Moortec’s SIEM Monitoring-as-a Service provides a powerful, scalable and secure platform for receiving, processing and analysing system and security events in real-time. Utilising Apache Metron and associated open source products, the service removes the complexity and burden of building a similar service offering on your own on-premise or cloud infrastructure.
- Powerful policy based custom rulesets to describe potentially suspicious activity
- High-speed data ingestion upwards of millions of messages per second
- Enrichment engine combines intelligence and context to raw event data
- Log monitoring and log collection
- Intelligent triage and alerting with integration into existing systems
- ElasticSearch and Kibana integration provides powerful query and insight
- Integration with popular data sources: including Snort/Bro, commercial firewalls
- Data Lake to efficiently store historical data that is queryable
- Protective monitoring
- Real-time intelligent message processing pipeline
- Platform for effective and innovative security event management
- Cloud hosted and managed, no need to manage complex infrastructure
- Increase security analysts’ efficiency by augmenting all available enrichment sources
- Drastically reduce detection to remediation time
- Reduce 'alert fatigue'
- Harness the power of the Apache Hadoop ecosystem
£10 to £100 per unit per month
Moortec Solutions Ltd
|Software add-on or extension||Yes|
|What software services is the service an extension to||The service provides a security and event monitoring to customer’s business systems and infrastructure that can be hosted on premises or in the cloud.|
|Cloud deployment model||Public cloud|
|Email or online ticketing support||Email or online ticketing|
|Support response times||Response times and the hours of support depends upon the level of support. The gold service level provides 1 hours response 24x365.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||WCAG 2.0 AA or EN 301 549|
|Phone support availability||9 to 5 (UK time), 7 days a week|
|Web chat support||Yes, at an extra cost|
|Web chat support availability||9 to 5 (UK time), 7 days a week|
|Web chat support accessibility standard||WCAG 2.0 AA or EN 301 549 9: Web|
|Web chat accessibility testing||N/A|
|Onsite support||Yes, at extra cost|
Gold Service 24 x 375 Priority 1 incidents are responded to within 1 hour. Priority 2 within 4 hours. Priority 3 within 24 hours. Priority 4 within 48 hours.
Silver Service Mon-Fri 7am - 9pm Priority 1 incidents are responded to within 4 hours. Priority 2 within 12 hours. Priority 3 within 48 hours. Priority 4 within 5 working days.
Bronze Service Mon-Fri 9am - 5pm Priority 1 incidents are responded to within 8 hours. Priority 2 within 24 hours. Priority 3 within 72 hours. Priority 4 within 7 working days.
The support costs are included in service costs as per the pricing document.
|Support available to third parties||Yes|
Onboarding and offboarding
|Getting started||Onsite training and extensive user documentation is provided.|
|Other documentation formats||Google Docs|
|End-of-contract data extraction||
Customers can choose from one of several mechanisms for extracting the data.
(1) Data may be copied out using secure tools (such as ftps) at any time, subject to security controls.
Following termination or expiry of the relationship:
(2) Moortec will arrange for the Moortec AWS Account(s) containing data (and other AWS resources) to be transferred to either the customer or the customer's nominated representative.
(3) Moortec will transfer the data to alternative AWS storage nominated by the customer, or
(4) Moortec will extract the data onto suitably encrypted portable media and provide that to the customer.
In any event, the Supplier will not erase customer data for 30 days following an account termination. This allows customers to retrieve content from Supplier services so long as the customer has paid any charges for any post-termination use of the service offerings and all other amounts due.
Buyer may terminate the relationship with Supplier for any reason by (i) providing Supplier with notice and (ii) closing Buyers account for all services for which Supplier provide an account closing mechanism.
Buyers pay for the services they use to the point of account termination.
Supplier customers retain control and ownership of their data. Supplier will not erase customer data for 30 days following an account termination. This allows customers to retrieve content from Supplier services so long as the customer has paid any charges for any post-termination use of the service offerings and all other amounts due.
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||No|
|Accessibility standards||WCAG 2.0 AA or EN 301 549|
|Description of customisation||
The users can choose what events are or are not processed by the service, and a periodic of tuning is to be expected during the implementation phase to avoid unnecessary alerts (false positives).
