Moortec Solutions Ltd

Big Data Security Information & Event Monitoring (SIEM) Service

Moortec’s SIEM Monitoring-as-a-Service provides a powerful, scalable and secure platform for receiving, processing and analysing system and security events in real time. Utilising Apache Metron and associated open source products, the service removes the complexity and burden of building a similar service offering on your own on-premise or cloud infrastructure.

Features

  • Powerful policy-based custom rulesets to describe potentially suspicious activity
  • High-speed data ingestion upwards of millions of messages per second
  • Enrichment engine combines intelligence and context with raw event data
  • Log monitoring and log collection
  • Intelligent triage and alerting with integration into existing systems
  • ElasticSearch and Kibana integration provides powerful query and insight
  • Integration with popular data sources: including Snort/Bro, commercial firewalls
  • Data Lake to efficiently store historical data that is queryable
  • Protective monitoring
  • Real-time intelligent message processing pipeline

Benefits

  • Platform for effective and innovative security event management
  • Cloud hosted and managed, no need to manage complex infrastructure
  • Increase security analysts’ efficiency by augmenting all available enrichment sources
  • Drastically reduce detection to remediation time
  • Reduce 'alert fatigue'
  • Harness the power of the Apache Hadoop ecosystem

Pricing

£10 to £100 per unit per month

Service documents

G-Cloud 10

305034963936733

Moortec Solutions Ltd

Peter Burke

07771 973310

peter.burke@moortecsolutions.com

Service scope

Software add-on or extension Yes
What software services is the service an extension to The service provides security and event monitoring for customers’ business systems and infrastructure, which can be hosted on premises or in the cloud.
Cloud deployment model Public cloud
Service constraints N/A
System requirements
  • Probe deployment onto servers and infrastructure components.
  • AWS connectivity (either Internet or Connect Direct)

User support

Email or online ticketing support Email or online ticketing
Support response times Response times and the hours of support depend upon the level of support. The gold service level provides a 1 hour response 24x365.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.0 AA or EN 301 549
Phone support Yes
Phone support availability 9 to 5 (UK time), 7 days a week
Web chat support Yes, at an extra cost
Web chat support availability 9 to 5 (UK time), 7 days a week
Web chat support accessibility standard WCAG 2.0 AA or EN 301 549 9: Web
Web chat accessibility testing N/A
Onsite support Yes, at extra cost
Support levels Support Levels:

Gold Service 24 x 375 Priority 1 incidents are responded to within 1 hour. Priority 2 within 4 hours. Priority 3 within 24 hours. Priority 4 within 48 hours.

Silver Service Mon-Fri 7am - 9pm Priority 1 incidents are responded to within 4 hours. Priority 2 within 12 hours. Priority 3 within 48 hours. Priority 4 within 5 working days.

Bronze Service Mon-Fri 9am - 5pm Priority 1 incidents are responded to within 8 hours. Priority 2 within 24 hours. Priority 3 within 72 hours. Priority 4 within 7 working days.

The support costs are included in service costs as per the pricing document.
Support available to third parties Yes

Onboarding and offboarding

Getting started Onsite training and extensive user documentation is provided.
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
  • Other
Other documentation formats Google Docs
End-of-contract data extraction Customers can choose from one of several mechanisms for extracting the data.

(1) Data may be copied out using secure tools (such as ftps) at any time, subject to security controls.

Following termination or expiry of the relationship:

(2) Moortec will arrange for the Moortec AWS Account(s) containing data (and other AWS resources) to be transferred to either the customer or the customer's nominated representative.

(3) Moortec will transfer the data to alternative AWS storage nominated by the customer, or

(4) Moortec will extract the data onto suitably encrypted portable media and provide that to the customer.

In any event, the Supplier will not erase customer data for 30 days following an account termination. This allows customers to retrieve content from Supplier services so long as the customer has paid any charges for any post-termination use of the service offerings and all other amounts due.
End-of-contract process Buyer may terminate the relationship with Supplier for any reason by (i) providing Supplier with notice and (ii) closing Buyer's account for all services for which Supplier provides an account closing mechanism.

Buyers pay for the services they use to the point of account termination.

Supplier customers retain control and ownership of their data. Supplier will not erase customer data for 30 days following an account termination. This allows customers to retrieve content from Supplier services so long as the customer has paid any charges for any post-termination use of the service offerings and all other amounts due.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices No
Accessibility standards WCAG 2.0 AA or EN 301 549
Accessibility testing N/A
API No
Customisation available Yes
Description of customisation Users can choose which events are or are not processed by the service, and a period of tuning is to be expected during the implementation phase to avoid unnecessary alerts (false positives).

Tools are provided to allow the customers’ security analysts to maintain this over the long term.

Scaling

Independence of resources Customer environments are logically segregated to prevent users and customers from accessing resources not assigned to them.

