Managed Security Services RFP 2019 Q&A

Transcription

1 Managed Security Services RFP 2019 Q&A 1. EPS count. 150 EPS seems low (our minimum deal size is for 1,000 EPS). If we can get a detailed list of the equipment in scope for the SIEM, we can determine if we can be a fit here or not After re-evaluating our infrastructure and planning for an additional high-availability firewall we anticipate the EPS to increase to about 300 EPS. This number is relative to the devices we are planning to scope. SURS is currently monitoring 7 devices. Over the last 30 days the sum of the Maximum EPS for all devices was 428 EPS. The sum of the Average EPS for all devices was 44.4 EPS. Please contact the Procurement Officer if you require a more detailed breakdown and explanation. 2. RFP notes that there is an existing MSSP and SIEM service - will SURS maintain the existing SIEM hardware/software/platform? The solution from the winning vendor of this RFP would replace the existing hardware/software/platform. 3. What is the current platform that is noted as running at ~150 EPS currently? This is a combination of all devices being currently monitored. The 150 EPS will need to be increased (see question 1). The value was derived from estimating high while looking at the devices we currently monitor or want to monitor. The EPS value is not a peaktime value. 4. Outside the noted PAN firewalls, are there any other security tools or platforms in use within the environment? Endpoint, CASB, IAM, MFA, etc.? Not currently. 5. What model PAN firewalls in HA pair? Any other firewalls to be managed? At the time of this RFP, SURS utilizes 1 HA pair (PA-3020), there is a need to install an additional HA pair. If more information is needed, please contact the Procurement Officer. 6. What IDS/IPS platform is in use and how is it deployed? Is this separate from PAN firewalls? Most of the IDS/IPS events are caught by the PAN firewalls, however our current MSSP provider has an IDS/IPS device installed, which may go away. The idea of multiple IDS/IPS systems is a plus. 7. Is there any requirement or preference for on-prem vs cloud-based SIEM service? SURS will evaluate either solution, no preference. 8. Section 8 details Vulnerability Management - is SURS additionally requesting proposal of a vulnerability scanning/management platform, or is one already existing/in-use? This is currently contracted. SURS would like to know your capabilities in this area as a possible replacement for the existing vendor.

2 9. Please provide listing of current/existing log sources in the current SIEM environment, and please note any anticipated additions. Currently we are actively logging: - 4-IBM i-series - 1-H/A Firewall - 2-Exchange Servers - 1-Active Directory Server - 1-Web Server Anticipated sources are: - 1-H/A Firewall - 1-Exchange Server - 1-Active Directory Server - 3-Database Servers - 5-Switch Stacks 10. How much bandwidth is available/in-use at each facility? 200Mb/sec available and average about 80Mb/sec 11. How many endpoints exist in the environment to be scanned for vulnerabilities? Please include all endpoints; servers, workstations, Printers, IoT, etc. See # The RFP states there are 20 devices and provides a list of device types and the numbers of each? Not sure what the question is. 13. What features are enabled on your Palo Alto firewall? GlobalProtect, Threat Prevention, URL Filtering, Wildfire 14. What endpoint technologies are deployed? i.e. EDR, anti-virus? Traps 15. What critical applications does SURS anticipate/expect to be monitored? No applications at this time 16. For Office 365, how many mailboxes does/will SURS have deployed? What O365 Plan has SURS selected (depending on client industry G5 and/or G3, E5 and/or E3 or P3 and/or P1 are examples)? Mainly G3, but we do have a few G5 18. Has SURS moved or anticipate moving any of its applications to the cloud? Third Party Apps (SaaS like Sales Force) - SURS has a few cloud solutions such as Office 365, PureCloud phone solution We are also currently looking at a cloud HCM/FIS solution Internal Applications or DR solution to providers such as AWS, Azure, etc.? Which one(s)? - SURS current DR solution is cloud based.

