Managed Detection and Response (MDR)

• 1: Managed Detection & Response (MDR) Service Description
• 2: MDR Security Incident Management
• 3: MDR Threat Reviews
• 4: Onboarding Managed Detection and Response (MDR)

1 - Managed Detection & Response (MDR) Service Description

1. Introduction

NTT’s Managed Detection and Response service builds on the capabilities of the Samurai platform to provide a Managed Detection and Response service which delivers cybersecurity insights, advanced threat detection, response, and protection capabilities via the ingestion of varied telemetry sources including cloud, network, compute and mobility sources. Supported telemetry combined with our proprietary Advanced Analytics, analyst threat hunting, and AI-based threat detection capabilities translate to faster, more accurate detections and most importantly reduced business risk.

NTT’s Managed Detection and Response service offers the sophisticated threat detection capabilities of the Samurai platform along with, 24/7 threat monitoring, analyst-driven threat hunting, and comprehensive threat intelligence delivered by NTT’s Global Threat Intelligence Center. By combining the advanced analytics capability of the Samurai platform with the expertise of the skilled analysts in the NTT SOC, threats are identified and separated from a large number of false positives typically generated by security technologies. 

Managed Detection and Response is a service that utilises security alerts along with relevant contextual information identified by the Samurai platform. This information is analysed by a skilled Security Analyst, who engages in threat hunting and validation activities to verify the threat, its impact, and to identify additional information associated with a potential breach. Once the threat is validated, the Security Analyst creates a detailed Security Incident Report for the Client. The Security Incident Report includes a detailed description of the security incident combined with scenario-specific actionable response recommendations. This significantly assists in reducing the time taken for informed responsive measures, thereby, lowering associated risks.

2. Service Elements

Samurai Managed Detection and Response provides the Client with a service overlay which provides advanced detection and response capabilities delivered by skilled Security Analysts in the NTT Security Operations Center, leveraging the Samurai platform. The Samurai Managed Detection and Response service provides a set of components which provide the Client with:

• Onboarding guidance
• Access to SOC Analysts
• Threat Intelligence
• Threat Detection and Investigation
• Threat Hunting
• Security Incident Reports
• Threat Response
• Service Management Portal and Service Reporting
• Incident Response
• Service Assurance through regular Threat Reviews

3. Onboarding

Onboarding of the Managed Detection and Response service commences with the activation of the Client’s Samurai tenant. Activation of the Client’s tenant will provide the Client with a link to online documentation and the access and instructions required in order to integrate with the Samurai platform. This includes:

• Deploying Local Collector appliances;
• Connecting telemetry sources (including logs, enrichment and other data sources); and;
• Configuring integrations to client applications such as Endpoint Detection and Response, network security controls and other cloud-based platforms.

Within two business days of activation, NTT will host a Managed Detection and Response introductory conference call with the Client. This meeting will explain the onboarding process and will include an overview of the Samurai MDR application and configuration steps to be completed by the Client. Follow-up progress calls may be scheduled to ensure setup progress and status.

Within fourteen days of activation a Samurai MDR orientation conference call will be held with the Client which upon completion, Service Delivery will begin. This meeting will outline what to expect from the service including how SOC analysts will interact with the Client, overview of Security Incident Reports and how to utilize the Samurai MDR.

For more details please visit the Samurai MDR Onboarding Guide.

4. Service Features

Samurai Managed Detection and Response provides the following service features:

4.1 Threat Detection

The Samurai platform detects threats and suspicious behavior using the Samurai AI Engine. The AI Engine makes use of a combination of traditional threat detection techniques, Advanced Analytics, machine learning and Threat Intelligence to detect sophisticated threats. To ensure service quality, NTT continuously makes detection-tuning decisions based on the validity and relevance of alerts and security incidents.

4.2 Threat Intelligence

The Global Threat Intelligence Center delivers Threat Intelligence, which enhances the Managed Detection and Response service. Additionally, the Managed Detection and Response service includes continuous Threat Intelligence updates driven by investigations of security incidents.

4.3 Dynamic Blocklist

The Dynamic Blocklist feature provides a real-time feed of curated Indicators of Compromise. The Client can configure supported devices, such as next generation firewalls and internet proxies, to receive the dynamic list to proactively block threats. IoCs are added to the Dynamic Blocklist on an ongoing basis. The Dynamic Blocklist option is available at no additional charge. Additional details can be found in the Dynamic Blocklist overview.

