Security Operations Center (SOC) Technical Proposal


Technical Proposal
SOC Build and Enablement Services PSD Document

Copyright © 2022 Data Consult. All Rights Reserved.

Document Control
Document Title: SOC Build and Enablement Services
Document Code:
Document Classification: Confidential
Revision: 01
Date: 2022-08-21

Table of Content
1. Proposed Solution Description ... 4
   A. Service Description and Scope of Work ... 4
   B. SOC Monitoring Solution Architecture provided to the customer ... 7
   C. Data Consult Deployment Approach ... 9
      1. SOC Implementation and Integration ... 9
      2. SOC Operations ... 10
   D. Project Deliverables ... 13
   E. Roles and Responsibilities ... 14
   F. Project Schedule and Timeline ... 16
   G. Service Level Agreements and Responsibilities ... 17
   H. Minimum Hardware Requirements for SOAR Solution ... 20
2. Project Management Principles ... 23
3. Client Engagement Process ... 25
   A. Phase 1: Coordinate/Plan/Prepare ... 25
   B. Phase 2: Kick-off Meeting ... 25
   C. Phase 3: Project Delivery ... 26
   D. Phase 4: Results ... 27
   E. Phase 5: Ongoing Support ... 27
   F. Managed SOC Services Period ... 27
   G. Continuous Quality Assurance ... 27
   H. Account Management ... 27
4. Bill of Quantities ... 29
5. Pricing ... 30
   Payment Terms
   Payment Plan
6. Document Approval ... 32

1. Proposed Solution Description

A. Service Description and Scope of Work

Data Consult is proposing a solution that entails the following components:

1. SOC Implementation Package

Data Consult engineering and security teams will work closely with the customer security and project management team to enable a smooth implementation of the components required for the delivery of the services. These components include a variety of technologies and engineering activities, which we describe at a high level here:
- Information gathering about the monitored environments, usage patterns, existing solutions placement, network layouts, traffic flows, existing security integrations and monitoring capabilities.
- Implementation of SIEM, Ticketing System and EDR.
- Implementation of a SOAR platform that will act as a central fusion point for all technologies, through integration with the SOC solutions, to augment the capabilities of the MSS operations.
- Integration of the installed SOC systems in place to achieve efficient interoperability.
- Configuration of the SIEM solution for 3 months of online log retention and 12 months offline.
- Enablement and optimization of use cases and detection rules on SIEM and EDR.
- Proposition of new use cases and detection rules to cover more attack vectors.
- Elaboration of Security Operations processes and incident handling workflows for better alignment with the designated MSS services.
- Alignment to requirements and expectations from Managed Security Services.

Once complete, the material and documentation elaborated/reviewed will be passed to the service delivery team and used by the security operations team for both SOC security operations and engineering activities.

2. 8x5 SOC Monitoring Services (Level 2 Operations) using SIEM, SOAR and security technologies

We will carry out this service on an 8x5 basis remotely from the Data Consult Security Operations Center, using the SOAR solution as the primary point for operations and going through the customer network to reach the SOC infrastructure. In addition to the existing tools, the Data Consult team will rely on the EDR solution of the monitored environment (prerequisite) and will provide the installation of an on-premises SOAR solution to act as a central hub for security investigations and case management. Further augmentation can take place after gaining insights about the environments covered during monitoring.

The service wrapper will include the following:
- 8x5 Level 2 Cyber Defense Analyst services.
- Classification and prioritization of security incidents and generation of tickets.
- Triage and prioritization of detected incidents.
- Root cause analysis of detected incidents.
- Alarms and notifications via the Case Management System in general, and by phone for critical incidents.

3. 120 Hours/Year Remote Incident Response Retainer (Reactive Security Operations)

The Incident Response retainer services include:
- Receipt of escalated incidents from L2 SOC analysts.
- Identification of, and advisory on, isolation and containment procedures for occurring incidents, in close collaboration with the customer team.
- Forensics and root cause analysis of detected incidents.
- Real-time and post-mortem remote incident analysis and remediation.
- Reporting related to cyber security incidents (occurring incidents, common causes, most exposed systems, analytics, solved/unsolved tickets, etc.).