3 19. Are you able to provide a network diagram? SURS does not want to publish a diagram on our website. If this information is required, please provide desired information needed in the diagram and send the request to the Procurement Officer and the information will be sent directly. 20. Vendor does not perform contract review/redlines at the RFP stage. Will partial/deferred acceptance of the Addendum to Contract, pending contract award, be acceptable to Illinois SURS at the RFP stage? Yes 21. In the Naperville office, is there a separate firewall to monitor and manage? Please describe how Naperville connects to Champaign. Our Naperville office is connected via VPN tunnel back to Champaign with no additional firewalls. 22. Please provide an estimate / breakdown of the number of Windows servers, workstations / laptops, and any other assets to be monitored outside the numbers provided in the RFP (20 network devices, 4 IBM iseries). See #9 23. What operating system is installed on the iseries servers? V7R2 24. What level / tier of Office 365 is SURS intending to license? Will the service provider be given access to the O365 audit log, cloud app security, and other O365 controls? See #17. SURS would prefer to forward the O365 events to the service provider. 25. To keep with our standard of not creating any persistent connections into customer environments, will SURS be capable of running the O365 logging agent to forward events to the service provider? SURS is new to the O365 environment, so we are unsure at this time, but would assume this is possible. 26. With the services SURS provides to its members, will there be monitoring for the applications and their application logs associated with these services? Not at this time 27. Does SURS currently use any other tools to aggregate data such as a syslog tool? If so, is the service provider expected to gather logs from a mirror of this data? Currently devices send logs to service providers equipment. 28. Under Threat Monitoring and Threat Protection, SURS requests protection and blocking of malicious activity. With respect to endpoints, does SURS expect the service provider will provide or sublicense endpoint protection tools such as host IDS/IPS, EDR, or other software? If so, please describe the expectations. If not, please list the endpoint security controls that SURS has in place that the service provider will monitor. Currently our PAN firewall does a good job in detection and prevention. However, we also utilize a network IPS/IDS solution from a provider. It is expected that the provider be able to inspect traffic entering and leaving and provide dual coverage for IDS/IPS

4 29. With respect to the network, does SURS expect the service provider will provide network protection tools such as network access control, network IDS/IPS, or similar tools? If so, please describe the expectations. If not, please list the network security controls that SURS has in place that the service provider will monitor. Network IDS/IPS systems are expected. See item # Does the 18 month retention of "incident details" require that all log events are kept for 18 months, or only logs related to valid security incidents? Only logs related to valid security incidents need to be kept for 18 months. 31. What are the expectations for retention of logs in an online and searchable format? Auditors may ask SURS to search through logs that could be 18 months old 32. What are the expectations for retention of logs in a non-searchable archive? Log files should be kept in a state where it can be made searchable. Files should be archived off of MSSP and made available to SURS. 33. What are the "critical applications" that will generate event logs? What standard method will the critical applications use to send log events to the service provider? Active Directory, DNS, Exchange, O365 and other critical cloud applications 34. Does SURS have a quantity of new firewalls to be deployed, provisioned or replaced during the contract period? Yes, potentially one HA pair will need to be purchased and provisioned, however this may be done by a business partner 35. Does SURS have a backup and recovery infrastructure for the firewalls? If not, does SURS expect that the service provider will provide backup and recovery tools and infrastructure for SURS firewalls? The service provider is not expected to provide backup and recovery infrastructure but should have backups of firewall configurations and be able to assist in the recovery. 36. Does SURS have specific service level expectations for log capture, retention and detection? For detection: Security Level Response Time Resolution Time 1 10 minutes 30 minutes 2 30 minutes 4 hours 3 2 hours 24 hours 4 1 day 1 week 37. Please describe some examples of what real-time analytics to which SURS would like to have access? The ability to see alerts as they happen, the ability to zoom into a sudden spike in traffic Real-time view into logs to view where specific traffic is going and coming from Past due tickets Active Alerts Events per sec and other metrics that would assist in trouble-shooting The time it takes for the analyst to respond to your query The time it takes the vendor to send an alert The number of false positives you receive

