
NATO UNCLASSIFIED


Page 1

NCIA/ACQ/2017/1802

11 September 2017

Market Survey Request for Information

Replacement and Enhancement of CIS

NCI Agency Ref: MS-CO-14635-RECIS

The NATO Communications and Information Agency (NCI Agency) is seeking inputs from Nations and their Industry regarding the replacement and enhancement of existing Communication and Information Systems (CIS) security capabilities across the NATO Enterprise.

NCI Agency Principal Contracting Officer (PCO): Mr. Giacomo Piliego

E-mail: [email protected]

Market Survey Point of Contact: Ms. Sherrie Mendes

E-mail: [email protected]

To: See Distribution List

Subject: NCI Agency Market Survey Request – Replacement and Enhancement of CIS

1. The NATO Communications and Information Agency (NCI Agency) is seeking inputs from Industry regarding the replacement and enhancement of existing Communication and Information Systems (CIS) security capabilities across the NATO Enterprise. The purpose of this Request for Information (RFI) is to describe the capabilities, identify the requested inputs, and provide instructions on how to reply.

2. In addition to the firms noted in Annex C of this letter, the broadest possible dissemination by Nations of this Market Survey Request to their qualified and interested industrial base above and beyond the Annex C list of firms is requested.


3. A summary of this emerging requirement is set forth in the Annex A attached hereto. Respondents are requested to reply via the questionnaires at Annex B. Annex B has two questionnaires B.1 – Part 1 and B.2 – Part 2. Other supporting information and documentation (technical data sheets, marketing brochures, catalogue price lists, descriptions of existing installations, etc.) are also desired.

4. The NCI Agency reference for this Market Survey Request is NCIA/ACQ/2017/1802, and all correspondence and submissions concerning this matter should reference this number.

5. Responses may be issued to NCI Agency directly from Nations or from their Industry. Respondents are invited to carefully review the requirements in Annex A.

6. Responses shall in all cases include the name of the firm, telephone number, e-mail address, designated Point of Contact, and a NATO UNCLASSIFIED description of the capability available and its functionalities. This shall include any restrictions (e.g. export controls) for direct procurement of the various capabilities by NCI Agency. Non-binding product pricing information is also requested as called out in Annex B.

7. Responses are due back to NCI Agency no later than close of business 11 October 2017.

8. Please send all responses via email to the CIS Enhancement and Replacement mailbox listed below:

NCIA CIS Enhancement Email:

[email protected]

For Attention Of: Mr. Giacomo Piliego, Principal Contracting Officer & Ms. Sherrie Mendes, Sr. Contracting Support

Postal address: NATO Communications and Information Agency, Boulevard Leopold III, 1110 Brussels, Belgium


Courier delivery address (e.g. DHL or FEDEX):

NATO Communications and Information Agency, Bourgetlaan 140, 1140 Evere, Belgium

9. Product demonstrations or face-to-face briefings/meetings with industry are not foreseen during this initial stage. Respondents are requested to await further instructions after their submissions and are requested not to contact any NCI Agency staff directly other than the POC identified above in Para 8.

10. Any response to this request shall be provided on a voluntary basis. Negative responses shall not prejudice or cause the exclusion of companies from any future procurement that may arise from this Market Survey. Responses to this request, and any information provided within the context of this survey, including but not limited to pricing, quantities, capabilities, functionalities and requirements will be considered as indicative and informational only and will not be construed as binding on NATO for any future acquisition.

11. The NCI Agency is not liable for any expenses incurred by firms in conjunction with their responses to this Market Survey and this Survey shall not be regarded as a commitment of any kind concerning future procurement of the items described.

12. Your assistance in this Market Survey request is greatly appreciated.

FOR THE GENERAL MANAGER:

[Original Signed By] Giacomo Piliego Principal Contracting Officer

Attachment(s):


• Annex A – Market Survey RFI Requirements

• Annex B –
 o B.1 - Market Survey Questionnaire Pt 1
 o B.2 - Market Survey Questionnaire Pt 2

• Annex C – Market Survey Industrial Recipients

Annex A – Market Survey RFI Requirements NATO UNCLASSIFIED

NATO UNCLASSIFIED 1

NCI Agency Request for Information (RFI) about Cyber Security Solutions

1 PURPOSE

The NATO Communications and Information Agency (NCI Agency) is seeking inputs from Industry regarding the replacement and enhancement of existing Communication and Information Systems (CIS) security capabilities across the NATO Enterprise. The purpose of this Request for Information (RFI) is to describe the capabilities, identify the requested inputs, and provide instructions on how to reply. This effort is sponsored by the following programmes:

• The NATO Enterprise CIS Security Architecture development (a documentation effort run under the NATO C3 Board Programme of Work – not an acquisition project)

• NATO CIS Security Services Technology Refresh and Enhancements Capability Package (CP120) pre-planning

The Agency is requesting information on individual products, architectural solutions and recommendations addressing the requirements posed by the two programmes. This information should be captured in a manner highlighting current technology (available on the market) in addition to future technology catering for requirements which are foreseen. This information will be used by NATO subject matter experts and architects to support the definition of the project architecture and to estimate the costs in relation to implementation.