For the SOC augmentation Data Consult is proposing the following resources:
- 2x Level 2 Cyber Defense Analyst Full Time Employees (FTEs), 8x5
- 1x Level 3 Lead Cyber Defense Analyst Full Time Employee (FTE), 8x5

4. Security Engineering and Use Case Management

The Data Consult team will optimize the existing use cases and detection rules. Moreover, the engineering team will propose newly required use cases and detection rules to allow coverage of more attack vectors.

Service Coverage: 2 new use cases per quarter (8 tuned use cases per year).

Location of Services: Data Consult will deliver services remotely from its Security Operations Center facility in KSA. Further details about the approach, assumptions and responsibilities can be found in section "Data Consult Deployment Approach".

B. SOC Monitoring Solution Architecture provided to the customer

Data Consult will rely on a VPN and a hypervisor at the customer end to connect to the Master SIEM, Master SOAR, Case Management, Ticketing System and EDR at the customer end.

To enable the augmentation of Managed SOC services, the remote IR services, and the SIEM use case engineering and reporting, the following connections, integrations and controls are needed:

1. Secure VPN Tunnel from the Data Consult KSA Tenant to the Customer location: A VPN tunnel should be implemented between the Data Consult tenant in Azure and the Customer site, then from the Customer site to the designated monitored environment. The connectivity provided should allow the SOC assets and analyst endpoints of Data Consult in KSA to communicate with the designated monitored environment (SIEM, SOAR, Ticketing System, EDR).

2. Audited Access: Monitoring should be enforced on the tunnels established from Data Consult KSA to the designated monitored environment.

3. Encryption is always required: Encryption and any other supporting encryption mechanisms will be enforced to guarantee the minimal level of traffic exposure possible during network travel.

4. Thorough Monitoring of the MSS Supporting Infrastructure: Apart from the internally monitored Managed Security Infrastructure at Data Consult, all the nodes and systems between the Data Consult infrastructure, the customer end and the designated monitored infrastructure will be thoroughly monitored, with regular and timely reporting on findings and security KPIs.

C. Data Consult Deployment Approach

The Data Consult SOC program includes two distinct capabilities we will deliver:
- SOC Implementation & Integration
- SOC Operations

1. SOC Implementation and Integration

During the SOC Implementation phase, Data Consult will carry out the following tasks:
- IT infrastructure survey and detailed information gathering from the sites to be monitored, which will allow the SOC team to understand the existing critical assets, network topologies, configurations and restrictions on any asset under the SOC scope of monitoring.
- Coordination with the customer security team to receive a detailed list of critical assets to be monitored and included under the scope.
- Establishing connectivity/policy requirements from the customer and the designated environment.
- SOC Monitoring architecture and technology stack design.
- Remote implementation of the security technologies needed for the Managed Security Services, including the SIEM solution (Splunk), SOAR solution (Palo Alto XSOAR), Endpoint Detection and Response (Carbon Black) and ticketing system (JIRA On Premise).
- Customization and tailoring of the above installed security technologies to cope with the needs and objectives of the project.
- Deployment and configuration of the services needed for log and flow collection from the monitored assets.
- Fine tuning of the production environment after understanding normal traffic patterns.
- Configuration of SOC use cases and correlation rules for the specified kill chains.
- Creation of the dashboards suggested by the Data Consult SOC team.
- Assignment of the triage and escalation playbooks pre-developed by Data Consult.
- Commissioning and testing of the configurations and actions executed, for a one-month pilot before launching the Managed Services into steady-state operation.
- Alignment to SLAs and deliverables.
- Daily updates to the customer on the mobilization of SOC Monitoring.
- Creation/set-up of reports to measure SOC Monitoring.

2. SOC Operations

SOC Capabilities: Data Consult Advanced Cyber Fusion Center

SOAR Automated Tier 1: The Data Consult team will leverage the SOAR, with created playbooks and automation, to allow the SOC tier 1 activities to be completed in an automated fashion by the SOAR, allowing the SOC analysts to focus on more meaningful events and tasks.

Human based Tier 2 Triage Analysis: Data Consult seeks the brightest outside-of-the-box thinkers and analytics-focused security experts to work within the SOC across the different cells. We ensure that their skill sets are kept up to date and in use with regular SANS training and certification. The SOAR handles the time-consuming and more mundane processes and procedures with our internally developed playbooks, giving our senior SOC analysts the resources and freedom needed to investigate enriched tickets and gather enough evidence to identify true positive abnormalities detected in the client's environments.

