IBM Managed Security Services for Security Event and Log Management

Transcription

1 Service Description IBM Managed Security Services for Security Event and Log Management 1. Scope of Services IBM Managed Security Services for Security Event and Log Management (called MSS for Security Event and Log Management ) is designed to provide a security-enhanced Web-based solution for the consolidation, analysis and archiving of security event and log data. Security event and log data is initially consolidated into the Virtual-SOC, but can be archived to a security-enhanced, off-site facility (designed to be scalable and fault tolerant) for up to seven years. The Virtual-SOC is designed to provide a functionally rich, easy-to-use interface to facilitate access to, and searching of, security event and log data. MSS for Security Event and Log Management may also help Customers reduce data storage infrastructure costs. IBM offers MSS for Security Event and Log Management at two service levels. MSS for Security Event and Log Management Standard MSS for Security Event and Log Management Select Both service levels are described in further detail below. The details of your order (e.g., the services, service level, contract period, and fees) will be specified in an Order form. Definitions of service-specific terminology can be found at The following table provides a feature and services comparison overview for MSS for Security Event and Log Management Standard and Select service levels. Table 1 Features and Services Feature and Services Standard Level Select Level Project kickoff, assessment, and implementation Supported product categories Automated analysis of event data SOC event monitoring X-Force Protection System alerts Any device or application that creates log data in a textbased format (supported IDS/IPS devices, most routers, network infrastructure devices, operating systems, and applications). Generic text logs, syslog, and World Wide Web Consortium ( W3C ). Not available Not available Not available Included Supported network Intrusion Detection and Intrusion Prevention device that creates security event data Provided for network Intrusion Detection and Intrusion Prevention events Available as an option for network Intrusion Detection and Intrusion Prevention events Provided for selected network Intrusion Detection and Intrusion Prevention security events via and the Web Detailed reporting Included templates provided for Intrusion Detection and Intrusion Prevention devices as well as firewall devices INTC /2007 Page 1 of 13

2 Events per second Out of band ( OOB ) access Security event and log delivery on encrypted DVD to specified location Duration security event and log data is available online Duration security event and log data is archived offline Incident ticketing Integration with Customer ticketing system Simple and advanced querying Integrated security intelligence Multiple audience reports Determined by the platform creating the log data Available as an option for the On-site Aggregator ( OA ) only Available as an option Up to 1 year Up to 7 years Included Available as an option Included Included Included MSS for Security Event and Log Management - Standard MSS for Security Event and Log Management Standard provides a central source for security event and log data from a variety of devices. The service enables organizations to collect security events and logs from various technologies and consolidate this voluminous data into the Virtual-SOC for archival, analysis, correlation, trending, and reporting. 2. IBM Responsibilities 2.1 Deployment and Initiation Project Kickoff IBM will send the Customer a welcome and conduct a kickoff call to: introduce the Customer contacts to the assigned IBM deployment specialist; set expectations; and begin to assess the Customer requirements and environment. IBM will provide a document called Network Access Requirements, detailing how IBM will connect remotely to the Customer s network, and any specific technical requirements to enable such access Assessment Data Gathering IBM will provide a form for the Customer to document detailed information for the initial setup of the Agent and associated service features. Most of the questions will be technical in nature to help determine the layout of the Customer network, Hosts on the network, and desired security policies. A portion of the requested data will reflect the Customer organization, and will include security contacts and escalation paths. Environment Assessment Using the provided information, IBM will work with the Customer to understand the existing Customer environment. During this assessment, IBM may make recommendations to adjust policies on devices or modify the network architecture to enhance security On-site Aggregator Implementation IBM will assist in the installation of the Customer- provided hardware platform for the OA Appliance. INTC /2007 Page 2 of 13

3 A previously owned or acquired system may require reinstallation of applications and firmware and possibly, overall configuration changes. IBM may require the system to be shipped at the customer s expense to a deployment center for configuration, after which IBM will ship the configured system to the Customer for installation. In some cases, IBM may provide a system image or installation procedures, or require that other steps be taken to enable IBM to begin service. In cases where a Customer already has the required hardware, IBM will begin the deployment and management takeover process with an evaluation of the current state of each part of the system. This may include a review of current hardware, software applications, and overall system configuration. Based on the results of the evaluation of each system, IBM may require reinstallation of, or updates to, the application and firmware, and/or overall configuration changes to bring each system s settings in line with the latest managed services certified release. Note: Hardware requirements for each implementation depend on the number of alerts the platform receives in a given time frame Transition to SOC Once the OA Appliance is configured, physically installed, connected to the IBM Managed Security Services infrastructure and Hosts are successfully sending data to the X-Force Protection System, IBM will provide the Customer with an optional demonstration of the Virtual-SOC capabilities and performance of common tasks. The final step of services deployment occurs when the SOC takes over management and support of the OA Appliance and the relationship with the Customer. At this time, the ongoing management and support phase of the services officially begins and all applicable Service Level Agreements and Service Level Objectives will go into affect. 