2 BACKGROUND

As highlighted during the NIAS Cyber Security Symposium 2016, NATO is continuously adapting and implementing changes to its CIS infrastructure, adopting new approaches and technologies in order to increase its efficiency and effectiveness. Such change is key to maintaining a high level of service to NATO stakeholders, while at the same time ensuring that the cost of operating the CIS infrastructure and supporting tools remains within acceptable margins. The review and change of the infrastructure also allows NATO to adapt the architecture to accommodate future requirements and technology.

Evolving infrastructure and the continuous change in the threat landscape have the potential to impact the NATO CIS architecture and the CIS Security capabilities, raising technical and operational challenges. Whilst NATO presents some unique characteristics, the challenges it faces are similar to those of civilian and large enterprise organisations, many of which have been addressed by industry solutions currently available on the market. As a result, NATO is interested in obtaining input on potential solutions deployed in commercial companies and other public / international organisations that can be leveraged within the NATO enterprise context to help protect NATO assets, and in evolving solutions aimed at addressing emerging requirements.


3 BUSINESS ENVIRONMENT

The context of this RFI is the NATO Enterprise. The following characteristics of the NATO Enterprise should be considered while providing input for this RFI:

1. Centralised infrastructure: most services will be provided from central Data Centres, following a “private cloud computing” approach; NATO is undergoing a complex restructure of its CIS infrastructure (“IT Modernization”, ITM).

2. Centralised management: CIS is managed from central Services Operation Centres, minimising local administration activities as much as possible.

3. The CIS architecture is composed of several generations (“legacy” systems): many physical sites with various levels of autonomy and local customizations, and a significant amount of legacy systems.

4. Complex organisational structure: CIS management responsibilities are being changed and centralized, resulting in challenges to integrate the CIS Security capabilities within the CIS infrastructure as well as to maintain them properly tuned over time.

5. Service orientation: services within the NATO Enterprise as well as to external users from the Nations are being provided based on a service oriented model. This results in a requirement for a high level of flexibility (capacity, scope, performance, etc.) of the CIS Security capabilities to adapt to the demand.

6. Increase in network bandwidth: changes in technology and added capabilities have resulted in higher bandwidth within NATO’s infrastructure (WAN, between the Data Centres, local LANs), increasing the complexity and need for network security monitoring.

7. Virtualized Infrastructure: services are being migrated to virtualized infrastructure, with redundant Active-Active Data Centres.

8. Increased Mobility: Large scale deployment of mobile clients (laptops, smartphones, tablets), connected via VPN reach back to the core infrastructure.

9. Centralized computing: Large scale deployment of thin clients, with the users' OS hosted on dedicated virtualised environments.

10. VoIP: Complete VoIP infrastructure, fully integrated as part of a Unified Communications and Collaboration (UCC) infrastructure.

11. Other constraints:

a. Spread of encrypted applicative protocols (SSL/TLS), impacting boundary protection;

b. Stringent availability requirements, in line with the operational criticality of the CIS infrastructure;

c. Scarce skilled resources to operate the CIS Security capabilities, in a context of limited O&M costs and an increased focus on outsourcing.


4 RFI GUIDELINES

4.1 EXPECTED RESPONDENTS

Responses are anticipated from any commercial organization or company within any NATO nation that provides CIS security solutions, either broadly across many areas or in the specific fields identified in this RFI.

4.2 DISCLAIMER

The results of this RFI will solely be used by the NCI Agency to support architecture decisions and requirements, and to identify broad cost estimates for funding and affordability purposes. The information provided will not be used as a request for quotation or an invitation for bids. The results obtained from this RFI will not be used in any manner to select specific products or vendor solutions prior to any formal NATO procurement process.

Since this RFI covers a broad selection of CIS security capabilities, partial responses will be accepted, and are indeed expected. It is acknowledged that solutions available on the market cannot address all of the identified requirements and challenges.

Moreover, because the RFI results will be used to determine generic cost estimates for various functional requirements and not specific products, any cost information to be provided by vendors shall not take into account specific discounts that they may negotiate for an actual deployment.

4.3 RFI STRUCTURE

This RFI is organized in two main parts:

1. Detailed information about products

2. Architecture questions and solutions

The scope of the RFI is considered broad: each vendor is only expected to answer the questions that are relevant to their proposed product(s) / solution(s) and their areas of expertise. Each question will request inputs regarding a specific issue; responses are expected to contain information from vendors about current and future solutions, including cost estimates for several deployment scenarios addressing NATO’s operational requirements.


5 PART 1: PRODUCT RELATED QUESTIONS

The objective of this part of the RFI is to collect detailed information about a large range of cyber security products in order to shape the future cyber security architecture of the NATO Enterprise. An indicative cost model is also requested to support cost estimates for future NATO implementation projects.

