IBM Managed Security Services for Security Event and Log Management

Transcription

1 Service Description IBM Managed Security Services for Security Event and Log Management 1. Scope of Services IBM Managed Security Services for Security Event and Log Management (called MSS for SELM ) is designed to help provide a secure comprehensive Web-driven solution for archival and expert analysis of security events and log data. Security event and log data is consolidated into the Virtual-SOC,which can result in reduced on-premise security event and log management infrastructure costs, while helping to provide secure storage and archival of security event and log data for up to seven years. IBM offers MSS for SELM at the following alternative service levels. MSS for SELM Standard MSS for SELM Select both described in further detail below. The details of your order (e.g., the services you require (including service levels), contract period, and charges) will be specified in an Order. Definitions of service-specific terminology can be found at The following table provides an overview of the features and services which comprise MSS for SELM - Standard and Select service levels. Table 1 Features and Services Feature and Services Standard Level Select Level Project kickoff, assessment, and implementation Supported products Automated analysis of event data X-Force Protection System ( XPS ) alerts Any device or application that creates log data in a text based format (supported IDS/IPS devices, most routers, network infrastructure devices, operating systems, and applications) Generic based text logs, syslog, and W3C Not available Not available Included Supported Intrusion Detection and Intrusion Prevention devices Provided for Intrusion Detection and Intrusion Prevention events Provided for selected Intrusion Detection and Intrusion Prevention security events via and the Web Detailed reporting Events per second Out of band ( OOB ) access Security event and log delivery on encrypted DVD to specified location Duration security event and log Included templates Unlimited within the constraints of the platform creating the log data Available as an option Available as an option Up to 1 year Page 1 of 13

2 data is available online Duration security event and log data is archived offline Incident ticketing Integration with Customer ticketing system Simple and advanced querying Data delivery Integrated security intelligence Trouble ticket integration Up to 7 years Included Available as an option Included Available as an option - provided via encrypted DVD Included Available as an option Multiple report audiences Not available Included XFTAS 1 seat for the XFTAS security intelligence service MSS for SELM - Standard MSS for SELM Standard provides a central source for security event and log data from a variety of network devices. The service allows organizations to collect information from different technologies into one seamless platform to archive, analyze, correlate and trend security events and logs. 2. IBM Responsibilities 2.1 Deployment and Initiation Data Gathering During deployment and initiation, IBM will work with the Customer to deploy an On-site Aggregator ( OA ) and IBM MSS Universal Logging Agents ( ULAs ) on Hosts, as needed Project Kickoff IBM will send the Customer a welcome and conduct a kickoff call to: introduce the Customer contacts to the assigned IBM deployment specialist; set expectations; and begin to assess the Customer requirements and environment. IBM will provide a document called Network Access Requirements, detailing how IBM will connect remotely to the Customer s network, and any specific technical requirements to enable such access. Typically, IBM will connect via standard access methods through the Internet; however, a site-to-site VPN may be used, if appropriate Assessment Data Gathering IBM will provide a form for the Customer to document detailed information for the initial setup of the Agent and associated service features. Most of the questions will be technical in nature and help determine the layout of the Customer network, Hosts on the network, and desired security policies. A portion of the requested data will reflect the Customer organization, and will include security contacts and escalation paths. Environment Assessment Using the provided information, IBM will work with the Customer to understand the existing Customer environment. During this assessment, IBM may make recommendations to adjust the policy of security devices or the layout of the network to enhance security. Page 2 of 13

3 2.1.4 On-site Aggregator Implementation The Customer is responsible for providing the hardware platform for the OA. The Customer must ship the hardware platform to IBM for installation of the required software. A previously owned or acquired system may require reinstallation of the applications and firmware, and overall configuration changes. IBM may require the system to be shipped to a SOC or deployment center for configuration, after which IBM will ship the configured system to the Customer for installation. In some cases, IBM may provide a system image or installation procedures, or require that other steps be taken to enable IBM to begin service. The Customer is responsible for keeping all support and maintenance contracts current for the hardware and software. In cases where a Customer already has the required hardware, IBM will begin the deployment and management takeover process with an evaluation of the current state of each part of the system. This may include