SOC Management & Reporting: Data Consult has brought recognized leaders into operational and technical roles to establish a solid foundation from which security operations are handled. These leaders understand the needs and have real-world experience; this allows for enhanced client handling and reporting by creating meaningful, client-customized reporting and leadership engagements. Additionally, Data Consult produces regular (weekly, monthly and quarterly) SOC scorecard reports to demonstrate continuous improvement in the operation and to highlight any area that needs to be addressed by the client or Data Consult on an urgent basis. The detailed reporting scope is provided in the deliverables section.

Outputs: Data Consult creates meaningful, client-customized outputs, including automatic reporting and delivery and on-demand reporting and delivery. Data Consult works directly with client stakeholders to understand the output needs and address them in the most effective approach.

During the SOC Operations phase, Data Consult will provide the following capabilities and technical services to the customer (criteria and the corresponding Data Consult Advanced Cyber Fusion Center service):

8x5 Security Monitoring: This service delivers real-time monitoring, correlation, and expert analysis of security activity across your enterprise. The service improves the effectiveness of your security maturity by actively analyzing the logs and alerts from your infrastructure, 8x5. Our certified Security Analysts will have the context needed to eliminate false positives and respond to the true threats to your information assets.

Incident Response Retainer (120 hours per year): This service allows the customer team to have a trusted partner on standby supporting incident investigations, digital forensics, and malware analysis. Additionally, the retainer allows the customer to proactively prepare for cyber security incidents by conducting tabletop exercises or testing of the incident response plan.

Incident Response Retainer (120 hours per year), Reactive Services: Incident Handling: Data Consult Incident Response consultants provide remote incident handling roles. Our incident responders act as an escalation point for the SOC analysts and provide guidance, support, and technical subject matter expertise. The cell works out of two hubs covering the Levant and GCC territories. Data Consult will also roll out an incident handling and forensic lab at the KSA location to support more complex IR needs.

Reactive Services: Forensics + Malware Analysis: Data Consult will roll out an advanced malware and forensic lab at the KSA location. This lab will enable the IR cell and the malware analyst to support greater capacity and more complex artifacts collected from the client environment, or research into threat landscapes. The lab will host a malware repository that will provide historical samples and allow for the creation of internal malware intelligence to be combined with our 3rd-party malware intelligence.

Incident Response Retainer – Remote Services (Customer responsible for on-site tasks)

To deliver this successfully, Data Consult will allocate a Team Leader to the SOC Operations team to look after the customer and provide a single point of interface between Data Consult operations and the customer. The Team Leader will have strong management experience in the SOC and will support other teams such as Consulting, Engineering, Product Development, Sales, and Presales. This role will act as a Trusted Advisor to the customer security management team and will also act as Data Consult's Customer Services Manager. As we deliver the SOC Operations we will identify, on an ongoing basis, areas for continuous improvement in the overall SOC design, build and operation, including areas for automation, process optimization, use case development, and the introduction of new services/solutions to the portfolio. This role will manage the following capabilities:
- Manage the quality of SOC operations delivery by the Data Consult SOC team.
- Manage Data Consult SOC metrics and reports and present them regularly to the customer management team.
- Recommend improvements to SOC people, processes and technologies to the customer senior management team.
- Manage training for Data Consult SOC team members, including time to take training and when to conduct the training.

Security Use Cases Engineering

Security Engineering and Use Case Management (2 use cases per month)

Use Case Engineering (Data Consult Advanced Cyber Fusion Center):
- Data Consult will provide the Customer with SIEM content planning, development and tuning. As such, the focus of this activity is on the identification and implementation of use cases via the development of rules based on Data Consult proprietary threat intelligence and understanding of the customer environment.
- Observe rule operation once implemented, and review/monitor the performance of the use case content.
- Tune content, as needed and with Customer approval, to achieve a balance that will minimize "false positives" and maximize the detection of security threats.