5 The time it takes to remediate an incident The vendor remediation success rate The number of security alerts received The average time to resolve a ticket 38. What reports are required to be provided by the service provider for SURS's compliance requirements? HIPAA, FISMA, GLBA, SOX, ISO 27001, SOC 1&2 39. The RFP requests a project start date of March 1, 2019 and anticipates an RFP completion date of March 31, Please clarify when RFP is anticipated to be awarded and when full coverage is expected to be operational by the selected service provider. It is expected the RFP will be awarded by February 25 and operational by April Please summarize the quantity and types of devices are in scope for the vulnerability management program if different from the threat monitoring portion. See #9 41. Does SURS expect authenticated vulnerability scans or is vulnerability management focused on network accessible services only (unauthenticated)? Unauthenticated See #8 42. Will any web application vulnerabilities be included in the vulnerability management? If so, please describe the web applications in scope for vulnerability management. See #8 43. Does SURS have an internal vulnerability rating system? Will the service provider be responsible for risk rating each vulnerability? Is a standard to be used, such as CVSS, to quantitatively rate each vulnerability? SURS rating is determined by the current provider. 44. Will the service provider be responsible for reporting deviations from a baseline? If possible 45. Is there a requirement by SURS for the vendor to use the services of an MBE business? No. It is not a requirement. However, SURS is committed to diversity and the use of diverse sub-contractors will be viewed favorably by the selection committee. 46. Does the MBE business need to be registered in the State of Illinois and approved by SURS to perform services for the Primary vendor? All diversity efforts will be favorably considered. There is no diversity registration requirement. However, all subcontractors must be licensed to do business in the state of Illinois and once a vendor is selected, SURS must pre-approve any and all subcontractors the selected vendor would like to use. 47. What is the evaluation criteria for the MBE business and the vendor using their services? All diversity efforts will be favorably considered. 48. How do you weigh the requirements for MBE? All diversity efforts will be favorably considered. 49. Do you have a preference for an on-premise or Cloud based SIEM? Are you looking to replace an existing SIEM or is this a greenfield implementation? SURS does not have a preference and will evaluate both solutions. Currently SURS has a hardware device provided by the vendor onsite.

6 50. What is your total amount of log data (measured in GB per day) for all of your reporting devices? If we assume 300 EPS X 100 bytes per log then our daily amount would be about 2GB. 51. Incident Response: Can you describe your requirements for vendor involvement? Would that include remote support, on-premise support, training and/or device mitigation? Vendor would include remote support, training and mitigation. SURS is not staffed 24X7 vendor would be responsible for notifying SURS personal and in critical cases acting to stop an incident. 52. Can you please define Co-monitor and Co-management of the Firewalls? Would you allow for SURS management of specific functions while the chosen vendor manages other functions? SURS is not staffed 24X7 vendor would be responsible for making sure firewall is available 24X7. With input from SURS make updates/upgrades to firewall. If needed create/modify rule set and or other policy changes. 53. Does implementation include the vendor performing Rack & Stack of hardware (on-site) or strictly configuration of the devices? No 54. Is there a Vulnerability Management program in place with periodic scans and Penetration tests? Are you willing to share the results with the chosen vendor? SURS does periodic scans and penetration testing. These are done both internally and externally. SURS would like to know what your capabilities are in this area. See #8 Yes, we would be willing to share with the chosen vendor 55. Can you share your current Security organization staffing model and roles? SURS Security Team Technical Security Team Internal Extended Team (Management, Legal, HR and Communications) Extended Technical Team (Applications Development, Operations and Tech Support) External Team (Law Enforcement, Consultants) 56. Do you have an established CERT (Computer Emergency Response Team) program? We have an established Security Response Team.