a review of current hardware, software applications, and overall system configuration. Based on the results of the evaluation of each system, IBM may require reinstallation of, or updates to, the application and firmware, and/or overall configuration changes to bring each system s settings in line with the latest managed services certified release. Note: Hardware requirements for each implementation depend on the number of alerts the platform receives in a given time frame Transition to SOC Once the OA is configured, physically installed and implemented, and connected to the IBM Managed Security Services infrastructure such that the Hosts are successfully sending data to XPS, IBM will provide the Customer with the option of having a demonstration of the Virtual-SOC capabilities and performance of common tasks. The final step of services deployment occurs when the SOC takes over management and support of the OA Appliance and the relationship with the Customer. At this time, the ongoing management and support phase of the services officially begins. Typically, IBM will introduce the Customer via phone to the SOC personnel. 2.2 Ongoing Management and Support After the MSS for SELM - Standard environment has been established, and during any renewal contract period, IBM will provide MSS for SELM - Standard on a 24 hours/day by 7 days/week basis XFTAS XFTAS provides proactive security management through comprehensive evaluation of global online threat conditions and detailed analyses. The service provides threat information collected from the SOCs, trusted security intelligence from the IBM X-Force research and development team and from the IBM Global Threat Operations Center, and secondary research from other public and private resources. This combination helps to identify the nature and severity of external Internet threats. In addition to alerts and X-Force intelligence, each registered security contact will receive detailed information regarding real-time Internet port metrics, Web defacements, worms and virus activity, as well as daily analysis of Internet threat conditions. For each Agent purchased, the Customer will receive the XFTAS service for the duration of the contract Event Collection and Transmission Security event and log data travels between the SOC and the OA via the Internet, using industry-standard strong encryption algorithms whenever possible. Requests for connectivity through alternate means (e.g., private data circuit or VPN) will be addressed on a case-by-case basis. Additional monthly fees may apply to accommodate connection requirements outside of the standard in-band connectivity. To confirm that valid security event and log data is being received from devices and security platforms on a daily basis, the XPS is designed to evaluate security event and log data upon receipt. A device that is not delivering data over the course of a single calendar day is designed to generate an automated problem alert. Agent-Based Collection When the log source is not capable of streaming log data to a collection point in a supported format, a ULA is required to transmit security event and log data. The ULA may require installation directly on Page 3 of 13

4 certain devices or management consoles. This installation will allow the ULA to collect, encrypt, and transmit security event data back to IBM through an OA Appliance. The ULA is lightweight and, in most typical implementations, carries a negligible performance overhead. SNMP agents can also be used to send data to an OA Appliance. Agentless Collection Security event and log data from contracted devices can be sent directly to the SOC via syslog or SNMP events. Data transmitted across the Internet is encrypted using industry standard strong encryption algorithms whenever feasible. Such practices help to transfer data securely and cost-effectively. Transmission through an On-site Aggregator When transmitting security event and log data to the SOC, security events and logs will be aggregated through an OA located within the Customer environment. The OA is a required Appliance-based solution that will be installed on the Customer premise to collect data, via syslog or a ULA on the Hosts. Once the data is collected at the OA, it will be compressed and sent to the XPS system located at IBM SELM Connectivity and OA Device Management Platform and Agent Troubleshooting If problems develop with the OA receiving data, an IBM security analyst will assist the Customer in troubleshooting those issues that relate to IBM s successful receipt of security event and log data from the contracted Hosts. As long as security event and log data is being successfully received, IBM will not provide further troubleshooting assistance on the Customer premise platforms. Should problems arise on the ULA, IBM will work directly with authorized Customer security contacts to diagnose whether the ULA is the cause of the underlying problem. If it is determined that the ULA is not the cause of the problem, no further support will be provided by the IBM SOC for the platform or its management infrastructure. OA Device Management The OA is required for all MSS for SELM - Standard deployments. The OA captures security event and log data from supported devices in a syslog / World Wide Web Consortium (called W3C ) format or any generic text based format. Once the OA receives the data from all of the Hosts, the OA will aggregate, compress, encrypt, and transmit the data to the SOC via the Internet. This is performed in real time with configurable flow