Continuous Improvement

D. Project Deliverables

The services to be delivered out of this project are the following:
- Augmentation of Managed Security Operations and Monitoring Services for the designated monitored environment, on an 8x5 basis, through SIEM, SOAR and other relevant security monitoring tools.
- L2 Analyst capacity for identification and analysis of events.
- Incident response capacity on an hourly retainer delivered remotely from KSA (120 hours per year).
- 2 new use cases developed per month.

The documents to be delivered out of this project are:
- Detailed Project Plan after Project Kick-off.
- Detailed Communications Plan after Project Kick-off.
- Weekly Status Report: summary of security health, ongoing activities, completed tasks, risk maps, risk identification and mitigation plan, and action items across the different application areas, delivered at intervals of not less than seven calendar days.
- Monthly Review Meeting and Status Report: tracking of any issues impacting the SLA, updates about risks and suggested enhancements, capturing agreements, disagreements and items needing escalation, delivered at monthly intervals and not less than two business days before the scheduled review meeting.
- Quarterly Review Meeting: review of overall project status, issues list, metrics reporting, supporting reasons for metrics deviation, and items that need adjustment within the SLA, delivered at quarterly intervals and not less than five business days before the scheduled review.
- SLA documents.

E. Roles and Responsibilities

General Assumptions
- Data Consult will optimize the configuration of the existing SIEM, SOAR and EDR solutions as per the scope of work in this proposal. The extent of the optimization and enablement of the existing solutions and operations will depend on the functionalities and features in the designated systems.
- The content packs (i.e., searches, reports and dashboards) for security monitoring and investigation will be implemented based on the availability of relevant data sources from the designated environment.
- Data Consult will provide the customer with 8x5 alert monitoring, triage, analysis and investigation services under this SOW via a team of remote security analysts based in our Security Operations Center in KSA.
- Data Consult is not responsible for managing and configuring the logging setup for each of the various data sources that collect logs and send them to the SIEM, but will advise the customer team on the best practices and procedures to apply the needed data source configuration.
- Throughout the engagement with the customer department, Data Consult will ensure the confidentiality and integrity of the customer's information and property.

Note: The management and administration of the data sources/devices that are, or will be, sending logs to the SIEM is not included in this service; however, the Data Consult team will advise the customer on the appropriate configuration of the data sources.

Data Consult Responsibilities:
- Data Consult will configure the local SOAR solution within the designated monitored infrastructure. The capabilities of the SOAR solution and operations will depend on the functionalities allowed by the integration with the SIEM solution.
- Data Consult will provide 8x5 Level 2 monitoring and security incident management.
- Data Consult will provide well-streamlined and mature processes and procedures for SOC operations and incident management.
- Data Consult will provide 8x5 Level 2 alerting and assistance for incident management to the customer.
- Data Consult will provide regular scheduled reports on the security operations posture, as per the scope explained in the deliverables section.
- Data Consult will create specific business use cases and implement them in the SOC offered, as per the SOW in this proposal.
- Data Consult will provide proactive and reactive inputs to the customer to ensure the best cyber security spectrum.

Customer Responsibilities:
- The customer agrees to work collaboratively with Data Consult in defining the various user groups and roles and the related incident handling and response procedures.
- The customer will inform Data Consult within three calendar days (72 hours) of any change in Point of Contact (POC) information for this service, so that the in-scope SOC monitoring services can be performed.
- The customer will identify and prioritize relevant data sources for use case development based on the importance of the assets, the associated business risks, and the operational impact of potential attacks.
- The customer team will be in charge of solution management, patching, health checks, backups, and other related security, performance and maintenance tasks on the SOC solutions after deployment.
- The customer will help Data Consult coordinate with the appropriate data source owners within the Customer organization, as needed.
- The customer will inform Data Consult of any change within the security technology and/or IT environment that is relevant to the Service.
- The customer will provide Data Consult with the required administrative interfaces for monitoring event streams and log collection activities of all in-scope components of the security technology infrastructure, if required.
- The customer will configure data source instances (i.e., firewalls, IDS/IPS devices, etc.) to collect logs and send the data to the SIEM.
- The customer will review the monthly service reports and provide Data Consult with any relevant feedback or questions pertaining to the report.
- The customer will troubleshoot data sources that are not collecting the desired events/fields within the logs that the data sources are sending to the SIEM (for example, if a firewall is not logging all desired events, the customer is responsible for editing the logging policy/configuration settings for that specific firewall).
- The customer will provide the necessary action, assistance and support in the installation and configuration of the necessary infrastructure, network components and assets to guarantee security, availability and accessibility for the SOC Monitoring team's access to the designated monitored environment infrastructure, in order to perform the in-scope services.
- The customer will provide the needed technical and human resources to achieve the desired integrations and connectivity between the existing SOC solutions and the remote SOC when enabled.
- The customer will provide the needed assistance and support means, where required, to allow Data Consult to fulfill the service requirements as per the SOW in this proposal.
- The customer should provide valid licenses for the proposed systems (SIEM, EDR, SOAR, Ticketing System, Hypervisor, OS, etc.) for the duration of the services contract, and the required infrastructure for storage and backups.
- The customer should provide a valid SIEM license for the duration of the services contract, and the required infrastructure for ticket storage.

