Bramble Hub Limited

Bramble Hub Assuria - GPG13 Protective Monitoring AWARE

The GPG-13 Protective Monitoring Service helps your organisation meet HMG Security Policy Framework (SPF) requirements and CESG GPG-13 guidelines. We deliver it as a managed, cloud-based monitoring and reporting service, independent of your IT infrastructure provider, to give a completely independent view of security events and security oversight.


  • Protective Monitoring (ProMon) for security controls, IT infrastructure and applications
  • Forensic log management in line with NPCC (ACPO) GPG
  • GPG-13 compliance and evidence to support DPA, ISO27001, PCI DSS
  • CESG CCTM accredited Security Incident and Event Management (SIEM)
  • Security Operation Centre (SOC)
  • IT Security analysis
  • Support for deep forensic investigations and incident response activities
  • Advanced Correlation across all network systems for Threat detection
  • Can collect from almost any source, including text, binary, image
  • British owned, developed and supported technology


  • Security event monitoring, analysis, reporting and alerting; GPG13 Protective Monitoring
  • File integrity monitoring to identify user threats
  • Enhanced Situational Awareness through ongoing trend analysis
  • Facilities for visualisation, analysis and reporting on original stored log data
  • Real-time Event Alerting
  • Flexible analysis and reporting in HTML, PDF, XLS, XML, CSV
  • Daily monitoring and review of log outputs and reports
  • Provision of reports within a secure customer portal
  • Protective Monitoring is an expected control in PSN CoCo
  • Service delivered by an agile British company


£2000.00 per instance per month

  • Education pricing available
  • Free trial available

Service documents

G-Cloud 9


Bramble Hub Limited

Roland Cunningham

+44 (0) 2077350030

Service scope

Service constraints No
System requirements
  • Lightweight software required on gateway machine
  • Optionally, agent software on monitored devices
  • Appropriate connectivity between service and monitored infrastructure

User support

Email or online ticketing support Email or online ticketing
Support response times 2 hours for a P1 ticket
User can manage status and priority of support tickets No
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.0 AAA
Web chat accessibility testing None
Onsite support Yes, at extra cost
Support levels Support service type
- Service desk
- Email
- Phone
Support available to third parties Yes

Onboarding and offboarding

Getting started Onboarding services are provided where needed to assist on any or all of the following:
- risk assessment
- scoping
- installation
- configuration
- tuning
- documentation
Service documentation Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction Our service collects and securely stores log data in original and complete form (so, for example, Windows .evt log files are stored in that original form and can be viewed using MS Event Viewer), including essential metadata (such as date and time stamps), to allow deep forensic investigations on all log data at any point from when the service started. These data can be exported in this original and complete form at any time that the service ends, or even during the service if requested (for example, to be used for other purposes). Form-normalised and content-normalised data can also be exported to any external service at any time (even including external analytics services), subject to additional cost.
End-of-contract process Please see the point above: all of the customer's log data are stored in original and complete form (not the same as 'raw' form as most vendors claim), which means that the customer still owns the data and these data can be exported to any other service. The data are stored in a secure Log Store that can be accessed via published interfaces and using credentials provided by the service provider. These critical features mean that there is very little transition work to be undertaken when the service terminates and that the customer is not 'locked in' to our service in any way.

Using the service

Web browser interface Yes
Using the web interface In the normal course of events, users receive reports and alerts either directly (if they choose this option) or via the built-in Help Desk service. These would include GPG13 control failures and other identified threats as appropriate. Users can also optionally receive daily or weekly status reports which identify and quantify log data collection and processing stats, including the status of the collection subsystem. Users can request configuration changes to the service or additional features via the Help Desk service, including additional systems or devices to be included in the Protective Monitoring service, or new reports and alerts. These would ultimately all be configured by the service provider in order to protect the forensic integrity and GPG13 compliance aspects of the service.
Web interface accessibility standard None or don’t know
How the web interface is accessible It is not intended that this managed Protective Monitoring service would allow users to have any direct access into the control interfaces of the service, in order to protect the integrity of the service. Even approved service operations staff must access the service control and configuration features via well engineered Role Based Access Control (RBAC) services. The RBAC services present customised dashboards and control interfaces for credentialed operations staff at numerous levels of responsibility. RBAC controls the views, functionality, privileges and capabilities of each user, depending on the user's status and approvals.
Web interface accessibility testing None
What users can and can't do using the API Flexible API to fit customers' needs. Details on request
API automation tools
  • Ansible
  • Puppet
  • Other
Other API automation tools
  • GitHub
  • VMWare
  • Scripting
API documentation Yes
API documentation formats HTML
Command line interface No


