ACTIVEWATCH FOR THREAT MANAGER SERVICE DEFINITION

CONTENTS

Service Description and Approach
  ActiveWatch – Managed Security Operations in the Cloud
  Definitions
  The Expert System
ActiveWatch Service Deliverables
  Incident Response Commitment
  Data Storage Commitment
  Event / Incident Classification & Escalation Handling
  Customer Requested Services
  Limitations to Alert Logic Activity
Customer Responsibilities and Interaction with Alert Logic
  Alert Logic Threat Manager Is Installed and Configured
  Monitored Networks Are Running Properly
  Monitored Systems Are Running Properly
  Operational and Environment Changes
  Contact Process
Reports Available to ActiveWatch Subscribers
  Summary Reports
  Report Categories
Compliance Coverage

Alert Logic, Inc. 1776 Yorktown, 7th Floor, Houston, TX 77056 | 877.484.8383 (toll free) | 713.484.8383 (main) | 713.660.7988 (fax) | www.alertlogic.com
Alert Logic and the Alert Logic logo are trademarks, registered trademarks, or service marks of Alert Logic Inc. All other trademarks listed in this document are the property of their respective owners. © 2012 Alert Logic, Inc. All rights reserved.
Service Description and Approach

ActiveWatch – Managed Security Operations in the Cloud

Alert Logic’s Threat Manager Intrusion Detection System (IDS) and ActiveWatch service are designed to monitor, detect and respond to adverse security issues on behalf of our customers. This involves a number of automated and manual processes, supported by our SIEM software (“The Expert System”) and by the Network Security Analysts in our Security Operations Center (SOC). This document outlines how the overall system and service work and what our standard policy is for handling security events, incidents, escalations and response operations.

Definitions

Threat Manager is the Alert Logic IDS product. It includes the physical appliances and software tools used to analyze the customer’s security infrastructure and provide the ActiveWatch service.

An Event is an observable occurrence on a network that may imply harm or a potential compliance violation, as detected by our threat sensors deployed within the customer’s network environment.

An Incident is a correlation of one or more events that imply harm to an information system, violate acceptable use policies, or circumvent standard security practices. Alert Logic classifies Incidents into four risk levels: Low, Medium, High and Critical, as determined by the Expert System and/or the Network Security Analyst.

An Escalation is a notification to a customer that there is increased activity warranting closer monitoring and/or response. In some cases the Expert System will “auto-escalate” to customers via email simply for awareness; for more serious activity, the Network Security Analyst will email or call the customer directly for follow-up.
Response Operations can be automated responses, such as the generation of blocking rules by the sensor for an associated firewall, or active response/support operations in which our Network Security Analysts work directly with a customer during an incident.

The Expert System

Alert Logic’s Expert System identifies valid security events and suppresses false positives through a patented multifactor correlation process. Every security event monitored by our global network of threat sensors is analyzed in real time. When the Expert System determines that a set of events comprises a valid security threat, an incident is created and escalated according to severity, via email or through an Alert Logic Network Security Analyst. This approach dramatically reduces false positives and keeps analysts and customers focused on real, actionable incidents. In addition, Alert Logic’s security research team continuously monitors threat data and tunes the Expert System to respond to the most current threats.

ActiveWatch Service Deliverables

Incident Response Commitment

The ActiveWatch team will evaluate all incidents highlighted by the Expert System and escalate high-risk incidents within 30 minutes.

Data Storage Commitment

The Threat Manager product will maintain 6 months of rolling historic data for all events.

Event / Incident Classification & Escalation Handling

Low Priority correlated events are treated essentially the same as discrete event traffic: they are simply logged into the data store. Sometimes referred to as “Internet noise”, these events are typically not viewed or acted upon in any way by the Alert Logic Network Security Analysts. However, they remain visible within the UI Threats tab, and users can generate reports showing the status and trending of these issues if desired.
Common examples of Low Priority events include:
- Acceptable Use Policy violations by the customer’s employees
- Vendor scans, or authorized internal scans, which trigger IDS events
- Untargeted up-host or port scans

Medium Priority incidents consist of activities requiring closer observation and continued monitoring, but which do not rise to the level of a real-time response. These incidents are typically auto-escalated by default to all pertinent security contacts via email notification. Common examples of Medium Priority incidents include:
- Brute force dictionary attacks
- Automated or drive-by malware infection attempts
- More targeted reconnaissance behavior (simple exploit attempts)
  o This is an example that can escalate to High or Critical very quickly depending on the attacker’s behavior, and is an area more closely scrutinized and monitored even though it is initially classified as Medium. If and when the attacker’s behavior becomes more aggressive, the Expert System will raise the priority level and engage a Network Security Analyst directly for escalation to the customer, with potential response operations.

High Priority incidents require Alert Logic Network Security Analysts to proactively notify customers using all means of contact provided to us. High Priority escalations will result in phone calls and emails to the primary contact; if the primary contact is not available, the remaining contacts will be notified in the specified order until we successfully reach a designated point of contact.
Common examples of High Priority incidents include:
- High severity (aggressive) penetration tests
- Larger scale / longer duration brute force attacks
- Initial botnet / command and control activity
- Targeted SQL injection tools (Havij, Mole, SQLMap)

Critical incident escalations follow the same guidelines as High Priority incidents, except that they will typically incorporate active defense blocking by the Network Security Analyst and ongoing direct support from the SOC for the customer for the duration of the incident. Common examples of Critical incidents include:
- Information leakage / data retrieval (successful SQL injection exploits)
- Successful worm propagation
- Problems requiring immediate defensive remediation to reduce exposure
- Post-compromise activity (outbound remote shell commands, attack tool downloads)

Customer Requested Services

The ActiveWatch service provides additional services on an as-needed basis, at the customer’s request:
- Vulnerability scan policy consultation – Set the appropriate frequency, scope and depth of scanning for the customer’s network environment.
- Assistance with incident remediation – Provide advice on how to contain and remediate an incident.
- Blocking policy consultation – Provide guidance on how to use Alert Logic Threat Manager to block malicious IPs.
- Visibility review – Verify that monitored hosts match the hosts configured in the defined Home Network, to ensure proper network coverage.
- Traffic analysis – Support ad-hoc requests to investigate suspicious activity.

Limitations to Alert Logic Activity

Alert Logic System Security Analysts will never directly access customer hosts or systems. Alert Logic activities are limited to monitoring and analyzing network events as configured by the customer. Alert Logic may utilize non-invasive techniques to analyze events that have occurred within the customer environment; an example is a reverse DNS lookup, which may query nameservers within the customer’s environment.
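The visibility review above compares the hosts the sensor actually sees with the hosts the customer configured in the Home Network. The following Python script is an added illustration of that check; it is not Alert Logic code and does not use the Threat Manager UI or API. The Home Network CIDRs, the "src=... dst=..." event line format and the sample event lines are all constructed for this example. It reports configured ranges with no observed hosts (a likely appliance placement or span-port problem) and RFC 1918 addresses seen outside the Home Network (a sign that the utilized IP space changed without the Home Network definition being updated).

```python
"""Added illustration of a visibility review: compare the hosts observed in
sensor events against the configured Home Network.  Example code, not Alert
Logic's; the Home Network CIDRs, the event line format and the sample events
below are all constructed for this example."""
import ipaddress
import re

# Assumed Home Network definition (hypothetical CIDRs).
HOME_NETWORK = ["10.10.0.0/24", "10.20.0.0/24", "192.168.50.0/24"]

# Constructed sample event lines in an assumed "src=... dst=..." format.
SAMPLE_EVENTS = """\
2012-06-01T10:00:01Z sig=port-scan src=203.0.113.7 dst=10.10.0.5
2012-06-01T10:00:02Z sig=port-scan src=203.0.113.7 dst=10.10.0.6
2012-06-01T10:02:11Z sig=ssh-brute-force src=198.51.100.9 dst=10.20.0.22
2012-06-01T10:05:40Z sig=malware-download src=10.10.0.5 dst=203.0.113.40
2012-06-01T10:07:03Z sig=port-scan src=10.30.0.14 dst=10.10.0.5
2012-06-01T10:09:55Z sig=port-scan src=10.30.0.15 dst=10.20.0.22
this line is malformed and is skipped by the parser
"""

_EVENT_RE = re.compile(r"\bsrc=(\S+)\s+dst=(\S+)")

# RFC 1918 ranges, checked explicitly: ip.is_private would also match the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24) used for the sample
# "Internet" side of the traffic and misclassify them as internal.
_RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in _RFC1918)


def parse_events(text):
    """Return a list of (src, dst) address pairs; lines that do not parse are skipped."""
    pairs = []
    for line in text.splitlines():
        match = _EVENT_RE.search(line)
        if not match:
            continue
        try:
            pairs.append((ipaddress.ip_address(match.group(1)),
                          ipaddress.ip_address(match.group(2))))
        except ValueError:  # src or dst is not a valid IP literal
            continue
    return pairs


def _as_strings(ips):
    return [str(ip) for ip in sorted(ips)]


def visibility_review(home_cidrs, events):
    """Bucket every address seen in the events by Home Network membership.

    Returns a dict with:
      hosts_per_network        - observed hosts inside each configured range
      silent_networks          - configured ranges with no observed hosts
      unexpected_private_hosts - RFC 1918 addresses seen outside the Home Network
      external_hosts           - everything else (the Internet side of the traffic)
    """
    networks = [ipaddress.ip_network(cidr) for cidr in home_cidrs]
    seen = {str(net): set() for net in networks}
    unexpected_private, external = set(), set()
    for src, dst in events:
        for ip in (src, dst):
            home = next((net for net in networks if ip in net), None)
            if home is not None:
                seen[str(home)].add(ip)
            elif is_rfc1918(ip):
                unexpected_private.add(ip)
            else:
                external.add(ip)
    return {
        "hosts_per_network": {cidr: _as_strings(hosts) for cidr, hosts in seen.items()},
        "silent_networks": [cidr for cidr, hosts in seen.items() if not hosts],
        "unexpected_private_hosts": _as_strings(unexpected_private),
        "external_hosts": _as_strings(external),
    }


if __name__ == "__main__":
    review = visibility_review(HOME_NETWORK, parse_events(SAMPLE_EVENTS))
    for key, value in review.items():
        print(f"{key}: {value}")
```

On the constructed sample the 192.168.50.0/24 range is reported as silent, and 10.30.0.14 and 10.30.0.15 are reported as private hosts outside the Home Network; in practice the first finding is raised with the customer as an appliance placement question and the second as a Home Network update, since hosts outside the Home Network are not treated as protected assets.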
Customer Responsibilities and Interaction with Alert Logic

Alert Logic Threat Manager Is Installed and Configured

The ActiveWatch service depends upon a functioning Threat Manager appliance. The appliance must have access to, and be properly configured for, all monitored networks.

Monitored Networks Are Running Properly

The ActiveWatch service depends upon a reliable connection between the appliance, the protected network and the Security Operations Center. If the source network is unavailable for any reason, Alert Logic will not be responsible for the SLA for that period.

Monitored Systems Are Running Properly

It is the customer’s responsibility to ensure that Threat Manager appliances are properly installed in the network locations required for the desired level of network visibility.

Operational and Environment Changes

Alert Logic recommends that the customer communicate all changes to the customer environment, as they may impact the scope of monitoring. Changes include:
- Changes in utilized IP space
- Changes in network topology
- Changes in firewall rules or configuration

Contact Process

When customers are enrolled into an Alert Logic service, they must provide their Provisioning Coordinator with a prioritized list of at least 3 security contacts. The SOC can also accommodate specific escalation preferences for partners and customers to assist with service integration into existing processes defined by the client. These customized escalation preferences must be submitted in writing to the SOC for approval and clarification before they can be implemented in the escalation process. Otherwise, the processes and procedures outlined within this document apply.
Authorized customer representatives may contact a System Security Analyst or Technical Account Manager to:
- Request further clarification or follow-up on an open or closed incident case
- Change contact or escalation preferences
- Request assistance in providing evidence to an auditor
- Update network information
- Update administration contacts
Other requests, such as product enhancement or sales requests, will be referred to the appropriate Alert Logic staff.

Reports Available to ActiveWatch Subscribers

Summary Reports

- Enterprise Report – Provides an overview of several security aspects, such as incidents, events and vulnerabilities, for your enterprise. This report provides the Executive Summary information for several report categories.
- CIO Threat Report – Provides metrics to help you measure your security posture. This report includes vulnerability counts, related risk levels, monitored network areas experiencing attacks, and incidents being escalated.
- CIO Threat Trend Report – Provides a view of incidents and vulnerabilities over time to help you assess and track the security of your network. This report provides a valuable historical view to help you identify trends and associated risks.
- Blocked Hosts Report – Provides a detailed view of blocked hosts, including the hosts that are blocked most frequently, with statistics on blocks created by manual requests and by automated policies.
- Executive Summary – Provides a high-level overview of several charts and graphs contained in the Full Report for that report category. The Executive Summary links to the Full Report so you can display more detailed information for each aspect identified in the Executive Summary.
- Full Report – Provides a comprehensive view that includes the information from all individual reports in the report category. Threat Manager provides a Full Report in several report categories. Each section of the Full Report provides the details from the individual report for that area, including detailed numbers and percentages.

Report Categories

- Incident Reports – Provide information about incidents recorded and tracked through Threat Manager and Log Manager. You can view incidents by status, time, threat level and other aspects.
- Event Reports – Provide information about threats and the related events identified by Threat Manager. You can view events by time, threat level and other aspects. You can also analyze threats and related activities using the various reports in this category.
- Vulnerability Reports – Provide information about vulnerabilities identified by Threat Manager during vulnerability scans. You can view vulnerabilities by age, risk level and other aspects. You can also analyze vulnerabilities and prioritize work using the various reports in this category.
- Compliance Reports – Provide compliance information collected by Threat Manager for the critical assets you have identified as holding financial or medical information. You can view the Executive Summary for a compliance standard category, such as PCI Compliance, and then drill into the Full Report for detailed information about an aspect identified in the Executive Summary.

Compliance Coverage

ActiveWatch directly or indirectly addresses requirements of multiple compliance standards. The table below identifies the specific requirements, rules or guidelines of some of the most popular standards to which ActiveWatch applies. Details for each rule are available from the respective standards documents.
Requirement                                            | SOX     | HIPAA                | PCI     | ISO
Must provide a policy for Network Intrusion Detection  | DS 5.10 | 164.308(a)(5)(ii)(B) | § 11.4  | ¶ 8.2.2(2)(5), ¶ 10.5.1
Identify newly discovered security vulnerabilities     | DS 5.9  | 164.308(a)(1)(ii)(B) | § 6.2   | ¶ 8.1.5(6), ¶ 8.2.2(2)(5)
Monitor for zero-day attacks not covered by anti-virus |         |                      | § 5.1.1 |
Perform periodic network scans by an ASV               |         | 164.308(a)(5)(ii)(A) | § 11.2  |
Define Security Incident classification                | DS 5.6  |                      |         |
Document security incidents                            |         | 164.308(a)(6)(iii)   |         |

Mappings of other standards to the specific requirements are available upon request, including:
- Control Objectives for Information and Related Technology (CobiT)
- Federal Financial Institutions Examination Council (FFIEC)
- North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC CIP)
- Federal Information Processing Standards (FIPS)
- Federal Risk and Authorization Management Program (FedRAMP)
- US Internal Revenue Service (IRS)
- National Institute of Standards and Technology (NIST)
- Federal Information Security Management Act (FISMA)
- International Guidance