control to manage bandwidth consumption. The health and performance of the OA is monitored by IBM using a Host based monitoring Agent (when possible) or via SNMP. The device is regularly polled by the SOC, keeping IBM security analysts informed of potential problems as they develop. Key metrics analyzed by IBM monitoring systems include: hard disk capacity (if applicable); CPU utilization; memory utilization; and process availability. In addition to system health metrics, IBM will monitor for device availability. If contact with an OA is lost, additional time-based checks will be initiated to verify a valid outage has been identified. In the event system health problems or an outage has been confirmed, a trouble ticket will be created and an IBM security analyst will be notified to begin research and investigation. The status of all system health tickets is available through the Virtual-SOC. Outage Notification If the OA is not reachable through standard in-band means, the Customer will be notified via telephone using a predetermined escalation procedure. Following telephone escalation, IBM will begin investigating problems related to the configuration or functionality of the managed platform. Patch and Firmware Updates Periodically, it will be necessary for IBM to install patches and firmware updates to improve OA performance, enable additional functionality, and resolve potential application problems. The application of such patches and updates may require platform downtime or Customer assistance to complete. If Page 4 of 13

5 required, IBM will declare a maintenance window in advance of any such updates, and the notification will clearly state the impacts of the scheduled maintenance and any Customer-specific requirements. OA Device Troubleshooting If the OA does not perform as expected, or is identified as the potential source of a network-related problem, IBM will examine the device configuration and functionality for potential issues. Troubleshooting may consist of an offline analysis by IBM, or an active troubleshooting session between IBM and the Customer. IBM will attempt to resolve any technical issues as expediently as feasible. If the platform is eliminated as the source of a given problem, no further troubleshooting will be performed by IBM. Out-of-Band Access (Optional) Out-of-band ( OOB ) access is an optional feature that assists the SOC in the diagnosis of potential device issues. Implementing OOB requires the Customer to purchase an IBM-supported OOB device and provide a dedicated analog phone line for connectivity. If the Customer has an existing OOB solution, IBM will use this solution for OOB access to managed devices, provided: the solution does not allow IBM access to any non-managed devices; using the solution does not require installation of any specialized software; the Customer provides detailed instructions for accessing IBM-managed devices; and the Customer is responsible for all aspects of managing the OOB solution. Data Transmission There are two methods of sending security event and log data to the OA: ULA - a small Java-based application that can be installed directly onto log sources to securely send security event and log information to the OA; and Syslog stream - data can be sent using syslog, the defacto standard for forwarding log messages to a syslog daemon running on the OA Appliance. The Customer will be responsible for installing all required Agent software and configuring all log sources to properly send data, as instructed by IBM. At the Customer s request, physical installation may be provided by IBM Professional Security Services ( PSS ) for an additional fee Virtual-SOC The Virtual-SOC is a Web-based interface designed to enable delivery of key service details and ondemand protection solutions. The Virtual-SOC is structured to deliver a consolidated view of the Customer s overall security posture. The portal is capable of merging data from multiple geographies or technologies into a common interface, allowing for comprehensive analysis, alerting, remediation, and reporting. The Virtual-SOC provides real-time access for communications including ticket creation, security event handling, incident response, data presentation, report generation, and trend analysis. Reporting The reporting feature of MSS for SELM Standard allows the Customer to view their security event and log data in a single dataset, and generate reports, based on that data, that span the entire enterprise. Reports can be generated across multiple data types and time intervals, including daily, weekly, monthly, custom, and real-time. Reports will vary based on service level and device platform. The Customer will have access to comprehensive service information, via the Virtual-SOC, to review service tickets and Security Incidents, and generate activity reports at any time. One time per month, IBM will produce a summary report that includes: a. number of SLAs invoked and met; b. number and type of service requests; c. list and summary of service tickets; d. number of Security Incidents detected, priority and status; and e. list and summary of Security Incidents. Querying Capabilities Page 5 of 13