Tools are provided to allow the customers’ security analysts to maintain this over the long term.
|Independence of resources||Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them.|
|Service usage metrics||Yes|
Standard reports are provided on numbers of:
- events processed over time
- alerts processed over time
- user activity
- numbers of components monitored
|Reporting types||Regular reports|
|Supplier type||Not a reseller|
|Staff security clearance||Other security clearance|
|Government security clearance||Up to Developed Vetting (DV)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||United Kingdom|
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Complies with a recognised standard (for example CSA CCM version 3.0)|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||Another external penetration testing organisation|
|Protecting data at rest||Physical access control, complying with CSA CCM v3.0|
|Data sanitisation process||Yes|
|Data sanitisation type||Deleted data can’t be directly accessed|
|Equipment disposal approach||Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001|
Data importing and exporting
|Data export approach||If required data can be extracted via the browser as reports, or formally exported via a service request.|
|Data export formats||
|Other data export formats||JSON|
|Data import formats||
|Other data import formats||JSON|
|Data protection between buyer and supplier networks||
|Data protection within supplier network||TLS (version 1.2 or above)|
Availability and resilience
Moortec relies upon the AWS SLAs for several services. Due to the rapidly evolving nature of AWS’s product offerings, these SLAs are best reviewed directly on our website via the links below:
• Amazon EC2 SLA: http://aws.amazon.com/ec2-sla/
• Amazon S3 SLA: http://aws.amazon.com/s3-sla
• Amazon CloudFront SLA: http://aws.amazon.com/cloudfront/sla/
• Amazon Route 53 SLA: http://aws.amazon.com/route53/sla/
• Amazon RDS SLA: http://aws.amazon.com/rds-sla/
• AWS Shield Advanced SLA: https://aws.amazon.com/shield/sla/
Well-architected solutions on AWS that leverage AWS Service SLA’s and unique AWS capabilities such as multiple Availability Zones, can ease the burden of achieving specific SLA requirements.
|Approach to resilience||
The AWS Business Continuity plan details the process that AWS follows in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.
AWS maintains a ubiquitous security control environment across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Customers are responsible for implementing contingency planning, training and testing for their systems hosted on AWS. AWS provides customers with the capability to implement a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions across multiple Availability Zones.
Moortec will provide access to a customised dashboard for events; configurable alerting (email / SMS / messaging) that is based upon the AWS dashboard.
Moortec will report an PaaS service outages via email alerts and/or SMS.
Identity and authentication
|User authentication needed||Yes|
|User authentication||2-factor authentication|
|Access restrictions in management interfaces and support channels||Integrated Role-Based access controls.|
|Access restriction testing frequency||At least once a year|
|Management access authentication||2-factor authentication|
Audit information for users
|Access to user activity audit information||Users have access to real-time audit information|
|How long user audit data is stored for||At least 12 months|
|Access to supplier activity audit information||Users have access to real-time audit information|
|How long supplier audit data is stored for||At least 12 months|
|How long system logs are stored for||At least 12 months|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||No|
|Named board-level person responsible for service security||Yes|
|Security governance certified||Yes|
|Security governance standards||ISO/IEC 27001|
|Information security policies and processes||Moortec relies upon the AWS ISO/IEC 27001 certificate for the AWS based services.|
|Configuration and change management standard||Supplier-defined controls|
|Configuration and change management approach||
Changes to AWS hosted services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is via explicit access system requests, subject to owner review and authorisation.
Teams set bespoke change management standards per service, underpinned by standard AWS guidelines.
All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party.
|Vulnerability management type||Supplier-defined controls|
|Vulnerability management approach||AWS Security performs vulnerability scans on the host operating system, web applications, and databases in the AWS environment. Approved 3rd party vendors conduct external assessments (minimum frequency: quarterly). Identified vulnerabilities are monitored and evaluated. Countermeasures are designed and implemented to neutralise known/newly identified vulnerabilities.|
|Protective monitoring type||Supplier-defined controls|
|Protective monitoring approach||
AWS deploys (pan-environmental) monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor:
• Port scanning attacks
• Usage (CPU, processes, disk utilization, swap rates, software-error generated losses)
• Application metrics
• Unauthorized connection attempts
Near real-time alerts flag potential compromise incidents, based on AWS Service/Security Team- set thresholds.
Requests to AWS KMS are logged and visible via the account’s AWS CloudTrail Amazon S3 bucket. Logs provide request information, under which CMK, and identify the AWS resource protected through the CMK use. Log events are visible via AWS CloudTrail.
|Incident management type||Supplier-defined controls|
|Incident management approach||
Moortec adopts a three-phased approach to manage incidents:
1. Activation and Notification Phase
2. Recovery Phase
3. Reconstitution Phase
To ensure the effectiveness of the Incident Management plan, Moortec conducts incident response testing, providing excellent coverage for the discovery of defects and failure modes as well as testing the systems for potential customer impact.
The Incident Response Test Plan is executed annually, in conjunction with the Incident Response plan. It includes multiple scenarios, potential vectors of attack, the inclusion of the systems integrator in reporting and coordination and varying reporting/detection avenues.
|Approach to secure software development best practice||Conforms to a recognised standard, but self-assessed|
Public sector networks
|Connection to public sector networks||No|
|Price||£10 to £100 per unit per month|
|Discount for educational organisations||No|
|Free trial available||No|
|Pricing document||View uploaded document|
|Terms and conditions document||View uploaded document|