2.2 Ongoing Management and Support After the environment for the service has been established, and during any renewal contract period, IBM will provide MSS for Security Event and Log Management - Standard on a 24 hours/day by 7 days/week basis X-Force Threat Analysis Service X-Force Threat Analysis Service provides proactive security management through evaluation of global online threat conditions and detailed analyses. The service provides threat information collected from the SOCs, trusted security intelligence from the IBM X-Force research and development team and from the IBM Global Threat Operations Center, and secondary research from other public and private resources. This combination helps to identify the nature and severity of numerous external Internet threats. In addition to alerts and X-Force intelligence, each registered security contact will receive detailed information regarding real-time Internet port metrics, Web defacements, worms and virus activity, as well as daily analysis of Internet threat conditions Event Collection and Transmission Security events and logs will be aggregated by an OA located within the Customer environment. The OA is a required Appliance-based solution that will be installed on the Customer premise to collect data, via syslog, or the use of an ULA on a Host. Once the data is collected at the OA, it will be compressed, encrypted and sent via the Internet to the X-Force Protection System located at IBM. This is performed in real time with configurable flow control to manage bandwidth consumption. Requests for connectivity through alternate means (e.g., private data circuit or VPN) will be addressed on a case-by-case basis. Additional monthly fees may apply to accommodate connection requirements outside of the standard in-band connectivity. To confirm that valid security event and log data is being received from devices and security platforms on a daily basis, the X-Force Protection System is designed to evaluate security event and log data upon receipt. When a device does not deliver such data over the course of a single calendar day, an automated problem alert will be sent to the Customer. Agent-Based Collection If syslog cannot be supported, a ULA is required to transmit security event and log data to the OA Appliance. The ULA may require installation directly on certain devices or management consoles. This installation will allow the ULA to collect, encrypt, and transmit security event data back to IBM through an INTC /2007 Page 3 of 13

4 OA Appliance. The ULA is lightweight and, in most typical implementations, carries a negligible performance overhead Security Event and Log Management Connectivity and OA Device Management Platform and Agent Troubleshooting If problems develop with the OA receiving data, an IBM security analyst will assist the Customer in troubleshooting those issues that relate to IBM s successful receipt of security event and log data from the contracted Hosts. As long as security event and log data is being successfully received to the OA Appliance, IBM will not provide further troubleshooting assistance on the Customer premise platforms. Should problems arise on the ULA, IBM will work directly with authorized Customer security contacts to diagnose the underlying problem. If it is determined that the ULA is not the cause of the problem, no further support will be provided by the IBM SOC for the platform or its management infrastructure. OA Device Management The OA is required for all MSS for Security Event and Log Management - Standard deployments. IBM will maintain sole administration of the OA Appliance and as such reserves the right to restrict use of other Customers applications and user accounts on the OA Appliance The health and performance of the OA is monitored by IBM using a Host-based monitoring Agent. The device is regularly polled by the SOC, keeping IBM security analysts informed of potential problems as they develop. Key metrics analyzed by IBM monitoring systems include: hard disk capacity; CPU utilization; memory utilization; and process availability. In addition to system health metrics, IBM will monitor for device availability. If contact with an OA is lost, additional time-based checks will be initiated to verify a valid outage has been identified. OA Device Troubleshooting In the event system health problems or an outage has been confirmed, a trouble ticket will be created and an IBM security analyst will be notified to begin research and investigation. The status of system health tickets is available through the Virtual-SOC. IBM will examine the device configuration and functionality for potential issues. Troubleshooting may consist of an offline analysis by IBM, or an active troubleshooting session between IBM and the Customer. IBM will attempt to resolve any technical issues as expediently as feasible. If the platform is eliminated as the source of a given problem, no further troubleshooting will be performed by IBM. Outage Notification If the OA is not reachable through standard in-band means, the Customer will be notified via telephone using a predetermined escalation procedure. Following telephone escalation, IBM will begin investigating problems related to the