6 MSS for SELM - Standard provides user-friendly querying capabilities that allow security event and log data to be queried in near real-time, including similar data from disparate, multivendor technologies. Customers can query security events and logs along with data received from other IBM fully-managed solutions. Users of the System MSS for SELM - Standard is designed to help Customers manage security event and log data across the enterprise. Multiple individuals, holding varying roles within an organization, may require different levels of access to the system. Three levels of system access are available to designated Customer contacts. All designated Customer contacts will be authenticated via static password or Customer-provided publickey encryption technology (e.g., RSA SecureID token). a. Authorized Security Contacts Users classified as Customer security contacts will be the primary users of MSS for SELM - Standard and will have full access to the system including the ability to generate tickets, evaluate all data, and export security events and logs for offline processing. IBM SOC analysts will only accept phone calls from authorized Customer security contacts. Customers may identify up to three authorized security contacts for MSS for SELM - Standard. b. Subordinates/System Administrators Users classified at this level will receive limited access to the MSS for SELM - Standard system. Subordinates/system administrators are identified by authorized Customer security contacts, and are then assigned specific devices for which they may have access. Subsequently, subordinates/system administrators may login to the system, review and research security event and log data, as well as generate tickets for anomalous or suspicious activity. Users at this level do not have the authority to review data or make changes outside of devices assigned directly to them. Customers may identify an unlimited number of subordinates/system administrators for the MSS for SELM - Standard service. c. Custom Access Custom access allows for granular assignment of access permissions to individual contacts. Such a capability allows for specific contacts to be granted access to individual features on a per device basis (e.g., security event query, export, and reporting). There is no limit to the number of custom access users within the MSS for SELM - Standard implementation. SELM Dashboard In addition to security event and log access and archival, MSS for SELM - Standard provides an overview at a glance (called Dashboard ) to deliver a snapshot of the Customer s security event and log management status. The Dashboard provides administrators with a comprehensive overview of security event and log sources, total volumes of data, dates and times of last security event and log receipt, and other information relevant to the organization s implementation. Authorized Customer security contacts will have access to the entire Dashboard and all service features and functionality. Other Customer users (e.g., system administrators) will receive a more focused view that outlines security event and log sources to which they have been assigned. Functionality of MSS for SELM - Standard begins with the collection of security event and log data from a selection of security products, network infrastructure devices, and applications. Security event and log data can be collected with a software agent (depending on the security event and log type), and the data is transmitted with assistance of an OA device. Security Event and Log Querying The Virtual-SOC allows online data to be queried directly through the portal for up to one year. Queries for security event and log data can be issued on a per device basis or across user-defined groups. Devices sharing the same log format can all be queried simultaneously through a common interface for rapid analysis of potential security impacts. Retrieved security events and logs can be sorted or filtered further by using a contextual interface to select specific IP addresses, security event types, ports, and dates. Once data has been filtered to the desired level of detail, security events and logs may be exported for offline analysis. Customers who use MSS for SELM Standard in conjunction with other IBM fully-managed services, will have access to most of their security event and log data from both managed and unmanaged security devices through a common interface. An appropriate combination of services may allow for simultaneous Page 6 of 13

7 querying of all security devices across the enterprise, whether managed by IBM or the Customer. In most circumstances, normalized log data and raw log data will need to be queried separately. The log querying function provided by MSS for SELM Standard provides the capability of granular reporting, by device type. Security Event and Log Archival IBM will retain security event and log data for up to seven years from the date of creation. Customers must specify exact retention periods on a per device basis in one year increments. Devices for which retention times have not been specified will automatically default to one year of retention. Archived security events and logs are stored natively in a compressed format, preserving the original raw data. As each security event and log (or group of data) is written to disk, a unique hash is automatically generated to ensure the integrity of the unaltered data can be maintained. At the close of each 24 hour period, a checksum of all hashes generated over the course of the day is created, serving as a snapshot of the previous day s activity. Long term storage is provided by XPS. XPS provides a highly scalable architecture for the organization and retrieval of security event and log data, while maintaining applicable safeguards required for the proper logical separation of data by device and by Customer. MSS for SELM Standard delivers improved redundancy by