7 57. Do you currently subscribe to any threat intelligence feeds and threat hunting service/s? We do have a Threat Prevention subscription and receive s from US-CERT Cyber Security Bulletin. 58. what products are currently being used for End-point protection? Traps 59. For remediation work for identified issues, do you need just guidance/recommendations from Vendor and have internal staff to do actual work or need a provision to engage Vendor s Professional services team through a SOW/Engagement letter, for actual implementation, campaign and training services? Most remediations should be done with internal staff with the guidance/recommendations from the vendor. 60. "The State Universities Retirement System (SURS) is requesting proposals for Managed Services Solutions to acquire, implement and co-monitor a solution that provides Threat Monitoring & Cyber-Attack Defense, SIEM & Log Management, Incident Response & Event Investigation, Threat Protection and Vulnerability Management. Co-management of our firewall is a requirement. The ability to provide incident response services is also a consideration." a. How are "co-monitor" and "co-management" defined by SURS? Can you please delineate the responsibilities between SURS and the vendor? a. Vendor will have an account on SURS systems and be responsible for: - Device Uptime Monitoring - Health Checks on managed/monitored systems - Security Event Monitoring - Upgrade and Patch Management of Firewalls - Firewall Device Backup b. Vendor may be asked to assist with - Change Management - VPN Configuration - Firewall rule changes b. It is assumed the cost of incident response services is not to be included within the pricing of this RFP? Please confirm. a. IDS and IPS is assumed to be part of this RFP. Major events that have a significant risk to SURS may require immediate notification and swift resolution by vendor. Out-of-scope technical support on a time and materials basis will be submitted via a separate SOW. Examples of such out-of-scope support include: - On-site installation and provisioning of device - Recovering from Data Breaches - Recovering from Network Attacks - Custom analysis and/or custom reports - Forensics 61. Are there any compliance requirements that any or all portions of this RFP are to be provided only by US citizens supported domestically? Yes

8 62. In order to answer multiple questions, we need a complete inventory of existing equipment, including software release levels, and service packs. Is any of the current equipment nearing end of life (EOL) or end of support (EOS)? We will work with the selected vendor regarding this type of information. None of the equipment should have and EOL that is less than 12 months. 63. In order for us to provide accurate pricing we will need to know the approximate events per second that the SURS environment currently experiences. What is the expected events per second required? If unknown, we need to know the quantities of: Data sources, Servers, Security devices currently deployed, Internet connections and speed of connections, Number of DMZs deployed, Wireless access points, Other devices that would contribute to the number of incidents per second See #1 and #9 64. Does this solution require HIPAA compliance services and reporting? This may a future requirement 65. Does this solution require PCI compliance services and reporting? Not at this time 66. Does this solution require any other regulatory compliance? Not at this time 67. Does SURS have a documented security incident and response process? Yes 68. How will SURS ticket incidents and events? SURS will utilize vendors ticketing system. If possible, SURS will work with vendor and have ticket imported into SURS ticketing system 69. Is extended retention of logs required? How long? See #30 and # What is the number of users whose traffic will be subject to IDS inspection? Total number of wireless controllers? Stand alone or HA. 2 Wireless Controllers 72. Number of high-volume firewalls in place? 1-H/A pair 73. Number of low volume firewalls in place? None 74. Number of internal security devices in place? Brand and model. If this information is required, please provide the Procurement Officer with the type of security devices you would like to inquire about.

9 75. Server infrastructure - - How many are virtual and how many are physical? - How many domain controllers? - servers (excludes cloud services i.e. Office 365)? - Quantity of public facing web servers? - Quantity of servers under regulatory scrutiny i.e. PCI? - Other general purpose servers? See #9 76. Are cloud servers such as AWS, Azure or Google used? To what extent? See # Is internet traffic centralized or distributed? Centralized 78. Number of internet access connections? Does SURS want to engage the services of a CISO (Chief Information Security Officer) services to oversee their security? No