Addendum - Secureworks Services for Taegis ManagedXDR

Overview ⫘

Secureworks Services for Secureworks® Taegis™ ManagedXDR (the “Service”) provides Customer with Service Units to use for Proactive Services or Emergency Incident Response (“EIR”). All capitalized words and phrases shall have the meanings set forth herein, as defined in the Glossary, or within the Secureworks-applicable agreement, such as the Customer Relationship Agreement.

Customer can purchase Service Units upon initial ordering of a ManagedXDR subscription or at any time during Customer’s Services Term. There is no limit to the number of Service Units that can be purchased.

Service Units can be used for any of the Proactive Services listed in the Secureworks Services for ManagedXDR Catalog. For all Proactive Services, the Consulting Services Addendum applies. See the Secureworks Services Catalog for more information about this Service and each parties’ obligations with respect to this Service. The Secureworks Services Catalog is incorporated into this Addendum by reference.

Notes:

• Customer must already have, or simultaneously purchase, one of the following services: ManagedXDR, ManagedXDR Elite, ManagedXDR Essentials, or ManagedXDR Enhanced.
• This Service is not currently available in Japan or Australia.
• Access the following page to see the list of compatible browsers for viewing the Secureworks Services for ManagedXDR Catalog: Browser Requirements (Google Chrome is recommended for best results).
• Each Customer-approved request for EIR or a Proactive Service is referred to as an Engagement. For example, one (1) Threat Hunting Assessment (in the Secureworks Services Catalog) is a Proactive Service and is referred to as an Engagement.

Service Components ⫘

Proactive Services ⫘

Secureworks will provide Customer with Proactive Services available in the Secureworks Services Catalog. The scope for each Proactive Service in the catalog is fixed (standard Secureworks scope will be used); however, Secureworks can work with Customer to reasonably customize the scope. Any deviations from this Service Catalog shall require a change order signed by both parties. Each request for a Proactive Service will be scoped and the number of required Service Units will be determined prior to Engagement start.

Engagement-specific Deliverables ⫘

Upon completion of each Proactive Service, Customer will receive final Engagement-specific Deliverables (e.g., a Final Report) that will include information about the completed Proactive Service. See the Secureworks Services Catalog for details.

Secureworks Services Catalog ⫘

The Secureworks Services Catalog contains the Proactive Services available to Customer through use of the Service Units. If Customer does not have enough Service Units for a service in the catalog, then Customer will need to contact their Customer Success Manager or Secureworks Account Manager to purchase additional Service Units. If Customer purchased ManagedXDR through a Secureworks partner, then Customer must contact partner of choice for additional purchases of Service Units.

Below are descriptions of the categories of services listed in the Secureworks Services Catalog.

• Incident Readiness and Advisory Services — Secureworks will assess and/or design an incident response plan that enables effective and efficient response to a cyber incident. Cybersecurity assessments are available to help Customer strengthen its cybersecurity posture and align cybersecurity program efforts with strategic objectives.
• Testing and Validation Services — Secureworks will conduct testing to discover any previously unknown issues, vulnerabilities, or threats in Customer’s environment that could lead to a compromise.
• Threat Intelligence Services — Secureworks will provide threat and brand surveillance services such as an information brief for Enterprise Brand Surveillance.
• Workshops and Exercises — Secureworks will conduct or provide training modules that teach an incident responder core skills and key activities to perform during an incident. The workshops and exercises provide practical, hands-on experience in performing tactical incident response tasks, validate defined IR processes, and allow practice of the concepts outlined in Customer’s existing IR plan in real-world cyber event scenarios. The workshops and exercises can be customized based on Customer’s specific needs.
• Programs — Secureworks will work with you to identify the most appropriate path to maximize your readiness to respond to a ransomware attack and test your resilience.
• Technical Assistance Services — Secureworks will provide services for fixed scope technical requests such as conducting malware analysis.

Emergency Incident Response ⫘

In the event of a cybersecurity emergency or need for Emergency Incident Response services, Customer may use Service Units for an EIR Engagement. Only increments of one (1) Service Unit are acceptable (e.g., no partial Service Units can be used). One (1) Service Unit is equal to five (5) EIR hours.

Secureworks can provide EIR that can be conducted remotely or on-site. The activities conducted can include but are not limited to the following:

• Incident support and coordination
• Digital media handling guidance and support
• Deployment support for host-based, network-based, and log analysis technologies
• Network analysis services
• Incident response and digital forensic analysis of online and offline infrastructure and datasets from Customer’s on-premises and cloud assets
• Malware analysis and reverse engineering
• Containment planning guidance
• Negotiation with ransomware threat actor regarding return of data and potential ransom payment amount in the case of a ransomware incident based on Customer’s feedback and instructions
• Periodic Engagement Status Updates, in accordance with the mutually agreed-upon communication plan for each Engagement
• Engagement-specific Deliverables, in accordance with the mutually agreed-upon deliverables for each Engagement

To provide clarification, information about some of the above-listed items is provided in the subsections below.

