Managed Detection & Response (MDR) Service Description (v1.0 2023-09-11)
This document has been superseded; a later version is available.
1. Introduction
NTT’s Managed Detection and Response service builds on the capabilities of Samurai XDR to provide a Managed Detection and Response service which delivers cybersecurity insights, advanced threat detection, response, and protection capabilities via the ingestion of varied telemetry sources including cloud, network, compute and mobility sources. Supported telemetry combined with our proprietary Advanced Analytics, analyst threat hunting, and AI-based threat detection capabilities translate to faster, more accurate detections and most importantly reduced business risk.
NTT’s Managed Detection and Response service offers the sophisticated threat detection capabilities of the Samurai XDR platform along with, 24/7 threat monitoring, analyst-driven threat hunting, and comprehensive threat intelligence delivered by NTT’s Global Threat Intelligence Center. By combining the advanced analytics capability of the Samurai XDR platform with the expertise of the skilled analysts in the NTT SOC, threats are identified and separated from a large number of false positives typically generated by security technologies.
Managed Detection and Response is a service that utilises security alerts along with relevant contextual information identified by the Samurai XDR platform. This information is analysed by a skilled Security Analyst, who engages in threat hunting and validation activities to verify the threat, its impact, and to identify additional information associated with a potential breach. Once the threat is validated, the Security Analyst creates a detailed Security Incident Report for the Client. The Security Incident Report includes a detailed description of the security incident combined with scenario-specific actionable response recommendations. This significantly assists in reducing the time taken for informed responsive measures, thereby, lowering associated risks.
2. Service Elements
Samurai Managed Detection and Response is a service overlay that delivers advanced detection and response capabilities through skilled Security Analysts in the NTT Security Operations Center, leveraging the Samurai XDR platform. The service consists of a set of components which provide the Client with:
- Onboarding guidance
- Access to SOC Analysts
- Threat Intelligence
- Threat Detection and Investigation
- Threat Hunting
- Security Incident Reports
- Threat Response
- Service Management Portal and Service Reporting
- Incident Response
- Service Assurance through regular Threat Reviews
3. Onboarding
Onboarding of the Managed Detection and Response service commences with the activation of the Client’s Samurai XDR tenant. Activation of the Client’s tenant will provide the Client with instant access to Help Center online documentation and the access and instructions required to configure the Samurai XDR platform. This includes:
- Deploying Local Collector appliances;
- Connecting telemetry sources (including logs, enrichment and other data sources); and
- Configuring integrations to client applications such as Endpoint Detection and Response, IT Service Management, and other cloud-based platforms.
Within two business days of activation, NTT will host a Managed Detection and Response introductory conference call with the Client. This meeting will explain the onboarding process and will include an overview of the Samurai XDR application and the configuration steps to be completed by the Client. Follow-up progress calls may be scheduled to track setup progress and status.
Within fourteen days of activation, a Samurai MDR orientation conference call will be held with the Client; Service Delivery begins upon its completion. This meeting will outline what to expect from the service, including how SOC analysts will interact with the Client, an overview of Security Incident Reports, and how to use Samurai MDR.
For more details please visit the Samurai MDR Onboarding Guide.
4. Service Features
Samurai Managed Detection and Response provides the following service features:
4.1 Threat Detection
The Samurai XDR platform detects threats and suspicious behavior using the Samurai XDR AI Engine. The AI Engine makes use of a combination of traditional threat detection techniques, Advanced Analytics, machine learning and Threat Intelligence to detect sophisticated threats. To ensure service quality, NTT continuously makes detection-tuning decisions based on the validity and relevance of alerts and security incidents.
4.2 Threat Intelligence
The Global Threat Intelligence Center delivers Threat Intelligence, which enhances the Managed Detection and Response service. Additionally, the Managed Detection and Response service includes continuous Threat Intelligence updates driven by investigations of security incidents.
4.3 Dynamic Blocklist
The Dynamic Blocklist feature provides a real-time feed of curated Indicators of Compromise. The Client can configure supported devices, such as next generation firewalls and internet proxies, to receive the dynamic list to proactively block threats. IoCs are added to the Dynamic Blocklist on an ongoing basis. The Dynamic Blocklist option is available at no additional charge. Additional details can be found in the Dynamic Blocklist overview.