configuration or functionality of the managed platform. Patch and Firmware Updates Periodically, it will be necessary for IBM to install patches and firmware updates to improve OA performance, enable additional functionality, and resolve potential application problems. The application of such patches and updates may require platform downtime or Customer assistance to complete. If required, IBM will declare a maintenance window in advance of any such updates, and the notification will clearly state the impacts of the scheduled maintenance and any Customer-specific requirements. Out-of-Band Access (Optional) Out-of-band ( OOB ) access is an optional feature that assists the SOC in the diagnosis of OA device issues. Implementing OOB for the OA requires the Customer to purchase an IBM-supported OOB device and provide a dedicated analog phone line for connectivity. If the Customer has an existing OOB solution, IBM will use this solution for OOB access to managed devices, provided: the solution does not allow IBM access to any non-managed devices; using the solution does not require installation of any specialized software; the Customer provides detailed instructions for accessing IBM-managed devices; and INTC /2007 Page 4 of 13

5 the Customer is responsible for all aspects of managing the OOB solution. Data Transmission There are two methods of sending security event and log data to the OA: ULA - a lightweight application that can be installed directly onto log sources to securely send security event and log information to the OA; and Syslog stream - data can be sent using syslog, the de facto standard for forwarding log messages to a syslog daemon running on the OA Appliance Virtual-SOC The Virtual-SOC is a Web-based interface designed to enable delivery of key service details and ondemand protection solutions. The Virtual-SOC is structured to deliver a consolidated view of the Customer s overall security posture. The interface is capable of merging data from multiple geographies or technologies into a common interface, allowing for comprehensive analysis, alerting, remediation, and reporting. The Virtual-SOC provides real-time access for communications including ticket creation, security event handling, incident response, data presentation, report generation, and trend analysis. Reporting The reporting feature of MSS for Security Event and Log Management Standard enables the Customer to view their security event and log data in a single dataset, and generate reports spanning the entire enterprise. Reports can be generated across multiple data types and time intervals, including daily, weekly, monthly, custom, and real-time. Reports will vary based on service level and device platform. The Customer will have access to comprehensive service information, via the Virtual-SOC, to review service tickets and Security Incidents, and generate activity reports at any time. Once per month, IBM will produce a summary report that includes: a. number of SLAs invoked and met; b. number and type of service requests; c. list and summary of service tickets; d. number of Security Incidents detected, priority and status; and e. list and summary of Security Incidents. Querying Capabilities MSS for Security Event and Log Management - Standard provides capabilities for near real-time querying of security event and log data, including similar data from disparate, multi-vendor technologies. Customers can query security events and logs along with data received from other IBM fully-managed solutions. Users of the System MSS for Security Event and Log Management - Standard is designed to help Customers manage security event and log data across the enterprise. Multiple individuals, holding varying roles within an organization, may require different levels of access to the system. Therefore, IBM provides three levels of Virtual-SOC system access for designated Customer contacts. All designated Customer contacts will be authenticated via static password or Customer-provided public-key encryption technology (e.g., RSA SecureID token). a. Authorized Security Contacts Users classified as Customer security contacts will be the primary users of MSS for Security Event and Log Management - Standard and will have full access to the system including the ability to generate tickets, evaluate all data, and export security events and logs for offline processing. IBM SOC analysts will only accept phone calls from authorized Customer security contacts. Customers may identify up to three authorized security contacts for MSS for Security Event and Log Management - Standard. b. Subordinates/System Administrators Users classified at this level will receive limited access to the MSS for Security Event and Log Management - Standard system. Subordinates/system administrators are identified by authorized Customer security contacts, and are then assigned specific devices for which they may have INTC /2007 Page 5 of 13

6 access. Subsequently, subordinates/system administrators may login to the system, review and research security event and log data, as well as generate tickets for anomalous or suspicious activity. Users at this level do not have the authority to review data or make changes outside of devices assigned directly to them or to interact with the SOC. Customers may identify an unlimited number of subordinates/system administrators for the MSS for Security Event and Log Management - Standard service. c. Custom Access Custom access allows for granular assignment of access permissions to individual contacts. Such a capability allows for specific contacts to be granted access to individual features on a per device basis (e.g., security event query, export, and reporting). There is no limit to the number of custom access users within the MSS for Security Event and Log Management - Standard implementation. Security Event and Log Management Dashboard MSS for Security Event and Log Management - Standard provides an overview at a glance (called Dashboard ) to