Digital Forensic Analysis ⫘

As part of EIR, Secureworks may acquire and analyze a variety of formats for forensic analysis of digital media and artifacts to assess compromise activity, including but not limited to the following:

• Disk images
• Memory images
• Mobile devices
• Network packet captures
• Plain text log files

Malware Analysis and Reverse Engineering ⫘

As part of EIR, Secureworks may perform static, dynamic, and reverse engineering analysis to assist in understanding the function of Customer-supplied files.

Secureworks will provide analysis results, to include cyber threat intelligence based on correlation across Secureworks datasets and will advise on mitigation actions to reduce the impact of the sample on Customer’s infrastructure.

Ransomware Negotiation ⫘

As part of EIR, Secureworks may negotiate on behalf of Customer with a ransomware threat actor regarding return or deletion of stolen data and potential payment of a ransom amount. The primary objective of ransomware negotiation is to negotiate a reduced price from the original ransom demand for the return or deletion of any stolen data to minimize Customer’s risk pertaining to data leakage or further extortion.

Scheduling ⫘

Secureworks will contact a Customer-designated representative within five (5) business days after the execution of the Transaction Document to validate scoping and schedule Proactive Services. For each Engagement, Secureworks will provide a work order to Customer for review. Prior to scheduling and commencing work for each Engagement, Customer must provide written approval of the work order to Secureworks. Below is information about scheduling and re-scheduling EIR and Proactive Services Engagements.

• EIR: Customer will request EIR using the Incident Response Hotline or the XDR in-application chat. These communication methods are available to Customer 24 hours a day, 7 days a week.
• Proactive Services: The Proactive Services listed in the Secureworks Services Catalog require a minimum of four (4) weeks advance notification to schedule and complete within the Services Term. Secureworks will use commercially reasonable efforts to meet Customer’s requests for dates and times to deliver the Service(s), taking into consideration Customer-designated maintenance interval, Customer deliverable deadlines, and other Customer scheduling requests. Written confirmation of an agreed-upon schedule shall constitute formal acceptance of such schedule. If Customer requests multiple Proactive Services simultaneously, then Secureworks will schedule the first request as described above, with additional requests scheduled as best-effort based on resource and personnel availability.

Delivery Coordination ⫘

Secureworks will provide coordination for the Service(s) with appropriate communication and updates to the stakeholder community. The coordinator will oversee logistics for people, processes, and tools as well as timeline and meeting facilitation.

The scope of delivery coordination includes the following:

• Develop delivery timeline with Customer and with Secureworks personnel
• Work with Customer to identify and address issues or concerns that impact service delivery
• Periodic, high-level updates on progress
• Confirm delivery and procure project sign-off

Services will be delivered from Customer’s site(s) and/or remotely from a secure location. Secureworks and Customer will determine the location of the service(s) to be performed herein.

Secureworks solely reserves the right to refuse to travel to locations deemed unsafe by Secureworks or locations that would require a forced intellectual property transfer by Secureworks. Secureworks solely reserves the right to require a physical security escort at additional Customer expense to locations that are deemed unsafe by Secureworks. Customer will be notified at the time that services are requested if Secureworks refuses to travel or if additional physical security is required, and Customer must approve the additional expense before Secureworks travel is arranged. In the event any quarantines, restrictions, or measures imposed by governmental authority or Secureworks restricts travel to any location, Secureworks may at its election (i) deliver the Services remotely or (ii) postpone the Services until travel is permitted. If neither option (i) nor (ii) in the preceding sentence is feasible, Secureworks may terminate the affected Services and provide Customer with a refund of any unused, prepaid fees.

Service Fees and Related Information ⫘

Services Fees are based on the number of Service Units purchased. Total Fees for Service Units are billable in totality upon execution of the Transaction Document. See Customer’s MSA or CRA (as applicable), and Transaction Document for details, including the following:

• Billing and Invoicing
• Out-of-Pocket Expenses
• Services Term

Billable effort for Engagements will be calculated using Service Units. Customer may stop an Engagement by providing 24-hour advance notice to stop all work against the Transaction Document. Notice for stop of an Engagement must be sent by email to irservices@secureworks.com.

Notwithstanding the foregoing, Service Units will not be refunded and are not transferable to any other Secureworks services not listed in the Secureworks Services Catalog. Any Service Units specified for any twelve-month period beginning on the Effective Date of the Service Order and each anniversary thereof (each twelve-month period, a “Contract Year”) that are not used within such Contract Year shall be forfeited.

Invoice Commencement ⫘

See the Service-specific Addendum or Transaction Document for information about invoice commencement.

