CNS Security and Network Monitoring. Managed Services Description




CNS Security and Network Monitoring Managed Services Description
Author(s): Martin.Dipper@cnsuk.co.uk
Date: 16th January 2012
Version: V1.00

INDEX
1 DOCUMENT CONTROL ... 3
1.1 ISSUER DETAILS ... 3
1.2 DOCUMENT HISTORY ... 3
1.3 NON-DISCLOSURE STATEMENT ... 3
2 INTRODUCING SECURITY AND NETWORK MONITORING SERVICE ... 4
2.1 SECURITY AND NETWORK MONITORING SERVICE INTRODUCTION ... 4
2.2 SECURITY AND NETWORK MONITORING SERVICE SUMMARY ... 6
3 CLIENT QUICK START ... 7
3.1 KEY FACTS ... 7
3.2 CLIENT RESPONSIBILITIES ... 9
3.2.1 All Managed Services ... 9
3.2.2 Security and Network Monitoring Service ... 9
4 MANAGED SERVICES TEAM ENGAGEMENT ... 11
4.1 CNS MANAGED SERVICES TEAM ... 11
4.2 NOTIFICATIONS TO CLIENTS FROM SERVICE DESK ... 11
5 OPERATION OF SECURITY AND NETWORK MONITORING SERVICE ... 13
5.1 SERVICE INITIATION ... 13
5.2 LOG WATCH MANAGEMENT CENTRE ... 14
5.3 LOG ENGINE ... 14
5.4 ADDING DEVICES ... 14
5.5 ADDING USERS AND GROUPS ... 15
5.6 LOG ENGINE INSPECTOR ... 16
5.7 LOG ENGINE LIVE FEED ... 17
5.8 LOG ENGINE RULE MANAGEMENT ... 17
5.9 LOG ENGINE REPORTING ... 18
5.10 LOGWATCH MANAGEMENT CENTRE MONITORING ... 19
5.11 LOGWATCH MANAGEMENT CENTRE PORTAL ... 19
5.12 CHANGE REQUEST ... 19
5.13 SECURITY AND NETWORK MONITORING SERVICE - SUPPORTED VENDORS ... 20

1 DOCUMENT CONTROL

1.1 ISSUER DETAILS

Issuer: Convergent Network Solutions Limited
Address: 76 Cannon Street, London, EC4N 6AE
Telephone: 0207 213 0999
Fax: 0207 213 0990
Author(s): Martin.Dipper@cnsuk.co.uk
Reviewer(s): Jason.Moody@cnsuk.co.uk; Paul.Rose@cnsuk.co.uk

1.2 DOCUMENT HISTORY

Date | Issue Version | Type/Change
16/01/2012 | 1.00 | First Version

1.3 NON-DISCLOSURE STATEMENT

This document contains intellectual property rights and copyright, which are proprietary to . The work and the information it contains are submitted for the purpose of advising on the operation of the Security and Network Monitoring Managed Service. It shall not be copied or disclosed to third parties in whole or in part without the prior written consent of .

2 INTRODUCING SECURITY AND NETWORK MONITORING SERVICE

2.1 SECURITY AND NETWORK MONITORING SERVICE INTRODUCTION

Welcome to the CNS Security and Network Monitoring Services Description. Establishing and maintaining a secure infrastructure is a key business requirement for many organisations, often enforced by stringent regulation. In recent years there has been significant growth in regulatory mandates and best practice advice from many groups. However, the tools and services for cost-effective monitoring for small and medium enterprises (SMEs) have not always been readily available or affordable. Many vendors will sell you a solution that is complex to operate and manage and that requires expensive hardware and software maintenance agreements. Add the need to keep suitably qualified staff trained in the technology and the threats, and the cost can very quickly become prohibitive.

CNS MOSAIC (Managed Operations, Security, Assurance, InfoSec & Compliance) overcomes these problems for SMEs by delivering a complete set of managed services that protect your corporate assets wherever they are exposed to compromise or attack. Our services provide protection across your network estate, safeguarding the perimeter, critical internal assets, corporate data, remote users, clients and partners alike. Our services provide insight into and remedy for infrastructure events impacting your business operation, whilst also offering key controls in line with regulations such as PCI.

Security and Network Monitoring is part of the MOSAIC portfolio that delivers real-time monitoring of the client's infrastructure, linked to our 24x7 Service Desk located in London, UK. As a leading PCI DSS QSA and CESG accredited company, CNS fully appreciates the challenges faced by IT departments, CIOs, CISOs and network managers in their need to access, interpret and map actionable intelligence in line with regulation and security best practice.

The seemingly daunting task of logging, detecting and alerting on the millions of events occurring daily can be overwhelming. For those companies able to overcome the technical aspects of deploying the necessary technology, there is then the more challenging question of how to deliver the ongoing daily management and response to alerts. With the launch of the Security and Network Monitoring Service, CNS is positioned to deliver ongoing monitoring, alerting and professional wrap-around services that enable security best practice within our clients. The service is built and targeted towards small and medium enterprise clients, without the bloatware provided in many vendor solutions and services. CNS owns the logging and monitoring technology and is responsible for the service, maintaining availability and responding to alerts and events.

Typically the process is as follows:
o A CNS consultant scopes the client's logging and monitoring needs and offers best practice guidance for log alerting and retention.
o The CNS Service Desk builds a hardened Log Watch Management Centre (LWMC) in our secure NOC that is customised to the needs of our client. No two sets of needs are the same and each appliance is built for the client infrastructure; it is not one size fits all.
o The CNS Service Desk will deploy the Log Watch Management Centre on the client site and deploy the rules engine to capture all security, network and IT events.
o The CNS Service Desk will then tune the appliance over the next 30 days, ensuring the appropriate level of logging and priorities are applied.

With the launch of the Security and Network Monitoring Service, CNS is able to offer extended benefit and cost savings beyond those of traditional standalone auditing tools and the other complex SIEM appliances available in the market today, plus deliver intelligence for ongoing protection against threats. The service is fully supported by CNS's highly accredited understanding of secure design and security best practices. Our clients will receive a much extended level of benefit along with the extra level of IT assurance offered by qualified consultants.

2.2 SECURITY AND NETWORK MONITORING SERVICE SUMMARY

The table below gives a summary of the service offering. The original table also shows, for each feature, whether it is delivered by the CNS Solutions Group or by CNS Managed Services.

Enablement:
o Service design and installation
o LWMC appliance(s) built and delivered to site
o Reconfiguration of client network devices
o Configuration and deployment of appliance(s)
o Add client devices and applications into LWMC
o Configure user accounts and set up device portal
o Validate all users connected and operational
o Assistance with tuning requests during the first 30 days
o Tune service during the first 30 days
o Assistance with migration from a third party platform

Management:
o LWMC appliance(s) lifecycle management
o LWMC server appliance(s) fault and performance management
o LWMC server appliance(s) health monitoring
o LWMC client policy management
o User configuration assistance
o LWMC updates and additions to the service
o Administrator Portal with RBAC

Service Features:
o Near real-time detection of defined events
o Customised alerting on events and incidents
o Intuitive Rules Engine for ease of use and visibility
o Business hours or 24x7 Service Desk support
o Technical assistance with updates
o Technical support with service issues
o SLA'd response to incidents
o Daily backup of logs to off-site storage
o Access to all logs on site through portal
o Ability to undertake filtered searches on logs
o Ticketing of all incidents
o Monthly reports
o Quarterly service reviews (2)
o Assistance with remediation of issues on site (1)

(1) Additional work outside the service, which may require the purchase of Fault Management time or Solutions (Professional Services) time.
(2) Quarterly Service Reviews will depend on the mix of services provided to the client and annual spend.

3 CLIENT QUICK START

3.1 KEY FACTS

For prospects and new clients, it is important to understand some key helpful facts regarding the service, as follows:

The Security and Network Monitoring Service is delivered using, at a minimum, one device located on the client site:
o The Log Watch Management Centre contains the Log Engine, Rules Engine, Portal and Administration facilities that enable the retrieval, inspection and storage of client logs and events.
o Depending on the location of the client devices to be monitored and the network architecture, more than one Log Watch Management Centre may be required.

Business Take On (BTO) - CNS uses a structured BTO process to implement new clients, or existing clients bringing on additional devices. The BTO approach is managed by a qualified project manager for a client that is new to the service. The project manager will contact the client as soon as possible after the contract is signed and arrange an initial conference call to agree with the client the process for implementing the service. As part of the implementation, a CNS technician will work with the client to gather the necessary technical information (e.g. infrastructure auditing, server auditing etc.) that allows CNS to enable the service. This information differs between clients, but your CNS contacts will be skilled in rolling out new services and will guide you through every step of the process.

Service Desk - This is the service's support desk. It will be the main point of contact for all Security and Network Monitoring Service technical issues and queries. The contract will detail the hours of support, but all clients can call during business hours for any issues relating to the service. The Service Desk will assist with and own the query, with the issue being ticketed and given a support reference number. Details on contacting the Service Desk are given further on in this document.

Service Management - A service manager will be assigned to the client and will visit at least once a quarter to conduct a service review. This will provide the client the opportunity to go through the reports on the service's performance and discuss any issues of importance during the last quarter. We recommend the review as it helps clients get extra value from the service and provides feedback for CNS to help improve the service.

Client Points of Contact (PoC) - We will ask for authorised points of contact (PoC) for all services. The CNS Service Desk staff need to know they are speaking with authorised and approved client contacts, and the team will work with the client to build an authorised contact list, which is stored securely in the CNS Service Desk.

Escalation Contacts - Depending on provisioning, the Service Desk may also ask for client escalation contacts in the event of a specific incident occurring. As an example, if a specific event is seen that significantly affects the client's security posture, the CNS Service Desk will need to contact a specific resource within the company.

Communication - Additional communication will occur when we see a specific event that matches a condition or alert which the Service Desk knows will impact the client business. Typical of these communications are:
o A device becomes unavailable and we advise next actions.
o The device operating parameters are outside of normal.
o We have seen suspicious or unauthorised activity.
o An event has occurred which will compromise your security posture or network operation.
o A serious vulnerability has been discovered that could lead to a major compromise.
The nature of these communications is manifold, but the Service Desk role is to be the ears and eyes on your Security and Network Monitoring Service and to offer advice and assistance as appropriate.

Client Portal - The Log Watch Management Centre contains a client portal for authorised client contacts only. A Role Based Access Control (RBAC) model is deployed on the portal, and the CNS Service Desk will assist in defining the correct access for client users. The portal will contain at a minimum the following features:
o View logs and alerts generated from devices, including a live feed.
o Add, edit or remove a device (working with the CNS Service Desk).
o Administer the system by adding, editing and deleting users (if authorised).
o Define logging rules, based on application event ID, and specify whether to Alert, Acknowledge, Log or Drop (working with the CNS Service Desk).

3.2 CLIENT RESPONSIBILITIES

While the majority of the tasks and responsibilities associated with the delivery of security services are handled by CNS Managed Services, the client still maintains the following responsibilities to ensure the successful delivery of services.

3.2.1 All Managed Services

Clients are responsible for the following:
Coordinating, in advance, any changes to the network security architecture that may impact the CNS detection ability. These changes should be communicated 24 hours (during the business week) prior to the actual change window. At minimum, this includes:
o Changes to systems that are logging and reporting to the CNS hosting centre.
o Changes to network architecture and/or switch configurations that may impact the traffic presented to CNS.
o Ensuring contact information for all authorised client POC(s) stays current. Out-of-date contact information impacts timely ticket notification and incident escalation.
o Where appropriate, ensuring all client-owned networks are registered with the Service Desk. This information can be critical when responding to an event.
o Providing feedback to CNS on service delivery so that continuous improvements can be made.

3.2.2 Security and Network Monitoring Service

Clients are responsible for the following:
A secure site-to-site Virtual Private Network (VPN) tunnel between Convergent's Network Operations Centre (NOC) and the client target site. CNS will ensure remote access to the client site is only permitted via the CNS on-site log agent. The VPN will be provided by utilising the client hardware and Internet connection. Encryption, hashing and Diffie-Hellman group algorithms are to be agreed between CNS and the client depending on client hardware capabilities.
Ensuring that the Log Watch Management Centre(s) are properly installed in a network rack, powered and connected to the client network environment. A CNS technician will assist with this.
Allowing the CNS Log Watch Management Centre access through switches and border security devices to transport events and device information. The following ports are required to be opened:
o TCP 22 (SSH) - Secure shell access to client devices.
o TCP 25 (SMTP) - For nodes to send alerts to the central portal for CNS alerting.
o TCP 80 (HTTP) - Integrated Lights Out management of the Log Watch Management Centre.
o TCP 443 (HTTPS) - For the Log Watch Management Centre to send alerts to the central portal for CNS alerting.
o TCP 3142 (Updates) - How the Management Centre and portals update information.
o TCP 6556 (Check_MK Agent) - Log Watch Management Centre and portal network management.
o UDP 53 (DNS) - How the Log Watch Management Centre and portals resolve names.
o UDP 123 (NTP) - For the Log Watch Management Centre and portal to sync against an atomic clock.
Configuring the following access list requirements on the firewall for access between devices and nodes:

From | To | Service | Explanation
Client devices that require to be logged | Client Portal | UDP 514 | Push client device logs to either the central client portal or a separate logging node
All client Log Watch Management Centres | CNS Update Server | TCP 443 | Allows the client Log Watch Management Centre to obtain updates from the CNS architecture

Configuring security devices and log collection servers to accept CNS access.
Providing technical support for any network-related issues during service initiation.

4 MANAGED SERVICES TEAM ENGAGEMENT

4.1 CNS MANAGED SERVICES TEAM

The CNS Managed Services team operates from a secure Network Operations Centre in London and all client systems are hosted in a secure and resilient environment. The main contact for all Security and Network Monitoring Service client queries and issues is the CNS Service Desk, which can be contacted as below:

Name | Email Address | Direct Dial Details
Service Desk | servicedesk@cnsuk.co.uk | +44 (845) 644 0991

When using email, clients should be aware that, due to the lack of strong authentication and audit capabilities, this option may require verbal follow-up and confirmation that the Service Desk is communicating with a valid and authorised client contact.

The Service Desk consists of:
o Technical Service Engineers, who will answer the phone and resolve client queries.
o Service Manager, responsible for all contracts and administration and for performing service reviews to an agreed schedule.
o Service Desk Team Lead, responsible for the Service Desk and client satisfaction, and the formal escalation point.
o Head of Managed Services, responsible for the operation of the managed services and the Service Desk.

4.2 NOTIFICATIONS TO CLIENTS FROM SERVICE DESK

The client will, based on the services subscribed to, receive the following notifications from the Service Desk.

Ticket Notification - Authorised client contacts will receive notification of tickets provided their contact details stored by CNS are accurate and up-to-date. A valid business e-mail address and a configured subscription to the relevant services are required to receive notifications, which are sent based on the following conditions:
o The ticket requestor always receives update notifications.
o Tickets assigned to specific devices or events are sent only to POCs associated with the device/event.
o Tickets not assigned to specific devices or events are sent to all POCs subscribed to the specific service.

Incident Notification - Authorised client contacts may subscribe to receive notifications of specific incidents based on the following conditions:
o The incident affects a device or an event belonging to the contact's company.
o The incident's or event's assessed severity met or exceeded the thresholds set by the contact.

Escalations - Where there is recurring incident activity tracked within a single open ticket, telephone escalations are attempted to authorised client contacts.

5 OPERATION OF SECURITY AND NETWORK MONITORING SERVICE

This section outlines the elements of the managed service and what clients can expect to see in daily operation.

5.1 SERVICE INITIATION

The following documents are required for CNS Managed Services to proceed with the provisioning of new or additional services:
o Signed Security and Network Monitoring Service Agreement.
o Signed Managed Services Terms & Conditions.
o Client Purchase Order.
o Sales Order Form.

Upon receipt of these, CNS will begin the BTO process. The BTO process is detailed below, and a PMO resource will contact the client to arrange the first conference call or meeting. At the first conference call or meeting the PMO will explain the process and introduce a draft project plan, along the lines of the below:
o A job sheet is raised to include the services, resources, hardware and software required.
o Client actions identified and documented.
o Site survey and audit scheduled / reviewed.
o Log Watch Management Centre build: construction and sending to site.
o CNS VPN connectivity established.
o Installation of device on client site(s) and final device configuration, including SNMP monitoring setup (for CNS monitoring).
o Client action: contacts and configurations uploaded and deployed.
o Baselining: tuning of all logging, monitoring and alerting features.
o Documentation completed and checked.
o Finalisation: internal sign off, BTO sign off, contacts and documentation in CNS help desk.
o Go live: fully functional service, supported by the CNS Service Desk.

It is during the baselining process that the client logs will be set up to alert for the event IDs and expressions being monitored. During this important phase a CNS resource will:
o Ensure that all devices are logging to the Log Watch Management Centre and logs are being successfully received.
o Ensure that the Log Watch Management Centre events catalogue is populated with the events and expressions required by the client.
o Set up the Log Watch Management Centre rules engine to parse the logs for the events and expressions.
o Ensure that all events and expressions are being captured and detailed in the Log Watch Management Centre portal.
o Agree the logging and alerting response to specific events with the client and document it.
o Transfer to live service by cutting email alerts across to the CNS Service Desk at the agreed time.

5.2 LOG WATCH MANAGEMENT CENTRE

The Log Watch Management Centre (LWMC) is the purpose-built hardened Linux appliance that sits on the client site. The LWMC contains all the hardware and software components necessary to detect, log, monitor and alert on events on the client site. The appliance contains administration and portal functionality that allows local read-only access to the events, and is also linked to the CNS Service Desk for near real-time alerting.

5.3 LOG ENGINE

Log Engine is a component of the LWMC that collates information from multiple vendor devices and ensures logs are parsed, normalised, indexed and alerted on in real time. Once the logs are received, Log Engine uses a rules-based engine and a catalogue of events to allow the client to define the alerts required, founded on specific requirements or internal business issues. The results are presented to a local portal where they can be accessed and retrieved by authorised client contacts.

5.4 ADDING DEVICES

Devices are added to the service using the Administration tab in the portal on the LWMC (Administration/Devices/Add New Devices). All new devices will be added by CNS Service Desk personnel, using the information below, as part of the Business Take On (BTO) service.

Additional devices installed once the service is live will go through the same BTO process. The client will also be able to see a list of devices installed on the service under the Devices tab in the portal.

5.5 ADDING USERS AND GROUPS

It is possible to add and edit users in the LWMC portal as follows. Select Administration/Users; an authorised client contact will have the ability to add and edit users in the portal. Users will have read-only access to the portal functions, as this is a managed service, although it is possible for an authorised client administrator to add users.

The Add Group function will only be available to the CNS Service Desk, who control the RBAC model in the portal. The Service Desk will help set up and define groups for the client organisation.

5.6 LOG ENGINE INSPECTOR

It is possible to view the logs received by going to Products/LogEngine/Inspector. From here logs are displayed and it is possible to search using filtered parameters. All logs can be interrogated and specific events queried using the search engine provided. Multiple filters can be applied, as shown in the image above. To the left of the main log display is a separate view of the devices logging, with the ability to search the logs by year and then month.

5.7 LOG ENGINE LIVE FEED

It is possible to view a live feed by going to Products/LogEngine/LiveFeed. The Live Feed, as the name implies, displays the latest log entries as and when they come through to the LWMC portal. Clients should allow several minutes for an incident to appear in the portal, depending on the connectivity between the device on which the incident occurred and the portal. The Live Feed lists events in the order they arrived, with the newest on top. The top of the page displays the number of logs queued for review, which should normally be zero; to the right of this a circle appears every five seconds, indicating the feed is operational and checking for new entries.

5.8 LOG ENGINE RULE MANAGEMENT

The events to be logged and alerted on are defined explicitly in the LWMC Portal Service Catalogue, accessible from the GUI at Products/Log Engine/Rule Management/Add. The GUI displays the event IDs and regular expressions that the rules engine is able to search for. The Service Catalogue contains all the events, expressions and strings, listed by device/application, and is updated frequently by CNS. Please note that the Service Catalogue on site may not contain all the currently available entries. The Service Desk will add, modify and delete Service Catalogue entries at the request of clients and ensure that all additions are made. New event IDs and expressions to be logged, alerted, acknowledged or dropped are selected using the GUI and added to the client rules. The GUI is illustrated below and clearly shows on the right-hand side the items to be logged and alerted on.
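As an added illustration (not CNS code, and not the real Log Engine implementation), the Python model below shows how the rule flow of section 5.8 and the Acknowledge record of section 5.9 fit together: catalogue entries carry an event ID or a regular expression per device/application, each client rule maps an entry to Alert, Acknowledge, Log or Drop, and acknowledging an alert stamps the date and time. First-match rule order, the meaning of the Acknowledge action (stored and queued for a user to acknowledge), the default for unmatched events (Log) and all device names, event IDs and log records are assumptions or constructed samples.

```python
# Added example modelling the LWMC Log Engine rule flow described in 5.8/5.9.
# Not CNS code; rule semantics, device names and sample records are assumptions.
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

ACTIONS = ("Alert", "Acknowledge", "Log", "Drop")


@dataclass(frozen=True)
class CatalogueEntry:
    """A Service Catalogue entry: an event ID or a regular expression for one device/application."""
    device: str
    description: str
    event_id: Optional[str] = None   # exact event ID to match
    pattern: Optional[str] = None    # regular expression searched in the message text


@dataclass(frozen=True)
class Rule:
    """A client rule: a catalogue entry plus the action to take when it matches."""
    entry: CatalogueEntry
    action: str

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    def matches(self, record: Dict[str, str]) -> bool:
        e = self.entry
        if e.device != record["device"]:
            return False
        if e.event_id is not None and record.get("event_id") == e.event_id:
            return True
        return bool(e.pattern) and re.search(e.pattern, record["message"]) is not None


@dataclass
class Alert:
    record: Dict[str, str]
    description: str
    needs_ack: bool                         # True for the Acknowledge action (assumption)
    acknowledged_at: Optional[str] = None   # ISO timestamp recorded on acknowledgement
    acknowledged_by: Optional[str] = None


class LogEngine:
    """Applies client rules to incoming records; first matching rule wins (assumption)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.stored: List[Dict[str, str]] = []   # what Inspector/Reporting would show
        self.alerts: List[Alert] = []            # what reaches the Service Desk / Acknowledge box
        self.dropped = 0

    def process(self, record: Dict[str, str]) -> str:
        rule = next((r for r in self.rules if r.matches(record)), None)
        action = rule.action if rule else "Log"  # unmatched events are kept, not alerted (assumption)
        if action == "Drop":
            self.dropped += 1
            return action
        self.stored.append(record)
        if action in ("Alert", "Acknowledge"):
            self.alerts.append(Alert(record, rule.entry.description, needs_ack=(action == "Acknowledge")))
        return action

    def acknowledge(self, index: int, user: str) -> str:
        """Record who acknowledged an alert and when (the Acknowledge box of 5.9)."""
        alert = self.alerts[index]
        if alert.acknowledged_at is not None:
            raise ValueError("already acknowledged")  # keep the first stamp: it is audit evidence
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        alert.acknowledged_at, alert.acknowledged_by = stamp, user
        return stamp

    def outstanding(self) -> List[Alert]:
        """Alerts still waiting for an authorised user to acknowledge them."""
        return [a for a in self.alerts if a.needs_ack and a.acknowledged_at is None]


# Constructed catalogue entries and client rules (not real Service Catalogue content).
RULES = [
    Rule(CatalogueEntry("fw01", "Inbound SSH denied at perimeter", pattern=r"\bDENY\b.*dst_port=22\b"), "Alert"),
    Rule(CatalogueEntry("dc01", "Account lockout", event_id="4740"), "Acknowledge"),
    Rule(CatalogueEntry("dc01", "Failed logon", event_id="4625"), "Log"),
    Rule(CatalogueEntry("fw01", "Routine VPN keepalive", pattern=r"^keepalive"), "Drop"),
]

# Constructed, already-normalised log records.
SAMPLE_RECORDS = [
    {"device": "fw01", "message": "keepalive peer=10.0.0.2 ok"},
    {"device": "fw01", "message": "DENY src=203.0.113.9 dst=10.0.0.5 dst_port=22 proto=tcp"},
    {"device": "dc01", "event_id": "4625", "message": "An account failed to log on. Account: jsmith"},
    {"device": "dc01", "event_id": "4740", "message": "A user account was locked out. Account: jsmith"},
    {"device": "web01", "message": "GET /index.html 200"},
]


def run_sample() -> LogEngine:
    """Feed the constructed records through the constructed rules and return the engine state."""
    engine = LogEngine(RULES)
    for rec in SAMPLE_RECORDS:
        engine.process(rec)
    return engine


if __name__ == "__main__":
    eng = run_sample()
    print(f"stored={len(eng.stored)} alerts={len(eng.alerts)} dropped={eng.dropped}")
    for a in eng.outstanding():
        print("awaiting acknowledgement:", a.description, a.record["message"])
```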

Additionally, when first opened, the display at Products/LogEngine/Rule Management will show a list of the active rules and their descriptions, as below:

5.9 LOG ENGINE REPORTING

It is possible to access the logs in a reporting format by going to Products/LogEngine/Reporting. This enables an alternate view, as below:

An additional function in this section is the ability to Acknowledge alerts, which is key for some regulations. By clicking the Acknowledge box, the system will record the date and time the event was acknowledged. In addition, it is possible to select and create reports by using the reports feature from the Administration tab and:
o Selecting a time period.
o Selecting one device or a range of devices.
o Selecting an event or range of events.
Once the above are selected, the output will be delivered as a PDF report which can be saved or printed.

5.10 LOGWATCH MANAGEMENT CENTRE MONITORING

The Service Desk will actively monitor the Log Watch Management Centre(s) for the following KPIs:

KPI | Threshold
Response Time | >1000 milliseconds
Uptime | >99%
CPU Utilisation | >80%
Memory Utilisation | >80%
Environmental | Email alert

Additional KPIs may be monitored based on individual and specific implementations.

5.11 LOGWATCH MANAGEMENT CENTRE PORTAL

The LogWatch Management Centre Portal provides visibility into the managed service activities. Authorised client users will be given access to the portal, from where they will be able to:
o Inspect a live log feed.
o Inspect the log events held in the system.
o Use a Search tool to filter for specific log events.
o Check logging events configured in the event catalogue.
o Inspect the rules defined for all log events.
o Modify local client users and their access rights.
o Run reports for selected devices and events.

5.12 CHANGE REQUEST

Change Management encompasses any configuration change initiated by the client that may affect the operation of the Log Watch Management Centre. Internally CNS uses an ITIL-based change control process supported by a Change Advisory Board (CAB), and we recommend all clients adopt the same internal approach. Change requests that could affect the service can include policy changes, gateway-to-gateway and remote-user-to-gateway Virtual Private Network (VPN) changes for firewalls and UTMs/ISAs, or configuration changes to client-to-gateway and gateway-to-gateway VPN connections, plus any changes on servers and security devices that the client thinks will impact the service, as follows:
o For networking and policy changes as described above, please contact the Service Desk, who will initiate a change control process and agree a time with you to make the changes.
o For additions of new devices or new services, please contact the Service Desk in the first instance, who may put you in touch with the service manager or your account manager.
o For deletions and modifications to devices or services, please contact the Service Desk, who will be able to assist you.

To initiate a change of service request or a device add/modify/delete, only an authorised client PoC may contact the Service Desk. Based on the nature of the request, additional documentation may be required prior to completing the request. This may include:
o A new Security and Network Monitoring Service Agreement or additions to an existing agreement.
o Submitting a PO.
o Undergoing a Business Take On (BTO) process for the new device/service.

5.13 SECURITY AND NETWORK MONITORING SERVICE - SUPPORTED VENDORS

For the latest update, please contact the CNS Service Desk direct.

Log Engine | All major vendors supported, contact CNS