The questions cover the four following aspects:

1. General information about the product / solution and the company

2. Licensing model and costing information, for various deployment scenarios

3. Questions applying to all categories of products / solutions

4. Questions applying to specific categories of products / solutions

5.1 Categories of products and solutions

You are invited to propose products related to the following subject areas:

• Firewall solutions
• Log collection solutions
• Security Information and Event Management solutions (SIEM)
• Network-based Intrusion Detection and Prevention Systems (NIDPS)
• Host-based Intrusion Detection and Prevention Systems (HIDPS)
• Combined security analytics of logs, network packets, network flows and endpoint information
• Threat Hunting solutions
• Cyber Threat Intelligence (CTI) management solutions
• Combined security systems (e.g. firewall with NIDPS)
• VoIP infrastructure security monitoring and boundary protection
• Data Leak Prevention (DLP) solutions
• Endpoint monitoring and incident response solutions, Endpoint Detection and Response solutions (EDR)
• Network Taps and Aggregators
• Full Packet Capture (FPC) and Network Forensics solutions
• Standalone Vulnerability Assessment Scanning solutions
• Distributed Vulnerability Assessment scanning solutions
• Web Application Vulnerability Assessment scanning solutions
• Penetration Testing solutions
• Standalone Computer Forensics solutions
• Remote / Distributed Computer Forensics solutions
• Cyber Security Incident Management solutions
• Orchestration / Automation solutions for Incident Response
• Cyber Defence Situational Awareness (CDSA) solutions
• Automated Sandbox / Detonation solutions for malware detection
• Sandbox / Detonation solutions for malware analysis
• Malware Analysis tools (reverse-engineering, debuggers, decompilers, static analysis, malware collection management, etc.)
• Digital Forensics solutions (disk, mobile phones, memory forensics, timeline generation, evidence management)
• Distributed / Remote Digital Forensics solutions (disk and memory forensics)
• Deception-based detection solutions (e.g. honeypots, honey tokens)
• Network flows generation / collection solutions (e.g. NetFlow, IPFIX and similar)
• SSL/TLS Decryption solutions
• Anomaly Detection solutions
• User and Entity Behaviour Analytics (UEBA) and Insider Threat Detection solutions
• Website security monitoring and defacement detection solutions
• Cyber Security Data Analytics and Machine Learning solutions

5.2 Guidance

The list of questions is located in the attached Microsoft Excel file named “NU_Cyber_Security_Solutions_RFI_Part1_Answers.xlsx”, in the Questions tab. Please use that file as a template, and populate one answer column for each product or solution.

Please follow this guidance when answering questions:

1. Complete the general information about the product / solution and the company.

2. Make sure to select the relevant product category, or indicate it when several categories apply.

3. The most important part of this RFI is to indicate the licensing model and the costing information, for various deployment scenarios. Select the proper set of questions matching the licensing model. That information is crucial to support the cost estimation of upcoming NATO acquisition projects.

a. The first set of costing questions is for the initial purchase of the solution.

b. The second set of costing questions is for the annual cost to support the solution over time.

4. The rest of the questions cover functional features of the solution:

a. Questions applying to all categories of products / solutions: Please answer at least the mandatory questions, and as many optional questions as possible.

b. Questions applying to specific categories of products / solutions: Please answer the questions matching the product category.

Important note: The answers to this RFI related to features of each product will not be used to select those products for future acquisitions. Their purpose is to check whether specific features are sufficiently supported in existing solutions on the market, to be used later on to refine project requirements.

The questions marked with an “M” are mandatory questions, which need to be answered for each product / solution. The questions marked with an “O” are optional, please answer as many as possible.


6 PART 2: ARCHITECTURE-RELATED QUESTIONS

Organisations are invited to provide answers to one or multiple questions / capability areas depending on their proposed product / solution or subject matter expertise. The NCI Agency seeks input from industry partners who are able to provide information on proposed solutions and / or general information in any one of the following subject areas.

Guidelines: Please use the attached Microsoft Word file named “NU_Cyber_Security_Solutions_RFI_Part2_Answers.docx” as a template, and enter the answers below each question that is applicable.

Important note: Please make sure that all solutions mentioned in the answers to the questions below are also described in the answers to part 1 of this RFI, otherwise they cannot be taken into consideration for the architecture definition.

6.1 SSL Decryption for Monitoring and Filtering

Network traffic within the internal networks and towards external networks is more and more encrypted at the application level, using protocols such as SSL/TLS. This evolution has a dramatic impact on the effectiveness of all security products that analyse the network traffic, such as application-level firewalls, network intrusion detection systems and full packet capture / network forensics.

Question: Which solutions do you propose to address that challenge, using existing products?

6.2 Internal E-mail Traffic Monitoring and Filtering

Question: Which solutions do you propose to monitor and filter internal e-mail traffic (i.e. between internal employees of an organisation), using existing products? How do you propose to analyse encrypted e-mails (e.g. using S/MIME)?

6.3 Service-specific Monitoring

Question: Which solutions do you propose to monitor and filter the following services specifically, in addition to generic security solutions using logs and network traffic capture (e.g. beyond SIEM and IDS), using existing dedicated products?

• Operating Systems (servers, clients, all endpoints)
• Network infrastructure (routers, switches)
• Active Directory infrastructure
• DNS Servers
• DHCP Servers
• Time Distribution (NTP/PTP Servers)
• Virtualisation Infrastructure
• Remote Access Services (VPN concentrators and clients)
• SAN Infrastructure
• File Servers (including NAS)
• Backup & Archive Systems
• Wireless Infrastructure
• VoIP/VTC Infrastructure
• Standard Desktop Applications
• Application Store
• Printing and scanning services
• Enterprise Portal Services (e.g. Microsoft SharePoint)
• Enterprise Real-Time communication infrastructure (e.g. Microsoft Skype, Lync, Office Communicator)
• Internal Web Servers
• Externally Facing Web Servers
• Web Proxies
• Reverse Proxies
• Databases
• Firewalls
• Data diodes
• Authentication and Access Management Infrastructure
• NAC

6.4 Netflow generation, collection, analysis and archiving

Question: Which solutions do you propose to generate, collect, analyse (e.g. for intrusion detection) and archive Netflow data (e.g. NetFlow, IPFIX or similar) corresponding to the network traffic, using existing products?

