CASSIDIAN CYBERSECURITY
SECURITY OPERATIONS CENTRE SERVICES
PROTECTIVE MONITORING SERVICE

In a world where cyber threats emerge daily, often from unknown sources, information security is something that no organisation can afford to take for granted. Cassidian CyberSecurity has the expertise to take on the security challenges facing today's organisations, providing services and systems that work tirelessly to stem the tide of cyber threats.
Protective Monitoring Overview

An understanding of user and system behaviour is fundamental to planning and constructing the defence of an organisation's business infrastructure against the cyber threat. Traditional security technologies such as firewalls, anti-virus and intrusion prevention systems are designed to detect or prevent specific types of known exploitation, such as the execution of malicious software, connections to prohibited services, or the infiltration of a system by unauthorised external entities. Protective monitoring captures information about system and user actions that security tools would not necessarily deem malicious or unauthorised in isolation, but that may nonetheless introduce unmanaged risk into the organisation. Protective monitoring and analysis may also identify a new threat (e.g. a zero day) that has not previously been categorised by the security vendor and is therefore not detected by their predefined technical policies.

Security Information and Event Management

Cassidian Limited (hereafter referred to as Cassidian, and incorporating Cassidian UK, Cassidian CyberSecurity and Regency IT Consulting) uses Security Information & Event Management (SIEM) technology to deliver Protective Monitoring services. The SIEM acts as a central repository for security-related events from a broad range of system sources, such as network routing devices, operating systems and applications, as well as the traditional security technologies. In addition to collecting security-related events, the SIEM is used to correlate, filter and normalise the data to provide a comprehensive near real-time and historical view of the system security posture. In its native format, the vast array of event data collected from reporting systems and devices is difficult to interpret and to associate with a potential cyber attack.
Using specialist tools and expertise, Cassidian analysts translate this data into usable information and meaningful reports that can be understood by business management. These security reports are associated with current, relevant threat data to ensure that the organisation is presented with a global information assurance picture to support safe business operations.
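The normalise-then-correlate step described above, shown as an added illustration (this is not Cassidian's code, nor any particular SIEM product's): three sources log in three different formats, each line is mapped onto one common schema, and a rule then flags a sequence of events that no single line would trigger on its own. The log lines are constructed for the example, the field names are an assumed schema, and the thresholds (three failures within five minutes) are illustrative values that a real recording profile would tune.

```python
"""Minimal SIEM-style pipeline: normalise heterogeneous log lines into one
schema, then correlate events that are benign in isolation.

Added illustration only; not Cassidian's or any vendor's code. All log lines,
field names and thresholds below are constructed/assumed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events from three sources: a firewall, a Linux sshd
# syslog line, and a Windows security event export. Individually, every line
# is routine; together lines 2-5 are a successful brute force against root.
SAMPLE_LOGS = [
    "2013-05-01T09:00:01Z fw1 DENY TCP 203.0.113.7:51234 -> 10.0.0.5:22",
    "2013-05-01T09:00:05Z srv1 sshd[1021]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "2013-05-01T09:00:09Z srv1 sshd[1022]: Failed password for root from 203.0.113.7 port 51241 ssh2",
    "2013-05-01T09:00:14Z srv1 sshd[1023]: Failed password for root from 203.0.113.7 port 51242 ssh2",
    "2013-05-01T09:00:20Z srv1 sshd[1024]: Accepted password for root from 203.0.113.7 port 51243 ssh2",
    "2013-05-01T09:01:00Z dc1 EventID=4625 TargetUserName=alice IpAddress=10.0.0.9",
    "2013-05-01T09:07:00Z dc1 EventID=4624 TargetUserName=alice IpAddress=10.0.0.9",
]

_TS = r"(?P<ts>\S+) (?P<host>\S+) "   # every source is prefixed "timestamp host "

# One (regex, enrichment) pair per source format. The enrichment maps the
# source-specific wording onto the common "outcome" vocabulary.
PARSERS = [
    (re.compile(_TS + r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"),
     lambda m: {"outcome": "fail" if m["outcome"] == "Failed" else "success"}),
    (re.compile(_TS + r"EventID=(?P<eid>4624|4625) TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)"),
     lambda m: {"outcome": "success" if m["eid"] == "4624" else "fail"}),
    (re.compile(_TS + r"(?P<action>DENY|ALLOW) (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"),
     lambda m: {"outcome": "deny" if m["action"] == "DENY" else "allow", "category": "network"}),
]


def normalise(line):
    """Map one raw line onto the assumed common schema
    (ts, host, src, user, category, outcome, raw).
    Returns None for a line no parser understands; callers should count
    those rather than silently drop them, since an unparsed source is a
    monitoring gap."""
    for pattern, enrich in PARSERS:
        m = pattern.match(line)
        if m:
            ev = {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "host": m["host"],
                "src": m["src"],
                "user": m.groupdict().get("user"),   # absent for network events
                "category": "auth",                   # overridden by enrich() if not auth
                "raw": line,
            }
            ev.update(enrich(m))
            return ev
    return None


def correlate(events, threshold=3, window_s=300):
    """Rule: at least `threshold` authentication failures for the same
    (source IP, host, user) within `window_s` seconds, followed by a success
    for that same key, raises one alert. A single failure, or a single
    success, is filtered out as ordinary activity."""
    alerts = []
    failures = defaultdict(list)   # (src, host, user) -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "auth":
            continue
        key = (ev["src"], ev["host"], ev["user"])
        if ev["outcome"] == "fail":
            failures[key].append(ev["ts"])
        elif ev["outcome"] == "success":
            recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "brute_force_then_success",
                    "src": ev["src"], "host": ev["host"], "user": ev["user"],
                    "failures": len(recent), "ts": ev["ts"],
                })
            failures[key].clear()   # the successful login closes the sequence
    return alerts


def run(lines=SAMPLE_LOGS):
    """Collect -> normalise -> correlate, reporting parse coverage as well as alerts."""
    events, unparsed = [], 0
    for line in lines:
        ev = normalise(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return {"events": len(events), "unparsed": unparsed, "alerts": correlate(events)}


if __name__ == "__main__":
    for alert in run()["alerts"]:
        print(alert)
```

On the constructed input the three sshd failures from 203.0.113.7 followed by the accepted root login produce one alert, while the lone Windows 4625 for alice followed by a 4624 does not, because one failure is below the threshold. The firewall DENY parses into the common schema but, being a network event, is left for a different rule. The `unparsed` counter is the check a practitioner would want: a source whose lines never match any parser is reporting nothing useful, which is exactly the configuration gap the advisory paragraph later in this document is about.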
Business Benefits

The benefits of Protective Monitoring are far reaching: not only does it provide information to support business operations in the face of the cyber threat, it also meets the compliance needs of organisations in a range of business domains. This includes the data recording, system monitoring and log storage requirements associated with best-practice policies and standards such as GPG13, ISO 27000 and PCI DSS. Cassidian specialists have an excellent understanding of the fundamental security requirements in these publications, as well as of the systems and networks under their jurisdiction, and are best placed to design and deliver a protective monitoring policy that meets the requirements of a modern networked business environment.

Providing a filtered informational view ensures that suspicious or unusual network activity is immediately visible and not obscured by authorised system and network activity. Our specialists achieve the optimal security view by applying specific technical security policies to the SIEM and to the associated reporting devices and sensors. These technical policies are based on the individual customer's threat profile and their specific compliance requirements. The technical security policies are further enhanced using advanced aggregation, correlation and analysis skills to determine event relevance and criticality.

Cassidian Expertise and Experience

Cassidian also provides expert advice to ensure that all relevant reporting devices are configured to report pertinent events and that any specialist security sensors are strategically positioned to deliver the optimal protection to critical business assets. Cassidian leverages an extensive library of mature ITIL-based processes aligned with best practice to support the incident response process and a range of support functions, such as updating logging requirements and maintaining system software levels.
Additional processes to manage change and configuration have also been developed in partnership with our customers to ensure that the risk of service disruption is minimised and that the security posture is maintained.

The Cassidian Protective Monitoring Service provides:

- Real-time collection, filtering, normalisation and aggregation of log data from all capable devices, computers and applications defined within the enterprise network.
- Secure long-term storage and archiving of the log data.
- Real-time and historical analysis of log data.
- Flexible searching of the log data in response to ad-hoc queries.
- Production of reports.
- Incident analysis and management by the Cassidian Security Operations Centre (SOC) through near real-time event correlation. This enables focused use of resources to respond to serious issues in a timely fashion.
- Incident management and handling aligned with the customer's security policy and industry best practice.
- Event correlation and evaluation against known vulnerabilities, current attacks and other specialist threat intelligence sources, such as the Cassidian Warning, Advice and Reporting Portal (WARP).
- System tuning to reduce false positive alerts, providing a more focused and accurate threat picture.
- Reporting of key incident metrics to facilitate:
  o development of security policies and procedures;
  o fine tuning and focusing of technical detection policies;
  o detection of historical trend-based threats.

Cassidian Protective Monitoring services may be offered as a stand-alone service component or as part of a comprehensive cyber defence solution.

Training

Developing services that are intuitive and require minimal training has always been a primary goal of Cassidian. However, some training will inevitably be needed, as ensuring our customers are fully comfortable in using our services is essential. Cassidian works closely with customers to understand their training needs and to develop the most cost-effective training solution.

Trial Services

Cassidian offers services on a trial basis; prices can be provided upon request.
Backup/Restore and Disaster Recovery

Business Continuity (BC) and Disaster Recovery (DR) are firmly embedded within our organisation, and our BC Team has designed, implemented and tested Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) for our customers. Using processes such as Major Incident Management, Risk Analysis, Business Impact Analysis and Critical Activity Analysis, Cassidian provides duplicated infrastructure, alternative location facilities, mirrored data centres and diverse power and connectivity solutions to achieve BC requirements for the MoD, the Emergency Services and the private sector.

Information Assurance

Cassidian is recognised for its knowledge and experience in the field of information assurance, accumulated through the provision, evaluation and accreditation of many system solutions for Government departments and MoD contracts. These solutions have been created to cater for business impact levels IL0-2, IL3, IL4 and IL5. Cassidian has extensive experience in the creation and auditing of security solutions that are designed to ISO 27001 and accredited under HMG standards (IS1 and IS2).

Financial Recompense

Specific requirements for financial recompense will be negotiated and agreed on an individual contract basis.

Termination Terms

Termination terms for this service are specified in the accompanying terms and conditions.

Pricing

The price quoted for Protective Monitoring on the G-Cloud catalogue is £62.60 per log source per month, for a GPG13 recording profile B (assuming a 3-year contract). This is subject to the following parameters, on an IL3 network:

Log Source Category                                         | Threshold Measure                      | G-Cloud Price Parameter
------------------------------------------------------------|----------------------------------------|------------------------
Security Enforcing Network Device                           | Maximum bandwidth (Mbps)               | 0-250
Non Security Enforcing Network Device                       | Maximum bandwidth (Mbps)               | 0-250
Base Windows Server OS                                      | Internal or externally facing server   | Internal systems only
Base Linux Server OS                                        | Internal or externally facing server   | Internal systems only
Specialist Security Appliances                              | Maximum bandwidth (Mbps)               | 0-250
Workstation (Desktop/Laptop)                                | Number of working hours                | 0-30
Printer/Scanner/Fax                                         | Average number of prints per month     | 0-1000
Web Server                                                  | Average number of unique visits per day| 0-1000
Database                                                    | Average number of transactions per day | 0-1000
Middleware                                                  | Internal or externally facing server   | Internal
Email Server                                                | Average number of emails per day       | 0-2000
General Purpose Apps (File Server)                          | Internal or externally facing server   | Internal
Authentication / Directory Server                           | Total number of enrolled users         | 0-1000
NIDS Sensor (owned and managed by Protective Monitoring Provider) | Maximum bandwidth (Mbps)         | 0-250
HIDS Sensor (owned and managed by Protective Monitoring Provider) | Internal or externally facing server | Internal server
Web Filtering Gateways and Proxy Server                     | Maximum bandwidth (Mbps)               | 0-250
Antivirus Product Source                                    | Per number of hosts monitored          | 0-1000

The Protective Monitoring Service will also be subject to core infrastructure and core management charges.
However, Protective Monitoring services are bespoke in nature and Cassidian will therefore tailor its pricing accordingly. Upon receipt of an enquiry, Cassidian will work with the potential customer to provide a specific proposal, with a service offering that delivers maximum value against the customer's business objectives.

Service Levels

Service Availability and Performance metrics will be detailed, following mutual agreement, and captured in a formal SLA between Cassidian and the Customer. Each Service Performance Level is categorised as either a Key Performance Indicator (KPI) or a Performance Indicator (PI). A KPI is subject to the Service Credit regime. A PI is measured and reported to the Service Consumer but is not subject to the Service Credit calculation. PIs are measured so that Cassidian can make reasonable efforts to improve reported performance as part of the Continuous Service Improvement process.

Service Constraints & Dependencies

For the successful delivery of these services, Cassidian and the customer will need to establish and agree the constraints and dependencies that affect the service. These will be established during the initial engagement with the customer.

Ordering Process

Cassidian will use the G-Cloud catalogue ordering process.

On-Boarding

Cassidian employs a standard service introduction approach to deliver against proposals. Cassidian's Take On Service Plan (TOSP) is used to manage the on-boarding process that transitions Service users from their existing Service to the new Service (and off again at the Service off-boarding point).
Technical Requirements and Consumer Responsibilities

Cassidian's Protective Monitoring offering is designed to give potential customers maximum flexibility. This allows the service to be tailored to meet individual needs, with technical requirements and consumer responsibilities agreed on a case-by-case basis.
Cassidian Cybersecurity Limited intends to sub-contract part of the service to Cassidian Limited. Cassidian Limited is a company incorporated in England and Wales (company number 04191036) and its registered office is at Quadrant House, Celtic Springs, Coedkernew, Newport, NP10 8FZ. Cassidian Cybersecurity Limited is a wholly owned subsidiary of Cassidian Limited. Cassidian Limited has the following capabilities and experience in the provision of the service.

Copyright

This document and its content are the property of Cassidian Limited and must not be duplicated and/or disclosed without authorisation. Any use other than that for which it was intended is prohibited. © Cassidian Limited 2013. All rights reserved.

Point of Contact

Enquiries regarding the content of this document should be addressed to:
Chantelle Walkden
Email: opportunities@regencyitc.co.uk
Regency IT Consulting is a Business Unit of Cassidian CyberSecurity Limited
Unit 1.1, Montpellier House, Montpellier Drive, Cheltenham, Glos, GL50 1TY
Tel.: 01242 225 692