duplicating all received security event and log data automatically, in real-time, between geographically diverse SOCs. This helps to provide assurance that sensitive data will always be attainable, even if an emergency or natural disaster should occur. Note: While the above reasonable efforts have been implemented to ensure MSS for SELM - Standard data storage will be considered forensically sound, no guarantees can be made that any domestic or international system will admit security event and log data from a given archival solution. Admissibility is based on the technologies involved and a Customer s ability to prove proper data handling and chain of custody for each set of data presented Incident Ticketing MSS for SELM - Standard provides Customers with the capability to document and record incidents of varying types. This capability can help Customers notify security teams of pending work, or track the progress of an incident remediation process. Generating Incident Tickets Incident tickets may be generated, based on manual research conducted by the Customer (while querying security event and log data) or while evaluating XPS alerts. Once the incident ticket has been created, it can be viewed and updated by specific contacts (as defined by their roles and permissions) within the Customer security team. Each incident ticket includes, but is not limited to, the following information: issue description issue type and priority relevant dates and times issue owners relevant IP addresses and ports security event names device information detailed worklog of all actions taken Security Event and Log Delivery (Optional) Customers may elect to have their security events and logs placed on an encrypted DVD and delivered to a specific location. IBM provides two options to accommodate Customer requirements for the delivery of security event and log data. The first option provides for delivery of data on a recurring basis (i.e., monthly, quarterly, or annually). The second option provides for data delivery on an ad hoc basis. Each option is available for an additional fee. Page 7 of 13

8 2.2.7 Customer Ticketing System Integration (Optional) For Customers wishing to leverage existing trouble ticketing and case management investments, IBM will provide an application program interface ( API ) which allows for customized integration with external ticketing systems. The API will be provided at the Customer s request, for an additional fee. Note: Because ticketing systems vary in design and complexity, IBM cannot provide detailed assistance or consulting for the Customer s ticket system integration. However, IBM will provide a neatly formatted ticket output that can be made available for push or pull access to import into the Customer s system Data Retention and Restoration The XPS serves as a data warehouse for event data from a variety of security devices, applications, and platforms. Following display on the Virtual-SOC, logs are migrated to a physical backup media such as tape or DVD. Backup media is archived in a secure, environmentally controlled facility. Archived data will be available for up to seven years from the date of log creation. At the Customer s request, IBM will submit a request for media location and retrieval. Hourly consulting fees will apply for all time spent restoring and preparing data in the Customer s requested format. All specified retention times assume an active SELM contract has been maintained for each unique event / log source. Cancellation of the service for a given event/log source, or cancellation of MSS for SELM Standard will require IBM to delete all collected data from the affected event/log sources Service Decommission or Turn-Down If MSS for SELM - Standard is cancelled or the contract is not renewed, the Customer will have 90 days from the time a cancellation request is initiated or the contract has expired (whichever comes first) to request the receipt of archived data on removable media (i.e., CD/DVD). Such request may be submitted through the Virtual-SOC or via telephone if access to the portal is no longer available. At the Customer s request, IBM will submit a request for media location and retrieval. Hourly consulting fees will apply for all time spent restoring and preparing data in the Customer s requested format. If a request is not received within the 90 day period, as stated above, IBM will permanently destroy all archived data pertaining to security devices no longer under a valid MSS for SELM - Standard contract. 3. Customer Responsibilities While IBM will work with the Customer to deploy and implement the Agent, and IBM will manage the Agent, the Customer will be required to work with IBM in good faith and assist IBM in certain situations as requested by IBM. 3.1 Deployment and Initiation During deployment, the Customer will work with IBM to deploy an OA. The Customer will participate in a scheduled kickoff call to introduce team members, set expectations and begin the assessment process. The Customer will be required to complete a form to provide detailed information about the network configuration (including applications and services for the Hosts on the protected network) and must work with IBM in good faith to accurately assess the Customer s network and environment. The Customer must provide contacts within the organization, and specify an escalation path through the organization in the event that IBM must contact the Customer. The Customer is responsible for providing IBM with a list of specific devices for which security events and logs will be collected. This includes platform, software revision/version, IP addresses, log retention times per device, etc.). The Customer must ensure that the OA Appliance meets IBM specifications, and must work to meet recommendations concerning the Customer s network and network access requirements, if changes are required to ensure workable protection strategies. The Customer is responsible for maintaining the most current OS version of the OA Appliance. Other required criteria may include the addition or removal of applications and user accounts. Such upgrades, additions, or removals will be the sole responsibility of the Customer. The Customer is responsible for updating any access control lists ( ACLs ) and firewall rules required to allow contracted devices to communicate with XPS. Page 8 of 13