6.5 Windows Events Collection

Question: Which solutions do you propose to collect, filter and enhance Windows event logs on each endpoint (client or server), and to centralize them into a single data store for further processing, using existing products?

6.6 VoIP Infrastructure Monitoring and Filtering

VoIP infrastructures are more and more integrated with IT networks, exposing them to more threats.

Question: Which solutions do you propose to protect VoIP infrastructures specifically, in terms of filtering (e.g. firewalls), monitoring and intrusion detection? Is it possible to integrate those solutions with the generic cyber security solutions (e.g. SIEM)?

6.7 Log Storage

Question: Which solutions do you propose to store and archive very large volumes of logs, so that third party products can query and access the data for further processing?

6.8 Security Effectiveness Monitoring

Question: Which solutions do you propose to regularly check the effectiveness of all the detection and prevention solutions deployed enterprise-wide (e.g. by generating network traffic that should trigger intrusion detection systems, by sending e-mails with attachments that should be blocked by gateways, etc.), in an automated or semi-automated way?

6.9 Data Analytics

Question: Which solutions do you propose to perform large scale data analytics on all the data collected by security products (e.g. logs, alerts, netflows, packets) in order to complement a SIEM and to detect malicious activity that is difficult to catch with traditional tools?


6.10 Monitoring strategies on mobile and thin clients

Question: Which solutions do you propose to monitor the security of mobile clients (e.g. laptops, smartphones, tablets) that connect to the enterprise network via a VPN, including the periods of time when they are used without being connected?

6.11 Vulnerability Detection

Question: Which solutions do you propose to detect and identify vulnerabilities in software and configurations deployed throughout large enterprise networks, using various approaches such as active scanning through the network, passive scanning, endpoint agents, or connection to management systems (e.g. CMDB)?

6.12 Network Mapping

Question: Which solutions do you propose to discover the detailed topology of large, distributed enterprise networks using various approaches such as active scanning through the network, passive scanning, endpoint agents, or connection to network management systems?

6.13 DLP

Question: Which solutions do you propose to implement data leak detection and prevention (DLP)?


7 ABBREVIATIONS

CDSA – Cyber Defence Situational Awareness
CIS – Communication and Information System
CMDB – Configuration Management Database
CTI – Cyber Threat Intelligence
DHCP – Dynamic Host Configuration Protocol
DLP – Data Loss Prevention
DNS – Domain Naming System
EDR – Endpoint Detection and Response
FPC – Full Packet Capture
HIDPS – Host Intrusion Detection and Prevention System
IAM – Identity and Access Management
IDS – Intrusion Detection System
IEC – International Electrotechnical Commission
IPFIX – IP Flow Information Export
ISO – International Standards Organization
IT – Information Technology
ITM – Information Technology Modernization
IdM – Identity Management
MIME – Multipurpose Internet Mail Extensions
NAC – Network Access Control
NAS – Network Attached Storage
NATO – North Atlantic Treaty Organization
NCI – NATO Communication Infrastructure
NCIA – NATO Communications and Information Agency
NIAS – NATO Information Assurance Symposium
NIDPS – Network Intrusion Detection/Prevention System
NII – Network and Information Infrastructure
NTP – Network Time Protocol
O&M – Operations and Maintenance
OS – Operative System
PTP – Precision Time Protocol
RFI – Request For Information
SAN – Storage Area Network
SIEM – Security Information and Event Management
SSL – Secure Sockets Layer
TLS – Transport Layer Security
UCC – Unified Communications and Collaboration
UEBA – User and Entity Behaviour Analytics
VPN – Virtual Private Network
VTC – Video Teleconference
VoIP – Voice over IP
WAN – Wide Area Network

Annex B.1 - Market Survey Questionnaire Pt 1 NATO UNCLASSIFIED

Category Section QuestionQuestion is

Mandatory (M) or Optional (O)

Answers for Product 1 Answers for Product 2 Answers for Product 3 Answers for Product 4 Answers for Product 5 Answers for Product 6 Answers for Product 7 Answers for Product 8 Answers for Product 9 Answers for Product 10

Company Name MProduct Name MCurrent Version or Model MMain Product Category MProduct Categories (if several or other) OFormer Company Name (if applicable) OFormer Product Name (if applicable) OCompany Headquarters Country MURL to product description webpage O

What is the main licensing model for the solution? MLicensing model description (if selected "per usage", "several" or "other") OLicense duration (e.g. 1, 2, 3 years) O

Cost Estimate Currency Currency for cost estimates M EUR EUR EUR EUR EUR EUR EUR EUR EUR EURCost Estimate to Purchase the

solution (once)Note: Please fill in the cells below that match the licensing model, and leave the others empty M