4.4 24/7 Security Analyst Interaction

The Managed Detection and Response service includes detailed security investigation of alerts detected via Samurai by Security Analysts in NTT’s SOC. Investigation includes threat analysis and threat hunting activities across the Client’s telemetry environment to provide validation and assessment of the malicious nature of a threat and its potential impact.

Security Analysts use the MITRE ATT&CK framework as a reference model in presenting the nature of a threat and assigning appropriate severity to identified security incidents.

The Managed Detection and Response service also provides validation of threats through vendor integration and evidence collection for selected security technologies, such as packet capture data (PCAP) and malware execution reports.

4.5 Investigations

When the Samurai platform generates an alert indicating a potential threat, a SOC Analyst will begin an investigation. The investigation includes validating the presence of a threat via client telemetry and evidence data, threat intelligence, and other data and information sources within the Samurai platform. Using this information and automation capabilities of the Samurai platform, the analyst then determines the nature and extent of any compromise which may have occurred. Depending on the nature of the potential threat, activities conducted during the process of the investigation may include:

• Threat analysis.
• Threat hunting across the Client’s telemetry data which has been ingested into the Samurai platform.
• Assessment of the malicious nature of a threat and its potential impact.
• Contextualisation of validated threats based on factors such as industry vertical and geopolitical context.
• Categorisation according to industry best practice frameworks including MITRE ATT&CK.
• Forensic analysis of telemetry data stored in the Samurai platform.
• Malware analysis; and
• Recommendation to the Client of a suggested response covering suggested next steps.

4.6 Security Incident Reports

If, as a result of an investigation, a threat is identified, the Security Analyst creates a Security Incident Report detailing the cybersecurity incident, including plain-language observations and incident mitigation and/or remediation recommendations.

Client notifications can be provided by phone or email based on severity:

• Critical severity; Phone / E-mail notifications.
• Low, Medium, High severity; E-mail notifications.

Clients requiring Phone notifications must provide NTT with a prioritized list of Client contacts.

4.7 Threat Hunting

Utilizing Client telemetry and evidence data, NTT will perform Threat Hunting to detect activities such as persistence mechanisms, application usage, network activity or the tactics and techniques and procedures (“TTPs”) of threat actors. When a threat is detected, a security analyst will create a security incident and notify the Client.

4.8 Threat Response

NTT can perform actions on the Client’s behalf when an investigation results in the detection of a threat.

NTT will take actions to isolate compromised/malicious host Endpoints following Security Analyst incident validation. Remote isolation actions are performed using the isolation capabilities of the Client’s Endpoint Detection and Response (EDR) technology.

4.9 Samurai MDR Application

Managed Detection and Response Clients have access to the Samurai MDR application, including self service features such as telemetry integration and collector configuration. Details of the functionality can be found in Samurai online documentation.

In addition to the Samurai MDR application, Samurai Managed Detection and Response provides the client with access to the Samurai Help Center, which provides online access to:

• interact with us online by logging incidents and requests;
• view security incident reports;
• track, view and submit comments within incident and request tickets; and
• browse / search our knowledge base which contains online documentation for the Samurai MDR service and application. 

Additional information regarding support can be found in our Support Policy.

4.10 Incident Response

The Incident Response add-on is a retainer which the Client may choose to utilize if the Client requires the NTT SOC to perform additional threat investigation activities. Clients can continue to leverage the services of the NTT SOC in instances where the severity of an incident justifies additional effort to perform tasks such as threat hunting, malware analysis or forensic analysis of data in the Samurai platform.

This add-on provides the Client with the facility of additional post root-cause analysis to assist with containment of a threat.

The Incident Response retainer includes 40 hours per year. If the Client requires additional Incident Response beyond 40 hours, additional retainers of 40 hours can be purchased.

Incident Response effectiveness is enhanced with an installed and supported endpoint agent. If the client does not have a supported agent, NTT will work with the client to provision endpoint agents to support the investigation. For more information please read the detailed description of the Incident Response add-on.

4.11 Threat Reviews

Through a program of scheduled quarterly meetings, Threat Reviews will be conducted with the Client to derive maximum value from Samurai MDR.

Topics covered in the quarterly meetings include:

• Review service health.
• Review security incidents and how they provide insights into the Client’s security posture and attack surface; and
• Advising the Client regarding configuration of Samurai to better meet the Client’s needs.

