Superseded Documents
1 - Managed Detection & Response (MDR) Service Description (v1.0 2023-09-11)
This document has been superseded. For the latest version please click HERE.
1. Introduction
NTT’s Managed Detection and Response service builds on the capabilities of Samurai XDR to provide a Managed Detection and Response service which delivers cybersecurity insights, advanced threat detection, response, and protection capabilities via the ingestion of varied telemetry sources including cloud, network, compute and mobility sources. Supported telemetry combined with our proprietary Advanced Analytics, analyst threat hunting, and AI-based threat detection capabilities translate to faster, more accurate detections and most importantly reduced business risk.
NTT’s Managed Detection and Response service offers the sophisticated threat detection capabilities of the Samurai XDR platform along with 24/7 threat monitoring, analyst-driven threat hunting, and comprehensive threat intelligence delivered by NTT’s Global Threat Intelligence Center. By combining the advanced analytics capability of the Samurai XDR platform with the expertise of the skilled analysts in the NTT SOC, threats are identified and separated from the large number of false positives typically generated by security technologies.
Managed Detection and Response is a service that utilises security alerts along with relevant contextual information identified by the Samurai XDR platform. This information is analysed by a skilled Security Analyst, who engages in threat hunting and validation activities to verify the threat, its impact, and to identify additional information associated with a potential breach. Once the threat is validated, the Security Analyst creates a detailed Security Incident Report for the Client. The Security Incident Report includes a detailed description of the security incident combined with scenario-specific actionable response recommendations. This significantly reduces the time taken for informed responsive measures, thereby lowering associated risks.
2. Service Elements
Samurai Managed Detection and Response is a service overlay that gives the Client advanced detection and response capabilities delivered by skilled Security Analysts in the NTT Security Operations Center, leveraging the Samurai XDR platform. The service comprises a set of components which provide the Client with:
- Onboarding guidance
- Access to SOC Analysts
- Threat Intelligence
- Threat Detection and Investigation
- Threat Hunting
- Security Incident Reports
- Threat Response
- Service Management Portal and Service Reporting
- Incident Response
- Service Assurance through regular Threat Reviews
3. Onboarding
Onboarding of the Managed Detection and Response service commences with the activation of the Client’s Samurai XDR tenant. Activation of the Client’s tenant will provide the Client with instant access to Help Center online documentation and the access and instructions required in order to configure the Samurai XDR platform. This includes:
- Deploying Local Collector appliances;
- Connecting telemetry sources (including logs, enrichment and other data sources); and
- Configuring integrations to client applications such as Endpoint Detection and Response, IT Service Management, and other cloud-based platforms.
Within two business days of activation, NTT will host a Managed Detection and Response introductory conference call with the Client. This meeting will explain the onboarding process and will include an overview of the Samurai XDR application and configuration steps to be completed by the Client. Follow-up progress calls may be scheduled to ensure setup progress and status.
Within fourteen days of activation, a Samurai MDR orientation conference call will be held with the Client; upon its completion, Service Delivery will begin. This meeting will outline what to expect from the service, including how SOC analysts will interact with the Client, an overview of Security Incident Reports and how to utilize Samurai MDR.
For more details please visit the Samurai MDR Onboarding Guide.
4. Service Features
Samurai Managed Detection and Response provides the following service features:
4.1 Threat Detection
The Samurai XDR platform detects threats and suspicious behavior using the Samurai XDR AI Engine. The AI Engine makes use of a combination of traditional threat detection techniques, Advanced Analytics, machine learning and Threat Intelligence to detect sophisticated threats. To ensure service quality, NTT continuously makes detection-tuning decisions based on the validity and relevance of alerts and security incidents.
4.2 Threat Intelligence
The Global Threat Intelligence Center delivers Threat Intelligence, which enhances the Managed Detection and Response service. Additionally, the Managed Detection and Response service includes continuous Threat Intelligence updates driven by investigations of security incidents.
4.3 Dynamic Blocklist
The Dynamic Blocklist feature provides a real-time feed of curated Indicators of Compromise. The Client can configure supported devices, such as next generation firewalls and internet proxies, to receive the dynamic list to proactively block threats. IoCs are added to the Dynamic Blocklist on an ongoing basis. The Dynamic Blocklist option is available at no additional charge. Additional details can be found in the Dynamic Blocklist overview.
