HP Threat Central
Comprehensive, Global Threat Intelligence Collaboration
Threat Central Overview
Threat Central is a cloud-based open platform for threat intelligence sharing (“Service” or “Threat Central”). Threat Central enables security analysts to receive derived, relevant and actionable threat intelligence through the exchange of cyber threat information with other security experts worldwide. The application of insights gained through sharing is essential to disrupting the growing community of adversaries and minimizing potential business losses.
The Service includes:
1. Community input for threat intelligence sharing
The Service allows the sharing of information about the source and environment of attacks, which enables organizations to learn about early attack sightings so they can determine their risk exposure. Information related to adversary attack patterns and compromised hosts can aid in quickly isolating threats. Combining data from various organizations can yield better security intelligence that sometimes cannot be derived from one single organization. Having access to shared intelligence about attacks enables organizations to focus on risk management and incident response. By getting advanced warning, members of the community can integrate the remediation steps to protect critical systems and IP. These intelligence feeds can be integrated via HP ArcSight ESM or via the STIX (Structured Threat Information eXpression) API to specifically block access to targeted ports or apply policies which can limit the damage of such attacks.
2. Portal to analyze the global threat landscape
Threat Central provides a secure, confidential platform that displays data from multiple organizations and correlates it into intelligent threat feeds to a community with a common interest, such as a common industry or geography. Threat Central enables security professionals to prioritize their efforts on remediating attacks that are critical and specific to their company, industry or locale.
3. Subscription to Automated Updates
Having access to shared intelligence about attacks enables the Customer to focus on risk management and incident response. Threat Central provides advanced warning with scored, relevant threat indicators that Customers can integrate into their remediation steps to protect their critical systems and IP. These intelligence feeds can be integrated via HP ArcSight ESM or via the STIX (Structured Threat Information eXpression) API to specifically block access to targeted ports or apply policies which can limit the damage of such attacks.
HP analyzes information from a variety of sources, including original research, open source intelligence, as well as active data feeds from HP products and service engagements. The breadth and depth of HP’s security assets, installed base and security community uniquely position HP Security Research via Threat Central to facilitate the sharing of intelligence for combating security threats.
Access to Threat Central
Customer will provide threat information (“Input Data”) to HP via HP ArcSight ESM or via the STIX (Structured Threat Information eXpression) API. Customer instructs HP to process the Input Data by removing specific Customer identifying information from the Input Data and including the remaining Input Data into the Threat Central information pool that will be enhanced with threat information from other participants (private and public sector, domestic and foreign) and other information collected by HP (collectively, “Output Data”). Customer can access and interact with Threat Central in several ways:
Threat Central Web Portal
The Threat Central web portal user interface enables members of the Threat Central community to access, create, and share threat information and perform tasks interactively. Users inducted into the system are vetted by HP or through Peer Nomination. User accounts represent individual persons (Named Users) authorized to act on Customer’s behalf. In addition to password authentication, Two Factor Authentication is used to prevent unauthorized access. All communication with the portal is encrypted over HTTPS.
Integration with ESM enables ESM analysts to monitor their network activities for security threats, such as malware, spearphishing, intrusion and exfiltration activity. Integration with ESM is done by using the Model Import Connector (MIC). In turn, information on malicious IP addresses or domains can be brought into Threat Central from ESM.
Customers can use STIX APIs (over REST or TAXII) to transfer data to and from Threat Central automatically for machine-to-machine communication with third-party threat intelligence repositories, for example to upload additional threat information or to download threat information as STIX documents. STIX is an open standard that is widely accepted by the threat intelligence community.
HP Threat Central Offerings
HP Threat Central is available in 1-year subscriptions. Customers can select from various Threat Central offerings that correspond with the number of employees in their organization and the type of Threat Central Offering. The offerings are also limited by Named Users, defined as a specific individual authorized by you to access the software regardless of whether they are actively using the software.
Service Feature Highlights:
Installation and production configuration:
Based on the Tier of Service Plan purchased, the Customer will be provided with credentials (number of named users dependent on subscription plan) for accessing the Threat Central Web Portal and REST API. The Model Import Connector for HP ArcSight ESM 6.0c will be provided as part of subscriptions specific to ArcSight integration.
A minimum of three (3) days’ advance notice will be provided for all scheduled downtime to perform system maintenance, backup and upgrade functions for SaaS (the “Scheduled Downtime”) if SaaS will be unavailable due to the performance of system maintenance, backup and upgrade functions. Scheduled Downtime will not exceed eight (8) hours per month and will be scheduled in advance during off-peak hours (based on ET). HP will notify Customer via email of any Scheduled Downtime that will exceed two (2) hours. The duration of Scheduled Downtime is measured, in minutes, as the amount of elapsed time from when SaaS is not available to perform operations to when the SaaS becomes available to perform operations. Daily system logs will be used to track Scheduled Downtime and any other SaaS outages.
Upon purchasing a specific tier of service, the Customer may use the services included in their service tier plan throughout the subscription.
