Federal Aviation Administration Department of Management Services
Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services
Use or disclosure of data contained on this sheet is subject to the restriction on the title page of this proposal. 09/03/2015
Table of Contents
1 INTRODUCTION ........ 1
2 BACKGROUND ........ 1
3 CONTACT INFORMATION ........ 1
4 RESPONSE ........ 2
4.1 PRE-INCIDENT SERVICES
4.2 POST-INCIDENT SERVICES
Volume 1 - Page 1 Use or disclosure of data contained on this sheet is subject to the restriction on the title page of this proposal. 02/18/2014
1 Introduction
Atlantic Systems Group, Inc. (ASG), is a Service-Disabled Veteran-Owned
Small Business (SDVOSB) entity headquartered in Rockledge, Florida, with
satellite offices in Washington, DC. ASG is a premier information security
solutions provider in North America, dedicated to serving clients in the
Federal government, defense, telecommunications, and healthcare industries. ASG is a leader in
offering end-to-end information security solutions by building and managing security programs,
including Strategic Consulting Services, where we assist customers in meeting security
compliance requirements, from “hands-on” Execution or Deployment Services, including Design
and Engineering and Security Assessment; to Operational Services such as Support and Training.
Our core competencies include: Security Engineering Services, Security Risk Assessments,
Vulnerability Assessments, Penetration Testing, and Information Assurance.
Our security engineers and information assurance consultants are dedicated to assisting our
clients in managing and mitigating their information security risks through the implementation of
best practices and carefully tested security technologies, while ensuring compliance to Federal
regulations and mandates.
2 Background
Incident response is a key component of an enterprise business continuity and resilience
program. The increasing number and diversity of information security threats can disrupt
enterprise business activities and damage enterprise information assets. A sound risk
management program can help reduce the number of incidents, but there are some incidents that
can neither be anticipated nor avoided. Therefore, the enterprise needs to have an incident
response capability to detect incidents quickly, contain them, mitigate impact, and restore and
reconstitute services in a trusted manner. The ASG Team will monitor systems and procedures.
If/when an information security event occurs, ASG personnel will assist the Computer Incident
Response Team (CIRT) in its mitigation and in the determination of an appropriate level of
security commensurate with the impact level of the event, develop and implement processes with
procedures for reporting, tracking, and resolving computer security incidents, and ensure
availability of staff to support 24x7 execution of security incident management as incidents are
reported.
3 Contact Information
Company Name: Atlantic Systems Group Inc.
Company Address: Atlantic Systems Group Inc. (SDVOSB), 4195 US HWY 1 STE 102, Rockledge, FL 32955
Company Representative: Earnest Neal (cell: 301-502-3687; fax: 321-821-0409)
Sources Sought Reference Number: RFQ1021822
Sources Sought Issue Date: August 14, 2015
Sources Sought Close Date: August 31, 2015
NAICS Code: 541511, 541512, 541519, 611420
DUNS Number: 171384113
Cage Code: 33XY0
Point of Contact for Submission: Earnest Neal, COO
Sources Sought Response Prepared by: Atlantic Systems Group Inc.
Contract Vehicles: GSA IT 70 GS-35F-326CA
4 RESPONSE
Our ASG ISSP Expertise Center staff is comprised of senior security professionals who have the
capabilities to protect the State of Florida (SoF) enterprise from cyber threats by providing
constant vigilance over security infrastructure and critical information assets. Our personnel have
the in-depth knowledge needed to identify and thwart malicious activity based on security log
review and monitoring activities, while balancing numerous ongoing operational and strategic
security tasks. We will develop and implement scalable processes to assist the SoF Network
Security Operations Center (SoF-NSOC) with implementing advanced analysis technologies that
effectively detect and respond to threats.
The ASG Team currently delivers proven and experienced network security and monitoring
support services to include real-time monitoring, correlation, and expert analysis of security
activity across the SoF enterprise 24 hours/day, 7 days/week, 365 days/year. Our enterprise
security operations center support services team has improved the effectiveness of the SoF
security infrastructure by actively analyzing the logs and alerts from network security and
enterprise operations devices in real time, 24x7x365. The ASG Team has detailed the NSOC
coverage in section 4.10.1. Our Security Monitoring service simplifies security and compliance
reporting to streamline audits. The ASG Team approach to managing and controlling the NSOC
is illustrated in Figure 1 below.
Figure 1. The Proposed ASG Team Approach to Provide NSOC Support
Objectives of the ISSP Security Operations and Security Incident Handling
To support the NSOC/Computer Security Incident Response Capability (CSIRC), our approach
and our ISSP Expertise Center teams have been developed based on the functional areas detailed
in the SOW. These teams (Network Security and Monitoring Support Team, Incident Response
(IR) Analysis Team, IR Analysis Management, Intrusion Detection Team and Sensor
Management Team, and Vulnerability Assessment Team) will conduct the vital functions in each
designated area, as well as inform our approach to providing Network Defense Center
Documentation Support.
1. Network Security and Monitoring Support – Infrastructure monitoring support services will
be provided on a routine basis and serve as a proactive measure against potential malicious
attacks that may normally go undetected. These scans will be performed by seasoned Red
Teaming security engineers on at least a bi-weekly basis, but if necessary on an additional as-
needed basis. This service covers the SoF network devices, as well as all of the computers
connected to the SoF network. The normal expectation of this service is to have a high number of
potential security vulnerabilities, security risks, and incidents discovered in the beginning stages,
as many false positive findings are discovered, analyzed, and recorded as such. As we work with
our SoF-counterparts to properly tune security devices, the total volume of vulnerabilities and
false positives will decrease.
2. IR Analysis Support – The SoF-NSOC ISSP Expertise Center staff possesses broad and deep
technical capabilities to monitor, analyze, and report security incidents. The ASG Team
possesses experience identifying and implementing standard industry incident analysis tools,
including EnCase Enterprise, AccessData Forensic Toolkit, Paraben Forensic Suite, the
Sysinternals Suite, and Registry Viewer. Based on our identified indicators, we will analyze key
registry and file system artifacts during the host-based analysis that will produce additional
indicators and detail adversarial tactics, techniques, and procedures. The ASG Team can also
provide event timeline reconstruction and identify vectors of compromise, along with
supplemental incident analysis reporting.
3. IR Analysis Management Support – The IR Analysis Management Team will clearly
establish and enforce all policies and procedures. Our SoF-NSOC ISSP Expertise Center staff
will actively review all vulnerability information and data feeds, conduct trend or gap analysis on
those feeds, and then prioritize the identified threats and vulnerabilities. To more effectively
manage security incidents, we also plan on utilizing the ISSP’s existing change management
procedures to ensure SoF security devices, such as firewalls and authentication systems, are
properly configured. Additionally, our security personnel will develop and maintain policies and
procedures by thoroughly testing to ensure that they are practical and clearly provide the
appropriate level of security. The ASG Team will work with SoF to gain support for security
policies and incident handling and respond to events immediately.
4. Intrusion Detection and Prevention Support – The ASG Team’s approach to detection and
prevention incorporates the identification of events through proactive monitoring of indicators
from sources such as network monitors, intrusion detection systems, and cyber threat intelligence watch lists.
The incident management program identifies any notable activity that might suggest malicious
behavior, or that indicates risks and threats to the enterprise infrastructure, by examining the data feeds
from US-CERT portals and vendor security portals (e.g., Microsoft Security Response Center,
Cisco Intelligence Center, etc.). The Intrusion Detection and Prevention Support team consists of
highly trained staff with practical expertise in conducting Security Information and Event Management
(SIEM) event correlation analysis and generating network security tool reports. Underpinning
our approach is our focus on extending network monitoring capabilities, under prescribed service
levels, by integrating security components such as firewalls, intrusion prevention systems, system
access controls, Host-based Intrusion Prevention Systems (HIPS), and Network Intrusion
Prevention Systems (NIPS).
5. Sensor Management Support – Sensor Management support and maintenance services will
be provided by both the 24x7x365 around-the-clock personnel of the Sensor Management
Support Team and additional normal-business-hour security engineers. This service is founded
on establishing a baseline of regular and frequent scanning, and provides short-, mid-, and
long-term assistance with the maintenance of SoF-NSOC security devices. Short-term support
includes 24-hour response to change requests arising from US-CERT vulnerability alerts and
Sourcefire Vulnerability Research Team advisories, as well as from potential vulnerabilities and security issues
discovered by ISSP scheduled bi-weekly vulnerability scans. Mid- to long-term support includes
scheduled SoF-NSOC security device upgrades and new installs.
6. Vulnerability Assessment Support – Vulnerability Management (VM) will be carried out by
the Vulnerability Assessment Team (VAT), which is comprised of senior analysts within the
ASG ISSP Expertise Center. In accordance with NIST SP 800-40 v2, the VAT will utilize
established guidelines and processes to effectively identify and mitigate existing vulnerabilities
in the SoF environment. This team will be a formal subset of the Security Operations Center
within SoF.
The solutions provided by our ISSP Expertise Center will be customized to meet SoF’s
individual requirements, ensuring accurate network defense center documentation, compliance
with security policy, and alignment with defined performance metrics. The ASG Team approach
will help to improve network uptime and performance and tighten network security controls at
SoF. As a result, security incidents will be effectively managed while protection, detection, and
IR capabilities will work as an integrated whole.
4.1.1.1 Scope
4.1.1.1.1 Network Security and Monitoring Support (NSMS)
Our ISSP Expertise Center staff will provide 24x7x365 vigilance over the SoF organization’s
security activity. The ISSP will use their expertise to tune SoF’s SIEM tool so that relevant
security events are differentiated by utilizing behavioral analytics and correlation. This will
reduce false positives and false negatives by creating rules that are not limited to just the
specific security event, but also cover the activity that is usually associated with an actual threat,
infection, or attack. This will be accomplished by associating events across all security and
network devices into single or multiple incidents. Our ISSP Expertise Center personnel will
analyze event data received from network security tools to eliminate false positives and serve as
technical experts and liaisons to external incident response personnel. Identified security
incidents will be carefully analyzed by our team of security experts to detect and validate any
signs of malicious activity.
The ASG Team’s personnel will coordinate with NSOC, Field Operations, and other SoF
Components to resolve security incidents within the enterprise to remediate security events,
determine the root cause, and to consult on the mitigation of potential future events/incidents as
well as to recommend refinements to event correlation rules for implementation on the SIEM.
The ASG Team’s security experts perform extensive research and search global security
intelligence sites and forums. They will use this knowledge to ensure that emerging threats and
advanced attack methodologies are identified, to further enhance the customer’s SIEM analysis
and device signature content to thwart attacks before damage is done. The ASG Team’s security
experts also identify signs of potential insider threats, such as unauthorized access or policy
compliance issues.
The ASG Team’s knowledge of the SoF’s IT security controls is unmatched by any other
contractor, as the ASG Team has performed hundreds of security control assessments across all
the control families in the NIST SP 800-53 series at . With this real world experience, the ASG
Team’s ISSP Expertise Center personnel not only understand what NIST special publications are
trying to convey, but how these controls are deployed at . The security experts will also use their
extensive knowledge when reviewing SoF’s current network security posture and when any
change requests are submitted to prevent any unnecessary risk or exposure to SoF’s network.
The ASG Team will also ensure all processes and procedures around change management will
meet SoF’s needs to ensure unnecessary operational outages are avoided.
To ensure the highest level of customer service and continual uptime for SLA bearing
infrastructure, the ISSP Expertise Center will implement a process for change control and
maintenance window management that aligns with SoF change management policies. This
process will ensure that all access and work activity performed on NSOC production systems
occurs in a scheduled, documented, and controlled environment. In addition, these procedures
enable NSOC to fulfill the requirements of external process and procedural audits pursuant to
maintaining best practice certifications.
Access to production devices for maintenance must receive prior authorization by the NSOC
Change Control Board, will be documented fully, and must occur during one of the NSOC
standard maintenance windows.
Informational changes must be documented for all changes to NSOC. This includes, but is not
limited to, upgrading patches and service packs, changing IP addresses, making interface
changes, adding scripts, renaming devices, performing database updates, and updating
signatures.
An emergency change control can be performed outside of standard maintenance windows
providing that the NSOC Change Control Board authorizes the change and the proposed
provisional maintenance window. Emergency Change Control Board requests should be
presented to SoF.
Change controls for SoF devices can be performed outside of standard maintenance windows
providing that the change control has been authorized by the SoF Change Control Board, and
SoF has agreed to the provisional maintenance window.
Maintenance Window Objectives:
Facilitate preparation, planning, and scheduling of changes
Establish an approval process for all changes
Provide timely communication of planned changes to NSOC customers (internal and external)
Provide a central repository for tracking changes to improve service quality to customers and document changes for auditing purposes
The ASG Team’s ISSP Expertise Center takes a practical approach to security solutions,
focusing on operational needs, associated risks, and potential cost to devise an optimal strategy
that offers the best value with an acceptable level of risk. We will follow a focused process from
assessment, mitigation, test, and certification through ongoing maintenance and support as part
of our managed security capability to ensure continued secure operations in the face of newly
identified risks. The ASG Team’s personnel will support SoF in designing, building, certifying,
and operating IT security infrastructures and networks, including but not limited to:
Firewalls
Network and host intrusion detection systems
Remote access systems
Virtual Private Networks (VPNs)
Antivirus systems
Compliance and patching activities
URL Filtering/SPAM Blocking
Cryptographic Systems
Multi-factor identification/credential management, including: tokens, biometrics, and Public Key Infrastructure
Multi-security level systems
Our personnel also understand the policies that support the Incident Response Plan (IRP) and
define the plan’s authority and scope to establish specific requirements for incident response or
incident response planning in Federal information systems. Some of the Federal laws, regulatory
guidance, and directives that drive the information security programs including the development
of an IRP are listed below:
Federal Information Security Management Act (FISMA) of 2002
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Computer Fraud and Abuse Act of 1986, as amended
OMB Circular No. A-130, Appendix III, “Security of Federal Automated Information Systems”
Federal Information Processing Standard (FIPS) 199, “Standards for Security Categorization of Federal Information and Information Systems,” February 2004
NIST SP 800-18 Rev 1 – Guide for Developing Security Plans for Federal Information Systems, February 2006
NIST SP 800-37 – Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004
NIST SP 800-53 Rev 3 – Recommended Security Controls for Federal Information Systems, August 2009
NIST SP 800-61 – Computer Security Incident Handling Guide, January 2004
3500 Cyber-Security Manual Series
3505 Computer Incident Response
3515 Privacy Requirements
3540 Risk Management Program
3555 Certification and Accreditation
3570 IT Contingency and Disaster Planning
3575 Security Controls
3520 Configuration Management
3545 Personnel Security
3550 IT Systems
Our approach detailed in the following sections will incorporate the elements included within the
NIST SP 800-53 series and in particular for the IR control family shown in Figure 2.
Control #   Description of Control
IR-1        Incident Response Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
IR-2        Incident Response Training: The organization trains personnel in their incident response roles and responsibilities with respect to the information system and provides refresher training at least annually.
IR-2 (1)    Incident Response Training: The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.
IR-3        Incident Response Testing and Exercises: The organization tests and/or exercises the incident response capability for the information system at least annually, using Incident Response Tests identified in the System Security Plan, to determine the incident response effectiveness and documents the results.
IR-3 (1)    Incident Response Testing and Exercises: The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.
IR-4        Incident Handling: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
IR-4 (1)    Incident Handling: The organization employs automated mechanisms to support the incident handling process.
IR-5        Incident Monitoring: The organization tracks and documents information system security incidents on an ongoing basis.
IR-5 (1)    Incident Monitoring: The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
IR-6        Incident Reporting: The organization promptly reports incident information to appropriate authorities.
IR-6 (1)    Incident Reporting: The organization employs automated mechanisms to assist in the reporting of security incidents.
IR-7        Incident Response Assistance: The organization provides an incident support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability.
IR-7 (1)    Incident Response Assistance: The organization employs automated mechanisms to increase the availability of incident response-related information and support.
Figure 2. NIST SP 800-53 – Recommended Security Controls for Federal Information Systems – Control Family Incident Response (IR).
ISSP Expertise Center’s proven approach for monitoring, analysis, and reporting offers SoF
NSOC Office of Information Technology (OIT)/Office of Information Security (OIS) a low-risk
solution for both transition and steady-state ISSP operations. The ASG Team has extensive,
relevant experience in monitoring, analysis, and reporting.
The ASG Team’s personnel will employ our proven ITILv3-based services model, tailored to the
ISSP environment, to not only meet or exceed the ISSP incident response analysis support
requirements, but to enable Continuous Service Improvement (CSI) over time. The ASG Team
will leverage existing SOPs, and refine them if necessary, to ensure rapid problem resolution,
coordination, and escalation to keep all users on-line and productive. The ASG Team’s highly
integrated Incident, Problem, and Release Management methods not only resolve today’s
problems effectively; they also address tomorrow’s challenges associated with technology
refresh cycles, including cloud and virtualization technologies for reduced system footprints and
increased performance. The benefit of our solution to ISSP/IAD is threefold: (1) our high-
performance team and proven services framework maximize the efficiency and effectiveness of
the monitoring tools in use, enhancing system availability and end-user satisfaction even during
times of constrained funding that may preclude system enhancements, (2) our deliberate IT
investment and planning capabilities maximize the Return-On-Investment (ROI) of diminishing
IT dollars for monitoring tools, and (3) our team is proactive in preventing problems.
4.1.1.1.2 Incident Response Analysis Support
The ISSP Expertise Center staff understands that effective incident response is critical to
restoring normal operations to our customers as rapidly as possible, preventing the unintentional
disclosure of personal and sensitive information, and maintaining 99.9% reliability. Our incident
management model described above provides cradle-to-grave incident management from
preparation planning and prevention of incident occurrence to monitoring support where we
detect incidents. The ISSP Expertise Center then invokes a rapid and disciplined response where
we successfully contain, eradicate, and recover from the incident to thorough analysis and
reporting that advance planning and continuously improve prevention of future incidents.
Our personnel are experienced in dealing with multiple types of security incidents to include
breaches of confidentiality, compromised integrity, disrupted availability, repudiation,
harassment attempts, extortion attempts, pornography trafficking, computer misuse that involves
organized crime, subversion, and hoaxes. The ASG Team ISSP Expertise Center will utilize our
experience and knowledge to provide enhanced analytical reporting capabilities that will ensure
SoF’s security posture meets or exceeds all legal and regulatory compliance requirements. Our
ISSP Expertise Center will ensure all processes and procedures around incident response are
well-documented and followed. Our incident response team will use a variety of methodical
approaches to monitor, analyze, and report anomalies and security incidents to ensure SoF’s
confidentiality, integrity, availability, and policies are not violated. This will be done using
techniques such as pattern matching, protocol decoding, simple logic, and behavioral analysis to
correlate anomalies and security events into incidents of varying risk levels. The incident
response team will then utilize any information gained from all security incidents to further
enhance SoF’s security posture with cooperation and approval of their management team through
change activities on their security device policies or signatures.
Figure 3 illustrates the high-level phases of a Critical Incident Response Plan (CIRP) that relate
directly to the elements requested in the PWS for:
Monitoring – Preparing for an event
Analyzing – Responding to an event
Reporting – Throughout the process followed by a formal Post-incident Response
Figure 3. The ISSP Experience Center will prepare and respond to security breaches
A representation of our Incident Response Analysis Support process is highlighted as shown in
Figure 4.
Figure 4. Incident Reporting and Analysis continuously processes and refines inputs to
capture incidents successfully
Overall monitoring will be conducted by collecting log information from HIPS/NIPS, firewalls,
proxies, antivirus tools, and server audit trails. Our tuning of software, sensors,
and devices will be done in accordance with SOPs and standard processes to ensure optimal
performance. The ASG Expertise Center will utilize these tools to analyze the wide
variety and enormous volume of data, reducing the raw events so that the high-priority
incidents to be contained and eradicated are recognized, and also to prepare and categorize the
reporting and maintain ISSP databases.
4.1.1.1.3 Monitoring Support
Our Understanding.
Monitoring support requires collecting a multitude of information and maintaining that
information in a structured and organized way in order to be able to analyze associated threats
for patterns and trends. We recognize that enterprise monitoring must be collaborative between
SoF elements that also report vulnerabilities, potential attack vectors, technical vulnerabilities
that could be exploited, events, incidents, and outages. Network monitoring effectiveness is a
direct function of:
How well the monitoring tools are configured for detection and alerts
The degree of event correlation provided by the monitoring tools
Whether or not the system is properly configured with all “high risk” security patches
Whether or not intrusion detection systems and firewalls are configured properly
How well log files are analyzed and archived
The capabilities of system/network administrators to proactively anticipate performance degradation and resolve performance issues through load balancing and capacity management
The ASG Team’s ISSP Expertise Center is committed to ensuring that all of these factors are
properly implemented and functioning effectively. We also understand the importance of
monitoring all configuration changes for network security devices, tracking security related
issues by monitoring tickets and working with the SoF Information Security Offices (ISOs), and
inspecting and identifying network traffic for possible anomalous network activity. The ASG
Team’s ISSP Expertise Center is poised to respond to these requirements.
Our Approach.
The ASG Team’s number one focus for the monitoring task is to ensure that systems and
network monitoring tools are configured at the proper thresholds for detection, alerts, event
correlation, and automated ticket generation. The benefit of this approach is that the average
problem resolution cycle time is reduced, thereby increasing system availability for SoF users. In
addition, we will maintain the security posture of the network, protecting SoF’s vital data from
compromise. The ASG Team ISSP Expertise Center will be proactively focused on CSI and
optimization in order to provide more effective incident monitoring. Optimization and
improvement simplify ISSP responsibilities and stabilize the environment, and improved ISSP
capabilities free engineering support resources to continue work on other important projects. We will
coordinate input of all activity reports and metrics for streamlined analysis of trends and issues,
and identify corresponding corrective or preventive actions to update monitoring activities. This
will permit our monitoring team to become “more proactive and less reactive.”
Our security personnel will monitor events using the SoF toolset. The ISSP Expertise Center will
select the tools to be deployed based on a combination of existing tools, evaluations of tool
improvements, and Federal guidelines. We will use integrated system and network
monitoring tools whenever possible. Where there are gaps in the automated tool set, we will
recommend suitable replacements, drawing upon our resources from our IS-COE and from
similar support projects. We will analyze monitoring goals and track them against objectives and
report them to SoF on a regular basis. Monitoring metrics will be analyzed for thoroughness,
compliance, and for system performance impacts.
Every security appliance, business-critical system, noncritical server, and endpoint in the SoF
organization generates extensive logs daily. Our personnel will continuously analyze the raw logs,
correlating them and filtering out false positives in order to identify
real security events of concern. The ISSP Expertise Center provides dedicated, skilled resources
around the clock to review and interpret all the logs and alerts in all the different formats
generated in the SoF infrastructure.
Our personnel will administer the servers hosting security software, which are primarily Windows
servers. While the current security suite provides alerting, SIEM, and vulnerability identification,
additional information is supplied by users and others who identify anomalous
activity.
Our ISSP Expertise Center provides a security staff with experience using these tools and most
other commercial tools. As the overall Security Knowledge Management database improves over
time, our senior personnel will provide well-timed recommendations to refine event correlation
rules as needed within the SIEM. Each of the administrators is trained on the appropriate tools
and receives a skill check before they conduct administrative activities. The team will work with
network management staff to ensure that alerts from sensors arrive at consoles in a timely
manner.
The ISSP Expertise Center will achieve CSI through optimization, greater stability, improved
performance, and enhanced capabilities. We facilitate the achievement of these goals by
proactively identifying monitoring service requirements along with performance gaps, trends,
and opportunities for enhancement. We will work with SoF to prepare project requirements and
prioritize these improvement initiatives to develop actionable plans with realistic delivery
milestones and associated performance metrics.
Our ISSP Expertise Center staff will host and maintain the management servers
for HIPS that collect information from the environment and consolidate the server input in a
preconfigured and automated manner. This data, along with the vulnerability management
service, will be combined, analyzed, and reported by the ISSP Expertise Center, outlining the
health and wellness of SoF networks and clearly displaying that a risk to one SoF element is a
risk to all SoF elements.
Over the last seven years, the ASG Team has worked with many Federal and DoD organizations
across a wide-range of different mission applications. During this time, we have learned a great
deal about what organizations need from network monitoring and recording solutions to ensure
their networks remain secure, reliable, and compliant by collecting the right data with the correct
tools and filtering. We will apply these lessons-learned to the SoF enterprise.
Our security personnel assigned to the ISSP Expertise Center will provide a full breadth of
monitoring services to help SoF comply with regulations and standards. We will also accomplish
this by monitoring various US-CERT threat portals and other credible sources for cyber threat
information and continuously monitoring availability, network management systems,
configuration changes, logs, and network traffic for the entire SoF enterprise. By maintaining
this valuable information in a collected, organized way, we can provide the best monitoring
support to SoF for informed decision making, and share that information with ISSP elements to
strengthen awareness of threats to local, national, and global operations.
The ASG ISSP Expertise Center realizes the importance of total security management and of
staying ahead of threats, both internal and external. Armed with this knowledge, our personnel will
conduct penetration and wireless access testing in accordance with well-defined rules of
engagement (ROE) coordinated with the ISSPM. The ISSP Expertise Center has vast experience
in coordinating with internal as well as external entities to ensure a hardened security
posture.
Our Proven Capabilities.
The ASG Team ISSP Expertise Center’s monitoring expertise is vast. Our team also has
extensive knowledge and experience both internally and externally to SoF on automated tools
and reporting capabilities from HIPS and NIPS, to analyzing sensor data feeds, discovery
through scanning for vulnerabilities across ports and protocols, managing those vulnerabilities,
and coordinating the gaps that may exist between them. Identifying brown-out activity from
within SoF and receiving both automated and manual data feeds from across SoF elements
allows the ISSP team to better understand and provide additional CSI to the ISSP and help to
minimize overall risk to the mission that occurs across the shared SoF environment.
4.1.1.1.4 Analysis Support
Our Understanding.
Network analysis support is heavily dependent on two primary factors: the technical expertise of
the network support team and a disciplined, yet expedient, approach for root cause analysis and
fix determinations. We must be able to filter and triage appropriately to determine scope,
urgency, and potential operational impact by identifying the specific vulnerability and making
recommendations, escalating as appropriate, and eliminating false positives. Figure 4 in the
previous section also indicates the need for analysis and correlation of all inputs with
comparisons to emerging patterns, suspicious ports, and protocols, as well as our internally
developed Knowledge Management (KM) database.
All the tools and logs are meaningless without a well-developed security team with standardized
processes to wade through the large volume of events collected, triggered, and logged during
an average day at SoF. Using our KM database and SOPs, the ASG Team ISSP Expertise
Center's approach and proven capabilities will allow us to sift through this large
amount of data.
Our security experts are aware of the SoF investment in a variety of technologies, such as
network firewalls, IPS/IDS, VPNs, network management, routers, and switches to detect events.
Every security appliance, business-critical system, noncritical server, and endpoint in the SoF
organization generates extensive logs daily. The ASG Team ISSP Expertise Center will apply
automated scripts to filter out false positives and reduce false negatives in order to identify real
security events of concern and accelerate the overall process. We will provide dedicated, skilled
resources around the clock to review and interpret all the logs and alerts in all the different
formats generated in the SoF infrastructure and distill them into a single format.
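The following is an added illustration of the normalization and filtering step described above; it is not part of ASG's proposal or of the SoF toolset. Three constructed log lines in different formats (a syslog firewall deny, a JSON IDS alert, and a key=value Windows logon failure) are mapped onto one event schema, and deny/IDS events attributable to an authorized vulnerability scanner are suppressed before an analyst sees them. The field names, regular expressions, severity mapping and scanner allow-list are all assumptions made for the example.

```python
"""Normalize heterogeneous security logs into one event schema and suppress
known-benign noise before an analyst sees it.

Added example; not ASG's or SoF's code. The log lines, field names,
severity mapping and scanner allow-list are constructed assumptions.
"""
import json
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed sample input: a syslog-style firewall deny, a JSON IDS alert,
# and a Windows-style key=value logon failure (Event ID 4625).
SAMPLE_LOGS = [
    "2015-09-03T14:02:11Z fw01 kernel: DENY TCP 203.0.113.7:51234 -> 10.1.2.3:445",
    '{"ts": "2015-09-03T14:02:15Z", "sensor": "nips02", "sig": "Port scan", '
    '"src": "203.0.113.7", "dst": "10.1.2.3", "severity": 2}',
    "2015-09-03T14:02:20Z host=dc01 EventID=4625 user=jsmith src=10.1.5.9 status=failure",
]

# Constructed allow-list: the authorized vulnerability scanner. Its probes are
# expected and would otherwise account for most of the day's deny/IDS alerts.
AUTHORIZED_SCANNERS = {"203.0.113.7"}


@dataclass
class Event:
    ts: str
    source: str            # device or host that produced the record
    kind: str              # dotted category, e.g. "firewall.deny", "auth.failure"
    src_ip: Optional[str]
    dst_ip: Optional[str]
    detail: str
    severity: int          # 1 (low) .. 5 (critical), same scale for every source


FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>DENY|ALLOW) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[Event]:
    """Map one raw line onto the common schema; None if the format is unknown."""
    m = FW_RE.match(line)
    if m:
        return Event(m["ts"], m["host"], "firewall." + m["action"].lower(),
                     m["src"], m["dst"], f"{m['proto']} to port {m['port']}", 1)
    if line.startswith("{"):
        d = json.loads(line)
        # Assumed vendor convention: 1 = highest. Invert onto the 1..5 scale.
        return Event(d["ts"], d["sensor"], "ids.alert", d["src"], d["dst"],
                     d["sig"], 6 - int(d["severity"]))
    if " EventID=" in line:
        ts, _, rest = line.partition(" ")
        kv = dict(KV_RE.findall(rest))
        kind = "auth.failure" if kv.get("EventID") == "4625" else "auth.other"
        return Event(ts, kv.get("host", "unknown"), kind, kv.get("src"), None,
                     f"user={kv.get('user')}", 2)
    return None


def normalize(lines: List[str]) -> List[Event]:
    """Parse every line we understand; unknown formats are dropped, not guessed at."""
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def suppress_known_benign(events: List[Event]) -> List[Event]:
    """Remove deny/IDS events caused by the authorized scanner. Authentication
    events are never suppressed this way: a scanner has no business logging in."""
    return [e for e in events
            if not (e.src_ip in AUTHORIZED_SCANNERS
                    and e.kind in {"firewall.deny", "ids.alert"})]


if __name__ == "__main__":
    for e in suppress_known_benign(normalize(SAMPLE_LOGS)):
        print(json.dumps(asdict(e)))
```

Unknown formats are dropped rather than guessed at, so a new log source shows up as a parser gap to be fixed instead of as silently mis-scored events; and the suppression is keyed on both source address and event kind, so an allow-listed scanner address appearing in an authentication failure is still surfaced.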
The ISSP Expertise Center will validate security or privacy events as incidents and assign
severity levels. We will provide incident handling support (i.e., intrusion correlation tracking,
threat analysis) to on-site personnel.
Our Approach.
To support SoF with the most rapid analysis and response available, the ISSP Expertise Center
will examine the current processes and tools to determine which actions may speed analysis and
response time and which tools could serve secondary purposes for incident response.
Specifically, we will look at interdepartmental communications, alert escalation, and
identification and configuration tools. Any recommendations to expedite triage, data capture, or
other activities will remain compliant with current regulations and policies for data capture.
Through coordination and collaboration between the NSOC and SoF elements, the ISSP
Expertise Center will identify, characterize, and provide the operational context for technical
vulnerabilities that may impact SoF. We will also prepare detailed and summary reports and
briefs on a routine or ad hoc basis. To further bolster this program, the ISSP Expertise Center
will develop an automated, hierarchical mechanism or portal for disseminating vulnerability
information and reporting system compliance. This system will allow each SoF element to
submit and track individual compliance status information, provide asset information, request
waivers, and make corrections. The system will enable the NSOC to instantly capture the
vulnerability status of SoF. The system will provide a means of Risk Scoring, the ability to score
each security risk based on a number of factors, thereby quantifying the Information Assurance
(IA) risk posed by not patching the vulnerability such that each SoF element may prioritize its
mitigation measures. The ISSP Expertise Center will use this tool to streamline the process of
assessing vulnerabilities.
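As an added illustration of the risk scoring described above (not the proposal's portal or tool, and not a published formula), the following scores each unpatched finding by combining the scanner's CVSS base score with factors that describe what the weakness means to the element: asset tier, Internet exposure, public exploit availability, and how long the vendor fix has been available. The weights, the tier names, the finding labels and the sample findings are constructed assumptions.

```python
"""Score an unpatched vulnerability by what it means to this element, not
only by its CVSS number, so remediation can be prioritized.

Added example; not the proposal's risk-scoring tool. The factor weights,
asset tiers, identifiers and sample findings are constructed assumptions,
not a published formula.
"""
from dataclasses import dataclass
from datetime import date
from typing import List

TODAY = date(2015, 9, 3)   # constructed "as of" date for the sample run


@dataclass
class Finding:
    host: str
    finding_id: str           # hypothetical scanner plugin/finding label
    cvss_base: float          # 0.0 .. 10.0 as reported by the scanner
    asset_tier: str           # "mission", "business" or "support"
    internet_exposed: bool    # reachable from outside the enterprise?
    exploit_public: bool      # working exploit code known to be available?
    vendor_patch_date: date   # when a fix became available


# Constructed weights: how much a weakness on this class of asset matters.
TIER_WEIGHT = {"mission": 1.0, "business": 0.7, "support": 0.4}


def risk_score(f: Finding, today: date = TODAY) -> float:
    """0..100. CVSS gives technical severity; the other factors capture asset
    importance, reachability, exploit practicality and how long the fix has
    already been available but not applied."""
    base = f.cvss_base / 10.0
    exposure = 1.0 if f.internet_exposed else 0.6
    exploit = 1.0 if f.exploit_public else 0.7
    days_open = max((today - f.vendor_patch_date).days, 0)   # a future date counts as 0
    # Age factor ramps from 0.5 on release day to 1.0 after 30 days and holds,
    # so a brand-new finding is not instantly top-of-list but never ages out.
    age = min(0.5 + days_open / 60.0, 1.0)
    return round(100 * base * TIER_WEIGHT[f.asset_tier] * exposure * exploit * age, 1)


def prioritize(findings: List[Finding], today: date = TODAY) -> List[Finding]:
    """Highest score first; CVSS breaks ties so the order is deterministic."""
    return sorted(findings, key=lambda f: (risk_score(f, today), f.cvss_base), reverse=True)


# Constructed findings: the same CVSS 9.8 on very different assets.
SAMPLE_FINDINGS = [
    Finding("web01", "F-1", 9.8, "business", True, True, date(2015, 7, 1)),
    Finding("db01", "F-2", 7.5, "mission", False, False, date(2015, 8, 30)),
    Finding("kiosk7", "F-3", 9.8, "support", False, False, date(2015, 1, 10)),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):5.1f}  {f.host:8s} {f.finding_id}  CVSS {f.cvss_base}")
```

On the sample data the Internet-facing business server with a public exploit scores far above the others, and the CVSS 7.5 on the mission-critical database outranks the CVSS 9.8 on a support kiosk, which is the point of scoring by context rather than by scanner severity alone. The weights are the part each element would tune to its own policy.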
Our ISSP Expertise Center will employ the methodical approach shown in Figure 4 to analyze
event data. Our primary concern is the elimination of false positives to avoid unnecessary
outages. We will ensure that all alert thresholds are optimally configured to avoid false positives,
using trend analyses to assist in determining the most effective values. As events occur that
achieve the threshold of incident potential, both the NSOC and the IR Teams are engaged to
determine the appropriate classification, threat level, and disposition that may include US-CERT
notification as shown in the diagram below. At the very least, the process shown depicts the
well-disciplined, documented, and repeatable process that will provide the complete analysis and
capture of the data necessary to record and remediate the event and disposition.
Our ISSP Expertise Center will employ ITILv3-based principles to ensure accurate and timely
problem resolution. This includes a triage technique to establish scope, urgency, and impact of
each event or alert. If users are down, we focus all of our energies on getting the users back
online quickly. We will then escalate the event to problem management to engineer solutions
that will prevent that same problem from reoccurring. Part of the triage effort includes using best
professional judgment in determining whether the problem can be fixed with ISSP resources in a
timely manner or if it is necessary to engage third-level support or other groups to aid in the
resolution as indicated. The ASG team has certified ITILv3 experts who can provide guidance
and oversight to on-site staff at SoF.
Whether the problem is being handled in the ISSP or with the engagement of outside groups,
SOPs will specify at which point in time incidents must be escalated based on the progress of
resolution, time elapsed, and severity level. Initial and recurring status notification to users and
management will also be specified based on the severity level: criticality of the user’s mission
function and time elapsed. See Figure 5 below.
The ASG Team treats all security-related incidents in a special manner. Maintaining compliance
with all security standards, as well as NIST 800-61, NIST 800-90, US-CERT, and OMB
standards, is very important to support the number one priority: mitigating the impact of a
security incident. Our team will give security-related events all the attention and resources they
require in order to remedy them swiftly but correctly. Our analysis team is driven by one
overarching goal – maintain the integrity of the baseline across the enterprise, including security.
We will manage our analysis team resources accordingly. The ASG Team will also look for
opportunities to improve information and data flow, and we will make recommendations to SoF
in this regard.
Our security SMEs will develop an integrated security program that will coordinate with and
provide expert technical support to SoF technicians. Our personnel will analyze event data
received from network security tools to address SoF’s security concerns and compliance
requirements. We also recognize that being compliant does not necessarily mean that the
environment is also secure. We have proven processes to deal with millions of security events
across multiple network security applications. Performing incident triage to determine scope,
urgency, and potential operational impact by identifying the specific vulnerability and making
recommendations, which enables rapid remediation at the enterprise level, is a significant part of
the ASG Team’s ISSP Expertise Center core competencies.
Our team will also perform security event correlation, categorization, and prioritization and
prepare post analysis reports that provide added value to the service provided to SoF and ensure
they meet or exceed their legal, compliance, and certification standards. We will also perform
event categorization involving analysis of incoming data flow from security devices and data
searches for indications of anomalous events.
Our Proven Capabilities.
Our Expertise Center provides highly capable analysts, and we will leverage our proven analyst
techniques from other programs to enhance SoF’s analysis support. For example, in support of
the USGCB, we provide expert network, server, data and desktop computer security support
services including planning and analysis, audits, remote monitoring and intrusion detection,
vulnerability scans, and application systems certification and accreditation.
The ISSP Expertise Center has worked with several SIEM systems and tools, including
ArcSight, eSecurity, and TrustWave (Intellitactics). Our team has the experience correlating
security events and analyzing logs and alerts across virtually any security technology and critical
information asset, 24x7, to identify anomalies and respond to threats in real time. Deeply-skilled
security experts will work with the NSOC, field operations, and other SoF components to
analyze security incidents and assist with remediating outbreaks within the enterprise and
expeditiously respond to security events to determine the root cause and consult on the
mitigation to any malicious activity. Our team will be able to provide the expertise in behavioral
analytics, which will greatly improve security incident correlation within the SIEM tool. By
utilizing the known behaviors of various security threats, SIEM correlation rules can be
customized to not react strictly based on vendor signatures, which are known to over report,
thereby reducing unnecessary response activities.
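The following is an added illustration of the behavior-based correlation described above; it is not the proposal's SIEM content and uses no vendor's rule syntax. A vendor signature hit on its own is recorded but not acted on; it becomes an incident only when, within a short window, the targeted host itself initiates a connection to an address outside the enterprise range. The events, the 10-minute window and the 10.0.0.0/8 internal range are constructed assumptions.

```python
"""Behavior-based correlation: a vendor signature hit by itself is noise; the
same host then doing something new is an incident.

Added example; not the proposal's SIEM content and not any vendor's rule
syntax. The events, the 10-minute window and the 10.0.0.0/8 internal range
are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

WINDOW = timedelta(minutes=10)
INTERNAL = ip_network("10.0.0.0/8")   # assumed enterprise address space


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed, already-normalized events. "ids.alert" carries the vendor
# signature and the targeted host in "dst"; "net.flow" is a connection
# initiated from inside the enterprise.
EVENTS: List[Dict] = [
    {"ts": "2015-09-03T09:00:00Z", "kind": "ids.alert", "dst": "10.1.2.3", "sig": "Exploit attempt"},
    {"ts": "2015-09-03T09:00:30Z", "kind": "net.flow", "src": "10.1.2.3", "dst": "10.1.9.9", "dport": 445},
    {"ts": "2015-09-03T09:03:00Z", "kind": "net.flow", "src": "10.1.2.3", "dst": "198.51.100.20", "dport": 4444},
    {"ts": "2015-09-03T10:00:00Z", "kind": "ids.alert", "dst": "10.1.2.4", "sig": "Exploit attempt"},
    {"ts": "2015-09-03T10:30:00Z", "kind": "net.flow", "src": "10.1.2.4", "dst": "198.51.100.21", "dport": 443},
    {"ts": "2015-09-03T11:00:00Z", "kind": "net.flow", "src": "10.1.2.5", "dst": "198.51.100.22", "dport": 443},
]


def correlate(events: List[Dict], window: timedelta = WINDOW) -> Tuple[List[Tuple], List[Tuple]]:
    """Return (incidents, suppressed).

    An incident is a signature hit on a host followed, within `window`, by an
    outbound connection from that host to an address outside INTERNAL. A
    signature hit never followed by such behavior is returned as suppressed:
    it is logged and available for trend analysis, but nobody is paged."""
    ordered = sorted(events, key=lambda e: _t(e["ts"]))
    pending: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    incidents: List[Tuple] = []
    for e in ordered:
        now = _t(e["ts"])
        if e["kind"] == "ids.alert":
            pending[e["dst"]].append((now, e["sig"]))
            continue
        if e["kind"] != "net.flow" or ip_address(e["dst"]) in INTERNAL:
            continue   # internal-to-internal traffic is not the behavior keyed on
        host = e["src"]
        unmatched = []
        for alert_time, sig in pending.get(host, []):
            if now - alert_time <= window:
                incidents.append((host, sig, e))   # alert consumed by this match
            else:
                unmatched.append((alert_time, sig))
        if host in pending:
            pending[host] = unmatched
    suppressed = [(host, sig) for host, hits in pending.items() for _, sig in hits]
    return incidents, suppressed


if __name__ == "__main__":
    inc, sup = correlate(EVENTS)
    for host, sig, flow in inc:
        print(f"INCIDENT {host}: '{sig}' then outbound to {flow['dst']}:{flow['dport']} at {flow['ts']}")
    for host, sig in sup:
        print(f"suppressed {host}: '{sig}' (no follow-on behavior)")
```

On the sample data the first signature hit is confirmed by the targeted host opening an outbound connection to an external address on port 4444 three minutes later, while the second hit sees no such behavior inside the window and is held for trend analysis rather than dispatched. The suppressed list matters as much as the incident list: a rising count of unconfirmed hits for one signature is the evidence for tuning that signature.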
Figure 5. NSOC Incident Process Flow Ensures Thorough Analysis of Potential Threats
For this effort, we will provide comprehensive network security analysis reports to SoF NSOC
managers, the SoF COR, and the SoF PM. Our team previously supported a variety of key
technical security platforms including antivirus, public key infrastructures (PKIs), HIPS, NIPS,
virtual private networks (VPNs), and other security-related devices. The ASG Team’s Expertise
Center will apply these skills and also be able to provide recommendations for system policy and
auditing modifications to enhance the capability of existing or future HIPS deployments to
ensure potential threat risks are seen by the SoF’s security tools or SIEM.
4.1.1.1.5 Reporting Support
Our ISSP Expertise Center solution features CSI. We know from experience that this is only
possible with accurate documentation and the reporting of the findings in that documentation. All
event correlation, problem analysis, and trend analysis must be correctly recorded, reported, and
clearly communicated. The Reporting Support phase is also the process of establishing policies,
processes, procedures, and agreements covering the management and response to security
incidents as well as IR tactics, techniques, and procedures.
The tracking process involves learning about a potential security incident and reporting it to
generate a Remedy incident ticket. This phase also involves the reporting of potential incidents
to the NSOC, who will immediately refer the incident to the IR Team.
Our Approach.
Our ISSP Expertise Center ensures effective reporting by:
1. Developing robust scripts/queries to generate automated reports with reliable data that
can be used for analysis
2. Ensuring that timely notifications are generated and distributed to all stakeholders for
events that users need to know about, especially security-related events, system performance
issues, and planned maintenance windows
3. Producing incident response guidance
4. Tracking the progress of incident response activity and providing updates to SoF
management
5. Creating and maintaining the body of documentation that describes the NSOC Incident
Response Tactics, Techniques, and Procedures (TTPs) and signature management
The use of common terminology, timeframes, and reports will facilitate communication,
reporting, and improved incident management. Our ISSP Expertise Center will develop many
types of reports across large data sets that will include identifying active nodes within the SoF’s
enterprise.
We will provide enterprise/SoF reporting to Departmental stakeholders including host, network,
and server-based scan information that includes scan and patch certification, deployment,
verification data, and vendor patch release information.
We will provide security-related FISMA reporting including but not limited to security incident
information as well as fiscal year totals for trackability purposes.
Incident Reporting Timeframe Criteria will include the target of one-hour reporting upon
discovery/detection of an incident. Our team has experience developing many types of security
reports using Crystal Reports, ActiveReports, and Microsoft (MS) reporting service to name a
few. This reporting will also include the comparison of inputs from a variety of sources to
determine trending for weakness and vulnerability to provide the SoF with proactive
recommendations for remediation or avoidance strategies.
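As an added illustration of the fiscal-year totals and the one-hour reporting criterion described above (not the proposal's reporting scripts), the following tallies constructed incident records by Federal fiscal year and category and computes the share reported within one hour of detection. The incident records and categories are constructed; the one-hour target is the proposal's own criterion; the Federal fiscal year (1 October through 30 September, named for the year in which it ends) is standard.

```python
"""Fiscal-year incident totals and one-hour reporting compliance, as an
automated reporting script would compute them.

Added example; not the proposal's reporting code. The incident records and
categories are constructed; the one-hour target is the proposal's own
criterion; the Federal fiscal year (1 Oct to 30 Sep, named for the year in
which it ends) is standard.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

REPORTING_TARGET = timedelta(hours=1)


def fiscal_year(d: datetime) -> int:
    """Federal FY: October through September, named for the calendar year it ends in."""
    return d.year + 1 if d.month >= 10 else d.year


# Constructed: (category, detected_at, reported_at). An incident is counted in
# the fiscal year of its detection, not of its report.
INCIDENTS: List[Tuple[str, str, str]] = [
    ("phishing", "2014-09-30T23:30:00", "2014-10-01T00:10:00"),   # FY2014, reported in 40 min
    ("phishing", "2014-10-01T08:00:00", "2014-10-01T08:45:00"),   # FY2015
    ("malware", "2015-03-15T13:00:00", "2015-03-15T15:20:00"),    # FY2015, missed the target
    ("phishing", "2015-08-02T09:05:00", "2015-08-02T09:50:00"),
    ("unauthorized_access", "2015-09-30T17:00:00", "2015-09-30T17:59:00"),
]


def fiscal_year_report(incidents, target: timedelta = REPORTING_TARGET) -> Dict[int, Dict]:
    """Per fiscal year: totals by category, overall total, and the share of
    incidents reported within `target` of detection."""
    report: Dict[int, Dict] = {}
    for category, detected, reported in incidents:
        d, r = datetime.fromisoformat(detected), datetime.fromisoformat(reported)
        fy = report.setdefault(fiscal_year(d),
                               {"by_category": Counter(), "total": 0, "within_target": 0})
        fy["by_category"][category] += 1
        fy["total"] += 1
        # A report timestamp earlier than detection is a data error, not compliance.
        if timedelta(0) <= r - d <= target:
            fy["within_target"] += 1
    for fy in report.values():
        fy["by_category"] = dict(fy["by_category"])
        fy["target_rate"] = round(fy["within_target"] / fy["total"], 2)
    return dict(sorted(report.items()))


if __name__ == "__main__":
    for year, data in fiscal_year_report(INCIDENTS).items():
        print(f"FY{year}: {data['total']} incidents, {data['by_category']}, "
              f"{data['within_target']} reported within one hour ({data['target_rate']:.0%})")
```

The first sample incident is detected on 30 September and reported after midnight on 1 October; it belongs to the earlier fiscal year because fiscal-year assignment is keyed on detection, and it still counts as reported within the target because the elapsed time, not the calendar date, is what the criterion measures.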
We will collect this information in a timely manner, obtain approvals as necessary, and post to
SharePoint, dashboard, or intranet Web-enabled portals as we advance the ISSP's
capabilities. Starting with the transition, we will begin to assemble a comprehensive list of
all available tools and standard or customized reports that are available from the SoF security
platform management applications, sensors, and HIPS/NIPS reports. We will analyze and
categorize the reports in order to understand the overall security coverage for specific platforms
and the most efficient and secure methods for distributing the sensitive data. Our staff will ensure
protective actions are performed on systems to safeguard data and resources for SoF systems.
Our Proven Capabilities.
The ISSP Expertise Center’s appreciation for the importance of effective reporting is
demonstrated by our success on programs similar to the SoF's. For example, ASG
is a member of the VA NSOC executive steering committee and has developed many of
VA OIT's policies and procedures, including those for service desk management, Local Area
Network (LAN)/Wide Area Network (WAN) operations, incident management, outage
coordination and incident reporting, and problem management, in full implementation of ITILv3.
Requirement

Pre-Incident Services:
- Incident Response Agreements – Terms and conditions in place ahead of time to allow for quicker response in the event of a cyber-security incident.
- Assessments – Evaluate a State Agency's current state of information security and cyber-security incident response capability.
- Preparation – Provide guidance on requirements and best practices.
- Developing Cyber-Security Incident Response Plans – Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.
- Training – Provide training for State Agency staff from basic user awareness to technical education.

Post-Incident Services:
- Breach Services Toll-free Hotline – Provide a scalable, resilient call center for incident response information to State Agencies.
- Investigation/Clean-up – Conduct rapid evaluation of incidents, lead investigations, and provide remediation services to restore State Agency operations to pre-incident levels.
- Incident Response – Provide guidance or technical staff to assist State Agencies in response to an incident.
- Mitigation Plans – Assist State Agency staff in development of mitigation plans based on investigation and incident response. Assist State Agency staff with incident mitigation activities.
- Identity Monitoring, Protection, and Restoration – Provide identity monitoring, protection, and restoration services to any individuals potentially affected by a cyber-security incident.

Response
ASG has a flexible SLA that can be shaped to cover all customer
needs.
The ASG Team has completed over 1,000 security control assessments at
other Federal agencies alone. ASG Team members have developed or helped
update many IT directives and will be able to apply this experience to the
Department of Management Services Division. The Security Assessment
boundary for the enterprise will be comprised of multiple components. Using
this experience, the ISSP Expertise Center will perform product testing
utilizing multiple assessment methods and tools and certification test plans.
System documentation will be gathered and reviewed to obtain an accurate
representation of the information system security controls, policies, and
procedures that pertain to each system review. In conjunction with
documentation review, we will conduct interviews with System Owners and
System Development Leads (SDLs) to assess NIST SP 800-53 security controls.
This security assessment will be conducted in part based on IT Security
Directives.
The IR Analysis Management Team will clearly establish and enforce all
policies and procedures. Our NSOC ISSP Expertise Center staff will actively
review all vulnerability information and data feeds, conduct trend or gap
analysis on those feeds, and then prioritize the identified threats and
vulnerabilities. To more effectively manage security incidents, we also plan
on utilizing the ISSP’s existing change management procedures to ensure
security devices, such as firewalls and authentication systems, are properly
configured. Additionally, our security personnel will develop and maintain
policies and procedures by thoroughly testing to ensure that they are
practical and clearly provide the appropriate level of security. The ASG Team
will work with staff to gain support for security policies and incident handling
and respond to events immediately.
The ASG Team understands that Security Awareness training is a Federally
mandated and essential component of the Information Assurance objectives.
It is critical that all employees understand the potential threats and risks in
their day-to-day operations. The ASG Team is currently filling this role at DoD
and Federal Agencies, where we are confirming business requirements,
identifying business processes, reviewing potential integration gaps, developing
draft policies, SOPs, and guidelines, developing standard security awareness and
training templates and tools, developing reporting tools, security awareness
reminders, and templates for schedule tracking, and developing lessons-learned
documentation.
ASG can provide a scalable call center. We can use ASG's current capability or
set up a new one.
Incident response is a key component of an enterprise business continuity
and resilience program. The increasing number and diversity of information
security threats can disrupt enterprise business activities and damage
enterprise information assets. A sound risk management program can help
reduce the number of incidents, but there are some incidents that can
neither be anticipated nor avoided. Therefore, the enterprise needs to have
an incident response capability to detect incidents quickly, contain them,
mitigate impact, and restore and reconstitute services in a trusted manner.
The ASG Team will monitor systems and procedures. If and when an information
security event occurs, ASG personnel will support the Computer Incident
Response Team (CIRT) in its mitigation and in the determination of an
appropriate level of security commensurate with the impact level of the
event, and will develop and implement processes and procedures for reporting,
tracking, and resolving computer security incidents.
The ASG Security Analyst and Engineers will assist the Senior IA Official with
developing and instituting a Component-level Cyber Security Inspection
Program (CSIP). The CSIP will reflect the current process instituted by the
Defense Information Systems Agency Field Security Operations and US Cyber
Command. Information security continuous monitoring (ISCM) is defined as
maintaining ongoing awareness of information security, vulnerabilities, and
threats to support organizational risk management decisions. Risk
management embodies a continuous process of identification, assessment,
and monitoring of risk in accordance with organizational management policy
and key industry practices. The RMF combined with the System
Development Life Cycle (SDLC) provides a structured, yet flexible approach
for managing the portion of risk resulting from the incorporation of
information systems into the mission and business processes of the
organization. The risk management concepts are intentionally broad-based
with the specific details of assessing risk and employing appropriate risk
mitigation strategies provided by the supporting NIST security standards and
guidelines.