
DI Alternate 1' Proposal Template - DMS


Federal Aviation Administration Department of Management Services

Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services

Use or disclosure of data contained on this sheet is subject to the restriction on the title page of this proposal. 09/03/2015

Table of Contents

1 INTRODUCTION ..... 1
2 BACKGROUND ..... 1
3 CONTACT INFORMATION ..... 1
4 RESPONSE ..... 2
4.1 PRE-INCIDENT SERVICES
4.2 POST-INCIDENT SERVICES


1 Introduction

Atlantic Systems Group, Inc. (ASG) is a Service-Disabled Veteran-Owned Small Business (SDVOSB) headquartered in Rockledge, Florida, with satellite offices in Washington, DC. ASG is a premier information security solutions provider in North America, dedicated to serving clients in the Federal government, defense, telecommunications, and healthcare industries. ASG is a leader in offering end-to-end information security solutions by building and managing security programs, ranging from Strategic Consulting Services, where we assist customers in meeting security compliance requirements, through hands-on Execution or Deployment Services, including Design and Engineering and Security Assessment, to Operational Services such as Support and Training. Our core competencies include Security Engineering Services, Security Risk Assessments, Vulnerability Assessments, Penetration Testing, and Information Assurance.

Our security engineers and information assurance consultants are dedicated to assisting our clients in managing and mitigating their information security risks through the implementation of best practices and carefully tested security technologies, while ensuring compliance with Federal regulations and mandates.

2 Background

Incident response is a key component of an enterprise business continuity and resilience program. The increasing number and diversity of information security threats can disrupt enterprise business activities and damage enterprise information assets. A sound risk management program can help reduce the number of incidents, but some incidents can neither be anticipated nor avoided. Therefore, the enterprise needs an incident response capability to detect incidents quickly, contain them, mitigate their impact, and restore and reconstitute services in a trusted manner. The ASG Team will monitor systems and procedures. If and when an information security event occurs, ASG personnel will assist the Computer Incident Response Team (CIRT) in its mitigation and in determining a level of security commensurate with the impact level of the event, develop and implement processes and procedures for reporting, tracking, and resolving computer security incidents, and ensure the availability of staff to support 24x7 execution of security incident management as incidents are reported.

3 Contact Information

Company Name: Atlantic Systems Group Inc.
Company Address: Atlantic Systems Group Inc. (SDVOSB), 4195 US HWY 1 STE 102, Rockledge, FL 32955
Company Representative: Earnest Neal; cell: 301-502-3687; fax: 321 821-0409; [email protected]
Sources Sought Reference Number: RFQ1021822
Sources Sought Issue Date: August 14, 2015
Sources Sought Close Date: August 31, 2015
NAICS Code: 541511, 541512, 541519, 611420
DUNS Number: 171384113
Cage Code: 33XY0
Point of Contact for Submission: Earnest Neal, COO
Sources Sought Response Prepared by: Atlantic Systems Group Inc.
Contract Vehicles: GSA IT 70 GS-35F-326CA

4 Response

Our ASG ISSP Expertise Center staff is composed of senior security professionals who have the capabilities to protect the State of Florida (SoF) enterprise from cyber threats by providing constant vigilance over security infrastructure and critical information assets. Our personnel have the in-depth knowledge needed to identify and thwart malicious activity based on security log review and monitoring activities, while balancing numerous ongoing operational and strategic security tasks. We will develop and implement scalable processes to assist the SoF Network Security Operations Center (SoF-NSOC) with implementing advanced analysis technologies that effectively detect and respond to threats.

The ASG Team currently delivers proven and experienced network security and monitoring support services, including real-time monitoring, correlation, and expert analysis of security activity across the SoF enterprise 24 hours/day, 7 days/week, 365 days/year. Our enterprise security operations center support services team has improved the effectiveness of the SoF security infrastructure by actively analyzing the logs and alerts from network security and enterprise operations devices in real time, 24x7x365. The ASG Team has detailed the NSOC coverage in section 4.10.1. Our Security Monitoring service simplifies security and compliance reporting to streamline audits. The ASG Team approach to managing and controlling the NSOC is illustrated in Figure 1 below.


Figure 1. The Proposed ASG Team Approach to Provide NSOC Support

Objectives of the ISSP Security Operations and Security Incident Handling

To support the NSOC/Computer Security Incident Response Capability (CSIRC), our approach and our ISSP Expertise Center teams have been developed based on the functional areas detailed in the SOW. These teams (Network Security and Monitoring Support Team, Incident Response (IR) Analysis Team, IR Analysis Management, Intrusion Detection Team and Sensor Management Team, and Vulnerability Assessment Team) will conduct the vital functions in each designated area, as well as inform our approach to providing Network Defense Center Documentation Support.

1. Network Security and Monitoring Support – Infrastructure monitoring support services will be provided on a routine basis and serve as a proactive measure against potential malicious attacks that might otherwise go undetected. These scans will be performed by seasoned Red Teaming security engineers on at least a bi-weekly basis and, if necessary, on an additional as-needed basis. This service covers the SoF network devices as well as all computers connected to the SoF network. The normal expectation for this service is that a high number of potential security vulnerabilities, security risks, and incidents will be discovered in the beginning stages, as many false positive findings are discovered, analyzed, and recorded as such. As we work with our SoF counterparts to properly tune security devices, the total volume of vulnerabilities and false positives will decrease.

2. IR Analysis Support – The SoF-NSOC ISSP Expertise Center staff possesses broad and deep technical capabilities to monitor, analyze, and report security incidents. The ASG Team has experience identifying and implementing standard industry incident analysis tools, including EnCase Enterprise, AccessData Forensic Tool Suite, Paraben Forensic Suite, Sysinternals Suite, and Registry Viewer. Based on our identified indicators, we will analyze key registry and file system artifacts during host-based analysis, producing additional indicators and detailing adversarial tactics, techniques, and procedures. The ASG Team can also provide event timeline reconstruction and identify vectors of compromise, along with supplemental incident analysis reporting.


3. IR Analysis Management Support – The IR Analysis Management Team will clearly establish and enforce all policies and procedures. Our SoF-NSOC ISSP Expertise Center staff will actively review all vulnerability information and data feeds, conduct trend or gap analysis on those feeds, and then prioritize the identified threats and vulnerabilities. To manage security incidents more effectively, we also plan to use the ISSP’s existing change management procedures to ensure that SoF security devices, such as firewalls and authentication systems, are properly configured. Additionally, our security personnel will develop and maintain policies and procedures, testing them thoroughly to ensure that they are practical and clearly provide the appropriate level of security. The ASG Team will work with SoF to gain support for security policies and incident handling and will respond to events immediately.

4. Intrusion Detection and Prevention Support – The ASG Team’s approach to detection and prevention incorporates the identification of events through proactive monitoring of indicators such as network monitors, intrusion detection systems, and cyber threat intelligence watch lists. The incident management program identifies any notable activity that might suggest malicious behavior, or that might indicate risks and threats to the enterprise infrastructure, by examining the data feeds from US-CERT portals and vendor security portals (e.g., Microsoft Security Response Center and Cisco Intelligence Center). The Intrusion Detection and Prevention Support team consists of highly trained staff with practical expertise in conducting Security Information and Event Management (SIEM) event correlation analysis and generating network security tool reports. Underpinning our approach is our focus on extending network monitoring capabilities, under prescribed service levels, by integrating security components such as firewalls, intrusion protection systems, system access controls, Host-based Intrusion Prevention Systems (HIPS), and Network Intrusion Prevention Systems (NIPS).

5. Sensor Management Support – Sensor Management support and maintenance services will be provided both by the 24x7x365 around-the-clock personnel of the Sensor Management Support Team and by additional normal-business-hour security engineers. This service is founded on establishing a baseline of regular and frequent scanning, and provides short-, mid-, and long-term assistance with the maintenance of SoF-NSOC security devices. Short-term support includes 24-hour response to change requests arising from US-CERT vulnerability alerts and the Sourcefire Vulnerability Research Team, as well as from potential vulnerabilities and security issues discovered by the ISSP’s scheduled bi-weekly vulnerability scans. Mid- to long-term support includes scheduled SoF-NSOC security device upgrades and new installs.

6. Vulnerability Assessment Support – Vulnerability Management (VM) will be carried out by the Vulnerability Assessment Team (VAT), which is composed of senior analysts within the ASG ISSP Expertise Center. In accordance with NIST SP 800-40 v2, the VAT will use established guidelines and processes to effectively identify and mitigate existing vulnerabilities in the SoF environment. This team will be a formal subset of the Security Operations Center within SoF/.

The solutions provided by our ISSP Expertise Center will be customized to meet SoF’s individual requirements, ensuring accurate network defense center documentation, compliance with security policy, and alignment with defined performance metrics. The ASG Team approach will help to improve network uptime and performance and tighten network security controls at SoF. As a result, security incidents will be managed effectively, and protection, detection, and IR capabilities will work as an integrated whole.

4.1.1.1 Scope

4.1.1.1.1 Network Security and Monitoring Support (NSMS)


Our ISSP Expertise Center staff will provide 24x7x365 vigilance over the SoF organization’s security activity. The ISSP will use its expertise to tune SoF’s SIEM tool so that relevant security events are differentiated through behavioral analytics and correlation. This will reduce false positives and false negatives by creating rules that are not limited to a specific security event but also cover the activity usually associated with an actual threat, infection, or attack. This will be accomplished by associating events across all security and network devices into single or multiple incidents. Our ISSP Expertise Center personnel will analyze event data received from network security tools to eliminate false positives and will serve as technical experts and liaisons to external incident response personnel. Identified security incidents will be carefully analyzed by our team of security experts to detect and validate any signs of malicious activity.

The ASG Team’s personnel will coordinate with NSOC, Field Operations, and other SoF components to resolve security incidents within the enterprise: to remediate security events, determine the root cause, consult on the mitigation of potential future events and incidents, and recommend refinements to event correlation rules for implementation on the SIEM.

The ASG Team’s security experts perform extensive research and search global security intelligence sites and forums. They will use this knowledge to ensure that emerging threats and advanced attack methodologies are identified, further enhancing the customer’s SIEM analysis and device signature content to thwart attacks before damage is done. The ASG Team’s security experts also identify signs of potential insider threats, such as unauthorized access or policy compliance issues.

The ASG Team’s knowledge of the SoF’s IT security controls is unmatched by any other contractor, as the ASG Team has performed hundreds of security control assessments across all the control families in the NIST SP 800-53 series at . With this real-world experience, the ASG Team’s ISSP Expertise Center personnel understand not only what the NIST special publications are trying to convey, but also how these controls are deployed at . The security experts will also use their extensive knowledge when reviewing SoF’s current network security posture and when any change requests are submitted, to prevent any unnecessary risk or exposure to SoF’s network. The ASG Team will also ensure that all processes and procedures around change management meet SoF’s needs so that unnecessary operational outages are avoided.

To ensure the highest level of customer service and continual uptime for SLA-bearing infrastructure, the ISSP Expertise Center will implement a process for change control and maintenance window management that aligns with SoF change management policies. This process will ensure that all access and work activity performed on NSOC production systems occurs in a scheduled, documented, and controlled environment. In addition, these procedures enable NSOC to fulfill the requirements of external process and procedural audits pursuant to maintaining best-practice certifications.

Access to production devices for maintenance must receive prior authorization from the NSOC Change Control Board, will be fully documented, and must occur during one of the NSOC standard maintenance windows.

Informational changes must be documented for all changes to NSOC. This includes, but is not limited to, upgrading patches and service packs, changing IP addresses, making interface changes, adding scripts, renaming devices, performing database updates, and updating signatures.

An emergency change control can be performed outside of standard maintenance windows provided that the NSOC Change Control Board authorizes the change and the proposed provisional maintenance window. Emergency Change Control Board requests should be presented to SoF.

Change controls for SoF devices can be performed outside of standard maintenance windows provided that the change control has been authorized by the SoF Change Control Board and SoF has agreed to the provisional maintenance window.

Maintenance Window Objectives:

- Facilitate preparation, planning, and scheduling of changes
- Establish an approval process for all changes
- Provide timely communication of planned changes to NSOC customers (internal and external)
- Provide a central repository for tracking changes to improve service quality to customers and document changes for auditing purposes

The ASG Team’s ISSP Expertise Center takes a practical approach to security solutions, focusing on operational needs, associated risks, and potential cost to devise an optimal strategy that offers the best value with an acceptable level of risk. We will follow a focused process from assessment, mitigation, test, and certification through ongoing maintenance and support as part of our managed security capability, to ensure continued secure operations in the face of newly identified risks. The ASG Team’s personnel will support SoF in designing, building, certifying, and operating IT security infrastructures and networks, including but not limited to:

- Firewalls
- Network and host intrusion detection systems
- Remote access systems
- Virtual Private Networks (VPNs)
- Antivirus systems
- Compliance and patching activities
- URL Filtering/SPAM Blocking
- Cryptographic Systems
- Multi-factor identification/credential management, including tokens, biometrics, and Public Key Infrastructure
- Multi-security level systems

Our personnel also understand the policies that support the Incident Response Plan (IRP) and define the plan’s authority and scope to establish specific requirements for incident response or incident response planning in Federal information systems. Some of the Federal laws, regulatory guidance, and directives that drive information security programs, including the development of an IRP, are listed below:

- Federal Information Security Management Act (FISMA) of 2002
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Computer Fraud and Abuse Act of 1986, as amended
- OMB Circular No. A-130, Appendix III, “Security of Federal Automated Information Systems”
- Federal Information Processing Standard (FIPS) 199, “Standards for Security Categorization of Federal Information and Information Systems,” February 2004
- NIST SP 800-18 Rev 1 – Guide for Developing Security Plans for Federal Information Systems, February 2006


- NIST SP 800-37 – Guide for the Security Certification and Accreditation of Federal Information Systems, May 2004
- NIST SP 800-53 Rev 3 – Recommended Security Controls for Federal Information Systems, August 2009
- NIST SP 800-61 – Computer Security Incident Handling Guide, January 2004
- 3500 Cyber-Security Manual Series
- 3505 Computer Incident Response
- 3515 Privacy Requirements
- 3540 Risk Management Program
- 3555 Certification and Accreditation
- 3570 IT Contingency and Disaster Planning
- 3575 Security Controls
- 3520 Configuration Management
- 3545 Personnel Security
- 3550 IT Systems

Our approach, detailed in the following sections, will incorporate the elements included within the NIST SP 800-53 series, and in particular the IR control family shown in Figure 2.

Control # – Description of Control

IR-1 – Incident Response Policy and Procedures: The organization develops, disseminates, and periodically reviews/updates: (i) a formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, and compliance; and (ii) formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.

IR-2 – Incident Response Training: The organization trains personnel in their incident response roles and responsibilities with respect to the information system and provides refresher training at least annually.

IR-2 (1) – Incident Response Training: The organization incorporates simulated events into incident response training to facilitate effective response by personnel in crisis situations.

IR-3 – Incident Response Testing and Exercises: The organization tests and/or exercises the incident response capability for the information system at least annually, using the Incident Response Tests identified in the System Security Plan, to determine incident response effectiveness, and documents the results.

IR-3 (1) – Incident Response Testing and Exercises: The organization employs automated mechanisms to more thoroughly and effectively test/exercise the incident response capability.

IR-4 – Incident Handling: The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

IR-4 (1) – Incident Handling: The organization employs automated mechanisms to support the incident handling process.

IR-5 – Incident Monitoring: The organization tracks and documents information system security incidents on an ongoing basis.


IR-5 (1) – Incident Monitoring: The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.

IR-6 – Incident Reporting: The organization promptly reports incident information to appropriate authorities.

IR-6 (1) – Incident Reporting: The organization employs automated mechanisms to assist in the reporting of security incidents.

IR-7 – Incident Response Assistance: The organization provides an incident support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability.

IR-7 (1) – Incident Response Assistance: The organization employs automated mechanisms to increase the availability of incident response-related information and support.

Figure 2. NIST SP 800-53 – Recommended Security Controls for Federal Information Systems – Control Family Incident Response (IR).

The ISSP Expertise Center’s proven approach to monitoring, analysis, and reporting offers the SoF NSOC Office of Information Technology (OIT)/Office of Information Security (OIS) a low-risk solution for both transition and steady-state ISSP operations. The ASG Team has extensive, relevant experience in monitoring, analysis, and reporting.

The ASG Team’s personnel will employ our proven ITILv3-based services model, tailored to the ISSP environment, not only to meet or exceed the ISSP incident response analysis support requirements but also to enable Continual Service Improvement (CSI) over time. The ASG Team will leverage existing SOPs, refining them if necessary, to ensure rapid problem resolution, coordination, and escalation to keep all users online and productive. The ASG Team’s highly integrated Incident, Problem, and Release Management methods not only resolve today’s problems effectively; they also address tomorrow’s challenges associated with technology refresh cycles, including cloud and virtualization technologies for reduced system footprints and increased performance. The benefit of our solution to ISSP/IAD is threefold: (1) our high-performance team and proven services framework maximize the efficiency and effectiveness of the monitoring tools in use, enhancing system availability and end-user satisfaction even during times of constrained funding that may preclude system enhancements; (2) our deliberate IT investment and planning capabilities maximize the Return on Investment (ROI) of diminishing IT dollars for monitoring tools; and (3) our team is proactive in preventing problems.

4.1.1.1.2 Incident Response Analysis Support

The ISSP Expertise Center staff understands that effective incident response is critical to restoring normal operations for our customers as rapidly as possible, preventing the unintentional disclosure of personal and sensitive information, and maintaining 99.9% reliability. Our incident management model described above provides cradle-to-grave incident management, from preparation planning and prevention of incident occurrence, to monitoring support in which we detect incidents. The ISSP Expertise Center then invokes a rapid and disciplined response in which we contain, eradicate, and recover from the incident, followed by thorough analysis and reporting that advance planning and continuously improve the prevention of future incidents.


Our personnel are experienced in dealing with multiple types of security incidents, including breaches of confidentiality, compromised integrity, disrupted availability, repudiation, harassment attempts, extortion attempts, pornography trafficking, computer misuse that involves organized crime, subversion, and hoaxes. The ASG Team ISSP Expertise Center will use our experience and knowledge to provide enhanced analytical reporting capabilities that will ensure SoF’s security posture meets or exceeds all legal and regulatory compliance requirements. Our ISSP Expertise Center will ensure that all processes and procedures around incident response are well documented and followed. Our incident response team will use a variety of methodical approaches to monitor, analyze, and report anomalies and security incidents to ensure that SoF’s confidentiality, integrity, availability, and policies are not violated. This will be done using techniques such as pattern matching, protocol decoding, simple logic, and behavioral analysis to correlate anomalies and security events into incidents of varying risk levels. The incident response team will then use any information gained from security incidents to further enhance SoF’s security posture, with the cooperation and approval of SoF’s management team, through change activities on its security device policies or signatures.

Figure 3 illustrates the high-level phases of a Critical Incident Response Plan (CIRP) that relate directly to the elements requested in the PWS:

- Monitoring – Preparing for an event
- Analyzing – Responding to an event
- Reporting – Throughout the process, followed by a formal post-incident response

Figure 3. The ISSP Expertise Center will prepare for and respond to security breaches

Our Incident Response Analysis Support process is shown in Figure 4.


Figure 4. Incident Reporting and Analysis continuously processes and refines inputs to

capture incidents successfully

Overall Monitoring will be conducted by collecting log information from HIPS/NIPS, firewall

proxies, antivirus tools, and through server audit trails. Our effective tuning of software, sensors,

and devices will be done in accordance with SOPs and standard processes to ensure optimal

performance. The ASG Expertise Center will use these tools to analyze the wide variety and large volume of collected data, reducing raw events to the high-priority incidents that must be contained and eradicated, while also preparing and categorizing the reporting and maintaining the ISSP databases.

4.1.1.1.3 Monitoring Support

Our Understanding.

Monitoring support requires collecting a multitude of information and maintaining that

information in a structured and organized way in order to be able to analyze associated threats

for patterns and trends. We recognize that enterprise monitoring must be collaborative among SoF elements, which also report vulnerabilities, potential attack vectors, technical vulnerabilities that could be exploited, events, incidents, and outages. Network monitoring effectiveness is a direct function of:

How well the monitoring tools are configured for detection and alerts

The degree of event correlation provided by the monitoring tools

Whether or not the system is properly configured with all “high risk” security patches

Whether or not intrusion detection systems and firewalls are configured properly

How well log files are analyzed and archived


The capabilities of system/network administrators to proactively anticipate performance

degradation and resolve performance issues through load balancing and capacity

management.

The ASG Team’s ISSP Expertise Center is committed to ensuring that all of these factors are

properly implemented and functioning effectively. We also understand the importance of

monitoring all configuration changes for network security devices, tracking security related

issues by monitoring tickets and working with the SoF Information Security Offices (ISOs), and

inspecting and identifying network traffic for possible anomalous network activity. The ASG

Team’s ISSP Expertise Center is poised to respond to these requirements.

Our Approach.

The ASG Team’s number one focus for the monitoring task is to ensure that systems and

network monitoring tools are configured at the proper thresholds for detection, alerts, event

correlation, and automated ticket generation. The benefit of this approach is that the average

problem resolution cycle time is reduced, thereby increasing system availability for SoF users. In

addition, we will maintain the security posture of the network, protecting SoF’s vital data from

compromise. The ASG Team ISSP Expertise Center will be proactively focused on continual service improvement (CSI) and optimization in order to provide more effective incident monitoring. This approach results in

increased positive results as optimization and improvement simplifies ISSP responsibilities and

stabilizes the environment. Also, improved ISSP capabilities ensure engineering support

resources are increasingly available to continue work on other important projects. We will

coordinate input of all activity reports and metrics for streamlined analysis of trends and issues,

and identify corresponding corrective or preventive actions to update monitoring activities. This

will permit our monitoring team to become “more proactive and less reactive.”

Our security personnel will monitor events using the SoF toolset. The ISSP Expertise Center will select the tools that will be deployed based on a combination of existing tools, evaluations of tool improvements, and Federal guidelines. We will use integrated system and network

monitoring tools, whenever possible. Where there are gaps in the automated tool set, we will

recommend suitable replacements drawing upon our resources from our IS-COE and from

similar support projects. We will analyze monitoring goals and track them against objectives and

report them to SoF on a regular basis. Monitoring metrics will be analyzed for thoroughness,

compliance, and for system performance impacts.

Every security appliance, business-critical system, noncritical server, and endpoint in the SoF organization generates extensive logs daily. Our personnel will continuously monitor these raw logs, analyzing and correlating them to filter out false positives and identify the real security events of concern. The ISSP Expertise Center provides dedicated, skilled resources around the clock to review and interpret all the logs and alerts, in all the different formats generated in the SoF infrastructure.

Our personnel will administer the servers hosting security software, which are primarily Windows servers. While the current security suite provides alerting, SIEM, and vulnerability identification, additional information is supplied by users and others who identify anomalous activity.

Our ISSP Expertise Center provides a security staff with experience using these tools and most

other commercial tools. As the overall Security Knowledge Management database improves over

time, our senior personnel will provide well-timed recommendations to refine event correlation

rules as needed within the SIEM. Each of the administrators is trained on the appropriate tools

and receives a skill check before they conduct administrative activities. The team will work with network management staff to ensure that alerts from sensors arrive at consoles in a timely manner.

The ISSP Expertise Center will achieve CSI through optimization, greater stability, improved

performance, and enhanced capabilities. We facilitate the achievement of these goals by

proactively identifying monitoring service requirements along with performance gaps, trends,

and opportunities for enhancement. We will work with SoF to prepare project requirements and

prioritize these improvement initiatives to develop actionable plans with realistic delivery

milestones and associated performance metrics.

Our ISSP Expertise Center staff will host and maintain the management servers for HIPS that collect information from the environment and consolidate the server input in a preconfigured and automated manner. This data, along with the vulnerability management service, will be combined, analyzed, and reported by the ISSP Expertise Center, outlining the health and wellness of SoF networks and clearly showing that a risk to one SoF element is a risk to all SoF elements.

Over the last seven years, the ASG Team has worked with many Federal and DoD organizations

across a wide-range of different mission applications. During this time, we have learned a great

deal about what organizations need from network monitoring and recording solutions to ensure

their networks remain secure, reliable, and compliant by collecting the right data with the correct

tools and filtering. We will apply these lessons-learned to the SoF enterprise.

Our security personnel assigned to the ISSP Expertise Center will provide a full breadth of

monitoring services to help SoF comply with regulations and standards. We will also accomplish

this by monitoring various US-CERT threat portals and other credible sources for cyber threat

information and continuously monitoring availability, network management systems,

configuration changes, logs, and network traffic for the entire SoF enterprise. By maintaining

this valuable information in a collected, organized way, we can provide the best monitoring

support to SoF for informed decision making, and share that information with ISSP elements to

strengthen awareness of threats to local, national, and global operations.

The ASG ISSP Expertise Center realizes the importance of total security management and of staying ahead of threats, both internal and external. Armed with this knowledge, our personnel will

conduct penetration and wireless access testing in accordance with well-defined rules of

engagement (ROE) coordinated with the ISSPM. The ISSP Expertise Center has vast experience

in coordinating with internal as well as external entities to ensure hardened security posture

assurance.

Our Proven Capabilities.

The ASG Team ISSP Expertise Center’s monitoring expertise is vast. Our team also has

extensive knowledge and experience both internally and externally to SoF on automated tools

and reporting capabilities from HIPS and NIPS, to analyzing sensor data feeds, discovery

through scanning for vulnerabilities across ports and protocols, managing those vulnerabilities,

and coordinating the gaps that may exist between them. Identifying brown-out activity from

within SoF and receiving both automated and manual data feeds from across SoF elements

allows the ISSP team to better understand and provide additional CSI to the ISSP and help to

minimize overall risk to the mission that occurs across the shared SoF environment.

4.1.1.1.4 Analysis Support

Our Understanding.

Network analysis support is heavily dependent on two primary factors: the technical expertise of

the network support team and a disciplined, yet expedient, approach for root cause analysis and fix determinations. We must be able to filter and triage appropriately to determine scope,

urgency, and potential operational impact by identifying the specific vulnerability and making

recommendations, escalating as appropriate, and eliminating false positives. Figure 4 in the

previous section also indicates the need for analysis and correlation of all inputs with

comparisons to emerging patterns, suspicious ports, and protocols, as well as our internally

developed Knowledge Management (KM) database.

All the tools and logs are meaningless without a well-developed security team with standardized processes to work through the large volume of event data collected, triggered, and logged during an average day at SoF. Using our KM database and SOPs, the ASG Team ISSP Expertise Center’s approach and proven capabilities will allow us to sift through this large amount of data.

Our security experts are aware of the SoF investment in a variety of technologies, such as

network firewalls, IPS/IDS, VPNs, network management, routers, and switches to detect events.

Every security appliance, business-critical system, noncritical server, and endpoint in the SoF

organization generates extensive logs daily. The ASG Team ISSP Expertise Center will apply automated scripts to help filter out false positives, and to surface events that would otherwise be missed (false negatives), in order to identify real security events of concern and accelerate the overall process. We will provide dedicated, skilled

resources around the clock to review and interpret all the logs and alerts in all the different

formats generated in the SoF infrastructure and distill them into a single format.

The ISSP Expertise Center will validate security or privacy events as incidents and assign

severity levels. We will provide incident handling support (i.e., intrusion correlation tracking,

threat analysis) to on-site personnel.

Our Approach.

To support SoF with the most rapid analysis and response available, the ISSP Expertise Center

will examine the current processes and tools to determine which actions may speed analysis and

response time and which tools could serve secondary purposes for incident response.

Specifically, we will look at interdepartmental communications, alert escalation, and

identification and configuration tools. Any recommendations to expedite triage, data capture, or

other activities will ensure that current regulations and policies for data capture remain

compliant.

Through coordination and collaboration between the NSOC and SoF elements, the ISSP

Expertise Center will identify, characterize, and provide the operational context for technical

vulnerabilities that may impact SoF. We will also prepare detailed and summary reports and

briefs on a routine or ad hoc basis. To further bolster this program, the ISSP Expertise Center will develop an automated, hierarchical mechanism or portal for disseminating vulnerability information and reporting system compliance. This system will allow each SoF element to

submit and track individual compliance status information, provide asset information, request

waivers, and make corrections. The system will enable the NSOC to instantly capture the

vulnerability status of SoF. The system will provide a means of Risk Scoring, the ability to score

each security risk based on a number of factors, thereby quantifying the Information Assurance

(IA) risk posed by not patching the vulnerability such that each SoF element may prioritize its

mitigation measures. The ISSP Expertise Center will use this tool to streamline the process of

assessing vulnerabilities.
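As an added illustration (ours, not the proposal's, and not a scheme the ISSP tool defines), the Python below sketches a risk-scoring function of the kind the paragraph describes: each finding's CVSS base score is adjusted by factors an element would weigh when deciding what to patch first (public exploit availability, Internet exposure, asset criticality, time since the patch was released, and approved waivers), and the findings are ranked. The factors, weights, band edges, 30-day window and sample findings are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One unpatched vulnerability on one asset, as the scanner and asset feeds report it."""
    host: str
    vuln_id: str            # scanner's identifier for the weakness (placeholder values below)
    cvss_base: float        # 0.0-10.0, from the scanner feed
    exploit_public: bool    # a working public exploit is known
    internet_facing: bool   # the asset is reachable from the Internet
    asset_criticality: int  # 1 (low) .. 5 (mission critical), from the asset inventory
    days_open: int          # days since the vendor released the patch
    waiver: bool = False    # an approved waiver is on file for this finding


# Assumed weights for illustration; a real program would calibrate these against policy.
EXPLOIT_FACTOR = 1.5
EXPOSURE_FACTOR = 1.3
OVERDUE_DAYS = 30
OVERDUE_FACTOR = 1.2


def risk_score(f: Finding) -> float:
    """Return a 0-100 score: CVSS scaled to 0-100, then amplified by exploitability,
    exposure, asset criticality and age. Waivered findings stay in the report but score 0."""
    if f.waiver:
        return 0.0
    score = f.cvss_base * 10.0
    if f.exploit_public:
        score *= EXPLOIT_FACTOR
    if f.internet_facing:
        score *= EXPOSURE_FACTOR
    score *= 0.6 + 0.1 * f.asset_criticality  # criticality 1..5 maps to 0.7..1.1
    if f.days_open > OVERDUE_DAYS:
        score *= OVERDUE_FACTOR
    return min(round(score, 1), 100.0)


def severity(score: float) -> str:
    """Map a score to the reporting band (band edges are assumptions)."""
    if score >= 80:
        return "Critical"
    if score >= 60:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


def prioritise(findings):
    """Order findings for remediation, highest risk first; waivered items sink to the bottom."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings (hosts, identifiers and values are made up for the example).
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-A", 9.8, True, True, 5, 45),
    Finding("file-03", "VULN-B", 7.5, False, False, 2, 10),
    Finding("dev-07", "VULN-C", 9.8, True, False, 1, 90, waiver=True),
    Finding("app-12", "VULN-D", 5.3, True, False, 3, 60),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        s = risk_score(f)
        print(f"{f.host:8} {f.vuln_id:8} score={s:5.1f} {severity(s)}")
```

Note that the medium-CVSS finding on app-12 outranks the higher-CVSS finding on file-03 once exploit availability and age are weighed, which is the point of scoring rather than sorting by CVSS alone; the waivered item is still listed so that waivers remain visible in reporting.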

Our ISSP Expertise Center will employ the methodical approach shown in Figure 4 to analyze

event data. Our primary concern is the elimination of false positives to avoid unnecessary

outages. We will ensure that all alert thresholds are optimally configured to avoid false positives, using trend analyses to assist in determining the most effective values. As events occur that

achieve the threshold of incident potential, both the NSOC and the IR Teams are engaged to

determine the appropriate classification, threat level, and disposition that may include US-CERT

notification as shown in the diagram below. At the very least, the process shown depicts the

well-disciplined, documented, and repeatable process that will provide the complete analysis and

capture of the data necessary to record and remediate the event and disposition.
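The paragraph above says thresholds will be tuned from trend analysis rather than fixed once. As an added example (ours, not code from the proposal or the SoF toolset), the Python below derives a per-sensor alert threshold from a baseline of recent daily counts, drops a baseline day that was itself an incident before recomputing, and backtests a candidate multiplier k against the same history to estimate how many baseline days would have alerted. The constructed counts, the 14-day window, the k values, the minimum history and the floor are assumptions for illustration.

```python
import statistics

# Constructed baseline (not real SoF data): failed-logon events per day reported by
# one sensor over the previous 14 days.
BASELINE_14D = [120, 135, 110, 128, 140, 115, 125, 130, 118, 122, 138, 127, 119, 131]

MIN_HISTORY = 7  # assumed minimum number of days before a derived threshold is trusted


def _mean_sd(values):
    return statistics.mean(values), (statistics.stdev(values) if len(values) > 1 else 0.0)


def derive_threshold(history, k=3.0, floor=50.0, min_history=MIN_HISTORY):
    """Alert threshold = mean + k * standard deviation of the baseline, never below `floor`.

    Baseline days that themselves exceed a first-pass threshold are dropped and the
    statistics recomputed once, so that a past incident in the history does not raise
    the bar for detecting the next one.
    """
    if len(history) < min_history:
        raise ValueError(f"need at least {min_history} days of history, got {len(history)}")
    mean, sd = _mean_sd(history)
    trimmed = [v for v in history if v <= mean + k * sd]
    if min_history <= len(trimmed) < len(history):
        mean, sd = _mean_sd(trimmed)
    return max(float(floor), mean + k * sd)


def is_anomalous(history, today, **kwargs):
    """True when today's count exceeds the threshold derived from the history."""
    return today > derive_threshold(history, **kwargs)


def backtest(history, k):
    """Leave-one-out check: how many baseline days would have alerted at this k?
    A rough false-positive estimate used to pick k before the threshold goes live."""
    hits = 0
    for i, value in enumerate(history):
        others = history[:i] + history[i + 1:]
        if value > derive_threshold(others, k=k):
            hits += 1
    return hits


if __name__ == "__main__":
    for k in (1.0, 2.0, 3.0):
        print(f"k={k}: threshold={derive_threshold(BASELINE_14D, k=k):.1f}, "
              f"baseline days that would have alerted={backtest(BASELINE_14D, k)}")
    spiked = BASELINE_14D + [900]  # a past incident day left in the history
    print(f"with a 900-event day in the baseline, threshold={derive_threshold(spiked):.1f}")
```

The floor matters on quiet sensors, where a near-zero baseline would otherwise make a handful of events an alert; the backtest is the trend analysis in miniature, since a k that would have fired on several ordinary baseline days is a k that will flood the queue with false positives.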

Our ISSP Expertise Center will employ ITILv3-based principles to ensure accurate and timely

problem resolution. This includes a triage technique to establish scope, urgency, and impact of

each event or alert. If users are down, we focus all of our energies on getting the users back

online quickly. We will then escalate the event to problem management to engineer solutions

that will prevent that same problem from reoccurring. Part of the triage effort includes using best

professional judgment in determining whether the problem can be fixed with ISSP resources in a

timely manner or if it is necessary to engage third-level support or other groups to aid in the

resolution as indicated. The ASG team has certified ITILv3 experts who can provide guidance

and oversight to on-site staff at SoF.

Whether the problem is being handled in the ISSP or with the engagement of outside groups,

SOPs will specify at which point in time incidents must be escalated based on the progress of

resolution, time elapsed, and severity level. Initial and recurring status notification to users and

management will also be specified based on the severity level: criticality of the user’s mission

function and time elapsed. See Figure 5 below.

The ASG Team treats all security-related incidents in a special manner. Maintaining compliance

with all security standards, as well as NIST 800-61, NIST 800-90, US-CERT, and OMB

standards, is very important to support the number one priority: mitigating the impact of a

security incident. Our team will give security-related events all the attention and resources they

require in order to remedy them swiftly but correctly. Our analysis team is driven by one

overarching goal – maintain the integrity of the baseline across the enterprise, including security.

We will manage our analysis team resources accordingly. The ASG Team will also look for

opportunities to improve information and data flow, and we will make recommendations to SoF

in this regard.

Our security SMEs will develop an integrated security program that will coordinate with and

provide expert technical support to SoF technicians. Our personnel will analyze event data

received from network security tools to address SoF’s security concerns and compliance

requirements. We also recognize that being compliant does not necessarily mean that the

environment is also secure. We have proven processes to deal with millions of security events

across multiple network security applications. Performing incident triage to determine scope,

urgency, and potential operational impact by identifying the specific vulnerability and making

recommendations, which enables rapid remediation at the enterprise level, is a significant part of

the ASG Team’s ISSP Expertise Center core competencies.

Our team will also perform security event correlation, categorization, and prioritization and

prepare post analysis reports that provide added value to the service provided to SoF and ensure

they meet or exceed their legal, compliance, and certification standards. We will also perform

event categorization involving analysis of incoming data flow from security devices and data

searches for indications of anomalous events.

Our Proven Capabilities.

Our Expertise Center provides highly capable analysts, and we will leverage our proven analyst

techniques from other programs to enhance SoF’s analysis support. For example, in support of the USGCB, we provide expert network, server, data and desktop computer security support

services including planning and analysis, audits, remote monitoring and intrusion detection,

vulnerability scans, and application systems certification and accreditation.

The ISSP Expertise Center has worked with several SIEM systems and tools, including

ArcSight, eSecurity, and TrustWave (Intellitactics). Our team has the experience correlating

security events and analyzing logs and alerts across virtually any security technology and critical

information asset, 24x7, to identify anomalies and respond to threats in real time. Deeply-skilled

security experts will work with the NSOC, field operations, and other SoF components to

analyze security incidents and assist with remediating outbreaks within the enterprise and

expeditiously respond to security events to determine the root cause and consult on the

mitigation to any malicious activity. Our team will be able to provide the expertise in behavioral

analytics, which will greatly improve security incident correlation within the SIEM tool. By

utilizing the known behaviors of various security threats, SIEM correlation rules can be

customized to not react strictly based on vendor signatures, which are known to over report,

thereby reducing unnecessary response activities.
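As an added example, not code from the proposal or from any SIEM it names, the Python below shows the correlation approach described here and in the incident-handling paragraph at the start of this section: pattern matching on raw lines, simple logic over the parsed events, and a behavioural rule that requires corroborating activity before a vendor signature alone raises more than a low-severity incident. The log lines, the two line formats, the five-failure threshold and the ten-minute window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample feed (not real SoF data): SSH authentication log lines and IPS
# signature alerts, already normalised to a one-event-per-line text format.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:04Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:08Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:12Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:15Z auth sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:45Z auth sshd: Accepted password for admin from 203.0.113.7
2024-03-01T10:01:02Z ips alert sid=2001 msg="port scan" src=198.51.100.9 dst=10.0.0.5
2024-03-01T10:05:00Z auth sshd: Failed password for root from 198.51.100.9
2024-03-01T10:07:30Z ips alert sid=2002 msg="generic http probe" src=192.0.2.44 dst=10.0.0.8
"""

# Pattern matching: one regex per feed format (the IPS line stands in for a decoded alert).
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$")
IPS_RE = re.compile(
    r'^(?P<ts>\S+) ips alert sid=(?P<sid>\d+) msg="(?P<msg>[^"]*)" src=(?P<src>\S+) dst=(?P<dst>\S+)$')


class Incident(NamedTuple):
    src: str
    severity: str  # High / Medium / Low
    summary: str


SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse(text):
    """Normalise raw lines into event dicts; lines matching no known format are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            kind = "auth_fail" if m["result"] == "Failed" else "auth_ok"
            events.append({"ts": _ts(m["ts"]), "src": m["src"], "kind": kind, "user": m["user"]})
            continue
        m = IPS_RE.match(line)
        if m:
            events.append({"ts": _ts(m["ts"]), "src": m["src"], "kind": "ips_sig", "msg": m["msg"]})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Group events by source and apply behavioural rules; thresholds are assumptions."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["kind"] == "auth_fail"]
        oks = [e for e in evs if e["kind"] == "auth_ok"]
        sigs = [e for e in evs if e["kind"] == "ips_sig"]
        burst = len(fails) >= fail_threshold and fails[-1]["ts"] - fails[0]["ts"] <= window
        success_after = bool(fails) and any(
            fails[-1]["ts"] < ok["ts"] <= fails[-1]["ts"] + window for ok in oks)
        if burst and success_after:
            incidents.append(Incident(src, "High", f"{len(fails)} failed logons then a success (credential compromise likely)"))
        elif burst:
            incidents.append(Incident(src, "Medium", f"{len(fails)} failed logons within {window} (brute force, no success seen)"))
        elif sigs and fails:
            incidents.append(Incident(src, "Medium", f"IPS signature '{sigs[0]['msg']}' followed by a logon attempt"))
        elif sigs:
            incidents.append(Incident(src, "Low", f"IPS signature '{sigs[0]['msg']}' only; no corroborating behaviour"))
    return sorted(incidents, key=lambda i: SEVERITY_RANK[i.severity])


if __name__ == "__main__":
    for inc in correlate(parse(SAMPLE_LOGS)):
        print(f"{inc.severity:6} {inc.src:14} {inc.summary}")
```

The IPS alert for 192.0.2.44 is exactly the over-reporting case the paragraph warns about: on its own it is recorded at low severity, while the same kind of alert from 198.51.100.9 is raised to medium only because the source went on to attempt a logon.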


Figure 5. NSOC Incident Process Flow Ensures Thorough Analysis of Potential Threats

For this effort, we will provide comprehensive network security analysis reports to SoF NSOC

managers, the SoF COR, and the SoF PM. Our team previously supported a variety of key

technical security platforms including antivirus, public key infrastructures (PKIs), HIPS, NIPS, virtual private networks (VPNs), and other security-related devices. The ASG Team’s Expertise

Center will apply these skills and also be able to provide recommendations for system policy and

auditing modifications to enhance the capability of existing or future HIPS deployments to

ensure potential threat risks are seen by the SoF’s security tools or SIEM.

4.1.1.1.5 Reporting Support

Our ISSP Expertise Center solution features CSI. We know from experience that this is only

possible by accurate documentation and the reporting of the findings in that documentation. All

event correlation, problem analysis, and trend analysis must be correctly recorded, reported, and

clearly communicated. The Reporting Support phase is also the process of establishing policies,

processes, procedures, and agreements covering the management and response to security

incidents as well as IR tactics, techniques, and procedures.

The tracking process involves learning about a potential security incident and reporting it to

generate a Remedy incident ticket. This phase also involves the reporting of potential incidents

to the NSOC, who will immediately refer the incident to the IR Team.

Our Approach.

Our ISSP Expertise Center ensures effective reporting by:

1. Developing robust scripts/queries to generate automated reports with reliable data that

can be used for analysis

2. Ensuring that timely notifications are generated and distributed to all stakeholders for

events that users need to know about, especially security-related events, system performance

issues, and planned maintenance windows

3. Producing incident response guidance

4. Tracking the progress of incident response activity and providing updates to SoF

management

5. Creating and maintaining the body of documentation that describes the NSOC Incident

Response Tactics, Techniques, Signature Management and Procedures (TTPs)

The use of common terminology, timeframes, and reports will facilitate communication,

reporting, and improved incident management. Our ISSP Expertise Center will develop many

types of reports across large data sets that will include identifying active nodes within the SoF’s

enterprise.

We will provide enterprise /SoF reporting to Departmental stakeholders including host, network,

and server-based scan information that includes scan and patch certification, deployment,

verification data, and vendor patch release information.

We will provide security-related FISMA reporting including but not limited to security incident

information as well as fiscal year totals for trackability purposes.

Incident Reporting Timeframe Criteria will include the target of one-hour reporting upon

discovery/detection of an incident. Our team has experience developing many types of security

reports using Crystal Reports, ActiveReports, and Microsoft (MS) reporting service to name a

few. This reporting will also include the comparison of inputs from a variety of sources to

determine trending for weakness and vulnerability to provide the SoF with proactive

recommendations for remediation or avoidance strategies.

We will collect this information in a timely manner, obtain approvals as necessary, and post it to SharePoint, dashboard, or intranet Web-enabled portals as we advance the ISSP’s capabilities. Starting with the transition, we will begin to assemble a comprehensive list of

all available tools and standard or customized reports that are available from the SoF security

platform management applications, sensors, and HIPS/NIPS reports. We will analyze and categorize the reports in order to understand the overall security coverage for specific platforms

and the most efficient and secure methods for distributing the sensitive data. Our staff will ensure

protective actions are performed on systems to safeguard data and resources for SoF systems.

Our Proven Capabilities.

The ISSP Expertise Center’s appreciation for the importance of effective reporting is

demonstrated by our success on programs similar to the SoF’s. For example, the ASG Team

(ASG) is a member of the VA NSOC executive steering committee and has developed many of

VA OIT’s policies and procedures, including those for service desk management, Local Area

Network (LAN)/Wide Area Network (WAN) operations, incident management, outage

coordination and incident reporting, problem management, in full implementation of ITILv3.


Requirement

Pre-Incident Services:

Incident Response Agreements – Terms and conditions in place ahead

of time to allow for quicker response in the event of a cyber-security

incident.

Assessments – Evaluate a State Agency’s current state of information

security and cyber-security incident response capability.

Preparation – Provide guidance on requirements and best practices.

Developing Cyber-Security Incident Response Plans – Develop or assist

in development of written State Agency plans for incident response in

the event of a cyber-security incident.

Training – Provide training for State Agency staff from basic user

awareness to technical education.

Post-Incident Services:


Breach Services Toll-free Hotline – Provide a scalable, resilient call

center for incident response information to State Agencies.

Investigation/Clean-up – Conduct rapid evaluation of incidents, lead

investigations and provide remediation services to restore State Agency

operations to pre-incident levels.

Incident response – Provide guidance or technical staff to assist State

Agencies in response to an incident.

Mitigation Plans – Assist State Agency staff in development of

mitigation plans based on investigation and incident response. Assist

State Agency staff with incident mitigation activities.

Identity Monitoring, Protection, and Restoration – Provide identity

monitoring, protection, and restoration services to any individuals

potentially affected by a cyber-security incident.


Response

ASG has a flexible SLA agreement that can be shaped to cover all customer

needs.

The ASG Team has completed over 1,000 security control assessments at other Federal agencies alone. ASG Team members have developed or helped to update many IT directives and will be able to apply this experience to the Department of Management Services Division. The Security Assessment

boundary for the enterprise will be comprised of multiple components. Using

this experience, the ISSP Expertise Center will perform product testing

utilizing multiple assessment methods and tools and certification test plans.

System documentation will be gathered and reviewed to obtain an accurate

representation of the information system security controls, policies, and

procedures that pertain to each system review. In conjunction with

documentation review, we will conduct interviews with System Owners and

System Development Leads (SDLs) to assess NIST SP 800-53 security controls.

This security assessment will be conducted in part based on IT Security

Directives.

The IR Analysis Management Team will clearly establish and enforce all

policies and procedures. Our NSOC ISSP Expertise Center staff will actively

review all vulnerability information and data feeds, conduct trend or gap

analysis on those feeds, and then prioritize the identified threats and

vulnerabilities. To more effectively manage security incidents, we also plan

on utilizing the ISSP’s existing change management procedures to ensure

security devices, such as firewalls and authentication systems, are properly

configured. Additionally, our security personnel will develop and maintain

policies and procedures by thoroughly testing to ensure that they are

practical and clearly provide the appropriate level of security. The ASG Team

will work with staff to gain support for security policies and incident handling

and respond to events immediately.

The ASG Team understands that Security Awareness training is a Federally mandated and essential component of the Information Assurance objectives.

It is critical that all employees understand the potential threats and risks in

their day-to-day operations. The ASG Team is currently filling this role at DoD

and Federal Agencies, where we are confirming business requirements,

identifying business process, reviewing potential integration gaps, developing

draft policies, SOPs, guidelines, developing standard security awareness and

training templates and tools, developing reporting tools, security awareness

remainders, templates for schedule tracking, and developing lessons-learned

documentation.


ASG can provide a scalable call center. We can use ASG's current capability or set up a new one.

Incident response is a key component of an enterprise business continuity and resilience program. The increasing number and diversity of information security threats can disrupt enterprise business activities and damage enterprise information assets. A sound risk management program can help reduce the number of incidents, but there are some incidents that can neither be anticipated nor avoided. Therefore, the enterprise needs to have an incident response capability to detect incidents quickly, contain them, mitigate impact, and restore and reconstitute services in a trusted manner.

The ASG Team will monitor systems and procedures. If/when an information security event occurs, ASG personnel will support the Computer Incident Response Team (CIRT) in its mitigation efforts and in the determination of an appropriate level of security commensurate with the impact level of the event, and will develop and implement processes and procedures for reporting, tracking, and resolving computer security incidents.

The ASG Security Analysts and Engineers will assist the Senior IA Official with developing and instituting a Component-level Cyber Security Inspection Program (CSIP). The CSIP will reflect the current process instituted by the Defense Information Systems Agency Field Security Operations and US Cyber Command. Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. Risk management embodies a continuous process of identification, assessment, and monitoring of risk in accordance with organizational management policy and key industry practices. The RMF combined with the Security Development Life Cycle (SDLC) provides a structured, yet flexible approach for managing the portion of risk resulting from the incorporation of information systems into the mission and business processes of the organization. The risk management concepts are intentionally broad-based, with the specific details of assessing risk and employing appropriate risk mitigation strategies provided by the supporting NIST security standards and guidelines.