4.4 24/7 Security Analyst Interaction
The Managed Detection and Response service includes detailed security investigation of alerts detected via Samurai XDR by Security Analysts in NTT’s SOC. Investigation includes threat analysis and alert-driven threat hunting activities across the Client’s telemetry environment to provide validation and assessment of the malicious nature of a threat and its potential impact.
Security Analysts use the MITRE ATT&CK framework as a reference model in presenting the nature of a threat and assigning appropriate severity to identified security incidents.
The Managed Detection and Response service also provides validation of threats through vendor integration and evidence collection for selected security technologies, such as packet capture data (PCAP) and malware execution reports.
4.5 Investigations
When the Samurai XDR platform generates an alert indicating a potential threat, a SOC Analyst will begin an investigation. The investigation includes validating the presence of a threat via client telemetry and evidence data, threat intelligence, and other data and information sources within the Samurai XDR platform. Using this information and automation capabilities of the Samurai XDR platform, the analyst then determines the nature and extent of any compromise which may have occurred. Depending on the nature of the potential threat, activities conducted during the process of the investigation may include:
- Threat analysis.
- Alert-driven threat hunting across the Client’s telemetry data which has been ingested into Samurai XDR.
- Assessment of the malicious nature of a threat and its potential impact.
- Contextualisation of validated threats based on factors such as industry vertical and geopolitical context.
- Categorisation according to industry best practice frameworks including MITRE ATT&CK.
- Forensic analysis of telemetry data stored in Samurai XDR.
- Malware analysis; and
- Recommendation to the Client of a suggested response covering suggested next steps.
4.6 Security Incident Reports
If, as a result of an investigation, a threat is identified, the Security Analyst creates a Security Incident Report detailing the cybersecurity incident, including plain-language observations and incident mitigation and/or remediation recommendations.
Client notifications can be provided by phone or email based on severity:
- Critical severity: Phone / E-mail notifications.
- Low, Medium, High severity: E-mail notifications.
Clients requiring Phone notifications must provide NTT with a prioritized list of Client contacts.
4.7 Threat Hunting
Utilizing Client telemetry and evidence data, NTT will perform Threat Hunting to detect activities such as persistence mechanisms, application usage, network activity or the tactics, techniques and procedures (“TTPs”) of threat actors. When a threat is detected, a security analyst will create a security incident and notify the Client.
4.8 Threat Response
NTT will perform actions within the Samurai XDR platform on the Client’s behalf when an investigation results in the detection of a threat.
NTT will take actions to isolate compromised/malicious host Endpoints following Security Analyst incident validation. Remote isolation actions are performed using the isolation capabilities of the Client’s Endpoint Detection and Response (EDR) technology.
4.9 Samurai XDR Application and Help Center
Managed Detection and Response Clients have access to the Samurai XDR application, including self service features such as telemetry integration and collector configuration. Details of the functionality provided by the Samurai XDR platform can be found in the Samurai Help Center - online documentation.
In addition to the Samurai XDR application, Samurai Managed Detection and Response provides the client with access to the Samurai Help Center, which provides online access to:
- interact with us online by logging incidents and requests;
- view security incident reports;
- track, view and submit comments within incident and request tickets; and
- browse / search our knowledge base which contains online documentation for Samurai XDR and Managed Detection and Response.
Additional information regarding support for Samurai XDR and Samurai MDR can be found in our Support Policy.
4.10 Incident Response
The Incident Response add-on is a retainer which the Client may choose to utilize if the Client requires the NTT SOC to perform additional threat investigation activities. Clients can continue to leverage the services of the NTT SOC in instances where the severity of an incident justifies additional effort to perform tasks such as threat hunting, malware analysis or forensic analysis of data in Samurai XDR.
This add-on provides the Client with the facility of additional post root-cause analysis to assist with containment of a threat.
The Incident Response retainer includes 40 hours per year. If the Client requires additional Incident Response beyond 40 hours, additional retainers of 40 hours can be purchased.
Incident Response effectiveness is enhanced with an installed and supported endpoint agent. If the client does not have a supported agent, NTT will work with the client to provision endpoint agents to support the investigation. For more information please read the detailed description of the Incident Response add-on.
4.11 Threat Reviews
Through a program of scheduled quarterly meetings, Threat Reviews will be conducted with the Client to derive maximum value from Samurai MDR.
Topics covered in the quarterly meetings include:
- Review service health.
- Review security incidents and how they provide insights into the Client’s security posture and attack surface; and
- Advise the Client regarding configuration of Samurai XDR to better meet the Client’s needs.
