Managed Enterprise Technologies Ltd

Security Information and Event Management (SIEM) as a Service

The CYBERShark Service utilises BlackStratus' proven Security Information and Event Management (SIEM) technology to collect and analyse data generated from a Buyer's IT infrastructure. True multi-tenancy delivers the ability to segregate log information contained in a single, shared database and report against customer, region, division, department or user-groups.

Features

  • Efficient collection of logs using a single collector file
  • Encrypted transmission of logs to the cloud service
  • Logs are hashed and stored for 12 months for compliance
  • Real time threat analysis and incident notification
  • Elimination of false positives with notification of positive threats only
  • Step by step remediation instructions sent to customer for actioning
  • Customised portal to view processed data, reports and incident cases
  • Scheduled and ad hoc reporting; management operational and compliance
  • Case management module to view all incidents under investigation
  • 24x7x365 monitoring of customer networks by experienced security analysts

Benefits

  • No hardware cost or engineering visit required and no downtime
  • Customer data is secure in transit and at rest
  • Chain of custody: Proof that logs have not been modified
  • Fast and efficient remediation to reduce impact on business
  • Time is not wasted on actioning non-threatening incidents
  • No requirement to investigate threats, only action the fix
  • Consolidated view of data, reports and incident cases
  • Customer's limited resources not spent on compiling and running reports
  • Easy incident management and audit with supporting data and remediation
  • No cost to customer for building its own SOC operation

Pricing

£259 per unit per month

  • Free trial available

Service documents

Framework

G-Cloud 11

Service ID

512404134542484

Contact

Managed Enterprise Technologies Ltd

Ian Vickers

0121 227 0730

ian.vickers@metcloud.com

Service scope

Software add-on or extension: No
Cloud deployment model: Public cloud
Service constraints: The CYBERShark service only requires the customer to install a single 1MB file on an existing Windows server in the network. Logs from the network are collected and sent to the cloud. There is no communication from the cloud to the customer's network. Logs are collected from all network-connected devices. There is no required downtime for installation, configuration or maintenance. Logs are stored for 12 months and the customer has access to the logs. Logs are analysed 24x7 and identified incidents are investigated by the cloud service analysts. Remediation instructions are sent to the customer to be actioned.
System requirements:
  • Any Windows server can run the log collector file
  • Only one log collector file is required per domain
  • The log collector file is not licensed

User support

Email or online ticketing support: Email or online ticketing
Support response times: Incident remediation tickets are issued to the customer when a cyber incident is identified. The remediation ticket is sent as an email and to a ticketing system, and is also viewable in the customer portal. The customer can communicate with the CYBERShark cloud service SOC team 24x7x365 with questions related to the incident case.
User can manage status and priority of support tickets: Yes
Online ticketing support accessibility: None or don’t know
Phone support: Yes
Phone support availability: 24 hours, 7 days a week
Web chat support: No
Onsite support: Yes, at extra cost
Support levels: Support is available 24x7x365 and all support costs are included in the service subscription fee. There are two parts to support. The technical support team is responsible for the collection and flow of log data from the customer network into the cloud service; this includes any issues with the log collector file or the collection of logs from the network devices to the collector file. The second is the SOC team, responsible for investigating the security incidents and issuing the remediation instructions. Customers can access either team depending on the nature of their support query. A Technical Account Manager is appointed to the customer for assistance with any queries regarding collection and transmission of data from the network to the cloud. A welcome letter is sent from the SOC team to all customers, detailing contact information for any queries relating to security incidents and remediation instructions. Service Level Agreements for investigation and issuing of remediation instructions are not offered below 24 hours due to the unknown nature and complexity of advanced cyber attacks. There is a Service Level Objective to investigate all high severity incidents and produce a remediation ticket within one hour, and within four hours for low severity incidents.
Support available to third parties: No

