

When dealing with incidents, crisis, or disasters, one of the most imperative steps in the plan is to be properly prepared. Preparation plays a major part of incident handling as it enables organizations to improve efficiency of decision making in the heat of the moment during an attack, which leads to quicker recovery, minimizing impact and costs. It is also key for incident handlers to be able to act confidently and reduce the risk of making mistakes when carrying out their work throughout an incident.

One way to prepare for an incident and evaluate the documentation, processes and preparedness of the client’s participants is to carry out a Table-Top exercise with the goal of working through the scenario, with an open discussion in a collaborative low-stress environment. 

The output of the exercise is to develop the incident response capabilities. After the Table-Top exercise the participants will have gained an understanding for what their strengths and weaknesses are in terms of handling an incident properly, be able to update their documentation, revise their processes and train their personnel to enhance their incident response capabilities.

2. Table-Top Exercise

2.1 Visual Overview

2.2 Objectives

The exercise is conducted with the goal of improving client incident response readiness by evaluating processes, routines and documentation.

On a high level the objective is achieved through having the client’s participants test the incident response process in a “safe” environment without stress and through giving a detailed report which highlights points of improvements in the process.

Aim to have an answer to questions such as:

• Are there pre-defined roles and responsibilities and is the coverage sufficient for the incident scenario?
• Did the staff assigned to the roles have all permissions and privileges to handle the incident in a satisfactory fashion?
• Are the points of escalation and contacts documented and defined?
• When to isolate hosts on a network

2.3 Plan & Prepare

NTT will set up an initial meeting with the client to decide on suitable exercise scenarios based on the client’s wishes and NTT experts’ 20+ years of Threat Intelligence experience. The goal is to have a scenario tailored to be relevant to the client’s environment and needs, while revolving around handling incidents such as:

• Threat actors’ intrusions to deploy ransomware or steal intellectual property
• Nation-state attacks
• Insider-threats
• Successful phishing attempts
• User executing malware on corporate device

Where technical emphasis can be put on specific areas, for example:

• Workstations
• Domain-controllers
• Email-servers
• ICS/OT
• Office 365
• Cloud infrastructure

After the scoping call NTT will produce the material necessary for the scenario walkthrough.

2.4 Exercise Session

The Table-Top exercise is designed to fundamentally test the processes and routines that together are the basis for the incident response capability.

NTT experts will lead the client’s participants through the scenario, enable conversations to identify potential gaps in processes and documentation, helping to achieve an understanding of their respective strengths and weaknesses in the context of incident response. Taking the incident step by step, our consultant will walk you through the events as they unfold depending on your own incident response actions and detection capabilities.

The client’s participants will get time to discuss amongst themselves without NTT interaction to find their own genuine course of action if this were to be outside of a simulation. During the time of the scenario taking place, NTT experts will document and map out the decision making, points of escalation and threat hunting processes of the client’s participants.

2.5 Report

The reporting covers the scenario setup and walkthrough, in detail, to bring visibility to the incident response process in action during the specific engagement scenario, complete with an incident response checklist.

Analyzing the events, processes and decisions with the expertise of NTT personnel with the result of getting actionable points of improvement for the process and routines.

Moreover, comparing the incident response capability and process in the scenarios to established industry frameworks that are relevant for the scenario ensuring a benchmark to compare to global industry standards, for example, NIST 800-61 or MITRE ATT&CK.

The report can also be used to have a detailed look into how the process and routine of incident response can play out in a real-world scenario.

2.6 Scope information & Requirements

2.6.1 Requirements

NTT will require participants in the scenario session that own relevant functions within the incident response process, moreover the participants will have mandate to help choose relevant scenarios for the client’s purposes.

NTT will require an overview of the IT environment, e.g., what OS is running on endpoints, servers, geographical split of sites, high value assets, documented incident response process routine, relevant documentation and lastly, what are some of your currently known pain points that you wish to address and improve.

2.6.2 Scope Information

A standard Table-Top exercise is a fixed fee engagement that will not exceed 80 hours. An estimation of the distribution of effort is as follows for each step of the engagement:

For client’s that require a Table-Top exercise that goes beyond a standard scope of service (eg. extensive custom scenario use-cases, groups of participants, longer expected duration), a custom engagement can be scoped by the NTT team to accommodate as required.

Table-Top exercises are delivered remotely during business hours of central European time (CET).

4 - Superseded Documents

4.1 - Managed Detection & Response (MDR) Service Description (v1.0 2023-09-11)

This document has been superseded. For the latest version please click HERE.