4.4 24/7 Security Analyst Interaction
The Managed Detection and Response service includes detailed security investigation of alerts detected via Samurai XDR by Security Analysts in NTT’s SOC. Investigation includes threat analysis and alert-driven threat hunting activities across the Client’s telemetry environment to provide validation and assessment of the malicious nature of a threat and its potential impact.
Security Analysts use the MITRE ATT&CK framework as a reference model in presenting the nature of a threat and assigning appropriate severity to identified security incidents.
The Managed Detection and Response service also provides validation of threats through vendor integration and evidence collection for selected security technologies, such as packet capture data (PCAP) and malware execution reports.
4.5 Investigations
When the Samurai XDR platform generates an alert indicating a potential threat, a SOC Analyst will begin an investigation. The investigation includes validating the presence of a threat via client telemetry and evidence data, threat intelligence, and other data and information sources within the Samurai XDR platform. Using this information and automation capabilities of the Samurai XDR platform, the analyst then determines the nature and extent of any compromise which may have occurred. Depending on the nature of the potential threat, activities conducted during the process of the investigation may include:
- Threat analysis;
- Alert-driven threat hunting across the Client’s telemetry data which has been ingested into Samurai XDR;
- Assessment of the malicious nature of a threat and its potential impact;
- Contextualisation of validated threats based on factors such as industry vertical and geopolitical context;
- Categorisation according to industry best practice frameworks including MITRE ATT&CK;
- Forensic analysis of telemetry data stored in Samurai XDR;
- Malware analysis; and
- Recommendation to the Client of a response covering suggested next steps.
4.6 Security Incident Reports
If, as a result of an investigation, a threat is identified, the Security Analyst creates a Security Incident Report detailing the cybersecurity incident, including plain-language observations and incident mitigation and/or remediation recommendations.
Client notifications can be provided by phone or email based on severity:
- Critical severity: phone and e-mail notifications.
- Low, Medium and High severity: e-mail notifications.
Clients requiring Phone notifications must provide NTT with a prioritized list of Client contacts.
4.7 Threat Hunting
Utilizing Client telemetry and evidence data, NTT will perform Threat Hunting to detect activities such as persistence mechanisms, application usage, network activity or the tactics, techniques and procedures (“TTPs”) of threat actors. When a threat is detected, a Security Analyst will create a security incident and notify the Client.
4.8 Threat Response
NTT will perform actions within the Samurai XDR platform on the Client’s behalf when an investigation results in the detection of a threat.
NTT will take actions to isolate compromised/malicious host Endpoints following Security Analyst incident validation. Remote isolation actions are performed using the isolation capabilities of the Client’s Endpoint Detection and Response (EDR) technology.
4.9 Samurai XDR Application and Help Center
Managed Detection and Response Clients have access to the Samurai XDR application, including self-service features such as telemetry integration and collector configuration. Details of the functionality provided by the Samurai XDR platform can be found in the online documentation in the Samurai Help Center.
In addition to the Samurai XDR application, Samurai Managed Detection and Response provides the client with access to the Samurai Help Center, which provides online access to:
- interact with us online by logging incidents and requests;
- view security incident reports;
- track, view and submit comments within incident and request tickets; and
- browse / search our knowledge base which contains online documentation for Samurai XDR and Managed Detection and Response.
Additional information regarding support for Samurai XDR and Samurai MDR can be found in our Support Policy.
4.10 Incident Response
The Incident Response add-on is a retainer which the Client may choose to utilize if the Client requires the NTT SOC to perform additional threat investigation activities. Clients can continue to leverage the services of the NTT SOC in instances where the severity of an incident justifies additional effort on tasks such as threat hunting, malware analysis or forensic analysis of data in Samurai XDR.
This add-on provides the Client with additional analysis following root-cause analysis, to assist with containment of a threat.
The Incident Response retainer includes 40 hours per year. If the Client requires additional Incident Response beyond 40 hours, additional retainers of 40 hours can be purchased.
Incident Response effectiveness is enhanced with an installed and supported endpoint agent. If the client does not have a supported agent, NTT will work with the client to provision endpoint agents to support the investigation. For more information please read the detailed description of the Incident Response add-on.
