There are two options available for the installation of Police CyberAlarm;

• VMWare Virtual Appliance - simply copy and paste the provided URL into VMWare's management console.
• As a software installation on a Linux device - requires CentOS 7 Minimal on either a physical or virtual device.

Full instructions are provided once you receive your code to join Police CyberAlarm.

Police CyberAlarm collects metadata (logs) relating to the suspicious activity from internet facing gateways such as Firewalls. They are simply logs about how data was sent/received through your internet gateway (IP Addresses for external connections, amount of data transferred and the port used to process the data, date and time).

For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.

These messages do not contain any of your organisation’s data. The system is designed to protect personal data, trade secrets and intellectual property.

Police CyberAlarm identifies suspicious activity as network traffic which is blocked by the member organisations firewall or that is believed to be unwanted. This will include activity where the suspect is attempting to scan for vulnerable ports or making repeated attempts to gain access to an organisation’s system using known attack methods.

The data collected by Police CyberAlarm is viewable only by Police and may be shared with other law enforcement agencies including the NCA (National Crime Agency) and partners including the NCSC (National Cyber Security Centre).

Data received by the CyberAlarm sever is used to create regular reports on suspicious and potential malicious activity seen by individual members, as well as reports identifying threat trends seen across the member network. Members can use this reported intelligence to update their defences to better protect themselves from cyber threats.

For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.

This data is also used to evaluate and track trends in cybercrime. Helping Police to; Prepare and Protect Organisations, Pursue and Prosecute cyber criminals. Making the UK secure and resilient to cyber threats, prosperous and confident in the digital world.

Only communications data pertaining to suspicious activity will be collected and, to the extent that any data is mis-identified, this will not be stored and will be erased as soon as possible. Restrictions will be imposed in relation to the use of data collected to ensure compliance with legal obligations.

For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.

Police CyberAlarm reports summarise suspicious traffic and potential attacks, visible to your organisation, from the Internet. Details include the top sources of suspicious traffic and the ports that malicious users are trying to use for their attacks against your systems.

The data is split into two categories, suspicious activity originating from within the UK and suspicious activity from outside the UK.

Police CyberAlarm reports show member organisations how they are being attacked, and where from, so they can better protect themselves. We aim to work with member organisations to ensure they are making the most of the data collected.

Logs collected by Police CyberAlarm are analysed by the collector as they are received, to remove any obviously non-malicious logs, these events are not sent to the central server. Once logs arrive at the central server, they are analysed within minutes (even seconds) of the event being received by the collector to determine if these logs are malicious. 

For example, a log which is a request to connect using port 3389 may be deemed as non-malicious. However, if the central server correlates that the same IP address made rejected requests to port 3388, 3387, 3386, etc. then this would become part of a potentially malicious port scan.

Any log which, following analysis, at both the CyberAlarm Virtual Server and the Central Server is still deemed to be non-malicious within a maximum of 24 hours (system up time) within arrival at the Central Server will be removed.

If a log file which has been deemed as suspicious has no further linked activity within a 9 month period the relevance of the data is reduced and its retention is no longer considered to be necessary or proportionate and as such is deleted.

For full details on how data which is collected by the tool is handled, please see our CyberAlarm Tool Privacy Policy.

The log messages from internet facing devices are not encrypted. To ensure security Police CyberAlarm system installs a small collector on your network. Typically this would be installed within your DMZ to gather the data from suspicious and /or malicious traffic. The data is then encrypted and compressed before being securely transmitted to the CyberAlarm central processing servers.

No, Police CyberAlarm is a stand-alone system which sits in its own server environment. The collector gathers and encrypts the suspicious data from your internet gateway before sending it back to the central Police CyberAlarm processing servers. No software need be installed on any other devices and multiple gateways can feed data to a single Police CyberAlarm collector.

As Police CyberAlarm does not collect the any of the transmitted data, encrypted data and VPN traffic has no impact on the ability of the Police CyberAlarm system to collect the Metadata of suspicious traffic.

Police CyberAlarm is a monitoring system and as such does not interfere with any of the traffic on your internet gateways.

Police CyberAlarm does not take any automated action against any identified suspicious activity. It is a reporting and alerting system only, which enables UK Police to identify and take action against cyber threats and allows member organisation to better inform their cyber security posture.

Responsibility for decisions on how to action any reported data is solely owned by the member organisation.

Data on the Police CyberAlarm data collector is compressed and encrypted on the collector (256bit AES), then uploaded to the Police CyberAlarm servers over HTTPS, an encrypted web connection.

Member organisations do NOT require a static IP address. There is no requirement for communication from the Police CyberAlarm server to the Police CyberAlarm Collector and therefore no static IP address is required. 

When the Police CyberAlarm collector connects to the Police CyberAlarm servers the software updates itself automatically.

If updates are required to the operating system of the device the Police CyberAlarm collector runs on, an email is sent to the Member administrator with full instructions.

Most recent business PCs are more than capable of independently running a Police CyberAlarm data collector. The most frequently used method is to install the Police CyberAlarm Data collector using a VMWare virtual appliance.

(Hardware spec for the appliance - 2 CPU Cores, 2GB RAM and 25GB Disk space)