1. Introduction

NTT’s Managed Detection and Response service builds on the capabilities of Samurai XDR to provide a Managed Detection and Response service which delivers cybersecurity insights, advanced threat detection, response, and protection capabilities via the ingestion of varied telemetry sources including cloud, network, compute and mobility sources. Supported telemetry combined with our proprietary Advanced Analytics, analyst threat hunting, and AI-based threat detection capabilities translate to faster, more accurate detections and most importantly reduced business risk.

NTT’s Managed Detection and Response service offers the sophisticated threat detection capabilities of the Samurai XDR platform along with, 24/7 threat monitoring, analyst-driven threat hunting, and comprehensive threat intelligence delivered by NTT’s Global Threat Intelligence Center. By combining the advanced analytics capability of the Samurai XDR platform with the expertise of the skilled analysts in the NTT SOC, threats are identified and separated from a large number of false positives typically generated by security technologies. 

Managed Detection and Response is a service that utilises security alerts along with relevant contextual information identified by the Samurai XDR platform. This information is analysed by a skilled Security Analyst, who engages in threat hunting and validation activities to verify the threat, its impact, and to identify additional information associated with a potential breach. Once the threat is validated, the Security Analyst creates a detailed Security Incident Report for the Client. The Security Incident Report includes a detailed description of the security incident combined with scenario-specific actionable response recommendations. This significantly assists in reducing the time taken for informed responsive measures, thereby, lowering associated risks.

2. Service Elements

Samurai Managed Detection and Response provides the Client with a service overlay which provides advanced detection and response capabilities delivered by skilled Security Analysts in the NTT Security Operations Center, leveraging the Samurai XDR platform. The Samurai Managed Detection and Response service provides a set of components which provide the Client with:

• Onboarding guidance
• Access to SOC Analysts
• Threat Intelligence
• Threat Detection and Investigation
• Threat Hunting
• Security Incident Reports
• Threat Response
• Service Management Portal and Service Reporting
• Incident Response
• Service Assurance through regular Threat Reviews

3. Onboarding

Onboarding of the Managed Detection and Response service commences with the activation of the Client’s Samurai XDR tenant. Activation of the Client’s tenant will provide the Client with instant access to Help Center online documentation and the access and instructions required in order to configure the Samurai XDR platform. This includes:

• Deploying Local Collector appliances;
• Connecting telemetry sources (including logs, enrichment and other data sources); and;
• Configuring integrations to client applications such as Endpoint Detection and Response, IT Service Management, and other cloud-based platforms.

Within two business days of activation, NTT will host a Managed Detection and Response introductory conference call with the Client. This meeting will explain the onboarding process and will include an overview of the Samurai XDR application and configuration steps to be completed by the Client. Follow-up progress calls may be scheduled to ensure setup progress and status.

Within fourteen days of activation a Samurai MDR orientation conference call will be held with the Client which upon completion, Service Delivery will begin. This meeting will outline what to expect from the service including how SOC analysts will interact with the Client, overview of Security Incident Reports and how to utilize the Samurai MDR.

For more details please visit the Samurai MDR Onboarding Guide.

4. Service Features

Samurai Managed Detection and Response provides the following service features:

4.1 Threat Detection

The Samurai XDR platform detects threats and suspicious behavior using the Samurai XDR AI Engine. The AI Engine makes use of a combination of traditional threat detection techniques, Advanced Analytics, machine learning and Threat Intelligence to detect sophisticated threats. To ensure service quality, NTT continuously makes detection-tuning decisions based on the validity and relevance of alerts and security incidents.

4.2 Threat Intelligence

The Global Threat Intelligence Center delivers Threat Intelligence, which enhances the Managed Detection and Response service. Additionally, the Managed Detection and Response service includes continuous Threat Intelligence updates driven by investigations of security incidents.

4.3 Dynamic Blocklist

The Dynamic Blocklist feature provides a real-time feed of curated Indicators of Compromise. The Client can configure supported devices, such as next generation firewalls and internet proxies, to receive the dynamic list to proactively block threats. IoCs are added to the Dynamic Blocklist on an ongoing basis. The Dynamic Blocklist option is available at no additional charge. Additional details can be found in the Dynamic Blocklist overview.

4.4 24/7 Security Analyst Interaction

The Managed Detection and Response service includes detailed security investigation of alerts detected via Samurai XDR by Security Analysts in NTT’s SOC. Investigation includes threat analysis and alert-driven threat hunting activities across the Client’s telemetry environment to provide validation and assessment of the malicious nature of a threat and its potential impact.

Security Analysts use the MITRE ATT&CK framework as a reference model in presenting the nature of a threat and assigning appropriate severity to identified security incidents.

The Managed Detection and Response service also provides validation of threats through vendor integration and evidence collection for selected security technologies, such as packet capture data (PCAP) and malware execution reports.

