
INFORMATION SECURITY

REQUEST FOR QUOTES: Security Operations Center


TEMPLATE OWNER: Rizwan.Mir@spartannash.com

TEMPLATE VERSION 1.0

DATE 23-Apr-20
TITLE: Procurement of Services for Security Operations Center

OBJECTIVE: SpartanNash is seeking a technology partner to provide Services for a Security Operations Center. The services are to be rendered in a Build, Operate and Transfer Mode.

Phase 1 TIMELINE:
June 4 - Final Vendor response
June 5-9 - Vendor Presentations
June 12 - Decision Notification
June 22 - Discovery and Design of SOC
July 10 - Start of SOC Operations
Aug 1st - Training and Process Development
Sept 1st - Transfer of Operations to SpartanNash @ location: Grand Rapids Service Center in Grand Rapids, MI USA
# SpartanNash Questions

1 How long has the vendor company been in the Managed Security Services domain?
2 How many customers during calendar years 2018 and 2019?
3 Number of staff engaged in SOC services with the largest customer by resources?
4 Number of total technical resources in North America?
5 Number of technical resources offshore?
6 Annual revenues for CY 2017, 2018 and 2019?
7 Any customers that can be reached for a reference?
8 Any experience with the Build, Operate and Transfer model?
9 Experience with PCI Compliance, SOX, HIPAA and similar regulatory requirements?
10 Number of Fortune 500 clients?
Vendor Responses
9
0
0

1LINK can be referenced


Yes
No (SOC Team) Yes (GRC Team)
SpartanNash Questions

A 1 Provide Effort and Price to configure Alerts and Log Ingestion on each of the following:
1 Office365 ATP SaaS
2 Defender ATP Endpoint
3 Azure ATP Central
4 Zscaler
5 Palo Alto
6 Cisco Meraki
7 Infoblox
8 CloudFlare
B 2 Provide Strategy of Integrating the above alarms with Azure Sentinel/LogRhythm

C 3 Provide strategy for Organization Discovery effort for SOC setup

D 4 Provide Pricing for Defining, Implementing and Training on the following playbooks

Security Operations Automation - playbook categories:
1 Incident Detection
2 Incident Response
3 Incident Recovery

1 Delivering an Incident Responder's workbench view with the ability to:
1. Block or allow multiple email addresses identified as malicious in the email protection technologies (e.g. Proofpoint or O365 ATP)
2. Block or allow multiple IPs in on-prem or Cloud Security Controls e.g. Zscaler or PAN
3. Block or allow Domains in on-prem or Cloud Security Controls e.g. Defender ATP.
4. Reset Passwords for multiple Users in response to incidents.
5. Send SMS/PagerDuty Alerts when specific types of incidents are received or any automation Use cases fail or reach a threshold.
6. Ability to create ITSM task, change, Incidents, Problems from the Incident Responder Workbench

Further playbooks:
7. For Service Requests from ITSM tools for URL Recategorization Request - parse the URL field, submit to Zscaler and PANDB and respond automatically for recategorization. Then validate when the categorization has been changed. If recategorization is successful inform the User and close the ticket. Update ITSM and Metrics Layer.
2. Phishing Report submission - Monitor a phishing submission mailbox, Analyze the file, attachment, URL on files and inform the user of its maliciousness rating, Identify how many other Users got it, pull the email from those mailboxes and update ITSM layer and metrics layer.
3. Validate the reputation of IP, Domain/URLs, email domains, File Hashes using open and paid threat feeds then offer options to block, quarantine, report for recategorization in Zscaler, Palo, Defender ATP etc.
4. Submit files to common file reputation services like Virustotal, ZULU and then allow options to allow or block in our technologies.
5. If offering an Incident Response Management platform, allow options for multiple closure codes for alerts and incidents and populate metrics layer.
6. If offering Incident Response platform

E 5 Provide Strategy for PCI-DSS and HIPAA compliance monitoring

F 6 Provide strategy of monitoring and alerting on admin accounts

H 7 Provide strategy for training and transferring SOC responsibility to SN employees

10 Provide implementation plan for Dashboard controls (Refer to Dashboard Tab)
Vendor Responses

- During the 1st phase, Ebryx Deployment Team would mainly focus on getting data into the
logging platform, setting up alerting and dashboards.
- During the 2nd phase, Ebryx Monitoring Team will take up the monitoring operations including
creation of playbooks and hold remote sessions with Spartan Nash Team to familiarize them with
different incidents and their analysis / remediation playbooks. Gradually the monitoring workload
will then be shifted over to the Spartan Nash Team.
PRICING (ONE TIME / RECURRING)

#  ITEMS                        Frequency   Pricing
1  Discovery & Build SOC Phase  One Time
2  Operate and Train Phase      Per Month
3  Dashboard                    One Time
4  Any new tools required       One Time

NOTES
A Provide pricing separately, a la carte
B Provide any volume discounts separately
C Provide any other dependencies that can change the pricing
Providing a custom built dashboard containing metrics that are helpful to various IT Security stakeholders:
1. CISO Dashboard View
2. Security Operations Dashboard view
3. IAM Security Operations Dashboard view
4. Server Security Operations view
5. Endpoint Security Operations View
6. Network Security Operations View
7. Email Security Operations Dashboard
8. PCI Compliance Dashboard.

For each technology in scope:
- Uncluttered way to show number of high, medium and low Alerts and Incidents
- Ability to drill down on number to incidents/alerts and then move them to Incident Responders Workbench for action
- Identify how many of those alerts are connected to a PCI network based on a list of PCI network+connected systems
- Asset Inventory Stats - Compliant Assets, Most vulnerable assets, Perimeter facing assets, Web apps, Switches, Routers from V scanning tool

Using data combined from each of the in scope technologies from which either logs are being received or by pulling from relevant Cloud+On-Prem solutions including ITSM tools.
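An added example (not from the RFQ or any vendor response) of the severity roll-up and PCI tagging the dashboard requirement asks for, in Python; the alert records, the PCI network list and the field names (severity, src_ip, dst_ip, host) are constructed assumptions:

```python
"""Roll up alerts by severity and count the ones that touch PCI-scoped networks.

Added example; not part of the SpartanNash RFQ or any vendor's deliverable.
Alert records, PCI networks and field names are constructed sample data.
"""
import ipaddress

# Constructed PCI scope: card-data networks plus named PCI-connected systems.
PCI_NETWORKS = [ipaddress.ip_network(n) for n in ("10.50.0.0/16", "192.168.200.0/24")]
PCI_CONNECTED_HOSTS = {"pos-gw-01", "tokenize-svc"}

# Constructed alerts, shaped like a flat SIEM export.
SAMPLE_ALERTS = [
    {"id": 1, "severity": "high",   "src_ip": "10.50.3.7",  "dst_ip": "8.8.8.8",       "host": "pos-term-17"},
    {"id": 2, "severity": "medium", "src_ip": "172.16.9.4", "dst_ip": "192.168.200.9", "host": "wks-114"},
    {"id": 3, "severity": "low",    "src_ip": "172.16.2.2", "dst_ip": "203.0.113.5",   "host": "wks-031"},
    {"id": 4, "severity": "high",   "src_ip": "172.16.7.9", "dst_ip": "198.51.100.2",  "host": "tokenize-svc"},
    {"id": 5, "severity": "LOW",    "src_ip": "not-an-ip",  "dst_ip": "",              "host": "printer-2"},
]


def touches_pci(alert):
    """True if either endpoint is inside a PCI network or the host is PCI-connected."""
    if alert.get("host") in PCI_CONNECTED_HOSTS:
        return True
    for field in ("src_ip", "dst_ip"):
        try:
            addr = ipaddress.ip_address(alert.get(field, ""))
        except ValueError:  # empty or malformed field: skip it rather than break the dashboard
            continue
        if any(addr in net for net in PCI_NETWORKS):
            return True
    return False


def rollup(alerts):
    """Per severity: total count, PCI-related count, and alert ids for drill-down."""
    summary = {sev: {"total": 0, "pci": 0, "ids": []} for sev in ("high", "medium", "low")}
    for alert in alerts:
        sev = str(alert.get("severity", "")).lower()
        if sev not in summary:  # unexpected severities are surfaced, not silently dropped
            summary.setdefault("unknown", {"total": 0, "pci": 0, "ids": []})
            sev = "unknown"
        bucket = summary[sev]
        bucket["total"] += 1
        bucket["ids"].append(alert["id"])
        if touches_pci(alert):
            bucket["pci"] += 1
    return summary
```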
SpartanNash Requirements

1 Provide Latest SOC 2, type II, along with Pen Test results with no critical findings.
2 Data at rest encryption (TDE) and Data at motion encryption (TLS 1.2 or higher) confirmation
3 Background Check policy for Employees and Contractors.
4 NDA policy for Employees and Contractors.
5 Provide Valid and Latest ISO 27001 or NIST 800-53 compliance and controls
6 Provide documentation on communications between cloud and on-prem AD
7 Provide references of customers consuming Managed Security Services
Vendor Responses

Data at Rest: Microsoft encrypts all data stored at rest in the Azure Log Analytics Storage. Data in Motion: Log Analytics Agents that is mainly used for tra
Ebryx - P-011 - HR Security Procedure
Ebryx - PL-008 - Supplier Security Policy
Appointment Letter
Ebryx-T-057-
Ebryx-T-002 - Statement of Applicability v1.1
