November 1, 2018, RP Provision of Managed Security Services on an Annual Contract ADDENDUM #2

Transcription

1 November 1, 2018, RP Provision of Managed Security Services on an Annual Contract ADDENDUM #2 Please see the below summation of the technical questions and answers that have been received regarding the above solicitation. Many of the answers below around log and traffic volumes are best effort estimations for price quoting purposes. Prior to award Gwinnett County will work with vendors to determine more accurate figures for final pricing negotiations as needed. 1. Are there any mandates in place that would prohibit management access and fault monitoring via TCP/2222 & TCP/443? Internally no, if the intent is for the provider to remotely connect to the GC network via these ports, please explain in detail in your proposal. Details will need to include how GC can expect this connection to be secure. 2. When do services need to be fully operational? Within 4-7 weeks of award, as stated in the RFP 3. Does Gwinnett County currently use a 3 rd party for Application and/or External Vulnerability Scanning? Gwinnett County is currently in the process of purchasing a vulnerability management solution. The service provider is not expected to interact with the solution, other than to consume the data for prioritization purposes. All PCI testing is done within PCI requirements. 4. What is the estimated EPS of Domain controller Security logs? EPS (Estimated) All other logs? <1 EPS (Estimated) 5. What is the estimated EPS of Tipping Points IPS devices? 4.7/sec (17061/day on a 7 day average) (Estimated) 6. What is the estimated EPS of Cisco Firepower 9300 Firewalls? 621/sec each (Estimated) 7. What is the estimated EPS of Cisco ASA 55xx series firewalls? 310/sec each (Estimated) 8. Does Gwinnet County expect service providers to leverage Gwinnet County s SIEM? The solution should not rely on an existing log collection/analysis tools.

2 Page Please provide NetScaler deployment sizes to include volumes of logging within an observed timeframe. 500 GB/Month 10. Please provide NetScaler log forwarding configuration. The NetScaler will be configured to send logs to the proposed solution. 11. If Gwinnet County expects the service provider to capture the logs from traffic traversing internet gateways, what is the volume of produced logs? Please provide volume and size metrics over a 30 day period. We estimate 15GB logs / day 12. Please provide generated log data volume and size (GB,TB,etc) within an observed timeframe to establish baseline for log storage requirements. Please indicate if volumes to be provided include security logs. Domain Controllers 4GB / day (Estimated); Other Servers 20MB / day (Estimated); Both including Security logs 13. Are the (2) Tipping Point IPS configured in an Active/Passive state (1 Pair) or are they (2) Standalone IPS? Standalone IPS 14. Are the (2) Cisco Firepower 9300 Firewalls configured in as a SINGLE Active/Passive pair, TWO Active/Passive pairs, or are they (2) Standalone Firewalls? Single Active / Passive pair 15. Confirming that the Cisco Firepower 9300 firewalls have the FirePower IPS/IDS built-in, correct? Yes all have FirePower licenses and Active/Passive 16. Are the (21) Cisco ASA 55xx firewalls all configured as Standalone Firewalls or (21) Active/Passive pairs? Active / Passive pairs 17. Confirming that the Cisco ASA 55xx firewalls have the FirePower IPS/IDS built-in, correct? 55xx do NOT have Firepower or any IDS/IPS functionality built-in and Active/Passive, or Standalone 18. Are all (23) Cisco firewalls (55xx and 9300) managed centrally with (1) Cisco Firepower Management Center? No 19. Within the AIX environment: How many AIX LPARs are in the environment? 42 How many VIOS are configured in the environment? Within the 1,000 physical and virtual servers: How many of the following: Windows Active Directory Servers: 4 Windows IIS Servers: Exchange Servers 10 (4 Client Access / 6 Database) Windows General Purpose Servers: 617 UNIX and Linux Servers 63 DNS / DHCP Servers: DNS: 4 / DHCP: 2 Antivirus Servers: 2 Database Servers: 90 Prod / 50 Dev = 140 (1,000 total SQL DBs) Proxy Servers 0 Application Server: 151

3 Page Is Gwinnett County running Content/Spam Filtering? This is addressed in the RFP. 22. How many egress points do you have? Internet traffic egresses from two physical locations, each of which as 2 circuits. 23. For each of these egress points, are you running your perimeter firewalls in Active/Passive or Active/Active HA? Active/Passive Are there any asynchronous routing at this capture point? Browsing Circuit = No, Hosted Circuits = Yes/no employs ebgp Are there any port bonding/channels being used at this capture point? Yes 24. For each of these egress points, what is your: Bandwidth is provisioned Browsing = 1Gbps (2 x 1Gbps circuits) Hosted = 200Mbps (2 x 100Mbps circuits) Utilization and peak burst Browsing 10-30% avg utilization, Peak = 500Mbps+ Hosted 60-70% avg Utilization, Peak = 180Mbps Physical connectivity (1G copper, 10G fiber, etc.) Fiber 1000BaseT 25. Please provide volume of traffic that traverses to the internet in a 7 day period. Average traffic sent to IPS 2880 GB/Day or 20,160GB/Week (Estimated) 26. Page 4 Section 1.1 Network Environment: Monitoring and Management is via Solar Winds and Cisco Prime Infrastructure: Does it mean Gwinnett County already has the required Network Monitoring tools? Is it currently managed by Gwinnett IT Staff or 3rd party service provider? As part of the new contract these tools will remain owned and managed by current provider or will it be transitioned to bid winner where the winner will be responsible to for the configuration and maintenance of these monitoring tools. No part of the existing Prime or Solarwinds infrastructure is expected to be maintained by the proposed solution. 27. For this component, is Gwinnett County open to a solution that provides more than just SSL decryption? Yes, SSH/SFTP connections would also be of value. 28. For this solution, it would be a single solution at the primary edge security device, correct? Not at multiple locations? There are multiple locations, see the environment section for more details. 29. Decryption Solution: Are there application based activities that the service provider will need to support through the SSL decryption solution? Or is the SSL decryption solution purely for security purposes to block malicious traffic? As mentioned in the RFP, the solution needs to make the decrypted traffic available to other products for analysis such as DLP. 30. Please provide a count or estimate of the number of County web servers (i.e., unique certificates) for which the solution needs to decrypt in-bound traffic. There are 25 externally facing SSL certificates

