
Customer Name Proposal for <<Solution>>

date

Request for Proposal


For
XXX Solution

1|Page
Confidential Document
Customer Name Proposal for <<Solution>>

Submitted By: XXXXX

Table of Contents
1 PREFACE ..................................................... 4
1.1 BUSINESS CONTEXT ......................................... 4
1.2 OUR PROPOSAL ............................................. 4
2 WHY <COMPANY NAME>? ........................................ 6
2.1 CAPABILITY TO EXECUTE .................................... 6
2.2 CAPABILITY TO ENVISION ................................... 10
2.3 UNIQUE METHODOLOGY ....................................... 12
2.4 SIMILAR EXPERIENCE & CLIENT REFERENCES ................... 12
3 CLIENT REFERENCES .......................................... 19
4 TECHNICAL COMPLIANCE ....................................... 21
4.1 PLATFORM SUPPORT MATRIX .................................. 46
5 ADDITIONAL INFORMATION/TECHNICAL DETAILS ................... 48
5.1 <CUSTOMER NAME> REQUIREMENTS ............................. 48
5.2 BRIEF SCOPE OF WORK ...................................... 48
5.3 SOLUTION DESCRIPTION ..................................... 49
6 APPROACH & METHODOLOGY ..................................... 58
6.1 IMPLEMENTATION METHODOLOGY ............................... 58
6.2 UNIQUE 7-STEP METHODOLOGY FOR MONITORING ................. 66
7 TRAINING ................................................... 71
8 PREREQUISITES .............................................. 73
9 PROJECT PLAN ............................................... 74
10 BILL OF MATERIALS ......................................... 77
11 ONSITE SUPPORT ............................................ 78
12 PROJECT MANAGEMENT APPROACH ............................... 79
13 RELATED DOCUMENTS ......................................... 85
13.1 ANNEXURE 1 - NDA ........................................ 85
13.2 ANNEXURE 2 - LIST OF REPORTS ............................ 85


1 PREFACE
1.1 BUSINESS CONTEXT
The Central Bank of Kuwait (henceforth "<CUSTOMER NAME>" or "Client") was established in 1969 with a mission to lay the foundations of, and maintain, a flexible and stable monetary and financial system in the State of Kuwait. <CUSTOMER NAME>'s objectives include:

• Issue the Kuwaiti Dinar on behalf of the State of Kuwait.
• Direct credit policy to assist social and economic progress.
• Assist the growth of the national income.
• Control the banking system in the country.

In order to strengthen its security posture, <CUSTOMER NAME> has issued a requirement to procure a Security Information and Event Management (SIEM) solution. Through the RFP titled "Request for Proposal for Security Information and Event Management (SIEM) Solution", <CUSTOMER NAME> is evaluating service providers who can offer the services best suited to its needs; this proposal is our response to those requirements.

1.2 OUR PROPOSAL

<Company Name> Dubai is the regional office of <Company Name> Networks Private Limited ("<Company Name>"), a global firm specializing in Information Risk Management services and solutions. <Company Name> has its head office and Security Operations Center (SOC) in Bangalore (India), its Middle East regional office in the UAE, and other offices in the USA, Malaysia, Saudi Arabia, Oman and Qatar. <Company Name> has a proven, action-oriented methodology for providing information security solutions and services to its clients, evolved over 12 years of active security management experience and tested in leading organizations across the globe. Our philosophy is to provide practical, implementable and measurable solutions that are in alignment with global standards and best practices.

Our services are backed by a cast-iron reputation:

• Recognized as a leading player in Gartner's MarketScope study for Managed Security Services in Asia Pacific for 4 years in a row: 2008, 2009, 2010 and 2011.
• Globally acclaimed information security firm: featured in Deloitte & Touche's Annual Technology Fast 500 ranking for Asia-Pacific and Fast 50 award for India in 2006, 2007, 2008, 2009, 2010 and 2011.
• <Company Name> was awarded the Best Banking Security Systems Project Award in the Asian Banker IT Implementation Awards Program for 2008 and 2009.
• <Company Name> is an Authorized ASV and QSA recognized by the PCI-DSS Council to help clients achieve PCI-DSS compliance.
• Global footprint with operations in 8 countries (UAE, Oman, Qatar, Saudi Arabia, Malaysia, UK, US & India).
• 575+ customers worldwide, spread over 17 countries, across various verticals including Banking & Finance, Telecom, Manufacturing, Oil & Gas, IT & ITES, Government, Regulatory Bodies and Aviation.
• Global recognition as a thought leader:
  - Presence in security research groups: Honeynet Alliance, OWASP, SecurityFocus.
  - Co-authored books: Know Your Enemy, Enhancing Computer Security, Application Security in ISO 27001 Environment, Security Testing Handbook for Banking Applications.
  - Published more than 95 research papers on information security.

We are pleased to submit this proposal in response to <CUSTOMER NAME>'s RFP for a Security Information and Event Management (SIEM) Solution.


2 WHY <COMPANY NAME>?

<Company Name> has gathered rich experience in providing managed security services (MSS) to enterprise customers across different geographies over a period of 6 years. We manage and monitor security operations for 45+ customers. Our MSS processes have matured with these advanced client experiences and we are able to align our technology expertise to meet customer requirements. The <Company Name> value proposition is based on three core parameters: Capability to Execute, Capability to Envision and Unique Methodologies.

[Figure: <Company Name> value proposition: Capability to Execute, Capability to Envision, Unique Methodologies]

2.1 CAPABILITY TO EXECUTE

• <Company Name> has been providing Managed Security Services (MSS) for over 6 years to over 45 customers worldwide. <Company Name> has its own SOC, from which all managed services are primarily driven. The SOC is ISO 27001 certified and has been in existence for over 5 years.
• <Company Name> Managed Security Services have been rated highly by industry analysts including Gartner. Gartner has highlighted our innovative delivery model, high customer satisfaction scores and highly skilled professional services staff in the "MarketScope for Managed Security Services in the Asia/Pacific Region" report for 2008, 2009, 2010 and 2011.
• <Company Name> has a large number of certified and skilled resources, including a team of 100 dedicated professionals for managed services. The team holds certifications including product certifications such as CCNA, CCNP, MCSE, Checkpoint Certified Security Analyst, ArcSight Certified System Analyst (ACSA), ArcSight Certified Implementation Engineer (ACIE), SANS GCIH, CISSP, CISA, ISO 27001, CBCP and ISO 20000.
• Based on our extensive experience in managed services, we have developed a platform for providing integrated security operations management to our customers. The platform, SOMP (Security Operations Management Platform), is a unique platform that integrates the 3 key pillars of managed services (threat management, vulnerability management and device management) and provides intelligent information based on correlated data from all 3 pillars.

[Figure: <Company Name> SOMP with its three pillars: Device Management, Threat Management and Vulnerability Management]

The platform not only enables us to provide unified delivery but also enables us to provide value-added intelligent information based on data available from each service. The following diagram represents the components of the 3 service lines.


KEY BENEFITS OF <COMPANY NAME> SOMP PLATFORM

• Unified security operations for reduced exposure time: information from security services is no longer held in silos.
• Higher visibility of potential risks and threats
• Comprehensive risk detection and mitigation
• Prioritization of activities to reduce time and effort
• Reduced risk, as better tracking and faster closing of open items is enabled
• Faster response to incidents
• Better security analytics and intelligence

<COMPANY NAME> SOMP OFFERS THE FOLLOWING ADVANTAGES:

<COMPANY NAME> SOMP ADVANTAGE #1: INTEGRATED VISIBILITY

<Company Name> will use security metrics to track meaningful trends and provide predictive intelligence. A few sample dashboards and reports are:

• Reduction in age of vulnerabilities
• Average high-risk vulnerabilities per asset: monthly trend
• Most targeted assets
• Number of assets with high-risk vulnerabilities: monthly trend
• Repeat vulnerabilities: quarterly trend
• % of Emergency & High alerts from internal IP addresses
• Average time for Emergency & High alert response
• High-alert IPs, network segments and geographies

The <Company Name> SOMP platform offers a customizable dashboard where users can pick and choose relevant graphs from over 50 readily available graphs.

Another unique visibility feature is Asset 360. This shows asset characteristics along with information regarding the services the asset is enrolled in.

Some of the information that will be available in the Asset 360 page will be:


<COMPANY NAME> SOMP ADVANTAGE #2: SECURITY INTELLIGENCE AND INTEGRATION


By providing multiple security services in an integrated fashion, SOMP can provide intelligent information by correlating data from the outputs of these individual services. Some examples are:

• Vulnerability scan report integration with SIEM. This ensures that an attack on an open vulnerability in an asset triggers a higher-priority alert.
• Application assessment report integration with monitoring events from server logs, WAF, HIDS and NIPS. A detected vulnerability is automatically given a higher rating if an attack event corresponding to that vulnerability is seen.
• Initiation of a scan by asset owners to check for the existence of a vulnerability corresponding to a detected attack event. This enables faster mitigation.
• Patch deployment based on a detected security event corresponding to the missing patch. This enables faster mitigation.
• Policy changes on security devices in response to a detected security event. This enables fast response to block attacks.
• Integration of Dynamic Application Security Testing (grey-box application testing) and Static Application Security Testing (code review).
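
The first two bullets above describe correlating vulnerability scan findings with attack events in both directions: an attack against an asset with a matching open finding is escalated, and a finding that is under active attack is re-rated. The Python below is an added illustration of that logic; it is not code from the proposal, from SOMP or from any SIEM product. The hostnames, addresses, finding ids (VULN-000x) and events are constructed, and the scoring weights are assumptions chosen for the example.

```python
# Added example (not from the proposal, SOMP or any SIEM product): a minimal
# event-to-vulnerability correlator. All assets, finding ids and events are
# constructed; scoring weights are assumptions for illustration only.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    asset: str       # hostname of the scanned asset
    vuln_id: str     # scanner finding id; placeholder values here, not real CVEs
    port: int        # service port the finding applies to
    severity: str    # scanner rating: "low", "medium" or "high"


@dataclass(frozen=True)
class AttackEvent:
    src: str
    dst: str
    dst_port: int
    signature: str            # sensor signature name (IDS, WAF, HIDS)
    exploits: Optional[str]   # finding id the signature is mapped to, if any
    base_priority: int        # sensor-assigned priority, 1 (low) .. 10 (high)


SEVERITY_BUMP = {"low": 1, "medium": 2, "high": 3}   # assumed weights
EXACT_MATCH_BUMP = 4                                 # assumed weight
MAX_PRIORITY = 10


def build_vuln_index(findings: List[Finding]) -> Dict[Tuple[str, int], List[Finding]]:
    """Index findings by (asset, port) so each event needs a single lookup."""
    index: Dict[Tuple[str, int], List[Finding]] = {}
    for f in findings:
        index.setdefault((f.asset, f.port), []).append(f)
    return index


def score_event(event: AttackEvent, index: Dict[Tuple[str, int], List[Finding]]) -> Tuple[int, List[str]]:
    """Direction 1: escalate an event whose target has open findings.

    An exact signature-to-finding match gets the large bump; otherwise the
    event is bumped by the worst open finding on the attacked service; with
    no findings the sensor priority stands. Priority is capped at MAX_PRIORITY.
    """
    priority = event.base_priority
    reasons: List[str] = []
    open_findings = index.get((event.dst, event.dst_port), [])
    exact = [f for f in open_findings if event.exploits and f.vuln_id == event.exploits]
    if exact:
        priority += EXACT_MATCH_BUMP
        reasons.append(f"attack targets open {exact[0].vuln_id} on {event.dst}")
    elif open_findings:
        worst = max(open_findings, key=lambda f: SEVERITY_BUMP[f.severity])
        priority += SEVERITY_BUMP[worst.severity]
        reasons.append(f"attacked service has open {worst.severity} finding {worst.vuln_id}")
    return min(priority, MAX_PRIORITY), reasons


def triage(events: List[AttackEvent], findings: List[Finding]) -> List[Tuple[int, str]]:
    """Score every event and return (priority, signature) pairs, highest first."""
    index = build_vuln_index(findings)
    scored = [(score_event(e, index)[0], e.signature) for e in events]
    return sorted(scored, key=lambda p: p[0], reverse=True)


def rerate_findings(findings: List[Finding], events: List[AttackEvent]) -> Dict[Tuple[str, str], str]:
    """Direction 2: a finding with matching attack traffic is re-rated 'critical'."""
    attacked = {(e.dst, e.dst_port, e.exploits) for e in events if e.exploits}
    return {
        (f.asset, f.vuln_id): "critical" if (f.asset, f.port, f.vuln_id) in attacked else f.severity
        for f in findings
    }


# Constructed sample data (documentation-range addresses, placeholder ids).
FINDINGS = [
    Finding("web-01", "VULN-0001", 443, "high"),
    Finding("web-01", "VULN-0002", 443, "low"),
    Finding("db-01", "VULN-0003", 1433, "medium"),
]
EVENTS = [
    AttackEvent("203.0.113.7", "web-01", 443, "HTTP parameter overflow attempt", "VULN-0001", 4),
    AttackEvent("203.0.113.9", "db-01", 1433, "SQL login brute force", None, 3),
    AttackEvent("198.51.100.4", "app-02", 8080, "Generic scanner probe", None, 2),
]

if __name__ == "__main__":
    for priority, sig in triage(EVENTS, FINDINGS):
        print(priority, sig)
    print(rerate_findings(FINDINGS, EVENTS))
```

With the constructed data, the overflow attempt against web-01 rises from priority 4 to 8 because its signature maps to an open finding on the attacked port, the brute force against db-01 rises by the medium finding on that service, and the probe against an asset with no findings keeps its sensor priority. Keying the re-rating on (asset, port, finding id) rather than on the finding id alone avoids marking the same finding critical on every host that has it.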

<COMPANY NAME> SOMP ADVANTAGE #3: COLLABORATION

SOMP has rich collaboration features that allow users to interact with <Company Name> and other users within the organization on any issue. Some key highlights of this feature are:

• Discuss vulnerability or threat information through the portal. All discussion is saved in a conversation-like view.
• Track vulnerabilities or issues using the online service desk. Assign ownership of an issue to other users and track progress of mitigation.
• View reports on tickets and track ageing.

2.2 CAPABILITY TO ENVISION

<Company Name> has been innovating new ways of delivering Managed Security Services. We have launched new services that reflect our approach of continuously enhancing the business value provided by Managed Security Services. Some of our innovations include the following:

• Banking Fraud Management Services (2012)
• Integrated Security Operations Management for Enterprises (2011)
• Launch of Verity, Website Malware Monitoring Solution (2009)
• Data Leakage Monitoring Services (2009)
• Transaction Monitoring Services (2009)
• Business application monitoring services (2008)
• Proactive Phishing Monitoring using Website Watermarks (2008)


Example: How could our innovative Banking Fraud Intelligence Services benefit <CUSTOMER NAME>?

Note: Fraud Intelligence Service is an optional offering that can be availed by <CUSTOMER NAME> as part of Managed Security Services at an extra cost, based on mutual agreement. The above example is only a sample illustration of how clients benefit from innovative service offerings and enhancements when they engage with <Company Name> for Managed Security Services. Please refer to Annexure 3C for details of <Company Name>'s Fraud Intelligence Service.

<Company Name> has won several awards for MSS. Prominent industry forums have recognized our innovative MSS model, including:

• Asian Banker Award for the best IT security project in 2008; this was awarded for our managed services at Kotak Mahindra Bank in India
• FIIA Innovation in Service Award for Enterprise Security Management (2009)
• Red Herring Technology Top 100 Award for our managed services technologies (2008)

<Company Name> proposes to replicate our innovative, award-winning and Gartner-recognized model at <CUSTOMER NAME>.

<Company Name> is a contributing member of leading security forums including OWASP, SecurityFocus and SANS. This enables us to better understand current and emerging threats and vulnerabilities.

<Company Name> has worked with over 575 customers for a variety of services including consulting, security testing and managed services. This enables us to cross-pollinate ideas and solutions. As a result, our customers gain from our rich experience and are able to get comprehensive protection from threats and vulnerabilities.


2.3 UNIQUE METHODOLOGY

• <Company Name> follows a well-streamlined workflow for device management. We leverage the latest technologies, such as ManageEngine IT360, for unified delivery.
• We leverage best-in-class technology for the various services (vulnerability management, log monitoring, phishing, device management) and integrate them to provide intelligent information.
• <Company Name> has developed an innovative seven-step methodology for monitoring. We set up this methodology for our customers as part of SOC implementation.
• <Company Name> has evolved a mature implementation methodology that bundles SOC best practices as part of setup. Our SOC best practices have evolved over a period of five years.
• We incorporate business risk and threat scenarios to derive higher value from monitoring.
• We integrate global threat monitoring.
• We enhance security and IT controls.

2.4 SIMILAR EXPERIENCE & CLIENT REFERENCES

<Company Name> has extensive experience in providing SIEM implementation and advanced SOC services for its customers in the Middle East and Asia over long-term, multi-year engagements.

We detail below a list of some of our key client engagements for MSS services.

Client name: Noor Islamic Bank
Location: Dubai, UAE
Industry: Banking
Technical Summary: Managed Security Services including security log monitoring, security device management, etc.:
• Asset Classification
• Device Management
• Risk Analysis and solution design
• Asset Vulnerability Management
• Asset Control Management
• Application Security Management
• Security Monitoring
• External Threat Monitoring
• Datacenter Security
• Security Policy Management
• Incident Management
• Security Reporting for Management
• Training & Awareness
• Compliance
• DR Audits
• Third Party Audits

Client name: Kotak Mahindra Bank
Location: India
Industry: Banking
Technical Summary: Information Security Assurance Program under Managed Security Services. The activities carried out as part of this project are:
• Asset Classification
• Risk Analysis and solution design
• Asset Vulnerability Management
• Asset Control Management
• Malicious Code Management
• Application Security Management
• Security Monitoring
• External Threat Monitoring
• Datacenter Security
• Security Policy Management
• Incident Management
• Security Reporting for Management
• Training & Awareness
• Compliance
• Security Product Implementation
• DR Audits
• Third Party Audits
• Internet & email usage
• File system integrity

Client name: State Bank of India
Location: India
Industry: Banking
Technical Summary: Security Operations Centre (SOC)
• 24x7x365 log monitoring
• Incident Management
• Global Threat & Vulnerability Monitoring

Client name: Yes Bank
Location: India
Industry: Banking
Technical Summary: The activities carried out as part of this project are:
• System Study
• Risk Assessment
• Security Review
• Anti-Phishing
• Security Management
• Security Monitoring
• Ongoing Risk Assessment
• Global Threat Intelligence

Client name: IDBI Bank
Location: India
Industry: Banking
Technical Summary: The activities carried out as part of this project are:
• Managed Security Services from an offsite location
• Vulnerability Assessment
• Penetration Testing
• Anti-Phishing Services
• Anti-Malware Services
• Security Intelligence Services
• Security Dashboard
• Hardening Checklist Documents

Client name: Syndicate Bank
Location: India
Industry: Banking
Technical Summary:
• Implementation of Managed Security Services Framework to monitor and manage the Bank's security devices, security solutions and security events from the network devices deployed at the Data Centre, DR Site and various branches across the Bank.

Client name: Genesys International
Location: India
Industry: IT
Technical Summary: Managed Risk Services
• Security event monitoring
• Security device management
• Managed Vulnerability Assessment per quarter: this also includes recommendations to address vulnerabilities, if any, and a re-check after applying patches/corrective measures.
• Penetration Testing: this also includes recommendations to address vulnerabilities, if any, and a re-check after applying patches/corrective measures.

Client name: Qatar Telecom
Location: Qatar
Industry: Telecom
Technical Summary:
• SIEM Security Information Management (SIM) solution for security devices and servers, and associated services.

Client name: First Gulf Bank
Location: Abu Dhabi, UAE
Industry: Banking
Technical Summary: FGB mandated us for log monitoring of supported operating systems, web servers, databases, infrastructure applications, network devices and security devices at the FGB Datacenter. It includes design and implementation of the log monitoring solution and monitoring services thereafter.

Client name: RAK BANK
Location: UAE
Industry: Banking
Technical Summary: Log monitoring for supported operating systems, web servers, databases, infrastructure applications, network devices and security devices, and Incident Management.

Client name: General Civil Aviation Authority, UAE
Location: UAE
Industry: Govt.
Technical Summary: Supply & Implementation of SIEM Log Monitoring Solution components to monitor bank's systems, devices, databases, security solutions and security events from the IT systems and applications deployed at the Data Centre; onsite 8/5 monitoring.

Client name: Cairo Amman Bank
Location: Jordan
Industry: Banking
Technical Summary: Supply & Implementation of SIEM Log Monitoring Solution components to monitor the bank's systems, devices, databases, security solutions and security events from the IT systems and applications deployed at the Data Centre, DR Site and various branches across the Bank.

Client name: Higher Colleges of Technology
Location: UAE
Industry: Education
Technical Summary: Supply & Implementation of SIEM Log Monitoring Solution components to monitor bank's systems, devices, databases, security solutions and security events from the IT systems and applications deployed at the Data Centre and DR Site.

Client name: aeCERT
Location: UAE
Industry: Government
Technical Summary: SIEM onsite support and license renewal.

Client name: Masraf Al Rayan
Location: Qatar
Industry: Bank
Technical Summary: Supply & Implementation of SIEM Log Monitoring Solution components to monitor the bank's systems, devices, databases, security solutions and security events from the IT systems and applications deployed at the Data Centre and DR Site; remote 24/7 monitoring for security events.

Client name: Qatar Islamic Bank
Location: Qatar
Industry: Bank
Technical Summary: Supply & Implementation of SIEM Log Monitoring Solution components to monitor the bank's systems, devices, databases, security solutions and security events from the IT systems and applications deployed at the Data Centre and DR Site; remote 24/7 monitoring for security events.

Client name: Arab National Bank, Saudi Arabia
Location: Saudi Arabia
Industry: Bank
Technical Summary: Supply & Implementation of SIEM Log Monitoring Solution components to monitor the bank's systems, devices, databases, security solutions and security events from the IT systems and applications.

Client name: Qatar National Bank
Location: Qatar
Industry: Bank
Technical Summary: Supply & Implementation of SIEM Log Monitoring Solution components to monitor the bank's systems, devices, databases, security solutions and security events from the IT systems and applications.

Client name: National Stock Exchange
Location: India
Industry: Stock Exchange
Technical Summary: National Stock Exchange of India Ltd. desired to procure SIEM products to be deployed for monitoring existing internal network and security devices.
• Scope of work includes implementation of a SIEM Security Information Management (SIM) solution for infrastructure devices.
• Training for the NSE team.

Client name: Arab Bank, Jordan
Location: Jordan
Industry: Bank
Technical Summary: Supply & Implementation of SIEM Log Monitoring Solution components to monitor the bank's systems, devices, databases, security solutions and security events from the IT systems and applications.

Client name: Corporation Bank
Location: India
Industry: Banking
Technical Summary: Implementation of Managed Security Services Framework to monitor and manage the Bank's security devices, security solutions and security events from the network devices deployed at the Data Centre, DR Site and various branches across the Bank.

<Company Name> has several references for SIEM implementation and Managed Security Services.

Recently, <Company Name> was awarded a multi-million Euro, multi-year contract for Managed Security Services for one of the top banks in Europe. <Company Name> was selected after careful evaluation by the bank, in competition against 17 other vendors from various parts of the globe (most of whom are currently submitting proposals to <CUSTOMER NAME>).


3 CLIENT REFERENCES
Company name:
Project Title: SIEM Implementation & Connector Development
Project Description / Deliverables: Supply & Implementation of SIEM Log Monitoring Solution components to monitor bank's systems, devices, databases, security solutions and security events from the IT systems and applications.
Month / Year contracted (Project Start and End Date):
Contact Person name:
Contact Person Phone & Fax numbers:
Contact person email address:
Contact details / Address:
Bidder Engineer Involved in implementation:
Additional Comments:

4 TECHNICAL COMPLIANCE

Alternate Solution Available /


Available in future version

Customization required
No/ Not Supported
Yes\Supported
Seq Requirement Notes / Reference to Proposal sections

  Core Features          

1 Solution should provide Log Yes\Supported       The proposed solution provides for both log management
Management & Compliance and compliance reporting functionality.
Reporting (SIM) functionality
2 Solution should facilitates Real Yes\Supported       The proposed solution provides for real time monitoring and
time monitoring and incident incident management. QRadar notifies analysts about
management ( SEM - Threat ‘offenses’ which are a correlated set of incidents with all the
Management) functionality details for investigation.
QRadar Offense management is a built-in workflow tool and a
3rd party incident management/ticketing tool integration is
also possible.
3 Ability to maintain asset Yes\Supported       QRadar maintains asset inventory for all the assets which are
register or database for the integrated with the solution. QRadar supports a wide range
organization servers of auto discovery features that greatly simplify security
management tasks. Key auto discovery features include a
built in Asset Profile database that tracks assets and
associated Identity Data. The Asset Profile builds lists of
services running on a host based on how assets are
responding to network traffic through flow data. Also QRadar
provides automated classification of assets, called Sever
Discovery, which greatly improves the rule tuning and
deployment process. The Server Discover process can
automatically catorigize assets based on specific attributes
learned from collected data (i.e. events, flows, and

20 | P a g e
Confidential Document
vulnerability data).
4 Ability to upload the asset Yes\Supported       Manual asset upload from CSV file is possible with QRadar.
register manually from CSV file
5 Ability to integrate with Yes\Supported       Macfee vulnerability manager integration with QRadar is
Mcafee vulnerability manager supported
at a minimum for the below
5.1 To gather asset details with risk Yes\Supported        
level
5.2 To gather the vulnerability Yes\Supported        
details related to assets
5.3 List any detected known Yes\Supported        
vulnerability and able to notify
the other relevant server for
the same
6 Ability to integrate with Yes\Supported       QRadar employs a number of threat and security sources to
external intelligence services to provide eternal security context and geographical context.
provide any malicious This is integrated into all views and capabilities within the
connection from external to product. Sources include but are not limited to:
<CUSTOMER NAME> or from Geographic: maxmind (http://www.maxmind.com)
<CUSTOMER NAME> to any Top Targeted Ports: D-Shield (http://www.dshield.org)
external Bot-net Service , Botnets: Emerging threats.
Malware communications, (http://www.emergingthreats.net/rules/emerging-
Virus propagations along with botcc.rules)
detailed threat information and Bogon IPs: http://www.cymru.com/Documents/bogon-bn-
mitigation guidelines nonagg.txt
Hostile Nets:
http://www.emergingthreats.net/rules/emerging-botcc.rules
Smurf: http://www.emergingthreats.net/rules/emerging-
botcc.rules
These services are updated and pushed out to our customers
through an auto-update service. This update service also
includes updates for event mappings, vulnerability mappings
(e.g. CVE, OSBDB ID), applications mappings, new Device
Support Modules and updates.
7 Ability to provide dash board Yes\Supported       The QRadar solution provides the ability to deliver multiple
(visual notation) to display at dashboards that can be customized to meet the specific
top threats requirements of different users.

21 | P a g e
Confidential Document
QRadar dashboards provide a high-level overview of the data
being collected and can be customized by user based on their
individual role. Each user can create their own unique
“workspaces” of the events and data types they would like to
be aware of. Over 75 dashboard templates are included by
default, ranging from security offenses to device statistics to
top attackers. In addition, it is possible to utilize any user
defined event or flow searches as a dashboard element.

QRadar provides sample dashboards that support various


users roles including security administrator, compliance
officer, and network administrator
8 Ability to provide dash board Yes\Supported       Supported, QRadar dashboard has the capability to provide
Graphical representation of graphical representation of servers and network connections.
servers and network
connections
9 Ability to notify the detected Yes\Supported       Supported, the proposed solution provides for notifying the
attack or behavior with source detected attack or behaviour with source and targets.
and targets (Bot-net Service ,
Malware communications,
Virus propagations or other
types)
  Type & Architecture          
10 The solution must be appliance Yes\Supported       The proposed solution is appliance based.
based? Provide the details in Please refer the Bill of Materials section of the proposal for
notes column details.
11 Does the solution run as Virtual Yes\Supported       Appliance based model is always recommended by the OEM
appliance? Provide the details to provide effective and efficient solution to our customer.
in notes column For Virtual appliance OEM's concern is required, only after
evaluating and verifying the entire vm setup OEM will
recommend for virtual appliance, but it is possible on
demand.
12. Solution should support a multilayer (modular) architecture (e.g. log collection, log storage, event consolidation, management and reporting), should provide flexibility in configuring the layers (modules), and should support secure protocols for the communication between them.
   Compliance: Yes/Supported
   Notes: QRadar supports a multi-layer architecture in a distributed environment. A QRadar event processor can be placed at each location to collect, normalize, correlate and analyse events. The centralized console has access to all event processors and receives their data.
13. The solution should provide methods of collecting logs from the target operating systems and applications using the following methods (specify details in the notes column).
   Compliance: Yes/Supported
   Notes: QRadar provides broad support across a variety of collection methods, including:
   • Syslog (TCP/UDP)
   • SNMP (v2 and v3)
   • JDBC
   • OPSEC LEA
   • SDEE
   • WMI (agentless collection of Windows Event Logs)
   • ALE (Adaptive Log Exporter, an agent for Windows used to collect application logs that are not included in the Windows Event Logs)
   • Log File Protocol source (collection of log files via FTP, SFTP and SCP)
   • NVP (a simple name/value pair format that lets users send logs to QRadar in an efficient format)
   • Sourcefire eStreamer
   QRadar provides agentless collection options wherever possible. However, certain log sources require an agent, and in those cases QRadar's agent can be used.
13.1 With an agent installed on the target system
   Compliance: Yes/Supported
13.2 Without an agent installed on the target system
   Compliance: Yes/Supported
13.3 Describe other methods available for log collection (e.g. custom API, logs from a shared area, Secure FTP etc.)
   Compliance: Yes/Supported

14. Solution should be manageable by the following methods (describe the requirements in the notes column) in a secure manner (AES, RSA, IDEA encryption algorithms only).
   Compliance: Yes/Supported
   Notes: A web-based interface and a command-line interface (CLI) over an SSH console are available for accessing the appliance.
14.1 Thin client (web based)
   Compliance: Yes/Supported
14.2 Thick client (with client software)
   Compliance: No/Not Supported
15. Solution should provide a facility to archive the logs and should utilize the below (<CUSTOMER NAME> should be able to select one or more of the following).
   Compliance: Yes/Supported
15.1 Own storage; list the details in the notes column (size, speed and type)
   Compliance: Yes/Supported
   Notes: The proposed QRadar appliances support up to 6 TB of storage.
15.2 EMC SAN storage (list the supported SAN connectivity methods) for storing all collected logs, reports and other asset-related details
   Compliance: Yes/Supported
   Notes: QRadar supports high-speed external storage solutions such as IP SANs or Fibre Channel SANs.
15.3 Microsoft file shares
   Compliance: Yes/Supported
15.4 Secure FTP (certificate or public key authentication)
   Compliance: No/Not Supported
16. Solution should support enforcement of an archival policy for logs collected from the target systems / applications / devices and should support at a minimum the below.
   Compliance: Yes/Supported
   Notes: QRadar can group servers / devices / applications and enforce an archival policy per group. Different storage paths / methods and different time limits can be set for different archival policies.
16.1 Ability to group the servers / devices / applications and enforce an archival policy
   Compliance: Yes/Supported
16.2 Ability to support various storage paths / methods and different time limits for different archival policies
   Compliance: Yes/Supported
17. The solution should record all activities performed on the SIEM solution as audit trails. The events to be audited include but are not limited to the below.
   Compliance: Yes/Supported
   Notes: Audit trails are supported by QRadar.
17.1 Identification of the user who performed the activities (who did the activities)
   Compliance: Yes/Supported
17.2 Details of what activity was performed (what was performed)
   Compliance: Yes/Supported
17.3 When the activity was performed on the object by the user (when the activity was performed)
   Compliance: Yes/Supported
17.4 Status of the activity (success or failure)
   Compliance: Yes/Supported
18. Ability to place the collection agent, system or service at remote offices or different locations, if required
   Compliance: Yes/Supported
19. Ability to back up configuration / collected logs from the solution directly, or to integrate with Symantec NetBackup software for backup
   Compliance: Yes/Supported
   Notes: QRadar can be integrated with Symantec NetBackup to back up all data.
20. Ability to enforce segregation of duties (e.g. appliance management, account creation, log monitoring, log capturing / retention policies etc.). Specify in the notes column how the solution provides the segregation.
   Compliance: Yes/Supported
21. Ability to meet future requirements (more target devices, higher EPS, more physical remote offices). List the details in the notes column.
   Compliance: Yes/Supported
22. List the details of the high-availability features of the solution (active-active / active-passive)
   Compliance: Yes/Supported
   Notes: The QRadar SIEM solution can be deployed in a high availability (HA) configuration. The QRadar HA architecture can use redundant active-active or active-passive appliance pairs for any distributed component (console, event processors, all-in-one appliances etc.) with automated failover. HA is fully integrated into QRadar's core capabilities and does not require any additional third-party services or software.
23. How does the solution work in a disaster situation? Will the agents be configured automatically to send logs to the backup site, or is a manual switch-over needed? List the details with disaster scenarios.
   Compliance: Yes/Supported
   Notes: The proposed solution includes high availability. In case of a disaster an automatic switch-over to the HA appliance takes place, which ensures the solution keeps working without interruption.
Enterprise Integration
24. Solution must integrate with Microsoft Active Directory as the primary authentication source
   Compliance: Yes/Supported
   Notes: QRadar supports integration with multiple third-party directory systems for authentication. The following authentication methods are supported:
   • System authentication
   • RADIUS
   • TACACS+
   • LDAP
   • Active Directory
25. Ability to integrate with the following products for strong-factor authentication (specify the details of the product integration in the notes column for each category below)
   Compliance: Yes/Supported
25.1 RADIUS
   Compliance: Yes/Supported
25.2 PKI and smartcards (Gemsafe smartcards)
   Compliance: Yes/Supported
25.3 VASCO tokens
   Compliance: Yes/Supported
26. Ability to integrate with the enterprise monitoring solution (e.g. Microsoft SCOM)
   Compliance: Yes/Supported
Network Access
27. Ability to enforce access controls for administration, monitoring, reporting, auditing etc. based on the categories below
   Compliance: Yes/Supported
   Notes: Supported.
27.1 IP based (single IP, multiple IPs, range of IPs and entire subnet)
   Compliance: Yes/Supported
27.2 User based
   Compliance: Yes/Supported
27.3 User group based
   Compliance: Yes/Supported
28. Ability to enforce idle session time-outs for
   Compliance: Yes/Supported
28.1 Admin access
   Compliance: Yes/Supported
28.2 User monitoring access
   Compliance: Yes/Supported
29. Ability to display a customizable legal notice when a user tries to log on to the SIEM solution
   Compliance: Yes/Supported
30. Ability to notify the user, at log-on, of the last log-in time and date and of successful and unsuccessful attempts
   Compliance: Yes/Supported
Licensing
31. List the core module licensing requirements (mandatory)
   Compliance: Yes/Supported
   Notes: The information is available in the BOM; please refer to the proposal.
32. Optional modules (if required). Please specify the purpose of each optional module in the notes column.
   Compliance: No/Not Supported
   Notes: No additional modules are required.
33. Does the solution use any third-party software? If yes, list the software and the licensing requirements.
   Compliance: No/Not Supported
   Notes: QRadar does not use any third-party software.
34. In case third-party software is needed, list any other options available to avoid installing the third-party software.
   Compliance: No/Not Supported
35. Does the license have an expiry date, or is it a one-time (perpetual) license?
   Compliance: Yes/Supported
   Notes: QRadar licensing depends on the EPS count; once the EPS count crosses the licensed limit, a license upgrade is required.
36. Is the licensing based on the number of target systems / applications managed?
   Compliance: No/Not Supported
   Notes: Licensing is based on the EPS count.
37. Is the licensing based on the number of events collected from the various target systems? List the details.
   Compliance: Yes/Supported
   Notes: QRadar licensing depends on the EPS count; once the EPS count crosses the licensed limit, a license upgrade is required.
38. Is the licensing based on the number of administrative users? List the details.
   Compliance: No/Not Supported
   Notes: Licensing is based on the EPS count.
39. Is the licensing based on the number of concurrent connections (administration / monitoring) to the solution?
   Compliance: No/Not Supported
   Notes: Licensing is based on the EPS count.
40. Is a separate license required for integration with the CA Service Desk ticketing system to create incident tickets?
   Notes: Customization is required. Professional services must be engaged to create a custom DSM for the integration (3 man-days).
41. Does the solution require an additional license for high availability?
   Compliance: Yes/Supported
   Notes: A license for high availability is required; it is bundled with the HA appliance. Please refer to the BOM section of the proposal for the proposed solution. If the EPS count exceeds the licensed limit, a license upgrade is required.
42. Is a separate license required for integration with
   a. McAfee Vulnerability Manager 7.0
   b. IBM Rational AppScan
   Notes: Customization is required. Professional services must be engaged to create a custom DSM for the integration (3 man-days).
43. Other license requirements; list them in the notes column
   Compliance: No/Not Supported
   Notes: No license is required other than what is mentioned in the BOM.
44. How does the solution behave when a license violation occurs in the scenarios below?
   Compliance: Yes/Supported
44.1 Violation of events per second (EPS)
   Compliance: Yes/Supported
   Notes:
   • If the system is above the EPS license limit for 50% of an hour, a system notification is sent to the console and written to qradar.log stating that the license limit has been reached. This allows short spikes in events to be processed while still notifying a user if the incoming rate stays above the license for a sustained period of time.
   • If you are consistently over your license you will receive a notification in the UI and in qradar.log. Check the license and perform event searches grouped by log source type to see which log sources are sending the most data.

44.1.1 For a specific period (a few hours)
44.1.2 Multiple times in a day
44.1.3 Multiple times in a week
44.1.4 Multiple times in a month (a few days)
44.2 Exceeds the number of admin / monitoring concurrent sessions
   Compliance: No/Not Supported
   Notes: Licensing is based on the EPS count.
44.3 Exceeds the number of managed target devices
   Compliance: No/Not Supported
Forensic quality data
45. Solution should maintain "chain of custody"
   Compliance: Yes/Supported
Solution Signature Updates and Patches
46. How often does the vendor release patches / hot fixes?
   Compliance: Yes/Supported
   Notes: Q1 Labs has a well-established and defined product versioning mechanism. The versioning schema has three levels: Major.Minor-Patch. Q1 releases on average one major release per year, two minor releases per year, and patches at regular intervals (on average every 10-12 weeks).

47. How often does the vendor release updates to the application (service packs, versions, intelligence, correlation rules)?
   Compliance: Yes/Supported
48. Kindly provide the details below related to obtaining signature updates / patches
   Compliance: Yes/Supported
48.1 Does the solution require a direct connection to the internet to receive updates / patches?
   Compliance: No/Not Supported
   Notes: An internet connection is not mandatory to receive updates / patches; the customer can download the patches directly from www.qmmunity.q1labs.com. If the system is connected to the internet, automatic patch updates can be configured. Major version upgrades require manual effort.

48.2 Manual download facility available
   Compliance: Yes/Supported
48.3 Does an intermediate server / service need to be built for automatic download?
   Compliance: No/Not Supported
   Notes: No intermediate server / service is required to download the patches.
49. In case of a direct internet connection update or an intermediate server / service update, kindly provide the details for the below
   Compliance: Yes/Supported
49.1 Can the updates be scheduled?
   Compliance: Yes/Supported
   Notes: Yes, the updates can be scheduled and can also be performed on an ad-hoc basis.
49.2 Can updates be performed on an ad-hoc basis?
   Compliance: Yes/Supported
49.3 Can the solution receive updates / patches through a Microsoft ISA proxy with NTLM / NTLMv2 authentication?
   Compliance: Yes/Supported
   Notes: QRadar can be configured to receive updates / patches through the proxy.
System Support
50. Does the bidder provide 24x7 support for the solution?
   Compliance: Yes/Supported
51. Specify in the notes column any special support services available for the below
   Compliance: Yes/Supported
   Notes: QRadar's escalation mechanism is guided by our SLA response-time matrix based on issue categories. Depending on the issue priority, our issue management system automatically triggers notification and escalation based on the response-time requirement. This escalation includes middle and senior management and, depending on issue priority, the customer account team.
   Priority 1 issues
   • Response time 30 minutes
   • Progress time 4 hours
   • Restore time 1 day
   Priority 2 issues
   • Response time 1 day
   • Progress time 2 days
   • Restore time 30 days
   Priority 3 issues
   • Response time 2 days
   • Progress time 14 days
   • Restore time: Q1 Labs and the customer will commit, during business hours, the resources required to provide updates on the issue being monitored
51.1 Response times
   Compliance: Yes/Supported
51.2 Resolution time
   Compliance: Yes/Supported
51.3 Replacement time
   Compliance: Yes/Supported
51.4 Closure time
   Compliance: Yes/Supported
51.5 On-line (email, web, phone)
   Compliance: Yes/Supported
51.6 On-site
   Compliance: Yes/Supported
51.7 On-demand
   Compliance: Yes/Supported
52. How much time does it take to replace the solution (the appliance or hardware, if supplied) in case of failure?
   Notes: With the proposed premium support the appliance will be replaced within four business days in case of failure.
53. Does the bidder provide technical support from a Kuwait office?
   Notes: A dedicated team of technical resources is available in the region to support <CUSTOMER NAME> during any exigencies or issues related to the proposed solution. Please refer to the proposal for details.
54. If there is no support from a Kuwait office, how would you support <CUSTOMER NAME>?
   Notes: See the response to item 53.
Data storage, backup, archival
55. Ability to gather audit events generated by 50 devices (a combination of Windows, Unix, custom applications and networking devices) concurrently
   Compliance: Yes/Supported
   Notes: QRadar can gather audit events generated by the integrated devices.
56. Ability to store collected logs (raw + correlated events + reports) in the EMC SAN storage
   Compliance: Yes/Supported
   Notes: On-line and near-line logs can be stored directly on the QRadar appliances, which support up to 6 TB of storage, or on high-speed external storage solutions. QRadar can store archived off-line data on external storage for future analysis.

57. Ability to store archived logs (raw + correlated events + reports) in the EMC SAN storage
   Compliance: Yes/Supported
58. Ability to store raw logs in a read-only file system (EMC storage)
   Compliance: Yes/Supported
59. Solution should be able to work with more devices (receiving, storing, real-time correlation and archival) seamlessly without changing or adding modules / hardware components. List the product support matrix in the notes column or attach the product documents.
   Compliance: Yes/Supported
   Notes: Device integration in QRadar is very simple: devices supported out of the box can be added to the system without any additional modules or hardware components. Please refer to the following link for the supported device list: http://q1labs.com/products/supported-devices.aspx
60. Solution should be able to fetch / query archived data off-line from a SAN or from an alternate data source without restoring it to the SIEM solution
   Compliance: Yes/Supported
   Notes: External storage can be attached to QRadar and configured so that all events are stored and analysed automatically on the external storage. Querying off-line archived data directly is not possible.
61. Solution should have a facility to define different policies for data retention, at a minimum for the below
   Compliance: Yes/Supported
   Notes: The customer can define and set different retention policies for different groups.
61.1 Test servers
   Compliance: Yes/Supported
61.2 Production servers
   Compliance: Yes/Supported
61.3 Database servers
   Compliance: Yes/Supported
61.4 Custom application servers
   Compliance: Yes/Supported
62. Solution should be able to encrypt the data while storing, archiving or exporting it for backup purposes
   Compliance: Yes/Supported
   Notes: All communications between QRadar components are encrypted using the SSH protocol.
63. List the storage size based on the licenses requested
   Compliance: Yes/Supported
   Notes: In the proposed solution the QRadar appliance comes with 6 TB of onboard storage.
64. List the guidelines for calculating storage space based on the system types
   Compliance: Yes/Supported
   Notes: Storage is calculated from the EPS and the log size, which depends on the device type.
65. Do you store the logs (raw and normalized), events and reports in compressed format? If yes, indicate the compression ratio.
   Compliance: Yes/Supported
   Notes: QRadar automatically compresses stored data on demand. The compression ratio is 10:1.
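A storage-sizing calculation of the kind items 63 to 65 describe, as an added Python example (not a vendor sizing tool). It takes the 10:1 compression ratio and the 6 TB onboard capacity stated above and combines them with per-device-type EPS and average event size; the device profiles, the retention period and the licence headroom are assumptions that should be replaced with figures sampled from the real log sources.

```python
"""Storage and licence sizing from EPS and average event size.

Added example, not a vendor sizing tool. The 10:1 compression ratio and the
6 TB onboard capacity come from the proposal; the device profiles (EPS and
average raw event bytes per type), the retention period and the licence
headroom are assumptions to be replaced with measured values.
"""
import math

TB = 1000 ** 4                       # decimal terabyte, as storage vendors quote it
SECONDS_PER_DAY = 86_400
ONBOARD_CAPACITY_BYTES = 6 * TB      # from the proposal
COMPRESSION_RATIO = 10.0             # from the proposal (10:1)

# Assumed profiles: sustained EPS and average raw event size per device type.
DEVICE_PROFILES = {
    "Windows servers": {"eps": 400, "avg_bytes": 900},
    "Unix servers":    {"eps": 150, "avg_bytes": 250},
    "Firewalls":       {"eps": 900, "avg_bytes": 300},
    "Custom apps":     {"eps": 50,  "avg_bytes": 600},
}


def total_eps(profiles):
    """Sum of sustained EPS across all device types (what the licence counts)."""
    return sum(p["eps"] for p in profiles.values())


def daily_raw_bytes(profiles):
    """Raw (uncompressed) bytes ingested per day across all device types."""
    return sum(p["eps"] * p["avg_bytes"] for p in profiles.values()) * SECONDS_PER_DAY


def stored_bytes(profiles, retention_days, compression_ratio=COMPRESSION_RATIO):
    """On-disk bytes needed to hold `retention_days` of data after compression."""
    return round(daily_raw_bytes(profiles) * retention_days / compression_ratio)


def days_until_full(profiles, capacity_bytes=ONBOARD_CAPACITY_BYTES,
                    compression_ratio=COMPRESSION_RATIO):
    """Whole days of ingest the given capacity can hold before any archival."""
    return int(capacity_bytes / (daily_raw_bytes(profiles) / compression_ratio))


def licence_eps_needed(profiles, headroom_percent=30):
    """EPS licence to buy: sustained total plus headroom for growth and bursts
    (the 30% headroom is an assumption). Integer arithmetic avoids float drift."""
    return math.ceil(total_eps(profiles) * (100 + headroom_percent) / 100)


def sizing_report(profiles, retention_days):
    """Per-type and total figures, in one dict, for a proposal's sizing table."""
    per_type = {
        name: {"eps": p["eps"],
               "raw_gb_per_day": p["eps"] * p["avg_bytes"] * SECONDS_PER_DAY / 1e9}
        for name, p in profiles.items()
    }
    return {
        "per_type": per_type,
        "total_eps": total_eps(profiles),
        "licence_eps": licence_eps_needed(profiles),
        "raw_gb_per_day": daily_raw_bytes(profiles) / 1e9,
        "stored_tb_for_retention": stored_bytes(profiles, retention_days) / TB,
        "days_until_onboard_full": days_until_full(profiles),
    }


if __name__ == "__main__":
    for key, value in sizing_report(DEVICE_PROFILES, retention_days=90).items():
        print(f"{key}: {value}")
```

Two caveats a reviewer would raise against the proposal's numbers: the 10:1 ratio is an average that text-heavy sources beat and binary or already-compressed sources miss, and the figure that matters for the licence is peak sustained EPS, not the average, which is why the headroom term is there.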
Other Requirements
66. Has your solution been audited by any reputed third-party security testing company for vulnerabilities? If yes, attach the certificate and a sample report issued by the third-party company.
   Compliance: Yes
   Notes: We are currently EAL 3 certified and FIPS Level 1 certified.
67. Do you offer secure implementation guidance for your solution? If yes, provide it as part of the proposal and commit to follow it during implementation.
   Compliance: Yes
   Notes: Secure implementation guidelines will be followed during implementation as part of our best practices; the details will be discussed during the kick-off meeting.
68. What is your vulnerability response process? If a vulnerability in your solution is identified by anyone and reported to you, what process do you follow to handle it?
   Compliance: Yes
   Notes: Our solution is based on CentOS, a stripped-down Linux distribution from which we have removed unnecessary services.
69. If <CUSTOMER NAME> identifies any security vulnerability in the solution, the bidder is required to fix the vulnerability with high priority at no cost. Confirm your acceptance of this and indicate the time period within which you commit to provide a fix to remediate the identified vulnerability.
   Compliance: Yes
   Notes: We have a dedicated team that will immediately work on fixing a weak point or bug in our appliances. Our dedicated team constantly works on identifying vulnerabilities and their remediation.
70. What process improvements have you made as a result of vulnerabilities reported in your solution in the past?
   Compliance: Yes
71. Limitation of concurrent sessions: must not allow multiple concurrent sessions for the same user (i.e. single session per user)
   Compliance: Yes/Supported
72. The system should not store passwords hard-coded or unencrypted. This includes but is not limited to user passwords stored in databases, flat files and configuration files such as INI and XML files.
   Compliance: Yes/Supported
   Notes: QRadar hashes all incoming log files. QRadar supports SHA-1, SHA-2 and MD5. In addition, QRadar provides a utility that allows the user to run integrity checks against searched data, which reports and warns if any files were manipulated.
73. The system should support encryption of the password during transmission over the network and preferably implement challenge / response mechanisms for authentication
   Compliance: Yes/Supported
   Notes: All communications between QRadar components are encrypted using the SSH protocol.
74. The system should use standard and proven algorithms such as AES, RSA and IDEA to encrypt communication between modules as well as with external systems. No proprietary algorithms should be used.
   Compliance: Yes/Supported
75. Ability to provide a workflow (minimum 2 to 3 levels) for remediating the identified threats
   Compliance: Yes/Supported
   Notes: We can generate SNMP traps when an offense occurs, which can be used by other in-line devices to stop malicious traffic. SNMP traps can also be directed to third-party devices, for example to create tickets.
Software & Hardware details
76. Does the solution require special software to operate? If yes, list the details in the notes column.
   Compliance: No/Not Supported
   Notes: All hardware, software and licenses are bundled with the product; no additional specialized hardware or software is required for this solution.
77. Does the solution require specialized hardware to operate? If yes, list the details in the notes column.
   Compliance: No/Not Supported
78. Kindly provide the benchmark details of the solution
   Notes: Will be provided upon request.
79. Does the solution provide fail-safe or fail-open behaviour in case of solution or component failure?
   Compliance: Yes/Supported
   Notes: The QRadar SIEM solution can be deployed in a high availability (HA) configuration. The QRadar HA architecture can use redundant active-active or active-passive appliance pairs for any distributed component (console, event processors, all-in-one appliances etc.) with automated failover.
80. Is the solution operating system open source or custom built for this purpose?
   Compliance: Yes/Supported
   Notes: QRadar is a Linux-based solution; it uses CentOS.
Collection
81. Ability to transmit encrypted log data between the solution device and the collection system. Please specify the encryption techniques supported by the solution.
   Compliance: Yes/Supported
   Notes: All communications between QRadar components are encrypted using the SSH protocol.
82. Ability to preserve raw log data until users delete it manually or the content expires under the policy
   Compliance: Yes/Supported
   Notes: Raw logs are deleted automatically once the retention policy expires.
83. Ability to provide real-time collection
   Compliance: Yes/Supported
84. Ability to provide, at a minimum, the following details about the logged data from each target device while performing the log collection
   Compliance: Yes/Supported
84.1 Host name
   Compliance: Yes/Supported
   Notes: All fields that are part of the raw log are normalized and displayed in the appropriate field, which can be viewed in the QRadar web console.
84.2 IP address
   Compliance: Yes/Supported
84.3 Date and time
   Compliance: Yes/Supported
84.4 Number of audit events collected
   Compliance: Yes/Supported
84.5 Log type
   Compliance: Yes/Supported
85. Ability to record the corrected date and time collected from a wrongly configured device as an extra field (not updating the existing date/time value)
   Compliance: Yes/Supported
   Notes: All event timestamps in QRadar are translated to Coordinated Universal Time (UTC).
86. Ability to alert if a managed system ceases log transmission
   Compliance: Yes/Supported
87. Ability to provide evidence and suggest recommendations for remediating the identified threats
   Compliance: Yes/Supported
   Notes: QRadar's offense management supports annotating the offense. Notes are tagged with the user who created them and the time at which they were made, providing a detailed timeline of the investigation.
88. List the solution specifications (hardware or software or both) for the collection system
   Compliance: Yes/Supported
   Notes: The QRadar event processor, which collects events from the different devices, is bundled with the product; no special hardware or software is required.
89. Ability to store data temporarily at the collection system in case of loss of communication with the log storage or event management solution
   Compliance: Yes/Supported
   Notes: The QRadar event processor can store events for a certain period in case of a communication failure.
90. If yes for the above, the system should protect the stored data from administrator modification and notify of such occurrences
   Compliance: Yes/Supported

91. Ability to enforce queuing / log update from a collection system to the log storage or event management solution based on a scheduled time or on bandwidth utilization within the network, and to prioritize over the WAN
   Compliance: Yes/Supported
   Notes: The proposed QRadar solution is a single all-in-one appliance; no separate log collection, processing and storage tiers are required, so QRadar ensures very minimal bandwidth utilization in the network.
92. Ability to perform raw log data backup
   Compliance: Yes/Supported
   Notes: QRadar can back up the raw logs.
93. Ability to convert the raw logs into a form understood by the collection system only, without tampering with the raw log
   Compliance: Yes/Supported
   Notes: QRadar hashes all incoming log files. QRadar supports SHA-1, SHA-2 and MD5.
94. Ability to add custom fields to the collected logs, with an appropriate audit trail generated
   Compliance: Yes/Supported
95. Ability to support an RDBMS for storing raw log data; if not, list the storage options with format details
   Compliance: Yes/Supported
   Notes: QRadar uses a custom-built proprietary database.
96. Provide the list of supported platforms as requested in the platform matrix. If a target system used by <CUSTOMER NAME> is not in the list provided by you, provide the details for the below.
   Compliance: Yes/Supported
   Notes: Please refer to the following link for the supported device list: http://q1labs.com/products/supported-devices.aspx
96.1 How difficult is it to customize the custom application logs?
   Compliance: Yes/Supported
   Notes: Using QRadar's Universal DSM (Device Support Module), it is very easy to create a log source extension for devices that are not supported out of the box.
96.2 Professional services needed for customization
   Compliance: Yes/Supported
96.3 Kindly list the areas or functions that need professional services
   Compliance: Yes/Supported
97. Ability to collect NetFlow (traffic flow)
   Compliance: Yes/Supported
   Notes: The proposed QRadar solution has the built-in capability to collect NetFlow and J-Flow.
98. Ability to collect J-Flow (Juniper network traffic flow)
   Compliance: Yes/Supported
Normalization
99. Ability to permit normalization of log data (including NetFlow and J-Flow traffic)
   Compliance: Yes/Supported
   Notes: All logs / flows collected are normalized by the QRadar solution.
100. Ability to normalize data in a real-time environment, supporting the below
   Compliance: Yes/Supported
100.1 Time
   Compliance: Yes/Supported
   Notes: Compliant
100.2 IP address
   Compliance: Yes/Supported
100.3 Host name
   Compliance: Yes/Supported
100.4 Event type
   Compliance: Yes/Supported
100.5 Device
   Compliance: Yes/Supported
100.6 List the other categories
   Compliance: Yes/Supported
101. Ability to reprocess data from the last point of failure
   Compliance: Yes/Supported
   Notes: In case of a disaster or failure of the primary solution, an automatic switch-over to the secondary HA appliance takes place; all events are then collected by the HA appliance and processing continues immediately after the failure.
102. Ability to view built-in normalization rules
   Compliance: Yes/Supported
103. Ability to define and customize normalization rules
   Compliance: Yes/Supported
104. Ability to view raw log data in association with normalized data
   Compliance: Yes/Supported
   Notes: The QRadar log viewer allows real-time views of both the original unmodified event and the fully normalized version of the event.
105. Ability to store normalized data in defined storage areas
   Compliance: Yes/Supported
   Notes: Compliant
106. Ability to notify on unprocessed logs
   Compliance: Yes/Supported
107. Ability to store unprocessed logs
   Compliance: Yes/Supported
   Notes: QRadar can store the unprocessed logs.

108. Ability to perform multiple normalization tasks
   Compliance: Yes/Supported
109. Ability to support data aggregation
   Compliance: Yes/Supported
110. Ability to transfer normalized data to an RDBMS; if not, list the format / storage type details
   Compliance: Yes/Supported
   Notes: QRadar uses a custom-built proprietary database.
Correlation
111. Ability to perform and support correlation of real-time logs
   Compliance: Yes/Supported
   Notes: QRadar supports real-time correlation and analysis of events.
112. Ability to support correlation using the following
   Compliance: Yes/Supported
   Notes: Compliant
112.1 Rule based (signatures)
   Compliance: Yes/Supported
112.2 Pattern matching (anomaly detection)
   Compliance: Yes/Supported
112.3 Vulnerability trends
   Compliance: Yes/Supported
112.4 Behaviour analysis
   Compliance: Yes/Supported
112.5 Specify other methods supported by the solution
   Compliance: Yes/Supported
113. Ability to create and customize correlation rules
   Compliance: Yes/Supported
   Notes: QRadar can create new correlation rules and customize the existing rules.
114. Ability to reprocess data from the last point of failure
   Compliance: Yes/Supported
   Notes: In case of a disaster or failure of the primary solution, an automatic switch-over to the secondary HA appliance takes place; all events are then collected by the HA appliance and processing continues immediately after the failure.
115. Ability to update correlation rules from vendor updates (automatic or manual upload)
   Compliance: Yes/Supported
   Notes: Updates can be pushed to the system automatically or downloaded manually.
116. Ability to provide an error log or debug log for itself
   Compliance: Yes/Supported
   Notes: All errors and system notifications are logged in qradar.log.
117. Ability to identify and report false positives
   Compliance: Yes/Supported
   Notes: QRadar allows users to assign credibility ratings to individual log sources, expressing the likelihood of false-positive or unreliable information from specific devices.
118. Ability to verify and perform correlation against historical data from off-line storage
   Compliance: No/Not Supported
   Notes: Archived off-line data can be brought on-line, after which historical correlation / analysis can be carried out.
119. Ability to create multiple correlation rules / policies
   Compliance: Yes/Supported
120. Ability to correlate user identity and access management data with network activity in real time
   Compliance: Yes/Supported
   Notes: QRadar can integrate with identity / access management and correlate that data with network activity in real time.
121. Ability to correlate user identity and system details, and to visually show any threat detection with the attack path (source and targets)
   Compliance: Yes/Supported
122. Ability to initiate commands to a target device (configurable) when a threat is identified
   Compliance: Yes/Supported
   Notes: QRadar Risk Manager can perform the mitigation; it is a separate appliance that needs to be purchased.
123. Ability to notify monitoring personnel / administrators of the identified threats
   Compliance: Yes/Supported
   Notes: QRadar triggers an offense when a threat is identified, and notifications can be configured to be sent to the monitoring personnel / administrator. QRadar supports a number of alert forwarding options, including email, SNMP, syslog and IF-MAP publishing.
123.1 Alarm on the console
   Compliance: Yes/Supported
123.2 Email
   Compliance: Yes/Supported
123.3 Text message (short message service)
   Compliance: Yes/Supported
Reporting
124. Ability to generate reports
   Compliance: Yes/Supported
   Notes: QRadar delivers out-of-the-box report templates for a wide variety of compliance and operational needs; over 1300 out-of-the-box report templates are included. Users can use the pre-defined reporting templates or develop their own customized reports. All the reporting parameters mentioned are supported by QRadar.
125. Ability to provide custom report creation and generation, including but not limited to the parameters below
   Compliance: Yes/Supported
125.1 Time Yes\Supported        

125.2 Event    Yes\Supported
125.3 Data    Yes\Supported
125.4 2D or 3D charts    Yes\Supported
125.5 Maps    Yes\Supported
125.6 Facilities to define report layouts that make reports appropriate for internal or external use    Yes\Supported
125.7 Systems, target system, service etc.    Yes\Supported
125.8 Attack path vectors, e.g. attack origination and attack paths or targets    Yes\Supported
126 Ability to view / generate reports on a web-enabled service    Yes\Supported    Reports can be viewed and generated from QRadar's web console.
127 Ability to export the reports to the following formats    Yes\Supported    Reports can be generated in the following formats: HTML, PDF, XML, CSV/XLS, RTF
127.1 PDF    Yes\Supported
127.2 MS Word    Yes\Supported    (as RTF)
127.3 Excel    Yes\Supported    (as CSV/XLS)
127.4 List other supported formats    Yes\Supported    HTML, XML
128 Ability to send reports to specified email (automated or manual)    Yes\Supported    Reports can be configured to be sent automatically to specific e-mail addresses, or generated reports can be sent manually.
129 Ability to restrict report viewing based on user profiles    Yes\Supported    QRadar can create users and groups and assign privileges to each, so specific reports can be restricted to a particular user or group.
130 Ability to schedule reports based on the following at a minimum    Yes\Supported    QRadar can schedule reports on all the parameters mentioned.
130.1 Time    Yes\Supported
130.2 Event    Yes\Supported
130.3 Date    Yes\Supported
131 Ability to add custom header, footer, logo in all the reports    Yes\Supported    A custom header, footer and logo can be added to reports.
132 Solution should have an executive dashboard and drill-down facility to present the top threats identified. For example, if a threat is displayed in the dashboard, clicking on it should display the number of systems affected by the threat, the source of the threat, the raw events related to this threat, etc.    Yes\Supported    QRadar's centralized web console can create, modify and view dashboards, and provides multiple out-of-the-box dashboards with default views for specific roles including security, compliance and network staff. QRadar offers comprehensive drill-down: the user can click on a data item to drill into more detail.
133 How many predefined reports does the solution have? List the top 10 critical reports with the fields appearing in each report as a supporting document.    Yes\Supported    QRadar has 1300 out-of-the-box reports. Please refer to the annexure for the top 10 critical report samples.

4.1 PLATFORM SUPPORT MATRIX


Seq    Requirement    Status (Yes\Supported / No/ Not Supported / Available in future version / Alternate Solution / Customization required)    Notes
1 Below is the summarized list of the target operating systems and applications to be supported by the solution
  Operating Systems          
2 Windows Server Operating Systems Yes\Supported        
3 Solaris Yes\Supported        
4 Suse Linux (Open Enterprise Server) Yes\Supported        
5 VMware Infrastructure (ESX Server, vSphere, Workstation)    Yes\Supported
6 IBM Mainframe z/VSE with CA Top Secret    Yes\Supported    Q1 Labs' QRadar supports mainframes and their applications by integrating with the most popular mainframe auditing applications, including IBM RACF, CA Top Secret and CA ACF2.
  Web Services          
7 Apache Yes\Supported        
8 IIS Yes\Supported        
  Databases          

9 MS SQL 2005 & 2008 Yes\Supported        


10 Oracle 10g, 11g Yes\Supported        
  Applications          
11 Microsoft Exchange Yes\Supported        
15 IBM WebSphere Application Server    Yes\Supported
17 Oracle Application Server & related products    Yes\Supported
18 Tridion Content Management Solution          
19 Firewall (e.g. Barracuda, Cyberguard, Checkpoint, Cisco, Juniper, Fortigate, Palo Alto etc.)    Yes\Supported
20 IPS (e.g. Snort, ISS, HP, Juniper etc.)    Yes\Supported
21 Devices compatible with syslog    Yes\Supported
22 Custom developed applications (Java & .Net based)    Yes\Supported    Can be supported through custom parser development
23 Cisco devices (routers, switches, firewalls)    Yes\Supported
24 Non-IP devices (e.g. UPS, air conditioning, motion detection)        The proposed solution can be integrated with any kind of device which generates logs; however, the feasibility of the custom development can only be confirmed after studying the logs.
25 Bidder must provide the full list of platforms supported by the solution, specifying the exact versions of the supported systems        Please refer to the following link for the supported device list: http://q1labs.com/products/supported-devices.aspx

5 ADDITIONAL INFORMATION/TECHNICAL DETAILS
5.1 <CUSTOMER NAME> REQUIREMENTS
<CUSTOMER NAME> is looking to acquire a SIEM to have a centralized Monitoring Solution.

5.2 BRIEF SCOPE OF WORK


 Implementation of QRadar SIEM - Primary and HA instance
 Integration of 53 devices - 32 at production/20 at DR/1 at Location 3
 3 custom connector development for 3 custom applications
 Periodic Maintenance & Onsite Support
 Knowledge transfer and training

Note:

 Since we do not have any information on the count or types of event sources, it has been assumed that all 53 event sources are supported out of the box by the proposed solution. The actual number, with models and exact versions, will be shared by the client at a later stage. This is very important to ensure that all log sources are supported.

5.3 SOLUTION DESCRIPTION
<Company Name> is pleased to present the IBM Q1 Labs Security Intelligence Framework proposal to
<CUSTOMER NAME> to address your specific business objectives and security challenges.

Information and security professionals, tasked with keeping their organization secure, are continuously
challenged with improving their abilities to manage risk across an ever-growing spectrum of
vulnerabilities and compliance mandates, before a breach actually occurs.

Internet-based threats and fraud continue to proliferate in today’s complex networks. Compounding this
problem is a steady rise in insider theft of valuable corporate information. QRadar SIEM consolidates
siloed information to more effectively detect and manage complex threats. The information is
normalized and correlated to quickly deliver intelligence that allows organizations to detect, notify and
respond to threats missed by other security solutions with isolated visibility.

<Company Name> is proposing QRadar SIEM for <CUSTOMER NAME>'s requirements:

A single QRadar 3105 SIEM appliance including a license to support up to 5000 events per second (EPS).
The log, event, and flow data will be collected and stored centrally. The approximate number of event
sources is 50 (The exact number of events, log sources etc. will be determined as the project
progresses).

QRadar appliances are used for the collection, processing and storage of device log and event data, such
as from Intrusion Detection Systems, Firewalls, Operating Systems, applications and network
infrastructure.

QRadar integrates with hundreds of devices through DSMs (Device Support Modules), which collect data from devices using agentless and, in some cases, agent-based methods. DSMs support a variety of log and event collection protocols, including syslog, SNMP, JDBC/ODBC for database connections, and proprietary protocols such as SDEE.

For Windows environments a QRadar Adaptive Log Exporter agent can be used to collect logs and monitor files on Windows devices. QRadar also supports an agentless option that collects logs from many Windows devices via WMI/DCOM without installing anything on the devices themselves.

Not only do QRadar appliances collect and store logs, but they also start the correlation processes by
performing correlation of logs/flows/vulnerability data to determine when a sequence of activity
generates an “offense” (incident) on the QRadar console.

QRADAR SIEM

 Provides contextual and actionable surveillance across an entire IT infrastructure, allowing an organization to detect and remediate threats such as inappropriate use of applications, insider fraud, threats that could be lost in the noise of millions of events, and more.

 Delivers deep visibility into network, user and application activity providing organizations
with intelligence into potential and existing threats across their entire network.
 Brings the transparency, accountability and measurability critical to the success of meeting
regulatory mandates and reporting on compliance. QRadar SIEM’s unique correlation and
integration of all surveillance feeds yields:
o More complete metrics reporting around IT risks for auditors
o Thousands of reports and rules templates to address industry compliance
requirements

QRadar SIEM provides a next generation solution that can mature with an organization, scale to support
a growing infrastructure and deliver a common user experience to many groups across the organization.
With log management, advanced threat detection, and policy-aware compliance management all
combined in QRadar SIEM, organizations benefit with a tightly integrated solution that quickly and easily
delivers corporate-wide security intelligence.

QRADAR RISK MANAGER OPTIONAL

Regulations define specific traffic and firewall policies that must be deployed, monitored, audited, and
enforced. Yet many attacks on a network come from inconsistent network and security configuration
practices highlighting the need for automated network configuration audits and alerts of policy
breaches. Unfortunately, due to the silos created by traditional SIEM and log management solutions,
organizations often lack the ability to seamlessly assess when a network configuration allows traffic that
is “out of policy” by a regulation, corporate mandate, or industry best practice.

IBM will leverage QRadar® Risk Manager which extends the value of a SIEM deployment to provide
organizations with total security intelligence and greatly improves the ability to automate risk
management functions in mission critical areas, including network and security configuration,
compliance management, and vulnerability assessment.

QRadar Risk Manager integrates risk management, SIEM, log management and network behavior analysis to automate risk management functions in mission critical areas. It greatly improves an organization's ability to assess information security risk and is delivered in a single, integrated console. The solution automates the assessment of security policies while leveraging the broadest range of risk indicators, including network and security configuration data, network activity data, network and security events, and vulnerability scan results.

Reporting

QRadar provides a wide variety of default reports as part of the solution with add-on charges, and a Report Creation Wizard for defining report layouts. The wizard gives the flexibility to create customized or user-defined reports.

Various reports are defined in QRadar by default to help satisfy common regulatory reporting
requirements as follows:

 PCI – Payment Card Industry Data Security Standard
 COBIT – Control Objectives for Information and Related Technology
 SOX – Sarbanes-Oxley Act (Public Company Accounting Reform and Investor Protection Act)
 GLBA – Gramm-Leach-Bliley Act
 FISMA – Federal Information Security Management Act
 NERC – North American Electric Reliability Corporation
 GSX – Government Secure Extranet
 HIPAA – Health Insurance Portability and Accountability Act

Available Report Formats:

 PDF
 RTF
 XML
 XLS
 HTML

Security, Backup and Operational Procedures

The QRadar architecture provides an automated backup/restore process for mission critical data
including both configuration and collected data (i.e. events and flows). Backup files are automatically
compressed and archived if needed for configuration and data restoration.

QRadar provides a log and flow storage lifecycle, which supports both on-line, near line and off line
storage requirements.

The solution supports 3 distinct phases:

 uncompressed,
 compressed, and
 Archived logs.

Both uncompressed and compressed storage can be "on-line" and readily available for use within QRadar. On-line and near-line logs can be stored directly on QRadar appliances, which support up to 6 TB of storage, or on high-speed external storage such as IP SANs or Fibre Channel SANs. QRadar uses GZIP compression and provides on average a 10 to 1 reduction in the disk space used by events.

Use of compressed on-line data in QRadar is transparent to the user. The user can specify how long data is retained on-line in both the uncompressed and the compressed phase.

Archived (backup) data is the final phase and provides the ability to store archived events off-line on external storage for later use. Archives can be saved on any third-party storage solution. The backup/archive process can include log, network activity and configuration data, and can be scheduled as necessary. Backups are taken while the system remains on-line and are time-stamped. Backup data can be imported back into QRadar as necessary.

QRADAR SOLUTION ASSUMPTIONS

Because there is no clear visibility into the number, models and versions of log sources, or into which applications are critical and which are commercial, <Company Name> has set the following assumptions in order to scope the <CUSTOMER NAME> SIEM solution:

 Up to 5000 events per second
 <Company Name> has assumed that the Event Processor or Console will not exceed 750 devices. A device license upgrade will be required if 750 devices are exceeded.
 It is extremely important, once the project is awarded, to obtain the exact list of log sources with their models and versions to ensure that QRadar supports them out of the box.

<Company Name> will be more than happy to work closely with <CUSTOMER NAME> to further refine
the overall scope based on <Company Name> experience and intelligence.

ARCHITECTURE

QRadar's flexible three-tiered architecture, covering the collection, analysis and presentation of security and network information, allows for scalability and manageability in large enterprise networks.

Based on the scope defined by <CUSTOMER NAME>, the architecture recommended for <CUSTOMER
NAME> is a single QRadar appliance per site that supports logs, flows and on board storage.

The QRadar solution is made up of three components that are all delivered on easy to install and
manage appliances. QRadar’s database is purpose built and embedded as part of the solution hence
providing on-appliance data storage, as well as integrating with SAN/iSCSI storage networks.

The QRadar Console provides a multi-user secure web based global view into the entire network. The
QRadar Server Console combines analyses and correlates data from all Events and Flows to provide
highly prioritized actionable offenses, real time views and dashboards and robust reporting capabilities.

QRadar Database

At the heart of the QRadar solution is a custom-designed database that supports the high-speed insertion, analysis and storage of network flows and raw events required by large global deployments. The database has been designed for simplicity and requires no advanced database expertise or writing of database queries. A PostgreSQL RDBMS is used for storage of offenses, asset profiles and configuration data. Information stored in either database can be extracted when necessary. The database is included at no additional cost.

It is self-maintaining and efficient in storing logs and network activity data.   It is also highly scalable and
supports a distributed model, allowing for distributed storage, while maintaining a centralized view of all
data. 

DISASTER RECOVERY

QRadar appliances use dual redundant (auto-sensing) power supplies and internal hardware RAID 10 for data storage, so that a single power-supply failure, or a single disk failure within a mirrored pair, does not cause loss of data. RAID protects against component failure only; it is not a substitute for the backup and high-availability options described in this section.

Additional redundant QRadar hardware appliances can be deployed for disaster recovery or high
availability solutions. QRadar has native capabilities for flow and event forwarding from all components
to redundant boxes to ensure that during a failure a redundant system is available, processing data, and
contains the previously stored data.

High Availability

Q1 Labs QRadar Security Information and Event Management (SIEM) solution is purposely built to
integrate log management with SIEM, delivering scalable log management without any compromise on
SIEM “Intelligence”.

QRadar easy-to-deploy high availability (HA) appliances provide fully automated failover and disk
synchronization for high availability of data collection and analysis capabilities without the need for
third-party fault management products.

Many network and security teams are overwhelmed collecting and analysing billions of network and
security logs produced each day.

For most SIEM vendors, the solution for managing such log volume, and offer high availability, has been
to invest in complex OS and database clustering, often combined with a spares solution for replacing
failed hardware. Other vendors simply rely on their built-in hardware capabilities such as hardware
RAID, but this does not provide true HA.

 Automated Failover
• The QRadar HA solution supports seamless failover between the primary and HA
appliance in the event of primary appliance or network failures.

• In addition, QRadar tests for connectivity to all appliances within its distributed deployment, including network devices such as switches and routers, to determine when or whether a failover occurs.

 Built-in Disk Synchronization
• Replicates all data, such as configuration, logs, flows and reports, from the primary appliance to the secondary HA appliance.
• This is a capability unique to QRadar; other solutions require database clustering, or can only replicate configuration data between systems, resulting in a major gap in the availability of security and compliance data.

 Reduced Cost of Ownership and downtime
• QRadar’s HA solution reduces cost of ownership over solutions that require complex
database clustering and third-party failover management products.
• QRadar’s HA appliances also inherit the IP of the primary appliance, allowing all log
sources that were feeding QRadar logs to automatically be routed to the new HA
appliance without costly device configuration changes.

 Easy to deploy
• QRadar’s HA is plug-and-play and configured through a simple to use wizard-based user
interface.
• When an HA appliance is added to a primary appliance, QRadar automatically
synchronizes the data between the two systems, while continuing to perform real time
analysis and storage of log and flow data.

6 APPROACH & METHODOLOGY
6.1 IMPLEMENTATION METHODOLOGY
<Company Name> has evolved a mature implementation methodology that bundles SOC best practices
as part of setup.

<Company Name> offers a comprehensive implementation methodology to set up an integrated, continuous and holistic system for security monitoring. Using our repository of tools, we implement technology and processes for security monitoring quickly and effectively. Salient features of our implementation methodology are:

1. Customization of SIEM to deliver rules & reports for critical threat scenarios

2. Setup of log baseline, global threat integration to see more events & gain key insights

The detail of steps involved in our implementation methodology is given below:

Figure: implementation steps. Asset Valuation & Risk Profiling -> Log Baseline Development -> Product Installation -> Customize alerts, rules, reports -> Develop Installation and handover documents -> Develop SLAs -> Knowledge Transfer

STEP 1 - ASSET VALUATION & RISK PROFILING

During this phase, an asset inventory is built up of the servers & devices in scope. Asset valuation is
carried out. Assets are valued as high, medium or low value based on their criticality to business
processes, replacement cost and dependencies with other assets. Risk profiling involves network
modelling based on placement of assets in the network and corresponding exposure. Exposure of a
device varies based on its position in the network. The valuation carried out will be used to populate
asset database of SIEM. Combination of asset value and exposure of the device is an important criterion
in prioritizing the event.

STEP 2 - LOG BASELINE DEVELOPMENT

56 | P a g e
Confidential Document
During this phase a log baseline is developed for assets in the scope of monitoring. A gap analysis will be
conducted to determine the logging capability of an asset, current logging enabled and the required
level of logging. We will coordinate with the relevant IT and security team to enable the additional level
of logs required across assets. In this phase, we achieve the following.

 Configure devices to generate security-essential events
 Stop or reduce noise events
 Optimized event collection increases detection capability and reduces consumption of the log monitoring system's resources

The snapshot below is an example for an Oracle database.

STEP 3 - PRODUCT IMPLEMENTATION


Implementation phase will involve installation of SIEM product modules in coordination with IT team at
<CUSTOMER NAME>.

STEP 4 - CUSTOMIZE RULES, REPORTS, DASHBOARDS


In this phase, customization of rules to filter in required events will be configured. Rules for alerting will
be developed based on threat scenarios, this also includes correlation rules. Report formats will be
developed and finalized based on feedback from <CUSTOMER NAME>. Report formats will include
operational daily, weekly and monthly MIS reports. Reports will also include threat scenario based value
add reports based on threat profiles, trend analysis. Security dashboards will also be configured based
on business requirements. <Company Name> has also developed management level heat map reports
to track & identify improvements in IT areas based on monitoring.

A few sample reports, dashboards are shown below:

STEP 5 – DEVELOP INSTALLATION AND HANDOVER DOCUMENTS

Documentation lays the foundation for implementation of robust & scalable monitoring practices. Our
documentation framework encompasses all the critical processes required for SOC. During this phase,
we will develop Installation and handover documents.

STEP 6 - DEVELOP SLA

It is a good practice to develop SLAs to deliver services to business units and also to measure
effectiveness. We will develop SLA metrics aligned with business requirements of the organization.
Processes to track measure and report SLAs will also be developed.

STEP 7 - KNOWLEDGE TRANSFER

There will be consistent knowledge transfer across the implementation phase. We will train
<CUSTOMER NAME> team on configuring and using SIEM product. We will also train operations team on
processes and handover SOPs that have been developed. Along with this, best practices will be shared.

6.2 UNIQUE 7-STEP METHODOLOGY FOR MONITORING
<Company Name> has devised a unique 7-step methodology that enables detection of more security events while at the same time identifying the specific events that can cause harm. Identifying the right event is like searching for a needle in a haystack: unless the right processes are deployed and the technology is customized, an enterprise is unlikely to see critical events in the noise of normal events. The methodology also enables the enterprise to gain more insight through integration with a global threat database, and supports the strengthening of other security/IT controls through root cause analysis that leads to identification of security enhancements. The sections below describe the steps in the methodology.

STEP 1 - LOG AGGREGATION

Log aggregation requires implementation of the right architecture and the enabling of relevant logs in
servers, network & security devices. We build multi-tier architectures that are scalable and enable
effective log management. We define log baselines for all the different platforms in an enterprise. The
log baselines clearly capture the events that need to be logged. This leads to relevant logs being
available for analysis.

STEP 2 - EVENT NORMALIZATION

Log formats across multiple platforms and products vary in format, length, fields, content. Normalization
of these formats in to a standard format is critical for further analysis. In order to productively store this
diverse data in a common database, SIEM event manager evaluates which fields are relevant and
arranges them in a common schema. SIEM as a technology has support for normalizing a rich set of
fields from device logs. This provides the flexibility required for analysis & reporting of events. Diagram
below provides an example of how Cisco PIX log content is normalized.

STEP 3 - FILTERING AND RULE DATABASE

<Company Name> has developed a customized set of rules for multiple platforms to ensure that a meaningful set of events is filtered out of the millions of logs generated by devices and servers. We build these rules into the SIEM event manager as part of our setup process. Filtering eliminates noise events. As an example, enabling Microsoft audit logging can generate many different types of events; it is important that we filter in the security events that matter. We have a rich set of filtering rules across many different platforms, built as part of the implementation phase. The diagram below shows an example of filtering rules for the Microsoft Windows platform.
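The following Python script is an added example (not QRadar's DSM code and not part of the original proposal) of steps 2 and 3 together: it parses constructed Cisco PIX syslog lines and Windows Security events into one common schema, then applies noise filters to the normalized events. The schema field names, the severity mapping, the key=value form in which the Windows events arrive, and the noise lists are assumptions for illustration.

```python
"""Event normalization (step 2) and filtering (step 3) for a SIEM pipeline.

Added example, not vendor code.  Cisco PIX syslog lines and Windows
Security events (key=value form, as an agent might forward them) are
parsed into one common schema; noise events are then filtered out.
Sample lines are constructed; schema, severity map and noise lists are
assumptions.
"""
import re
from datetime import datetime, timezone

SAMPLE_LINES = [  # constructed, not captured from any real device
    "Jan 31 10:15:01 fw01 %PIX-6-302013: Built outbound TCP connection 90 for outside:192.0.2.10/443 (192.0.2.10/443) to inside:10.0.0.5/51234 (10.0.0.5/51234)",
    "Jan 31 10:15:02 fw01 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "Jan 31 10:15:03 fw01 %PIX-6-302014: Teardown TCP connection 90 for outside:192.0.2.10/443 to inside:10.0.0.5/51234 duration 0:00:02 bytes 1320 TCP FINs",
    "Jan 31 10:15:04 dc01 WinSec EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=10.0.1.20",
    "Jan 31 10:15:05 dc01 WinSec EventID=4634 TargetUserName=jsmith",
    "Jan 31 10:15:06 dc01 WinSec EventID=5156 Application=\\device\\harddiskvolume2\\windows\\system32\\svchost.exe SourceAddress=10.0.1.20 DestAddress=10.0.0.5 DestPort=445",
    "Jan 31 10:15:07 dc01 WinSec EventID=4625 LogonType=3 TargetUserName=Administrator IpAddress=198.51.100.7 Status=0xC000006D",
]

SYSLOG_HDR = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
PIX_MSG = re.compile(r"^%PIX-(?P<sev>\d)-(?P<id>\d+): (?P<text>.*)$")
PIX_DENY = re.compile(r"src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
PIX_CONN = re.compile(r"for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) .*?to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
KV = re.compile(r"(\w+)=(\S+)")

# Cisco syslog severity 0 (emergency) .. 7 (debug) mapped to an assumed 1-10 scale, higher = worse
PIX_SEVERITY = {0: 10, 1: 10, 2: 9, 3: 8, 4: 6, 5: 4, 6: 2, 7: 1}
WIN_SEVERITY = {"4625": 6, "4720": 5, "4672": 5, "4624": 2, "4634": 1, "5156": 1}
# Assumed noise: PIX connection build/teardown, Windows logoff and Filtering Platform chatter
NOISE_PIX_IDS = {"302013", "302014", "302015", "302016"}
NOISE_WIN_IDS = {"4634", "5156", "5158"}


def base_event(ts, host, vendor, event_id, severity, action, raw):
    """The common schema every source is mapped into."""
    return {"ts": ts, "host": host, "vendor": vendor, "event_id": event_id,
            "severity": severity, "action": action, "user": None,
            "src_ip": None, "src_port": None, "dst_ip": None, "dst_port": None, "raw": raw}


def _pix(ts, host, body, raw):
    m = PIX_MSG.match(body)
    if not m:
        return None
    sev, msg_id, text = int(m["sev"]), m["id"], m["text"]
    action = {"deny": "deny", "built": "allow", "teardown": "teardown"}.get(text.split()[0].lower(), "other")
    ev = base_event(ts, host, "cisco_pix", msg_id, PIX_SEVERITY[sev], action, raw)
    conn = PIX_DENY.search(text) or PIX_CONN.search(text)   # first endpoint treated as source (simplified)
    if conn:
        ev.update(src_ip=conn["src"], src_port=int(conn["sport"]), dst_ip=conn["dst"], dst_port=int(conn["dport"]))
    return ev


def _win(ts, host, body, raw):
    fields = dict(KV.findall(body[len("WinSec "):]))
    eid = fields.get("EventID", "0")
    action = {"4624": "logon_success", "4625": "logon_failure"}.get(eid, "other")
    ev = base_event(ts, host, "windows_security", eid, WIN_SEVERITY.get(eid, 3), action, raw)
    ev.update(user=fields.get("TargetUserName"),
              src_ip=fields.get("IpAddress") or fields.get("SourceAddress"),
              dst_ip=fields.get("DestAddress"))
    if "DestPort" in fields:
        ev["dst_port"] = int(fields["DestPort"])
    return ev


def normalize(line: str, year: int = 2012):
    """Parse one syslog line into the common schema (syslog carries no year; 2012 assumed)."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc).isoformat()
    if m["body"].startswith("%PIX-"):
        return _pix(ts, m["host"], m["body"], line)
    if m["body"].startswith("WinSec "):
        return _win(ts, m["host"], m["body"], line)
    return None


def is_noise(ev: dict) -> bool:
    if ev["vendor"] == "cisco_pix":
        return ev["event_id"] in NOISE_PIX_IDS
    return ev["vendor"] == "windows_security" and ev["event_id"] in NOISE_WIN_IDS


def process(lines):
    """Return (all normalized events, events kept after filtering)."""
    normalized = [ev for ev in (normalize(l) for l in lines) if ev]
    return normalized, [ev for ev in normalized if not is_noise(ev)]


if __name__ == "__main__":
    for ev in process(SAMPLE_LINES)[1]:
        print(ev["vendor"], ev["event_id"], ev["action"], ev["src_ip"], ev["dst_ip"], ev["user"])
```

Of the seven constructed lines, the filter keeps three (the firewall deny, the interactive logon and the failed Administrator logon from an external address); the connection build/teardown, logoff and Filtering Platform events are dropped as noise. Which event IDs count as noise is a per-customer baseline decision from step 2, not a fixed list.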

STEP 4 & 5 - PRIORITIZATION AND CORRELATION

The priority formula, also sometimes referred to as the Threat Level Formula, is a series of criteria that each event is evaluated against to determine its relative importance, or priority, to your network. Priority evaluation is a feature that is always "on" and is applied to all events received by the SIEM manager. The point of calculating an event's priority is to signal to security operations personnel whether the event warrants further notice. The priority of an event is arrived at by correlating multiple factors. The diagram below shows the criteria considered for arriving at the final event priority: agent severity, asset criticality or business value of the asset, history of the attacker or target, vulnerability information, the global monitoring feed, the mapping of the assets and attack signatures. We have integrated multiple components to ensure that false positives and negatives are reduced. This level of customization and correlation ensures that appropriate priorities are allocated to events and the corresponding alert mechanisms are triggered.
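The following Python script is an added example (not a vendor formula and not part of the original proposal) of such a priority calculation. It combines the criteria listed above, including the asset value and exposure produced by step 1 of the implementation methodology, into a single 0 to 10 priority. The weights, the asset inventory, the threat feed, the offense history and the sample events are constructed assumptions.

```python
"""Event priority (threat level) calculation.

Added example, not a vendor formula: agent severity, asset value x
exposure (from the step 1 valuation), attacker history, vulnerability
information and a global threat feed are combined into a 0-10 priority.
Weights, asset inventory, feed, history and sample events are assumed.
"""

ASSET_VALUE = {"high": 1.0, "medium": 0.6, "low": 0.3}
EXPOSURE = {"internet": 1.0, "dmz": 0.8, "internal": 0.4}
WEIGHTS = {"severity": 0.35, "asset": 0.25, "history": 0.15, "vuln": 0.15, "feed": 0.10}


def value_asset(business_criticality: int, replacement_cost: int, dependents: int) -> str:
    """Step 1 valuation: criticality and replacement cost scored 1-3, dependent
    assets capped at 3; the sum is bucketed into high / medium / low."""
    points = business_criticality + replacement_cost + min(dependents, 3)
    if points >= 8:
        return "high"
    if points >= 5:
        return "medium"
    return "low"


# Constructed asset database: value from step 1, exposure from network placement,
# and the services a vulnerability scan found unpatched on the asset.
ASSETS = {
    "10.0.0.5":  {"name": "db01",      "value": value_asset(3, 3, 4), "zone": "internal", "unpatched": {"ssh", "oracle-listener"}},
    "10.0.2.8":  {"name": "web01",     "value": value_asset(2, 2, 1), "zone": "dmz",      "unpatched": {"http"}},
    "10.0.1.20": {"name": "ws-jsmith", "value": value_asset(1, 1, 0), "zone": "internal", "unpatched": set()},
}
UNKNOWN_ASSET = {"name": "unknown", "value": "medium", "zone": "internal", "unpatched": set()}

THREAT_FEED = {"198.51.100.7"}                            # constructed global feed of known-bad sources
OFFENSE_HISTORY = {"198.51.100.7": 3, "203.0.113.9": 6}   # constructed count of prior offenses per source


def priority(ev: dict, assets=ASSETS, feed=THREAT_FEED, history=OFFENSE_HISTORY) -> float:
    """Weighted sum of the five criteria, scaled to 0-10 and rounded to one decimal."""
    asset = assets.get(ev["dst_ip"], UNKNOWN_ASSET)
    factors = {
        "severity": ev["severity"] / 10,                                          # agent severity on a 1-10 scale
        "asset": ASSET_VALUE[asset["value"]] * EXPOSURE[asset["zone"]],           # business value x exposure
        "history": min(history.get(ev["src_ip"], 0) / 5, 1.0),                    # attacker history, saturates at 5 priors
        "vuln": 1.0 if ev.get("target_service") in asset["unpatched"] else 0.0,   # signature hits an unpatched service
        "feed": 1.0 if ev["src_ip"] in feed else 0.0,                             # source listed in the global feed
    }
    score = 10 * sum(WEIGHTS[k] * v for k, v in factors.items())
    return round(score, 1)


def bucket(score: float) -> str:
    if score >= 7:
        return "critical"
    if score >= 5:
        return "medium"
    return "low"


SAMPLE_EVENTS = [  # constructed, already normalized
    {"src_ip": "198.51.100.7", "dst_ip": "10.0.0.5", "severity": 6, "target_service": "ssh",  "signature": "ssh-bruteforce"},
    {"src_ip": "10.0.1.20",    "dst_ip": "10.0.0.7", "severity": 2, "target_service": None,   "signature": "tcp-connection"},
    {"src_ip": "203.0.113.9",  "dst_ip": "10.0.2.8", "severity": 8, "target_service": "http", "signature": "http-sqli"},
]


def prioritize(events=SAMPLE_EVENTS) -> list:
    """Return (signature, score, bucket) per event, highest priority first."""
    scored = [(ev["signature"], priority(ev), bucket(priority(ev))) for ev in events]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for sig, score, level in prioritize():
        print(f"{score:4.1f} {level:8s} {sig}")
```

The same agent severity lands in different buckets depending on the target: the SQL-injection signature against the DMZ web server from a repeat offender scores critical, while the brute-force attempt against the internal database, despite the feed hit and the unpatched service, stays medium because its exposure factor is lower. Raising the severity weight or the history cap changes that ordering, which is exactly the tuning step 4 of the implementation methodology covers.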

We have also developed ready-made correlation rules for a variety of threat scenarios that can affect an organization. These correlation rules and threat scenario detections are implemented during our setup phase. A sample set of threat scenarios is given below:

 Database admin access outside office hours and from a non-authorized location
 Development teams' access to production systems
 Virus/worm propagation in the network
o Internal network scans on a single port
o Multiple AD account logins
 Malware injections taking place on web servers
 Internet banking access from suspicious geographies
 Night-time traffic anomalies
o Significant traffic on trading servers
 VPN connections established in the middle of the night
 Remote vendors connecting using unauthorized tools
 Privilege misuse/escalation
 Identity-based correlation
o Tying a person, as identified through AD or the HR application, to his multiple login IDs in different applications
 Logins using IDs of ex-employees
 Correlating physical access logs with application/OS logins
 Detecting brand misuse using referrer log analysis
 Detecting SQL injection, cross-site scripting and Google hacking by looking at web server logs
STEP 6 & 7 - ALERT AND INCIDENT MANAGEMENT

Robust alert & incident management processes are critical for detection and response to security
incidents. We implement the processes for alerting and incident management as part of the setup
phase. We also integrate these processes with other relevant IT processes including change
management. The process flow is different based on criticality of an alert. The flow chart below is a
sample process that highlights the process flow for a critical alert.

7 TRAINING
Duration: 3 days
Course Overview: Basic User & Administering QRadar is a foundation to QRadar's Next-Generation
SIEM platform. This course is designed to provide an Individual with a basic understanding of
features and skills necessary to deploy and configure QRadar in the network, configure events and
flows, search for data and generate reports. The participant will have a working knowledge in the
operation and administration of QRadar.
Target audience: The class is designed for Security/Network Administrators who have at least
working knowledge of networking and network security and are using QRadar to manage their
network and security programs.
Lab Exercises: In-class, hands-on lab exercises are designed to reinforce the material and ensure
basic understanding. A laptop is required. The class can be delivered using QRadar either in a
customer deployment or using standardized lab server(s).
Prerequisites: Basic networking knowledge, understand TCP/IP operations, experience in network
security.
Course Objectives: Upon completion of this course, the client team will know:
 QRadar's technology and the various problems it solves
 How to configure QRadar to fit your own and other individual requirements
 How to monitor specific information quickly within the QRadar interface
 How to navigate the QRadar interface
 How to use the Log Activity and Network Activity interfaces
 How to create advanced event and flow filters
 Fast searching techniques
 Assets and vulnerability assessment
 How to manage offenses
 How to create and modify rules
 Tuning techniques
 How to generate reports
 DSM integrations
 How to communicate with the Q1 Labs technical support team
 How to access and navigate the Qmmunity support site

Course Modules:

Day 1
1. Introduction to QRadar
2. Common QRadar Menus and Options
3. The Admin Interface
4. QRadar Log Activity
5. QRadar Network Activity
6. Advanced Event and Flow Filters
7. EOD Review
Day 2
1. Assets and Vulnerability Assessment
2. Offenses
3. Working an Offense
4. Rules and Building Blocks
5. Case Studies
6. EOD Review
Day 3
1. Tuning
2. Case Studies
3. Dashboards
4. Reporting
5. Support Information
6. EOD Review
7. Course Review

8 PREREQUISITES
Minimum specifications of a PC used to access the Q1 web interface:

CPU: Single CPU 2.0 GHz+
RAM: 6-8 GB
Browser: Mozilla or IE
OS: Windows XP/7/2008 Server

9 PROJECT PLAN
Activity (Duration in man days: 10)

Phase 1
• Planning and Design Discussion
• Framework Workshop
• Basic Configuration of the Appliance, e.g. IP address configuration and email server configuration
• Testing the connectivity of the appliance to the network
Phase 2
• Updating the appliance
• Applying the Patches
• Updating the DSMs
• Updating the Vulnerability Scanners Database
• Creating the Network Architecture, derived from the meeting in Phase 1
• Adding the Firewall Log Sources
Phase 3
• Testing the Data and Reports of the Firewall Log Sources
• Adding the remaining Log Sources
• Adding Unsupported Log Sources
• Testing the Data and Reports of the new Log Sources
• Configuring the Backup of the appliance
• Configuring the Alert settings
• Configuring data to conform to data retention requirements
Phase 4
• Fine Tuning
• Knowledge Transfer:
  • How to access the system
  • How to add and configure new logging sources (servers, firewalls, switches)
  • How to keep the system tuned (after adding systems, or to account for additional logging on existing servers)
  • How to manage and support the system
  • How to access technical support
  • How to troubleshoot issues
  • How to back up data for archive and/or recovery
  • How to access pre-defined reports
  • How to set up, customize and produce pre-defined or canned reports
  • How to print and save reports
  • How to export reports to different formats
  • How to create scheduled reports

Note:

• The total number of event sources that are in scope of integration is 53 and custom parser
development for 3 custom applications.
• If consultancy and/or installation takes longer than the number of days quoted as a result of
insufficient or incorrect information, additional time will be charged at the daily rate.
• If consultancy and/or installation takes longer than the number of days quoted as a result of
missing software, or network or hardware not ready/not pre-configured, additional time will be
charged at the daily rate.
• If the consultant qualifying the work feels that a pre-implementation meeting is needed (due
to lack of information available from the end customer, network issues etc.), this needs to be
arranged well in advance of the actual implementation dates.
• If a pre-qualification meeting has taken place between the end customer and the consultant,
the number of days quoted for the work is then guaranteed.
• It is assumed that all the 53 event sources in scope of integration are out of the box Q1
supported event sources and versions and the above project plan is applicable only for the
same.
• Only QRadar supported logs will be collected from end device/event sources (53 event
sources).
• <Company Name> will follow QRadar recommended procedure for log enabling and log
collection.
• Custom parser development for 3 applications is in scope of the project. However, the
feasibility of parser development can only be confirmed after studying the logs.
• It is assumed that all event sources in scope of integration are accessible from a single
location and that travel outside the primary site is not in scope; travel, if required, will incur
additional cost.
• Client will provide logistic support to <Company Name> while conducting discussions,
meetings, rolling out training programs etc. relevant to this project.

PRE ENGAGEMENT CHECKLIST

The following must be completed by the customer prior to the beginning of the engagement.

APPLIANCE INSTALLATION

• Request Qmmunity/Customer Support access
• Request license keys from Q1 Labs Support (see documentation with appliance)
• Record installation key(s) located on appliance(s) (sticker placed on top of appliance or
located with shipping documentation)
• Rack and power appliance(s)
• Attach monitor & keyboard (or provide KVM/DRAC equivalent) to all appliances
• Provide hot network connectivity to all appliances
• Identify appliance network settings: Hostname, IP Address, Subnet mask, Default gateway,
NTP/DNS/Mail servers (See Install Guide for details)

PREPARATION

• A workstation must be provided for connecting to the QRadar console.
• Access to the QRadar console on TCP ports 22, 10000, 80 and 443 must be provided from
the workstation provided. Firewalls between the workstation and the QRadar console must
allow the specified connections.

Note:

• Consult documentation or Q1 Labs Support for required port(s) for appliances
communicating across firewalls and/or specific DSM requirements.
• Operational secure shell (SSH) and secure copy (SCP/SFTP) programs must be installed on
the workstation used to access the QRadar console.
• The following must be installed on the workstation provided:
  • A recent version of Mozilla Firefox (preferred), or Internet Explorer 8.0 or 9.0 with
Compatibility View enabled.
  • Java Runtime Environment version 1.6 or above
  • Adobe Flash 10.x
• Identify Log Sources, type, and numbers for log collection
• Identify Network Hierarchy: Subnet Name, Description, IP/CIDR values, Risk weight (see
Install Guide and/or Admin Guide for additional information)
• Identify Critical Assets: Hostname, IP address(s), type (domain controller, mail, web, DNS,
scanners, firewalls, etc.)

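The port requirement in the PREPARATION checklist is the item most often found incomplete at kick-off, so a consultant will want to verify it from the workstation before the engagement day. The script below is an added example written for this proposal, not a Q1 Labs or QRadar tool: it attempts a TCP connection from the workstation to the console on each of the four listed ports (22, 10000, 80, 443) and reports which ones are open, refused, or time out (a timeout is the typical signature of a firewall silently dropping the connection). The console hostname is an argument; the `self_test()` function is an assumed helper that exercises the same logic against a loopback listener so the script can be checked offline.

```python
"""Pre-engagement connectivity check for the QRadar console workstation.

Added example for this proposal (not QRadar's own tooling). From the
workstation that will be used during the engagement, it probes the console
on the TCP ports the checklist requires and classifies each result. A
'timeout' usually means a firewall between the workstation and the console
is dropping the traffic; a 'refused' means the host answered but nothing is
listening on that port.
"""
import socket
import sys
from typing import Dict, Iterable, List, Optional

# TCP ports named in the pre-engagement checklist (descriptions are ours).
CONSOLE_PORTS: Dict[int, str] = {
    22: "SSH / SCP / SFTP",
    10000: "QRadar console port listed in checklist",
    80: "HTTP",
    443: "HTTPS",
}


def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connect to host:port and return one of
    'open', 'refused', 'timeout' or 'unresolved'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"      # DNS/hostname could not be resolved
    except socket.timeout:
        return "timeout"         # no SYN/ACK: typically filtered by a firewall
    except OSError:
        return "refused"         # host reachable, port closed (RST) or unreachable


def check_console(host: str, ports: Optional[Iterable[int]] = None,
                  timeout: float = 3.0) -> Dict[int, str]:
    """Probe every required port and return {port: status}."""
    if ports is None:
        ports = tuple(CONSOLE_PORTS)
    return {port: check_port(host, port, timeout) for port in ports}


def blocked_ports(results: Dict[int, str]) -> List[int]:
    """Ports that are not open, i.e. the items to raise with the customer."""
    return sorted(port for port, status in results.items() if status != "open")


def report_lines(host: str, results: Dict[int, str]) -> List[str]:
    """Human-readable summary, one line per port."""
    lines = [f"Connectivity from this workstation to {host}:"]
    for port, status in results.items():
        label = CONSOLE_PORTS.get(port, "custom port")
        lines.append(f"  tcp/{port:<5} {status:<10} ({label})")
    missing = blocked_ports(results)
    lines.append("All required ports open." if not missing
                 else f"Not reachable: {', '.join(str(p) for p in missing)}")
    return lines


def self_test() -> Dict[int, str]:
    """Offline demonstration (assumed helper): probe a loopback listener and a
    port on loopback that nothing listens on. Returns {open_port: 'open',
    closed_port: 'refused'} so the classification can be checked without a
    real console."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released: nothing listens here now
    try:
        return check_console("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    # Usage: python check_console_ports.py <console-hostname-or-ip>
    if len(sys.argv) != 2:
        print("\n".join(report_lines("127.0.0.1 (self-test)", self_test())))
    else:
        print("\n".join(report_lines(sys.argv[1], check_console(sys.argv[1]))))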
10 BILL OF MATERIALS
SKU | Q1Labs - QRadar | Qty
(SKU not given) | High Capacity Base 3124 Appliance and License. Flows/Minute=25,000 (50,000 NetFlows), EPS=1000, Log Sources = 750, Network Objects = 1000. Requires QFlow Collector(s) for layer 7 network activity monitoring. Includes 16 TB of onboard storage. | 1
QR-5KEPS-UPG | Upgrades Base 31XX from 1000 EPS to 5000 EPS | 1
QR-3124-HA-XS | 3124 High Availability Appliance | 1
Support One Year
QR-3124-XS-PM | Premium Maintenance for QR-3124-XS - 1 Year | 1
QR-5KEPS-UPG-PM | Premium Maintenance for QR-5KEPS-UPG - 1 Year | 1
QR-3124-HA-XS-PM | Premium Maintenance for QR-3124-HA-XS - 1 Year | 1
Professional Services
CL-CX-1D-ME | QRadar SIEM Training | 3
(no SKU) | <Company Name> PS for implementation - 53 event sources | 10
QR-Remday-PS-1 | Remote Professional Services - 1 Day Increment UDSM creation | 9
(no SKU) | Bidder On-site Periodic support & maintenance for Two (2) Years | 2 years
(no SKU) | Bidder on-site support on-need basis | 50 Man days

11 ONSITE SUPPORT

12 PROJECT MANAGEMENT APPROACH
High quality deliverables require strong project management. The key elements in our project
management that improve the quality of a project are:
• Project Plan Development, which defines the scope, deliverables and tasks to be carried out in a detailed manner and allocates responsibilities for each task.
• Project Plan Execution, which is achieved through the right skills of the team members and the right methodologies / tools employed in the project.
• Project Overall Change Control, which is achieved through a defined process and templates for change management involving both the client and the project team.
• Project Configuration Management, which is managed through a document library, document version management and software/tool configuration management.
• Project Control, which is achieved through performance metrics for tasks and people during the project and communication management within and outside the project team.

[Figure: project management process diagram showing Project Management Process, Project Integration Management, Quality Management Process, Project Measurement Management, Quality Control, Quality Assurance and Continuous Improvement]

These processes enable us to understand your requirements and expectations from the project completely and deliver them within time and budget. Our methodology for achieving all these is described in our project management process below.

PROJECT MANAGEMENT PROCESS

Our Project Management methodology covers the following areas:


o Set up project organization structure
o Develop and track project plan
o Manage project risks
o Manage project changes
o Manage project information and communication
o Project Completion & sign-off
o Quality Assurance Measures

The activities under each are described below .

PROJECT ORGANIZATION

Successful completion of a project requires a formal structure to be established for reporting, coordinating
and performing the project tasks. We will set up the following project organization:

[Figure: project organization chart showing Our Team (Project Director, Project Lead, Team Members) and Client Team (Project Sponsor, Project Coordinator)]

Our Team
The project team will be headed by a senior resource designated as Project Lead (or Project Manager), who
will be responsible for successful project execution, including project management activities.
The Project Lead will be the prime contact person between Client and <Company Name>. He will have sufficient
authority to take final decisions on behalf of the company within the contracted terms and agreed
scope of the project.
The Project Lead will report to the ‘<Company Name> Project Director’, who will provide guidance as well as
measure the performance of the project. The Project Director will also act as the final escalation point for
<Company Name>.
The project team will comprise technical resources as per the tasks/activities in each phase, who will be
committed to the phase throughout its duration, unless otherwise agreed in advance with Client.
Client Team
Client will provide a Project Sponsor, who owns the project. He should have appropriate authority to
resolve issues, provide resources and approve the project plan & project changes. He will also provide the
overall direction and decision making for the project.
A Project Coordinator will work with the project team to facilitate information collection and interaction
within the client organization, and to coordinate the activities to be performed by the client as mentioned in
this proposal or as identified in the project plan.

PROJECT PLAN

<Company Name> will prepare a project plan at the beginning of the project that will list the set of tasks for
successful completion of the project. The plan will be used for tracking the project status. The plan will
contain the following:
• Project Objectives (where applicable, phase-wise objectives) and Client expectations
• Implementation plan with milestones
• Resources with roles & responsibilities

• Dependencies with other tasks/ entities
The project plan will be updated throughout the project lifetime to reflect changes or additional information
obtained during the project. The initial plan will be developed immediately after the project kick-off
meeting with Client, where the objectives and expectations will be captured in detail through the ‘PDE’ form
(project deliverables and expectations).

RISK MANAGEMENT

Project risk management recognizes a formal approach to the process as opposed to an intuitive
approach. Risks, once identified, assessed and allocated should be managed in order to minimize or
completely mitigate their effect on a project. This may be achieved by developing either immediate or
contingency responses to the identified risks. We will employ the following formal process -

Issue management – The Project Lead will prepare & maintain an ‘issue log’ document that will record all
issues impacting the project. It will be the responsibility of the Project Lead to foresee issues as well as
to draw out issues from project team members at an early stage. An action plan will be developed for each
issue after evaluating its impact and the possible corrective actions. All issues will be actively monitored
for closure and escalated to the project sponsor/ project director as required.

Formal periodic internal review with Project Director- Project Lead will conduct a periodic project review
meeting with <Company Name> Project Director, where any risks to project quality and timeliness will
be proactively identified and mitigation measures suggested. The first review will be before the
commencement of project and will identify risks related to:
• Clarity of scope, deliverables & client expectation
• Availability of tools, methodology, documentation and skills
• Dependencies on external entities/ tasks for project completion
• Additional controls for mitigating risks of non-completion of project

CHANGE MANAGEMENT

Our change management process is defined for addressing any changes to the project and ensuring that
its impact is considered in a formal documented manner. Changes can be in scope of project, in
completion time frame or in resource profiles employed in the project. Our process for change
management involves the following:

Change initiation – All changes will be initiated through a formal change request form, which captures
change requester, description of change and reasons for change.

Change impact – Project Lead documents the impact of the change on project schedule and cost. He
also recommends the alternatives for managing the change.

Change approval- All changes have to be approved by Project Sponsor before any action is taken.

Change incorporation- Post approval, the Project Lead updates the project plan and communicates the new
responsibilities, tasks and timelines to all project members. All relevant documents are also revised to a
new version incorporating the change.

INFORMATION MANAGEMENT

Our Information management process will cover the following aspects-


Project Information Flow- To manage information to and from the project team, a common project
email-id will be set up which will act as central point for requesting information, collecting and storing
data. Information sharing between project team will formally be facilitated through periodic team
briefings by Project Lead, wherein project status and individual activities will be discussed. The first of
such meetings will be after formalization of plan and project management process and the purpose of
this meeting will be to communicate such plan & process to team members and assign appropriate
responsibilities.

Document management- The project team will set up document library system to facilitate collection,
organization and retrieval of project documents. Documents will be named and labeled using a standard
nomenclature. The documents will also have the controls over version and distribution. As far as
possible, all project activities and project deliverables will be fully documented and controlled.

Client communication-

Formal project communication will consist of:

• Progress report – <Company Name> will write and deliver a progress report for Client’s management
on an agreed schedule (weekly/ fortnightly) throughout the life of the project. The report will
contain a summary of project status (planned vs. actual), reasons for deviations, and highlight issues
& actions to resolve them.
• Progress meeting – <Company Name> will conduct fortnightly (or weekly) progress meetings with
the Client project sponsor, either in person or over telephone. The meeting will update on status, discuss
the agenda for the next fortnight (week) and resolve issues related to the project.

PROJECT COMPLETION

Projects are formally closed to ensure that all deliverables were met to client’s satisfaction and the
expectations elicited during the projects have been achieved. The processes involved are-
Project sign-off - The formal sign-off is obtained from client as per ‘PDE’ form, which captures the
objectives, expectations and timelines of project execution.
Project feedback form – Experience of Client in interacting with project team and the quality of
deliverables is formally measured through the form ‘PFF’ (project feedback form).
Review by <Company Name> Project Director – The Project Director will formally review the project
completion and client satisfaction to ensure that project has been completed as per client’s
expectations. This review acts as an internal control for Project Lead for successful execution of project.

PROJECT REVIEW/TRACKING

[Figure: project review/tracking flow: Initiation & Kick-off call → Get Pre-requisites → Onsite kick-off meeting → Periodic status updates (delays escalated) → Milestone based tracking → Submit Draft Deliverables → Review Draft Deliverables → Submit Final Deliverables → Project Sign Off]
QUALITY ASSURANCE

Our quality assurance activities focus on the processes being used to manage and deliver the solution,
and are performed by our Project Director, or in some cases jointly with the client. The Project Director
primarily looks at the following under quality assurance:
Quality initiation- At the initiation of the project, the Project Lead reviews with the Project Director the exact set
of tools, methodology & documented checklists to be used for the project. This also ensures the existence of a
documented process for each activity to be undertaken in the project plan. During the project, team
members will follow the documents to ensure consistency in delivery.
Compliance to methodologies- All our project deliverables are based on tested methodologies
developed by us over a period of time. They are backed with work instructions, checklists and tools
wherever required. The Project Director reviews whether the methodology was accurately followed by the
project team to ensure a high quality deliverable.
Compliance to process- The Project Director also reviews whether the project management process, as
described in the earlier section, was followed by the project team. Even without examining a deliverable in
detail, the Project Director should be able to tell whether it seems acceptable based on the process used to
create it: for instance, whether deliverables and expectations were captured, whether reviews were performed,
whether it was tested adequately, whether the customer approved the work, etc.
Quality may also be checked by the Project Director through a sample substantive audit to ensure that the
activity implementation matches the documented process.

QUALITY PLAN

For large projects, we also develop a quality plan along with the project plan at the project initiation stage.
Our Quality Plan identifies the major deliverables, completeness and correctness criteria, quality control
activities and quality assurance activities. The Quality Plan allows you to understand when the
deliverables are completed, as well as how to show they are correct. It also describes the processes and
activities that will be put into place to ensure that quality deliverables are produced. The quality plan is
prepared by the Project Lead, ratified by the Project Director and then approved by our client.

CONTINUOUS IMPROVEMENT

At the end of each project, the Project Lead provides feedback to the Project Director on the quality process and
the metrics captured. These can be leveraged by the organization for an organization-wide metrics
program and provide input into best practices that can be used again.
At the completion of the project, key project learnings are documented to ensure that the efficiency of such projects
is enhanced in future. In this manner all our past learnings from large projects are passed on to future
projects and new clients.

13 RELATED DOCUMENTS
13.1 ANNEXURE 1- NDA

13.2 ANNEXURE 2- LIST OF REPORTS

Regional Offices:

INDIA:
<Company Name> Networks
Mumbai
Technocity, A – Wing, 6th Floor,
Mahapae - 400 709
Phone: +91-22-41615151
Fax: +91-22-41615161

Head Office:
<Company Name> Networks Private Limited
Shilpa Vidya 49, 1st Main,
3rd Phase, JP Nagar,
Bangalore- 560078
Phone: +91-80-42543444

MIDDLE EAST
<Company Name> Networks
Sharjah
Executive Suite, Saif Zone
PO Box 120398, Sharjah
Phone: +971-50-8344863

LONDON, UK
<Company Name> Networks
City Point, 1 Ropemaker Street
London EC2Y 9HT
Phone: +44 (0)845 2270 777
Fax: +44 (0)845 2805 333

USA
<Company Name> Networks
Virginia
12801 Worldgate Drive
Suite 500, Herndon, VA 20170,
USA
Phone: +1-703-871-3934
Fax: +1-703-871-3936

MALAYSIA
Kuala Lumpur
F313, Phileo Damansarai
46350 Petaling Jaya, Malaysia
Phone: +60-3-7960-4275
Fax: +60-3-7660-4273