4.5 Investigations

When the Samurai XDR platform generates an alert indicating a potential threat, a SOC Analyst will begin an investigation. The investigation includes validating the presence of a threat via client telemetry and evidence data, threat intelligence, and other data and information sources within the Samurai XDR platform. Using this information and automation capabilities of the Samurai XDR platform, the analyst then determines the nature and extent of any compromise which may have occurred. Depending on the nature of the potential threat, activities conducted during the process of the investigation may include:

• Threat analysis.
• Alert-driven threat hunting across the Client’s telemetry data which has been ingested into Samurai XDR.
• Assessment of the malicious nature of a threat and its potential impact.
• Contextualisation of validated threats based on factors such as industry vertical and geopolitical context.
• Categorisation according to industry best practice frameworks including MITRE ATT&CK.
• Forensic analysis of telemetry data stored in Samurai XDR.
• Malware analysis; and
• Recommendation to the Client of a suggested response covering suggested next steps.

4.6 Security Incident Reports

If, as a result of an investigation, a threat is identified, the Security Analyst creates a Security Incident Report detailing the cybersecurity incident, including plain-language observations and incident mitigation and/or remediation recommendations.

Client notifications can be provided by phone or email based on severity:

• Critical severity; Phone / E-mail notifications.
• Low, Medium, High severity; E-mail notifications.

Clients requiring Phone notifications must provide NTT with a prioritized list of Client contacts.

4.7 Threat Hunting

Utilizing Client telemetry and evidence data, NTT will perform Threat Hunting to detect activities such as persistence mechanisms, application usage, network activity or the tactics and techniques and procedures (“TTPs”) of threat actors. When a threat is detected, a security analyst will create a security incident and notify the Client.

4.8 Threat Response

NTT will perform actions within the Samurai XDR platform on the Client’s behalf when an investigation results in the detection of a threat.

NTT will take actions to isolate compromised/malicious host Endpoints following Security Analyst incident validation. Remote isolation actions are performed using the isolation capabilities of the Client’s Endpoint Detection and Response (EDR) technology.

4.9 Samurai XDR Application and Help Center

Managed Detection and Response Clients have access to the Samurai XDR application, including self service features such as telemetry integration and collector configuration. Details of the functionality provided by the Samurai XDR platform can be found in the Samurai Help Center - online documentation.

In addition to the Samurai XDR application, Samurai Managed Detection and Response provides the client with access to the Samurai Help Center, which provides online access to:

• interact with us online by logging incidents and requests;
• view security incident reports;
• track, view and submit comments within incident and request tickets; and
• browse / search our knowledge base which contains online documentation for Samurai XDR and Managed Detection and Response.

Additional information regarding support for Samurai XDR and Samurai MDR can be found in our Support Policy.

4.10 Incident Response

The Incident Response add-on is a retainer which the Client may choose to utilize if the Client requires the NTT SOC to perform additional threat investigation activities. Clients can continue to leverage the services of the NTT SOC in instances where the severity of an incident justifies additional effort to perform tasks such as threat hunting, malware analysis or forensic analysis of data in Samurai XDR be performed.

This add-on provides the Client with the facility of additional post root-cause analysis to assist with containment of a threat.

The Incident Response retainer includes 40 hours per year. If the Client requires additional Incident Response beyond 40 hours, additional retainers of 40 hours can be purchased.

Incident Response effectiveness is enhanced with an installed and supported endpoint agent. If the client does not have a supported agent, NTT will work with the client to provision endpoint agents to support the investigation. For more information please read the detailed description of the Incident Response add-on.

4.11 Threat Reviews

Through a program of scheduled quarterly meetings, Threat Reviews will be conducted with the Client to derive maximum value from Samurai MDR.

Topics covered in the quarterly meetings include:

• Review service health.
• Review security incidents and how they provide insights into the Client’s security posture and attack surface; and
• Advising the Client regarding configuration of Samurai XDR to better meet the Client’s needs.

For clients that require a dedicated resource and monthly threat reviews, the Samurai Cybersecurity Advisor subscription is available as a chargeable add-on.

5. Client Responsibilities

Client is required to perform the following obligations below:

• assign a primary Point of Contact (POC) to work with NTT. Client will ensure that NTT’s records of all Client POCs are kept up to date and are accurate.

• ensure that all telemetry sources have connectivity required in order to interact with the Samurai XDR platform. This includes, but is not limited to, the ability to receive telemetry source feeds and evidence data and the ability as well as the ability to monitor and control any agents or virtual appliances installed in Client’s environment for the purpose of providing the service.

• ensure that endpoints falling under the scope of Samurai MDR have a supported endpoint agent installed in order to facilitate the gathering of telemetry and evidence data as well as providing the ability to perform remote isolation.