deliver a snapshot of the Customer s security event and log management status. The Dashboard provides administrators with a comprehensive overview of security event and log sources, total volumes of data, dates and times of last security event and log receipt, and other information relevant to the organization s implementation. Authorized Customer security contacts will have access to the entire Dashboard and all service features and functionality. Other Customer users (e.g., system administrators) will receive a more focused view that outlines security event and log sources to which they have been assigned. Security Event and Log Querying The Virtual-SOC allows online data to be queried directly through the Virtual-SOC for up to one year. Reports and queries for security event and log data can be issued on a per device basis or across userdefined groups. Devices sharing the same log format can all be queried simultaneously through a common interface for rapid analysis of potential security impacts. Retrieved security events and logs can be further sorted or filtered by using the robust, easy-to-use interface to select specific IP addresses, security event types, ports, and dates. Once data has been filtered to the desired level of detail, security events and logs may be exported for offline analysis. Customers who use MSS for Security Event and Log Management Standard in conjunction with other IBM fully-managed services, will have access to their security event and log data from both managed and unmanaged security devices through a common interface. An appropriate combination of services may allow for simultaneous querying of all devices across the enterprise, whether managed by IBM or the Customer. In most circumstances, normalized log data and raw log data will need to be queried separately. Data Retention and Restoration Following display on the Virtual-SOC, logs are migrated to a physical backup media such as tape or DVD. Backup media is archived in a secure, environmentally controlled facility. Archived data will be available for up to seven years from the date of log creation. At the Customer s request, IBM will submit a request for media location and retrieval. IBM will charge pre-negotiated fees for all time and materials utilized to restore and prepare data in the Customer s requested format. All specified retention times assume an active MSS for Security Event and Log Management - Standard or Select contract has been maintained for each unique event / log source. Security Event and Log Archival IBM will retain security event and log data for up to seven years from the date of creation. Customers must specify exact retention periods on a per device basis in one year increments. Devices for which retention times have not been specified will automatically default to one year of retention. Archived security events and logs are stored natively in a compressed format, preserving the original raw data. As each security event and log (or group of data) is written to disk, a unique hash is automatically generated to ensure the integrity of the unaltered data can be maintained. At the close of each 24 hour period, a checksum of all hashes generated over the course of the day is created, serving as a snapshot of the previous day s activity. INTC /2007 Page 6 of 13

7 Long term storage is provided by the X-Force Protection System. The X-Force Protection System provides a highly scalable architecture for organizing and retrieving security event and log data. It is also designed to maintain the safeguards required for the logical separation of data by device and by Customer. Reasonable business efforts will be made to implement security event and log archival and facilitate MSS for Security Event and Log Management - Standard data storage. However, IBM does not guarantee any domestic or international legal system will admit security event and log data from a given archival solution. Admissibility is based on the technologies involved and a Customer s ability to prove proper data handling and chain of custody for each set of data presented Incident Ticketing MSS for Security Event and Log Management - Standard provides Customers with the capability to document and record incidents of varying types. This capability can help Customers notify security teams of pending work, or track the progress of an incident remediation process. Generating Incident Tickets The Virtual-SOC provides capabilities to allow Incident tickets to be created by the Customer, based on manual research conducted either while querying security event and log data or while evaluating X-Force Protection System alerts. Once an incident ticket has been created, it can be viewed and updated by specific contacts (as defined by their roles and permissions) within the Customer security team. Each incident ticket includes, but is not limited to, the following information: issue description issue type and priority relevant dates and times issue owners relevant IP addresses and ports security event names device information detailed worklog of all actions taken Customer Ticketing System Integration (Optional) For Customers who wish to leverage existing trouble ticketing and case management investments, IBM will provide an application program interface ( API ) which allows for customized integration with external ticketing systems. The API will be provided by IBM to the customer, upon the Customer s request, for an additional fee. Note: Because ticketing systems vary in design and complexity, IBM cannot provide detailed assistance or consulting for the Customer s ticket system integration. However, IBM will provide a neatly formatted ticket output that can be made available for push or pull access to import into the Customer s system Security Event and Log Delivery (Optional) Customers may elect to have their security events and logs placed on an encrypted DVD and delivered to a specific location. This option is available for an additional fee Service Decommission or Turn-Down If MSS for Security Event and Log Management - Standard is cancelled or the contract is not renewed, the Customer will have either 90 days from the date of cancellation or 90 days from the date of contract expiration, whichever comes first to request the receipt of archived data on removable media (i.e., CD/DVD). IBM will charge pre-negotiated fees for all time and material utilized to restore and prepare data in the Customer s requested format. Such request may be submitted through the Virtual-SOC or via telephone if access to the portal is no longer available. If a request is not received within the 90 day period, as stated above, IBM will permanently destroy all archived data pertaining to security devices no longer under a valid MSS for Security Event and Log Management - Standard contract. INTC /2007 Page 7 of 13