Purchase Cost Estimate for 1 unit (if applicable) - unit cost OPurchase Cost Estimate for 10 units (if applicable) OPurchase Cost Estimate for 100 units (if applicable) OPurchase Cost Estimate to protect 1000 end-users (if applicable) OPurchase Cost Estimate to protect 10000 end-users (if applicable) OPurchase Cost Estimate to protect 50000 end-users (if applicable) OPurchase Cost Estimate to protect 1000 endpoints (if applicable) OPurchase Cost Estimate to protect 10000 endpoints (if applicable) OPurchase Cost Estimate to protect 50000 endpoints (if applicable) OPurchase Cost Estimate to protect 10 servers (if applicable) OPurchase Cost Estimate to protect 100 servers (if applicable) OPurchase Cost Estimate to protect 1000 servers (if applicable) OPurchase Cost Estimate for 1 console/client user (if applicable) OPurchase Cost Estimate for 10 console/client users (if applicable) OPurchase Cost Estimate for 100 console/client users (if applicable) OPurchase Cost Estimate for 1 active console/client user session (if applicable) OPurchase Cost Estimate for 10 active console/client user sessions (if applicable) OPurchase Cost Estimate for 100 active console/client user sessions (if applicable) O

Based on Storage Capacity Purchase Cost Estimate based on storage capacity: please describe (if applicable) OBased on daily amount of

ingested dataPurchase Cost Estimate based on ingested data: please describe (if applicable) O

Based on Usage Purchase Cost Estimate based on usage: please describe (if applicable) O

Other ModelPlease provide any other description to explain the licensing/costing model for the purchase cost

O

Annual Cost Estimate to Maintain/Support the solution

(every year)Note: Please fill in the cells below that match the licensing model, and leave the others empty M

Annual Cost Estimate for 1 unit (if applicable) - unit cost OAnnual Cost Estimate for 10 units (if applicable) OAnnual Cost Estimate for 100 units (if applicable) OAnnual Cost Estimate to protect 1000 end-users (if applicable) OAnnual Cost Estimate to protect 10000 end-users (if applicable) OAnnual Cost Estimate to protect 50000 end-users (if applicable) OAnnual Cost Estimate to protect 1000 endpoints (if applicable) OAnnual Cost Estimate to protect 10000 endpoints (if applicable) OAnnual Cost Estimate to protect 50000 endpoints (if applicable) OAnnual Cost Estimate to protect 10 servers (if applicable) OAnnual Cost Estimate to protect 100 servers (if applicable) OAnnual Cost Estimate to protect 1000 servers (if applicable) OAnnual Cost Estimate for 1 console/client user (if applicable) OAnnual Cost Estimate for 10 console/client users (if applicable) OAnnual Cost Estimate for 100 console/client users (if applicable) OAnnual Cost Estimate for 1 active console/client user session (if applicable) OAnnual Cost Estimate for 10 active console/client user sessions (if applicable) OAnnual Cost Estimate for 100 active console/client user sessions (if applicable) O

Based on Storage Capacity Annual Cost Estimate based on storage capacity: please describe (if applicable) OBased on daily amount of

ingested dataAnnual Cost Estimate based on ingested data: please describe (if applicable) O

Based on Usage Annual Cost Estimate based on usage: please describe (if applicable) O

Other Model Please provide any other description to explain the licensing/costing model for the annual cost O

Can the solution be installed as software on an existing operating system, on a physical machine?

M

Can the solution be installed as software on an existing operating system, on a virtual machine? M

Can the solution be deployed as a virtual appliance? (i.e. as a virtual machine including its own operating system)

M

Can the solution be deployed as a hardware appliance? MCan the solution be deployed with another installation model? Please describe. O

Air-gapped networks supportCan the solution function without Internet connection (air-gapped networks), with manual updates?

M

What is the normal update frequency for detection/remediation data such as signatures, rules, hashes, indicators, etc?

O

How are customers informed of security updates of the product (website, email, online structured API, integrated in the product itself, ...) ?

O

Is the source code of the product available for security analysis/auditing, with or without an NDA?

O

Is there vendor specific documentation in relation to the hardening of the product? (if so, please provide the URL)

O

Integration
• URL of web page providing the list of third-party products that can be integrated with the solution (may also be provided in a separate document) (M)
• Does the solution provide a supported and documented API to automate functionality, to push data into the solution? (M)
• Does the solution provide a supported and documented API to automate functionality, to pull data from the solution? (M)
• URL of web page containing the documentation of the product API (otherwise the documentation may be provided as a separate document) (M)
• Which cyber security standards (e.g. CVE, CPE, STIX, …) and de-facto industry standards (e.g. Snort rules, YARA rules, …) are supported by the solution? (O)
• Which format and/or standard does the solution use to generate and store its logs and events (single-line text, multiline text, JSON, syslog, ...)? (O)
• Are logs from the solution exportable in real-time and/or at scheduled times? (O)
• For agent/server based solutions, can data produced by the agents be sent to a third-party data store in addition to the dedicated server of the solution? (O)

Manpower
• How many resources are required to maintain and manage the solution? (FTEs) (M)
• How many resources are required to operate the solution on a daily basis? (FTEs) (M)

Performance
• What is the maximal network throughput supported by the solution? (if applicable) (O)

Distributed Deployment
• Can the solution be distributed on several geographical sites, and can it be centrally managed as a single solution? (if applicable) (M)
• What product features does your solution have which make it appropriate for low bandwidth, limited connectivity and/or low QoS environments? (O)

[Row and column labels of the Part 1 questionnaire table that the extraction detached from their rows: section labels Generic Questions (all products), Product Information and Costing (Cost Estimate to Purchase the solution (once); Annual Cost Estimate to Maintain/Support the solution (every year)), and the Licensing Model options Per unit / installed instance; Per protected end-user; Per protected endpoint; Per protected server; Per console/client user; Per active console/client user session.]