For clients that require a dedicated resource and monthly threat reviews, the Samurai Cybersecurity Advisor subscription is available as a chargeable add-on.
5. Client Responsibilities
The Client is required to perform the following obligations:
- assign a primary Point of Contact (POC) to work with NTT. Client will ensure that NTT’s records of all Client POCs are kept up to date and are accurate.
- ensure that all telemetry sources have connectivity required in order to interact with the Samurai XDR platform. This includes, but is not limited to, the ability to receive telemetry source feeds and evidence data as well as the ability to monitor and control any agents or virtual appliances installed in Client’s environment for the purpose of providing the service.
- ensure that endpoints falling under the scope of Samurai MDR have a supported endpoint agent installed in order to facilitate the gathering of telemetry and evidence data as well as providing the ability to perform remote isolation.
- provide knowledgeable technical staff and/or third-party resources to perform any configurations or software installations required in order for Client to consume the service. This includes, but is not limited to:
  - Configuration of connectivity.
  - Installation of Local Collector virtual appliances.
  - Provision of IP addressing required for any virtual appliances required in Client’s network; and
  - Configurations of cloud services required in order for Samurai XDR to receive telemetry from these services.
- perform all aspects of Service Onboarding, including the configuration of telemetry sources and configuration of Collectors to provide telemetry feeds to the Samurai XDR platform. Client will ensure that all source devices are compliant with the Samurai XDR platform configuration requirements and are running supported software and/or hardware versions.
- ensure that it does not utilise any technologies or configurations which block traffic, rotate logs or in any other way impede delivery of the service.
- procure all maintenance, support and licensing agreements with third-party vendors for all telemetry sources.
- comply with all the relevant data privacy, regulatory, and administrative laws, policies and procedures related to monitoring user traffic and communications.
- bring a threat, identified in a security incident report, to closure.
Failure to provide any of the service requirement information on a timely basis can result in delays in Service Onboarding and Service Delivery by NTT and NTT shall not be liable for any consequences of such delays.
6. Service Level Agreements
The Service Level Agreements (SLAs) listed in this section will become active once Onboarding of the Client is considered complete.
6.1 Availability
The Availability SLA is determined by the ability of the Client to access the Samurai XDR platform. This is measured by the ability of the Client to log into the Samurai XDR app.
NTT will use reasonable commercial means to ensure an availability of the Samurai XDR app of at least 99.9%. If the availability of the platform drops below this level, the Client may claim a Service Level Credit as set out in the table below:
Application Availability | Credit as a percentage of monthly Managed Detection and Response fee |
---|---|
99.9% - 100.0% | 0% |
95.0% - 99.9% | 1% |
Less than 95% | 10% |
6.2 Validated Security Incident Notification
NTT will analyze alerts and related available data sources on a 24/7 basis for signs of malicious activity which has bypassed preventative security controls.
If malicious activity is confirmed, NTT will determine the severity of the threat. For Security Incidents with a severity of high or critical, NTT will provide an Incident Report within 30 minutes of determining the severity.
For Security Incidents with a severity of low or medium, NTT will endeavour to provide an Incident Report within 120 minutes of determining the severity.
If the creation of a security incident report in relation to an incident with a severity of high or critical takes longer than 30 minutes, the Client may claim a Service Level Credit as set out in the table below:
Time taken to create a security incident report | Credit as a percentage of monthly Managed Detection and Response fee |
---|---|
Less than 30 minutes | 0% |
31 to 300 minutes | 1% |
Over 300 minutes | 5% |
A Client may make a maximum of 1 claim against this service level per calendar day and per security incident.
6.3 Receiving Service Credits
To receive a Service Credit, the Client must open a ticket in the Samurai XDR app within 30 days of the incident for which the Client is claiming a Service Level Credit.
2 - Onboarding Managed Detection and Response (MDR) (v1.0 2023-09-11)
This document has been superseded. For the latest version please click HERE.
Overview
Welcome to NTT Security Holdings (NTTSH) and the Managed Detection and Response (MDR) Service Powered by Samurai XDR.
We have made onboarding simple and shall support you through each phase.
MDR Security Operations Center (SOC)
The SOC provides guidance and expertise during onboarding and service delivery; however, it is important to understand the roles and responsibilities of you and our team.
The SOC will be your main contact during onboarding and will schedule introduction and orientation calls with you to ensure your journey to MDR is problem free. As a Client, you will still need to perform the actions you are responsible for, as outlined in the rest of this document, and specifically the onboarding of MDR telemetry sources, unless you have purchased enhanced onboarding consulting services.