8 3. Customer Responsibilities While IBM will work with the Customer to deploy and implement the Agent, and IBM will manage the Agent, the Customer will be required to work with IBM in good faith and assist IBM in certain situations as requested by IBM. 3.1 Deployment and Initiation During deployment, the Customer will work with IBM to deploy an OA. The Customer must ensure that the OA Appliance meets IBM specifications, and must work to meet recommendations concerning the Customer s network and network access requirements, if changes are required to facilitate workable protection strategies. The Customer is responsible for supplying the IBM approved OS and antivirus for use on the OA Appliance and keeping current maintenance contracts for support and updates The Customer is responsible for shipping, racking and cabling of the OA appliance for all OA installations The Customer will participate in a scheduled kickoff call to introduce team members, set expectations and begin the assessment process. The Customer will be required to complete a form with detailed information about the network configuration (including applications and services for the Hosts on the protected network) and must work with IBM in good faith to accurately assess the Customer s network and environment. The Customer must provide contacts within the organization, and specify an escalation path through the organization in the event that IBM must contact the Customer. The Customer will be responsible for installing all required Agent software and configuring all log sources to properly send data, as instructed by IBM. At the Customer s request, physical installation may be provided by IBM Professional Security Services ( PSS ) for an additional fee. The Customer is responsible for updating any access control lists ( ACLs ) and firewall rules required to allow contracted devices to communicate with X-Force Protection System... The Customer is responsible for creating a Customer Inquiry ticket to notify IBM of any IP changes to the OA or contracted devices that could potentially disrupt event and log flow into the X-Force Protection System. 3.2 Ongoing Management and Support The Customer is responsible for maintaining current hardware, OS and antivirus agent maintenance contracts. The Customer is responsible for making agreed-to changes to the network environment based upon IBM recommendations. The Customer is required to maintain an active and fully functional Internet connection at all times. Configuration / Change Management The Customer acknowledges that IBM retains sole administrative access to the OA device and is responsible for all management and maintenance functions. The Customer is responsible for hardware and software-level configurations as well as overall health and availability monitoring of all contracted Security Event and Log Management Hosts. The Customer must work in good faith to allow IBM to upgrade its back-end infrastructure so as to improve service features, functionality, and reliability. The Customer is required to provide advance notice of any scheduled system reboots, maintenance, or power tests that may result in temporary cessation of receipt of security event and log data. The Customer is responsible for all activities associated with break-fix should a device fail that is not directly and completely managed by IBM. Server Environment Requirements Network infrastructure devices and applications sending security events and/ logs to IBM must meet the most current application minimum system requirements as outlined in the vendor s product documentation. The Customer is responsible for taking the appropriate measures to ensure all Hosts and OA Appliances are protected and installed in networks using appropriate security practices INTC /2007 Page 8 of 13

9 The Customer must provide a secure, physically controlled environment for servers on which the MSS ULA resides. MSS for Security Event and Log Management - Select MSS for Security Event and Log Management - Select provides additional value by providing an automated mechanism for analyzing security data anomalies using X-Force Protection System. In connection with the above, IBM will perform the responsibilities as set forth in the section entitled MSS for Security Event and Log Management Standard, subsection IBM Responsibilities. In addition, IBM will perform the responsibilities set forth in the section entitled MSS for Security Event and Log Management Select, subsection IBM Responsibilities below. You agree to perform all of the tasks set forth in the section entitled MSS for Security Event and Log Management Standard, subsection Customer Responsibilities above. In addition, you agree to perform the responsibilities set forth in the section entitled MSS for Security Event and Log Management Select, subsection Customer Responsibilities below. 