Features
• Which unique features does the solution provide, compared to its competitors? (O)

Questions for Firewall products only
Please indicate which features are supported by the product in the list below:
• Application Awareness (detect an application protocol on any port) (O)
• Dedicated Network Interface for Management (O)
• Different routing instances (O)
• Centralized Management of distributed devices with a graphical user interface (O)
• Centralized Management of filtering policies (O)
• Centralized Management of upgrades (O)
• Network troubleshooting / Packet Capture (O)
• EAL4+ evaluation (O)
• Encrypted traffic decryption (SSL decryption) (O)
• Option for integrated Network Intrusion Prevention (NIPS) (O)

Questions for Network Intrusion Detection products (NIDPS) only
Please indicate which features are supported by the product in the list below:
• Network Intrusion Detection (O)
• Network Intrusion Prevention (O)
• Centralized Management (O)
• Hierarchical policy for detection signatures (O)
• Compatible with Snort rules (O)
• Inline bandwidth up to 10GbE (O)
• Integration with Active Directory (O)
• Integration with SIEM (O)
• Fail Safe when deployed inline (O)
• Encrypted traffic decryption (SSL decryption) (O)
• Rogue Detection (detection of unknown/new endpoints) (O)
• Anomaly Detection (record network traffic baseline, detect deviations) (O)
• Passive application layer network traffic log generation (passive http, dns, smtp, ssl/tls cert-info...) (O)
• Detailed application layer session context information available in alert (e.g. http headers extracted if a part of the body matches a rule) (O)
• Features to help configuration and tuning of the detection policies (e.g. discovery mode) (O)

Annex B.1 - Market Survey Questionnaire Pt 1 NATO UNCLASSIFIED

Questions for Host Intrusion Detection products (HIDPS) and Endpoint Detection and Response (EDR) only
Please indicate which features are supported by the product in the list below:
• Host Intrusion Detection (O)
• Host Intrusion Prevention (O)
• Centralized Management (O)
• Hierarchical policy for detection signatures (O)
• Support for YARA rules (O)
• Support for OpenIOC rules (O)
• Integration with Active Directory (O)
• Integration with SIEM (O)
• Encrypted traffic decryption (SSL decryption) (O)
• Rogue Detection (detection of unknown/new endpoints) (O)
• Anomaly Detection (record network traffic baseline, detect deviations) (O)
• Memory dump capability (O)
• Is it possible to define and deploy custom rules from a central management server to all the endpoints? (O)
• Which concepts and combinations can be used in custom rules? (file, process, imported libraries, network sockets, mutexes, memory strings, ...) (O)
• Is it possible to run a query on all the endpoints from a central management server? Or on groups of endpoints based on their characteristics? (O)
• Does the solution require a software agent to be deployed on every protected endpoint? (O)
• Does the analysis for detection happen on the endpoint itself (i.e. using the endpoint's CPU), on a central server of the solution, or a mix of both? (O)
• Features to help configuration and tuning of the detection policies (e.g. discovery mode) (O)

Questions for SIEM products only
Please indicate which features are supported by the product in the list below:
• URL of web page providing the list of third-party products that can be integrated as log/event sources (may also be provided in a separate document) (O)
• Integration with custom event sources (with configuration or scripting) (O)
• Support for network flow data sources (NetFlow, IPFIX, JFlow, sFlow, …) (O)
• Simple correlation rules (e.g. simple tests such as "if event A and event B with same destination IP address then ...") (O)
• Elaborate correlation rules with intermediate results (e.g. combining several simple rules and keeping track of previous results) (O)
• Flexible visualization and dashboards (O)
• Scalability (distributed system): can the solution be distributed over several hardware instances in order to improve scalability and performance over time? (O)
• User interface performance: can the user interface (and the corresponding application server, if applicable) run separately from the correlation engine, in order to avoid any impact on the UI responsiveness when the correlation engine is heavily loaded? (O)
• Extensible data model: is it possible to create custom objects and attributes to store additional data, and to use them for correlation and visualization? (O)
• Can the solution be deployed with a hierarchy of several SIEM systems? (e.g. several layers) (O)
• Does the system support data enrichment (adding external data to an "event" after it has been collected, to make it more relevant)? (O)
• Does the system support IP geolocation enrichment? (O)
• Does the system allow mapping IP addresses/hostnames to an internal network architecture (for instance associating a subnet or an asset type to an IP address/hostname; this is a specific type of data enrichment)? (O)
• Is the system limited in the maximum amount of information it can ingest, or is it fully scalable (meaning it can be extended indefinitely, assuming the number of servers is increased)? (O)
• Does the system allow load balancing between the data repositories? (O)
• Does the system allow data redundancy and server redundancy, so that one or several components can become unavailable without impacting access to the data? If it does, is the data redundancy counted in the license model (i.e. if the same event is stored 2 or 3 times, is that event counted as 2 or 3 events in the licensing model, or only as a single event)? (O)
• Can all the data, all the content and all the configuration files be easily backed up without having to stop a database or an application server? How easy is it to restore data? (O)
• Does the SIEM work with a fixed database schema for each event (for instance one field for the source address), or is there no fixed schema (a given event could for instance have multiple source IP addresses)? (O)
• Does the system allow running advanced analytical queries? (e.g. does it allow manipulating data in a nearly unlimited way, using a query language) (O)
• Can the data be sent to another system, and does it impact the license model? (O)
• Is there a native event source monitoring mechanism in the solution, to detect when event sources are failing to send data? (O)
• Is there a query optimization or query analyser mechanism in the solution, which can be used to analyse the performance impact of each query on the system and assist in optimizing those queries? (O)
• Is there an advanced monitoring mechanism in the solution that measures potential performance bottlenecks and gives clear information about what should be done to fix the limitation? (O)
• Is there a way to centrally manage all components, from the event collectors to the main SIEM servers? (O)
• Can the data collection mechanism be updated remotely, without having to access the server where the data resides? (O)
• For the reports and dashboards, is advanced customization possible? Can the reports be scheduled? Can the dashboards be automatically refreshed at a regular interval? (O)