Onboarding and offboarding

Getting started: The CYBERShark Technical Account Management Team works with the customer, and any authorised partner, to onboard the customer into the service. The customer completes a service registration document detailing the devices that are to be monitored. Once the devices have been registered and the CYBERShark instance has been spun up in the cloud, the CYBERShark log collector file is sent to the customer. The Technical Account Management Team works with the customer by phone, email or web meeting to configure the collector file and set up the communication ports. As soon as logs from all the registered devices are received into the cloud service, a web-based training session is scheduled to teach the customer how to configure and navigate the customer portal that is provided as part of the service. Both the log collection process and the training session are relatively simple exercises, with log collection taking a few hours depending on the size of the network and training lasting about 60 minutes. Once the onboarding process is completed, the customer is handed over to the SOC team, who will work with the customer on all identified security incidents and assist with remediation instructions.
Service documentation: Yes
Documentation formats:
  • PDF
  • Other
Other documentation formats: Microsoft Office, including Visio diagrams
End-of-contract data extraction: At the end of the contract, the customer's raw log data can be offloaded from the cloud to a suitable storage medium as defined by the customer. All processed data is deleted from the customer's account and the account is closed down.
End-of-contract process: The CYBERShark cloud service is a subscription service based on the number of devices in the customer's network that are being monitored. There are no other costs, only the monthly subscription. The contract has a minimum term of 12 months. The customer can terminate the contract with 30 days' notice beyond the initial 12 month period. Within the initial 12 month period, the customer can cancel at any time with 30 days' notice, but is responsible for payment of the balance of the outstanding 12 month total, either monthly or as a one-off payment. At the end of the contract the customer's data can be exported to customer-owned storage media or deleted.

Using the service

Web browser interface: Yes
Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install: Yes
Compatible operating systems:
  • Linux or Unix
  • MacOS
  • Windows
Designed for use on mobile devices: No
Service interface: Yes
Description of service interface: All aspects of the service (log storage, log searching, reporting, viewing processed data, incident case management and remediation instructions) are accessed through a web-based customer portal. The portal is configurable to display data in dashboards that are customisable to meet the different requirements of users of the service. Reports can be viewed or scheduled to run from the portal. The portal can be used by the customer to drill into the data present in the portal, as required.
Accessibility standards: None or don’t know
Description of accessibility: Our service uses a web interface which is accessible to users of assistive technologies, such as screen readers, by providing clear text descriptions for user input fields.
Accessibility testing: None
API: Yes
What users can and can't do using the API: Customers can work with the CYBERShark development team to integrate devices and services that are not currently supported in the CYBERShark service. These can include commercially available services that have not yet been integrated or bespoke integrations based on specific requirements. The API, once developed, is generally static and does not require any day-to-day changes. The API is used to collect log data generated by devices on the network, or by other services, into the CYBERShark SIEM service. APIs are also used to connect remediation information into third-party platforms. These APIs can be bi-directional, but they do not require the customer to make any changes.
API documentation: Yes
API documentation formats: PDF
API sandbox or test environment: Yes
Customisation available: Yes
Description of customisation: Customers can request some customisation to the service to meet specific requirements. The customisation is carried out by the SOC team and the development team, as required. Detection rules, reporting, interface layout and logos are all customisable.

Scaling

Independence of resources: Each customer has their own silo for storing their own raw log data, which operates independently of other customers. Processing of the log data is carried out in high-performance correlation engines that operate at 100 million checks per second per engine. If an engine reaches capacity, the inherent 'high availability' feature of the correlation engines balances the workload across multiple engines to maintain performance regardless of the demand placed on the service by individual customers.

Analytics

Service usage metrics: Yes
Metrics types: Service usage metrics are contained in the range of reports that are generated in the CYBERShark service. There are currently 60 general security reports that provide service metrics.
Reporting types:
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type: Reseller providing extra features and support
Organisation whose services are being resold: BlackStratus

Staff security

Staff security clearance: Other security clearance
Government security clearance: Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations: Yes
Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations: Yes
Datacentre security standards: Supplier-defined controls
Penetration testing frequency: At least once a year
Penetration testing approach: In-house
Protecting data at rest: Other
Other data at rest protection approach: The data at rest is digitally signed using a SHA-512 digest and a 4096-bit RSA key, and encrypted via an AES-256 key (randomly generated at the time of onboarding).
Data sanitisation process: No
Equipment disposal approach: A third-party destruction service