4. IBM Responsibilities 4.1 Ongoing Management and Support Automated Analysis Following data collection, security events from supported systems and applications are forwarded to IBM for automated analysis. This analysis process evaluates security events for statistical deviations, anomalies, and suspicious activity through the application of sophisticated algorithmic analysis. If the system identifies activity warranting further investigation, an X-Force Protection System alert will be generated and stored within the Virtual-SOC for further evaluation by the Customer. communications may also be configured via the Virtual-SOC for users of the system to be notified when X-Force Protection System alerts are generated for specific systems and applications. Such alerts are subject to the X-Force Protection System alert notification guarantee as outlined in the section of this Service Description entitled Service Level Agreements. Examples of X-Force Protection System-based alert types include, but are not limited to: hot decodes alert notification of specific signatures or attacks in the security event stream; malicious code alert notification of worm-like activity propagating in the environment; and probes and scans alert notification of a substantial increase in reconnaissance activity. Automated analysis of security event data applies only to IBM-supported network Intrusion Detection and Intrusion Prevention devices and technologies. Automated analysis support for additional device types will be added periodically. X-Force Protection System alerts should be evaluated by a member of the Customer security team as quickly as possible. Certain X-Force Protection System alerts may indicate network attacks or system compromise. Evaluating an X-Force Protection System alert will typically involve examining the alert type and any snapshots of security event data (either raw or summarized) that may be included with the notification. If an X-Force Protection System alert is determined to require further action or investigation, a Security Incident ticket may be created by the Customer from within the X-Force Protection System alert for further tracking by the Customer security team. Events from supported IDS/IPS devices can be compared by the Customer to identify relationships between multivendor products and solutions. Research and Investigation User-friendly query tools allow for real-time research and analysis to quickly conduct investigations of suspicious IP addresses and suspected misuse. These tools augment the automated real-time analysis of network Intrusion Detection and Intrusion Prevention devices performed by the X-Force Protection System. X-Force Protection System Alert Review IBM security analysts are available to assist MSS for Security Event and Log Management - Select Customers by answering general questions regarding an X-Force Protection System alert or service capability. However, IBM does not provide a personalized review of X-Force Protection System alerts or a walk-through of potential incidents as a standard feature of the MSS for Security Event and Log INTC /2007 Page 9 of 13

10 Management Select service. At the Customer s request, such support may be provided by the IBM SOCs for an additional fee. Security Event Summary As part of MSS for Security Event and Log Management - Select, security events received from supported network Intrusion Detection and Intrusion Prevention devices are summarized by X-Force Protection System. This process allows for statistical reporting and analysis to be performed at a later time. Summarized data is stored in a security enhanced database within an IBM data center, and is physically separate from the storage mechanism for unaltered raw security event data. Maintaining both sets of data helps to provide the ability to perform analysis while maintaining the integrity of the original data stream SOC Event Monitoring (optional service) SOC Event Monitoring is designed to provide automated, real-time analysis of security events using algorithms created and maintained by IBM. Subsequent eyes-on scrutiny of associated alerts helps the SOC notify the Customer of potential security risks. Such monitoring is available to MSS for Security Event and Log Management Select Customers for an additional fee and will be performed by the SOC for supported network Intrusion Detection and Intrusion Prevention devices in an on-demand or regularly scheduled fashion. Customer event streams are analyzed using algorithms created and maintained by IBM. During or following live security event monitoring, IBM may request that Customers implement a modification to the then current IDS/IPS configuration if the current policy prevents the SOC from optimally processing event data satisfactorily. Requested policy changes must be implemented prior to the next monitoring period. If the Customer does not change the policy, the Security Incident response guarantee will be null and void. In the event malicious activity is detected, the SOC will review relevant alerts, and if determined necessary, generate a Security Incident ticket in the Virtual-SOC. Actionable, validated Security Incidents will be escalated to the Customer via , -based text messaging notification, or telephone, depending on declared event severity, as described in the section entitled SLA Remedies below. The Customer will be provided with a description of the Security Incident, the potential impact, and a recommended course of action. An containing the details of the Security Incident will be sent to the designated Customer contact. 