Scaling available Yes
Scaling type Automatic
Independence of resources Independent provisioning of virtual platforms
Usage notifications Yes
Usage reporting
  • Email
  • Other


Infrastructure or application metrics Yes
Metrics types
  • Number of active instances
  • Other
Other metrics
  • Log monitor reports on operational status
  • Operational status of log data collection infrastructure
  • Operational status of monitoring agents and other monitoring infrastructure
Reporting types Regular reports


Supplier type Not a reseller

Staff security

Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Supplier-defined controls
Penetration testing frequency At least once a year
Penetration testing approach Another external penetration testing organisation
Protecting data at rest Encryption of all physical media
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Backup and recovery

Backup and recovery Yes
What’s backed up
  • All operational data
  • All service configuration data
  • All log data files
  • All report templates
  • All service templates
  • All analysis rules and alerts
Backup controls These are internally managed services, agreed with the customer prior to service establishment.
Datacentre setup Single datacentre with multiple copies
Scheduling backups Supplier controls the whole backup schedule
Backup recovery Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Bonded fibre optic connections
Data protection within supplier network
  • TLS (version 1.2 or above)
  • Other
Other protection within supplier network Our network and protective monitoring services are in themselves protected and monitored services, with comprehensive audit trails and status reporting.

Availability and resilience

Guaranteed availability SLAs are dependent on options chosen and service credits will be applied
Approach to resilience Available on request
Outage reporting Via various means as agreed with the customer

Identity and authentication

User authentication Public key authentication (including by TLS client certificate)
Access restrictions in management interfaces and support channels Our SIEM technology has comprehensive Role Based Access Control (RBAC) features built-in to provide fine grained control over user access and privileges. It is also a fully Protectively Monitored service itself and full audit logs of all administration and analyst activity are recorded and securely stored.
Access restriction testing frequency At least once a year
Management access authentication Public key authentication (including by TLS client certificate)
Devices users manage the service through Directly from any device which may also be used for normal business (for example web browsing or viewing external email)

Audit information for users

Access to user activity audit information Users receive audit information on a regular basis
How long user audit data is stored for User-defined
Access to supplier activity audit information Users receive audit information on a regular basis
How long supplier audit data is stored for User-defined
How long system logs are stored for User-defined

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation No
Security governance approach Working towards ISO 27001
Information security policies and processes Our service is heavily geared towards compliance with GPG-13 Guidelines, as well as to other industry standards, including ISO27001 and PCI-DSS standards.

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Our protective monitoring services are configured through heavily automated and secure configuration processes, with as little human intervention as possible, and where the parameters which drive the automated configuration processes are themselves secured and easily repeatable and verifiable. This makes requested configuration changes extremely simple, failsafe and repeatable, with little chance for human error. Full audit trails of configuration changes are also recorded.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Vulnerability management of the service infrastructure is achieved in three ways, including periodic external penetration testing, patch checking through the use of OpenVAS security check content and finally using Assuria's own commercial server hardening and configuration assurance technology as used by end customer organisations worldwide.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach This service is designed around the 12 Protective Monitoring Controls (PMCs) built into the GPG-13 Guidelines and is optimised to detect failures of these controls, reporting and alerting on failures to analysts via a ticketing system as they are discovered. The service is built upon a powerful SIEM technology that has this threat intelligence built in, so that as much as possible of the threat detection is automated and rapidly reported. This service also provides comprehensive forensic investigation services to allow deep investigations going back to the very start of the service. Many potential and actual compromises are discovered this way.
Incident management type Undisclosed
Incident management approach This Protective Monitoring service is primarily aimed at raising awareness of potential compromise and undesirable activity within the end customer's infrastructure and providing detailed supporting information/evidence for Incident response and incident management. The process of incident response and management depends on who or which organisation is responsible for management and operation of the infrastructure being monitored. This will often be a third party hosted service or cloud service provider. Our service would liaise with the relevant provider to manage incidents, usually under the third party's change control mechanisms.

Secure development

Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart Yes
Who implements virtualisation Supplier
Virtualisation technologies used Hyper-V
How shared infrastructure is kept separate Probably uniquely within our service, each of our user organisations is monitored via a complete and entirely separate 'virtual SOC' infrastructure, including separate SIEM, Database and Ticketing services, rather than with most service suppliers where all users are actually sharing a single SOC infrastructure that has been configured as far as possible as a multi-tenant SOC.

Energy efficiency

Energy-efficient datacentres No


Price £2000.00 per instance per month
Discount for educational organisations Yes
Free trial available Yes
Description of free trial Full version. No restrictions other than a limited period (normally 15 days) and on up to 10 systems or devices only.


Pricing document View uploaded document
Skills Framework for the Information Age rate card View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document