BLUEVOYANT STATEMENT OF WORK

 

Subject to the terms and conditions of the Order Form and the BlueVoyant Managed Security Services Master Services Agreement, BlueVoyant will provide the services set forth in an Order Form and further described below to Client, at the service levels set forth below each Service Description. Capitalized terms used herein but not defined shall have the meanings ascribed to such terms in the Master Services Agreement.

- Managed Detection and Response
- Detection As A Service
- Managed SIEM
- Vulnerability Management Service

 

 

Managed Detection and Response


1. Overview: As detailed further below, BlueVoyant’s managed detection and response services consist of BlueVoyant’s monitoring and management of one or more advanced endpoint software deployments and the performance of incident response actions as needed. Monitoring of the endpoints is performed 24 hours a day, 7 days a week. These services utilize the BlueVoyant platform, our cloud-based ingestion, processing, analysis, and reporting system (Platform), as well as analysts in BlueVoyant’s security operations centers. Management of Client systems is limited to the endpoint software agent that is installed on Client hardware. Monitoring activities include collection, storage, reporting, and Client notification of security events or device health events in accordance with the specified service levels. Tools for self-service reporting and analysis are provided through Wavelength™, BlueVoyant’s client portal.

 

2. MDR Services: BlueVoyant provides two tiers of managed detection and response services:

2.1. Managed Detection and Response (Tier 1): Managed Detection and Response includes MDR Services Activation, Investigation & Notification, Indicator Enrichment, Endpoint Response (excluding Remote Intrusion Response), Threat Detection (excluding Threat Hunting), Malware Prevention, Health Monitoring, and Software Upgrades (as those services are described below). Tier 1 services include access to Wavelength™, BlueVoyant’s Client portal.

2.2. Managed Detection and Response with Advanced Threat Detection (Tier 2): Managed Detection and Response with Advanced Threat Detection includes the Managed Detection and Response services plus Threat Hunting and Remote Intrusion Response (as those services are described below), and also includes access to Wavelength™, BlueVoyant’s Client portal.

 

3. MDR Service Descriptions:

3.1. Investigation & Notification: Once a suspicious event is detected or a prevention activity occurs, an alert is generated and a BlueVoyant security operations center analyst will perform triage and investigation of the event to classify it as a true positive, benign, or a false positive. Client will be notified according to the nature of the event and the service-level agreements.

3.2. Indicator Enrichment: Indicators of compromise associated with detections are automatically extracted, scored, and enriched leveraging open source and BlueVoyant proprietary threat intelligence. Enriched indicators are visible within Wavelength™ and are assigned a reputation (e.g., good, suspicious, bad) and a classification (e.g., botnet, Zeus, crypto-miner).

3.3. Endpoint Response: BlueVoyant will take a specific set of response actions at the completion of an investigation, subject to the pre-approved actions profile established as part of MDR Services Activation (as that term is defined below).

3.3.1. Quarantine: Isolation of an endpoint so that it can no longer communicate with any other device in the Client environment or with the Internet. BlueVoyant will typically move an endpoint into the quarantine state when there is evidence of lateral movement of an advanced threat within the Client environment, or on detection of command-and-control (C2) software attempting to beacon to an attacker’s infrastructure.

3.3.2. Delete File: BlueVoyant will delete specific files on an endpoint if a specific file is known and confirmed to be malicious. File deletion can occur in broader cases per the direction of the Client as part of policy enforcement (ex: pre-approval to delete potentially unwanted programs).

3.3.3. Whitelist: Typically performed as a response to an application that is incorrectly being blocked or terminated as malicious by the advanced endpoint software, BlueVoyant will update policies to whitelist the application for proper execution or set the correct privileges and actions it is allowed to perform. Whitelisting applications is also performed as part of MDR Services Activation in order to reduce the likelihood of unintended business disruption.

3.3.4. Monitor Only: As part of diagnosing misbehaving advanced endpoint software, a BlueVoyant security operations center analyst can move an endpoint into monitor only mode; this is done in collaboration with the Client. Monitor Only mode directs the endpoint software not to interfere with any end user activities on the endpoint.

3.3.5. Blacklist: BlueVoyant will blacklist specific files on an endpoint if a specific file is known and confirmed to be malicious. Blacklisting a specific application either by computed hash or process name will inform the advanced endpoint software not to allow the application to run on any endpoint (that has the advanced endpoint software deployed).

3.3.6. Remote Intrusion Response: As part of an advanced

3.4. Threat Detection: BlueVoyant will leverage the advanced endpoint software to perform detections and provide visibility to activity on the endpoint. BlueVoyant expands the default detections deployed to the advanced endpoint software utilizing proprietary intelligence, indicator enrichment, and enhanced behavioral correlations. 

3.4.1. Signature Detection: BlueVoyant will use traditional anti-virus techniques to identify malicious software by the reputation of its computed hash.

3.4.1.1. BlueVoyant Signatures: BlueVoyant may detect new malware before it has been included in the signature database of the advanced endpoint platform. When this happens, BlueVoyant may deploy proprietary new signatures to the advanced endpoint software.

3.4.2. Behavioral Detection: BlueVoyant will classify activity on endpoints as distinct actions and then analyze them holistically against known tactics, techniques, and procedures (TTPs) to detect patterns of adversarial behavior. Behavioral Detection enables identification of malware not by whether it has been seen previously by detection software, but by how it behaves. BlueVoyant may expand the list of known TTPs provided by the advanced endpoint software with a BlueVoyant-developed set of TTPs.

3.4.3. Reputational Detection: Utilizing proprietary and open source threat intelligence, BlueVoyant will detect threats based upon reputation by correlating inbound and outbound network traffic to monitor for suspicious and malicious domains and IP addresses. 

3.4.4. Threat Hunting: Some advanced adversaries can evade the standard detection mechanisms of cyber security detection tools. BlueVoyant will proactively and iteratively search through events to detect and isolate advanced threats that evade existing security solutions. BlueVoyant will also conduct remote hunt missions on a regular basis, performing manual and semi-automated targeted data analysis to search for signs of advanced adversaries.

3.4.5. Threat Fusion: The BlueVoyant Threat Fusion Cell is a team of cyber intelligence analysts and threat researchers focused on identifying and prioritizing information about threats using BlueVoyant proprietary and open source intelligence. The team undertakes threat hunt missions (based on the tier of service) and produces new detection signatures, new indicators, and reputation scoring.

3.5. Malware Prevention: BlueVoyant will utilize the advanced endpoint software to automatically prevent the execution of suspicious or known malicious software based upon detection mechanisms to prevent the outbreak or spread of malware. BlueVoyant will also administer malware prevention by blacklist policy management, delivery of unique signatures, and threat intelligence indicator matching.

3.5.1. Deny or Terminate Process: Some applications will not exhibit suspicious or malicious behaviors until after the process has been running. If an application exhibits known TTP behaviors after it has started, the advanced endpoint software can terminate it as prescribed by the malware prevention blacklist. BlueVoyant can extend or manage the conditions that cause an application to be terminated or denied.

3.5.2. Block Operation: The actions that an application can take can be controlled with a high degree of granularity, including blocking network connections, execution of file-less scripts, invocation of a command interpreter, and so on. BlueVoyant will work with the Client on which activities are allowed for specific applications, to reduce the possibility that malware, most often file-less malware, can infect the Client’s environment.

3.6. Health Monitoring: BlueVoyant will monitor communication between the Platform and the advanced endpoint software vendor’s infrastructure. Should the vendor’s infrastructure become uncommunicative or unreachable, BlueVoyant will notify the vendor to take corrective action. BlueVoyant will notify the Client if the issue leads to an outage.

3.7. Software Upgrades: As software patches and upgrades are released by the third-party vendor, BlueVoyant will assess the release for security, stability, and functionality before certifying it as a supported version. BlueVoyant will work with the Client to schedule any necessary remote upgrades. Under specific circumstances, such as when the current version has a major failure or a severe vulnerability, BlueVoyant may proactively reach out to the Client to request an upgrade. It is Client’s responsibility to maintain either the current supported version or the immediately previous one.

 

4. Supporting Features and Teams:

4.1. Security Operations Centers (SOC): BlueVoyant’s managed detection and response services are supported by BlueVoyant’s SOCs, which operate 24 hours a day, 7 days a week across multiple locations.

4.2. Wavelength™ (BlueVoyant’s Client Portal): Wavelength is a web-based portal that provides real-time visibility into detected alerts and confirmed incidents, enables approved Client employees to interact with BlueVoyant’s security operations center analysts, and lets them view all detected assets and, if applicable, vulnerabilities.

4.2.1. Dashboards: Available through Wavelength™, dashboards represent a variety of content including but not limited to event volume, alert volume, detected assets, and analyst response actions.

4.2.2. Reports: Available through Wavelength™, reports include Client environment content related to alerts, incidents, indicators, assets, and vulnerabilities. If needed, the Client can request that specific reporting on events be delivered as a report on an automated basis. Extensive customization of report templates and/or creation of custom reports is not included in the service and can be performed on an engagement basis, subject to the mutual agreement of a separate signed Statement of Work.

4.2.3. Threat Intelligence Reports: Threat landscape, sectorial, and intelligence summary reports are developed by the BlueVoyant Threat Fusion Cell.

4.3. Security Orchestration and Automation: Although not directly visible to Clients, the orchestration and automation system is a key component of the Platform that supports the BlueVoyant SOC. Orchestration accelerates triage, reduces false positives, and improves mean time to resolve (MTTR).

4.3.1. Playbooks: BlueVoyant SOC and engineering teams have developed automations to support the Services and continue to deliver new automations. For example, an automated Emotet investigation, confirmation, and response playbook to quickly respond to specific outbreak strains.

4.4. BlueVoyant Client Experience Team: BlueVoyant’s client experience team is the primary support team for the Client. The assigned Client advisor acts as the Client’s consultant and enables the best experience for BlueVoyant services. The advisor will meet with the Client on a regular basis (most often monthly) to understand Client’s security program goals and will advise how BlueVoyant services can best meet their needs. The advisor is also engaged in any significant security events that occur for the Client. Additionally, the advisor will deliver any requested feedback to the BlueVoyant product and service delivery teams.

5. Client Communications: Below are the standard methods for Clients to obtain information related to the Services or engage BlueVoyant staff.

5.1. Wavelength™ (BlueVoyant Client Portal): Wavelength is the primary method for Clients to stay informed of security activity in their environment and activities of the BlueVoyant SOC. At any time, a Client end user may go to Wavelength and review any security alerts, dashboards, or reports.

5.2. Email: The Client will receive emails as a regular function of the Services. Email topics can span a wide variety of matters, but most often they relate to security investigations: notification of risk, or questions on appropriate environment use or behaviors. Clients can also initiate service change requests via email by sending an email to soc@bluevoyant.com. Upon receipt of any such email, a service request case is created and can be viewed within Wavelength.

5.3. Calling Security Operations: The BlueVoyant SOC operates 24 hours a day, 365 days a year and can be reached by calling 1-833-BLUEMSS or +1-833-258-3677. Only approved Client end-users will be allowed to talk with BlueVoyant SOC personnel.

 

6. Managed Detection and Response Service Levels

6.1. Security Monitoring: Client will receive communications regarding security incidents according to (a) the escalation procedures defined, or in the manner pre-selected in writing by Client, either through Wavelength, email, or by telephone, and (b) the matrix below. Event classification is the process in which a BlueVoyant security analyst investigates an alert to confirm its validity and impact and assigns a severity. Notification times are measured as the time difference between completion of event classification and Client notification. Client notification occurs after event classification in order to avoid notifications for benign or false positive alerts.

Severity: Critical
Definition: Events that represent an imminent threat to Client assets, including: data destruction, encryption, exfiltration, or a malicious interactive attacker.
Notification Time: Within 30 minutes of event classification completion
Notification Method: 1. Email; 2. Phone Call; 3. Wavelength

Severity: High
Definition: Events that represent a significant threat to Client assets, including: rootkits, keyloggers, or trojans not defined as “critical”; ransomware; confirmed suspicious privilege escalation; confirmed social engineering-based attacks.
Notification Time: Within 1 hour of event classification completion
Notification Method: 1. Email; 2. Phone Call; 3. Wavelength

Severity: Medium
Definition: Events that represent a potential threat to Client assets, including malware types such as bots or spyware, not defined as “critical” or “high”.
Notification Time: No notification
Notification Method: Wavelength

Severity: Low
Definition: Events that represent a minimal threat to Client assets, including adware or other potentially unwanted programs (PUPs).
Notification Time: No notification
Notification Method: Wavelength

 

6.2. Managed Detection and Response Service Requests: Standard service requests (applies to all non-change and non-incident tickets) submitted via Wavelength™, email, or telephone will be subject to “acknowledgement” (either through the BlueVoyant ticketing system, email, or telephonically) within one (1) business day from the time stamp on the managed detection and response service ticket created by the Platform.

6.3. Maintenance Windows: BlueVoyant may schedule maintenance outages for the BlueVoyant software that enables log collection, with 24 hours’ notice to designated Client contacts. Service levels shall not apply during maintenance outages, and such periods are therefore not eligible for any service level credit.

6.3.1. Emergency Maintenance: In the circumstance of immediate necessary changes, BlueVoyant may initiate an emergency maintenance window. When this situation occurs, BlueVoyant will use commercially reasonable efforts to provide notice and minimize the impact to Clients.

6.4. Client Outage: The service levels do not apply in the event of any Client-caused outage that prohibits or otherwise limits BlueVoyant from providing the managed detection and response services or otherwise delivering the service levels, including, but not limited to, Client’s misconduct, negligence, inaccurate or incomplete information, modifications made to the Services, or any unauthorized modifications made to any managed hardware or software devices by Client, its employees, agents, or third parties acting on behalf of Client.

6.5. Third Party Outages: service levels are not applicable for any outages of the third-party vendor’s advanced endpoint software related to the delivery of security events or alerts to the Platform.

6.6. SLA Credits: Client will receive credit for any failure by BlueVoyant to meet the service levels outlined above within thirty (30) days of notification by Client to BlueVoyant of such failure. In order for Client to receive a service level credit, the notification of the service level failure must be submitted to BlueVoyant within thirty (30) days of such service level failure occurring. BlueVoyant will research the request and respond to Client within thirty (30) days from the date of the request. The total amount credited to Client in connection with any of the above service levels in any calendar month will not exceed the monthly Services fees paid by Client for such Services. Except as otherwise expressly provided hereunder or in the BlueVoyant Managed Security Services Master Services Agreement, the foregoing service level credit(s) shall be Client’s exclusive remedy for failure to meet or exceed the applicable service levels.

 

7. Managed Detection and Response Services Activation: Managed detection and response services activation (MDR Services Activation) consists of three phases: introduction, provisioning, and tuning. MDR Services Activation begins after a signed Order Form is received and ends with the activation of the managed detection and response services. MDR Services Activation is dependent on a number of factors, such as the number of endpoints, central management of endpoints, the number of physical sites, the complexity of the Client’s network, Client requirements, and the ability of Client to provide BlueVoyant with requested information and deployment of supporting software and configuration within a mutually agreed-upon timeframe.

7.1. Introduction Phase: The introduction phase facilitates information gathering and begins with project kickoff. During this phase there are introductions between key BlueVoyant and Client staff and Client priorities, expectations, and project timelines are established.

7.1.1. BlueVoyant Project Manager: At the beginning of Client deployment, a BlueVoyant implementation project manager will be assigned to coordinate the onboarding process. The implementation project manager will work with the Client to establish timeline goals, which sources and devices will be onboarded, in what priority and on what timeline, and when they will move to steady-state monitoring.

7.1.2. Client Experience Team: At the beginning of Client deployment, a BlueVoyant technical account manager will be assigned to the Client. This person will work directly with the Client and will act as their main point of contact beyond direct calls to the SOC.

7.1.3. Threat Profile: In order to provide organizational specific threat intelligence, BlueVoyant will collect information about the Client to better understand potential threats. Collected information will include information about the organization's industry, segment, key employees, key systems and what types of digital assets they own including domains and IP address segments.

7.1.4. Approved Response Plan: The Client and BlueVoyant will discuss and agree upon rules of engagement for service operation e.g., response actions and policies, vulnerability scanning policies, authorized Client points of contact, and other operational considerations. Included in the response plan is the creation of the escalation procedures which defines who in the Client’s organization should be contacted in the event of an incident.

7.1.4.1. Pre-approved Response Actions: A set of pre-approved response actions will be established that tells the SOC which response actions it may perform and under what conditions. For example: perform no response actions, and only notify the Client’s IT staff, for a specific set of business-critical assets.

7.2. Provisioning Phase: The provisioning phase is focused on deployment of the advanced endpoint software to enable endpoint visibility and response actions.

7.2.1. Advanced Endpoint Software: Deployment of the advanced endpoint software on the identified endpoints with Internet access to connect to the vendor infrastructure.

7.2.2. Wavelength™ User Onboarding: Client will provide a list of identified users and their email addresses for access to Wavelength™ and the SOC. Client users will receive an onboarding email to access Wavelength and will configure multi-factor authentication with their device. BlueVoyant will conduct Wavelength™ training for Client users.

7.2.3. Deployment Audit: Once all advanced endpoint software has been deployed and is functioning, an audit is performed to ensure the software has been correctly deployed on all the correct systems and that managed detection and response services are ready to commence. Security monitoring will begin once 80% of the target deployment has been met.

7.3. Tuning Phase: BlueVoyant will use the first 14-30 days post installation to identify a baseline of the Client environment and tune the managed detection and response services. Tuning is a process of factoring out some of the expected noise of the Client’s environment and optimizing the service to provide better visibility and anomaly detection.

7.3.1. Endpoint Policy: As part of malware protection, applications may be automatically terminated or disallowed based on whether the application exhibits specific behaviors. As part of the tuning phase, any applications that are incorrectly prevented from executing will be identified and appropriately whitelisted in consultation with the Client. Endpoint policies will continue to be refined through steady-state operations as the Client’s information technology infrastructure changes.

7.3.2. Inventory of Assets: Once the advanced endpoint software has been deployed, identification and contextualization of assets can occur. This includes identifying “key terrain” devices and applications as well as asset tagging and assigning asset criticality.

7.4. Onsite Deployment: Should onsite installation and configuration be necessary, BlueVoyant will provide such a resource for an additional fee as well as travel and lodging expenses.

 

8. Client Responsibilities

8.1. Software Deployment: During the MDR Services Activation process, the Client will deploy the advanced endpoint software on identified endpoints.

8.2. Notification of Environment Changes: Client will notify BlueVoyant of any environment changes that may affect execution of the MDR Services.

8.3. Notification of User Changes: Client will notify BlueVoyant of any necessary user account changes tied to Client employee termination; this includes employees or contractors that have access to Wavelength™ or approval to contact the SOC.

8.4. Internet Access: Client is required to maintain internet connection to endpoints that are actively monitored.

8.5. Additional Remediation: During investigation of security alerts BlueVoyant may give guidance to a Client to perform specific actions in their environment in order to improve their security posture or to fully remediate an incident. Performance of these actions are the Client’s responsibility.

8.6. Software Updates: Client is responsible for performing upgrades of the deployed advanced endpoint software in a timely manner.

 

9. Other Services & Capabilities (Not Included): Below is a list of other notable services and capabilities provided by BlueVoyant that are outside the scope of the MDR Services. These services and capabilities can be purchased alongside the MDR Services.

9.1. Detection-as-a-service: Monitoring of Client’s devices and infrastructure for security and compliance.

9.2. Managed SIEM: Delivered utilizing Splunk as a best-of-breed security information and event management (SIEM) tool to monitor the Client’s devices and applications. Clients have access to Splunk directly to create their own searches, correlations, and reports, and to deploy approved add-ons.

9.3. Vulnerability Management Service (VMS): Delivers vulnerability scanning, remediation tracking, active asset discovery, and reporting.

9.4. Deception: Using next-generation honeypot technology to detect advanced threats in your environment using featherweight, agentless technology.

 

10. Out of Scope: In the event the Client requests BlueVoyant to provide additional services outside the scope of what is set forth in this Statement of Work, to the extent BlueVoyant is able to provide such services, the services will be mutually agreed in separate Statements of Work executed by both parties. Available additional services include:

10.1. breach response & compromise assessment;

10.2. forensics;

10.3. vulnerability patching and resolution;

10.4. tabletop exercises;

10.5. network architecture design;

10.6. hardware procurement; and

10.7. security or technology training for end users.

 

11. MDR Services Termination: If an Order Form including managed detection and response services is cancelled or the Agreement is terminated, the Client will have thirty (30) days from the time a cancellation request is initiated, or the Agreement has expired (whichever comes first) to request the receipt of archived data. Hourly consulting fees will apply for time spent as well as data transfer cost related to archived data. If a request is not received within the thirty (30) day period, BlueVoyant will permanently destroy all archived data pertaining to security devices no longer under a valid Order Form.

 

12. Additional MDR Services Terms and Conditions:

12.1. Modify Terms: BlueVoyant reserves the right to modify the terms of this Statement of Work, including the service levels, with 30 days prior notice.

12.2. Risk Elimination: This Statement of Work provides expert security analysis and response to the Client. However, deployment of BlueVoyant managed detection and response services in a Client network does not achieve the impossible goal of risk elimination, and therefore BlueVoyant makes no guarantee that intrusions, compromises, or any other unauthorized activity will not occur on a Client network.

 

Detection As A Service:


1. Service Overview: The service consists of BlueVoyant’s monitoring of pre-agreed network security device(s) (Devices) and application(s) (Applications), and provides Client with real-time security event analysis across monitored security and critical infrastructure 24 hours a day, 7 days a week. The service utilizes the BlueVoyant platform, our cloud-based ingestion, processing, analysis, and reporting system (Platform), as well as analysts in BlueVoyant’s security operations centers. Implementation and configuration changes necessary for provisioning of software agents are included in the services, as are (1) vendor software updates in line with the BlueVoyant software update policy, and (2) collection, storage, reporting, and Client notification of security events or device health events in accordance with specified service levels. Tools for self-service reporting and analysis are provided through Wavelength™, BlueVoyant’s client portal.


2. Service Feature:

2.1. Log Collection: Software agents will be deployed on Devices to enable collection of logs for security event monitoring. Using BlueVoyant Virtual Appliances (described below), logs are aggregated and stored within Platform from the Devices and Applications.

2.2. Security Event Monitoring: The process of detecting threats in the environment and performing security investigations 24/7.

2.2.1. Threat Detection: Filters, normalization, correlation, and data analysis will be applied to identify anomalous, suspicious, or malicious behaviors indicative of threats in the monitored environment. Threat detection occurs through threat detection methods, including but not limited to signature, behavioral, and cross-source correlations.

2.2.2. Reputational Detection: A notable detection method. Utilizing proprietary and open source threat intelligence, BlueVoyant will identify threats based upon reputation by correlating inbound and outbound network traffic with threat intelligence to monitor for suspicious and malicious domains and IP addresses.

2.2.3. Investigation & Notification: Once a suspicious event is detected or an automatic prevention activity occurs, an alert is generated and a BlueVoyant security operations center analyst will investigate the event to classify it as a true positive, benign, or a false positive. Client will be notified according to the nature of the event and the service-level agreements.

2.2.4. Managed Detection and Response (Separate): If a Client has also purchased managed detection and response services from BlueVoyant, then the BlueVoyant security analyst will also undertake response activities on the endpoint as a result of the investigation, if applicable and appropriate. BlueVoyant’s managed detection and response services are described in BlueVoyant’s Managed Detection and Response Statement of Work.

2.2.5. Indicator Enrichment: Indicators of compromise associated with detections within the monitored environment are automatically extracted, scored, and enriched leveraging open source and BlueVoyant proprietary threat intelligence. Enriched indicators are visible within Wavelength™ and are assigned a reputation (e.g., good, suspicious, bad) and a classification (e.g., botnet, Zeus, crypto-miner).

2.3. Health Monitoring: BlueVoyant will monitor installed endpoint agent communications using the Platform. Should agents become uncommunicative or unreachable, BlueVoyant will notify the Client and assist with troubleshooting. BlueVoyant will monitor log sources that are within the scope of the service and will generate an alert when a log source’s output has not been received within a specified interval.
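As an added example (not part of this Statement of Work, and not the Platform’s own code), the following Python sketch shows the log-source silence check that section 2.3 describes: each in-scope source has a maximum tolerated gap, the latest receipt per source is tracked (receipts may arrive out of order), and at evaluation time a source is reported as ok, silent, or never-seen, the last case covering a source that was onboarded but has never delivered a single event and would otherwise be invisible to a “last seen” check. The source inventory, the intervals, and the receipt stream are constructed for illustration; the actual interval per source is whatever is agreed during activation.

```python
from datetime import datetime, timedelta, timezone

# Constructed in-scope log-source inventory: source -> maximum silence tolerated.
# The intervals are hypothetical; the real ones are agreed per source.
SOURCES = {
    "fw-edge-01": timedelta(minutes=5),
    "dc-01": timedelta(minutes=15),
    "proxy-01": timedelta(minutes=5),
    "vpn-01": timedelta(minutes=10),   # onboarded but never reports in the sample stream
}

# Constructed stream of (receipt timestamp, source) as the Platform would see it.
# Note the out-of-order proxy-01 receipt: tracking must keep the latest, not the last.
RECEIPTS = [
    ("2024-01-01T12:00:00Z", "fw-edge-01"),
    ("2024-01-01T12:00:30Z", "dc-01"),
    ("2024-01-01T12:01:00Z", "proxy-01"),
    ("2024-01-01T12:04:00Z", "fw-edge-01"),
    ("2024-01-01T12:03:00Z", "proxy-01"),
    ("2024-01-01T12:09:00Z", "dc-01"),
    ("2024-01-01T12:18:00Z", "fw-edge-01"),
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_seen(receipts):
    """Latest receipt time per source, robust to out-of-order delivery."""
    seen = {}
    for ts, src in receipts:
        t = parse_ts(ts)
        if src not in seen or t > seen[src]:
            seen[src] = t
    return seen


def check_sources(receipts, now, sources=SOURCES):
    """Return {source: (state, gap)} with state in {'ok', 'silent', 'never-seen'}.

    gap is the time since the latest receipt, or None for a source with no receipts.
    """
    seen = last_seen(receipts)
    result = {}
    for src, max_gap in sources.items():
        if src not in seen:
            result[src] = ("never-seen", None)
            continue
        gap = now - seen[src]
        result[src] = ("silent" if gap > max_gap else "ok", gap)
    return result


def silent_sources(receipts, now, sources=SOURCES):
    """Sources that should raise a health alert at time `now`."""
    status = check_sources(receipts, now, sources)
    return sorted(src for src, (state, _) in status.items() if state != "ok")


if __name__ == "__main__":
    now = parse_ts("2024-01-01T12:20:00Z")
    for src, (state, gap) in check_sources(RECEIPTS, now).items():
        print(f"{src:12} {state:10} gap={gap}")
```

Evaluated at 12:20:00Z, fw-edge-01 (2 minutes since its last receipt) and dc-01 (11 minutes, under its 15-minute tolerance) are healthy, proxy-01 is silent at 17 minutes because its latest receipt is the out-of-order 12:03 one, and vpn-01 is reported as never-seen rather than silently omitted.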

2.4. Log Retention & Archiving: All log data collected from Devices and Applications will be retained by BlueVoyant for a period of 30 days for security event analysis and retained in archive storage for a period of one year or as specified in the service order. Logs older than 30 days can be retrieved and delivered to Client upon written request, for an additional retrieval fee.

 

3. Supporting Features and Teams

3.1. Security Operations Center (SOC): The Service is supported by the BlueVoyant Security Operations Center which operates 24 hours a day, 7 days a week, and across multiple locations.

3.2. Wavelength™ (BlueVoyant’s Client Portal): Wavelength is a web-based portal that provides real-time visibility into detected alerts and confirmed incidents, enables approved Client employees to interact with BlueVoyant’s security operations center analysts, and lets them view all detected assets and, if applicable, vulnerabilities.

3.2.1. Dashboards: Available through WavelengthTM, dashboards represent a variety of content including but not limited to event volume, alert volume, detected assets, and analyst response actions.

3.2.2. Reports: Available through WavelengthTM, reports include client environment content related to alerts, incidents, indicators, assets and vulnerabilities. If needed, the client can request that specific reporting on events be delivered as a report on an automated basis. Extensive customization of report templates and/or creation of custom reports is not included in the service and can be performed on an engagement basis subject to the agreement of a separate signed Statement of Work.

3.2.3. Threat Intelligence Reports: Threat landscape, sectorial, and intelligence summary reports are developed by the BlueVoyant Threat Fusion Cell. The BlueVoyant Threat Fusion Cell is a team of cyber intelligence analysts and threat researchers focused on identifying and prioritizing information about threats using BlueVoyant proprietary and open source intelligence.

3.3. BlueVoyant Virtual Appliance: The BlueVoyant virtual appliance is a software package that enables log collection from external sources and delivers it to the BlueVoyant platform. It enables log collection and monitoring for devices and systems on which deployment of a log collection agent is not possible, such as a router or firewall. Most often, devices are configured to deliver Syslog content to a BlueVoyant virtual appliance.

3.4. Collection Agents: Collection agents are software installed directly on client endpoints and servers to enable log collection and delivery to the BlueVoyant platform.

3.5. Security Orchestration and Automation: Although not directly visible to Clients, the orchestration and automation system is a key component of the Platform that supports the BlueVoyant SOC. Orchestration accelerates triage, reduces false positives, and improves mean time to resolve (MTTR).

3.5.1. Playbooks: BlueVoyant SOC and engineering teams have developed automations to support the Services and continue to deliver new automations. One example is an automated Emotet investigation, confirmation, and response playbook used to respond quickly to specific outbreak strains.

3.6. BlueVoyant Client Experience Team: The Client Experience team is the primary support team for the client. The assigned client advisor acts as the client’s consultant and enables the best experience for BlueVoyant services. The advisor will meet with the client on a regular basis (most often monthly) to understand client’s security program goals and will advise how BlueVoyant services can best meet their needs. The advisor is also engaged in any significant security events that occur for the client. Additionally, the advisor will deliver any requested feedback to the BlueVoyant product and service delivery teams.

 

4. Client Communications: Below are the standard methods that the Service enables for the client to obtain information related to the Service or engage BlueVoyant staff.

4.1. Wavelength™ (BlueVoyant Client Portal): Wavelength is the primary method for Clients to stay informed of security activity in their environment and activities of the BlueVoyant SOC. At any time, a Client end user may go to Wavelength and review any security alerts, dashboards, or reports.

4.2. Email: The client will receive Emails as a regular function of the Service. Email topics can span a wide variety of matters, but most often they relate to security investigations: notification of risk or questions on appropriate environment use or behaviors.

4.3. Clients can also initiate service change requests via Email by sending an Email to soc@bluevoyant.com. Upon receipt of any emails, a service request case is created and can be viewed within the BlueVoyant Customer Portal.

4.4. Calling Security Operations: The BlueVoyant SOC operates 24/7/365 and can be reached by calling 1-833-BLUEMSS or 1-833-258-3677. Only approved Client end-users will be allowed to talk with BlueVoyant SOC personnel.

 

5. Log Collection Sources

5.1. Minimum Collection Sources: In order to provide adequate detection and the highest quality service, there is a minimum set of log collection source types that must be monitored. BlueVoyant reserves the right to refuse service and is unable to meet service level agreements if any of these sources are not included as part of the agreed monitored sources:

5.1.1. Network Perimeter Visibility: Visibility of network traffic entering or leaving the environment, which is typically provided by means of access to a Client’s firewalls or next-generation firewalls, or the equivalent within a cloud environment.

5.1.2. Advanced Endpoint Visibility: Comprehensive visibility of activities occurring on the client’s endpoints, including behavioral detections. Visibility can be provided either through BlueVoyant’s managed detection and response services (available separately), or by means of allowing BlueVoyant access to the Client’s deployed next-generation anti-virus agents or the Client’s deployed endpoint detection and response agents.

5.1.3. User Authentication & Access: Visibility into users and user-accessed systems, typically provided through Microsoft Active Directory, a Lightweight Directory Access Protocol (LDAP) server, or a 3rd party federated login provider.

5.1.4. Dynamic Host Configuration Protocol (DHCP): Access to DHCP logs to enable understanding of assets in the environment using IP resolution. Alternatives to DHCP log collection can be substituted if they provide full asset visibility (such as Cloud IaaS).

5.2. Non-standard Sources: BlueVoyant will provide a set of correlations and detections for commonly supported sources and platforms. For nonstandard log sources, BlueVoyant may require its consultants or engineers to work with Client to understand the Client’s log source(s), important event criteria, and any custom reporting or real-time alerting requirements. The scope of this analysis will be set out in a separate mutually agreed signed statement of work as this work is separate and distinct from the efforts of the deployment engineers described below and specifically excluded from the Services.

5.3. Correlation Development: BlueVoyant Engineering implements and delivers new correlations on a regular basis; Client requests for new correlations are prioritized by BlueVoyant’s product management process. If Client has urgent correlations that it would like BlueVoyant to prioritize, the scope of this analysis will be set out in a separate mutually agreed signed statement of work.

5.4. Scope of Service: The Service is limited to monitoring the devices & sources subscribed for service as defined in the associated Service Order and does not include management or monitoring of any unsubscribed end-point or intermediary log sources.

5.4.1. Unapproved Sources: Sources that have been configured to relay their logs to BlueVoyant but are not Devices or Applications subscribed for service are deemed “unapproved”. Log collection from unapproved sources may be blocked by BlueVoyant, and a Client may receive charges related to the monitoring of unapproved sources.

 

6. Service Level Agreements

6.1. Security Monitoring: Client will receive communications regarding security incidents according to (a) the escalation procedures defined, or in the manner pre-selected in writing by Client, either through Wavelength, email, or by telephone, and (b) the matrix below. Event classification is the process in which a BlueVoyant security analyst investigates an alert to confirm its validity and impact and assigns a severity. Notification times are measured as the time difference between when event classification has completed and when the Client is notified. Client notification occurs after event classification in order to prevent notification for benign or false positive alerts.

Severity | Definition | Notification Time | Notification Method
Critical | Events that represent an imminent threat to Client assets, including: data destruction, encryption, exfiltration, or malicious interactive attacker. | Within 30 minutes of event classification completion | 1. Email; 2. Phone Call; 3. Wavelength
High | Events that represent a significant threat to Client assets, including: rootkits, keyloggers, or trojans, but not defined as “critical”; ransomware; confirmed suspicious privilege escalation; confirmed social engineering-based attack. | Within 1 hour of event classification completion | 1. Email; 2. Phone Call; 3. Wavelength
Medium | Events that represent a potential threat to Client assets, including: malware types that include bots or spyware, but not defined as “critical” or “high”. | No Notification | Wavelength
Low | Events that represent a minimal threat to Client assets. This includes adware or other potentially unwanted programs (PUPs). | No Notification | Wavelength

 

6.2. Service Requests: Standard service requests (applies to all non-change and non-incident tickets) submitted via WavelengthTM, email, or via telephone will be subject to “acknowledgement” (either through the BlueVoyant ticketing system, email or telephonically) within one (1) business day from the time stamp on the managed detection and response service ticket created by the Platform.

6.3. Maintenance Windows: BlueVoyant may schedule maintenance outages for BlueVoyant software which enables log collection with 24-hours’ notice to designated Client contacts. Service levels shall not apply during maintenance outages and therefore are not eligible for any service level credit during these periods.

6.3.1. Emergency Maintenance: In the circumstance of immediately necessary changes, BlueVoyant may initiate an emergency maintenance window. When this situation occurs, BlueVoyant will use commercially reasonable efforts to provide notice and minimize the impact to Clients.

6.4. Client Service Outage: The service levels do not apply in the event of any Client-caused Service outage that prohibits or otherwise limits BlueVoyant from providing the Service or otherwise delivering service levels including, but not limited to, Client’s misconduct, negligence, inaccurate or incomplete information, modifications made to the Services, or any unauthorized modifications made to any managed hardware or software Devices by Client, its employees, agents, or third parties acting on behalf of Client.

6.5. Third Party Outage: For log collection from third-party sources such as Software-as-a-Service or Cloud Infrastructure providers, SLAs are not applicable for any outages of the third party that affect the delivery of its logs to the Platform.

6.6. SLA Credits: Client will receive credit for any failure by BlueVoyant to meet the SLAs outlined above within thirty (30) days of notification by Client to BlueVoyant of such SLA failure. In order for Client to receive an SLA credit, the notification of the SLA failure must be submitted to BlueVoyant within thirty (30) days of such SLA failure occurring. BlueVoyant will research the request and respond to Client within thirty (30) days from the date of the request. The total amount credited to Client in connection with any of the above SLAs in any calendar month will not exceed the monthly Service fees paid by Client for such Service. Except as otherwise expressly provided hereunder or in the BlueVoyant Detection-as-a-Service Master Services Agreement, the foregoing service level credit(s) shall be Client’s exclusive remedy for failure to meet or exceed the applicable service levels.

 

7. Service Activation: Service activation (“Service Activation”) consists of three phases: introduction, provisioning, and tuning. Service Activation begins once the signed Service Order is received and ends with the activation of the Service. Service Activation is dependent on a number of factors, such as the number of log collection sources, the number of physical sites, the complexity of the Client’s network, Client requirements, and the ability of Client to provide BlueVoyant with requested information and deployment of supporting software and configuration within a mutually agreed-upon timeframe. BlueVoyant does not provide SLAs for completing Service Activation within a specified period of time.

7.1. Introduction Phase: The introduction phase facilitates information gathering and begins with project kickoff. During this phase, introductions are made between key BlueVoyant and client staff, and client priorities, expectations, and project timelines are established.

7.1.1. BlueVoyant Project Manager: At the beginning of client deployment, a BlueVoyant implementation project manager will be assigned to coordinate the onboarding process. The implementation project manager will work with the client to establish their timeline goals, which sources and devices will be onboarded, in what priority and on what timeline, and when they will move to steady-state monitoring.

7.1.2. Client Experience Team: At the beginning of client deployment, a BlueVoyant Technical Account Manager will be assigned to the client. This person will work directly with the client and will act as their main point of contact beyond direct calls to the SOC.

7.1.3. Threat Profile: In order to provide organization-specific threat intelligence, BlueVoyant will collect information about the Client to better understand potential threats. Collected information will include information about the organization's industry, segment, key employees, key systems and what types of digital assets they own, including domains and IP address segments.

7.1.4. Approved Response Plan: The Client and BlueVoyant will discuss and agree upon rules of engagement for service operation, e.g., response actions and policies, vulnerability scanning policies, authorized client points of contact, and other operational considerations. Included in the response plan is the creation of the escalation procedures, which define who in the client’s organization should be contacted in the event of an incident.

7.2. Provisioning Phase: The provisioning phase is focused on deployment of software to enable log collection and the configuration of devices and applications to deliver logs to the BlueVoyant platform for storage and analysis.

7.2.1. BlueVoyant Virtual Appliance: Provisioning of client equipment and installation of BlueVoyant virtual appliances at agreed upon locations for collection of logs from specific devices. Client will enable connectivity of BlueVoyant virtual appliances to the Platform. BlueVoyant will provide minimum system requirements for hosting BlueVoyant virtual appliance software.

7.2.2. Software Agents: Deployment of software agents to identified endpoints and servers to enable log collection. Client would enable connectivity of software agents to the Platform.

7.2.3. Source Configuration: Configuration of devices and applications to enable collection of logs. This most often includes configuration of network devices such as firewalls to direct syslog content to a BlueVoyant Virtual Appliance for log collection.

7.2.4. WavelengthTM User Onboarding: Client will provide a list of identified users and their email addresses for access to WavelengthTM and the SOC. Client users will receive an onboarding email to access Wavelength and will configure multi-factor authentication with their device. BlueVoyant will conduct WavelengthTM training for Client users.

7.2.5. Log Collection Audit: Once all collection software has been deployed and sources have been appropriately configured to enable detection, an audit is performed to ensure the Service is ready to commence.

7.3. Tuning Phase: BlueVoyant will use the first 14-30 days post installation to identify a baseline of the Client environment and tune the Service. Tuning is a process of factoring out some of the expected noise of the Client’s environment and optimizing the service to provide better visibility and anomaly detection.

7.3.1. Inventory of Assets: Once the collection and agent software has been deployed, identification and contextualization of assets can occur. This includes identifying “Key Terrain” devices and applications, as well as asset tagging and assigning asset criticality.

7.4. Onsite Deployment: Should onsite installation and configuration be necessary, BlueVoyant will provide such a resource for an additional fee as well as travel and lodging expenses.

 

8. Client Responsibilities

8.1. Software Deployment: During the service activation process, the client will deploy BlueVoyant Virtual Appliances and software agents where appropriate to enable collection of logs and appropriate environment visibility. Additionally, the client will support configuration of devices and applications for collection where necessary; for example, configuring their firewall to direct logs over syslog.

8.2. Source Configuration: Client is responsible for configuring all log sources so that logs are appropriately sent to the agents and log collection devices. This includes, but is not limited to, any intermediary log sources. If changes to Client’s existing network architecture are required for Service implementation, BlueVoyant will communicate these changes to Client.

8.3. Notification of Environment Changes: Client will notify BlueVoyant of any environment changes that may affect execution of the Service.

8.4. Notification of User Changes: Client will notify BlueVoyant of any necessary user account changes tied to Client employee termination; this includes employees or contractors that have access to WavelengthTM or approval to contact the SOC.

8.5. Internet Access: Client is required to maintain Internet connection to all systems that are performing log collection.

8.6. Additional Remediation: During investigation of security alerts, the BlueVoyant Security Operations Center may give guidance to a client to perform specific actions in their environment in order to improve their security posture or to fully remediate an incident. Performance of these actions is the Client’s responsibility.

8.7. PII Obfuscation: Client is responsible for filtering all data delivered to BlueVoyant for Personally Identifiable Information (PII), credit card information, or other protected content.

 

9. Other Services & Capabilities (Not Included): Below is a list of other notable services and capabilities provided by BlueVoyant that are outside the scope of this Service. These services and capabilities can be purchased alongside this Service.

9.1. Managed Detection and Response (MDR): Advanced detection of threats against the client’s endpoints with supporting response action including process termination, whitelisting, blacklisting, and quarantining.

9.2. Managed SIEM: Delivered utilizing Splunk as a best-of-breed Security Information and Event Management tool to monitor the Client’s devices and applications. Clients have access to Splunk directly to create their own searches and correlations.

9.3. Vulnerability Management Service (VMS): Delivers vulnerability scanning, remediation tracking, active asset discovery, and reporting.

9.4. Deception: Using next-generation honeypot technology to detect advanced threats in your environment using featherweight, agentless technology.

 

10. Out of Scope: The parties agree that services, deliverables and equipment not listed in the applicable Service Order (as agreed to by the parties) are out of scope and are not part of this Agreement. In the event the client requests BlueVoyant to provide services that are outside of the scope of this Schedule, to the extent BlueVoyant is able to provide such services, the services will be detailed in a statement of work executed by both parties.

10.1. Breach Response & Compromise Assessment

10.2. Forensics

10.3. Vulnerability Patching and Resolution

10.4. Tabletop Exercises

10.5. Network architecture design

10.6. Hardware procurement

10.7. Security or Technology Training for End Users

 

11. Service Termination: If the Service Order with BlueVoyant is cancelled or the Agreement is terminated, the Client will have thirty (30) days from the time a cancellation request is initiated, or the Agreement has expired (whichever comes first) to request the receipt of archived data. Hourly consulting fees will apply for all time spent restoring the archived data. If a request is not received within the thirty (30) day period, BlueVoyant will permanently destroy all archived data pertaining to security devices no longer under a valid Service Order or Agreement.

 

12. Additional Service Terms and Conditions:

12.1. Modify Terms: BlueVoyant reserves the right to modify the terms of this Statement of Work, including the service levels, with 30 days prior notice.

12.2. Risk Elimination: This Statement of Work provides expert security analysis to the Client. However, deployment of BlueVoyant Detection-as-a-Service in a Client network does not achieve the impossible goal of risk elimination, and therefore BlueVoyant makes no guarantee that intrusions, compromises, or any other unauthorized activity will not occur on a Client network.

 

Managed SIEM

(back to top)

1. Description of Service: This Service Description and Service Level Agreement (“Service Description”) describes the Service (as defined below) being provided to you (“Customer”, “Client”, or “you”) by BlueVoyant under the Service Order executed by Client for the purchase of this Service.

This Service is provided in connection with Client’s signed Service Order and separate signed master services agreement that explicitly authorizes the sale of managed security and consulting services. In the absence of either a master services agreement or security services schedule, the Services described under this Service Description will be governed by and subject to the terms and conditions of the BlueVoyant Master Services Agreement (“MSA”). 

2. Service Overview:  The BlueVoyant Managed SIEM offering (the “Service”) consists of BlueVoyant’s monitoring of the contracted Client-owned security device(s) (“Devices”) and application(s) (“Applications”) as specified on the Service Order. It provides Client with real-time, security event analysis across Client’s security and critical infrastructure 24 hours a day, 7 days a week.  This Service utilizes the BlueVoyant platform (“The Platform”) in conjunction with analysts in BlueVoyant’s Security Operations Center (“SOC”).

Management activities include Service implementation, configuration changes necessary for the successful provision of the Service, as well as vendor software updates in line with the BlueVoyant software update policy described in this Service Description. Monitoring activities include collection, storage, reporting, and Client notification of security events or device health events in accordance with the Service Level Agreements. Tools for self-service reporting and analysis are provided through Wavelength™, the BlueVoyant Client Portal ("Wavelength").

 

3. Service Features

3.1. Log Collection: Depending on the scope of the client’s environment, software agents will be deployed on contracted Client-owned devices to enable collection of logs for security event monitoring. Logs are aggregated and stored within the BlueVoyant platform from many sources including endpoints (workstations, laptops, servers, etc.), network, applications, and cloud infrastructure.

3.2. Security Event Monitoring: Filters, normalization, correlation, and data analysis will be applied to identify anomalous, suspicious, or malicious behaviors indicative of threats in the client’s environment. 

3.2.1. Reputational Detection: Utilizing BlueVoyant proprietary and open source threat intelligence to detect threats based upon reputation, by correlating inbound and outbound network traffic against known suspicious and malicious domains and IP addresses.

3.2.2. Investigation & Notification: Once a suspicious event is detected, an alert is generated and a BlueVoyant security analyst will perform triage and investigation of the event to confirm it as a true positive, benign, or a false positive. The client will be notified according to the nature of the event and the service level agreements.

3.2.3. Managed Detection and Response (Separate): If a client has also purchased a separate BlueVoyant Managed Detection and Response (MDR) managed service, then the BlueVoyant security analyst will perform response activities on the endpoint as a result of the investigation if applicable and appropriate.  The Managed Detection and Response managed service is defined in a separate service description. 

3.2.4. Indicator Enrichment: Indicators of Compromise (“Indicators”) associated with detections are automatically extracted, scored, and enriched leveraging open source and BlueVoyant proprietary threat intelligence. Enriched indicators are visible within Wavelength™ and are assigned a reputation (ex: Good, Suspicious, Bad) and classification (ex: botnet, Zeus, crypto-miner, etc.). 

3.3. Health Monitoring: BlueVoyant is responsible for monitoring the agent communications with the BlueVoyant platform. Should agents become uncommunicative and unreachable, BlueVoyant will notify the Client and assist with troubleshooting. BlueVoyant will monitor log sources that are within the scope of service and will generate an alert when a log source’s output has not been received in a specified interval.

3.3.1. Event Flow Disruption

3.3.2. Host Health Status

3.4. Log Retention & Archiving: All log data collected from the client will be retained by BlueVoyant for a period of 30 days for security event analysis and retained in archive storage for a period of one year or as specified in the service order.  Logs older than 30 days can be retrieved and delivered to clients per written request with associated retrieval fees.

 

4. Supporting Features and Teams

4.1. Security Operations Center (SOC): The Service is supported by the BlueVoyant Security Operations Center which operates 24 hours a day, 7 days a week, and across multiple locations.  Please contact BlueVoyant staff for a list of certifications and credentials. 

4.2. Splunk: The Service is supported by a dedicated, single-tenant instance of Splunk to which you will have access for a specified number of your employees in addition to the BlueVoyant SOC and platform which will deliver services alongside your team.

4.2.1. Licensing. BlueVoyant acquires dedicated licensing for Splunk software on your behalf, based on daily log data ingest volume. This volume is determined by the log source types and quantity provided during the sales scoping process, and is confirmed during Service Activation. Data volume that exceeds what is quoted during scoping is subject to additional Splunk licensing fees.

4.3. Splunk Infrastructure: BlueVoyant will host your Splunk instance within a Virtual Private Cloud (VPC) within Amazon Web Services (AWS), which BlueVoyant will configure and maintain on your behalf. BlueVoyant stores 30 days of searchable data in the hosted environment by default. After 30 days, data is archived and no longer available for on-demand searches.

4.4. BlueVoyant Customer Portal: The BlueVoyant Customer Portal is a web-based portal that provides real-time visibility into detected alerts and confirmed incidents, and enables approved client employees to interact with the SOC, view all detected assets, and, if applicable, view vulnerabilities.

4.4.1. Dashboards: Available through Wavelength™, dashboards represent a variety of content including but not limited to event volume, alert volume, detected assets, and analyst response actions.

4.4.2. Reports: Available through the BlueVoyant Customer Portal, reports include client environment content related to alerts, incidents, indicators, assets and vulnerabilities.

4.4.3. Threat Intelligence Reports: Threat landscape, sectorial, and intelligence summary reports are developed by BlueVoyant threat research and delivered as reports on a monthly basis.  

4.5. Security Orchestration and Automation: Although not directly visible to clients, the orchestration and automation system is a key component of the BlueVoyant platform that supports the BlueVoyant Security Operations Center.  Orchestration accelerates triage, reduces false positives, and improves mean time to resolve (MTTR). 

4.6. BlueVoyant Client Experience Team: The Client Experience team is the primary support team for the client. The assigned client advisor acts as the client’s consultant and enables the best experience for BlueVoyant services.  The advisor will meet with the client on a regular basis (most often monthly) to understand client’s security program goals and will advise how BlueVoyant services can best meet their needs.  The advisor is also engaged in any significant security events that occur for the client.  Additionally, the advisor will deliver any requested feedback to the BlueVoyant product and service delivery teams. 

4.7. SIEM Concierge: All customers of the service will have access to SIEM Concierge Engineers (“SCE”), a billed service for the creation of customized content. Billable hours are determined by “work effort”, or the time it takes an SCE to build, test, and deploy the requested content to your environment. SIEM Concierge requests can be created via normal ticketing mechanisms or via your BlueVoyant Client Experience Team advisor.

4.7.1. Types of Content: The types of content that SIEM Concierge Engineers can create include (but are not limited to) customized dashboards, widgets, reports, alerts based on event and/or available threat intelligence data, and informal user training on the SIEM software.

4.7.2. Limitations: All Concierge requests are subject to the technical and contractual limitations of the SIEM Software as provided by Splunk (“the Vendor”). All Concierge requests are subject to review. SCEs will spend no more than 2 hours per day with Client, to a maximum of 10 hours in a given business week. Due to the highly customized and dynamic nature of the Concierge service, there is no specific SLA for completing Concierge requests.

4.7.3. Billing: All Managed SIEM customers receive an initial pool of forty (40) hours of SIEM Concierge time. Additional hours can be purchased through your sales representative or the Client Experience Team. Any Concierge services provided during the Service Activation process are not counted against the pool.

4.7.4. Exclusions. SIEM Concierge does not fulfill requests for security advice, posturing, incident response/remediation, legal, or audit support. Please contact your Client Experience Team advisor to direct these types of requests to the appropriate channels.

 

5. Client Communications: Below are the standard methods that the Service enables for the client to obtain information related to the Service or engage BlueVoyant staff.

5.1. BlueVoyant Customer Portal: The BlueVoyant Customer Portal (“Wavelength”) is the primary method for clients to stay informed of security activity in their environment and activities of the BlueVoyant Security Operations Center.  At any time, a client end user may go to the BlueVoyant Customer Portal and review any security alerts, dashboards, or reports.

5.2. Email: The client will receive Emails as a regular function of the Service.  Email topics can span a wide variety of matters, but most often they relate to security investigations: notification of risk or questions on appropriate environment use or behaviors.

Clients can also initiate service change requests via Email by sending an Email to soc@bluevoyant.com. Upon receipt of any emails, a service request case is created and can be viewed within the BlueVoyant Customer Portal. 

5.3. Calling Security Operations: The BlueVoyant Security Operations Center (SOC) is available 24/7/365 days a year and can be reached by calling 1-833-BLUEMSS or 1-833-258-3677. Only approved client end-users will be allowed to talk with BlueVoyant Security Operations and will be authenticated when their call is received. 

5.4. SIEM Concierge (optional): SCEs will record hours as incurred and report them to Client on a weekly basis, along with an email summary of work performed.

 

6. Log Collection

6.1. BlueVoyant Collector: The BlueVoyant collector is a software package that collects logs from external sources and delivers them to the BlueVoyant platform.  It enables log collection and monitoring for devices and systems on which deployment of a log collection agent is not possible, such as a router or firewall.  Most often such devices are configured to deliver Syslog content to a BlueVoyant collector.

6.2. BlueVoyant Agents: BlueVoyant agents are software packages installed directly on client endpoints and servers to enable log collection and delivery to the BlueVoyant platform.

6.3. Cloud/SaaS Platforms: The BlueVoyant platform is able to communicate directly via API with most cloud-based technologies and services for log ingestion, such as Microsoft Office365, Google GSuite, etc. Client is responsible for providing and maintaining API credentials for BlueVoyant. Contact your sales representative for a list of supported services.

6.4. Minimum Collection Sources: In order to provide the best detection and highest quality service, there is a minimum set of log collection source types that must be monitored. BlueVoyant reserves the right to refuse service, and is unable to meet service level agreements, if these sources are not included in the set of monitored sources in the associated service order.

6.4.1. Network Perimeter Visibility: Visibility of network traffic entering or leaving the environment, typically provided via Firewall or Next-Generation Firewall or equivalent within a cloud environment.

6.4.2. Advanced Endpoint Visibility: Comprehensive visibility of activities occurring on the client’s endpoints including behavioral detections.  Visibility can be provided either through the BlueVoyant Managed Detection and Response (MDR) service, deployed Next-Generation Anti-Virus agents or deployed Endpoint Detection and Response agents. 

6.4.3. User Authentication & Access: Visibility into users and the systems they access, typically provided through Microsoft Active Directory, a Lightweight Directory Access Protocol (LDAP) server, or a 3rd party federated login provider.

6.4.4. Dynamic Host Configuration Protocol (DHCP): Access to DHCP logs to enable identification of assets in the environment via IP address resolution. Alternatives to DHCP log collection (such as Cloud IaaS inventory) can be substituted if they provide full asset visibility.

6.5. Non-standard Sources: BlueVoyant will provide a set of correlations and detections for commonly supported sources and platforms. For non-standard log sources, BlueVoyant may require its consultants or engineers to work with Client to understand the Client’s log source(s), important event criteria, and any custom reporting or real-time alerting requirements. The scope of this analysis will be set out in a separate signed Statement of Work (“SOW”).  This consulting work is separate and distinct from the efforts of the deployment engineers described below.

6.6. Non-Security Data: Client may elect during the scoping phase to send non-security related log data to the SIEM Cluster, such as performance, transactional, or internal health monitoring data. Client is able to write their own dashboards, alerts, or reports against this data, but BlueVoyant will not monitor, report, or action against it. Non-security data still counts against daily ingest volume for licensing and infrastructure sizing purposes.

6.7. Scope of Service: The Service is limited to monitoring the devices & sources subscribed for service as defined in the associated Service Order and does not include management or monitoring of any unsubscribed end-point or intermediary log sources.

6.7.1. Unapproved Sources: Sources that have been configured to relay their logs to a BlueVoyant collector or agent but are not defined in the Service Order are deemed “unapproved”. Log collection from unapproved sources may be blocked by BlueVoyant, and a client may receive charges related to the monitoring of the unapproved source.

 

7. Correlations & Detections

7.1. Managed Threat Correlations: As part of the Service, BlueVoyant Engineering implements and delivers new correlations. Client may use available SIEM Concierge hours to request customized correlations, detections, and alerts that are deployed exclusively in the client’s environment.

7.2. Client Developed Threat Correlations: Client is able to develop its own reports, correlations, and alerts via the provided Search-Head access. The client can deliver the results of this content internally via email or another supported connection mechanism, but this content cannot be delivered to or actioned upon by the BlueVoyant SOC.

 

8. Service Level Agreements

8.1. Security Event Monitoring: The Client shall receive a communication regarding security incidents (according to the escalation procedures defined, or in the manner pre-selected in writing by Customer, either through the Portal, email, or by telephone) according to the matrix below. Notification time is measured from the point at which an analyst has completed the investigation and classified the event; this prevents notifications for benign or false-positive alerts.

Severity | Definition | Notification Time | Notification Method
Critical | Events that represent an imminent threat to Client assets, including: data destruction, encryption, exfiltration, or a malicious interactive attacker. | 30 minutes of event classification completion | 1. Email; 2. Phone Call; 3. Wavelength
High | Events that represent a significant threat to Client assets, including: rootkits, keyloggers, or trojans not defined as “critical”, ransomware, confirmed suspicious privilege escalation, confirmed social engineering-based attack. | 1 hour of event classification completion | 1. Email; 2. Phone Call; 3. Wavelength
Medium | Events that represent a potential threat to Client assets, including: malware types such as bots or spyware not defined as “critical” or “high”. | No Notification | Wavelength
Low | Events that represent a minimal threat to Client assets, including adware or other potentially unwanted programs (PUPs). | No Notification | Wavelength

 

8.2. Service Requests: Standard service requests (applies to all non-change and non-incident tickets) submitted via the Portal, Email, or telephone will be subject to “acknowledgement” (either through the BlueVoyant ticketing system, email, or telephonically) within one (1) hour from the time stamp on the Service Request ticket created by the BlueVoyant Platform.

8.3. Maintenance Windows: BlueVoyant may schedule maintenance outages for the BlueVoyant software that enables log collection with 24 hours’ notice to designated Client contacts.  SLAs shall not apply during maintenance outages, and Client is therefore not eligible for any SLA credit during these periods.

8.3.1. Emergency Maintenance: Where changes are immediately necessary, BlueVoyant may initiate an emergency maintenance window.  When this occurs, BlueVoyant will use commercially reasonable efforts to provide notice and minimize the impact to clients.

8.4. Client Service Outage: The SLAs shall not apply in the event of any Client-caused Service outage that prohibits or otherwise limits BlueVoyant from providing the Service or delivering the SLAs, including, but not limited to, Client’s misconduct, negligence, inaccurate or incomplete information, modifications made to the Services, or any unauthorized modifications made to any managed hardware or software Devices by Client, its employees, agents, or third parties acting on behalf of Client.

8.5. Third Party Outage: For log collection from third-party sources such as Software-as-a-Service or Cloud Infrastructure providers, SLAs are not applicable for any outage of the third party that affects the delivery of its logs to the BlueVoyant platform.

8.6. SLA Credits: Client will receive credit for any failure by BlueVoyant to meet the SLAs outlined above within thirty (30) days of notification by Client to BlueVoyant of such SLA failure. In order for Client to receive an SLA credit, the notification of the SLA failure must be submitted to BlueVoyant within thirty (30) days of such SLA failure occurring. BlueVoyant will research the request and respond to Client within thirty (30) days from the date of the request. The total amount credited to Client in connection with any of the above SLAs in any calendar month will not exceed the monthly Service fees paid by Client for such Service. Except as otherwise expressly provided hereunder or in the MSA, the foregoing SLA credit(s) shall be Client’s exclusive remedy for failure to meet or exceed the foregoing SLAs.

 

9. Service Activation: Service activation (“Service Activation”) consists of three phases: introduction, provisioning, and tuning.  Service Activation begins once the signed Service Order is received and ends with the activation of the Service.   Service Activation is dependent on a number of factors, such as the number of log collection sources, the number of physical sites, the complexity of the Client’s network, Client requirements, and the ability of Client to provide BlueVoyant with requested information and deployment of supporting software and configuration within a mutually agreed-upon timeframe. BlueVoyant does not provide SLAs for completing Service Activation within a specified period of time.

9.1. Introduction Phase: The introduction phase facilitates information gathering and begins with project kickoff.  During this phase, key BlueVoyant and client staff are introduced, and client priorities, expectations, and project timelines are established.

9.1.1. BlueVoyant Project Manager: At the beginning of client deployment, a BlueVoyant implementation project manager will be assigned to coordinate the onboarding process.  The implementation project manager will work with the client to establish timeline goals, the priority and schedule in which sources and devices will be onboarded, and when they will move to steady-state monitoring.

9.1.2. Client Experience Team: At the beginning of client deployment, a BlueVoyant Client Experience Advisor will be assigned to the client.  This person will work directly with the client and will act as their main point of contact beyond direct calls to the Security Operations Center.

9.1.3. Threat Profile: In order to provide organization-specific threat intelligence, BlueVoyant will collect information about the company to better understand potential threats. Collected information will include the organization's industry, segment, key employees, key systems, and the types of digital assets it owns, including domains and IP address segments.

9.1.4. Approved Response Plan: The Client and BlueVoyant will discuss and agree upon rules of engagement for service operation, e.g., response actions and policies, vulnerability scanning policies, authorized client points of contact, and other operational considerations. Included in the response plan is the creation of the escalation procedures, which define who in the client’s organization should be contacted in the event of an incident.

9.2. Provisioning Phase: The provisioning phase is focused on deployment of software to enable log collection and the configuration of devices and applications to deliver logs to the BlueVoyant platform for storage and analysis.

9.2.1. BlueVoyant Collector: Provisioning of client equipment and installation of the BlueVoyant collectors at agreed-upon locations for collection from specific devices. Client will enable connectivity of BlueVoyant collectors to the remote BlueVoyant platform.  BlueVoyant will provide minimum system requirements for hosting the BlueVoyant Collector software.

9.2.2. BlueVoyant Agents: Deployment of the BlueVoyant agents to identified endpoints and servers to enable log collection.  Client will enable connectivity of BlueVoyant agents to the remote BlueVoyant platform.

9.2.3. Source Configuration: Configuration of devices and applications to enable collection of logs. This most often includes configuration of network devices such as firewalls to direct Syslog content to a BlueVoyant collector for log collection. 

9.2.4. Wavelength™ User Onboarding: Client will provide a list of identified users and their email addresses for access to Wavelength™ and the SOC. Client users will receive an onboarding email to access Wavelength and will configure multi-factor authentication with their device. BlueVoyant will conduct Wavelength™ training for Client users.

9.2.5. Log Collection Audit: Once all collection software has been deployed and sources have been appropriately configured to enable detection, an audit is performed to ensure the Service is ready to commence; this includes a review of daily log volume ingestion to ensure the Splunk license sized during scoping is sufficient.

9.3. Tuning Phase: BlueVoyant will use the first 14-30 days post installation to identify a baseline of the Client environment and tune the Service. Tuning is a process of factoring out some of the expected noise of the Client’s environment and optimizing the service to provide better visibility and anomaly detection.

9.3.1. Inventory of Assets: Once the collection and agent software has been deployed, identification and contextualization of assets can occur. This includes identifying “Key Terrain” devices and applications as well as asset tagging and assigning asset criticality.

9.4. Onsite Deployment: Should onsite installation and configuration be necessary, BlueVoyant will provide such a resource for an additional fee as well as travel and lodging expenses.

10. Migration of Existing SIEM Installation

10.1. Evaluation: For clients with an existing, operational installation of Splunk software, BlueVoyant will provide an evaluation, analysis, and cost estimate for migrating the existing installation. This engagement will occur with the Professional Services team under a separate statement of work.

 

11. Migration Between BlueVoyant Services:

11.1. Migrating from DaaS to Managed SIEM: Migrating from Detection-as-a-Service (“DaaS”) to Managed SIEM requires a project manager to restart the Service Activation process, and will be a new engagement scoped with Professional Services.

 

12. Change Management.

12.1. Client Capabilities: Client is able to create or modify searches, reports, dashboards, and alerts at any time without approval or notification to BlueVoyant; provided these changes do not impact BlueVoyant Monitoring (see “Right of Review”).

12.1.1. Exclusions. Client may not modify any searches, reports, or alerts with a “BV_” or “BV-” prefix. This prefix indicates BlueVoyant-specific content that is required for SOC Operations.

12.1.2. Right of Review. BlueVoyant has the right to review and terminate all searches, reports, and dashboards created by Client if they are determined to be causing significant impact on system performance or BlueVoyant monitoring capabilities. In the event that this occurs, BlueVoyant will inform Client of the removed or terminated content.

12.2. Prohibited Changes: Client may not, at any time, modify or change any other aspect of the Splunk environment, with the exception of those items listed in 12.1, without review and approval from the BlueVoyant SOC.

 

13. SIEM Architecture & Content: BlueVoyant builds each Client’s SIEM infrastructure (or “SIEM Cluster”) to custom specifications as captured during the scoping process. It is important that the Client provides accurate information on current log sources as well as future growth in order to ensure the SIEM Cluster and software license are sized appropriately. The Client may incur additional costs if the information provided during the scoping process is inaccurate or incomplete.

13.1. Data Structures & Schema: BlueVoyant will design the data structure & schema to follow the Splunk Common Information Model (“CIM”). This best-practice method ensures optimal performance and data viability, and supports BlueVoyant’s Proprietary Content.

13.2. 3rd Party Applications: BlueVoyant will install and configure log management software applications, modules, and technology add-ons in the SIEM Platform on Client’s behalf. These software applications must be approved by, and will be installed from, the Vendor’s software distribution platform. The software may be installed with or without custom modifications as required by BlueVoyant.  If a requested application may incur additional fees, BlueVoyant will communicate these fees and obtain client acceptance before installation.

13.3. Proprietary Content: BlueVoyant’s customized correlations, data analysis methods, alerting schema, threat intelligence and reporting templates are considered the intellectual property of BlueVoyant. Unauthorized use, distribution, or reverse engineering is strictly forbidden.

13.4. Data Storage: BlueVoyant stores 30 days of searchable data in the hosted environment by default. After 30 days, data is archived (non-searchable) and no longer available for on-demand searches, correlations, or on-demand reporting. Extending the period of searchable data is available at additional cost. Archived data can be retrieved and delivered to clients per written request with associated retrieval fees. All Managed SIEM customers receive a minimum of one year (365 days) of data retention by default.

 

14. Client Responsibilities

14.1. Software Deployment: During the service activation process, the client will deploy BlueVoyant Collector and Agent software where appropriate to enable collection of logs and appropriate environment visibility. Additionally, the client will support configuration of devices and applications for collection where necessary; for example, configuring their firewall to forward its logs via Syslog.

14.2. Source Configuration: Client is responsible for configuring all log sources so that logs are appropriately sent to the agents and log collection devices. This includes, but is not limited to, any intermediary log sources. If changes to Client’s existing network architecture are required for Service implementation, BlueVoyant will communicate these changes to Client.

14.3. Notification of Environment Changes: Client will notify BlueVoyant of any environment changes that may affect execution of the Service.

14.4. Notification of User Changes: Client will notify BlueVoyant of any necessary user account changes tied to client employee termination; this includes employees or contractors that have access to the BlueVoyant client portal or approval to contact the Security Operations Center.

14.5. Internet Access: Client is required to maintain Internet connection to all systems that are performing log collection.

14.6. Additional Remediation: During investigation of security alerts, the BlueVoyant Security Operations Center may give guidance to a client to perform specific actions in their environment in order to improve their security posture or to fully remediate an incident.  Performance of these actions is the Client’s responsibility.

14.7. PII Obfuscation: Client is responsible for filtering all data delivered to BlueVoyant for Personally Identifiable Information (PII) or credit card information.

 

15. Service Termination:  If the Service Order with BlueVoyant is cancelled or the Agreement is terminated, the Client will have thirty (30) days from the time a cancellation request is initiated or the Agreement has expired (whichever comes first) to request the receipt of archived data. Hourly consulting fees will apply for all time spent restoring the archived data. If a request is not received within the thirty (30) day period, BlueVoyant will permanently destroy all archived data pertaining to security devices no longer under a valid Service Order or Agreement.

 

16. Additional Service Terms and Conditions:

16.1. Modify Terms: BlueVoyant reserves the right to modify the terms of this Service Description, including the SLAs, with 30 days prior notice.

16.2. Risk Elimination: The Service provides expert security analysis to the Client. However, deployment of the BlueVoyant Service in a Client network does not achieve the impossible goal of risk elimination, and therefore BlueVoyant makes no guarantee that intrusions, compromises, or any other unauthorized activity will not occur on a Client network.

 

Vulnerability Management Service:

(back to top)

1. Description of Service:  This Service Description and Service Level Agreement (“Service Description”) describes the Service (as defined below) being provided to you (“Customer”, “Client”, or “you”) by BlueVoyant under the Service Order executed by Client for the purchase of this Service.
This Service is provided in connection with Client’s signed Service Order and separate signed master services agreement that explicitly authorizes the sale of managed security and consulting services. In the absence of either a master services agreement or security services schedule, the Services described under this Service Description will be governed by and subject to the terms and conditions of the BlueVoyant Master Services Agreement (“MSA”) listed at https://www.bluevoyant.com/bvmssterms.



2. Service Overview:  The BlueVoyant Vulnerability Management Service (“VMS” or “Service”) delivers vulnerability assessments of the Client’s environment.  The Service consists of automated, recurring vulnerability scanning and utilizes the BlueVoyant Platform (“The Platform”) in conjunction with a team of analysts in the BlueVoyant Security Operations Centers (SOCs).  Management is limited to the software application that is installed on Client hardware that performs the vulnerability assessments. Management activities include Service implementation, configuration changes necessary for the successful provision of the Service, as well as vendor software updates in line with the BlueVoyant software update policy described elsewhere in this Service Description. 

 

3. Service Tiers:  BlueVoyant VMS offers three tiers of service for the Vulnerability Management Service: 

3.1. Tier 1: Vulnerability Import:  With this tier, the Client will work with BlueVoyant to enable the automatic import of vulnerabilities into the Platform from a supported vulnerability assessment solution owned and operated by the Client.  The vulnerabilities will be visible to the Security Operations Center to inform and improve the quality of other BlueVoyant services, and the Client can use the BlueVoyant Wavelength Portal to track vulnerabilities and generate reports.

3.2. Tier 2: Vulnerability Scanning:  Expanding on the previous service tier, with this service tier BlueVoyant will work with the Client to deploy Virtual Appliances and conduct asset discovery and vulnerability assessments internally in the Client’s environment.  BlueVoyant will also use our third party vulnerability management supplier (Qualys) to perform external scanning, it being understood that Qualys owns the services it provides and the Client will not receive any direct right or license to use the Qualys services.  Clients using this tier of service will have access to the BlueVoyant Wavelength Portal to track vulnerabilities, assets discovered as part of the vulnerability scan ingestion, as well as related reports.

3.3. Tier 3: Co-Managed Scanning:  Expanding on the previous service tier, Clients with this service tier will also have access to the Client experience offered by our third party vulnerability management supplier’s product.  Clients provisioned with access to the vendor product gain more advanced vulnerability management capabilities. With the CoManaged tier, Client will receive a third party license as part of the service or will bring their own license. Clients will provision accounts for the BlueVoyant Platform and/or personnel to assist with policy management, vulnerability scanning scheduling, and other configuration items.

Service Feature Matrix (Tier 1: Vulnerability Import; Tier 2: Vulnerability Scanning; Tier 3: CoManaged Scanning)

Service features compared across tiers:

- Internal Scanning
- External Scanning
- Asset Discovery
- Software Upgrades
- Vulnerability Tracking
- BlueVoyant Vulnerability Reports
- Integration with BlueVoyant MSS
- Access to vulnerability product to conduct scans, configure policies, and reporting

 

4. Service Features

4.1. Vulnerability Assessment: The Service's primary function is the performance of vulnerability assessments, utilizing vulnerability assessment software to discover known weaknesses in software and to provide recommendations for managing the vulnerabilities through the BlueVoyant Portal and supporting reports.

4.1.1. External Scanning: Detection of vulnerabilities that are exposed beyond the Client’s network perimeter and are therefore visible and possibly exploitable by attackers.  External scanning is conducted against Internet facing assets; assets not accessible with a routable IP address will not be scanned. Scans are conducted from BlueVoyant systems and/or systems hosted by the vulnerability management supplier and directed at the Client infrastructure.  

4.1.2. Internal Scanning: Detection of vulnerabilities within the Client’s organization that may not be externally facing but could be exploitable by attackers within the environment.  The internal vulnerability assessments can perform authenticated scans to obtain the highest level of detail on what software is running on the device, its patch levels, and possible vulnerabilities.  Internal scanning requires the deployment of appropriate infrastructure as described in Service Activation.

4.1.3. Scan Frequency:  Clients can elect for scans to be conducted on a regular basis at monthly or quarterly intervals for tier 2; and weekly, monthly, or quarterly for tier 3.  Scan frequency is established by Client request during service activation, but can be modified at any time. The Client can request execution of ad-hoc re-scans up to four (4) times per month.   

4.1.3.1. On-Demand Scanning:  BlueVoyant can conduct vulnerability scans on a Client need basis with a one (1) business day lead time.  On-Demand scans are limited to one (1) per month for tier 2, and four (4) per month for tier 3.

4.1.4. Remediation Verification:  By comparing new vulnerability scan results against previously identified vulnerabilities, the Service will determine which vulnerabilities have been appropriately remediated.  Vulnerabilities remain in an active state within the BlueVoyant Portal until a subsequent vulnerability scan confirms the remediation, not at the time a patch or upgrade is applied.

4.1.5. Policy Selection: As part of Service Activation, BlueVoyant staff will work with the Client to understand what their compliance and risk goals are, relative to the impact that vulnerability scanning may make in their environment and select an appropriate pre-configured scanning policy.

BlueVoyant’s VMS Service does not include Web Application Security Scanning.

4.2. Asset Discovery:  As part of the Service the Client can instruct BlueVoyant to conduct regular asset scanning to identify new devices in their environment or to update any identifying information on previously detected assets such as hostname or IP address, or deploy passive asset collection solutions provided by BlueVoyant.  Depending upon the scanning technology chosen, additional asset discovery may require one or more additional virtual instances to be provisioned to allow for more visibility into various network spans for asset data collection. The BlueVoyant platform makes reasonable efforts to keep the asset repository fresh, accurate and reduce the possibility of duplicate asset records or stale assets.  Asset records will automatically be created as part of processing detected vulnerabilities from the vulnerability assessment software.  

4.2.1. Asset Prioritization:  Through the BlueVoyant Portal, Clients can assign criticality to asset records to indicate which assets are the most important in their environment.  When the Service is combined with other BlueVoyant Managed Services, this enables the BlueVoyant Security Operations Center to better understand risk in the environment and take correct action in Client notifications or response actions.

4.2.2. Asset Tagging:  Through the BlueVoyant Portal, Clients can apply “tags” to asset records.  This enables grouping of assets by Client defined criteria to support dashboards and reports.

4.3. Vulnerability Tracking:  Through the BlueVoyant Portal, the Client will be able to see all active vulnerabilities that have been detected in their environment.  Vulnerabilities are mapped to asset records which are mapped to any security alerts or incidents (detected through other BlueVoyant Managed Security Services) to support traceability of the activity of assets and vulnerabilities. 

4.4. Reports:  Through the BlueVoyant Portal, the Client will have access to on-demand vulnerability reports.  Vulnerability reports contain content such as new vulnerabilities, resolved vulnerabilities, critical vulnerabilities on critical assets, and other similar content.

4.5. Software Upgrades:  As software patches, upgrades, and new vulnerability signatures are released for the supporting vulnerability assessment software BlueVoyant will assess the release for security, stability, and functionality before certifying it as a supported version.  BlueVoyant will perform software upgrades automatically for deployments leveraging the BlueVoyant Virtual Appliance and BlueVoyant Platform.  

4.6. Integration with BlueVoyant Managed Services: A significant value of the Service is knowledge of the vulnerabilities and exploitation risk which exists within the Client’s environment provided to the BlueVoyant Security Operations Center.  These insights may support security investigations to understand possible root cause for security incidents or how easily an attacker may traverse across systems within a Client’s environment in order to inform the best response action.  

4.7. With BlueVoyant Managed SIEM: Vulnerability dashboards can be deployed within the SIEM to monitor the vulnerability program.  Depending upon the technology selected, clients may have to provision virtual instances to host the scanning solution for internal scans.  External scans can be configured and initiated from the vendor’s cloud environment. Internal scanning can be run against network segments or, if desired, the vendor’s scanning agent can be installed on a per-instance basis.  Network scanning and per-device scanning can be combined, since some device types, such as network switches, typically cannot run a local scanning agent but can be scanned via a network appliance as part of an internal scan.  Note that, as with other scanning configurations, Managed SIEM clients will have full visibility into their scanning data via the Wavelength portal, including a list view of vulnerability scans as well as full details within specific vulnerability entries.

 

5. Existing Product Purchase (“BYOL”):  If a supported vulnerability scanning solution is already deployed and licensed directly with the Client, the Client can purchase CoManaged Scanning (Tier 3) and engage BlueVoyant for vulnerability scanning.

The Client will be responsible for provisioning a user account with appropriate privileges for the BlueVoyant SOC to enable the service. The Client will remain responsible for the terms & conditions of their contract, billing, and invoicing with the vendor.

 

6. Supporting Features and Teams

6.1. Security Operations Center (SOC):  The Service is supported by the BlueVoyant Security Operations Center which operates 24 hours a day, 7 days a week, across multiple locations.  

6.2. Wavelength (BlueVoyant’s Client Portal): Wavelength is a web-based portal that provides real-time visibility into detected alerts and confirmed incidents, enables approved Client employees to interact with BlueVoyant’s security operations center analysts, and allows them to view all detected assets and vulnerabilities.

6.2.1. Dashboards: Dashboards available through Wavelength™ represent a variety of content, including but not limited to event volume, alert volume, detected assets, and analyst response actions.

6.2.2. Reports: Available through Wavelength™, reports include Client environment content related to alerts, incidents, indicators, assets and vulnerabilities.  

6.3. BlueVoyant Client Experience Team: The Client Experience team is the primary support team for the Client.  The assigned technical account manager acts as the Client’s consultant and enables the best experience for BlueVoyant services.  The advisor will meet with the Client on a regular basis (most often monthly) to understand Client’s security program goals and will advise how BlueVoyant services can best meet their needs.  The advisor is also engaged in any significant security events that occur for the Client. Additionally, the advisor will deliver any requested feedback to the BlueVoyant product and service delivery teams.  

7. Client Communications: Below are the standard methods that the Service provides for the Client to obtain information related to the Service or to engage BlueVoyant staff.

7.1 BlueVoyant Customer Portal:   The BlueVoyant Portal is the primary method for Clients to stay informed of security activity in their environment and activities of the BlueVoyant Security Operations Center.  At any time, a Client end user may go to the BlueVoyant Portal and review any vulnerabilities, dashboards, or reports.

7.2. Email:  The Client will receive Emails as a regular function of the Service.  Email topics can span a wide variety of matters, but most often they relate to security investigations: notification of risk or questions on appropriate environment use or behaviors. 

Clients can also initiate service change requests via Email by sending an Email to soc@bluevoyant.com. Upon receipt of any emails, a service request case is created and can be viewed within the BlueVoyant Portal.  

7.3. Calling Security Operations: The BlueVoyant Security Operations Center (SOC) is available 24/7, 365 days a year, and can be reached by calling 1-833-BLUEMSS or 1-833-258-3677. Only approved Client end users will be allowed to talk with BlueVoyant Security Operations, and they will be authenticated when their call is received.


8. Service Level Agreements

8.1 Service Availability: The Client shall receive a communication regarding Service availability issues (according to the escalation procedures defined, or in the manner pre-selected in writing by the Client, such as through email) according to the matrix below.

Impact: Priority 1
Definition: In the situation of a Priority 1 issue, defined as preventing the Service from functioning, or a BlueVoyant Portal outage, BlueVoyant will notify the Client in accordance with the Agreement.
Agreement: 4 business hours of detection
Notification Method: Email

Impact: Priority 2
Definition: In the situation of a Priority 2 issue, defined as one or more significant components supporting the Service being unavailable (for example, OnDemand reports are unavailable), BlueVoyant will notify the Client.
Agreement: 24 business hours of detection
Notification Method: Email


8.2. Service Requests:  Standard service requests (applies to all non-change and non-incident tickets) submitted via the Portal, Email, or via telephone will be subject to “acknowledgement” (either through the BlueVoyant ticketing system, email or telephonically) within the next business day from the time stamp on the Service Request ticket created by the BlueVoyant Platform.  

8.3. Maintenance Windows: BlueVoyant may schedule maintenance outages for the BlueVoyant software that enables vulnerability assessments with 24 hours’ notice to designated Client contacts. SLAs shall not apply during maintenance outages, and the Client is therefore not eligible for any SLA credit during these periods.

8.3.1. Emergency Maintenance:  In the circumstance of immediate necessary changes, BlueVoyant may initiate an emergency maintenance window.  When this situation occurs, BlueVoyant will use commercially reasonable efforts to provide notice and minimize the impact to Clients.  

8.4 Client Service Outage: The SLAs shall not apply in the event of any Client-caused Service outage that prohibits or otherwise limits BlueVoyant from providing the Service or delivering the SLAs, including, but not limited to, Client’s misconduct, negligence, inaccurate or incomplete information, modifications made to the Services, or any unauthorized modifications made to any managed hardware or software Devices by Client, its employees, agents, or third parties acting on behalf of Client.

8.5. Third Party Outage: SLAs are not applicable for any outages of the third-party vendor’s software related to the delivery of vulnerabilities to the BlueVoyant platform or performance of vulnerability assessments.  

 

9. Service Activation: Service activation (“Service Activation”) consists of three phases: introduction, provisioning, and tuning.  Service Activation begins once the signed Service Order is received and ends with the activation of the Service.   Service Activation is dependent on a number of factors, such as the number of physical sites, the complexity of the Client’s network, Client requirements, and the ability of Client to provide BlueVoyant with requested information and deployment of supporting software and configuration within a mutually agreed-upon timeframe. BlueVoyant does not provide SLAs for completing Service Activation within a specified period of time.

9.1 Introduction Phase: The introduction phase facilitates information gathering and begins with project kickoff. During this phase, introductions are made between key BlueVoyant and Client staff, and Client priorities, expectations, and project timelines are established.

9.1.1 BlueVoyant Project Manager: At the beginning of Client deployment, a BlueVoyant implementation project manager will be assigned to coordinate the onboarding process. The implementation project manager will work with the Client to establish its timeline goals, which sources and devices will be onboarded, in what priority and on what timeline, and when they will move to steady-state monitoring.

9.1.2 Client Experience Team:  At the beginning of Client deployment, a BlueVoyant Client Experience Advisor will be assigned to the Client.  This person will work directly with the Client and will act as their main point of contact beyond direct calls to the Security Operations Center. 

9.1.3. Network Segments:  BlueVoyant will work with the Client to understand their network environment and the best deployment locations for BlueVoyant Virtual Appliances to ensure proper vulnerability assessment coverage.  

9.1.4. Approved Notification Plan: The Client and BlueVoyant will discuss and agree upon rules of engagement for service operation which includes primary contact points for any service outages or maintenance window notifications.

9.1.5. Scan Policy and Frequency: BlueVoyant will work with the Client to understand its risk and compliance goals and select the vulnerability scan policies and scan frequency that best meet its vulnerability assessment needs. Scans can be conducted on a weekly, monthly, quarterly, semi-annual, or annual basis. Ad hoc scans are also supported in coordination with BlueVoyant.

9.1.6. Cloud Infrastructure: In order to perform vulnerability assessments against cloud infrastructure, many cloud providers such as Amazon AWS, Microsoft Azure, and Google Cloud Platform require prior written approval. During the introduction phase, the Client will identify infrastructure that is hosted with a cloud provider, and BlueVoyant will work with the Client to obtain prior approval for the scan frequency of that infrastructure.

9.2. Provisioning Phase: The provisioning phase is focused on deployment of the advanced endpoint software that enables endpoint visibility and response actions.

9.2.1. BlueVoyant Virtual Appliance: The BlueVoyant Virtual Appliance is deployed at specific locations in the Client environment to enable vulnerability assessments. The BlueVoyant Virtual Appliance is a software package that runs on Client-provided equipment to enable the Service. BlueVoyant will provide the Client with system requirements for the software deployment.

9.2.2. BlueVoyant Portal User Onboarding: Client will provide a list of identified users and their email addresses for access to the BlueVoyant Portal and Security Operations Center. Client users will receive an onboarding email to access the BlueVoyant Portal and will configure multi-factor authentication with their device. BlueVoyant will conduct Portal training for Client users.  
9.3. Tuning Phase: BlueVoyant will use the first 14-30 days post installation to identify a baseline of the Client environment and tune the Service. 

9.3.1. Inventory of Assets: Once the BlueVoyant Virtual Appliance(s) have been deployed, the environment will be scanned to detect all assets. The asset list will be reviewed with the Client and contextualization will be applied. This includes identifying “Key Terrain” devices and applications, as well as asset tagging and assigning asset criticality.

9.4. Onsite Deployment:  Should onsite installation and configuration be necessary, BlueVoyant will provide such a resource for an additional fee as well as travel and lodging expenses.

 

10. Client Responsibilities

10.1. Software Deployment: If required, during the service activation process, the Client will deploy the BlueVoyant Virtual Appliance software on provisioned devices. 

10.2. Notification of Environment Changes: Client will notify BlueVoyant of any environment changes that may affect the execution of the Service.  

10.3. Notification of User Changes:  Client will notify BlueVoyant of any necessary user account changes tied to Client employee termination; this includes employees or contractors that have access to the BlueVoyant Client portal or approval to contact the Security Operations Center.

10.4. Internet Access: Client is required to maintain an Internet connection for BlueVoyant Virtual Appliances so they can deliver scan results back to the BlueVoyant Platform.


11. Service Prerequisite: The Service requires that the Client purchase alongside, or have already purchased, either the BlueVoyant Protected Endpoint, Managed Detection and Response (“MDR”), Detection-as-a-Service (“DaaS”) or Managed SIEM service. The Vulnerability Management Service is an add-on service to any of those services.

 

12. Service Termination: If the Service Order with BlueVoyant is cancelled or the Agreement is terminated, the Client will have thirty (30) days from the time a cancellation request is initiated or the Agreement has expired (whichever comes first) to request receipt of archived data. Hourly consulting fees will apply for all time spent restoring the archived data. If a request is not received within the 30-day period, BlueVoyant will permanently destroy all archived data pertaining to security devices no longer under a valid Service Order or Agreement.

 

13. Additional Service Terms and Conditions: 

13.1 Modify Terms: BlueVoyant reserves the right to modify the terms of this Service Description, including SLAs, with 30 days prior notice.


13.2 Impact to Environment: The nature of vulnerability assessments is such that certain vulnerabilities and misconfigurations of Client devices can pose risks when scanned. BlueVoyant cannot guarantee that the VMS vulnerability assessment will not adversely affect the performance or availability of the targeted systems.

13.3. Third Party Product: Relevant to Tier 2 Vulnerability Scanning: Qualys, Inc. will retain ownership of the cloud services it provides. The Client will not receive any right or license to use the Qualys cloud services.

13.4. Indemnification: Client agrees to indemnify, defend, and hold BlueVoyant harmless from and against any and all claims, losses, liabilities and damages, including reasonable attorney’s fees, arising from any and all third party claims brought against BlueVoyant that arise out of the scanning, testing, and/or evaluation of incorrect or unauthorized IP addresses that are provided by Client or any breach of a Client representation or warranty. 

13.5. Discovery:  BlueVoyant does not guarantee that every vulnerability on every tested device will be discovered.  BlueVoyant does not guarantee that every identified vulnerability is a true vulnerability.