After your orientation meeting, MDR Service delivery begins. The SOC will schedule and conduct regular threat review meetings as outlined within the MDR Service Description to ensure you derive maximum value from the service.
Suggested Resources
During onboarding you will likely need to call upon various teams within your organization. We understand you may not have all of the appropriate roles, but suggest the following:
Role/Function | Responsibility |
---|---|
Chief Information Security Officer (CISO) | Awareness of the service and how it functions to drive handling of security incidents reported |
Security Operations Engineer | Management and administration of the Samurai XDR Application |
System Administrator | Deployment of Collector(s) |
Network Engineer | Configuration of supported integrations, configuration of access control rules as required by Collector and integration |
Security Manager | Integration of Samurai MDR into your organization’s security practice and operating processes |
Project Manager | Initiating, planning, executing, controlling and closing work of your teams to achieve onboarding |
Onboarding Phases
The image and table below outline the main phases of onboarding including responsibilities, resources and deliverables.
Phase | NTTSH responsibilities | Client responsibilities | NTTSH Resource/Deliverable |
---|---|---|---|
Activation | * Send an activation email with instructions for accessing the Samurai XDR application (Contract term and client billing commences upon login) | * Activate Samurai XDR application | * Sales contact * Access to Samurai XDR application |
Introduction Meeting (within 2 days of Samurai XDR application activation) | * Schedule and conduct introductory meeting which includes: * Welcome and introduction to the MDR service * Overview of the Samurai XDR platform * Overview of setup/configuration steps and resources * Gather pertinent information (notification contacts) * Answer any questions/queries | * Attend scheduled introductory meeting * Review online documentation * Add additional Samurai XDR application users as required * Determine notification contact points and call list (this should be provided 7 days after intro call) | * SOC * Samurai XDR application |
Setup | * Respond and assist with any issues raised | * Configure and deploy collectors * Configure integrations * Configure telemetry sources * Raise any issues via ticket | * Samurai XDR application |
MDR Service Delivery: Orientation Meeting (within 14 days of introduction meeting) | * Schedule and conduct MDR orientation conference call to include: * What to expect – how SOC analysts interact with you * Overview of Security Incident Reports * Support/Help resources * Schedule Threat Review meetings | * Complete necessary Setup * Attend scheduled orientation call | * SOC * 24/7 monitoring and investigation of threats detected via Samurai XDR by Security Analysts * Security Incident Report(s) as a result of our SOC Analyst investigation(s) with recommendations * Security Incident notification options selected by you * Access to Samurai XDR application to conduct your own threat investigations and threat hunts (outside MDR service delivery) if desired * Regular Threat Review meetings * Access to Incident Response retainer (if purchased) |
Threat Review (Quarterly during MDR Service Delivery) | * Schedule regular Threat Review meetings which include: * Security Incident Management * Notable incidents during period * Review and ensure progress on any open Security Incidents * MDR scope reviews * Metrics (volume) * Implemented log sources * Improvements * Detection and response improvement recommendations | * Attend scheduled Threat Review meetings | * SOC |
Incident Response (IR) retainer (option) | * Response to IR - analyst engagement, e.g. hunting, malware analysis | * Invoke IR as needed via ticket | * IR response |
Your Responsibilities
Below are your primary responsibilities during onboarding. Additional responsibilities may arise as needed to support aspects of the implementation that are unique to your specific environment(s):
- Create user accounts for additional users of the Samurai XDR application and maintain all user accounts, ensuring that contact information for each user is complete and accurate.
- Deploy the Samurai XDR Collector(s) and successfully configure required integrations.
- Configure and manage all resources required to support the deployment of Collector(s) - virtual / physical.
- Configure and maintain supported on-premises log sources and cloud integrations in line with Samurai XDR requirements.
- Ensure that all telemetry sources have connectivity required in order to interact with the Samurai XDR platform. This includes, but is not limited to, the ability to receive telemetry source feeds and evidence data as well as the ability to monitor and control any agents or virtual appliances installed in your environment for the purpose of providing the service.
- Respond to NTTSH communications in a timely manner and ensure attendance of the necessary resources for all meetings to ensure timely completion of onboarding and during service lifecycle.
- Bring a threat, identified in a security incident report, to closure.
Your overall responsibilities for the service can be found in the MDR Service Description.