Questions for Log Aggregation products only
Please indicate which features are supported by the product in the list below:
• Integration with custom event sources (with configuration or scripting) (O)
• Flexible visualization and dashboards (O)
• Scalability (distributed system) (O)
• User interface performance (O)
• Centralized Management and Configuration (O)
• Local search per site, from central server (O)
• Global search from central server: is a search on the central interface distributed to all remote instances, and are the results centrally aggregated in the management interface? (O)
• Powerful query language (O)
• URL of web page providing the list of third-party products that can be integrated as log/event sources (may also be provided in a separate document) (O)

Questions for Full Packet Capture (FPC) and Network Forensics products only
Please indicate which features are supported by the product in the list below:
• Flexible visualization and dashboards (O)
• Scalability (distributed system) (O)
• User interface performance (O)
• Local search per site (O)
• Global search from central server (O)
• Powerful query language (O)
• Integration with SIEM (O)
• Encrypted traffic decryption (SSL decryption) (O)
• Network flows generation from network traffic (NetFlow, IPFIX, JFlow, sFlow, …) (O)
• Centralized Management and Configuration (O)
• Metadata and file extraction (O)
• Application layer based indexed search (O)
• Can custom protocols be described and imported (custom protocol parsers)? (O)
• Passive application layer network traffic log generation (passive http, dns, smtp, ssl/tls cert-info...) (O)
• Real-time push-based data (and/or file) extraction based on pre-defined rules (example: extract all files of type X or containing Y to a folder or remote system) (O)

Questions for Orchestration / Automation products only
Please indicate which features are supported by the product in the list below:
• Provided with a library of reusable playbooks corresponding to cyber security processes, including incident response processes (O)
• Playbooks support a mix of automated and manual tasks (O)
• Fully customizable playbooks (O)
• URL of web page providing the list of third-party products that can be integrated for orchestration / automation (may also be provided in a separate document) (O)
• Can the solution record metrics on time savings, how often playbooks are triggered, and which aspects of playbooks are triggered? (O)

Questions for Network Aggregator and Tap products only
Please indicate which features are supported by the product in the list below:
• Network flows generation from network traffic (NetFlow, IPFIX, JFlow, sFlow, …) (O)
• Encrypted traffic decryption (SSL decryption) (O)
• Traffic aggregation (several ports into one) (O)
• Traffic filtering (for example to discard encrypted traffic) (O)
• Traffic splitting (one port into several) (O)
• Remote management and configuration (O)
• Fail safe (O)
• Support for "virtual inline" deployment of NIDPS (e.g. using software configuration of the aggregator to force network traffic to go through a NIDPS, as opposed to physical cables) (O)
• Integration with virtual infrastructures (e.g. virtual taps) (O)

Product Categories
• Firewall solutions
• Log collection solutions
• Security Information and Event Management solutions (SIEM)
• Network-based Intrusion Detection and Prevention Systems (NIDPS)
• Host-based Intrusion Detection and Prevention Systems (HIDPS)
• Combined security analytics of logs, network packets, network flows and endpoint information
• Threat Hunting solutions
• Cyber Threat Intelligence (CTI) management solutions
• Combined security systems (e.g. firewall with NIDPS)
• VoIP infrastructure security monitoring and boundary protection
• Data Leak Prevention solutions (DLP)
• Endpoint monitoring and incident response solutions, Endpoint Detection and Response solutions (EDR)
• Network Taps and Aggregators
• Full Packet Capture (FPC) and Network Forensics solutions
• Standalone Vulnerability Assessment Scanning solutions
• Distributed Vulnerability Assessment scanning solutions
• Web Application Vulnerability Assessment scanning solutions
• Penetration Testing solutions
• Standalone Computer Forensics solutions
• Remote/Distributed Computer Forensics solutions
• Cyber Security Incident Management solutions
• Orchestration/Automation solutions for Incident Response
• Cyber Defence Situational Awareness solutions (CDSA)
• Automated Sandbox/Detonation solutions for malware detection
• Sandbox/Detonation solutions for malware analysis
• Malware Analysis tools (reverse-engineering, debuggers, decompilers, static analysis, malware collection management, etc.)
• Standalone Digital Forensics solutions (disk, mobile phones, memory forensics, timeline generation, evidence management)
• Distributed/Remote Digital Forensics solutions (disk and memory forensics)
• Deception-based detection solutions (e.g. honeypots, honeytokens)
• Network flows generation/collection solutions (e.g. NetFlow, IPFIX and similar)
• SSL/TLS Decryption solutions
• Anomaly Detection solutions
• User and Entity Behavior Analytics (UEBA) and Insider Threat Detection solutions
• Website security monitoring and defacement detection solutions
• Cyber Security Data Analytics and Machine Learning solutions
• Several (please describe)
• Other (please describe)