4 Page If Gwinnet County expects the service provider to capture every packet traversing internet gateways, what are the sizes of the internet connections/pipes? What are the average and peak network traffic metrics over a 30 day period? Browsing 10-30% avg utilization, Peak = 500Mbps+, 2x 1Gbps circuits, Total Bandwidth with LB logic = 1Gbps Hosted 60-70% avg Utilization, Peak = 180Mbps, 2x 100Mbps circuits, Total Bandwidth with LB logic = 200 Mbps 32. Does Gwinnet County have plans to leverage TLS 1.3? If so, has Gwinnet County considered the implications with compliance and security posture regarding current challenges of SSL inspection vendors for TLS 1.3? Gwinnett County currently has not planned to upgrade to TLS 1.3, but may do so as technology progresses. The solution may propose how this issue will be addressed. 33. How many current Office365 accounts exist today (if any)? Gwinnett County is currently evaluating Office 365 / Exchange Online. If the decision is made to migrate to Office 365 there will be approximately 6000 accounts. 34. Does Gwinnett County currently have Symantec Endpoint Protection and Cisco FireAMP deployed to all endpoints? Or is it a mix? Most systems have both currently. If the solution assumes the presence of one or the other it should be noted in the proposal. The ideal solution offers flexibility in the choice of endpoint protection. 35. Confirming that the intention of this RFP is to leverage the current solutions and NOT to replace current Endpoint Protection Platforms, correct? Correct, that will not be considered. 36. Please find below a list of questions the County has chosen not to answer due the fact that incident response procedures are being defined. The on-site resident would assist in the creation of these plans. The proposed solution should provide a SIEM, and not manage an existing solution. a. How is Gwinnett County DOITS currently handling alerts from security controls? b. Is there an existing SIEM? If so, can you provide the platform name? c. Approximately how many investigations are performed by the current security staff weekly? d. To date, what have been the top 3 most prevalent threats responded to in your environment (e.g. Phishing to execute code, Phishing for Credential Harvesting, Ransomware, Data exfiltration, Bitcoin mining, insider threats, others) e. How many runbooks (if any) are in use today by event / ticket responders? Are they well documented and revised as necessary? f. Can you briefly describe how DoITS currently manages remediation of discovered threats (high level workflow)? Does Gwinnet County have runbooks established for incident response processes? 37. Page 7 Section Monitoring and Remediation: Will there be Level 1 24x7 Helpdesk from Gwinnett side for escalating these alerts for action/approval required to fix any alerts that are needs immediate attention. Yes. The point of escalation will be the Security team. However, some actions will be permitted by the proposed solution. 38. How many total geographic locations would data sources is sent from? How many data centers does Gwinnet County leverage? Are these owned by Gwinnet County? Gwinnett County has two primary data centers. 39. Is Gwinnet County open to the deployment of service provider infrastructure upon Gwinnet County premise enabling the delivery of services? Suggest submitting this as an alternate proposal.

5 Page What cloud environments is Gwinnett County wanting service providers to monitor? What applications are hosted within the cloud? Currently none, but Office 365 is under evaluation. The County would like to know the capabilities of the proposed solution, since more cloud services may come in the future. 41. What are the devices/technologies/platforms, of which, the service provider is expected to work within? Devices / technologies / platforms are covered in the RFP. 42. What are the devices/technologies/platforms, of which, the service provider is expected to take containment and remediation steps upon? Proposed solution should explain capabilities. The currently implemented technologies are detailed in the RFP. 43. Within the RFP, what is Gwinnet County s definition of forensics? Referencing Traffic storage requirement A.Is the service provider expected to propose a log forensics solution? The expectation is that the provider utilizes the traffic storage and the traffic decryption solution to further investigate events that are detected in order to reduce false positives. 44. Do all of the devices/technologies/platforms Gwinnet County expects the service provider to work within, operate on the same network? If not, please identify number of separate networks. All services will be on Gwinnett county owned networks, and appropriate access will be provided. 45. Please find below a list of questions the County declines to answer: Are any election systems included in the scope of these services? Does the Gwinnett County have any SSL decryption in place today? If so what? Does the county regularly audit compliance with CJIS encryption requirements? Please add to page 8 of the solicitation, under Service Requirements: x. Describe in detail how the Gwinnett County log will be encrypted both in transit and at rest as it is sent off site for analysis. Please add to page 12 of the solicitation under 2.5 Terms and Conditions: j. Awarded provider must be willing/able to sign the FBI CJIS addendum as part of the contract with Gwinnett County. Thank you Terri Shirley Purchasing Associate II This addendum should be signed in the space provided below and returned with your proposal. Failure to do so may result in your proposal being deemed non-responsive. Authorized Representative Company Name