Prerequisites
- The designated infrastructure to be monitored must have an active and functional Endpoint Detection and Response system.
- The customer should install a suitable setup for the remote connection of the Data Consult team, through a secure and monitored VPN tunnel with MFA, allowing the SOC team to reach a hypervisor for central access (such as Citrix).
- The customer must already have prepared the required hardware equipment to install the SOC systems to be provided, as per the minimum requirements provided by Data Consult.
- Stable network connectivity between the Data Consult Managed SOC, the customer and the designated infrastructure to be monitored.
- For remote incident response services, the customer should provide and deploy, with advice and guidance from Data Consult, a Velociraptor master server within the SOC infrastructure (a mid-tier server is usually required for deployment). Velociraptor is an open source solution used for forensics and incident response at scale. The master server will be connected to tenants on the client premises whenever an incident response process and forensics activities are carried out.

F. Project Schedule and Timeline

The Data Consult team has concluded from the identification of requirements that the following efforts and timeline will be needed for the execution of this project:

Milestone# | Phase Description | Duration | Month(s) of Project
1 | Project initiation and planning | 1 Month | 1st Month
2 | Network, Systems and MSS Design | | 
3 | SOC Solution Implementation, Configuration and Commissioning | 2 Months | 2nd and 3rd Month
4 | SOC Service Implementation and Transition | 1 Month | 3rd Month
5 | SOC Operation and Improvement | 12 Months | 4th to 12th Month

G. Service Level Agreements and Responsibilities

Responsibilities: Data Consult will handle all the security events generated by the customer's security controls and sent to the SIEM solution. After the triage/investigation/classification performed by Data Consult's analysts/automated systems, if required, the case will be escalated to the Customer's Point of Contact as a security incident or policy violation. Policy violation use cases will be shared by the customer according to their internal policies and procedures.

Task ownership in scope of the Incident Response function is outlined below using a RACI model:

Capability | Customer | Data Consult
Security Events Detection by Customer Security Controls | RA | IC
Security Events Detection by Data Consult Correlation Rules | RA | IC
Initial Incident Identification & Analysis | RA | IC
Initial Incident Investigation, Triage and Classification | RA | IC
Incident Notification and Escalation | RA | IC
Initial Incident Containment recommendations | RA | IC
Recurrent Incident Mitigation Strategy recommendation | I | RAC
Escalated Incident Response & Investigation | I | RAC
Escalated Incident Forensic Analysis (IR & Forensics Investigation) | I | RAC
Post Mortem Analysis (within the determined retainer period) | I | RAC

Escalation Matrix

ACFC | Detection (with the Customer L1 intervention) | Distribution (with the Customer L1 intervention) | Resolution | Mitigation
XSOAR | RA | RA | |
CDA L2 | | IC | RA |
CDA L3 | | | IC | RC

Escalation Guidelines

The process of correcting incidents requires that detection, disruption, resolution and mitigation disciplines be established and practiced at all levels of the ACFC. This process can and should be mapped to the customer's phases in their incident response plan, where applicable. A structured progression of recommended actions that directs individuals to perform the appropriate, meaningful analysis and troubleshooting actions is required. The ACFC staff must also have guidelines from the customer for referring incidents to the proper specialists when they cannot be resolved within the ACFC, while the phases of the incident resolution process evolve from left to right and from Level 1 to Level 2. When activities at one skill level have been exhausted on an incident, the incident should be escalated to the next skill level for further action.

