
ACTIVEWATCH FOR THREAT MANAGER
SERVICE DEFINITION
CONTENTS
Service Description and Approach
    ActiveWatch – Managed Security Operations in the Cloud
    Definitions
    The Expert System
ActiveWatch Service Deliverables
    Incident Response Commitment
    Data Storage Commitment
    Event / Incident Classification & Escalation Handling
    Customer Requested Services
    Limitations to Alert Logic Activity
Customer Responsibilities and Interaction with Alert Logic
    Alert Logic Threat Manager Is Installed and Configured
    Monitored Networks Are Running Properly
    Monitored Systems Are Running Properly
    Operational and Environment Changes
    Contact Process
Reports Available to ActiveWatch Subscribers
    Summary Reports
    Report Categories
Compliance Coverage
Alert Logic, Inc.
1776 Yorktown, 7th Floor, Houston, TX 77056 | 877.484.8383 (toll free) | 713.484.8383 (main) | 713.660.7988 (fax) | www.alertlogic.com
Alert Logic and the Alert Logic logo are trademarks, registered trademarks, or service marks of Alert Logic Inc. All other trademarks listed in this document are the property of
their respective owners.
© 2012 Alert Logic, Inc. All rights reserved.
Service Description and Approach
ActiveWatch – Managed Security Operations in the Cloud
Alert Logic’s Threat Manager Intrusion Detection System (IDS) and ActiveWatch service are designed to monitor, detect
and respond to security threats on behalf of our customers. The service combines automated processing by our SIEM
software (the “Expert System”) with manual analysis by the Network Security Analysts in our Security Operations Center
(SOC). This document outlines how the overall system and service work and what our standard policy is for handling
security events, incidents, escalations and response operations.
Definitions
Threat Manager is the Alert Logic IDS product. It includes the physical appliances and software tools used to analyze the
customer’s security infrastructure and provide the ActiveWatch Service.
An Event is an observable occurrence on a network that may imply harm or a potential compliance violation, as detected
by our threat sensors deployed within the customer’s network environment.
An Incident is a correlation of one or more events that imply harm to an information system, violate acceptable use
policies, or circumvent standard security practices. Alert Logic classifies Incidents into four risk levels: Low, Medium,
High, and Critical, as determined by the Expert System and/or the Network Security Analyst.
An Escalation is a notification to a customer that there is increased activity that warrants closer monitoring and / or
response. In some cases, the Expert System will “auto-escalate” to customers via email simply for awareness, but in the
case of more serious activity, the Network Security Analyst will email or call the customer directly for follow up.
Response Operation(s) can be automated responses, such as the generation of blocking rules by the sensor to an
associated firewall or can be active response / support operations in which our Network Security Analysts work directly
with a customer during an incident.
The Expert System
Alert Logic’s Expert System identifies valid security events and suppresses false positives through a patented multifactor
correlation process. Every security event monitored by our global network of threat sensors is analyzed in real time. When
the Expert System determines that a set of events comprise a valid security threat, an incident is created and escalated
according to severity via email or through an Alert Logic Network Security Analyst. This approach dramatically reduces
false positives and keeps analysts and customers focused on real, actionable incidents.
In addition, Alert Logic’s security research team continuously monitors threat data and tunes the Expert System to
respond to the most current threats.
ActiveWatch Service Deliverables
Incident Response Commitment
The ActiveWatch team will evaluate all incidents highlighted by the Expert System and escalate high-risk incidents within
30 minutes.
Data Storage Commitment
The Threat Manager product will maintain six months of rolling historic data for all events.
Event / Incident Classification & Escalation Handling
Low Priority correlated events are treated essentially the same as discrete event traffic: they are simply logged into the
data store. Sometimes referred to as “Internet noise”, these events are typically not viewed or acted upon by the
Alert Logic Network Security Analysts. However, they remain visible within the UI Threats tab, and users can generate
reports showing the status and trending of these issues if desired. Common examples of Low Priority events include:
• Acceptable Use Policy violations by the customer’s employees
• Vendor scans, or authorized internal scans, which trigger IDS events
• Untargeted up-host or port scans
Medium Priority incidents consist of activities requiring closer observation and continued monitoring, but which do not
rise to the level of a real-time response. These incidents are typically auto-escalated by default to all pertinent security
contacts via email notification. Common examples of Medium Priority incidents include:
• Brute force dictionary attacks
• Automated or drive-by malware infection attempts
• More targeted reconnaissance behavior (simple exploit attempts)
    o This is an example that can escalate to High or Critical very quickly depending on the attacker’s behavior, and
      is an area more closely scrutinized and monitored even though it is initially classified as Medium.
    o If and when the attacker’s behavior becomes more aggressive, the Expert System will change the priority level
      and engage a Network Security Analyst directly for escalation to the customer, with potential response operations.
High Priority incidents require Alert Logic Network Security Analysts to proactively notify customers using all means of
contact information provided to us. High Priority escalations result in phone calls and emails to the primary contact; if the
primary contact is not available, the remaining contacts are notified in the specified order until we successfully reach a
designated point of contact. Common examples of High Priority incidents include:
• High severity (aggressive) penetration tests
• Larger scale or longer duration brute force attacks
• Initial botnet / command and control activity
• Targeted SQL injection tools (Havij, Mole, SQLMap)
Critical incident escalations follow the same guidelines as High Priority incidents, except that they typically incorporate
active defense blocking by the Network Security Analyst and ongoing direct support from the SOC for the customer for the
duration of the incident. Common examples of Critical incidents include:
• Information leakage / data retrieval (successful SQL injection exploits)
• Successful worm propagation
• Problems requiring immediate defensive remediation to reduce exposure
• Post-compromise activity (outbound remote shell commands, attack tool downloads)
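The four-level scheme above, as an added example that is not Alert Logic’s Expert System or any of its rules: a small correlator that groups constructed sensor events by source address, ratchets a source’s priority upward as its behavior becomes more aggressive (the Medium-to-High path described under Medium Priority), maps each priority to the handling described above, and models the ordered contact call-down used for High and Critical escalations. The event format, signature names and thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Added example: a toy event-to-incident correlator mirroring the four priority
# levels in the service definition. Not Alert Logic's Expert System; signature
# names, thresholds and the event format are assumptions for illustration only.

PRIORITIES = ("Low", "Medium", "High", "Critical")

# Handling per priority, as described in the escalation handling section.
ACTIONS = {
    "Low": "log only; visible in the Threats tab and reports",
    "Medium": "auto-escalate by email to all pertinent security contacts",
    "High": "analyst phones/emails contacts in order until one is reached",
    "Critical": "as High, plus active blocking and SOC support for the duration",
}

# Assumed signature names (constructed for this example).
AUTH_FAILURE_SIGS = {"ssh_auth_failure", "http_auth_failure"}
TARGETED_SQL_TOOL_SIGS = {"sqlmap_user_agent", "havij_user_agent"}
CRITICAL_SIGS = {"sqli_data_extraction", "outbound_reverse_shell", "worm_propagation"}

# Constructed sample sensor events: (seconds, src, dst, signature).
SAMPLE_EVENTS = [
    (0, "203.0.113.10", "10.0.0.5", "ssh_auth_failure"),
    (1, "203.0.113.10", "10.0.0.5", "ssh_auth_failure"),
    (2, "203.0.113.10", "10.0.0.5", "ssh_auth_failure"),
    (3, "203.0.113.10", "10.0.0.5", "ssh_auth_failure"),
    (4, "203.0.113.10", "10.0.0.5", "ssh_auth_failure"),        # 5th failure -> Medium
    (40, "198.51.100.7", "10.0.0.9", "port_scan"),               # Internet noise -> stays Low
    (300, "203.0.113.10", "10.0.0.8", "sqlmap_user_agent"),      # same attacker escalates -> High
    (900, "10.0.0.5", "203.0.113.10", "outbound_reverse_shell"), # post-compromise -> Critical
]


@dataclass
class Incident:
    src: str
    priority: str = "Low"
    reasons: list = field(default_factory=list)

    def raise_to(self, priority, reason):
        """Ratchet priority upward; an incident is never downgraded."""
        if PRIORITIES.index(priority) > PRIORITIES.index(self.priority):
            self.priority = priority
            self.reasons.append(f"{priority}: {reason}")
            return True
        return False

    @property
    def action(self):
        return ACTIONS[self.priority]


def correlate(events, window=60, brute_threshold=5, large_threshold=20):
    """Correlate raw events into one Incident per source address.

    events: iterable of (seconds, src, dst, signature), in any order.
    Returns {src: Incident}. Sources that only produce discrete noise stay Low.
    """
    incidents = {}
    failures = defaultdict(list)  # src -> timestamps of auth failures seen
    for ts, src, dst, sig in sorted(events):
        inc = incidents.setdefault(src, Incident(src))
        if sig in AUTH_FAILURE_SIGS:
            failures[src].append(ts)
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= brute_threshold:
                inc.raise_to("Medium", f"{len(recent)} auth failures within {window}s")
            if len(failures[src]) >= large_threshold:
                inc.raise_to("High", f"{len(failures[src])} auth failures in total")
        elif sig in TARGETED_SQL_TOOL_SIGS:
            inc.raise_to("High", f"targeted SQL tool {sig} against {dst}")
        elif sig in CRITICAL_SIGS:
            inc.raise_to("Critical", f"{sig} toward {dst}")
        # anything else is a discrete event: logged, priority stays Low
    return incidents


def notify_in_order(contacts, reachable):
    """High/Critical call-down: try the prioritized contacts in order and stop
    at the first one reached. Returns the contacts that were attempted."""
    attempted = []
    for contact in contacts:
        attempted.append(contact)
        if contact in reachable:
            break
    return attempted


if __name__ == "__main__":
    for src, inc in correlate(SAMPLE_EVENTS).items():
        print(f"{src:15} {inc.priority:9} {inc.action}")
        for reason in inc.reasons:
            print(f"{'':15} - {reason}")
    print(notify_in_order(["primary", "secondary", "tertiary"], {"tertiary"}))
```

The point of the ratchet in `raise_to` is that a source already auto-escalated at Medium is re-evaluated on every later event, so the same attacker moving from password guessing to a targeted SQL injection tool is re-classified and handed to the analyst call-down rather than producing a second, unrelated email.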
Customer Requested Services
The ActiveWatch service provides additional services on an as-needed basis, at the customer’s request:
• Vulnerability scan policy consultation – Set the appropriate frequency, scope, and depth of scanning for the
  customer’s network environment.
• Assistance with incident remediation – Provide advice on how to contain and remediate an incident.
• Blocking policy consultation – Provide guidance on how to use Alert Logic Threat Manager to block malicious IPs.
• Visibility review – Verify that monitored hosts match hosts configured in the defined Home Network to ensure proper
  network coverage.
• Traffic analysis – Support ad-hoc requests to investigate suspicious activity.
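One way to carry out the visibility review above, as an added example that is not Alert Logic tooling: compare the endpoints a sensor has actually observed against the configured Home Network ranges, flagging configured ranges that produced no traffic (a coverage gap from appliance placement or SPAN/TAP configuration) and RFC 1918 hosts seen outside every configured range (IP space that changed without the SOC being told; see Operational and Environment Changes below). The Home Network ranges and observed endpoint pairs are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Added example: visibility review of sensor coverage against the configured
# Home Network. Not Alert Logic tooling; ranges and endpoints are constructed.

# Assumed Home Network definition: the ranges the sensor is expected to see.
HOME_NETWORK = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24")]

# RFC 1918 space, used to tell "internal host outside scope" from Internet hosts.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of (src, dst) endpoint pairs taken from sensor events.
OBSERVED = [
    ("203.0.113.10", "10.0.0.5"),
    ("10.0.0.5", "203.0.113.10"),
    ("10.0.1.17", "198.51.100.7"),
    ("10.0.5.20", "10.0.0.5"),    # internal host in a range the SOC was never told about
    ("10.0.1.22", "10.0.0.9"),
]


def review_visibility(home_nets, observed):
    """Return (silent_ranges, unexpected_internal_hosts, hits_per_range).

    silent_ranges: configured ranges with zero observed endpoints. Either the
      appliance is not placed/spanned to see them or the range is unused.
    unexpected_internal_hosts: RFC 1918 addresses outside every configured
      range, i.e. internal-looking hosts that are actually unmonitored scope.
    hits_per_range: endpoint count per configured range, for the coverage report.
    """
    hits = Counter({str(n): 0 for n in home_nets})
    unexpected = set()
    for src, dst in observed:
        for addr in (src, dst):
            ip = ipaddress.ip_address(addr)
            inside = next((n for n in home_nets if ip in n), None)
            if inside is not None:
                hits[str(inside)] += 1
            elif any(ip in n for n in RFC1918):
                unexpected.add(ip)
    silent = [str(n) for n in home_nets if hits[str(n)] == 0]
    return silent, [str(ip) for ip in sorted(unexpected)], dict(hits)


if __name__ == "__main__":
    silent, unexpected, hits = review_visibility(HOME_NETWORK, OBSERVED)
    print("endpoints per configured range:", hits)
    print("configured but silent (check placement/SPAN):", silent)
    print("internal hosts outside Home Network (update scope):", unexpected)
```

Run against a day of sensor events, a non-empty `silent` list is the question to ask the network team before assuming a range is quiet, and a non-empty `unexpected` list is the trigger for the IP-space change notification described under Operational and Environment Changes.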
Limitations to Alert Logic Activity
Alert Logic System Security Analysts will never directly access customer hosts or systems. Alert Logic activities are
limited to monitoring and analyzing network events as configured by the customer. Alert Logic may utilize non-invasive
techniques to analyze events that have occurred within the customer environment. Examples include reverse DNS
lookups that may query nameservers within the customer's environment.
Customer Responsibilities and Interaction with Alert Logic
Alert Logic Threat Manager Is Installed and Configured
The ActiveWatch service depends upon a functioning Threat Manager appliance. The appliance must have access
and proper configuration to all monitored networks.
Monitored Networks Are Running Properly
The ActiveWatch service depends upon a reliable connection between the appliance, the protected network and
the Security Operations Center. If the source network is unavailable for any reason then Alert Logic will not be
responsible for the SLA for that period.
Monitored Systems Are Running Properly
It is the customer’s responsibility to ensure that Threat Manager appliances are properly installed in the network
locations required for the desired level of network visibility.
Operational and Environment Changes
Alert Logic recommends that the customer communicate all changes to the customer environment, as they may impact the
scope of monitoring. Changes include:
• Changes in utilized IP space
• Changes in network topology
• Changes in firewall rules or configuration
Contact Process
When customers are enrolled into an Alert Logic service, they must provide their Provisioning Coordinator with a
prioritized list of at least 3 security contacts. The SOC can also accommodate specific escalation preferences for partners
and customers to assist with service integration to existing processes defined by the client. These customized escalation
preferences must be submitted in writing to the SOC for approval and clarification before they can be implemented in the
escalation process. Otherwise, the processes and procedures outlined within this document apply.
Authorized customer representatives may contact a System Security Analyst or Technical Account Manager to:
• Request further clarification or follow-up on an open or closed incident case
• Change contact or escalation preferences
• Request assistance in providing evidence to an auditor
• Update network information
• Update administration contacts
• Other requests, such as product enhancement or sales requests, will be referred to the appropriate Alert Logic staff
Reports Available to ActiveWatch Subscribers
Summary Reports
Enterprise Report - Provides an overview of several security aspects, such as incidents, events, and vulnerabilities, for
your enterprise. This report provides the Executive Summary information for several report categories.
CIO Threat Report - Provides metrics to help you measure your security posture. This report includes vulnerability
counts, related risk levels, monitored network areas experiencing attacks, and incidents being escalated.
CIO Threat Trend Report - Provides a view of incidents and vulnerabilities over time to help you assess and track the
security of your network. This report provides a valuable historical view to help you identify trends and associated risks.
Blocked Hosts Report - Provides a detailed view of blocked hosts, including the hosts that are blocked most frequently
with statistics related to blocks created by manual requests and automated policies.
Executive Summary - Provides a high-level overview of several charts and graphs contained in the full report for that
report category. The Executive Summary links to the Full Report to let you display more detailed information for each
aspect identified in the Executive Summary.
Full Report - Provides a comprehensive view that includes the information from all individual reports in the report
category. Threat Manager provides a Full Report in several report categories. Each section of the Full Report provides the
details from the individual report for that area, including detailed numbers and percentages.
Report Categories
Incident Reports - Provide information about incidents recorded and tracked through Threat Manager and Log Manager.
You can view incidents by status, time, threat level, and other aspects.
Event Reports - Provide information about threats and the related events identified by Threat Manager. You can view
events by time, threat level, and other aspects. You can also analyze threats and related activities using the various
reports in this category.
Vulnerability Reports - Provide information about vulnerabilities identified by Threat Manager during vulnerability scans.
You can view vulnerabilities by age, risk level, and other aspects. You can also analyze vulnerabilities and prioritize work
using the various reports in this category.
Compliance Reports - Provide compliance information collected by Threat Manager for the critical assets you identified
with financial or medical information. You can view the Executive Summary for a compliance standard category, such as
PCI Compliance, and then drill into the Full Report for detailed information about an aspect identified in the Executive
Summary.
Compliance Coverage
ActiveWatch directly or indirectly addresses requirements of multiple compliance standards. The table below maps
ActiveWatch to the specific requirements, rules or guidelines of some of the most widely used standards. Details for
each rule are available from the respective standards documents.
Requirement                                              SOX       HIPAA                  PCI       ISO
Must provide a policy for Network Intrusion Detection    DS 5.10   164.308 (a)(5)(ii)(B)  § 11.4    ¶ 8.2.2(2)(5), ¶ 10.5.1
Identify newly discovered security vulnerabilities       DS 5.9    164.308 (a)(1)(ii)(B)  § 6.2     ¶ 8.1.5(6), ¶ 8.2.2(2)(5)
Monitor for zero-day attacks not covered by Anti-virus   –         –                      § 5.1.1   –
Perform periodic network scans by an ASV                 –         164.308 (a)(5)(ii)(A)  § 11.2    –
Define Security Incident classification                  DS 5.6    –                      –         –
Document security incidents                              –         164.308 (a)(6)(iii)    –         –
Mappings of other standards, including the following, to the specific requirements are available upon request:
• Control Objectives for Information and Related Technology (CobiT)
• Federal Financial Institutions Examination Council (FFIEC)
• North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC CIP)
• Federal Information Processing Standards (FIPS)
• Federal Risk and Authorization Management Program (FedRAMP)
• US Internal Revenue Service (IRS)
• National Institute of Standards and Technology (NIST)
• Federal Information Security Management Act (FISMA)
• International Guidance