4.2 Customer Responsibilities The Customer is responsible for remediation of any X-Force Protection System alerts and SOC escalations they receive. The Customer is responsible for patching systems and implementing associated policy changes to remediate potential security risks as identified by either X-Force Protection System alerts or the SOC. 5. Service Level Agreements for MSS for Security Event and Log Management - Standard and Select Service Levels IBM SLAs establish response time objectives for the MSS for Security Event and Log Management service. The SLAs become effective when the deployment process has been completed, the device has been set to live, and support and management of the OA Appliance has been successfully transitioned to the SOC. The SLA remedies are available provided the Customer meets its obligations as defined in this Service Description. The following definition is provided for purpose of clarity. Failed event - a device is considered to have failed reporting event data when no data of any kind has been received during 24 consecutive hours SLA Guarantees The SLA guarantees described below comprise the measured metrics for delivery of MSS for Security Event and Log Management - Standard and Select service levels. Unless explicitly stated below, no additional guarantees or warranties of any kind shall apply to services delivered under MSS for Security Event and Log Management. The remedies for failure to meet the SLA guarantees are specified in the section entitled SLA Remedies, below. a. Proactive system monitoring guarantee: INTC /2007 Page 10 of 13

11 (1) Standard level IBM will attempt to contact the Customer within 30 minutes after IBM determines the OA is unreachable via standard in-band connectivity. (2) Select level - IBM will attempt to contact the Customer within 15 minutes after IBM determines the OA is unreachable via standard in-band connectivity. IBM will contact the designated Customer contact by a method elected by IBM. During an outage escalation, IBM will continue attempting to notify the designated Customer contact until such contact is reached or all escalation contacts have been exhausted. b. Failed event receipt notification guarantee if a contracted device fails to transmit data to the X- Force Protection System over a single twenty-four (24) consecutive hour period, the designated Customer contact(s) for the affected device, will be sent an notification within 15 minutes. A ticket will be generated to track the failed event condition and an will be sent to the designated contact. IBM only guarantees the initial sending of the failed event notification; not the confirmed delivery to the end recipient(s). c. Event restoration guarantee IBM will restore offline security event data to removable media within the timeframes specified below: (1) up to 30 days of consecutive event data will be restored within two full business days; (2) up to six months of consecutive event data will be restored within five full business days; and (3) more than six months of event data each request will be individually evaluated by IBM and an estimated time to restore will be provided. The event restoration guarantee applies only to the restoration of offline security event data to removable media. It does not reflect required shipping time or shipping dates. Such dates will be mutually agreed upon at the time of the occurrence. IBM will charge pre-negotiated fees for all time and material utilized to restore and prepare data in the Customer s requested format d. Security Incident response guarantee (available only for MSS for SELM Select Customers who have contracted for the optional SOC Event Monitoring service) During the SOC monitoring period, IBM will respond to all identified Security Incidents within 15 minutes of identification. The Customer s designated Security Incident contact will be notified by telephone for Priority 1 Security Incidents and via for Priority 2 and 3 Security Incidents. During a Priority 1 Security Incident escalation, IBM will continue attempting to contact the designated Customer contact until such contact is reached or all escalation contacts have been exhausted. Operational activities related to Security Incidents and responses are documented and timestamped within the IBM trouble ticketing system, which shall be used as the sole authoritative information source for purposes of this SLA guarantee. Table 3 SLA Summary Service Level Agreement Standard Select Proactive system monitoring guarantee Failed event receipt notification guarantee Event restoration guarantee For OA Appliance only within 30 minutes notification within 30 minutes As specified in the section entitled SLA Guarantees, above For OA Appliance only within 15 minutes notification within 15 minutes As specified in the section entitled SLA Guarantees, above Security Incident response Not available Available with purchase of SOC Event Monitoring for Response within 15 minutes 5.2 SLA Remedies As the sole remedy for failure to meet any of the guarantees described in the section entitled SLA Guarantees, IBM will credit the Customer s account if IBM fails to meet the SLA guarantees during any given calendar month. For all SLAs, the Customer may obtain no more than one credit for each SLA per day, not to exceed a total for all SLAs of U.S. $25,000 (or equivalent in local currency) or the contracted INTC /2007 Page 11 of 13

12 value of the service in a given calendar month, as stated in the section entitled SLA Exclusions and Stipulations below. Specific SLA remedies are listed below: a. Proactive System Monitoring remedy If IBM fails to meet this guarantee the Customer s account shall be credited the applicable charges for one day of the specific device s Monthly Monitoring Fee, and if applicable specific managed security platform for which the respective guarantee was not met. b. Failed event receipt notification remedy if the guarantee is not met for any given calendar month, the Customer s account shall be credited the applicable charges for one day of the total invoice Security Event and Log Management fee at the time of failure. c. Event restoration remedy if IBM fails to meet this guarantee for any given calendar month, the Customer account will be credited for one full week (7/30ths) of the total invoiced MSS for Security Event and Log Management fee for the device at the time of failure. d. Security incident response remedy (available only for MSS for SELM Select Customers who have contracted for the optional SOC Event Monitoring service) if the guarantee is not met for any given calendar month, the Customer account will be credited the prorated charges