License Models
• Per unit / installed instance (unit cost)
• Per protected end-user
• Per console/client user
• Per active user session
• Per protected endpoint/device
• Based on storage capacity
• Based on daily amount of ingested data
• Per usage (please describe below)
• Several (please describe below)
• Other (please describe below)

Currencies
• EUR
• USD
• GBP
• Other (please describe below)

Annex B.2 – Market Survey Q&A Pt 2 NATO UNCLASSIFIED

Cyber Security Solutions RFI Part 2 Answer Sheet - Architecture

1 Company Information

Questions / Answers
• Company Name
• Former Company Name (if applicable)
• Company Headquarters Country
• URL to company main webpage
• Company Logo (small picture)

2 Architecture Questions

Important note: Please make sure that all solutions mentioned in the answers to the questions below are also described in the answers to part 1 of this RFI, otherwise they cannot be taken into consideration for the architecture definition.

2.1 SSL Decryption for Monitoring and Filtering

Network traffic within the internal networks and towards external networks is increasingly encrypted at the application level, using protocols such as SSL/TLS. This evolution has a dramatic impact on the effectiveness of all security products that analyse the network traffic, such as application-level firewalls, network intrusion detection systems and full packet capture / network forensics tools.

Question: Which solutions do you propose to address that challenge, using existing products?

Answer:

2.2 Internal E-mail Traffic Monitoring and Filtering

Question: Which solutions do you propose to monitor and filter internal e-mail traffic (i.e. between internal employees of an organisation), using existing products? How do you propose to analyse encrypted e-mails (e.g. using S/MIME)?

Answer:

2.3 Service-specific Monitoring

Question: Which solutions do you propose to monitor and filter the following services specifically, in addition to generic security solutions using logs and network traffic capture (e.g. beyond SIEM and IDS), using existing dedicated products?

• Operating Systems (servers, clients, all endpoints)
• Network infrastructure (routers, switches)
• Active Directory infrastructure
• DNS Servers
• DHCP Servers
• Time Distribution (NTP/PTP Servers)
• Virtualisation Infrastructure
• Remote Access Services (VPN concentrators and clients)
• SAN Infrastructure
• File Servers (including NAS)
• Backup & Archive Systems
• Wireless Infrastructure
• VoIP/VTC Infrastructure
• Standard Desktop Applications
• Application Store
• Printing and scanning services
• Enterprise Portal Services (e.g. Microsoft SharePoint)
• Enterprise Real-Time communication infrastructure (e.g. MS Skype, Lync, Office Communicator)
• Internal Web Servers
• Externally Facing Web Servers
• Web Proxies
• Reverse Proxies
• Databases
• Firewalls
• Data diodes
• Authentication and Access Management Infrastructure
• NAC

Answer:

2.4 Netflow generation, collection, analysis and archiving

Question: Which solutions do you propose to generate, collect, analyse (e.g. for intrusion detection) and archive Netflow data (e.g. NetFlow, IPFIX or similar) corresponding to the network traffic, using existing products?

Answer:

2.5 Windows Events Collection

Question: Which solutions do you propose to collect, filter and enhance Windows event logs on each endpoint (client or server), and to centralize them into a single data store for further processing, using existing products?

Answer:

2.6 VoIP Infrastructure Monitoring and Filtering

VoIP infrastructures are increasingly integrated with IT networks, exposing them to more threats.


Question: Which solutions do you propose to protect VoIP infrastructures specifically, in terms of filtering (e.g. firewalls), monitoring and intrusion detection? Is it possible to integrate those solutions with the generic cyber security solutions (e.g. SIEM)?

Answer:

2.7 Log Storage

Question: Which solutions do you propose to store and archive very large volumes of logs, so that third party products can query and access the data for further processing?

Answer:

2.8 Security Effectiveness Monitoring

Question: Which solutions do you propose to regularly check the effectiveness of all the detection and prevention solutions deployed enterprise-wide (e.g. by generating network traffic that should trigger intrusion detection systems, by sending e-mails with attachments that should be blocked by gateways, etc.), in an automated or semi-automated way?

Answer:

2.9 Data Analytics

Question: Which solutions do you propose to perform large scale data analytics on all the data collected by security products (e.g. logs, alerts, netflows, packets) in order to complement a SIEM and to detect malicious activity that is difficult to catch with traditional tools?

Answer:

2.10 Monitoring strategies on mobile and thin clients

Question: Which solutions do you propose to monitor the security of mobile clients (e.g. laptops, smartphones, tablets) that connect to the enterprise network via a VPN, including the periods of time when they are used without being connected?

Answer:

2.11 Vulnerability Detection

Question: Which solutions do you propose to detect and identify vulnerabilities in software and configurations deployed throughout large enterprise networks, using various approaches such as active scanning through the network, passive scanning, endpoint agents, or connection to management systems (e.g. CMDB)?

Answer:

2.12 Network Mapping

Question: Which solutions do you propose to discover the detailed topology of large, distributed enterprise networks using various approaches such as active scanning through the network, passive scanning, endpoint agents, or connection to network management systems?

Answer:

2.13 DLP

Question: Which solutions do you propose to implement data leak detection and prevention (DLP)?

Answer: