
Classification: Open

SERVICE DEFINITION

CYBER SECURITY SERVICES (AWARE) G-CLOUD 8


Lot 4 - Specialist Cloud Services

Service Definition: Cyber Security Services (AWARE), Issue: 2.0

Copyright: MDS Technologies Ltd 2016

© MDS Technologies Ltd 2016.

Other than for the sole purpose of evaluating this Response, no part of this material may be reproduced or transmitted in any form, or by any means, electronic, mechanical, photocopied, recorded or otherwise or stored in any retrieval system of any nature without the written permission of MDS Technologies Ltd.

MDS Technologies Ltd, 2 Methuen Park, Chippenham, Wiltshire, SN14 0GX

Telephone: 01225 816220, Fax: 01225 816281

CONTENTS

Summary of Service Features

Falanx Cyber Defence Protective Monitoring Services

Service Highlights

Service Description

GPG-13 AWARE Protective Monitoring Service Levels

Service Deployment Model

Service On-Boarding

Commercial

Annex A – Protective Monitoring AWARE Control Scope


WHY MDS?

A privately owned, UK sovereign company

Connected to Internet, JANET, N3, PSN, RLI

Public, community and private cloud available

Security Cleared technical and customer service staff

We are Agile, Flexible, Open, Honest and Transparent

We deliver cost effective solutions on time and within budget

We are your One-Stop-Shop for secure assured Cloud services

A fully managed platform using our ITIL-aligned 24/7 Service Desk

Experienced at delivering small, large and complex Cloud solutions

We are an SME - large enough to deliver, small enough to care

PROFESSIONAL, PERSONALISED SOLUTIONS

SUMMARY OF SERVICE FEATURES

Specialist UK Cyber Security Operations Centre

Proactive monitoring of external and internal threats

Situational awareness data to help determine your overall Cyber Security posture

Service delivered using Security Cleared (SC) staff


Falanx Cyber Defence Protective Monitoring Services

Cyber risk is more pervasive and critical than almost any other risk currently facing government or commercial organisations that hold valuable or sensitive data. Hacking attacks to steal, damage or destroy data, plant malicious software or gain unauthorised access to personal information are becoming more frequent. In addition, ‘insider’ attacks by disgruntled employees or unintentional security breaches by staff can have serious consequences. All can result in serious financial and/or reputational damage.

Falanx Cyber Defence Limited, created solely to deliver managed Cyber Security services, provides a range of Protective Monitoring Services that remotely monitor and analyse organisations’ IT infrastructures for signs of improper activity. Our services provide continuous protection for both legacy and cloud computing environments from cyber threats, failure of process or technology and human error.

Our Protective Monitoring Services are designed for organisations that require:

Proactive monitoring of external and internal threats to Information Security and IT systems.

Effective Cyber Security services that need to be deployed within a limited budget and would therefore benefit from a flexible and cost effective pricing model.

Situational awareness data to help determine their overall Cyber Security posture.

Confidence in the integrity of a UK-based service delivered by a UK company using a UK-owned and UK-developed monitoring toolset. Customer data remains entirely within the UK.

A forensic log management capability that allows the collection, recording and retention of log data in a manner that supports forensic investigations.

Demonstration of compliance with International and UK Government specific security standards, guidance and policies - in particular, the Security Policy Framework and CESG Good Practice Guide 13.

A robust, cost-effective solution offering peace of mind by providing auditability, accountability and governance.

Protective Monitoring from Falanx Cyber Defence greatly reduces an organisation's risk exposure by:

Rapidly identifying and communicating transactions within the enterprise that reflect misuse or compromise;

Decreasing the likelihood of a significant security event;

Enabling the impact of a security incident to be reduced through timely resolution.

Falanx Cyber Defence's GPG-13 AWARE Protective Monitoring Services are aligned with the AWARE Segment (Recording Profiles A) of CESG’s Good Practice Guide (GPG) 13 - Protective Monitoring for Government ICT Systems. This guide is recognised as an industry standard for security monitoring. Both our Protective Monitoring offerings incorporate our high-integrity Forensic Log Management Service that allows the collection, recording and retention of log data in a manner that supports forensic investigations, allowing the logs to be used as evidence in a work tribunal or legal case in a court of law.


Our Services provide organisations with assurance that their information systems and associated data are being used appropriately and provide visibility on who is accessing the systems.

MDS partners with Falanx Assuria Cyber Defence to offer this service.

Service Highlights

Simple pricing model based on the number of devices that need to be monitored with prices starting at just £8 per device per month all inclusive (dependent upon quantity of devices).

Managed UK sovereign services provided by an organisation created solely for the purpose of delivering managed cyber security services.

Delivered remotely from a specialist UK Cyber Security Operations Centre (CSOC) using (as a minimum) UK Security Cleared (SC) Cyber Security Analysts, operating on a 24x7x52 basis.

Delivered from within an Integrated Management System (IMS) certified to ISO9001, ISO20000-1 and ISO27001.

Suitable for OFFICIAL environments.

Rapid on-boarding with options available for zero start-up costs.

Forensically sound log collection and storage solution providing data chain of custody.

Out-of-the-box, pre-defined GPG-13 deployments.

24x7x52 collection, alerting, recording and retention of monitored data.

Capture of a wide variety of data types from formally structured and normalised files, through to data captured from screen shots.

99.7% or 99.5% availability, dependent upon service level.

Flexible and adaptable – add, remove or change your monitored devices at any time.

Scalable solutions with proven collection capability up to 300 million events per day.

Monthly monitoring reporting summaries providing feedback on the risk and security status of the customer organisation.

ITIL aligned Service Desk providing Call Handling and Request Fulfilment.

Only two working days’ termination notice with options available for zero on-boarding and termination costs.

Digitally signed log store monitored for signs of addition, deletion or modification of data.

Variable data retention periods based on an organisation’s needs, with additional archiving available as a Service Catalogue item.


Service Description

GPG-13 AWARE Protective Monitoring

The Falanx Cyber Defence GPG-13 AWARE Protective Monitoring Services are managed services suitable for monitored environments up to OFFICIAL. These services provide Protective Monitoring based on the controls defined in CESG’s Good Practice Guide 13 (GPG-13). We have developed our Protective Monitoring Services using an appropriate treatment of GPG-13 policies, with suitable architecture deployments and solid operating processes to deliver effective services to customers.

GPG-13 Protective Monitoring Controls (PMCs) define a set of alerts and reports that provide feedback on the risk and security status of an organisation. They include control activities such as inspecting firewall logs, investigating operating system security alerts and monitoring Intrusion Detection Systems (IDS). Falanx Cyber Defence provides out-of-the-box, pre-defined, GPG-13 deployments.

Our GPG-13 AWARE Protective Monitoring Services are aligned with the AWARE Segment of GPG-13. Annex A provides details of the specific PMCs in scope for each level of service. They use a combination of automated tooling and specialist expertise. This ensures that any information captured and analysed using software tools has human knowledge and experience applied, which reduces the number of false positives (non-relevant events) identified and aids remediation planning and action.

The Protective Monitoring Services are based on SIEM technology that delivers an enterprise wide view of Information Security activity, from almost any system, application or device within the IT infrastructure. The SIEM provides automated collection and management of audit logs from across the whole enterprise, as well as security event analysis, alerting and reporting.

Falanx Cyber Defence Protective Monitoring Services generate security alerts following the ingestion and analysis of Security Events sent by software agents from a customer’s monitored estate. Supporting this process is a set of filtering, correlation and analysis rules within the toolset that link individual Security Events together in order to help establish when a Security Alert needs to be generated.

At Falanx Cyber Defence we use a unique approach in our application of GPG-13 controls which is beneficial to customer organisations. The approach has a pre-established template set of minimum baseline controls and Alerts. Each Alert type defined in GPG-13 has an additional category of either ‘Standard’ or ‘Enhanced’ which ensures that the right information regarding an organisation’s IT security status is provided in the right quantities, at the right time intervals and in the most useful format possible.

Details of Standard Alerts are given to customers in Daily Alert Summaries generated once every 24 hours. Details of Enhanced Security Alerts are passed to Falanx Cyber Defence Cyber Security Analysts who use a set of detailed guidance criteria documented in a KnowledgeBase to establish whether or not the Security Alert is valid and can be notified to the customer (or is a False Positive). If confirmed as ‘notifiable’, this is classed as a Potential Security Incident and the customer notified.

Potential Security Incidents are an indication that a Security Incident may have occurred on a customer’s estate. An actual Security Incident can only be confirmed by the customer.

Potential Security Incidents are communicated to the organisation’s Named Contact within agreed timescales by telephone and email. In some cases, further Security Alerts of the same type are then suppressed by the SIEM for a defined period of time in order to prevent both the customer and Falanx Cyber Defence Cyber Security Analysts from being swamped by large quantities of similar Alerts. This approach has the benefit of reducing ‘Alert storms’ where certain Event types would naturally generate large and overwhelming volumes of Alerts.

A False Positive is an Alert which analysis shows is not a Potential Security Incident and which should not be notified to the customer; it is a Security Alert which fails to meet the validation criteria for notification. Whenever an Analyst deems that a False Positive has occurred, the ‘Falanx Cyber Defence - Tuning Process’ is invoked to ensure that similar False Positives are not generated.

If a customer confirms the validity of a Potential Security Incident of which they have been notified, it is categorised as a Confirmed Security Incident; if not, it is again deemed a False Positive and the ‘Falanx Cyber Defence - Tuning Process’ invoked.

Customers may select 10 Events for Enhanced Alerting irrespective of how they have been defined by Falanx Cyber Defence or GPG-13 (for example, a logon event or warning message on a device that would not otherwise raise an alert). In such cases the customer must provide Falanx Cyber Defence with adequate information to allow such Events to be identified.

Accounting Data is collected 24x7x52. Alerting is undertaken during the respective service-level operating times, be it 24x7x52 or otherwise.

A Service Catalogue item is available for periodic Critical Security Alert reviews to be performed by Falanx Cyber Defence Cyber Security Analysts outside of Core Hours. Critical Alerts are then reviewed and actioned on a 12 hourly basis (i.e. on non-normal working days, Analysts will perform their review at 07:00 and 19:00). Alerts defined as Critical shall be agreed by both parties.

Service Resilience

Backup of customer raw log data is taken once every 24 hours. Backups are retained for 14 days.

Service availability for the Falanx Cyber Defence GPG-13 AWARE Protective Monitoring Service is either 99.5% or 99.7% (dependent upon the service level selected).

Forensic Log Management

Falanx Cyber Defence’s Forensic Log Management Service uses a product that assures log data integrity and forensic soundness. The service is specifically designed to meet the forensic log management requirements of the UK Government and provides a high integrity solution for defence, security and commercial organisations.

Our Forensic Log Management Services provide forensic soundness in the following areas:

1. Provision of logs in their original form;

2. Prevention of undetectable addition of log data;

3. Prevention of undetectable deletion of log data;

4. Prevention of undetectable modification of log data;

5. Demonstration of log data chain of custody.

Any log integrity issues identified by the service are notified to the CSOC for analysis and validation and any subsequent incident handling.
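The five forensic soundness properties listed above, as an added example that is not part of the original document or of Falanx/MDS's toolset: a signed, hash-chained log store whose verifier reports addition, deletion and modification, plus a chain-of-custody trail; the per-agent signing at source it models is the same mechanism the Service Deployment Model later describes. HMAC-SHA256 with a constructed agent key stands in for the agent's digital signature, and all records and custody holders are constructed.

```python
"""Added example (not Falanx/MDS code): a signed, hash-chained log store whose
verifier reports the tamper classes listed above (addition, deletion,
modification) and keeps a chain-of-custody trail. HMAC-SHA256 with a
constructed agent key stands in for the agent's digital signature; the records
and custody holders are constructed."""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _mac(key: bytes, data: str) -> str:
    return hmac.new(key, data.encode(), "sha256").hexdigest()


def _entry_hash(prev: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True)     # canonical form of the record
    return hashlib.sha256((prev + body).encode()).hexdigest()


class SignedLogStore:
    """Append-only store: each entry binds the previous entry's hash and is signed."""

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []
        self.custody = []        # who held the store and its signed head at hand-over

    def append(self, record: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _entry_hash(prev, record)
        self.entries.append({"seq": len(self.entries), "prev": prev,
                             "record": record, "hash": h, "sig": _mac(self.key, h)})

    def head(self) -> tuple:
        """Signed 'count:last_hash' statement, held apart from the store itself."""
        last = self.entries[-1]["hash"] if self.entries else GENESIS
        stmt = f"{len(self.entries)}:{last}"
        return stmt, _mac(self.key, stmt)

    def transfer(self, holder: str) -> None:
        """Chain-of-custody record: the new holder plus the signed head it received."""
        stmt, sig = self.head()
        self.custody.append({"holder": holder, "head": stmt, "head_sig": sig})


def verify(key: bytes, entries: list, head: tuple) -> list:
    """Return findings; an empty list means the store is intact."""
    findings = []
    prev, expected_seq = GENESIS, 0
    for e in entries:
        if e["seq"] != expected_seq or e["prev"] != prev:
            findings.append(f"chain break before seq {e['seq']}: entry deleted or inserted")
        if e["hash"] != _entry_hash(e["prev"], e["record"]):
            findings.append(f"record modified at seq {e['seq']}")
        if not hmac.compare_digest(e["sig"], _mac(key, e["hash"])):
            findings.append(f"signature invalid at seq {e['seq']}: not produced by the agent")
        prev, expected_seq = e["hash"], e["seq"] + 1
    stmt, sig = head
    count, last = stmt.split(":")
    if not hmac.compare_digest(sig, _mac(key, stmt)):
        findings.append("head statement forged")
    elif int(count) != len(entries) or last != prev:
        findings.append("tail mismatch: entries appended or removed after the head was signed")
    return findings


def verify_custody(key: bytes, custody: list) -> bool:
    """Every hand-over must carry a genuinely signed head, so the trail has no gaps."""
    return all(hmac.compare_digest(c["head_sig"], _mac(key, c["head"])) for c in custody)


def demo() -> dict:
    """Constructed scenario: an intact store, then each tamper class in turn."""
    key = b"constructed-agent-key"
    store = SignedLogStore(key)
    for rec in ({"event": "logon", "user": "alice"},
                {"event": "logon_failure", "user": "bob"},
                {"event": "fw_drop", "src": "198.51.100.7"}):
        store.append(rec)
    store.transfer("customer proxy")
    store.transfer("CSOC log store")
    head = store.head()
    results = {"intact": verify(key, store.entries, head)}
    modified = copy.deepcopy(store.entries)
    modified[1]["record"]["user"] = "mallory"          # silent edit of one record
    results["modified"] = verify(key, modified, head)
    deleted = copy.deepcopy(store.entries)
    del deleted[1]                                     # one record removed
    results["deleted"] = verify(key, deleted, head)
    added = copy.deepcopy(store.entries)
    h = _entry_hash(added[-1]["hash"], {"event": "bogus"})
    added.append({"seq": 3, "prev": added[-1]["hash"], "record": {"event": "bogus"},
                  "hash": h, "sig": "00"})             # forged entry without the key
    results["added"] = verify(key, added, head)
    results["custody_ok"] = verify_custody(key, store.custody)
    return results
```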


3.4 Service Desk

All Falanx Cyber Defence services are supported by an ITIL aligned Service Desk providing Call Handling and Request Fulfilment services. The Service Desk is also responsible for managing the lifecycle of Service Incidents from identification through to successful resolution.

3.5 Service Management and Reporting

All Falanx Cyber Defence processes related to the management, support and maintenance of our Protective Monitoring Services have been developed in accordance with ITIL best practice including:

Service Level Management;

Event Management;

Availability Management;

Capacity Management;

IT Service Continuity Management;

Information Security Management;

Supplier Management;

Incident Management;

Problem Management;

Service Asset and Configuration Management;

Change Management and Release and Deployment Management;

Continual Service Improvement.

Our Service Desk acts as the primary point of contact for handling Service Incidents and Service Requests; it also provides an interface to other IT Service Management activities. Service related Incidents are notified to customer organisations within two hours during Core Hours.

Monthly summary reports are issued to customers, providing feedback on the performance and effectiveness of the Service during the period. The monthly report contains a summary of Security Incident information against the customer’s relevant monitoring controls. Additionally, Service performance management information is included summarising the following:

All Security Incidents raised in period;

Status of any Service Incidents raised in the period;

General cyber security information considered relevant to customers of the Protective Monitoring Services.

An initial Service Review is held with the customer organisation within two months of service commencement. Further Service Reviews are held annually.


3.6 Quality Processes

Falanx Cyber Defence operate an Integrated Management System (IMS) certified to ISO9001, ISO20000-1 and ISO27001, and the principles for security within our IMS are aligned with those of the HMG Security Policy Framework (SPF).

Our Protective Monitoring Services support the cyber security requirements of government organisations as prescribed by the HMG SPF, most specifically in terms of the security outcomes relating to:

Technology and Services requirements for risk-informed security controls,

Information requirements to maintain the confidentiality, integrity and availability of information, and,

Preparation for and response to Security Incidents to reduce vulnerability to cyber-attack, leaks, and insider attacks.

Falanx Assuria’s Protective Monitoring Services have been designed specifically around the GPG-13 guidance from CESG, which is the UK’s National Technical Authority for Information Assurance in this area. Falanx Cyber Defence’s services are aligned to the latest Security Operations and Management guidance published by CESG, and our services are continuously reviewed and adapted to reflect changes in best practice guidance issued by CESG.

GPG-13 AWARE Protective Monitoring Service Levels

Each item below is given for the AWARE (Standard Service Level) and the AWARE (Enhanced Service Level); where only one value is shown it applies to both service levels.

Alerting Hours: Standard 0700-1900 Mon-Fri, excluding UK Bank Holidays; Enhanced 24x7x52.

Core Hours: 0700-1900 Mon-Fri, excluding UK Bank Holidays.

Collection, Recording and Retention of Event Data: 24x7x52.

Analysis and Validation of Potential Security Incidents; Alerting of Security Alerts and Incident Support: Alerting Hours.

Collection, Storage and Management of Digitally Signed Logs: 24x7x52.

Call Handling and Request Fulfilment: Core Hours.

Availability of the FAL Protective Monitoring Tool: Standard Target 99.5%; Enhanced Target 99.7%.

Security Alert Notification: 4 Hours (Alerting Hours Only), Target 95%.

Service Outage Notification: 2 Hours (Alerting Hours Only), Target 95%.

Service Reviews: Annually.

Initial Response To Changes In Monitored Device Set: 3 Working Days.

Initial Response To Customer Change Requests: 5 Working Days.

Initial Response To Customer Service Requests: 3 Working Days.

Maximum Security Classification: OFFICIAL.

Maximum GPG-13 Recording Profile: A.

Price (Per Device / Per Month): Standard From £8.00; Enhanced From £11.00.

Termination Notice: 2 Working Days.

Data Retention: Variable data retention periods.

Backups: Backup of log data taken once every 24 Hours. Backups retained for 14 Days.

Planned Maintenance: Between the hours of 00:00 and 06:00 (UK local time) Monday to Sunday and/or between the hours of 08:00 and 12:00 (UK local time) on a Saturday and/or Sunday. ‘Planned Maintenance’ means any pre-planned maintenance of any infrastructure relating to the Service. FAL shall provide the customer with at least twenty four (24) hours’ advance notice of any such planned maintenance. Planned Maintenance shall be excluded from any availability calculation in regard to service credits but shall be included in the monthly service reporting.

Service Credits - Service Availability: Credit calculated as a percentage of the fees for the affected Services measured quarterly (e.g. an Actual Service Availability of 98% against a Target Service Availability of 99.7% produces a Service Credit of 1.7% of Charges measured Quarterly). Excludes Planned Maintenance periods.

Service Credits - Security Alert Notification: Credit of 0.5 days of Charges for each Failure.

Minimum Contract Term / On-Boarding and Termination Charges: Option 1 (Zero On-Boarding Charges): zero on-boarding charges, minimum 12 month contract, £5,000 termination charges in first 12 months. Option 2 (Zero Termination Charges): £10,000 on-boarding charge, no minimum contract term, zero termination charges.

Billing: Monthly in Advance.

Minimum Number of Devices: 20 (POA for deployments of fewer devices).

Table 1 Falanx Cyber Defence GPG-13 AWARE Protective Monitoring Service Levels


Service Deployment Model

The standard Falanx Cyber Defence deployment for Protective Monitoring Services is depicted in Figure-1. Software agents are deployed on customers’ systems and interact with local database, application and device / host operating systems’ logging capabilities to capture the accounting data necessary for GPG-13 in its original form. This data is digitally signed by each agent before onward secure transmission (encrypted and mutually authenticated). The agents are configured to route their collected data to a proxy service residing within a security zone in the customer environment. This service then forwards collected log data to Falanx Cyber Defence, again using a secure transmission method.

For resilience, agents are capable of spooling the accounting data until a successful onward transmission. Multiple proxies can be deployed to offer security traffic segregation and management. The standard service provides a single proxy instance included in the price with other instances being available from the Service Catalogue.

The software agents support most common operating environments and capture a wide variety of data types from formally structured and normalised files, through to data captured from screen shots. The agents can be easily installed by customers using the installation guides and remote support provided by Falanx Cyber Defence. As a Service Catalogue item, our support team can be contracted under the consulting rates to attend site and assist in the agent and proxy installations.

Data within our Protective Monitoring Service is processed and stored using controls commensurate with the data’s Government Security Classification (GSC).

As part of the standard service provision, organisations are allocated one Terabyte (1TB) of storage space which is usually sufficient to retain up to 180 days of accounting data in raw form and up to 60 days of normalised data. Should the volume of accounting data being captured be likely to exceed this 1TB volume, additional storage can be requested as a Service Catalogue Item.

At the end of a retention period the data is deleted using an appropriate mechanism for the data’s GSC.

Other deployment design options are available through Falanx Cyber Defence’s consultancy services.

Figure 1 Standard Deployment Model


Service On-Boarding

The Falanx Cyber Defence Protective Monitoring Service is easy for customer organisations to on-board. Upon submission of an order, the customer is provided with a Welcome Pack detailing what happens next and how to enable the Service.

Figure-2 shows typical on-boarding timescales for the Falanx Protective Monitoring service.

Following the Welcome Pack, Falanx Cyber Defence will:

Configure a monitoring instance for the customer organisation.

Provide the customer with access to the required software including details of how to install and configure agents on the customer’s systems. This includes support on installation where required.

Advise the customer on the changes required to their systems to configure secure communications between the customer and Falanx Cyber Defence networks.

Test the Service to ensure log collection is correctly configured and that reports and alerts are working as expected.

Billing for Falanx Cyber Defence Protective Monitoring Services is monthly in advance and charges commence 10 working days after the agreed commencement date submitted on the order form.

Figure 2 Typical On-Boarding Timescales (phases recovered from the figure):

Contract Award

Build (10 working days): High Level Design; SIEM instance provision and deployment; Configure Customer Service Details; TLS Proxy provision; TLS Proxy deployment; Agent provision; Agent deployment; Test and Acceptance.

IOC

Baseline (60 calendar days): Service Provision; Pipe Clean; Establish normal profile; Onboard Tranche 1; Onboard Tranche 2; Onboard Tranche 3.

FOC

Service Level Delivery (remainder of term): Service Level Management; SLA and KPI monitoring; Service Reporting.

EOL

Customer On-boarding Responsibilities

Customer organisations are responsible for:

Providing a unique telephone number and email address for the escalation of Security Alerts;

Ensuring that only appropriate data (e.g. up to OFFICIAL) is accessible within the platform;

Advising Users that the system is being monitored;

Installing software agents and proxies as per Falanx Cyber Defence’s instructions and enabling communications to the Falanx Cyber Defence monitoring instance. This includes providing a Virtual Machine (VM) in their data centre(s) for each proxy they require. The VMs are to be deployed in a network remotely accessible by Falanx Cyber Defence staff and the Falanx Cyber Defence data centre;

Configuring their systems to generate logs in-line with the recommendations of GPG-13;

Configuring their internal security systems to allow secure communications between agents and proxies and externally between proxies and Falanx Cyber Defence data centre(s);

Providing basic configuration information on log sources in-scope for the service;

Providing Falanx Cyber Defence with communications on changes to their information systems which may have an impact upon the monitoring service;

Managing any remediation activity associated with a Security Alert.

Scope of Supply

Protective Monitoring

Deployment of monitoring solution.

Initial baseline tuning.

Log Collection, Recording and Retention.

Analysis and Validation.

Alerting and Reporting.

Incident Support.

Forensic Log Management

Deployment of Forensic Log Management solution.

Digital signing of logs at source.

Monitoring of log store for signs of addition, deletion or modification.

Demonstrable log data chain of custody.

Service Management

Service Desk.

Ongoing tuning, patching and update of monitoring systems.

Capacity and Availability monitoring of delivered Service.


Commercial

Pricing, Minimum Contract Term and Termination Conditions

Our Protective Monitoring Services can be terminated at any time with no additional costs if an on-boarding charge of £10,000 is paid by the customer. Should customers prefer the option of zero on-boarding charges then a minimum contract term of 12 months applies with a fee of £5,000 payable if the contract is terminated within this period. No termination fees apply outside of the minimum contract term. In all cases the Protective Monitoring Services can be terminated with two working days’ notice. Upon termination all customer log data is permanently and irretrievably deleted. As part of the Service Catalogue, customers have the option of transferring data out of the Service prior to deletion.

For full pricing details, please refer to the Falanx Cyber Defence commercial document: Falanx Cyber Defence G-Cloud 8 Pricing.

Ordering Process

Please contact [email protected] or phone 01225 816280 with any questions or to receive a draft Service Order Form. Please reference “G-Cloud 8 Cyber Services” to ensure your query is routed to an appropriate member of our team.


Annex A – Protective Monitoring AWARE Control Scope

The following GPG-13 Protective Monitoring Controls are in scope for the Falanx Cyber Defence GPG-13 AWARE Protective Monitoring Service:

Existence of Simple Timestamps

Timestamps of Referenced Events

Malware Detection at the Boundary

Changes to Boundary Anti-Malware Signatures

Packets Dropped By Boundary Firewall

Critical Host Messages at Critical

Host Malware Detection

Critical Host Messages at Error

Changes to Host Anti-Malware Signatures

Packets Dropped By Internal Firewalls

Remote Access User Authentication Failures

Unsuccessful VPN Registrations

Change of Status of Dynamic IP Address Assignments

Remote Access User Sessions

Change in Status of VPN Node Registrations

Node, VPN and Connection Status

Changes to Status of User Network Accounts

Changes to Network User Privileges and User Group Statuses

Use of Application or Database Administration Facilities

Security Manager Console Alerts

Resets, Errors, Failures and Threshold Exceptions

Query of Status of Active Logs