Security and audit
The Service has undergone three (3) different penetration tests by three (3) different third-party vendors to evaluate code security. In addition, the development process has embedded security code scans defined within it. User action auditing is built into the product.
Availability service level
The Service is designed for an availability service level objective of 99.9%.
The Threat Central availability service level objective starts on the Go Live Date. “The Go Live Date” is the date at which point the Customer’s access credentials have been created and the end users may log into the Threat Central portal or API.
The Threat Central availability service level objective shall not apply to performance issues:
· caused by overall internet congestion, slowdown or unavailability
· caused by unavailability of generic internet services (e.g. DNS Servers) due to virus or hacker attacks, etc.
· caused by force majeure events as described in the Terms
· that resulted from actions or inactions of Customer (unless undertaken at the express direction of HP) or third parties beyond the control of HP
· that resulted from Customer equipment or third party computer hardware, software, or network infrastructure not within the sole control of HP
· that resulted from scheduled SaaS Infrastructure maintenance
· downtime to implement major version upgrades
HP’s exceeding, meeting or failing to meet the Threat Central Services Uptime Metric as measured over any quarter may be reflected in adjustments to the duration of the initial contract year for Threat Central pursuant to the following schedule (“Service Credits”):
Threat Central Uptime Ratings below 98% for a quarter shall be escalated by both parties to the vice president level (or equivalent), as outlined in this schedule.
Data Backup & Retention
The service database of threat intelligence is backed up in 2 different ways: 1. Live backup to a secondary read-only node; 2. Daily data dump of the entire database. The daily dump is retained for 3 weeks and is transferred off-cloud to a secure location within the HP network.
Capacity and Performance
Several KPIs are continuously monitored to make sure that the performance is within the defined parameters. The capacity of the database is also monitored and we have the ability to add more storage at runtime to the running database.
Threat Central minor version upgrades and binary patches will be performed by HP as part of the service when an upgrade version is made generally available and has been validated in the SaaS environment.
Threat Central major version upgrades are offered by HP as part of the service when an upgrade version is made generally available and has been validated in the SaaS environment.
HP will install application service packs and patches as required. Periodic service pack installations may be mandated by HP to promote all Customer instances to the same patch level and to resolve critical product-related issues.
Response and Resolution Targets
Summary of the service-level objectives for the customer’s service requests is available at Threat Central SLOs.
These service-level objectives are subject to modifications in response to changes in support needs.
· The Customer is responsible for managing and maintaining a list of authorized personnel who are allowed to act on their behalf within the Threat Central system. This list and any changes to it due to attrition or net new additions on the part of the Customer must be communicated to HP in order to ensure congruence, accuracy and confidentiality.
· Individuals specified by the Customer as authorized to receive accounts in the system to act on their behalf will be vetted by HP Security Research for being legitimate and well-intentioned by way of background check or through peer nomination from existing users. Named accounts observed as providing fraudulent or misleading information, or found to be associated with actors involved in cyberattacks, will be removed at HP’s sole discretion.
· Individual user accounts are to be used exclusively by the individual for whom they were created. If a user is no longer associated with a Customer, that user’s account must be removed from the Customer’s list of authorized personnel, not transferred to another user taking over responsibility for duties associated with the service.
· The Customer must have internet activity and up-to-date, fully patched browsers of a recent iteration in order to access the HP Threat Central Portal and API.
· The Customer agrees to respond in a timely manner to any and all service related inquiries relevant to their use of the HP Threat Central Portal, APIs or threat feeds.
The Customer acknowledges that the Customer has the right to acquire HP services and HP products separately.
HP reserves the right to expire this data sheet according to the expiration date of the accompanying quote, or if unspecified, forty-five (45) days from the date this data sheet was delivered.
This data sheet is governed by the current SaaS Terms and all references to SaaS in the SaaS Terms mean Services or Threat Central as described in this Datasheet. The following additional terms apply:
1) Customer authorizes HP to include in Output Data certain non-specific Customer identifiers (such as size, geographic scope, and industry).
2) Customer may use Threat Central and Output Data only for Customer’s internal business purposes and not for resale or commercialization.
3) Customer is and shall remain, the owner and/or controller of Input Data and is responsible for compliance with applicable laws related to the collection and provision of Input Data to HP and Customer’s instructions herein.
4) Customer instructs HP to share the Input Data portion of the Output Data with Customer as well as other participants of Threat Central, including HP, in the interest of further identification, reduction, and mitigation of threats and risks, which serves to assist Customer in protecting Customer’s sensitive information.
5) Customer understands that Output Data is based on and includes intelligence, assessments, and judgments based on estimations, algorithms, and certain methods that inevitably result in a certain percentage of errors - “false positives” and “false negatives.” Customer agrees that Customer will treat Output Data accordingly and at Customer’s own risk, and not rely on Output Data or refer to it as evidence.
6) The automated updates provided as part of the Threat Central subscription are provided “AS IS”.
© 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.