For clients that require a dedicated resource and monthly threat reviews, the Samurai Cybersecurity Advisor subscription is available as a chargeable add-on.

5. Client Responsibilities

Client is required to perform the following obligations below:

• assign a primary Point of Contact (POC) to work with NTT. Client will ensure that NTT’s records of all Client POCs are kept up to date and are accurate.

• ensure that all telemetry sources have connectivity required in order to interact with the Samurai platform. This includes, but is not limited to, the ability to receive telemetry source feeds and evidence data and the ability as well as the ability to monitor and control any agents or virtual appliances installed in Client’s environment for the purpose of providing the service.

• ensure that endpoints falling under the scope of Samurai MDR have a supported endpoint agent installed in order to facilitate the gathering of telemetry and evidence data as well as providing the ability to perform remote isolation.

• provide knowledgeable technical staff and/or third-party resources to perform any configurations or software installations required in order for Client to consume the service. This includes, but is not limited to:

  • Configuration of connectivity.
  • Installation of Local Collector virtual appliances.
  • Provision of IP addressing required for any virtual appliances required in Client’s network; and
  • Configurations of cloud services required in order for the Samurai platformto receive telemetry from these services.

• perform all aspects of Service Onboarding, including the configuration of telemetry sources and configuration of Collectors to provide telemetry feeds to the Samurai platform. Client will ensure that all source devices are compliant with the Samurai platform configuration requirements and are running supported software and/or hardware versions.

• ensure that it does not utilise any technologies or configurations which block traffic, rotate logs or in any other way impede delivery of the service.

• procure all maintenance, support and licensing agreements with third-party vendors for all telemetry sources.

• comply with all the relevant data privacy, regulatory, and administrative laws, policies and procedures related to monitoring user traffic and communications.

• bring a threat, identified in a security incident report, to closure.

Failure to provide any of the service requirement information on a timely basis can result in delays in Service Onboarding and Service Delivery by NTT and NTT shall not be liable for any consequences of such delays.

6. Service Level Agreements

The Service Level Agreements (SLAs) listed in this section will become active once Onboarding of the Client is considered complete.

6.1 Availability

The Availability SLA is determined by the ability of the Client to access the Samurai MDR platform. This is measured by the ability of the Client to log into the Samurai MDR application.

NTT will use reasonable commercial means to ensure an availability of the Samurai MDR app of at least 99.9%. If the availability of the platform drops below this level, the Client may claim a Service Level Credit as set out in the table below:

6.2 Validated Security Incident Notification

NTT will analyze alerts and related available data sources on a 24/7 basis for signs of malicious activity which has bypassed preventative security controls.

If malicious activity is confirmed, NTT will determine the severity of the threat. For Security Incidents with a severity of high or critical NTT will provide an Incident Report within 30 minutes of determining the severity.

For Security Incidents with a severity of low or medium, NTT will endeavor to provide an Incident Report within 120 minutes of determining the severity.

If the creation of a security incident report in relation to an incident with a severity of high or critical takes longer than 30 minutes, the Client may claim a Service Level Credit as set out in the table below:

A Client may make a maximum of 1 claim against this service level per calendar day and per security incident.

6.3 Receiving Service Credits

To receive a Service Credit, the Client must open a ticket via the Samurai MDR app within 30 days of the incident for which the Client is claiming a Service Level Credit.

2 - MDR Security Incident Management

Overview

The MDR Security Incident Management process is designed to address reported threats that pose a risk to a client’s environment and to ensure appropriate handling. When the Security Operations Center (SOC) create a Security Incident, it will remain open until the client reports back that the threat had been handled, risk mitigated and closure request submitted.

The more information included in a Security Incident, the easier it will be for a client’s security staff to understand and mitigate the threat, therefore the SOC create a detailed Security Incident viewable within the Samurai MDR web application and downloadable in PDF format as required. The SOC also recommend you provide feedback of your incident handling as this could improve future security incidents from the SOC and your own handling of them. 

Below is a description of how the SOC performs Security Incident Management when relevant threats are detected and how the Security Incident life-cycle is managed.