Data importing and exporting

Data export approach: Data can be exported in CSV and PDF format from the reports available in the service. At the end of each 12 month period the raw log data that is stored as part of the service can be transferred to the customer by their preferred method (SCP/SFTP, download link, etc.).
Data export formats: CSV
Data import formats: Other
Other data import formats: Bespoke 1MB MSI file that collects and forwards logs

Data-in-transit protection

Data protection between buyer and supplier networks:
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Legacy SSL and TLS (under version 1.2)
Data protection within supplier network:
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway

Availability and resilience

Guaranteed availability: 100% availability in a 30-day period. Should availability be less than 97.5% during any 30-day period, the Customer may terminate the Agreement by giving 60 days' written notice.
Approach to resilience: Available upon request.
Outage reporting: Email alerts are generated and sent automatically to the customer or any authorised partner should client-side components become unavailable. The CYBERShark TAM team will inform both the customer and any authorised partner of an outage within 4 hours of the outage occurring. Regular status updates (at least one update every two hours) will also be provided until the issue is resolved.

Identity and authentication

User authentication needed: Yes
User authentication: Username or password
Access restrictions in management interfaces and support channels: Access to the web management interface is restricted to user accounts with relevant privileges. When logging on to the management portal, users will only see tenant information relevant to their service.
Access restriction testing frequency: At least once a year
Management access authentication: Username or password

Audit information for users

Access to user activity audit information: Users have access to real-time audit information
How long user audit data is stored for: At least 12 months
Access to supplier activity audit information: Users have access to real-time audit information
How long supplier audit data is stored for: At least 12 months
How long system logs are stored for: At least 12 months

Standards and certifications

ISO/IEC 27001 certification: Yes
Who accredited the ISO/IEC 27001: ACM Limited
ISO/IEC 27001 accreditation date: 09/07/2018
What the ISO/IEC 27001 doesn’t cover: Software Development
ISO 28000:2007 certification: No
CSA STAR certification: No
PCI certification: No
Other security certifications: Yes
Any other security certifications: Cyber Essentials

Security governance

Named board-level person responsible for service security: Yes
Security governance certified: Yes
Security governance standards: ISO/IEC 27001
Information security policies and processes: Organisation-wide ISMS with an overarching Information Security Policy and supporting sub-policies including BYOD, Acceptable Use Policy (Internet, Email & Equipment), Incident Handling & Reporting, Passwords, Physical & Environmental Security, Anti-Virus/Malware, Information Classification, Protective Marking, Asset Handling, Clean Desk/Screen, and Application Source Code.

Operational security

Configuration and change management standard: Supplier-defined controls
Configuration and change management approach: Documentation is maintained throughout the project lifecycle. Customers contact support to request changes, which are then recorded and tracked using an internal service desk.
Vulnerability management type: Undisclosed
Vulnerability management approach: CVSS scores; patches applied within 30 days of release; threat information is from public sources and Proofpoint.
Protective monitoring type: Undisclosed
Protective monitoring approach: We employ a defence-in-depth approach to security which includes monitoring for compromises. System logs are centralised and monitored using custom-built rulesets unique to each technology. Incidents are investigated by a team of security analysts and remediation is performed as required. Cyber incidents are classed as P1 and therefore have a response time of 20 minutes.
Incident management type: Undisclosed
Incident management approach: We use runbooks and documented processes to handle common/known vulnerabilities and/or threats. Incidents can be reported by email to the service desk.

Secure development

Approach to secure software development best practice: Supplier-defined process

Public sector networks

Connection to public sector networks: No

Pricing

Price: £259 per unit per month
Discount for educational organisations: No
Free trial available: Yes
Description of free trial: Connectivity into the CYBERShark cloud service for up to 30 network devices for 30 days. The free trial includes all the features of the CYBERShark service, including incident remediation instructions and portal access. Please email to request.