9 The Customer is responsible for the installation of the ULA onto any log source (if technically applicable), and for configuring log sources (as outlined by IBM) such that they will deliver security events and logs to the OA and XPS. Customer is responsible for procurement and shipping of the OA hardware, and racking and cabling for all OA installations. 3.2 Ongoing Management and Support The Customer is responsible for maintaining current hardware and software maintenance contracts. The Customer is responsible for making agreed-to changes to the network environment based upon IBM recommendations. The Customer is required to maintain an active and fully functional Internet connection at all times. On an annual basis, the Customer agrees to work with IBM to review the current hardware configuration of the managed devices and identify required updates. These updates will be based on identified changes to the operating system and Customer application requirements Configuration / Change Management The Customer acknowledges that IBM retains sole administrative access to the OA device and is responsible for all management and maintenance functions. The Customer must work in good faith to allow IBM to upgrade its back-end infrastructure so as to improve service features, functionality, and reliability. The Customer is required to provide advance notice of any scheduled system reboots, maintenance, or power tests that may result in temporary cessation of receipt of security event and log data. Should a Customer premise device fail, the Customer is responsible for all activities associated with break-fix when the device is not managed by IBM. Server Environment Requirements Network infrastructure devices and applications sending security events and/ logs to IBM must meet the most current application minimum system requirements as outlined in the vendor s product documentation. The Customer is responsible for taking the appropriate measures to ensure the network in which the platforms are installed is properly firewalled and configured, using appropriate security practices. The Customer must provide a secure, physically controlled environment for servers on which the MSS ULA resides. MSS for SELM - Select MSS for SELM - Select provides additional value by providing an automated mechanism for analyzing security data anomalies using XPS. In connection with the above, IBM will perform the responsibilities as set forth in the section entitled MSS for SELM Standard, subsection IBM Responsibilities above. In addition, IBM will perform the responsibilities set forth in the section entitled MSS for SELM Select, subsection IBM Responsibilities below. You agree to perform all of the tasks set forth in the section entitled MSS for SELM Standard, subsection Customer Responsibilities above. In addition, you agree to perform the responsibilities set forth in the section entitled MSS for SELM Select, subsection Customer Responsibilities below. 4. IBM Responsibilities 4.1 Ongoing Management and Support Automated Analysis The automated analysis capability provided by XPS analyzes security events from supported IDS/IPS devices and responds directly to the Customer security operations team through the creation of alerts within the Virtual-SOC. Security events from supported IDS/IPS devices can be simultaneously compared and correlated to identify relationships between multivendor products and solutions. Research and Investigation Page 9 of 13

10 User-friendly query tools allow for real-time research and analysis to quickly conduct investigations of suspicious IP addresses and suspected misuse. Such tools augment the automated real-time analysis of Intrusion Detection and Intrusion Prevention devices performed by XPS. XPS Alert Review IBM security analysts are available to assist MSS for SELM - Select Customers by answering general questions regarding an XPS alert or service capability. However, IBM does not provide a personalized review of XPS alerts or a walk-through of potential incidents as a standard feature of the MSS for SELM Select service. At the Customer s request, such support may be provided by the IBM SOCs for an additional fee. Security Event Summary As part of MSS for SELM - Select, security events received from supported Intrusion Detection and Intrusion Prevention devices are summarized by XPS. This process allows for statistical reporting and analysis to be performed at a later time. Summarized data is stored in a secure database within an IBM data center, and is physically separate from the storage mechanism for unaltered raw security event data. Maintaining both sets of data provides the ability to perform analysis while maintaining the integrity of the original data