as specified below: (1) Priority 1 Security Incidents: Failure to identify the security event(s) as a Security Incident will result in a one month credit for the initial device that reported the event(s). (2) Priority 2 Security Incidents: Failure to identify the security event(s) as a Security Incident will result in a one week credit for the initial device that reported the event(s). (3) Priority 3 Security Incidents: Failure to identify the security event(s) as a Security Incident will result in a one day credit for the initial device that reported the event(s). Table 4 - SLAs and Remedies Summary Service Level Agreements Proactive system monitoring guarantee Remedies for MSS for SELM Credit of 1 day of the OA Management fee Failed event receipt notification guarantee Credit of 1 day of the MSS for Security Event and Log Management fee for the affected device Event restoration guarantee Security Incident response guarantee Credit of 1 week of the MSS for Security Event and Log Management fee for the affected device Credit of 1 day of the affected device s monthly SOC Event Monitoring fee 5.3 SLA Exclusions and Stipulations Customer Contact Information Multiple SLAs require IBM to provide notification to the designated Customer contact after certain security events occur. To ensure the accuracy of IBM s notifications, the Customer is solely responsible for providing IBM with accurate and current contact information for the designated contact(s). The current contact information on record is available to authorized contacts through the Virtual-SOC. IBM will be relieved of its obligations under these SLAs if the Customer contact information provided to IBM is out of date or inaccurate due to Customer action or omission Customer Network/Server Change Notifications The Customer is responsible for providing IBM advance notice regarding any network or server changes to the environment for contracted Hosts. If the event advance notice cannot be provided, the Customer is required to provide IBM with notification of changes within seven calendar days of said network or server changes. Notification is completed by the submission or update of a critical server ticket through the Virtual-SOC. If the Customer fails to notify IBM as stated above, all SLA remedies are considered null and void. INTC /2007 Page 12 of 13

13 5.3.3 Maximum Penalties/Remedies Payable to Customer The total SLA credits (called remedies ) provided by MSS for Security Event and Log Management Standard and Select service levels described in the sections entitled SLA Guarantees and SLA Remedies above, will not exceed a total of U.S. $25,000 (or the equivalent in local currency) in one calendar month SLA Compliance and Reporting SLA compliance and the associated remedies are based on fully functional network environments, Internet and circuit connectivity, and properly configured servers. If SLA compliance failure is caused by reasons other than those directly within IBM s control, such as failure of customer owned hardware or software, all SLA remedies are considered null and void. IBM will provide SLA compliance reporting through the Virtual-SOC Event Restoration Each request for the restoration of security event and log data to removable media for data volumes in excess of six months in duration or size will be evaluated by IBM and an estimated time to restore will be provided. Due to a variety of technical variables involved in restoring data volumes of this size, IBM is unable to provide an SLA at this time. 6. Service Level Objectives IBM service level objectives (called SLOs ) establish nonbinding objectives for the provision of certain features of MSS for Security Event and Log Management Standard and Select service levels. The SLOs become effective when the deployment process has been completed, the device has been set to live, and support and management of the device have been successfully transitioned to the SOC. IBM reserves the right to modify these SLOs with 30 days prior written ( or Virtual-SOC) notice. a. Virtual-SOC Accessibility Objective - IBM will provide a 99.9% accessibility objective for the Virtual- SOC outside of the times detailed in the section entitled Scheduled and Emergency Portal Maintenance. b. Internet Emergency Customer Notification Objective - In the event IBM declares an Internet emergency, it is IBM s objective to notify the Customer s specified points of contact via within 15 minutes of emergency declaration. This notification will include an incident tracking number, telephone bridge number, and the time that IBM will conduct a situation briefing. During declared Internet emergencies, IBM will provide a live telephone-conference situation briefing and summarized designed to provide information that the Customer can use to protect their organization. Situation briefings following the onset of an Internet emergency will supersede any requirement for IBM to provide Customer-specific escalations for security events directly related to the declared Internet emergency. IBM will communicate other priority level incidents, during an Internet emergency, via automated systems such as , pager and voice mail. Standard escalation practices will resume upon conclusion of the stated Internet emergency. Termination of an emergency state is marked by a decrease in the AlertCon level to AlertCon 2, or an notification delivered to an authorized Customer security contact. c. X-Force Protection System Alert Notification Objective IBM will send an notification to the designated Customer contact for the affected device, within 15 minutes after generation of an X- Force Protection System alert. IBM only guarantees the initial sending of the X-Force Protection System alert notification; not the confirmed delivery to the end recipient(s). 7. Other Terms and Conditions IBM reserves the right to modify the terms of this Service Description, including the SLAs, with 30 days prior written ( or Virtual-SOC) notice. INTC /2007 Page 13 of 13