Security Incident life-cycle 

The Security Incident Management process starts with an alert from a High Value Detection source (EDR, IDS/IPS, NG-FW, CTS, etc.) or from NTT Security Log Analytics engine RTCE (Real Time Correlation Engine). In both cases, the alert is presented to the the Analyst in the Samurai platform. Another possible trigger for the Security Incident management process could relate to a known high risk global Security Incident or threat, for example Log4shell or SolarWinds. In this instance, the Analyst conducts Retroactive Hunting in available telemetry data to search for indicators of compromise (IOCs) and determine if a client has been affected by the newly discovered global threat. 

Once the Analyst receives an alert, they will start to analyze the threat through an investigation process that includes reviewing AI/ML correlations and threat hunting across all telemetry data and older Security Incidents. In some cases, the Analyst will also try to recreate the threat in the SOC malware lab.

The analysis phase can be time-consuming, but the purpose is to find attack vectors to first verify how the attack has affected the client and how the threat can be mitigated. The more detail known about a threat, the easier it will be to mitigate. However, if the SOC observes that the threat is actively damaging client systems or leaking client data, an initial and expedited Security Incident will be created to inform the client so that client assets can be protected. The SOC will then update the initial Security Incident with all needed threat details. 

Security Incident Management

When a new Security Incident is created it will be made available within the Samurai MDR web application and an automated email notification is sent to predefined email addresses (collected during the MDR onboarding phase). The email will contain key information such as severity, title, reference ID and a link to the Security Incident within the Samurai MDR web application. The initial Security Incident Status is set to Awaiting feedback. If the Security Incident severity is critical, the SOC will also call the client. 

When creating the Security Incident, the SOC may perform remote isolation of infected client endpoints using the client’s Endpoint Detection and Response (EDR) platform. The SOC will also include a recommendation whether the client should engage your Incident Response Team (either you have an internal team, NTT is providing or a 3rd party). If further remediation is required the client can also engage the NTT Incident Response Team.

Once the client is informed by a notification email (or telephone call if severity is critical), the Security Incident will enter the handling phase.

The SOC will also include recommendation (actions) for the client to perform. Additional questions can be asked by the client in the Security Incident Situation Room communication channel (Click to read more) Type feedback or comments/questions, in the communications channel and click ‘Send message’.

Once the client clicks ‘Send message’, the Security Incident status is updated to Awaiting SOC, meaning the next action is on the SOC. The SOC will respond to your question or feedback. You may still add feedback and questions even if the status is Awaiting SOC and next actions will remain with the SOC.

It is important to ensure that any critical or high severity Security Incidents progress towards closure, therefore you are advised to keep the SOC updated and respond in a timely manner when the status is Awaiting feedback.

As long as the SOC is working on a response to your questions, the Security Incident status will remain as Awaiting SOC. When the SOC responds, the status will be updated to Awaiting feedback. If the SOC detects that a new or existing threat re-emerges or there is new vital information, the Security Incident will be updated, a new revision created and a notification emailed to you.

Closure

When the risk has been mitigated or the client has accepted the risk (e.g. managing the threat), the client can request the Security Incident to be closed via the Security Incident Situation Room. This decision is based on the client’s assessment that sufficient action to mitigate the risk has been taken and is now comfortable with closure of the Security Incident. In the event the SOC receive feedback to close the request during an open investigation, confirmation of the request will be included in the ticket details.

Non-closure

If the SOC does not receive a closure request from the client, the security incident will be kept active and in an Awaiting feedback status. The SOC will present and go through all of the non-closed security incidents during the regular Threat Review Meetings. This to ensure client handling of all reported threats and risks, If the SOC has received no feedback, this could mean that the threat is still present and active, despite being reported months ago.

3 - MDR Threat Reviews

The Managed Detection and Response (MDR) service will detect, respond and report relevant threats that pose a risk to a client, but it is the client’s responsibility to bring the risk to closure. To help the client with this, a program of quarterly threat reviews is included with the MDR service.

For clients that require a dedicated resource and monthly threat reviews, the Samurai Cybersecurity Advisor add-on subscription is available for an additional fee. 

The key focus of threat reviews is to help MDR clients get the most value from the service, reduce business risk based on security incidents reported, and ensure security incidents are handled appropriately.

Through regular threat reviews, a client will:

• be trained and educated to understand threats and risks reported by the MDR service,
• be provided recommendations to improve detection and response, and
• receive follow-up to ensure that reported threats and risks are handled and mitigated.