stream. Automated Analysis Following data collection, security events from supported Intrusion Detection and Intrusion Prevention devices are forwarded to IBM for automated analysis. This analysis process evaluates security events for statistical deviations, anomalies, and suspicious activity through the application of sophisticated algorithmic analysis. If the system identifies activity worth investigating further, an XPS alert will be generated and stored within the Virtual-SOC for further evaluation by the Customer. communications may also be configured to ensure that users of the system are notified when XPS alerts are generated for specific security devices. Such alerts are subject to the XPS alert notification guarantee as outlined in the section of this Service Description entitled Service Level Agreements. Examples of XPS-based alert types include, but are not limited to: hot decodes alert notification of specific signatures or attacks in the security event stream; malicious code alert notification of worm-like activity propagating in the environment; and probes and scans alert notification of a substantial increase in reconnaissance activity. Automated analysis of security event data applies only to IBM-supported Intrusion Detection and Intrusion Prevention devices and technologies. Automated analysis support for additional device types will be added periodically. XPS alerts should be evaluated by a member of the Customer security team as quickly as possible. Certain XPS alerts may indicate network attacks or system compromise. Evaluating an XPS alert will typically involve examining the alert type and any snapshots of security event data (either raw or summarized) that may be included with the notification. If an XPS alert is determined to require further action or investigation, a Security Incident ticket may be created from within the XPS alert for further tracking by the Customer security team. XPS Notification Upon generation of an XPS-based problem alert, the designated Customer contacts will receive an notification that outlines the nature of the problem and suggested corrective actions. 4.2 Customer Responsibilities Customer is responsible for remediation of any XPS alerts they receive. 5. Service Level Agreements for MSS for SELM - Standard and Select Service Levels IBM SLAs establish response time objectives and countermeasures for Security Incidents resulting from MSS for SELM. The SLAs become effective when the deployment process has been completed, the device has been set to live, and support and management of the device have been successfully transitioned to the SOC. The SLA remedies are available provided the Customer meets its obligations as defined in this Service Description. The following definition is provided for purpose of clarity. Page 10 of 13

11 Failed event - a device is considered to have failed reporting event data when no data of any kind has been received during a full calendar day. The absence of security focused data within a verifiable data stream does not constitute a failure condition. 5.1 SLA Guarantees The SLA guarantees described below comprise the measured metrics for delivery of MSS for SELM - Standard and Select service levels. Unless explicitly stated below, no additional guarantees or warranties of any kind shall apply to services delivered under MSS for SELM. The remedies for failure to meet the SLA guarantees are specified in the section entitled SLA Remedies, below. a. XPS alert notification guarantee - upon generation of an XPS alert, the designated Customer contact(s) for the affected security device, identified as security event management alert recipients, will be sent an notification within 15 minutes. IBM only guarantees the initial sending of the XPS alert notification; not the confirmed delivery to the end recipient(s). b. Failed security event receipt notification guarantee if a failed security event occurs, the designated Customer contact(s) for the affected security device, identified as security event management alert recipients, will be sent an notification within 15 minutes. IBM only guarantees the initial sending of the failed security event notification; not the confirmed delivery to the end recipient(s). c. Security event restoration guarantee IBM will restore offline security event data to removable media within the timeframes specified below: (1) up to 30 days of consecutive security event data will be restored within two full business days; (2) up to six months of consecutive security event data will be restored within five full business days; and (3) more than six months of security event data each request will be individually evaluated by IBM and an estimated time to restore will be provided. The security event restoration guarantee applies only to the restoration of offline security event data to removable media. It does not reflect required shipping time or shipping dates. Such dates will be mutually agreed upon at the time of the occurrence. Table 3 SLA Summary Service Level Agreement Standard Select XPS alert notification guarantee Not Available notification within 15 minutes Failed security event receipt notification guarantee notification within 15 minutes notification within 15 minutes Security event restoration guarantee As specified in Item c, above As specified in Item c, above 5.2 SLA Remedies As the sole remedy for failure to meet any of the guarantees described in the section entitled SLA Guarantees, IBM will credit the Customer s account if IBM fails to meet the SLA guarantees described