Analytics

Service usage metrics Yes
Metrics types Standard reports are provided on numbers of:
- events processed over time
- alerts processed over time
- user activity
- numbers of components monitored
- availability
Reporting types Regular reports

Resellers

Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations Yes
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least every 6 months
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Physical access control, complying with CSA CCM v3.0
Data sanitisation process Yes
Data sanitisation type Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data export approach If required data can be extracted via the browser as reports, or formally exported via a service request.
Data export formats
  • CSV
  • Other
Other data export formats JSON
Data import formats
  • CSV
  • Other
Other data import formats JSON

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Moortec relies upon the AWS SLAs for several services. Due to the rapidly evolving nature of AWS’s product offerings, these SLAs are best reviewed directly on our website via the links below:

• Amazon EC2 SLA: http://aws.amazon.com/ec2-sla/
• Amazon S3 SLA: http://aws.amazon.com/s3-sla
• Amazon CloudFront SLA: http://aws.amazon.com/cloudfront/sla/
• Amazon Route 53 SLA: http://aws.amazon.com/route53/sla/
• Amazon RDS SLA: http://aws.amazon.com/rds-sla/
• AWS Shield Advanced SLA: https://aws.amazon.com/shield/sla/

Well-architected solutions on AWS that leverage AWS Service SLAs and unique AWS capabilities, such as multiple Availability Zones, can ease the burden of achieving specific SLA requirements.
Approach to resilience The AWS Business Continuity plan details the process that AWS follows in the case of an outage, from detection to deactivation. AWS has developed a three-phased approach: Activation and Notification Phase, Recovery Phase, and Reconstitution Phase. This approach ensures that AWS performs system recovery and reconstitution efforts in a methodical sequence, maximizing the effectiveness of the recovery and reconstitution efforts and minimizing system outage time due to errors and omissions.

AWS maintains a ubiquitous security control environment across all regions. Each data centre is built to physical, environmental, and security standards in an active-active configuration, employing an n+1 redundancy model, ensuring system availability in the event of component failure. Components (N) have at least one independent backup component. All data centres are online and serving traffic. In case of failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Customers are responsible for implementing contingency planning, training and testing for their systems hosted on AWS. AWS provides customers with the capability to implement a robust continuity plan, including the utilization of frequent server instance back-ups, data redundancy replication, and the flexibility to place instances and store data within multiple geographic regions across multiple Availability Zones.
Outage reporting Moortec will provide access to a customised dashboard for events; configurable alerting (email / SMS / messaging) that is based upon the AWS dashboard.

Moortec will report any PaaS service outages via email alerts and/or SMS.

Identity and authentication

User authentication needed Yes
User authentication 2-factor authentication
Access restrictions in management interfaces and support channels Integrated Role-Based access controls.
Access restriction testing frequency At least once a year
Management access authentication 2-factor authentication

Audit information for users

Access to user activity audit information Users have access to real-time audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users have access to real-time audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for At least 12 months

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications No

Security governance

Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards ISO/IEC 27001
Information security policies and processes Moortec relies upon the AWS ISO/IEC 27001 certificate for the AWS based services.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Changes to AWS hosted services and features follow secure software development practices, including security risk reviews prior to launch. Developer access to production environments is via explicit access system requests, subject to owner review and authorisation.

Teams set bespoke change management standards per service, underpinned by standard AWS guidelines.

All production environment changes are reviewed, tested and approved. Stages include design, documentation, implementation (including rollback procedures), testing (non-production environment), peer to peer review (business impact/technical rigour/code), final approval by authorised party.
Vulnerability management type Supplier-defined controls
Vulnerability management approach AWS Security performs vulnerability scans on the host operating system, web applications, and databases in the AWS environment. Approved 3rd party vendors conduct external assessments (minimum frequency: quarterly). Identified vulnerabilities are monitored and evaluated. Countermeasures are designed and implemented to neutralise known/newly identified vulnerabilities.
Protective monitoring type Supplier-defined controls
Protective monitoring approach AWS deploys (pan-environmental) monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth usage. Devices monitor:

• Port scanning attacks
• Usage (CPU, processes, disk utilization, swap rates, software-error generated losses)
• Application metrics
• Unauthorized connection attempts

Near real-time alerts flag potential compromise incidents, based on thresholds set by the AWS Service/Security Team.

Requests to AWS KMS are logged and visible via the account’s AWS CloudTrail Amazon S3 bucket. Logs provide request information, including the CMK under which the request was made, and identify the AWS resource protected through use of the CMK. Log events are visible via AWS CloudTrail.
Incident management type Supplier-defined controls
Incident management approach Moortec adopts a three-phased approach to manage incidents:

1. Activation and Notification Phase
2. Recovery Phase
3. Reconstitution Phase

To ensure the effectiveness of the Incident Management plan, Moortec conducts incident response testing, providing excellent coverage for the discovery of defects and failure modes as well as testing the systems for potential customer impact.

The Incident Response Test Plan is executed annually, in conjunction with the Incident Response plan. It includes multiple scenarios, potential vectors of attack, the inclusion of the systems integrator in reporting and coordination and varying reporting/detection avenues.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Connection to public sector networks No

Pricing

Price £10 to £100 per unit per month
Discount for educational organisations No
Free trial available No

Documents

Pricing document View uploaded document
Terms and conditions document View uploaded document