The client's SOC has the primary task of monitoring the organization's IT landscape around the clock and initiating appropriate measures in case of security incidents.
The previous contractor's services focused on Endpoint Detection and Response (EDR), analysis and incident response, vulnerability management, and Security Information and Event Management (SIEM). Consequently, the present tender primarily covers the replacement of these components and services. While some tasks will in future be performed by the client's SOC itself, internal staffing is a limiting factor, so some tasks, including ongoing monitoring of the environment, will have to be carried out with the support of an external partner.
The future environment should be based on the current internal log data platform Splunk, which will be expanded into a SIEM. This platform should be supplemented by a Managed Detection and Response (MDR) solution, which operates using its own Data Lake and transmits alerts to the internal SIEM. Ongoing monitoring should be based on the MDR service, while the client's employees will primarily deal with the internal SIEM and thus also cover internal and organization-specific use cases.
The systems will be supplemented with various services to operate the SIEM platform, as well as with cyber analysis services and support in the event of incidents. The future platform must also support operation in vulnerability management with suitable tools.
The procurement will be divided into four lots.
LOT-0001
MDR Service / XDR License and Vulnerability Management.
Lot 1 aims to ensure the basic cybersecurity of the client. For this purpose, an XDR solution is to be procured, backed by a suitable MDR service seven days a week, around the clock (24x7). The MDR service should be provided on the basis of the XDR's own Data Lake. Data retention should last for at least 6 months, and an option to extend this period to 2 years should be offered.
The client's systems should also be scanned automatically for vulnerabilities, both on internal networks and from external sources. A vulnerability management solution must therefore be offered, either integrated into the XDR or provided as a standalone solution, that conducts scans with as much automation as possible and can prioritize vulnerabilities.
Both XDR and vulnerability scanning must be able to interface with the log data management tool Splunk.
LOT-0002
Support and Operation of the Log Data Platform.
For the operation of the log data platform, primarily consisting of Splunk Enterprise and Cribl, and later Splunk Enterprise Security, a service partner is required to support the daily operation of the infrastructure. This partner should also assist the client in optimization, further development, and updates.
The operational aspect also includes a response time (see the specification for Lot 2). The SLA covers support on weekdays; 24-hour readiness is not required.
LOT-0003
Incident Response, Analysis, Consulting.
As described, the client is transitioning from a SOC outsourcing model with internal support to a largely internally operated SOC with supplementary services from external partners. In this context, the internally existing infrastructure is being expanded or rebuilt where necessary. The same applies to use cases and processes.
This lot seeks consulting and development services for this initiative as well as for future operations. Furthermore, the client desires support from the same partner during cyber security incidents. Specifically, the following services are sought:
LOT-0004
Licenses.
The existing platform should continue to be used and expanded, for which the Kapo Bern requires licenses for Splunk Enterprise, Splunk Enterprise Security, and Cribl.