in the section entitled SLA Guarantees during a given calendar month. For all SLAs, the Customer may obtain no more than one credit for each SLA per day, not to exceed a total for all SLAs of $25,000 (U.S.) in a given calendar month, as stated in the section entitled SLA Exclusions and Stipulations below. Specific SLA remedies are listed below: a. XPS alert notification and security event receipt notification remedies if IBM fails to meet these guarantees for any given calendar month, the Customer account will be credited the applicable charges for one day of the total invoiced security event management fee for the device at the time of failure. b. Security event restoration remedy if IBM fails to meet this guarantee for any given calendar month, the Customer account will be credited for one full week (7/30ths) of the total invoiced security event management fee for the device at the time of failure. Page 11 of 13

12 Table 4 - SLAs and Remedies Summary Service Level Agreements XPS alert notification guarantee Failed security event receipt notification guarantee Security event restoration guarantee Remedies for MSS for SELM Credit of 1 month of the security event management fee for the affected device Credit of 1 week of the security event management fee for the affected device 5.3 SLA Exclusions and Stipulations Customer Contact Information Multiple SLAs require IBM to provide notification to the designated Customer contact after certain security events occur. In the case of such a security event, the Customer is solely responsible for providing IBM with accurate and current contact information for the designated contact(s). The current contact information on record is available to authorized contacts through the Virtual-SOC. IBM will be relieved of its obligations under these SLAs if the Customer contact information provided to IBM is out of date or inaccurate due to Customer action or omission Customer Network/Server Change Notifications The Customer is responsible for providing IBM advance notice regarding any network or server changes to the environment for contracted Hosts. If the event advance notice cannot be provided, the Customer is required to provide IBM with notification of changes within seven calendar days of said network or server changes. Notification is completed by the submission or update of a critical server ticket through the Virtual-SOC. If the Customer fails to notify IBM as stated above, all SLA remedies are considered null and void Maximum Penalties/Remedies Payable to Customer The total SLA credits (called remedies ) provided by MSS for SELM Standard and Select service levels described in the sections entitled SLA Guarantees and SLA Remedies above, will not exceed a total of $25,000 (U.S.) (or the equivalent in local currency) in one calendar month SLA Compliance and Reporting SLA compliance and the associated remedies are based on fully functional network environments, Internet and circuit connectivity, and properly configured servers. If SLA compliance failure is caused by CPE hardware or software, all SLA remedies are considered null and void. IBM will provide SLA compliance reporting through the Virtual-SOC Event Restoration Each request for the restoration of security event and log data to removable media for data volumes in excess of six months in duration or size will be evaluated by IBM and an estimated time to restore will be provided. Due to a variety of technical variables involved in restoring data volumes of this size, IBM is unable to provide an SLA at this time. 6. Service Level Objectives IBM service level objectives (called SLOs ) establish nonbinding objectives for the provision of certain features of MSS for SELM Standard and Select service levels. The SLOs become effective when the deployment process has been completed, the device has been set to live, and support and management of the device have been successfully transitioned to the SOC. IBM reserves the right to modify these SLOs with 30 days prior written notice. a. Virtual-SOC - IBM will provide a 99.9% accessibility objective for the Virtual-SOC outside of the times detailed in the section entitled Scheduled and Emergency Portal Maintenance. b. Internet Emergency - In the event IBM declares an Internet emergency, it is IBM s objective to notify the Customer s specified points of contact via within 15 minutes of emergency declaration. This notification will include an incident tracking number, telephone bridge number, and the time that IBM will conduct a situation briefing. During declared Internet emergencies, IBM will provide a live telephone-conference situation briefing and summarized designed to provide information that the Customer can use to Page 12 of 13

13 protect their organization. Situation briefings following the onset of an Internet emergency will supersede any requirement for IBM to provide Customer-specific escalations for security events directly related to the declared Internet emergency. IBM will communicate all other priority level incidents, during an Internet emergency, via automated systems such as , pager and voice mail. Standard escalation practices will resume upon conclusion of the stated Internet emergency. Termination of an emergency state is marked by a decrease in the AlertCon level to AlertCon 2, or an notification delivered to an authorized Customer security contact. 7. Other Terms and Conditions IBM reserves the right to modify the terms of this Service Description, including the SLAs, with 30 days prior written notice. Page 13 of 13