The threat review program is initiated at the time of onboarding. During the orientation call the quarterly meetings will be scheduled for the remainder of the contract period. Please review Onboarding Managed Detection and Response (MDR) for further details.

The threat review meetings are scheduled during business hours within central European time (CET) and conducted by an MDR analyst who is or has been part of 24/7 MDR service delivery. This resource is not a dedicated resource per client but is a shared responsibility for analysts within our Security Operations Center (SOC). With access to the SOC workbench and a client’s Samurai tenant our analysts have detailed knowledge of potential threats and risks, and skills to perform searches and hunts.

The MDR service will detect and respond to relevant threats that pose a risk. These threats are reported via Security Incident Reports. It is the client’s responsibility to handle and bring the risk to closure. All actions related to the handling of the security incident will be performed through the 24/7 MDR service and not during threat reviews. We understand that threats and risks can often be difficult to understand, our recommendations can often mitigate risk, however our aim during threat reviews is to enable clients to fully understand the risk so they can stay proactive, mitigate root cause, and avoid future security incidents. Hence during a threat review meeting we will present reported security incidents to a client and their stakeholders outlining the threats reported and risks posed. 

We will also maintain and update a detection and response improvement list through the entire lifecycle of the MDR service. The improvement list focuses on suggestions that will improve detection of threats e.g. new systems that should be onboarded into the MDR service, or could also include actions that either the client, the SOC or NTT Security Holdings need to take in relation to improving threat detection and response. The ultimate benefit of this process to the client is an improved security posture.

Threat reviews will also follow up on any actions performed by a client after a Security Incident was reported. This will help to confirm that the client was able to take suitable actions based on the threat identified. Depending on the client’s security posture and risk profile, the client may either take mitigation actions that remove the threat or decide to accept risk. Clients should provide feedback on the reported Security Incident and the actions taken as it enables the 24/7 MDR service to verify if the threat was removed or if still present after any actions. During Threat Review meetings we will work through these actions with the client so that the client handling time for any subsequent Security Incident will decrease, reducing risk exposure time.

If a client has any general questions or requests related to the MDR service and/or how to detect and respond to threats not related to a reported Security Incident, a request can be raised via the Samurai MDR application, and be handled by the Threat Review team.

4 - Onboarding Managed Detection and Response (MDR)

Overview

Welcome to NTT Security Holdings (NTTSH) and the Managed Detection and Response (MDR) Service Powered by our Samurai platform.

We have made onboarding simple and shall support you through each phase.

MDR Security Operations Center (SOC)

The SOC provide guidance and expertise during onboarding and service delivery, however it is important to understand the role and responsibilities of you and our team.

The SOC will be your main contact during onboarding and will schedule introduction and orientation calls with you to ensure your journey to MDR is problem free. You as a Client will still need to perform your responsible actions outlined in the rest of this document and specifically for onboarding MDR telemetry sources, unless you have purchased Samurai Onboarding.

After your orientation meeting, MDR Service delivery begins. The SOC will schedule and conduct regular threat review meetings as outlined within the MDR Service Description to ensure you derive maximum value from the service.

Suggested Resources

During onboarding you will likely need to call upon various teams within your organization, we understand you may not have all of the appropriate roles but suggest the following:

Onboarding Phases

The image and table below outline the main phases of onboarding including responsibilities, resources and deliverables. 

Your Responsibilities

Below are your primary responsibilities during onboarding. Additional responsibilities may arise as needed to support aspects of the implementation that are unique to your specific environment(s):

• Create user accounts for additional users of the Samurai MDR application, maintain all user accounts, ensuring that contact information for each user is complete and accurate.
• Deploy Samurai Collector(s) and successfully configure required integrations.
• Configure and manage all resources required to support the deployment of Collector(s) - virtual / physical.
• Configure and maintain supported on-premises log sources and cloud integrations in line with Samurai MDR requirements.
• Ensure that all telemetry sources have connectivity required in order to interact with the Samurai platform. This includes, but is not limited to, the ability to receive telemetry source feeds and evidence data as well as the ability to monitor and control any agents or virtual appliances installed in your environment for the purpose of providing the service.
• Respond to NTTSH communications in a timely manner and ensure attendance of the necessary resources for all meetings to ensure timely completion of onboarding and during service lifecycle.
• Bring a threat, identified in a security incident report, to closure.

Your overall responsibilities for the service can be found in the MDR Service Description.