Statement of Work Security Information & Event Management (SIEM) December 20, 2012 Request for Proposal No

Transcription

1 Statement of Work Security Information & Event Management (SIEM) December 20, 2012 Request for Proposal No Introduction The Pacific Northwest National Laboratory (PNNL) is located in Richland Washington and is one of the U.S. Department of Energy's (DOE.) ten national laboratories, managed by DOE's Office of Science. PNNL performs research for other DOE offices as well as government agencies, universities, and industry to deliver breakthrough science and technology to meet today's key national needs. Project Description and Purpose PNNL Cyber Security Analytics Team is interested in receiving proposals for the next generation of Security Information & Event Management (SIEM) solutions. This Team will evaluate and rank by an internal scoring methodology the most favorable product after all technical criteria are met. After evaluations are completed a recommendation for award will be made. Assumptions and Constraints If the solution is put into virtual machines, the cost of the virtual environment will be added to the total cost of the price quoted. The solution should support at a bare minimum of one billion events per day. The log size is roughly 330 GB of data per day. Please calculate the total cost based on this information and project the cost if this information was doubled. The number of network devices, machines, switches, routers, etc will be sent upon request. Requirements Technical Requirements are grouped into categories listed below in order of importance: 1. Clients 2. Data Types 3. Appliance Features 4. User Interface 5. Compliance 6. Integration All these categories and their content listings must be met. Any item listed that cannot be met must be so noted as either an add-on with cost or other explanation. 1

2 Agentless Data capture Clients Capture data with client agents AIX client agent BSD client agent Linux client agent Solaris client agent OS X client agent Windows client agent HIDS agent IDS agent FIM (File Integrity Monitoring) WIDS (Wireless intrusion detection system) Transmission compression Data Types Allow syslog forwards (most common method for alerts and events) Normalize data Process netflow data Raw/unstructured events SDEE (Security Device Event Exchange) Capture SNMP traps Collection Health Monitoring (device offline) Firewall Logs Hypervisor Logs IDS Logs processing Includes all windows 7 logs IPS Logs 2

3 Parsed/structured events Reports on raw/unstructured data Router Logs Store and forward events Switch Logs Correlation Capability Appliance Features Event message stat monitoring (latency) Events per second (11,574 is ~ 1 billion per day) Retention period - months Scalable disk Scalable hardware Centralized Query Capability Archive and see source data Archive Metadata Can archive Events CLI option CPU Monitoring Max internal storage Queries across peers Raw data searches Storage compression Build in VMs Vulnerabilities correlation Appliance or Software/OS 3

4 Alerting - near to Real time User Interface Can export data Can save queries/filters Custom Rules Customizable access options per group Customizable reports Customizable dashboard Boolean Queries User privilege roles/groups Web interface Alerting - weighted Can create alerts Can schedule tasks Context-sensitive Graphs Device/host groups Regex Queries Graphical query builder Search Performance Unstructured Data, records searched in a minute Work flow to Maximo Minimum FISMA compliance Integration with Blue Coat Compliance Integration Integration with FireEye Integration with Forefront AV Integration with Ironport 4

5 Integration with Solera Integration with Symantec DLP integration Integration with Websense Integration with Nessus Open API Evaluation Criteria Technical 60% If all technical items listed above are met, either as standard or add-on items, those responsive, responsible Offerors will be invited for a Proof-of-Concept on-site demonstration. At the time, Offeror's product will be left on-site at the Lab for 90 days for testing within the Lab's environment for analysis by the technical evaluation team. System operations will be scored at that time using an internal ranking method. Scoring will include: - ease operation within the Lab s environment - speed of processing data - integration Price 40% Responsive and responsible Offerors who have met all the technical criteria will be evaluated on pricing of total product along with the on-site demonstration scoring. Price will affect the overall score and will impact the Best Overall Value for the Lab. Contract Award Battelle may evaluate proposals received in response to this solicitation without discussion (initial proposals should contain the Offeror's best price and technical terms). A Fixed Price contract award will be made to the responsive, responsible Offeror whose evaluated proposal provides the Best Overall Value of Price and Technical Merit after satisfying all the requirements of this solicitation. 5