Frequently Asked Questions
Who is providing the Threat2Alert service?
Threat2Alert is a managed service provided by a dedicated division within the Nettitude Group. It is powered by LogRhythm, market leaders within the SIEM product space. Threat2Alert provides much more than simply a technical solution for capturing logs and events. It is a managed service platform, which is designed and managed by trained and experienced cyber security consultants from one of the world’s leading cyber security and risk management consultancies. By partnering with Threat2Alert you also have technology, testing, incident response, governance, risk and compliance expertise at your fingertips.
I have a compliance need. How can this service deliver what I need?
Whether it is the Payment Card Industry (PCI) standard, HIPAA, or any other regulatory requirement that needs to be met, Threat2Alert can provide the required reporting and alerting controls simply and easily. As security consultants actively working in these areas, we understand exactly what you need and what you will be audited on, so we can ensure that the service meets these requirements.
What is the managed service element?
Threat2Alert gives you 24x7 alerting and event management through a cloud-based service. In addition, dedicated cyber security consultants provide a proactive managed service to investigate and escalate issues between 9 and 5, Monday to Friday (or 24x7 for the premium service). This not only gives you the confidence that someone has eyes on the screens, but also means that issues and areas of concern are proactively investigated and escalated to our dedicated incident response team as they occur.
How does the service secure my data?
All log data is compressed before being sent over the internet to the Threat2Alert analysis service. This is done via an outbound encrypted SSL session initiated from your network. Threat2Alert is hosted in a PCI DSS compliant environment. It has been fully penetration tested and is regularly scanned for vulnerabilities in line with industry standards. Customer data is managed through the multi-tenanted platform provided by LogRhythm, and strict access controls are in place for all Threat2Alert NOC staff when accessing your data.
How is the Threat2Alert cloud service connected to my network?
The Threat2Alert cloud platform has no direct access to your environments. Collector agents will poll in for updates from time to time, but no direct access to your network can be made by our staff or the Threat2Alert cloud platform.
Can the service identify specific users on my network?
As part of the service you will also get an additional agent to install on your Active Directory server (if required). This allows much more detailed user-level reporting and control over the groups, users and privilege controls in place on your network. The initial workshop will also ensure that the right controls and the right level of log data are being provided to meet your objectives.
Can I capture local events on individual workstations?
Local events on workstations can be captured either by installing an agent or via the Windows Event Viewer services. Older Windows versions, or other systems, can use free tools to convert the local events into syslog data. This will all be discussed with you before the service goes live.
How is log data captured from my systems?
Log data from log sources is either received by the collector agent using an industry standard protocol (such as syslog), received from vendor specific services (such as Cisco SDEE for IPS), or is collected from agents installed on specific servers/systems.
What changes will I need to make on my environment for Threat2Alert to work?
You will provide an OS to run the collector agent on (a specification can be provided). You will need to ensure that all your log sources are sending their log data to the collector. Depending on your environment, this may require some changes on your firewalls and systems to permit that traffic. Collector agents may also be installed on additional servers where more detailed reporting is required or additional services (such as FIM) are needed.
How will I get billed for the service, should it change?
The service is billed on messages per second (MPS) sent from your environment(s). However, this scale is deliberately loose and is not enforced. In other words, should you suddenly send a lot more data (for example during a monthly backup process, or even during an attack such as a DoS), the service will not drop log data. Review points in the service look at the average level of MPS, and the following period's pricing is based upon that. You can also track this through weekly alerts. You can simply add log sources to the service by setting them up to send their data to the collector agent and letting us know. To bring a new environment on board, a local collector agent must be installed. Log sources send their data to this collector and, as long as outbound internet access to our platform is available, the log data will be analysed. However, we do strongly advise you to talk to us first to ensure that your objectives are being met and that any acceptance criteria can be fully tested.
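Two of the answers above turn on the same practical question: what a collector receives over syslog, and how many messages per second (MPS) a given environment actually produces, average and peak, before the first review point. The following is an added example written for this page; it is not Threat2Alert or LogRhythm code and does not reflect how their collector or billing is implemented. It assumes BSD-style (RFC 3164) syslog lines, assumes a calendar year for the year-less RFC 3164 timestamp, and uses constructed sample lines with RFC 5737 documentation addresses, including a short burst of firewall events and one malformed line that a collector would have to reject.

```python
"""Parse RFC 3164 syslog lines and estimate average and peak MPS.

Added example for this FAQ page (not vendor code). Assumes RFC 3164
framing: <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE, where PRI = facility*8 + severity.
"""
import re
from collections import Counter
from datetime import datetime

# RFC 3164 header. The day may be space-padded ("Oct  5"), hence [ \d]\d.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# RFC 3164 timestamps carry no year; the collector has to assume one (assumption).
ASSUMED_YEAR = 2024


def parse_syslog(line, year=ASSUMED_YEAR):
    """Return a dict of header fields, or None if the line is not valid RFC 3164."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0-23, severity 0-7 => PRI 0-191
        return None
    # Collapse the space padding so strptime sees "Oct 5 10:00:00".
    ts_text = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": ts,
        "host": m.group("host"),
        "msg": m.group("msg"),
    }


def message_rate(lines):
    """Bucket parsable lines per second and report average MPS, peak MPS and rejects."""
    per_second = Counter()
    rejected = 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            rejected += 1
            continue
        per_second[rec["timestamp"]] += 1
    if not per_second:
        return {"average_mps": 0.0, "peak_mps": 0, "peak_at": None,
                "seconds": 0, "rejected": rejected}
    start, end = min(per_second), max(per_second)
    span = int((end - start).total_seconds()) + 1  # inclusive window, in seconds
    total = sum(per_second.values())
    peak_at = max(per_second, key=per_second.get)
    return {
        "average_mps": total / span,
        "peak_mps": per_second[peak_at],
        "peak_at": peak_at,
        "seconds": span,
        "rejected": rejected,
    }


# Constructed sample: one authpriv.info (PRI 86) line per second for ten seconds,
# five extra local0.info (PRI 134) firewall events in the same second (a burst),
# and one line without a syslog header that must be rejected, not counted.
BASELINE = [
    f"<86>Oct  5 10:00:0{s} web01 sshd[1201]: Accepted publickey for deploy from 192.0.2.{10 + s}"
    for s in range(10)
]
BURST = [
    f"<134>Oct  5 10:00:05 fw01 filterlog: block in on em0 TCP 198.51.100.{n} -> 192.0.2.80:443"
    for n in range(5)
]
MALFORMED = ["this line has no syslog header and should be rejected"]
SAMPLE_LINES = BASELINE + BURST + MALFORMED


if __name__ == "__main__":
    rate = message_rate(SAMPLE_LINES)
    print(f"window: {rate['seconds']} s, average {rate['average_mps']:.2f} MPS, "
          f"peak {rate['peak_mps']} MPS at {rate['peak_at']}, rejected {rate['rejected']}")
```

Run the script against a captured batch of lines from your own sources to get a rough sizing figure before onboarding; the average is what a billing review would look at, while the peak shows how far a burst (a backup job or a flood of firewall drops) departs from it. Keeping a count of rejected lines is also useful, because a source that is sending non-syslog output to the collector will not show up in any report.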