Additional Service Fees and Other Information ⫘

Customer can purchase additional Service Units at any time during the Services Term if desired. To purchase additional Service Units, Customer may contact their Customer Success Manager or Secureworks Account Manager. If Customer purchased ManagedXDR through a Secureworks partner, then Customer must contact partner of choice for additional purchases of Service Units.

If Customer previously purchased Service Units directly from Secureworks, then Customer may purchase additional Service Units at the previously agreed rate in the most recent Transaction Document. Customer’s approval for Service Units shall be sent through email to secureworks_services@secureworks.com. Customer acknowledges and agrees that receipt of such email will be from a Customer representative authorized to commit Customer to the purchase of additional Service Units and email notification is binding upon Customer. Total Fees for Service Units are 100% billable upon Customer’s approval through email.

Customer acknowledges and agrees that if Purchase Orders (P.O.s) are required for the transaction with Secureworks to extend or add to the originally purchased Service(s), then an updated P.O. will be issued to Secureworks for the extended/added Service(s) specified in the Transaction Document. Secureworks may terminate the Service(s) and/or Engagement as applicable and, notwithstanding the foregoing, Customer acknowledges and agrees that it remains responsible for any additional work performed by Secureworks until such P.O. is received.

Expenses ⫘

Customer agrees to reimburse Secureworks for all reasonable and actual expenses incurred in conjunction with delivery of the Service.

These expenses include but are not limited to the following:

• Travel fees related to transportation, meals, and lodging to perform the Services, including travel to Customer location(s)—e.g., traveling for Engagements and the performance of optional on-site planning workshops
• Digital media storage, Engagement-specific equipment, or licensing necessary for tailored digital forensic analysis work.
• Monthly fees for other purchased infrastructure to support service delivery (e.g., public cloud computing services) may apply, if Customer and Secureworks agree that usage is necessary to complete the Engagement.

Customer Obligations ⫘

Customer will perform the obligations listed below, and acknowledges and agrees that the ability of Secureworks to perform the Service is contingent upon the following:

• Customer personnel are scheduled and available to assist as required for the Service.
• Customer will have obtained consent and authorization from the applicable third party, in form and substance satisfactory to Secureworks, to permit Secureworks to provide the Service if Customer does not own network resources such as IP addresses, Hosts, facilities or web applications.
• For on-site activities, Customer will provide a suitable workspace for Secureworks personnel, and necessary access to systems, network, and devices.
• Replies to all requests are prompt and in accordance with the delivery dates established between the parties.
• Customer’s scheduled interruptions and maintenance intervals allow adequate time for Secureworks to perform the Service.
• Customer will promptly inform Customer personnel and third parties of Secureworks testing activities as needed, to prevent disruption to Secureworks business and performance of the Service (e.g., takedown requests, ISP deny list).
• Customer will provide to Secureworks all required information (key personnel contact information, credentials, and related information) at least two (2) weeks before an Engagement for a Proactive Service or prior to on-site arrival for Emergency Incident Response.

Communications ⫘

To initiate a request for an EIR Engagement, Customer will submit a request through the Incident Response Hotline or the XDR in-application chat. These communication methods are available to Customer 24 hours a day, 7 days a week. To initiate a request for a Proactive Service, Customer will send an email to irservices@secureworks.com.

Ransomware Negotiation ⫘

• Customer will provide Secureworks with access to personnel authorized to make decisions regarding Customer’s position with respect to ransomware payments and instructions with respect to negotiation strategy. Customer will provide prompt feedback to any inquiries regarding ransomware by Secureworks’ negotiators.
• In the event that Customer decides to pay any demanded ransomware payment, Customer must conduct independent due diligence on the threat actor based upon any information that Secureworks and Customer are able to ascertain during the performance of the Service. This information may be derived from data and information that is or will become available to Secureworks and Customer during delivery of the Service. Customer agrees that Secureworks is unable to provide recommendations or advice to Customer regarding its legal or regulatory compliance obligations with regard to any export or economic sanctions or other laws or regulations that would apply to either Secureworks or Customer.
• Customer agrees that it shall indemnify, defend, and hold harmless Secureworks, its Affiliates and subcontractors, and each of their respective directors, officers, employees, contractors, and agents from any damages, costs and liabilities, civil or criminal fines, and expenses (including reasonable and actual attorney’s fees) actually incurred or finally adjudicated as to any claim, action, or allegation by a national government regarding alleged violations of export or economic sanctions regulations whereby Secureworks is or was asked by Customer to perform or not to perform certain actions in connection with this Service.

Warranty Exclusion ⫘

While this Service is intended to reduce risk, it is impossible to completely eliminate risk, and therefore Secureworks makes no guarantee that intrusion, compromises, or any other unauthorized activity will not occur on Customer’s network.

Glossary ⫘

Term	Definition
Services Term	Period of time identified in the Transaction Document during which Services will be delivered to Customer.