Security Alliance Limited

ThreatMatch - Cyber Threat Intelligence Sharing Platform

The ThreatMatch Intelligence Portal / Platform is collaborative, purpose-built for intelligence sharing. ThreatMatch Community Subscription enables the development and operation of secure, trusted communities, based on sector, geography or collaborative efforts. Quickly share intelligence across the whole community and allow members of the community to share their own intelligence.

Features

• Threat Alerting (client bespoke, sector, global)
• Threat Profiles (Threat Actor, Operation, Malware, Incident, Country)
• Intelligence Reporting & Threat Assessments
• Attack Scenario planning
• Threat Intelligence Dashboard
• Threat Modeling & Assessment
• Intelligence Sharing, Communities & Trusted Groups
• TLP Controls

Benefits

• Share intelligence in trusted groups
• View new Threat alerts, profiles and reports
• Browse and view threat alerts, take action if necessary
• Browse and view comprehensive and relevant threat profiles
• View and download reports, profiles, alerts and attack scenarios
• Read organisational, industry, and global incidents
• Presentation of Threat Modeling and Threat Assessments
• Intelligence Led Cyber Operations
• Threat and Resiliency Dashboarding

£20,000 to £800,000 a licence a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at rob.dartnall@secalliance.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

818555290025336

Contact

Robert Dartnall
020 7148 7475
rob.dartnall@secalliance.com

Service scope

• Software add-on or extension: No
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: N/A
• System requirements:
  • End user device that supports mainstream browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Within 24 hours Monday-Friday.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), 7 days a week
• Web chat support: No
• Onsite support: Onsite support
• Support levels: Phone and email-based technical and intelligence support, addressing application availability, performance, usage, authentication, new user provisioning, user de-activation, intelligence support and training.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: We provide onsite training and initial set-up of the platform, as well as full video training for all modules and bespoke online training.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: The service offers an export function, providing the ability to download alerts, profiles, reports, etc.
• End-of-contract process: 30 days’ notice needs to be given, prior to the end of the subscription period. All client specific personal data, files/database info will be erased securely before end of contract.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: All functionality is provided to web and mobile devices.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: ​Through the ThreatMatch Developer platform, users can securely push cyber threat intelligence from the ThreatMatch Intelligence Sharing Platform. The ThreatMatch Developer platform provides for easy integrations with other solutions using STIX 2.1 and MISP, as well as JSON.; ; Full API documentation is provided for all integrations.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: ThreatMatch is both modular, and has granular access controls, enabling the intelligence delivered to each client to be completely bespoke. Intelligence is produced at global, sector and organisation-specific levels, resulting in targeted content being delivered to each client.; ; Each client defines the scope of the intelligence required, so to increase the relevance of the content.; ; ThreatMatch offers users the ability to view different information on their dashboard and in the other tabs. This includes the ability to view read/unread alerts, profiles, reports, etc. It also offers users the ability to filter certain elements by severity (for alerts), or capability (for threat actors) for example. ; ; The ability to share intelligence within trusted groups of users across multiple organisations is an integral feature of ThreatMatch, allowing clients to share intelligence selectively with one another, in a controlled and secure manner.

Scaling

• Independence of resources: We use microservices to balance the load on our server infrastructure. This includes elastic search functionality and content locking. We have server monitoring in place to warn of high loads and can increase capacity during busy periods where necessary.

Analytics

• Service usage metrics: Yes
• Metrics types: Usage metrics and logs can be provided to clients through a service desk request
• Reporting types: Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Other
• Other data at rest protection approach: All sensitive data is being encrypted at rest. For security reasons, further details are available upon request.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: ThreatMatch offers an export function, allowing profiles, alerts, reports, and other datasets to be exported in PDF format.; ; ThreatMatch Developer Platform also supports data export in STIX 2.1, MISP and JSON formats.
• Data export formats: Other
• Other data export formats:
  • PDF
  • STIX 2.1
  • MISP
  • JSON
• Data import formats: Other
• Other data import formats:
  • Users can input data manually into ThreatMatch
  • PDF

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: Third party provides a 99.99% Uptime SLA for both Droplet and Block Storage. Lost time is refunded at the hourly rate incurred.; ; We are responsible for application uptime under your application support contract. Priority 1 fixes (application not accessible) has a target fix time of under 1 hour. Priority 2 fixes (accessible site with core functionality issue) has a target fix time of 4 hours and Priority 3 (small issues) 24 hours.
• Approach to resilience: Available on request
• Outage reporting: Public status page.; SMS notification.; Email notification.; ; Application Issue:; Uptime Monitor email alerts

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
• Access restrictions in management interfaces and support channels: Relevant managers at Security Alliance are provided with administrative access to create, approve, and remove content. They are also responsible for granting appropriate access levels for different users.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Username or password

Audit information for users

• Access to user activity audit information: Users contact the support team to get audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 05/06/2013
• What the ISO/IEC 27001 doesn’t cover: It covers the full scope of our service
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications: Cyber Essentials PLUS

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Current Security Alliance accreditations relating to Information Security include ISO27001 and Cyber Essentials PLUS.; Security Alliance has adopted a risk based information security framework and has maintained ISO 27001 certification continuously across the whole organisation (with no exclusions to the scope) for the past six years.; ; Security Alliance considers itself to be in a position of elevated threat at all times, and so treats the requirements of ISO 27001 as a minimum, applying additional security controls to mitigate real and anticipated threats.; ; Assets that form part of Security Alliance’s Information Security Management System include: ISMS Policy, Information Security Policy, Statement of Applicability, Asset register, Risk assessment, Risk register, CAPA tracker, Incident logs, Management Review Minutes, Information Security Awareness Training, BCP Plan. ; ; Policies that are documented within the Information Security Policy include Change Management, Backup, Information Disposal and Destruction, Access Control, Password Management, Information Classification, Incident Management, Acceptable Use, Business Continuity, Cryptographic Controls, Network Security, Supplier Management and Mobile Device & BYOD.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: Application updates are tested locally, then uploaded into a development environment for QA. Once approved changes are then uploaded into a live environment. A secure repository is used for versioning control.
• Vulnerability management type: Undisclosed
• Vulnerability management approach: We use independent penetration testers to assess the security of the platform and identify vulnerabilities that could lead to security incidents. Immediate steps are taken to patch vulnerable technologies and to deploy additional security fixes where necessary.
• Protective monitoring type: Undisclosed
• Protective monitoring approach: Security Alliance uses a third party provided solution for protective monitoring. This includes the collection of multiple log sets in order to identify suspicious events and correlate these to either known threats or suspicious behaviour.; Potential threats are responded to within 2 hours of being identified with all alerts going directly to the domain administrators for triage. Relevant information and logs are captured as escalation paths and levels decided from there.
• Incident management type: Undisclosed
• Incident management approach: Security Alliance has a Security Incident process that is broken down by type of event. Each type of event has its own documented procedure to follow. For unknown events, events outside of scope or events that need additional technical expertise, Security Alliance uses an external Incident Response provider.; Where a user identifies an incident, they can raise an alert through their CTI contact who will launch an internal security incident within 2 hours. Incident reporting is ad-hoc and appropriate to the type of incident.

Secure development

• Approach to secure software development best practice: Supplier-defined process

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  Our Threat Intelligence Services help our clients identify and manage cyber security risks, including in the supply chain.

Pricing

• Price: £20,000 to £800,000 a licence a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Skills Framework for the Information Age rate card

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at rob.dartnall@secalliance.com. Tell them what format you need. It will help if you say what assistive technology you use.