Proposal For Customer Name - Sample
date
Confidential Document
Customer Name Proposal for <<Solution>>

Submitted By
XXXXX

Table of Contents
1 PREFACE ........................................................................ 4
3 CLIENT REFERENCES .............................................................. 19
4 TECHNICAL COMPLIANCE ........................................................... 21
7 TRAINING ....................................................................... 71
8 PREREQUISITES .................................................................. 73
9 PROJECT PLAN ................................................................... 74
10 BILL OF MATERIALS ............................................................. 77
11 ONSITE SUPPORT ................................................................ 78
13 RELATED DOCUMENTS ............................................................. 85

1 PREFACE
1.1 BUSINESS CONTEXT
The Central Bank of Kuwait (henceforth "<CUSTOMER NAME>" or "Client") was established in 1969 with a mission to lay the foundations of, and maintain, a flexible and stable monetary and financial system in the State of Kuwait. <CUSTOMER NAME>'s objectives include:

In order to strengthen its security posture, <CUSTOMER NAME> has raised a requirement for procuring a Security Information and Event Management solution. Through the RFP titled "Request for Proposal for Security Information and Event Management (SIEM) Solution", <CUSTOMER NAME> is evaluating service providers who can offer the services best suited to <CUSTOMER NAME>; this proposal is our response to those requirements.

• Recognized as a leading player in Gartner's MarketScope study for Managed Security Services in Asia Pacific for 4 years in a row: 2008, 2009, 2010 and 2011.
• Globally acclaimed information security firm: featured in Deloitte & Touche's annual Technology Fast 500 ranking for Asia-Pacific and the Fast 50 award for India in 2006, 2007, 2008, 2009, 2010 and 2011.
• <Company Name> was awarded the Best Banking Security Systems Project Award in the Asian Banker IT Implementation Awards Program for 2008 and 2009.
• <Company Name> is an authorized ASV and QSA recognized by the PCI Security Standards Council to help clients achieve PCI DSS compliance.
• Global footprint with operations in 8 countries (UAE, Oman, Qatar, Saudi Arabia, Malaysia, UK, US and India).
• 575+ customers worldwide, spread over 17 countries, across verticals including Banking & Finance, Telecom, Manufacturing, Oil & Gas, IT & ITES, Government, Regulatory Bodies and Aviation.
• Global recognition as a thought leader:
    • Presence in security research groups: Honeynet Alliance, OWASP, SecurityFocus
    • Co-authored books: Know Your Enemy, Enhancing Computer Security, Application Security in ISO 27001 Environment, Security Testing Handbook for Banking Applications
    • Published more than 95 research papers on information security
We are pleased to submit this proposal in response to <CUSTOMER NAME>’s RFP for Security
Information and Event Management (SIEM) Solution.

[Diagram: <Company Name> SOMP platform with its three service lines: Device Management, Threat Management and Vulnerability Management]

The platform not only enables us to provide unified delivery but also enables us to provide value-added intelligent information based on the data available from each service. The following diagram represents the components of the 3 service lines.

<Company Name> will use security metrics to track meaningful trends and provide predictive intelligence. A few sample dashboards and reports are:

The <Company Name> SOMP platform offers a customizable dashboard where users can pick and choose relevant graphs from over 50 readily available ones.

Another unique visibility feature is Asset 360, which shows asset characteristics along with information on the services the asset is enrolled for. Some of the information available on the Asset 360 page will be:

By providing multiple security services in an integrated fashion, the SOMP can provide intelligent information by correlating the output of the individual services. Some examples are:
• Vulnerability scan report integration with SIEM, so that an attack on an open vulnerability in an asset triggers a higher-priority alert.
• Application assessment report integration with monitoring events from server logs, WAF, HIDS and NIPS: a detected vulnerability is automatically given a higher rating if an attack event corresponding to that vulnerability is seen.
• Initiation of a scan by asset owners to check for the existence of a vulnerability corresponding to a detected attack event, enabling faster mitigation.
• Patch deployment based on a detected security event corresponding to the missing patch, enabling faster mitigation.
• Policy changes on security devices in response to a detected security event, enabling fast response to block attacks.
• Integration of Dynamic Application Security Testing (grey-box application testing) and Static Application Security Testing (code review).
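The first two correlations in the list above (an attack against an open vulnerability raises the alert's priority, and a vulnerability that is being attacked is raised in rating) can be shown with a small matching routine. The following is an added example written for this page; it is not SOMP or QRadar code, and the CVE identifiers (written CVE-XXXX-nnnn), host names, ports and rule names are constructed placeholders.

```python
# Added example, not code from the proposal, SOMP or QRadar: the two-way
# correlation described above, run over constructed scan results and
# detection events. CVE IDs, host names, ports and rule names are all
# constructed placeholders.
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    cve: str
    port: int
    severity: str          # scanner rating: low / medium / high / critical


@dataclass(frozen=True)
class Alert:
    asset: str
    rule: str
    cve: str = ""          # CVE the signature targets, when the feed provides one
    dst_port: int = 0
    priority: int = 3      # 1 = highest, 5 = lowest; this is the pre-correlation value
    reason: str = "baseline"


SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def bump_severity(severity: str) -> str:
    """Raise a scanner rating by one step, saturating at critical."""
    i = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(i + 1, len(SEVERITY_ORDER) - 1)]


def correlate(vulns: List[Vulnerability],
              alerts: List[Alert]) -> Tuple[List[Alert], Dict[Tuple[str, str], str]]:
    """Return (alerts re-prioritised, vulnerability ratings re-rated).

    An alert is matched to a vulnerability on the same asset by CVE when the
    signature carries one, otherwise by destination port. A CVE match is
    strong evidence and goes to priority 1; a port-only match to priority 2.
    Every matched vulnerability is raised one severity step because it is
    demonstrably being attacked."""
    vulns_by_asset: Dict[str, List[Vulnerability]] = {}
    for v in vulns:
        vulns_by_asset.setdefault(v.asset, []).append(v)
    ratings = {(v.asset, v.cve): v.severity for v in vulns}

    out: List[Alert] = []
    for a in alerts:
        hit = None
        for v in vulns_by_asset.get(a.asset, []):
            if a.cve:
                if v.cve == a.cve:
                    hit = v
                    break
            elif a.dst_port and v.port == a.dst_port:
                hit = v
                break
        if hit is None:
            out.append(a)
            continue
        new_priority = 1 if a.cve else min(a.priority, 2)
        out.append(replace(a, priority=new_priority,
                           reason=f"open {hit.cve} on {hit.asset}:{hit.port} rated {hit.severity}"))
        ratings[(hit.asset, hit.cve)] = bump_severity(ratings[(hit.asset, hit.cve)])
    out.sort(key=lambda x: x.priority)     # stable: ties keep arrival order
    return out, ratings


# Constructed inputs: what a scanner export and a day of IDS/WAF alerts might look like.
SCAN = [
    Vulnerability("web01", "CVE-XXXX-1001", 443, "medium"),
    Vulnerability("web01", "CVE-XXXX-1002", 80, "high"),
    Vulnerability("db01", "CVE-XXXX-2001", 1521, "high"),
]
EVENTS = [
    Alert("web01", "NIPS: exploit attempt matching CVE-XXXX-1002", cve="CVE-XXXX-1002", dst_port=80),
    Alert("web01", "WAF: SQL injection attempt", dst_port=443),
    Alert("app02", "WAF: SQL injection attempt", dst_port=443),   # no scan data for app02
    Alert("db01", "NIPS: Oracle listener probe", dst_port=1521),
]

if __name__ == "__main__":
    prioritised, rerated = correlate(SCAN, EVENTS)
    for a in prioritised:
        print(a.priority, a.asset, a.rule, "<-", a.reason)
    for key, sev in rerated.items():
        print(key, sev)
```

The alert against app02 keeps its baseline priority because nothing is known about that asset; in practice that is the signal to trigger the on-demand scan the third bullet describes, rather than to discard the alert.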
SOMP has rich collaboration features that allow users to interact with <Company Name> and other users within the organization on any issue. Some key highlights of this feature are:
• Discuss vulnerability or threat information through the portal. All discussion is saved in a conversation-like view.
• Track vulnerabilities or issues using the online service desk. Assign ownership of an issue to other users and track progress of mitigation.
• View reports on tickets and track ageing.

Example: How our innovative Banking Fraud Intelligence Services could benefit <CUSTOMER NAME>

Note: Fraud Intelligence Service is an optional offering that can be availed by <CUSTOMER NAME> as part of Managed Security Services at an extra cost based on mutual agreement. The above example is only a sample illustration of how clients benefit from innovative service offerings and enhancements when they engage <Company Name> for Managed Security Services. Please refer to Annexure-3C for details of <Company Name>'s Fraud Intelligence Service.

<Company Name> has won several awards for MSS. Prominent industry forums have recognized our innovative MSS model, including:
• Asian Banker Award for the best IT security project in 2008, awarded for our managed services at Kotak Mahindra Bank in India
• FIIA Innovation in Service Award for Enterprise Security Management (2009)
• Red Herring Technology Top 100 Award for our managed services technologies (2008)

<Company Name> proposes to replicate our innovative, award-winning and Gartner-recognized model at <CUSTOMER NAME>.

<Company Name> has worked with over 575 customers on a variety of services including consulting, security testing and managed services. This enables us to cross-pollinate ideas and solutions. As a result, our customers gain from our rich experience and are able to get comprehensive protection from threats and vulnerabilities.

We detail below the list of some of our key client engagements for MSS services.

2.

Location: India
Industry: Banking

Location: India
Industry: Banking
Technical Summary: Security Operations Centre (SOC)
• 24x7x365 log monitoring
• Incident Management
• Global Threat & Vulnerability Monitoring

• System Study
• Risk Assessment
• Security Review
• Anti-Phishing
• Security Management
• Security Monitoring
• Ongoing Risk Assessment
• Global Threat Intelligence

<Company Name> has several references for SIEM implementation and Managed Security Services. Recently, <Company Name> was awarded a multi-million Euro, multi-year contract for managed security services for one of the top banks in Europe. <Company Name> was selected after careful evaluation by the bank, in competition with 17 other vendors from various parts of the globe (most of whom are currently submitting proposals to <CUSTOMER NAME>).

3 CLIENT REFERENCES
Company name:
Project Title: SIEM Implementation & Connector Development
Project Description / Deliverables: Supply and implementation of SIEM log monitoring solution components to monitor the bank's systems, devices, databases, security solutions and security events from the IT systems and applications.
Month / Year contracted (project start and end date):
Contact person name:
Contact person phone & fax numbers:
Contact person email address:
Contact details / address:
Bidder engineer involved in implementation:
Additional comments:

4 TECHNICAL COMPLIANCE

Status column values: Yes\Supported / No/ Not Supported / Customization required

Seq | Requirement | Status | Notes / Reference to Proposal sections

Core Features
1 | Solution should provide Log Management & Compliance Reporting (SIM) functionality | Yes\Supported | The proposed solution provides both log management and compliance reporting functionality.
2 | Solution should facilitate real-time monitoring and incident management (SEM - Threat Management) functionality | Yes\Supported | The proposed solution provides real-time monitoring and incident management. QRadar notifies analysts about "offenses", which are correlated sets of incidents carrying all the details needed for investigation. QRadar offense management is a built-in workflow tool; integration with a 3rd-party incident management/ticketing tool is also possible.
3 | Ability to maintain an asset register or database for the organization's servers | Yes\Supported | QRadar maintains an asset inventory for all assets integrated with the solution. QRadar supports a wide range of auto-discovery features that greatly simplify security management tasks. Key auto-discovery features include a built-in Asset Profile database that tracks assets and associated identity data. The Asset Profile builds lists of services running on a host based on how the host responds to network traffic, using flow data. QRadar also provides automated classification of assets, called Server Discovery, which greatly improves the rule tuning and deployment process. The Server Discovery process can automatically categorize assets based on specific attributes learned from collected data (i.e. events, flows and vulnerability data).
4 | Ability to upload the asset register manually from a CSV file | Yes\Supported | Manual asset upload from a CSV file is possible with QRadar.
5 | Ability to integrate with McAfee Vulnerability Manager, at a minimum for the below | Yes\Supported | McAfee Vulnerability Manager integration with QRadar is supported.
5.1 | To gather asset details with risk level | Yes\Supported |
5.2 | To gather the vulnerability details related to assets | Yes\Supported |
5.3 | List any detected known vulnerability and be able to notify the other relevant server for the same | Yes\Supported |
6 | Ability to integrate with external intelligence services to identify any malicious connection from external to <CUSTOMER NAME> or from <CUSTOMER NAME> to any external bot-net service, malware communications or virus propagation, along with detailed threat information and mitigation guidelines | Yes\Supported | QRadar employs a number of threat and security sources to provide external security context and geographical context. This is integrated into all views and capabilities within the product. Sources include but are not limited to:
    • Geographic: MaxMind (http://www.maxmind.com)
    • Top Targeted Ports: DShield (http://www.dshield.org)
    • Botnets: Emerging Threats (http://www.emergingthreats.net/rules/emerging-botcc.rules)
    • Bogon IPs: http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    • Hostile Nets: http://www.emergingthreats.net/rules/emerging-botcc.rules
    • Smurf: http://www.emergingthreats.net/rules/emerging-botcc.rules
    These feeds are updated and pushed out to customers through an auto-update service. The same update service also delivers updates for event mappings, vulnerability mappings (e.g. CVE, OSVDB ID), application mappings and new Device Support Modules.
7 | Ability to provide a dashboard (visual notation) to display top threats | Yes\Supported | The QRadar solution can deliver multiple dashboards that can be customized to meet the specific requirements of different users. QRadar dashboards provide a high-level overview of the data being collected and can be customized per user based on their role. Each user can create their own "workspaces" of the events and data types they want to be aware of. Over 75 dashboard templates are included by default, ranging from security offenses to device statistics to top attackers. In addition, any user-defined event or flow search can be used as a dashboard element.
12 (continued) | ... Consolidation, Management and reporting) and should provide flexibility in configuring the layers (modules) along with support for secure protocols for the communication | | ... to all the event processors to receive data.
13 | The solution should provide a method of collecting the logs from the target operating systems and applications with the following methods (specify details in notes column) | Yes\Supported | QRadar provides broad support across a variety of collection methods, including:
    • Syslog (TCP/UDP)
    • SNMP (v2 and v3)
    • JDBC
    • OPSEC LEA
    • SDEE
    • WMI (Windows agentless method of collecting Windows Event Logs)
    • ALE (Adaptive Log Exporter agent for Windows, used to collect application logs not included in the Windows Event Logs)
    • Log File Protocol source (supports collection of log files via FTP, SFTP and SCP)
    • NVP (a simple name-value pair format that allows users to send logs to QRadar in an efficient format)
    • Sourcefire eStreamer
14 | Solution should be manageable by the following methods (describe the requirements in the notes column) in a secure manner (AES, RSA, IDEA encryption algorithms only) | Yes\Supported | A web-based interface and a command line interface (CLI) are available; the CLI is reached over an SSH console to the appliance.
14.1 | Thin client (web based) | Yes\Supported |
14.2 | Thick client (with client software) | No/ Not Supported |
15 | Solution should provide a facility to archive the logs and should utilize the below (<CUSTOMER NAME> should be able to select one or more of the below) | Yes\Supported |
15.1 | Own storage; list the details in notes column (size, speed and type) | Yes\Supported | The proposed QRadar appliances support up to 6 TB of storage.
15.2 | EMC SAN storage (list supported SAN connectivity methods) for storing all collected logs, reports and other asset-related details | Yes\Supported | QRadar supports high-speed external storage solutions such as IP SANs or Fibre Channel SANs.
15.3 | Microsoft file shares | Yes\Supported |
15.4 | Secure FTP (certificate or public key authentication) | No/ Not Supported |
16 | Solution should support enforcement of an archival policy for collected logs from the target systems / applications / devices and should support at a minimum the below | Yes\Supported | QRadar can group servers / devices / applications and enforce an archival policy per group. Different storage paths / methods and different time limits for archival policies can be set.
16.1 | Ability to group the servers / devices / applications and enforce archival policy | Yes\Supported |
16.2 | Ability to support various storage paths / methods and different time limits for different archival policies | Yes\Supported |
17 | The solution should record all activities performed on the SIEM solution as audit trails. The events that should be audited include but are not limited to the below | Yes\Supported | Audit trails are supported by QRadar.
17.1 | Identification of the user who performed the activities (who did the activities) | Yes\Supported |
17.2 | Details of what activity was performed (what was performed) | Yes\Supported |
17.3 | When the activity was performed on an object by a user (when the activity was performed) | Yes\Supported |
17.4 | Status of the activity (success or failure) | Yes\Supported |
18 | Ability to place the collection agent or system or service at remote offices or different locations, if required | Yes\Supported |
19 | Ability to back up configuration / collected logs from the solution directly, or ability to integrate with Symantec NetBackup software for backup | Yes\Supported | QRadar can be integrated with Symantec NetBackup to back up all data.
20 | Ability to enforce segregation of duties (e.g. appliance management, account creation, log monitoring, log capturing / retention policies etc). Specify in the notes column how the solution provides the segregation | Yes\Supported |
21 | Ability to meet future requirements (more target devices, higher EPS, more physical remote offices); list the details in notes column | Yes\Supported |
22 | List the details of the high-availability features of the solution (Active-Active / Active-Passive) | Yes\Supported | The QRadar SIEM solution can be deployed in a high availability (HA) configuration. The QRadar HA architecture can use redundant active-active / active-passive appliance pairs for any distributed component for automated failover (i.e. Console, Event Processors, All-in-One solutions etc.). The QRadar HA architecture is completely integrated into QRadar's core capabilities and does not require any additional 3rd-party services or software.
23 | How does the solution work in a disaster situation? Will the agents be configured to automatically send logs to the backup site, or is a manual switchover needed? Kindly list the details with disaster scenarios | Yes\Supported | The proposed solution includes high availability; in case of a disaster an automatic switchover to the HA appliance takes place, so the solution keeps working without interruption.

Enterprise Integration
24 | Solution must integrate with Microsoft Active Directory as the primary authentication | Yes\Supported | QRadar supports integration with multiple 3rd-party directory systems for authentication. The following authentication methods are supported:
    • System authentication
    • RADIUS
    • TACACS(+)
    • LDAP
    • Active Directory
25 | Ability to integrate with the following products for strong-factor authentication (specify the details of product integration in the notes column for each category stated below) | Yes\Supported |
25.1 | RADIUS | Yes\Supported |
25.2 | PKI and smartcards (GemSafe smartcards) | Yes\Supported |
25.3 | VASCO tokens | Yes\Supported |

... column
33 | Does the solution use any third-party software? If yes, kindly list the software and licensing requirements | No/ Not Supported | QRadar doesn't use any 3rd-party software.
34 | In case third-party software is needed, kindly list any other options available to avoid the installation of third-party software | No/ Not Supported |
35 | Does the license have any expiry date, or is it a one-time (perpetual) license? | Yes\Supported | The QRadar license depends on the EPS count; once the EPS count crosses the licensed limit, a license upgrade is required.
36 | Is the licensing based on the number of target systems / applications managed? | No/ Not Supported | Licensing is based on the EPS count.
37 | Is the licensing based on the number of events collected from the various target systems? Kindly list the details | Yes\Supported | The QRadar license depends on the EPS count; once the EPS count crosses the licensed limit, a license upgrade is required.
38 | Is the licensing based on the number of administrative users? Kindly list the details | No/ Not Supported | Licensing is based on the EPS count.
39 | Is the licensing based on the number of concurrent connections (administration / monitoring) to the solution? | No/ Not Supported | Licensing is based on the EPS count.
40 | Is a separate license required for integration with the CA Service Desk ticketing system to create incident tickets? | Customization required | Professional services need to be engaged to create a custom DSM to integrate it (3 man-days).
41 | Does the solution require an additional license for High Availability? | Yes\Supported | A license for High Availability is required; it is bundled with the HA appliance. Please refer to the BOM section of the proposal for the proposed solution. If the EPS count exceeds the limit, a license upgrade is required.
42 | Is a separate license required for integration with a. McAfee Vulnerability Manager 7.0, b. IBM Rational AppScan? | Customization required | Professional services need to be engaged to create a custom DSM to integrate it (3 man-days).
43 | Other license requirements, kindly list in notes column | No/ Not Supported | No other license is required beyond what is mentioned in the BOM.
44 | How does the solution behave when a license violation occurs, for the below scenarios? | Yes\Supported |
44.1 | Violation of events per second (EPS) | Yes\Supported | If the system is above the EPS license limit for 50% of an hour, a system notification is sent to the console and written to qradar.log stating that the license limit has been reached. This allows short spikes in events to be processed while still notifying a user if the incoming rate is above the license for a sustained period of time. If you are consistently over your license you will receive a notification in the UI and in qradar.log; check the license and run event searches grouped by log source type to see which log sources are sending the most data.
44.1.1 | For a specific period (a few hours) | |
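The behaviour described in 44.1 (a spike passes, a sustained overage notifies, and the next step is to find which log source types are sending the most) can be modelled with a one-hour sliding window of per-second samples. The following is an added example written for this page, not QRadar's own licence code; the window length, the "half of an hour" threshold, the licence limit and the traffic mix are constructed values chosen to mirror the text.

```python
# Added example, not QRadar's code: a minimal model of the EPS licence
# check described in 44.1. One sample per second records whether the
# incoming rate was above the licensed EPS; a notification is raised only
# when at least half of the last hour's samples are over the limit, so a
# short spike passes while a sustained overage does not. The traffic mix,
# licence limit and log source names below are constructed.
from collections import Counter, deque
from typing import Deque, Iterable, List, Optional, Tuple

WINDOW_SECONDS = 3600        # one hour of one-second samples
SUSTAINED_FRACTION = 0.5     # share of the window that must be over the limit


class EpsLicenseMonitor:
    """Tracks per-second event rates against a licensed EPS limit."""

    def __init__(self, licensed_eps: int, window: int = WINDOW_SECONDS) -> None:
        self.licensed_eps = licensed_eps
        self.window = window
        self._samples: Deque[int] = deque()   # 1 if that second was over the limit
        self._over = 0                        # how many samples in the window are 1
        self._by_source: Counter = Counter()  # events per log source type, for triage

    def observe_second(self, events: Iterable[Tuple[str, int]]) -> Optional[str]:
        """Record one second of traffic as (log_source_type, count) pairs.

        Returns the notification text while the overage is sustained,
        otherwise None."""
        total = 0
        for source_type, count in events:
            total += count
            self._by_source[source_type] += count
        flag = 1 if total > self.licensed_eps else 0
        self._samples.append(flag)
        self._over += flag
        if len(self._samples) > self.window:
            self._over -= self._samples.popleft()
        if self._over >= SUSTAINED_FRACTION * self.window:
            return (f"EPS licence limit {self.licensed_eps} exceeded for {self._over}s "
                    f"of the last {self.window}s; top sources: {self.top_sources(3)}")
        return None

    def top_sources(self, n: int = 3) -> List[Tuple[str, int]]:
        """The log source types sending the most events, as 44.1 suggests checking."""
        return self._by_source.most_common(n)


def run_constructed_scenario(licensed_eps: int = 1000) -> Tuple[Optional[int], List[Tuple[str, int]]]:
    """Replay constructed traffic: a 10 s spike, a quiet stretch, then a
    sustained overage. Returns (second at which the first notification
    fired, top two log source types)."""
    monitor = EpsLicenseMonitor(licensed_eps)
    plan = [
        (10,   [("Windows Security", 2500), ("Firewall", 500)]),   # 3000 EPS spike
        (600,  [("Windows Security", 500), ("Firewall", 300)]),    # 800 EPS, under limit
        (1800, [("Windows Security", 900), ("Firewall", 300)]),    # 1200 EPS, sustained
    ]
    first_alert = None
    second = 0
    for seconds, mix in plan:
        for _ in range(seconds):
            if monitor.observe_second(mix) is not None and first_alert is None:
                first_alert = second
            second += 1
    return first_alert, monitor.top_sources(2)


if __name__ == "__main__":
    print(run_constructed_scenario())
```

In the constructed replay the 10-second spike at three times the limit produces nothing, and the first notification appears only once 1800 over-limit seconds sit inside the window, which is what lets a licence check tolerate bursts without missing a real capacity problem.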
... available
48.3 | Intermediate server / service needs to be built for automatic download | No/ Not Supported | No intermediate server / service is required to download the patches.
49 | In case of direct internet connection update or intermediate server / service update, kindly provide the details for the below | Yes\Supported |
49.1 | Can the updates be scheduled? | Yes\Supported | Updates can be scheduled and can also be run on an ad-hoc basis.
49.2 | Can the updates be performed on an ad-hoc basis? | Yes\Supported |
49.3 | Can the solution receive updates/patches through a Microsoft ISA proxy with NTLM / NTLM v2 authentication support? | Yes\Supported | QRadar can be configured to receive updates/patches through the proxy.

System Support
50 | Does the bidder provide 24x7 support for the solution? | Yes\Supported |
51 | Specify in notes column any special support services available for the below | Yes\Supported | QRadar's escalation mechanism is guided by our SLA response-time matrix based on issue categories. Depending on the issue priority, our Issue Management System automatically triggers notification and escalation based on the response-time requirement. This escalation includes middle and senior management and the customer account team, depending on issue priority.
    • Priority 1 issues: response time 30 mins; progress time 4 hrs; restore time 1 day
    • Priority 2 issues: response time 1 day; progress time 2 days; restore time 30 days
    • Priority 3 issues: response time 2 days; progress time 14 days; restore time: Q1 Labs and the Customer will commit, during business hours, the resources required to provide updates on the issue being monitored
51.1 | Response times | Yes\Supported |
51.2 | Resolution time | Yes\Supported |
51.3 | Replacement time | Yes\Supported |
51.4 | Closure time | Yes\Supported |
51.5 | On-line (email, web, phone) | Yes\Supported |
51.6 | On-site | Yes\Supported |
51.7 | On-demand | Yes\Supported |
52 | How much time does it take to replace the solution (appliance or hardware, if supplied) in case of failure? | | With the proposed premium support the appliance will be replaced within four business days in case of failure.
53 | Does the bidder provide technical support from a Kuwait office? | | A dedicated team of technical resources is available in the region to support <CUSTOMER NAME> during any exigencies or issues related to the proposed solution. Please refer to the proposal for details.
54 | If there is no support from a Kuwait office, how would you support <CUSTOMER NAME>? | | See the note on 53.

Data storage, backup, archival
55 | Ability to gather audit events generated by 50 devices (combination of Windows, Unix, custom applications and networking devices) concurrently | Yes\Supported | QRadar can gather audit events generated by the devices integrated with it.
56 | Ability to store collected logs (RAW + correlated events + reports) in the EMC SAN storage | Yes\Supported | Online and near-line logs can be stored directly on QRadar appliances, which support up to 6 TB of storage, or on high-speed external storage solutions. QRadar can also store archived offline data in external storage for future analysis.
57 | Ability to store archived logs (RAW + correlated events + reports) in the EMC SAN storage | Yes\Supported |
58 | Ability to store RAW logs in a read-only file system (EMC storage) | Yes\Supported |
59 | Solution should be able to work with more devices (receiving, storing, real-time correlation and archival) seamlessly without changing or adding more modules / hardware components. Kindly list the product support matrix in notes column or add the product documents | Yes\Supported | Device integration in QRadar is very simple: out-of-the-box supported devices can be added to the system without any additional modules / hardware components. Please refer to the supported device list: http://q1labs.com/products/supported-devices.aspx
60 | Solution should be able to fetch / query archived data off-line from a SAN or from an alternate data source without restoring it to the SIEM solution | Yes\Supported | External storage can be attached to QRadar and configured so that all events are stored and analysed in the external storage automatically. Querying off-line archived data is not possible.
61 | Solution should have a facility to define different policies for data retention, at a minimum for the below | Yes\Supported | The customer can define and set different retention policies for different groups.
61.1 | Test servers | Yes\Supported |
61.2 | Production servers | Yes\Supported |
61.3 | Database servers | Yes\Supported |
61.4 | Custom application servers | Yes\Supported |
62 | Solution should be able to encrypt the data while storing or archiving, or when exporting for backup purposes | Yes\Supported | All communications between QRadar components are encrypted using the SSH protocol.
63 | List the storage size based on the licenses requested | Yes\Supported | According to the proposed solution, the QRadar appliance comes with 6 TB of onboard storage.
64 | List the guidelines for calculating storage space based on the system types | Yes\Supported | Storage is calculated based on EPS and the log size, which depends on the device type.
65 | Do you store the logs (RAW / normalized), events and reports in compressed format? If yes, indicate the compression ratio | Yes\Supported | QRadar automatically compresses stored data on an on-demand basis. The compression ratio is 10:1.

Other Requirements
66 | Has your solution been audited by any reputed third-party security testing company for vulnerabilities? If yes, kindly attach the certificate and sample report issued by the third-party company | Yes | We are currently EAL 3 certified and FIPS Level 1 certified.
67 | Do you offer secure implementation guidance for your solution? If yes, kindly provide the same as part of the proposal and commit to follow it during implementation | Yes | Secure implementation guidelines will be followed during implementation as part of our best practices; the details will be discussed during the kick-off meeting.
68 | What is your vulnerability response process? If a vulnerability in your solution is identified by anyone and reported to you, what is the process you follow to handle it? | Yes | Our solution is based on CentOS, a stripped-down Linux build from which we removed unnecessary services.
69 | If <CUSTOMER NAME> identifies any security vulnerability in the solution, the bidder is required to fix such vulnerability with high priority at no cost. Kindly confirm your acceptance of this and indicate the time period within which you commit to provide a fix to remediate the identified vulnerability | Yes | We have a dedicated team that will immediately work on fixing a weak point or bug in our appliances. Our dedicated team constantly works on identifying vulnerabilities and solutions for them.
70 | What process improvements have you made as a result of vulnerabilities reported in your solution in the past? | Yes |
71 | Limitation of concurrent sessions: must not allow multiple concurrent sessions for the same user (i.e. single-session sign-on per user) | Yes\Supported |
72 | The system should not store passwords hard-coded or unencrypted. This includes but is not limited to user passwords stored in databases, flat files and configuration files such as ini and XML files | Yes\Supported | QRadar performs hashing on all incoming log files. QRadar supports SHA-1, SHA-2 and MD5. In addition, QRadar provides a utility that allows the user to run integrity checks against searched data, which reports and warns if any files were manipulated.
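The integrity check mentioned in 72 (hash archived data, later re-hash and warn if anything was manipulated) is easy to get wrong if each file is hashed in isolation, because a deleted or reordered record then goes unnoticed. The following added example, written for this page and not QRadar's own utility, chains each raw log line's SHA-256 digest to the previous one so that verification reports the first broken link; the log lines are constructed samples.

```python
# Added example, not QRadar's integrity utility: a SHA-256 hash chain over
# archived raw log lines, so that a later check detects an edited,
# deleted or reordered line and reports where the chain first breaks.
# It illustrates the kind of check described in 72 (and the raw-log
# preservation asked for in 82). The log lines are constructed samples.
import hashlib
import hmac
from typing import List, Tuple

GENESIS = "0" * 64   # digest the first line is chained to


def chain_digest(previous: str, line: str) -> str:
    """Digest of one line bound to the digest of the line before it."""
    h = hashlib.sha256()
    h.update(previous.encode("ascii"))
    h.update(b"\n")
    h.update(line.encode("utf-8"))
    return h.hexdigest()


def seal(lines: List[str]) -> Tuple[List[str], str]:
    """Return (per-line chain digests, final seal).

    The digests can travel with the archive; the seal is the one value to
    keep out of band (write-once media, a signed record), since anyone who
    can rewrite the archive can also rewrite digests stored beside it."""
    digests: List[str] = []
    prev = GENESIS
    for line in lines:
        prev = chain_digest(prev, line)
        digests.append(prev)
    return digests, prev


def verify(lines: List[str], digests: List[str], expected_seal: str) -> Tuple[bool, int]:
    """Recompute the chain and return (ok, index of first broken link).

    The index is -1 when every link matches; ok is then True only if the
    final digest also equals the out-of-band seal (so a consistent
    truncation of both lines and digests is still caught)."""
    prev = GENESIS
    for i, line in enumerate(lines):
        prev = chain_digest(prev, line)
        if i >= len(digests) or not hmac.compare_digest(prev, digests[i]):
            return False, i
    if len(digests) != len(lines):
        return False, len(lines)          # digests exist for lines that are gone
    return hmac.compare_digest(prev, expected_seal), -1


# Constructed sample raw log lines.
SAMPLE_LINES = [
    "Jan 12 10:00:01 fw01 kernel: DROP SRC=203.0.113.7 DST=198.51.100.2 DPT=22",
    "Jan 12 10:00:05 ad01 Security: 4625 logon failure user=svc_backup src=198.51.100.40",
    "Jan 12 10:00:09 ad01 Security: 4624 logon success user=svc_backup src=198.51.100.40",
]


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int], Tuple[bool, int]]:
    """Seal the sample, then verify the intact, an edited and a shortened copy."""
    digests, seal_value = seal(SAMPLE_LINES)
    intact = verify(SAMPLE_LINES, digests, seal_value)
    edited = list(SAMPLE_LINES)
    edited[1] = edited[1].replace("4625 logon failure", "4624 logon success")
    edited_result = verify(edited, digests, seal_value)
    deleted_result = verify(SAMPLE_LINES[:1] + SAMPLE_LINES[2:], digests, seal_value)
    return intact, edited_result, deleted_result


if __name__ == "__main__":
    print(demo())
```

Rewriting the failed logon as a success, or dropping that line altogether, both surface as a break at index 1. The seal is what answers the RFP's "were any files manipulated" question; the per-line digests only tell you where.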
73 The system should support Yes\Supported
encryption of the password
during the transmission over All communications between QRadar components are
the network and preferably encrypted using the SSH protocol.
implement challenge/ response
mechanisms for authentication
74 The system should use Yes\Supported
standard and proven
algorithms such as AES, RSA,
and IDEA to encrypt
communication between
modules as well as with
external systems. No
proprietary algorithms should
be used.
75 Ability to provide work-flow Yes\Supported we can generate SNMP traps when an offense occurs that
(minimum 2 to 3 levels) for can be used by other in-line devices to stop malicious traffic.
35 | P a g e
Confidential Document
remediating the identified We can also use SNMP traps directed to third part devices for
threats tickets as an example
Software & Hardware
details
76 Does the solution require No/ Not All hardward/software and licenses are bundled with the
special software to operate? if Supported product, no additional specialized hardware/softwares are
yes, list the details in notes required for this solution.
column
77 Does the solution require No/ Not
specialized hardware to Supported
operate? If yes, list the details
in notes column
78 Kindly provide the bench mark Will be provided upon request.
details of the solution
79 | Does the solution provide fail-safe or fail-open behaviour in case of solution or component failure? | Yes\Supported | The QRadar SIEM solution can be deployed in a high availability (HA) configuration. The QRadar HA architecture can use redundant active/active or active/passive appliance pairs for any distributed component for automated failover (i.e. Console, Event Processors, All-in-One solutions etc.).
80 | Is the solution's operating system open source or custom built for this purpose? | Yes\Supported | QRadar is a Linux-based solution; it uses CentOS.
Collection
81 | Ability to transmit encrypted log data between the solution device and the collection system. Please specify the encryption techniques supported by the solution | Yes\Supported | All communications between QRadar components are encrypted using the SSH protocol.
82 | Ability to preserve RAW log data until users delete it manually or the content expires under the retention policy | Yes\Supported | Raw logs are deleted automatically once the retention policy expires.
83 | Ability to provide real-time collection | Yes\Supported |
84 | Ability to provide, at a minimum, the following details about the logged data from each target device while performing log collection | Yes\Supported |
84.1 | Host name | Yes\Supported | All the fields that are part of the raw log are normalized and displayed in the appropriate field, which can be viewed using the QRadar web console.
84.2 | IP address | Yes\Supported |
84.3 | Date and time | Yes\Supported |
84.4 | Number of audit events collected | Yes\Supported |
84.5 | Log type | Yes\Supported |
85 | Ability to correct the date and time collected from a wrongly configured device as an extra field (not updating the existing date/time value) | Yes\Supported | All event timestamps in QRadar are translated to Coordinated Universal Time (UTC).
86 | Ability to alert if a managed system ceases log transmission | Yes\Supported |
87 | Ability to provide evidence and suggest recommendations for remediating the identified threats | Yes\Supported | QRadar's offense management supports annotating the offense. Notes are tagged with the user who created them and the time at which they were made, providing a detailed timeline of the investigation.
88 | List the solution specifications (hardware or software or both) for the collection system | Yes\Supported | The QRadar event processor, which is responsible for collecting events from different devices, is bundled with the product; no special hardware or software is required.
89 | Ability to store data at the collection system temporarily in case of loss of communication to the log storage or event management solution | Yes\Supported | The QRadar event processor can store events for a certain period in case of a communication failure.
90 | If yes for the above, the system should protect the stored data from administrator modification and notify of such occurrences | Yes\Supported |
91 | Ability to enforce queuing / log update from a collection system to the log storage or event management solution based on a scheduled time or on bandwidth utilization within the network, and to prioritize over the WAN | Yes\Supported | The proposed QRadar solution is a single all-in-one appliance; no separate log collection, processing and storage tier is required, so QRadar keeps bandwidth utilization in the network very low.
92 | Ability to perform RAW log data backup | Yes\Supported | QRadar has the capability to back up the raw logs.
93 | Ability to convert the RAW logs into a form that is understood by the collection system only, without tampering with the RAW log | Yes\Supported | QRadar performs hashing on all incoming log files; QRadar supports SHA-1, SHA-2 and MD5.
94 | Ability to add custom fields to the logs collected, with an appropriate audit trail generated | Yes\Supported |
95 | Ability to support an RDBMS for storing RAW log data; if not, list the storage options with format details | Yes\Supported | QRadar uses a custom-built proprietary database.
96 | Provide the list of supported platforms as requested in the platform matrix. If a target system used by <CUSTOMER NAME> is not in the list (provided by you), then provide the details below | Yes\Supported | Please refer to the following link for the supported device list: http://q1labs.com/products/supported-devices.aspx
96.1 | How difficult is it to customize for custom application logs? | Yes\Supported | Using QRadar's UDSM (Universal Device Support Module), it is very easy to create a log source extension for devices that are not supported out of the box.
professional service
97 | Ability to collect NetFlow (traffic flow) | Yes\Supported | The proposed QRadar solution has the built-in capability to collect NetFlow and J-Flow.
98 | Ability to collect J-Flow (Juniper network traffic flow) | Yes\Supported |
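Requirements 72 and 93 above rest on hashing the collected log files and running an integrity check over them. The block below is an added illustration of that check, written for this page and not QRadar's own utility: it seals a directory of log files with a SHA-256 manifest and a keyed HMAC, then re-verifies the directory after one file has been altered. The directory layout, the key and the two log files are constructed assumptions. One caveat a reviewer of requirement 93 should note: MD5 and SHA-1, both listed as supported, are no longer collision-resistant, and an unkeyed digest stored next to the logs can simply be recomputed by whoever edits the logs, so it is the keyed tag, with the key held off the log host, that actually detects deliberate tampering.

```python
"""Log-archive integrity check: SHA-256 manifest plus keyed HMAC.

Added example for requirements 72/93 (hashing of collected log files and an
integrity-check utility). Illustrative code, not QRadar's own utility.
Assumptions: logs are plain files under one directory; the manifest and the
HMAC key are kept off the log host; file names and log lines are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile

HASH = "sha256"  # SHA-2 family. MD5 and SHA-1 are listed as supported by the
                 # vendor but are not collision-resistant; prefer SHA-2.


def build_manifest(log_dir: str, key: bytes) -> dict:
    """Return {filename: {"sha256": hex, "hmac": hex}} for every file in log_dir.

    The plain digest catches accidental corruption. The HMAC, keyed with a secret
    that is not stored on the log host, catches deliberate edits: an attacker who
    rewrites a file cannot recompute a valid tag without the key."""
    manifest = {}
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        manifest[name] = {
            HASH: hashlib.new(HASH, data).hexdigest(),
            "hmac": hmac.new(key, data, HASH).hexdigest(),
        }
    return manifest


def verify(log_dir: str, manifest: dict, key: bytes) -> dict:
    """Re-hash every file and classify it as ok, modified, missing or added."""
    current = build_manifest(log_dir, key)
    result = {"ok": [], "modified": [], "missing": [], "added": []}
    for name, recorded in manifest.items():
        now = current.get(name)
        if now is None:
            result["missing"].append(name)
        elif hmac.compare_digest(now["hmac"], recorded["hmac"]):
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    result["added"] = sorted(set(current) - set(manifest))
    return result


def demo() -> dict:
    """Constructed scenario: seal two log files, tamper with one, verify."""
    key = b"constructed-demo-key-keep-off-the-log-host"
    with tempfile.TemporaryDirectory() as log_dir:
        logs = {  # constructed sample log lines
            "fw01.log": "Mar 15 14:02:11 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/4321 dst inside:10.0.0.5/22\n",
            "dc01.log": "Mar 15 14:02:12 dc01 EventID=4625 Account=svc_backup Status=0xC000006A\n",
        }
        for name, text in logs.items():
            with open(os.path.join(log_dir, name), "w") as fh:
                fh.write(text)
        manifest = build_manifest(log_dir, key)
        # An intruder rewrites the firewall log to remove the denied SSH attempt.
        with open(os.path.join(log_dir, "fw01.log"), "w") as fh:
            fh.write("Mar 15 14:02:11 fw01 %ASA-6-302013: Built outbound TCP connection\n")
        return verify(log_dir, manifest, key)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the verification result for the constructed sample: `fw01.log` is reported as modified and `dc01.log` as intact.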
Normalization
99 | Ability to permit normalization of log data (including NetFlow and J-Flow traffic) | Yes\Supported | All logs/flows collected are normalized by the QRadar solution.
100 | Ability to normalize data in a real-time environment; must support the below | Yes\Supported |
100.1 | Time | Yes\Supported | Compliant
100.2 | IP address | Yes\Supported |
100.3 | Host name | Yes\Supported |
100.4 | Event type | Yes\Supported |
100.5 | Device | Yes\Supported |
100.6 | List the other categories | Yes\Supported |
101 | Ability to reprocess data from the last point of failure | Yes\Supported | In case of disaster or failure of the primary solution, an automatic switchover to the secondary HA appliance occurs; all events are collected by the HA appliance and processing continues immediately after the failure.
102 | Ability to view built-in normalization rules | Yes\Supported |
103 | Ability to define and customize normalization rules | Yes\Supported |
104 | Ability to view RAW log data in association with normalized data | Yes\Supported | The QRadar log viewer allows real-time views of both the original unmodified event and the fully normalized version of the event.
105 | Ability to store normalized data in defined storage areas | Yes\Supported | Compliant
106 | Ability to notify of unprocessed logs | Yes\Supported |
107 | Ability to store unprocessed logs | Yes\Supported | QRadar can store the unprocessed logs.
108 | Ability to perform multiple normalization tasks | Yes\Supported |
109 | Ability to support data aggregation | Yes\Supported |
110 | Ability to transfer normalized data to an RDBMS; if not, list the format / storage type details | Yes\Supported | QRadar uses a custom-built proprietary database.
Correlation
111 | Ability to perform and support correlation of real-time logs | Yes\Supported | QRadar supports real-time correlation and analysis of events.
112 | Ability to support correlation using the following | Yes\Supported | Compliant
112.1 | Rule based (signatures) | Yes\Supported |
112.2 | Pattern matching (anomaly detection) | Yes\Supported |
112.3 | Vulnerability trends | Yes\Supported |
112.4 | Behaviour analysis | Yes\Supported |
112.5 | Specify other methods supported by the solution | Yes\Supported |
113 | Ability to create and customize correlation rules | Yes\Supported | QRadar has the capability to create new correlation rules and customize the existing rules.
114 | Ability to reprocess data from the last point of failure | Yes\Supported | In case of disaster or failure of the primary solution, an automatic switchover to the secondary HA appliance occurs; all events are collected by the HA appliance and processing continues immediately after the failure.
115 | Ability to update correlation rules from vendor updates (automatic or manual upload) | Yes\Supported | Updates can be pushed to the system automatically or downloaded manually.
116 | Ability to provide an error log or debug log for itself | Yes\Supported | All errors and system notifications are logged in qradar.log.
117 | Ability to identify and report false positives | Yes\Supported | QRadar allows users to assign credibility ratings to individual log sources, expressing the likelihood of false positive or unreliable information from specific devices.
118 | Ability to verify and perform correlation against historical data from off-line storage | No / Not Supported | Archived off-line data can be brought on-line, after which historical correlation/analysis can be carried out.
119 | Ability to create multiple correlation rules/policies | Yes\Supported |
120 | Ability to correlate user identity and access management data with network activity in real time | Yes\Supported | QRadar can integrate with identity / access management systems and correlate their data with network activity in real time.
121 | Ability to correlate user identity and system details, and to visually show any threat detection with its attack path (source and targets) | Yes\Supported |
122 | Ability to initiate commands to a target device (configurable) in case a threat is identified | Yes\Supported | QRadar Risk Manager can perform the mitigation; it is a separate appliance that needs to be purchased.
123 | Ability to notify monitoring personnel / administrators of the identified threats | Yes\Supported | QRadar triggers an offense when a threat is identified; notifications can be configured to be sent to the monitoring personnel / administrator. QRadar supports a number of alert forwarding options including email, SNMP, syslog and IF-MAP publishing.
123.1 | Alarm on the console | Yes\Supported |
123.2 | Email | Yes\Supported |
123.3 | Text message (short message service) | Yes\Supported |
Reporting
124 | Ability to generate reports | Yes\Supported | QRadar delivers out-of-the-box report templates for a wide variety of compliance and operational needs; QRadar includes over 1300 out-of-the-box report templates. Users can use the predefined reporting templates or develop their own customized reports. All the mentioned reporting parameters are supported by QRadar.
125 | Ability to provide custom report creation and generation, including but not limited to the parameters below | Yes\Supported |
125.1 | Time | Yes\Supported |
125.2 | Event | Yes\Supported |
125.3 | Data | Yes\Supported |
125.4 | 2D or 3D charts | Yes\Supported |
125.5 | Maps | Yes\Supported |
125.6 | Facilities to define report layouts that make reports appropriate for internal or external use | Yes\Supported |
125.7 | Systems, target system, service etc. | Yes\Supported |
125.8 | Attack path vectors, e.g. attack origination and attack paths or targets | Yes\Supported |
126 | Ability to view / generate reports on a web-enabled service | Yes\Supported | QRadar's web console has the capability to view and generate reports.
127 | Ability to export the reports to the following formats | Yes\Supported | Reports can be generated in the following formats: HTML, PDF, XML, CSV/XLS, RTF
127.1 | PDF | Yes\Supported |
127.2 | MS Word | Yes\Supported |
127.3 | Excel | Yes\Supported |
127.4 | List other supported formats | Yes\Supported |
128 | Ability to send reports to a specified email (automated or manual) | Yes\Supported | Reports can be configured to be sent automatically to specific email addresses, or generated reports can be sent manually to specific emails.
129 | Ability to restrict report viewing based on user profiles | Yes\Supported | QRadar has the capability to create users and set privileges for each user; groups can also be created, and specific reports can be restricted to a particular user/group.
130 | Ability to schedule reports based on the following, at a minimum | Yes\Supported | QRadar has the capability to schedule reports based on all the parameters mentioned.
130.1 | Time | Yes\Supported |
130.2 | Event | Yes\Supported |
130.3 | Date | Yes\Supported |
131 | Ability to add a custom header, footer and logo in all reports | Yes\Supported | Custom header, footer and logo can be added to the reports.
132 | Solution should have an executive dashboard and drill-down facility to present the top threats identified. For example, if a threat is displayed in the dashboard, upon clicking it the solution should display the number of systems affected by the threat, the source of the threat, the raw events related to this threat etc. | Yes\Supported | The QRadar centralized web console has the capability to create, modify and view dashboards. QRadar provides multiple out-of-the-box dashboards with default views for specific roles including security, compliance and network staff. QRadar offers comprehensive drill-down capabilities; the user can click on a data point to drill into more detail.
133 | How many predefined reports does the solution have? List the top 10 critical reports with the fields appearing in each report as a supporting document | Yes\Supported | The QRadar solution has 1300 out-of-the-box reports. Please refer to the annexure for a sample of the top 10 critical reports.
Alternate Solution | Yes\Supported
No. | Target platform | Available / Customization required | Notes
1 | Below is the summarized list of the target operating systems and applications to be supported by the solution | |
Operating Systems
2 | Windows Server operating systems | Yes\Supported |
3 | Solaris | Yes\Supported |
4 | SUSE Linux (Open Enterprise Server) | Yes\Supported |
5 | VMware infrastructure (ESX Server, vSphere, Workstation) | Yes\Supported |
6 | IBM mainframe z/VSE with CA Top Secret | Yes\Supported | Q1 Labs' QRadar supports mainframes and their applications by integrating with the most popular mainframe auditing applications. These include IBM RACF, CA Top Secret and CA ACF2.
Web Services
7 | Apache | Yes\Supported |
8 | IIS | Yes\Supported |
Databases
17 | Oracle Application Server & related products | Yes\Supported |
18 | Tridion Content Management Solution | |
19 | Firewall (e.g. Barracuda, Cyberguard, Checkpoint, Cisco, Juniper, Fortigate, Palo Alto etc.) | Yes\Supported |
20 | IPS (e.g. Snort, ISS, HP, Juniper etc.) | Yes\Supported |
21 | Devices compatible with syslog | Yes\Supported |
22 | Custom developed applications (Java & .NET based) | Yes\Supported | Can be supported through custom parser development
23 | Cisco devices (routers, switches, firewalls) | Yes\Supported |
24 | Non-IP devices (e.g. UPS, air conditioning, motion detection) | | The proposed solution can be integrated with any kind of device which generates logs; however, the feasibility of the custom development can only be confirmed after studying the logs.
25 | Bidder must provide the full list of platforms supported by the solution, specifying the exact version of the supported systems | | Please refer to the following link for the supported device list: http://q1labs.com/products/supported-devices.aspx
5 ADDITIONAL INFORMATION/TECHNICAL DETAILS
5.1 <CUSTOMER NAME> REQUIREMENTS
<CUSTOMER NAME> is looking to acquire a SIEM to have a centralized Monitoring Solution.
Note:
Since we do not have any information on the count or types of event sources, it has been assumed that all 53 event sources are supported out of the box by the proposed solution. The actual number, with models and exact versions, will be shared by the client at a later stage. This is very important to ensure that all log sources are supported.
5.3 SOLUTION DESCRIPTION
<Company Name> is pleased to present the IBM Q1 Labs Security Intelligence Framework proposal to
<CUSTOMER NAME> to address your specific business objectives and security challenges.
Information and security professionals, tasked with keeping their organization secure, are continuously challenged to improve their ability to manage risk across an ever-growing spectrum of vulnerabilities and compliance mandates before a breach actually occurs.
Internet-based threats and fraud continue to proliferate in today’s complex networks. Compounding this
problem is a steady rise in insider theft of valuable corporate information. QRadar SIEM consolidates
siloed information to more effectively detect and manage complex threats. The information is
normalized and correlated to quickly deliver intelligence that allows organizations to detect, notify and
respond to threats missed by other security solutions with isolated visibility.
A single QRadar 3105 SIEM appliance is proposed, including a license to support up to 5000 events per second (EPS). Log, event and flow data will be collected and stored centrally. The approximate number of event sources is 50 (the exact number of events, log sources etc. will be determined as the project progresses).
QRadar appliances are used for the collection, processing and storage of device log and event data, such
as from Intrusion Detection Systems, Firewalls, Operating Systems, applications and network
infrastructure.
QRadar integrates with hundreds of devices through DSMs (Device Support Modules), which collect data from devices using agentless and, in some cases, agent-based methods. DSMs support a variety of protocols for collecting logs and events, including syslog, SNMP, JDBC/ODBC for database connections, and proprietary protocols such as SDEE.
For Windows environments, the QRadar Adaptive Log Exporter agent can be used to collect logs and monitor files on Windows devices. QRadar also supports an agentless option to collect logs from many Windows devices via WMI/DCOM, without being installed directly on the devices themselves.
Not only do QRadar appliances collect and store logs, they also start the correlation process, correlating logs, flows and vulnerability data to determine when a sequence of activity generates an "offense" (incident) on the QRadar console.
QRADAR SIEM
• Delivers deep visibility into network, user and application activity, providing organizations with intelligence into potential and existing threats across their entire network.
• Brings the transparency, accountability and measurability critical to the success of meeting regulatory mandates and reporting on compliance. QRadar SIEM's unique correlation and integration of all surveillance feeds yields:
o More complete metrics reporting around IT risks for auditors
o Thousands of report and rule templates to address industry compliance requirements
QRadar SIEM provides a next-generation solution that can mature with an organization, scale to support a growing infrastructure and deliver a common user experience to many groups across the organization. With log management, advanced threat detection and policy-aware compliance management all combined in QRadar SIEM, organizations benefit from a tightly integrated solution that quickly and easily delivers corporate-wide security intelligence.
Regulations define specific traffic and firewall policies that must be deployed, monitored, audited, and
enforced. Yet many attacks on a network come from inconsistent network and security configuration
practices highlighting the need for automated network configuration audits and alerts of policy
breaches. Unfortunately, due to the silos created by traditional SIEM and log management solutions,
organizations often lack the ability to seamlessly assess when a network configuration allows traffic that
is “out of policy” by a regulation, corporate mandate, or industry best practice.
IBM will leverage QRadar® Risk Manager, which extends the value of a SIEM deployment to provide organizations with total security intelligence and greatly improves the ability to automate risk management functions in mission-critical areas, including network and security configuration, compliance management and vulnerability assessment.
QRadar Risk Manager integrates risk management, SIEM, log management and network behaviour analysis, and is delivered in a single, integrated console. It greatly improves an organization's ability to assess information security risk. The solution automates the assessment of security policies while leveraging the broadest range of risk indicators, including network and security configuration data, network activity data, network and security events, and vulnerability scan results.
Reporting
QRadar provides a wide variety of default reports as part of the solution (with add-on charges), while also providing layout capability using a Report Creation Wizard. The Report Wizard provides you with the flexibility to create customized or user-defined reports.
Various reports are defined in QRadar by default to help satisfy common regulatory reporting requirements, as follows:
COBIT – Control Objectives for Information and Related Technology
SOX – Sarbanes-Oxley Public Company Accounting Reform and Investor Protection Act
GLBA – Gramm-Leach-Bliley Privacy Act
FISMA – Federal Information Security Management Act
NERC – The North American Electric Reliability Council
GSX – Government Secure Extranet
HIPAA – Health Insurance Portability and Accountability Act
Available Report Formats:
PDF
RTF
XML
XLS
HTML
The QRadar architecture provides an automated backup/restore process for mission critical data
including both configuration and collected data (i.e. events and flows). Backup files are automatically
compressed and archived if needed for configuration and data restoration.
QRadar provides a log and flow storage lifecycle which supports on-line, near-line and off-line storage requirements:
• uncompressed,
• compressed, and
• archived logs.
Both uncompressed and compressed storage can be "on-line" and readily available for use within QRadar. On-line and near-line logs can reside directly on QRadar appliances, which support up to 6 TB of storage, or on high-speed external storage such as IP SANs or Fibre Channel SANs. QRadar uses GZIP compression and achieves on average a 10 to 1 reduction in the storage of events on disk.
Use of compressed on-line data in QRadar is transparent to the user. The user can specify how long
data is retained on-line for both the uncompressed and compressed phase.
Archived (backup) data is the final phase and provides the ability to store archived events off-line on external storage for later use. Archives can be saved on any third-party storage solution. The backup/archive process can include log, network activity and configuration data, and can be scheduled as necessary. All backups are on-line and time-stamped. Backup data can be imported into QRadar as necessary.
Due to the lack of clear visibility into the log source count, models and versions, as well as into the critical and commercial applications in scope, <Company Name> has set the assumptions below in order to scope the <CUSTOMER NAME> SIEM solution.
<Company Name> will be more than happy to work closely with <CUSTOMER NAME> to further refine the overall scope based on <Company Name>'s experience and intelligence.
ARCHITECTURE
QRadar's flexible three-tiered architecture, which covers the collection, analysis and presentation of security and network information, allows for the scalability and manageability of large enterprise networks.
Based on the scope defined by <CUSTOMER NAME>, the architecture recommended for <CUSTOMER
NAME> is a single QRadar appliance per site that supports logs, flows and on board storage.
The QRadar solution is made up of three components that are all delivered on easy to install and
manage appliances. QRadar’s database is purpose built and embedded as part of the solution hence
providing on-appliance data storage, as well as integrating with SAN/iSCSI storage networks.
The QRadar Console provides a multi-user, secure, web-based global view into the entire network. The QRadar Console combines, analyses and correlates data from all events and flows to provide highly prioritized actionable offenses, real-time views and dashboards, and robust reporting capabilities.
QRadar Database
At the heart of the QRadar solution is a custom-designed database that supports the high speed
insertion, analysis, and storage of network flows and raw events that are required by large global
deployments. The database has been designed for simplicity and requires no advanced database
expertise or writing of database queries. A PostgreSQL RDBMS is used for storage of offenses, asset profiles and configuration data. Information stored in either database can be extracted when necessary.
The database is included at no additional cost.
It is self-maintaining and efficient in storing logs and network activity data. It is also highly scalable and
supports a distributed model, allowing for distributed storage, while maintaining a centralized view of all
data.
DISASTER RECOVERY
QRadar appliances utilize dual redundant (auto sensing) power supplies as well as internal hardware
RAID 10 for storage of data to ensure no loss of data in the case of disk or power supply failure.
Additional redundant QRadar hardware appliances can be deployed for disaster recovery or high
availability solutions. QRadar has native capabilities for flow and event forwarding from all components
to redundant boxes to ensure that during a failure a redundant system is available, processing data, and
contains the previously stored data.
High Availability
Q1 Labs QRadar Security Information and Event Management (SIEM) solution is purposely built to
integrate log management with SIEM, delivering scalable log management without any compromise on
SIEM “Intelligence”.
QRadar easy-to-deploy high availability (HA) appliances provide fully automated failover and disk
synchronization for high availability of data collection and analysis capabilities without the need for
third-party fault management products.
Many network and security teams are overwhelmed collecting and analysing billions of network and
security logs produced each day.
For most SIEM vendors, the solution for managing such log volumes while offering high availability has been to invest in complex OS and database clustering, often combined with a spares solution for replacing failed hardware. Other vendors simply rely on built-in hardware capabilities such as hardware RAID, but this does not provide true HA.
Automated Failover
• The QRadar HA solution supports seamless failover between the primary and HA
appliance in the event of primary appliance or network failures.
• In addition, QRadar tests for connectivity to all appliances within its distributed deployment, including network devices such as switches and routers, to determine when or if a failover occurs.
Easy to deploy
• QRadar’s HA is plug-and-play and configured through a simple to use wizard-based user
interface.
• When an HA appliance is added to a primary appliance, QRadar automatically
synchronizes the data between the two systems, while continuing to perform real time
analysis and storage of log and flow data.
6 APPROACH & METHODOLOGY
6.1 IMPLEMENTATION METHODOLOGY
<Company Name> has evolved a mature implementation methodology that bundles SOC best practices
as part of setup.
1. Customization of SIEM to deliver rules & reports for critical threat scenarios
2. Setup of log baseline, global threat integration to see more events & gain key insights
[Figure: implementation phases: Asset Valuation & Risk Profiling; Log Baseline Development; Customize alerts, rules, reports; Product installation; Develop implementation and handover documents; Develop SLAs; Knowledge Transfer]
During this phase, an asset inventory is built up of the servers & devices in scope. Asset valuation is
carried out. Assets are valued as high, medium or low value based on their criticality to business
processes, replacement cost and dependencies with other assets. Risk profiling involves network
modelling based on placement of assets in the network and corresponding exposure. Exposure of a
device varies based on its position in the network. The valuation carried out will be used to populate
asset database of SIEM. Combination of asset value and exposure of the device is an important criterion
in prioritizing the event.
During this phase a log baseline is developed for assets in the scope of monitoring. A gap analysis will be
conducted to determine the logging capability of an asset, current logging enabled and the required
level of logging. We will coordinate with the relevant IT and security team to enable the additional level
of logs required across assets. In this phase, we achieve the following.
STEP 5 – DEVELOP INSTALLATION AND HANDOVER DOCUMENTS
Documentation lays the foundation for implementation of robust & scalable monitoring practices. Our
documentation framework encompasses all the critical processes required for SOC. During this phase,
we will develop Installation and handover documents.
It is good practice to develop SLAs to deliver services to business units and also to measure effectiveness. We will develop SLA metrics aligned with the business requirements of the organization. Processes to track, measure and report SLAs will also be developed.
There will be consistent knowledge transfer across the implementation phase. We will train
<CUSTOMER NAME> team on configuring and using SIEM product. We will also train operations team on
processes and handover SOPs that have been developed. Along with this, best practices will be shared.
6.2 UNIQUE 7-STEP METHODOLOGY FOR MONITORING
<Company Name> has devised a unique 7-step methodology that enables detection of more security events while at the same time identifying the specific events that can cause harm. Identifying the right event is like searching for a needle in a haystack. Unless the right processes are deployed and the technology is customized, it is likely that an enterprise will not see critical events in the noise of normal events. This methodology enables the enterprise to gain more insight through integration with a global threat database. It also enables strengthening of other security/IT controls through root cause analysis, leading to the identification of security enhancements. The sections below describe the steps in our methodology.
Log aggregation requires implementation of the right architecture and the enabling of relevant logs in
servers, network & security devices. We build multi-tier architectures that are scalable and enable
effective log management. We define log baselines for all the different platforms in an enterprise. The
log baselines clearly capture the events that need to be logged. This leads to relevant logs being
available for analysis.
STEP 2 - EVENT NORMALIZATION
Log formats across multiple platforms and products vary in format, length, fields and content. Normalization of these formats into a standard format is critical for further analysis. In order to productively store this diverse data in a common database, the SIEM event manager evaluates which fields are relevant and arranges them in a common schema. SIEM as a technology has support for normalizing a rich set of fields from device logs. This provides the flexibility required for analysis and reporting of events. The diagram below provides an example of how Cisco PIX log content is normalized.
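As an added illustration of the step described above (not a QRadar DSM and not part of the original proposal), the block below normalizes Cisco ASA/PIX firewall syslog into a common schema: the raw event is kept unchanged, the device's local timestamp is preserved as `original_time`, and a corrected UTC timestamp is added as an extra field, which is also the behaviour requirement 85 of the compliance matrix asks for. Two message-specific parsers (106023 connection denied, 106100 access-list hit) fill source/destination fields; a line the module cannot parse is kept and flagged `unparsed` rather than dropped. The device timezone offset, the year (which BSD syslog timestamps omit) and the three sample lines are constructed assumptions.

```python
"""Normalize Cisco ASA/PIX syslog into a common schema, keeping the raw event.

Added example for the normalization step and for the UTC time-correction
requirement. Illustrative code, not a QRadar DSM. Assumptions: the device's
timezone offset and the year (absent from BSD syslog timestamps) come from the
log source configuration; the sample lines below are constructed."""
import re
from datetime import datetime, timedelta, timezone

SYSLOG = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) :? ?"
    r"%(?P<dev>ASA|PIX)-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)
# Message-specific parsers for two common firewall messages (Cisco syntax).
DENY = re.compile(
    r"Deny (?P<proto>\w+) src (?P<szone>[\w-]+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dzone>[\w-]+):(?P<dip>[\d.]+)/(?P<dport>\d+)"
)
ACL = re.compile(
    r"access-list (?P<acl>\S+) (?P<verdict>permitted|denied|est-allowed) (?P<proto>\w+) "
    r"(?P<szone>[\w-]+)/(?P<sip>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dzone>[\w-]+)/(?P<dip>[\d.]+)\((?P<dport>\d+)\)"
)
EVENT_TYPES = {"106023": "Connection denied by ACL", "106100": "ACL hit logged"}


def normalize(line: str, device_tz_offset_hours: int = 0, assume_year: int = 2012) -> dict:
    """Map one raw line to the common schema; unparsed lines are kept and flagged."""
    m = SYSLOG.match(line)
    if not m:
        return {"raw": line, "event_type": "unparsed"}
    # Device-local time is translated to UTC as an extra field; the original string stays.
    local = datetime.strptime(f"{assume_year} {m['ts']}", "%Y %b %d %H:%M:%S")
    utc = (local - timedelta(hours=device_tz_offset_hours)).replace(tzinfo=timezone.utc)
    pri = int(m["pri"])
    event = {
        "raw": line,
        "original_time": m["ts"],
        "time_utc": utc.isoformat(),
        "host": m["host"],
        "device": f"Cisco {m['dev']}",
        "device_severity": int(m["sev"]),        # Cisco scale: 0 emergency .. 7 debug
        "syslog_facility": pri >> 3,
        "event_id": m["msgid"],
        "event_type": EVENT_TYPES.get(m["msgid"], f"{m['dev']}-{m['msgid']}"),
        "action": None,
    }
    f = DENY.search(m["body"]) or ACL.search(m["body"])
    if f:
        event.update({"protocol": f["proto"].lower(),
                      "src_ip": f["sip"], "src_port": int(f["sport"]),
                      "dst_ip": f["dip"], "dst_port": int(f["dport"])})
        verdict = f.groupdict().get("verdict")      # absent for 106023, which is always a deny
        event["action"] = "deny" if verdict in (None, "denied") else "allow"
    return event


SAMPLES = [  # constructed sample lines
    '<164>Mar 15 14:02:13 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4321 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
    '<166>Mar 15 14:02:15 fw01 %ASA-6-106100: access-list outside_in permitted tcp outside/203.0.113.7(50211) -> dmz/10.0.1.8(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]',
    'Mar 15 14:02:16 dc01 Microsoft-Windows-Security-Auditing: 4625 An account failed to log on.',
]


def normalize_samples(device_tz_offset_hours: int = 3) -> list:
    """Run the constructed samples as if the firewall clock were set to UTC+3."""
    return [normalize(line, device_tz_offset_hours) for line in SAMPLES]


if __name__ == "__main__":
    for ev in normalize_samples():
        print(ev)
```

The Windows line in the sample is deliberately outside this module's scope: it comes back with `event_type` set to `unparsed` and its raw text intact, which is what lets a collector store and later report unprocessed logs (requirements 106 and 107) instead of silently discarding them.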
<Company Name> has developed a customized set of rules for multiple platforms to ensure that a meaningful set of events is filtered from the millions of logs generated by devices and servers. We build these rules into the SIEM event manager as part of our setup process. Filtering enables elimination of noise events. As an example, enabling Microsoft audit logs can generate many different types of events, so it is important that we filter in the security events that matter. We have a rich set of filtering rules across many different platforms and build them as part of the implementation phase. The diagram below shows an example of filtering rules for the Microsoft Windows platform.
The priority formula, sometimes referred to as the Threat Level Formula, is a series of criteria against
which each event is evaluated to determine its relative importance, or priority, to your network.
Priority evaluation is always on and is applied to every event received by the SIEM manager. The point
of calculating an event's priority is to signal to security operations personnel whether the event warrants
further attention. An event's priority is arrived at by correlating multiple factors. The diagram below
shows the criteria considered for arriving at the final event priority: agent severity, asset criticality
(the business value of the asset), history of the attacker or target, vulnerability information, the global
monitoring feed, asset mapping and attack signatures. We have integrated these components to reduce
both false positives and false negatives. This level of customization and correlation ensures that
appropriate priorities are assigned to events and the corresponding alert mechanisms are triggered.
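The following is an added worked example of such a priority formula (example code for this section, not the vendor's formula and not code from the original proposal). The weights, the asset map, the vulnerability identifiers, the attacker history and the threat-feed membership are all constructed assumptions; what it demonstrates is how the criteria listed above combine, and that each adjustment is recorded so an analyst can see why an event was raised or demoted.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Asset:
    ip: str
    criticality: int            # 0..10 business value from the asset inventory
    open_vulns: FrozenSet[str]  # findings imported from the vulnerability scanner


@dataclass(frozen=True)
class Event:
    src_ip: str
    dst_ip: str
    agent_severity: int         # 0..10 as reported by the sending device/agent
    signature: str              # attack signature name assigned by the device


# Constructed data standing in for the SIEM's asset map, scanner import, attacker
# history and global threat feed. The vulnerability identifiers are hypothetical.
ASSETS: Dict[str, Asset] = {
    "10.20.30.50": Asset("10.20.30.50", 9, frozenset({"VULN-SQLI-001"})),  # core DB server
    "10.20.30.60": Asset("10.20.30.60", 2, frozenset()),                   # test web server
}
# Which signatures exploit which findings (hypothetical mapping maintained by the SOC).
SIGNATURE_EXPLOITS: Dict[str, FrozenSet[str]] = {
    "SQL injection attempt": frozenset({"VULN-SQLI-001"}),
}
ATTACKER_HISTORY: Dict[str, int] = {"198.51.100.9": 3}     # prior offenses per source IP
THREAT_FEED: FrozenSet[str] = frozenset({"198.51.100.9"})  # IPs flagged by the global feed

MAX_PRIORITY = 10


def priority(ev: Event) -> Tuple[int, List[str]]:
    """Return (priority 0..10, reasons). Each criterion adds to or subtracts from the
    device's own severity, and every adjustment is explained in the reasons list."""
    score, reasons = ev.agent_severity, [f"agent severity {ev.agent_severity}"]

    asset = ASSETS.get(ev.dst_ip)
    if asset is None:
        reasons.append("target not in asset map: no adjustment")
    else:
        bump = asset.criticality // 3                        # asset criticality: +0..+3
        score += bump
        reasons.append(f"asset criticality {asset.criticality}: +{bump}")
        # vulnerability relevance: does the signature hit a finding the target actually has?
        exploited = SIGNATURE_EXPLOITS.get(ev.signature, frozenset()) & asset.open_vulns
        if exploited:
            score += 3
            reasons.append(f"target vulnerable to signature ({', '.join(sorted(exploited))}): +3")
        else:
            score -= 2
            reasons.append("target not vulnerable to signature: -2 (likely false positive)")

    history = min(ATTACKER_HISTORY.get(ev.src_ip, 0), 2)     # attacker history: +0..+2
    if history:
        score += history
        reasons.append(f"attacker has prior offenses: +{history}")

    if ev.src_ip in THREAT_FEED:                             # global monitoring feed: +2
        score += 2
        reasons.append("source listed in global threat feed: +2")

    return max(0, min(MAX_PRIORITY, score)), reasons


if __name__ == "__main__":
    for e in [
        Event("198.51.100.9", "10.20.30.50", 5, "SQL injection attempt"),
        Event("203.0.113.5", "10.20.30.60", 5, "SQL injection attempt"),
        Event("203.0.113.5", "10.20.30.99", 5, "SQL injection attempt"),
    ]:
        p, why = priority(e)
        print(p, e.dst_ip, "|", "; ".join(why))
```

The same device severity of 5 ends up as 10 against the vulnerable, critical database server with a known-bad source, 3 against an unaffected test server, and stays at 5 when the target is not in the asset map at all; an unmapped asset is deliberately left unadjusted rather than demoted, because the gap is in the inventory, not in the event.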
We have also developed ready-made correlation rules for a variety of threat scenarios that can affect an
organization. These correlation rules and threat-scenario detections are implemented during our setup
phase. A sample set of threat scenarios is given below:
• Database admin access outside office hours and from a non-authorized location
• Privilege misuse/escalation
  o Tying a person, as identified through AD or the HR application, to his multiple login IDs in
    different applications
• Detecting SQL injection, cross-site scripting and Google hacking by looking at web server logs
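Two of the scenarios above, as an added example written for this section (not the proposal's own correlation rules and not QRadar rule syntax): the first rule flags a database administrator login that is both outside office hours and from a non-authorized location, the second scans web server access logs for SQL injection and cross-site scripting payloads. The DBA account names, authorized subnet, office hours, login events and access-log lines are all constructed for the example.

```python
import ipaddress
import re
from datetime import datetime, time
from typing import Dict, List
from urllib.parse import unquote_plus

# Rule 1 configuration (all constructed for this example): which accounts count as
# database administrators, where they may connect from, and what office hours are.
DBA_ACCOUNTS = {"dba_admin", "oracle_sys"}
AUTHORIZED_NETS = [ipaddress.ip_network("10.20.30.0/24")]   # DBA bastion subnet
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)           # local time, assumption

# Constructed database login events as the SIEM would hold them after normalization.
DB_LOGINS: List[Dict[str, str]] = [
    {"ts": "2024-03-04T10:15:00", "user": "dba_admin", "src_ip": "10.20.30.15", "db": "CORE"},
    {"ts": "2024-03-04T23:40:00", "user": "dba_admin", "src_ip": "10.20.30.15", "db": "CORE"},
    {"ts": "2024-03-04T23:42:00", "user": "dba_admin", "src_ip": "192.168.77.5", "db": "CORE"},
    {"ts": "2024-03-04T11:00:00", "user": "app_user", "src_ip": "192.168.77.5", "db": "CORE"},
]


def rule_dba_offhours_unauthorized(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """DBA login outside office hours AND from a non-authorized location.
    Both conditions must hold; a late login from the bastion alone is not flagged."""
    hits = []
    for e in events:
        if e["user"] not in DBA_ACCOUNTS:
            continue
        t = datetime.fromisoformat(e["ts"]).time()
        off_hours = not (OFFICE_START <= t < OFFICE_END)
        ip = ipaddress.ip_address(e["src_ip"])
        unauthorized = not any(ip in net for net in AUTHORIZED_NETS)
        if off_hours and unauthorized:
            hits.append({**e, "rule": "DBA access off-hours from unauthorized location"})
    return hits


# Rule 2: SQL injection / XSS attempts in web server access logs (constructed lines in
# Apache common log format; payloads are URL-encoded as a real client would send them).
WEB_LOGS = [
    '203.0.113.5 - - [04/Mar/2024:10:01:02 +0000] "GET /search?q=laptop HTTP/1.1" 200 512',
    '198.51.100.9 - - [04/Mar/2024:10:02:10 +0000] "GET /login?user=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 734',
    '198.51.100.9 - - [04/Mar/2024:10:02:30 +0000] "GET /comment?text=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 120',
    '203.0.113.5 - - [04/Mar/2024:10:03:00 +0000] "GET /products?id=7%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 500 88',
]
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
SQLI_RE = re.compile(r"('\s*(or|and)\s*'?\d*'?\s*=\s*'?\d|union\s+select|;\s*(drop|shutdown)\b)", re.I)
XSS_RE = re.compile(r"(<script\b|javascript:|on(error|load)\s*=)", re.I)


def rule_web_attacks(lines: List[str]) -> List[Dict[str, str]]:
    """Decode the request path once, then match signatures; matching the raw,
    still-encoded path would miss every payload in WEB_LOGS."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        path = unquote_plus(m.group("path"))
        attack = "sqli" if SQLI_RE.search(path) else "xss" if XSS_RE.search(path) else None
        if attack:
            hits.append({"src_ip": m.group("ip"), "path": path,
                         "status": m.group("status"), "attack": attack})
    return hits


if __name__ == "__main__":
    for h in rule_dba_offhours_unauthorized(DB_LOGINS) + rule_web_attacks(WEB_LOGS):
        print(h)
```

Two caveats a practitioner should keep in mind: signature matching of this kind catches only payloads that survive one round of URL decoding (double-encoded or POST-body payloads need the request body, which standard access logs do not carry), and the web rule reports attempts, not success; the HTTP status is kept in the hit precisely so that a 500 on an injection attempt can be prioritized over a 200.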
Robust alert and incident management processes are critical for detecting and responding to security
incidents. We implement the alerting and incident management processes as part of the setup phase and
integrate them with other relevant IT processes, including change management. The process flow differs
based on the criticality of an alert. The flow chart below is a sample process flow for a critical alert.
7 TRAINING
Duration: 3 days
Course Overview: Basic User & Administering QRadar is a foundation course on QRadar's next-generation
SIEM platform. It is designed to give an individual a basic understanding of the features and skills
necessary to deploy and configure QRadar in the network, configure events and flows, search for data
and generate reports. On completion the participant will have a working knowledge of the operation
and administration of QRadar.
Target audience: The class is designed for security/network administrators who have at least a
working knowledge of networking and network security and are using QRadar to manage their
network and security programs.
Lab Exercises: In-class, hands-on lab exercises are designed to reinforce the material and ensure
basic understanding. A laptop is required. The class can be delivered using QRadar either in a
customer deployment or using standardized lab server(s).
Prerequisites: Basic networking knowledge, understanding of TCP/IP operations, experience in network
security.
Course Objectives: Upon completion of this course, the client team will have learned:
QRadar's technology and the various problems it solves
How to configure QRadar to fit the client's individual requirements
How to monitor specific information quickly within the QRadar interface
How to navigate the QRadar interface
How to use the Log Activity and Network Activity interfaces
How to create advanced event and flow filters
Fast searching techniques
Assets and vulnerability assessment
How to manage offenses
How to create/modify rules
Tuning techniques
How to generate reports
DSM integrations
How to communicate with the Q1 Labs technical support team
How to access/navigate the Qmmunity support site
Course Modules:
Day 1
1. Introduction to QRadar
2. Common QRadar Menus and Options
3. The Admin Interface
4. QRadar Log Activity
5. QRadar Network Activity
6. Advanced Event and Flow Filters
7. EOD Review
Day 2
1. Assets and Vulnerability Assessment
2. Offenses
3. Working an Offense
4. Rules and Building Blocks
5. Case Studies
6. EOD Review
Day 3
1. Tuning
2. Case Studies
3. Dashboards
4. Reporting
5. Support Information
6. EOD Review
7. Course Review
8 PREREQUISITES
Specifications of the PC required to access the Q1 (QRadar) web interface:
9 PROJECT PLAN
Activity                                                          Duration (in man days)
Phase 1
Planning and Design Discussion
Framework Workshop
Basic configuration of the appliance, e.g. IP address configuration and email server
configuration
Testing the connectivity of the appliance to the network
Phase 2
Updating the appliance
Applying the Patches
Updating the DSMs
Updating the Vulnerabilities Scanners Database
Creating the Network Architecture – Derived from the meeting in
Phase 1
Adding the Firewall Log Sources
Phase 3
Testing the Data and Reports of the Firewall Log Sources
Adding the remaining Log Sources
Adding Unsupported Log Sources
Testing the Data and Reports of the new Log Sources
Configuring the Backup of the appliance 10
Configuring The Alert settings
Configure data to conform to data retention requirements
Phase 4
Fine Tuning
Knowledge Transfer
How to access system
How to add and configure new logging sources (servers, firewalls,
switches)
How to keep system tuned (after adding systems, or to account for
additional logging on existing servers)
How to manage and support system
How to access technical support
How to troubleshoot issues
How to back up data for archive and/or recovery
How to access pre-defined reports
How to Setup, customize and produce pre-defined or canned reports
How to print and save reports
How to export reports to different formats
How to create scheduled reports
Note:
• The total number of event sources in scope of integration is 53, plus custom parser
development for 3 custom applications.
• If consultancy and/or installation takes longer than the number of days quoted as a result of
insufficient or incorrect information, additional time will be charged at the daily rate.
• If consultancy and/or installation takes longer than the number of days quoted as a result of
missing software, or of network or hardware not being ready/not pre-configured, additional time
will be charged at the daily rate.
• If the consultant qualifying the work feels that a pre-implementation meeting is needed (due
to lack of information available from the end customer, network issues etc.), this needs to be
arranged well in advance of the actual implementation dates.
• If a pre-qualification meeting has taken place between the end customer and the consultant,
the number of days quoted for the work is then guaranteed.
• It is assumed that all 53 event sources in scope of integration are out-of-the-box Q1
supported event sources and versions; the above project plan is applicable only on that basis.
• Only QRadar-supported logs will be collected from the end devices/event sources (53 event
sources).
• <Company Name> will follow the QRadar recommended procedure for log enabling and log
collection.
• Custom parser development for 3 applications is in scope of the project. However, the
feasibility of parser development can only be confirmed after studying the logs.
• It is assumed that all event sources in scope of integration are accessible from a single
location and that travel outside the primary site is not in scope; travel, if required, will incur
additional cost.
• Client will provide logistic support to <Company Name> while conducting discussions,
meetings, rolling out training programs etc. relevant to this project.
APPLIANCE INSTALLATION
Identify appliance network settings: Hostname, IP Address, Subnet mask, Default gateway,
NTP/DNS/Mail servers (See Install Guide for details)
PREPARATION
Note:
10 BILL OF MATERIALS
SKU              | Description                                                                    | Qty
Q1Labs - QRadar
                 | High Capacity Base 3124 Appliance and License. Flows/Minute=25,000 (50,000      | 1
                 | NetFlows), EPS=1000, Log Sources=750, Network Objects=1000. Requires QFlow     |
                 | Collector(s) for layer 7 network activity monitoring. Includes 16 TB of        |
                 | onboard storage.                                                               |
QR-5KEPS-UPG     | Upgrades Base 31XX from 1000 EPS to 5000 EPS                                   | 1
QR-3124-HA-XS    | 3124 High Availability Appliance                                               | 1
Support - One Year
QR-3124-XS-PM    | Premium Maintenance for QR-3124-XS - 1 Year                                    | 1
QR-5KEPS-UPG-PM  | Premium Maintenance for QR-5KEPS-UPG - 1 Year                                  | 1
QR-3124-HA-XS-PM | Premium Maintenance for QR-3124-HA-XS - 1 Year                                 | 1
Professional Services
CL-CX-1D-ME      | QRadar SIEM Training                                                           | 3
                 | <Company Name> PS for implementation - 53 event sources                        | 10
QR-Remday-PS-1   | Remote Professional Services - 1 Day Increment UDSM creation                   | 9
Bidder           | On-site Periodic support & maintenance for Two (2) Years                       | 2 years
11 ONSITE SUPPORT
12 PROJECT MANAGEMENT APPROACH
High quality of deliverables requires strong project management. The key elements in our project
management that improve the quality of a project are:
• Project Plan Development, which defines the scope, deliverables and tasks to be carried out in a
detailed manner and allocates responsibilities for each task.
• Project Plan Execution, which is achieved through the right skills of the team members and the right
methodologies/tools employed in the project.
• Project Overall Change Control, which is achieved through a defined process and templates for change
management involving both the client and the project team.
[Diagram: Project Management Process, Project Integration Management, Quality Management Process]
PROJECT ORGANIZATION
Successful completion of a project requires a formal structure to be established for reporting, coordinating
and performing the project tasks. We will set up the following project organization:
[Diagram: Our Team (Project Director, Project Lead, Team Members); Client Team (Project Sponsor,
Project Coordinator)]
Our Team
The project team will be headed by a senior resource designated as Project Lead (or Project Manager),
who will be responsible for successful project execution, including project management activities.
The Project Lead will be the prime contact person between the Client and <Company Name>. He will
have sufficient authority to take final decisions on behalf of the company within the contracted terms
and agreed scope of the project.
The Project Lead will report to the <Company Name> Project Director, who will provide guidance as well
as measure the performance of the project. The Project Director will also act as the final escalation
point for <Company Name>.
The project team will comprise technical resources as per the tasks/activities in each phase; they will be
committed to the phase throughout its duration, unless otherwise agreed in advance with the Client.
Client Team
The Client will provide a Project Sponsor, who owns the project. He should have appropriate authority to
resolve issues, provide resources and approve the project plan and project changes. He will also provide
the overall direction and decision making for the project.
A Project Coordinator will work with the project team to facilitate information collection and interaction
within the client organization, and will coordinate the activities to be performed by the client as mentioned
in this proposal or as identified in the project plan.
PROJECT PLAN
<Company Name> will prepare a project plan at the beginning of the project that will list the set of tasks
required for successful completion of the project. The plan will be used for tracking project status and
will contain the following:
• Project objectives (where applicable, phase-wise objectives) and Client expectations
• Implementation plan with milestones
• Resources with roles and responsibilities
• Dependencies on other tasks/entities
The project plan will be updated throughout the project lifetime to reflect changes or additional
information obtained during the project. The initial plan will be developed immediately after the project
kick-off meeting with the Client, where the objectives and expectations will be captured in detail through
the 'PDE' form (project deliverables and expectations).
RISK MANAGEMENT
Project risk management applies a formal approach to the process as opposed to an intuitive one. Risks,
once identified, assessed and allocated, should be managed in order to minimize or completely mitigate
their effect on the project. This is achieved by developing either immediate or contingency responses to
the identified risks. We will employ the following formal process:
Issue management – The Project Lead will prepare and maintain an 'issue log' document that records all
issues impacting the project. It will be the responsibility of the Project Lead to foresee issues as well as
to draw out issues from project team members at an early stage. An action plan will be developed for
each issue after evaluating its impact and possible courses of correction. All issues will be actively
monitored for closure and escalated to the Project Sponsor/Project Director as required.
Formal periodic internal review with Project Director – The Project Lead will conduct a periodic project
review meeting with the <Company Name> Project Director, where any risks to project quality and
timeliness will be proactively identified and mitigation measures suggested. The first review will be
before the commencement of the project and will identify risks related to:
• Clarity of scope, deliverables and client expectations
• Availability of tools, methodology, documentation and skills
• Dependencies on external entities/tasks for project completion
• Additional controls for mitigating the risk of non-completion of the project
CHANGE MANAGEMENT
Our change management process is defined for addressing any changes to the project and ensuring that
its impact is considered in a formal documented manner. Changes can be in scope of project, in
completion time frame or in resource profiles employed in the project. Our process for change
management involves the following:
Change initiation – All changes will be initiated through a formal change request form, which captures
change requester, description of change and reasons for change.
Change impact – Project Lead documents the impact of the change on project schedule and cost. He
also recommends the alternatives for managing the change.
Change approval- All changes have to be approved by Project Sponsor before any action is taken.
Change incorporation- Post approval, Project Lead updates the project plan and communicates the new
responsibilities, task and timelines to all project members. All relevant documents are also revised to
new version incorporating the change.
INFORMATION MANAGEMENT
Document management- The project team will set up document library system to facilitate collection,
organization and retrieval of project documents. Documents will be named and labeled using a standard
nomenclature. The documents will also have the controls over version and distribution. As far as
possible, all project activities and project deliverables will be fully documented and controlled.
Client communication-
PROJECT COMPLETION
Projects are formally closed to ensure that all deliverables have been met to the client's satisfaction and
that the expectations elicited during the project have been achieved. The processes involved are:
Project sign-off – Formal sign-off is obtained from the client as per the 'PDE' form, which captures the
objectives, expectations and timelines of project execution.
Project feedback form – The Client's experience in interacting with the project team and the quality of
the deliverables are formally measured through the 'PFF' form (project feedback form).
Review by <Company Name> Project Director – The Project Director will formally review project
completion and client satisfaction to ensure that the project has been completed as per the client's
expectations. This review acts as an internal control on the Project Lead's execution of the project.
PROJECT REVIEW/TRACKING
[Flow chart: Initiation & Kick-off call -> Get Pre-requisites -> Onsite kick-off meeting -> Milestone
based tracking (Periodic status updates; Delays escalated) -> Submit Draft Deliverables -> Review Draft
Deliverables -> Submit Final Deliverables -> Project Sign Off]
QUALITY ASSURANCE
Our quality assurance activities focus on the processes used to manage and deliver the solution, and are
performed by our Project Director, or in some cases jointly with the client. The Project Director primarily
looks at the following under quality assurance:
Quality initiation – At the initiation of the project, the Project Lead reviews with the Project Director the
exact set of tools, methodology and documented checklists to be used for the project. This also ensures
that a documented process exists for each activity to be undertaken in the project plan. During the
project, team members will follow these documents to ensure consistency in delivery.
Compliance to methodologies – All our project deliverables are based on tested methodologies that we
have developed over a period of time. They are backed with work instructions, checklists and tools
wherever required. The Project Director reviews whether the methodology was accurately followed by the
project team, to ensure a high quality deliverable.
Compliance to process – The Project Director also reviews whether the project management process, as
described in the earlier section, was followed by the project team. A reviewer who did not produce a
deliverable can still judge whether it is acceptable from the process used to create it: whether
deliverables and expectations were captured, whether reviews were performed, whether the work was
tested adequately, whether the customer approved the work, and so on.
Quality may also be checked by the Project Director through a sample substantive audit to ensure that
the activity as implemented matches the documented process.
QUALITY PLAN
For large projects, we also develop a quality plan along with the project plan at the project initiation
stage. Our Quality Plan identifies the major deliverables, the completeness and correctness criteria, and
the quality control and quality assurance activities. The Quality Plan allows you to understand when the
deliverables are complete, as well as how to show that they are correct. It also describes the processes
and activities that will be put in place to ensure that quality deliverables are produced. The quality plan
is prepared by the Project Lead, ratified by the Project Director and then approved by our client.
CONTINUOUS IMPROVEMENT
At the end of each project, the Project Lead provides feedback to the Project Director on the quality
process and the metrics captured. These can be leveraged by the organization for an organization-wide
metrics program and provide input into best practices that can be used again.
At the completion of the project, key project learnings are documented to ensure that the efficiency of
such projects is enhanced in future. In this manner all our past learnings from large projects are passed
on to future projects and new clients.
13 RELATED DOCUMENTS
13.1 ANNEXURE 1- NDA
Regional Offices:
INDIA:
<Company Name> Networks
Mumbai
Technocity, A – Wing, 6th Floor,
Mahapae - 400 709
Phone: +91-22 -41615151
Fax: +91 -22 -41615161
LONDON, UK
<Company Name> Networks
City Point, 1 Ropemaker Street
London EC2Y 9HT
Phone: +44 (0)845 2270 777
Fax: +44 (0)845 2805 333
USA
<Company Name> Networks
Virginia
12801 Worldgate Drive
Suite 500 Herndon,VA 20170,
USA
Phone: +1-703-871-3934
Fax: +1-703-871-3936
MALAYSIA
Kuala Lumpur
F313, Phileo Damansarai
46350 Petaling Jaya, Malaysia
Phone: +60-3-7960-4275
Fax: +60-3-7660-4273