Service Level Agreements (SLAs) within the determined working hours

Incident Priority | Incident Title | Mean Time to Detect (MTTD) | Mean Time to Investigate (MTTI) after escalation to L2 | Mean Time to Respond (MTTR)
P1 | Critical | Data Consult | 10 min | 90 min
P2 | High | Data Consult | 20 min | 90 min
P3 | Medium | Data Consult | 30 min | 120 min
P4 | Low | Data Consult | 24 hours | 48 hours

H. Minimum Hardware Requirements for SOAR Solution

We provide below the minimum requirements for the suggested SOC setup. The setup below does not include physical or virtual high availability; if high availability is required, the equipment count should be duplicated as mentioned in the last row of the table below.

I. Minimum Technical Requirements

Item Name: Master SIEM Server
Functional Aspect: 1x VM for Splunk Master ES Search Head; 1x VM for Splunk License Master; 1x VM for ESXi Hypervisor
Minimum Specifications or Equivalent:
- Computational Power: 2x 18-core CPU, 64-bit, >2.0 GHz
- Memory: 6x 32 GB RAM
- Network: 4x 10GbE Base-T RJ45
- Storage (retention 365 days): 4x 3840 GB SSD hot swap; 2x 1920 GB SSD hot swap
- RAID Controller: hardware RAID controller
- Licensing: 1x Splunk MSS License (15 GB/day, to serve the customer SOC only; any further expansion requires a license upgrade); 1x ESXi Hypervisor License (matching CPU number)
- Power Supply: hot plug dual power supply
Quantity: 1

Item Name: Master SOAR Server + Splunk Indexer
Functional Aspect: XSOAR Solution + Splunk Indexer: 1x VM for XSOAR Solution; 1x VM for Splunk Indexer; 1x VM for ESXi Hypervisor
Minimum Specifications or Equivalent:
- Computational Power: 2x 24-core CPU, 64-bit, >2.0 GHz
- Memory: 6x 32 GB RAM
- Network: 4x 10GbE Base-T RJ45
- Storage (retention 365 days): 6x 3840 GB SSD hot swap; 2x 960 GB SSD hot swap
- RAID Controller: hardware RAID controller
- Licensing: 1x Palo Alto XSOAR MSSP License (multi-tenant); 1x ESXi License (matching CPU)
- Power Supply: hot plug dual power supply
Quantity: 1

Item Name: Additional SOC Systems Server
Functional Aspect: Carbon Black EDR, Ticketing System, Syslog, vCenter Server: 1x VM for EDR Console; 1x VM for Syslog Server; 1x VM for ESXi Hypervisor; 1x VM for JIRA Ticketing System; 1x VM for vCenter
Minimum Specifications or Equivalent:
- Computational Power: 2x 24-core CPU, 64-bit, >2.0 GHz
- Memory: 8x 32 GB RAM
- Network: 4x 10GbE Base-T RJ45
- Storage (retention 180 days): 8x 3840 GB SSD hot swap
- RAID Controller: hardware RAID controller
- Licensing: Carbon Black EDR server license covering 50 endpoints; 1x JIRA On Premise License; 1x ESXi License; 1x vCenter License
- Power Supply: hot plug dual power supply
Quantity: 1

Item Name: Physical Servers Redundancy (for high availability)
Functional Aspect: Splunk, Carbon Black and XSOAR redundancy
Minimum Specifications or Equivalent:
- Computational Power: 2x 24-core CPU, 64-bit, >2.0 GHz
- Memory: 8x 32 GB RAM
- Network: 4x 10GbE Base-T RJ45
- Storage (retention 365 days): 8x 3840 GB SSD hot swap
- RAID Controller: hardware RAID controller
- Licensing: ESXi Licenses
- Power Supply: hot plug dual power supply
Quantity: 3

2. Project Management Principles

2.1 Service Description and Scope of Work

Data Consult has developed a unique approach to security and risk consulting: the "FACTS" methodology. Based on our years of consulting experience, as well as research conducted by the Harvard Business School, FACTS focuses on what consistently leads to consulting success. The FACTS method emphasizes where your security program currently stands and what improvements are possible moving forward. Data Consult concentrates on your long-term path to a more effective security posture:

Figure 1: FACTS Project Methodology

Flexible: Our projects are always diligently scoped, but at times we uncover information that suggests some shift in focus or emphasis will be most helpful to you. We will confer with you and adjust our process accordingly.