4.11 Threat Reviews
Through a program of scheduled quarterly meetings, Threat Reviews will be conducted with the Client to derive maximum value from Samurai MDR.
Topics covered in the quarterly meetings include:
- Review of service health;
- Review of security incidents and how they provide insights into the Client’s security posture and attack surface; and
- Advice to the Client regarding configuration of Samurai XDR to better meet the Client’s needs.
For clients that require a dedicated resource and monthly threat reviews, the Samurai Cybersecurity Advisor subscription is available as a chargeable add-on.
5. Client Responsibilities
The Client is required to:
- Assign a primary Point of Contact (POC) to work with NTT. The Client will ensure that NTT’s records of all Client POCs are kept up to date and accurate.
- Ensure that all telemetry sources have the connectivity required to interact with the Samurai XDR platform. This includes, but is not limited to, the ability to receive telemetry source feeds and evidence data, as well as the ability to monitor and control any agents or virtual appliances installed in the Client’s environment for the purpose of providing the service.
- Ensure that endpoints falling under the scope of Samurai MDR have a supported endpoint agent installed in order to facilitate the gathering of telemetry and evidence data, as well as to provide the ability to perform remote isolation.
- Provide knowledgeable technical staff and/or third-party resources to perform any configurations or software installations required in order for the Client to consume the service. This includes, but is not limited to:
  - Configuration of connectivity;
  - Installation of Local Collector virtual appliances;
  - Provision of IP addressing required for any virtual appliances required in the Client’s network; and
  - Configuration of cloud services required in order for Samurai XDR to receive telemetry from these services.
- Perform all aspects of Service Onboarding, including the configuration of telemetry sources and configuration of Collectors to provide telemetry feeds to the Samurai XDR platform. The Client will ensure that all source devices are compliant with the Samurai XDR platform configuration requirements and are running supported software and/or hardware versions.
- Ensure that it does not utilise any technologies or configurations which block traffic, rotate logs or in any other way impede delivery of the service.
- Procure all maintenance, support and licensing agreements with third-party vendors for all telemetry sources.
- Comply with all the relevant data privacy, regulatory, and administrative laws, policies and procedures related to monitoring user traffic and communications.
- Bring a threat, identified in a Security Incident Report, to closure.
Failure to provide any of the service requirement information on a timely basis can result in delays in Service Onboarding and Service Delivery by NTT, and NTT shall not be liable for any consequences of such delays.
6. Service Level Agreements
The Service Level Agreements (SLAs) listed in this section will become active once Onboarding of the Client is considered complete.
6.1 Availability
The Availability SLA is determined by the ability of the Client to access the Samurai XDR platform. This is measured by the ability of the Client to log into the Samurai XDR app.
NTT will use reasonable commercial means to ensure an availability of the Samurai XDR app of at least 99.9%. If the availability of the platform drops below this level, the Client may claim a Service Level Credit as set out in the table below:
| Application Availability | Credit as a percentage of monthly Managed Detection and Response fee |
|---|---|
| 99.9% - 100.0% | 0% |
| 95.0% - 99.9% | 1% |
| Less than 95% | 10% |
6.2 Validated Security Incident Notification
NTT will analyze alerts and related available data sources on a 24/7 basis for signs of malicious activity which has bypassed preventative security controls.
If malicious activity is confirmed, NTT will determine the severity of the threat. For Security Incidents with a severity of high or critical NTT will provide an Incident Report within 30 minutes of determining the severity.
For Security Incidents with a severity of low or medium, NTT will endeavour to provide an Incident Report within 120 minutes of determining the severity.
If the creation of a security incident report in relation to an incident with a severity of high or critical takes longer than 30 minutes, the Client may claim a Service Level Credit as set out in the table below:
| Time taken to create a security incident report | Credit as a percentage of monthly Managed Detection and Response fee |
|---|---|
| Less than 30 minutes | 0% |
| 31 to 300 minutes | 1% |
| Over 300 minutes | 5% |
A Client may make a maximum of 1 claim against this service level per calendar day and per security incident.
6.3 Receiving Service Credits
To receive a Service Credit, the Client must open a ticket in the Samurai XDR app within 30 days of the incident for which the Client is claiming a Service Level Credit.