Purchasing and Property Services
AOC 200
4202 East Fowler Avenue
Tampa, Florida 33620
(813) 974-2481
Web Address: http://usfweb2.usf.edu/purchasing/purch2.htm

December 13, 2013

Invitation to Bid No.: 14-12-MH
Entitled: SIEM Solution for USF Health I.S.
Opening Date: January 06, 2013 at 3:00 p.m.

Addendum No. 1

Please review the following changes/additions to Invitation to Negotiate (ITN) No. 14-12-MH, SIEM Solution for USF Health I.S., to be addressed in submitted proposals:

Vendor Questions for ITN 14-12-MH SIEM Solution for USF Health

1. My question is, will USF Health also consider a Managed Services Security Solution hosted at our SOC and managed by the vendor, instead of an on-premise SIEM software solution? Our firm uses a SIEM solution which is in the upper right quadrant of Gartner's Magic Quadrant, and it is managed and monitored by trained Presidio engineers 24x7x365. Would this type of SIEM managed services offering be considered?
   Answer: No.

2. What is the total number of catch points in the USF system?
   Answer: Not sure what is meant by catch point. USF Health has 13 locations that firewall and IPS logs will come from. Server logs will not come from all locations.
3. What is the FPS (Flows Per Second) desired for the system?

4. How many EPS (Events Per Second) are needed on the back-end?

5. Please provide the volume of logs (Events per Second) for each of your geographic locations. Please also provide the number and type of each device at each location, including more granular detail on the network devices (i.e. X Firewalls, Y IPS devices, Z Routers, per location).
   Answer: The System Identification and Estimated Events per Second Table (re page 5) lists totals for the information requested; over 90% of the equipment listed exists in our main location. Events from most of the locations will consist of syslog from Cisco routers, firewall logs, and IPS logs from Check Point firewalls only. 3 locations will also have Windows 2008 Domain Controllers.

6. Does USF desire to separate parsed event data and raw logs? If so, are there specific compliance requirements for raw logs? Are there different retention policies for raw vs. parsed logs?
   Answer: This is not a requirement.

7. Is a VMWare infrastructure available for running SIEM components? If so, is it available at each of the geographic locations?
   Answer: USF Health does have a VMWare deployment, but I would prefer not to run this system on VMWare, since VMWare is not available at all locations.

8. Does USF desire the RFP Respondent to provide redundancy at any layer for the SIEM?
   Answer: There is no requirement for redundancy at this point.

9. Do you want respondents to include the storage infrastructure necessary to meet those archive retention requirements, OR will USF utilize their own existing storage infrastructure (SAN, NAS, etc.)? If SAN is available, is it 4GB or 8GB?
   Answer: USF Health will utilize existing SAN infrastructure. Existing SAN infrastructure is 8 GB.
10. Does USF desire database session logging to be part of the response? Are native audit logs being collected today?
    Answer: USF Health does desire database session logging. Native audit logs are not being collected at this point.

11. Please provide information on the anticipated volume of netflow data.
    Answer: Roughly 250 GB/month.

12. How many personnel will require training?
    Answer: If training is available as an online course, there will be 4 people to train; if training is at the Vendor's site outside of Florida, then there will be 2 people to train.

13. Are you able to estimate how much data will be indexed daily based solely on your SIEM use case? Alternatively, how many servers/devices/applications are a part of your Security infrastructure, and are you able to share what some of those are?
    Answer: At this time USF Health is not able to estimate how much data will be indexed daily. Refer to the System Identification and Estimated Events per Second Table on the last page of the Addendum.

14. Are there any specific hardware requirements that the Vendor will have to provide? Or can the software be put on your own commodity hardware?
    Answer: If USF Health is to supply the hardware to run the software on, the vendor needs to submit recommended hardware specifications so that USF Health can gather hardware costs for comparing proposals.

15. FIM: How many servers / devices do you want to monitor / put it on?
    Answer: We estimate 300 servers.
    a. Does USF Health currently have a FIM solution like TripWire or Imperva in your IT environment?
       Answer: No.

16. How many of USF staff do you wish us to include in our proposal for formal training?
    Answer: If training is available as an online course, there will be 4 people to train; if training is at the Vendor's site outside of Florida, then there will be 2 people to train.
17. Can you please clarify "Microsoft Windows Based"?
    Answer: USF Health would prefer the SIEM solution use Microsoft Windows as the underlying operating system.

18. Can a Value Added Re-seller submit a proposal, or does it have to come directly from the software manufacturer?
    Answer: We are looking to engage directly with software manufacturers only.

19. The ITN mentions that a proof of concept evaluation will need to take place prior to a purchase. How long will that proof of concept take? When will that proof of concept take place?
    Answer: For any products proposed, USF Health IS would like to have 2 weeks to test the product in our environment. This POC would run on an agreed schedule with the vendor.

20. Our solution is priced per device. How many devices is USF looking to cover with this project? The way that devices are defined is below.
    Servers:
    Applications:
    Layer 3 devices (Routers, switches, firewalls, etc.):
    Desktops (If applicable):
System Identification and Estimated Events per Second Table

The initial deployment is expected to support the following:

| Device Type                    | Product            | Version / Model        | Quantity | FIM Agents | Est. Per Device Volume (MPD) | Est. Volume (MPS) |
|--------------------------------|--------------------|------------------------|----------|------------|------------------------------|-------------------|
| 1 - Operating Systems          |                    |                        |          |            |                              |                   |
| Windows Server                 | Windows            | 2003/2008              | 500      | 0          | 32,500                       | 188               |
| Windows Domain Controller      | Windows            | 2003/2008              | 18       | 0          | 325,000                      | 68                |
| *NIX Server                    | RedHat             |                        | 70       | 0          | 13,000                       | 11                |
| 2 - Applications               |                    |                        |          |            |                              |                   |
| Email                          | Microsoft Exchange | Exchange 2010          | 15       | 0          | 65,000                       | 11                |
| Database                       | Other              | Various                | 34       | 0          | 1,300,000                    | 512               |
| Web Server                     | Other              | Various                | 44       | 0          | 650,000                      | 331               |
| Antivirus/Security Application | Symantec           | Symantec & Check Point | 2        | 0          | 130,000                      | 3                 |
| 3 - Network Devices            |                    |                        |          |            |                              |                   |
| Firewall                       | Check Point        | R75.40                 | 20       | 0          | 10,000,000                   | 2,315             |
| Router                         | Cisco              | C6509E                 | 2        | 0          | 13,000                       | 0                 |
| IDS/IPS                        | Check Point        | R75.40                 | 20       | 0          | 260,000                      | 60                |
| VPN Appliance                  | Check Point        | R65                    | 20       | 0          | 13,000                       | 3                 |
| Load Balancer                  | F5                 | Big IP                 | 6        | 0          | 65,000                       | 5                 |
| MPS Volume Based (ONLY)        |                    |                        | 1        | 0          | 0                            | 1                 |
| Est. Total                     |                    |                        |          |            | 12,866,500                   | 3,506             |

Note: Please note receipt of this addendum by signing and returning with your proposal response.

Authorized Signature & Date: ______________________
Print Name: ______________________
Company Name: ______________________
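The table above does not state how its MPS column was derived, but checking its own numbers shows that every MPS cell equals Quantity × per-device MPD ÷ 86,400 (seconds per day), rounded, and that the 3,506 total is the rounded sum of the unrounded rows. The script below is an added example, not part of the addendum or of any vendor's response; it recomputes the table from the Quantity and MPD columns so a respondent sizing a SIEM proposal (questions 3 to 5, 13 and 14 above) can see how the total is built up, which device class dominates ingest, and how much the total drifts if rounded rows are summed instead. The reading of MPD as "messages per device per day" and MPS as "messages per second" is an assumption that the arithmetic supports; the "MPS Volume Based (ONLY)" row is left out, and the bytes-per-event figure used for the storage estimate is a constructed placeholder, since the addendum gives no event size.

```python
# Added example: recompute the Estimated Events per Second table.
# Assumption: MPD = messages per device per day, MPS = messages per second
# for the whole row, i.e. MPS = Quantity * MPD / 86,400. This reproduces every
# MPS cell in the addendum's table once rounded.

SECONDS_PER_DAY = 86_400

# (device type, quantity, est. per-device volume in MPD), copied from the table
DEVICE_ROWS = [
    ("Windows Server", 500, 32_500),
    ("Windows Domain Controller", 18, 325_000),
    ("*NIX Server", 70, 13_000),
    ("Email (Exchange 2010)", 15, 65_000),
    ("Database", 34, 1_300_000),
    ("Web Server", 44, 650_000),
    ("Antivirus/Security Application", 2, 130_000),
    ("Firewall", 20, 10_000_000),
    ("Router", 2, 13_000),
    ("IDS/IPS", 20, 260_000),
    ("VPN Appliance", 20, 13_000),
    ("Load Balancer", 6, 65_000),
]


def row_mps(quantity: int, mpd_per_device: int) -> float:
    """Exact (unrounded) messages per second for one device class."""
    return quantity * mpd_per_device / SECONDS_PER_DAY


def mps_by_device(rows=DEVICE_ROWS) -> dict:
    """Rounded MPS per device class, as printed in the table's MPS column."""
    return {name: round(row_mps(qty, mpd)) for name, qty, mpd in rows}


def total_mps(rows=DEVICE_ROWS) -> int:
    """Total MPS: sum the unrounded rows, then round once (table: 3,506)."""
    return round(sum(row_mps(qty, mpd) for _, qty, mpd in rows))


def total_mps_from_rounded_rows(rows=DEVICE_ROWS) -> int:
    """Sum of the already-rounded rows; differs from total_mps by rounding drift."""
    return sum(mps_by_device(rows).values())


def daily_messages(rows=DEVICE_ROWS) -> int:
    """Total messages per day across all device classes (basis for retention sizing)."""
    return sum(qty * mpd for _, qty, mpd in rows)


def share_of_total(rows=DEVICE_ROWS) -> dict:
    """Fraction of total MPS contributed by each device class."""
    total = sum(row_mps(qty, mpd) for _, qty, mpd in rows)
    return {name: row_mps(qty, mpd) / total for name, qty, mpd in rows}


def daily_volume_gb(bytes_per_event: int, rows=DEVICE_ROWS) -> float:
    """Raw daily log volume in GB for an assumed average event size.

    The addendum gives no event size; bytes_per_event is a placeholder the caller
    supplies, so the result is only as good as that assumption.
    """
    return daily_messages(rows) * bytes_per_event / 1e9


if __name__ == "__main__":
    for name, mps in mps_by_device().items():
        print(f"{name:32s} {mps:6d} MPS")
    print(f"{'Total (rounded once)':32s} {total_mps():6d} MPS")
    print(f"{'Total (sum of rounded rows)':32s} {total_mps_from_rounded_rows():6d} MPS")
    print(f"Messages per day: {daily_messages():,}")
    print(f"Firewall share of total MPS: {share_of_total()['Firewall']:.1%}")
    # 500 bytes/event is a constructed placeholder, not a figure from the addendum
    print(f"Daily raw volume at 500 B/event: {daily_volume_gb(500):.1f} GB")
```

Two things worth noticing when running it: the Check Point firewall row alone is about two thirds of the estimated ingest, so firewall log verbosity is the lever that decides licensing and storage for this deployment, and summing the rounded rows gives 3,507 rather than the table's 3,506, which is why sizing totals should be computed from unrounded per-row figures.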