Align: Our recommendations take into account your personnel, your current capabilities, the maturity of your security program and your unique business objectives. Our job is to align our recommendations with what is possible for your organization. One-year consumable chunks of progress, in our experience, are what work. We concentrate on effective progress that is aligned to your team and organization and can be accomplished within 12 months.

Communicate: A report is not enough; communication between consultant and customer must be interactive. As far as it is practical, our consultants will meet with you at the end of every day. We want to review preliminary findings and recommendations to ensure our findings are accurate (this will be your opportunity to provide us with feedback and corrections). We can give you an evolving view of our opinions and recommendations; this way there are no surprises in the report. We also look for key issues that impede progress and discuss these in particular; that way we can break bottlenecks. Our objective is to communicate beyond report writing. By ensuring solid communication, we can focus on remediation effectiveness and on your current capabilities, obstacles to progress and true needs.

Transfer: Knowledge transfer will help expedite progress. Although this part of our methodology is optional, we encourage your team to shadow and work closely with our consultants. We will share with you our tools and techniques, how we interpret results and other tips to help you realize ongoing value. In our experience, the more you understand about security, the more improvements you will make in your security efforts.

Support: After we deliver the final report, you are likely to have follow-up questions. Problems may arise or new options may present themselves as you begin your remediation. Please contact us. Our consultants can provide support for your report-related questions even after the engagement is over, at no additional cost to you.

3. Client Engagement Process

Data Consult consulting leadership will discuss the project at a high level with your organization. We will review the contract and clarify requirements and expectations. We will match a consultant or team of consultants to you, based on qualifications, timing requirements and personality. We will establish secure communication channels and provide contact information and associated notification processes.

Data Consult's consulting engagement is unique. The following diagram illustrates our typical engagement process, followed by detailed descriptions:

Figure 2 Our Client Engagement Approach in Consulting

A. Phase 1: Coordinate/Plan/Prepare

A Data Consult security consultant or project lead will contact you before your project commences. This ensures that we address any additional questions or concerns you may have, determine whether the schedule is still appropriate, facilitate document or knowledge transfer, and confirm that your project can proceed as planned. At this time, key stakeholders are identified, appropriate meetings are tentatively scheduled, and any travel plans are confirmed.

B. Phase 2: Kick-off Meeting

All consulting engagements begin with a project kick-off meeting. Key personnel and teams are introduced. A primary focus of the meeting is to gain alignment and agreement between both sides on the direction and goals of the engagement. This allows Data Consult security consultants to discuss your expectations and inputs and to address any pre-engagement questions. During this meeting, we will address:

- Stated goals of the project
- Project scope, methodology and rules of engagement
- Escalation procedures on each side
- Expectations for timeline, scheduling, coordination needs, milestones and deliverables
- Areas of special focus or interest
- Information specific to your organization or industry
- Clarification of or changes in scope or needs
- Document exchange
- Personnel and team roles and responsibilities
- Organizational risk and security practices, tolerances and requirements

C. Phase 3: Project Delivery

Data Consult consultants gather and analyse data in order to draw conclusions about the security of your environment and any risks to your organization. We will work closely with your team and give you regular updates on our progress. We encourage you to shadow our consultants to facilitate knowledge transfer. This approach makes customers more comfortable with the results, removing potential surprises at the end of the engagement as well as improving your ability to interpret and act upon the findings. If we find a critical issue, we will notify you immediately.

D. Phase 4: Results

We will review with you the scope and requirements, methods and activities, and our findings and recommendations. This information will be presented formally in a draft report, and upon concurrence and resolution of any comments, we will prepare and distribute a final report.

E. Phase 5: On-going Support

We view our relationship as on-going and want to ensure you get the most out of our engagement. We are available for advice on what actions to take, questions about a particular product or vendor, or time with a security professional. Please contact your Data Consult account representative for more information and support options.

F. Managed SOC Services Period

After the implementation and commissioning of the required infrastructure for the Managed SOC services, we provide high-quality delivery of SOC monitoring, forensics investigations and IR retainer, SIEM engineering and other services as defined in the scope of work of the proposal.