• provide knowledgeable technical staff and/or third-party resources to perform any configurations or software installations required in order for Client to consume the service. This includes, but is not limited to:

  • Configuration of connectivity.
  • Installation of Local Collector virtual appliances.
  • Provision of IP addressing required for any virtual appliances required in Client’s network; and
  • Configurations of cloud services required in order for Samurai XDR to receive telemetry from these services.

• perform all aspects of Service Onboarding, including the configuration of telemetry sources and configuration of Collectors to provide telemetry feeds to the Samurai XDR platform. Client will ensure that all source devices are compliant with the Samurai XDR platform configuration requirements and are running supported software and/or hardware versions.

• ensure that it does not utilise any technologies or configurations which block traffic, rotate logs or in any other way impede delivery of the service.

• procure all maintenance, support and licensing agreements with third-party vendors for all telemetry sources.

• comply with all the relevant data privacy, regulatory, and administrative laws, policies and procedures related to monitoring user traffic and communications.

• bring a threat, identified in a security incident report, to closure.

Failure to provide any of the service requirement information on a timely basis can result in delays in Service Onboarding and Service Delivery by NTT and NTT shall not be liable for any consequences of such delays.

6. Service Level Agreements

The Service Level Agreements (SLAs) listed in this section will become active once Onboarding of the Client is considered complete.

6.1 Availability

The Availability SLA is determined by the ability of the Client to access the Samurai XDR platform. This is measured by the ability of the Client to log into the Samurai XDR app.

NTT will use reasonable commercial means to ensure an availability of the Samurai XDR app of at least 99.9%. If the availability of the platform drops below this level, the Client may claim a Service Level Credit as set out in the table below:

6.2 Validated Security Incident Notification

NTT will analyze alerts and related available data sources on a 24/7 basis for signs of malicious activity which has bypassed preventative security controls.

If malicious activity is confirmed, NTT will determine the severity of the threat. For Security Incidents with a severity of high or critical NTT will provide an Incident Report within 30 minutes of determining the severity.

For Security Incidents with a severity of low or medium, NTT will endeavour to provide an Incident Report within 120 minutes of determining the severity.

If the creation of a security incident report in relation to an incident with a severity of high or critical takes longer than 30 minutes, the Client may claim a Service Level Credit as set out in the table below:

A Client may make a maximum of 1 claim against this service level per calendar day and per security incident.

6.3 Receiving Service Credits

To receive a Service Credit, the Client must open a ticket in the Samurai XDR app within 30 days of the incident for which the Client is claiming a Service Level Credit.

4.2 - Onboarding Managed Detection and Response (MDR) (v1.0 2023-09-11)

This document has been superseded. For the latest version please click HERE.

Overview

Welcome to NTT Security Holdings (NTTSH) and the Managed Detection and Response (MDR) Service Powered by Samurai XDR.

We have made onboarding simple and shall support you through each phase.

MDR Security Operations Center (SOC)

The SOC provide guidance and expertise during onboarding and service delivery, however it is important to understand the role and responsibilities of you and our team.

The SOC will be your main contact during onboarding and will schedule introduction and orientation calls with you to ensure your journey to MDR is problem free. You as a Client will still need to perform your responsible actions outlined in the rest of this document and specifically for onboarding MDR telemetry sources, unless you have purchased enhanced onboarding consulting services.

After your orientation meeting, MDR Service delivery begins. The SOC will schedule and conduct regular threat review meetings as outlined within the MDR Service Description to ensure you derive maximum value from the service.

Suggested Resources

During onboarding you will likely need to call upon various teams within your organization, we understand you may not have all of the appropriate roles but suggest the following:

Onboarding Phases

The image and table below outline the main phases of onboarding including responsibilities, resources and deliverables. 

Your Responsibilities

Below are your primary responsibilities during onboarding. Additional responsibilities may arise as needed to support aspects of the implementation that are unique to your specific environment(s):

• Create user accounts for additional users of the Samurai XDR application, maintain all user accounts, ensuring that contact information for each user is complete and accurate.
• Deploy the Samurai XDR Collector(s) and successfully configure required integrations.
• Configure and manage all resources required to support the deployment of Collector(s) - virtual / physical.
• Configure and maintain supported on-premises log sources and cloud integrations in line with Samurai XDR requirements.
• Ensure that all telemetry sources have connectivity required in order to interact with the Samurai XDR platform. This includes, but is not limited to, the ability to receive telemetry source feeds and evidence data as well as the ability to monitor and control any agents or virtual appliances installed in your environment for the purpose of providing the service.
• Respond to NTTSH communications in a timely manner and ensure attendance of the necessary resources for all meetings to ensure timely completion of onboarding and during service lifecycle.
• Bring a threat, identified in a security incident report, to closure.

Your overall responsibilities for the service can be found in the MDR Service Description.