G. Continuous Quality Assurance

As a part of our commitment to delivering the highest level of service, Data Consult has established formal processes for managing quality through survey metrics, lessons learned, feedback and escalation processes, and deliverable reviews. This provides us with a continual stream of feedback regarding our project management, methodologies and customer handling procedures. In addition, all Data Consult deliverables are reviewed for style, content and grammar before delivery. Our consultants are evaluated on customer satisfaction, and part of their compensation is tied to it. Customers have an opportunity to voice satisfaction and suggestions through a survey sent at the completion of an engagement. We review every survey and incorporate the feedback into our process to further improve our consulting efforts.

Data Consult has a formal, documented process for feedback and escalation before, during and after an engagement. Customers are encouraged to contact us with comments, questions or concerns about process, timelines, deliverables, scope or other topics.

H. Account Management

Account management refers to your relationship with your sales representative and the process around your interactions with them. Your Account Manager is your single point of contact for billing, agreements or sales questions that may arise. However, for any issues with service or delivery, we encourage you to use our consulting feedback and escalation process. Your Data Consult Account Manager will be in touch with you after the engagement has been completed and all deliverables provided. He or she will follow up with you to discuss any additional services we may be able to provide, either because of findings and recommendations, or simply as a matter of securing your organization. The information we have learned about you is a vital part of determining the scope of your environment for these future projects and allows us to tailor future engagements better to you. In addition, any follow-up work is much more cost effective since there is a far less steep learning curve in getting to know your organization.

4. Bill of Quantities

A. The proposed Bill of Quantities for the Customer is as per the below:

Item No. | Service | Scoping
1 | SOC Implementation Package | 40 Man Days (One Off)
2 | L2 CDA SOC Services 8x5 Basis | 2 Full Time Employees
3 | L3 SOC Services | 1 Full Time Employee
4 | Incident Response & Forensics Investigations (retainer hours) | 120 hours per year
5 | Security Engineering and Use Case Management | 2 Use Cases per quarter; 5 Customized Reports per month
6 | MSSP License for Splunk Enterprise + Enterprise Security License | 15 GB/Day (just covering SOC environment)
7 | Palo Alto XSOAR MSSP Multi Tenant License | 1
8 | Carbon Black EDR License | 50 Agents (1 server)
9 | JIRA Ticketing System (customer facing Ticketing System) | 1x On Premises License (Users covering SOC count)
10 | ESXi License + vCenter License | As described in Minimum Requirements Section
11 | Optional L1 On Call Services (Outside 8x5) | To be provided by Data Consult

5. Pricing

A. The proposed Bill of Quantities for the Customer is as per the below:

No. | Item | Service assumptions / Scoping | Yearly Pricing in USD
1 | SOC Implementation Package | 40 Man-Days (One Off) | 44,000
2 | L2 CDA SOC Services 8x5 Basis | 2 Full Time Employees | 430,000
3 | L3 SOC Services | 1 Full Time Employee | 298,000
4 | Incident Response & Forensics Investigations (retainer hours) | 120 hours per year | 24,600
5 | Security Engineering and Use Case Management | 2 Use Cases per quarter; 5 Customized Reports per month | 15,896
6 | MSSP License for Splunk Enterprise + Enterprise Security License | 15 GB/Day, just covering SOC environment | 110,000
7 | Palo Alto XSOAR MSSP Multi Tenant License | 1 | 83,000
8 | Carbon Black EDR License | 50 Agents (1 server) | 1,500
9 | JIRA Ticketing System | 1x On Premises License (Users covering SOC count) |
10 | ESXi License + vCenter License | As described in Minimum Requirements Section |
11 | Optional L1 On-Call Services (Outside 8x5) | To be provided by Customer |

Payment Terms

- All prices are in USD
- Prices exclude VAT or any additional taxes
- The proposed fees are valid for 60 days

Payment Plan

- Technology: payment upfront upon contract signature
- Services: monthly payments that start from contract signature, for a 12-month duration

6. Document Approval

Version: 1.0
Date: 2022 8 21

The undersigned has reviewed and agreed the information contained in this action plan document.

Name:
Title:
Company:
Signature:
Date:

Name:
Title:
Company:
Signature:
Date:

Name:
Title:
Company:
Signature:
Date:
