Network Security Audit and SEIM Deployment and Management Renewal
EXECUTIVE SUMMARY
AGENDA ITEM:
Request Approval of Contract Renewal with Softwink, Inc. DBA Quadrant Information Security
(Quadrant) for the Network Security Audit & Security Event and Incident Monitoring (SEIM)
Deployment and Management Solution, RFP# 11/12-A2
Date: February 10, 2022
BACKGROUND:
Quadrant provides a vital service in the IT Department's multi-layered computing security
strategy. Quadrant has deployed sensors at CCUA's primary office and at wastewater treatment
plants to provide real-time threat detection, analysis and notification, and risk transference.
The Network Security Audit & SIEM Deployment and Management Solution with Quadrant
requires renewal for calendar year January 1, 2022-December 31, 2022. The terms of this contract
allow for the renewal of additional terms, contingent upon mutual agreement of both parties.
Quadrant expressed their desire to renew the contract.
BUDGET IMPACT:
Staff budgeted for the annual amount of $46,000.00. Quadrant did not request an increase in
pricing for their services.
RECOMMENDATION:
Staff respectfully requests the Board of Supervisors approve the contract renewal with Quadrant
Information Security for the Network Security Audit & SEIM Deployment and Management
Solution, RFP# 11/12-A2 to be extended for an additional one-year term.
ATTACHMENTS:
Softwink, Inc., DBA Quadrant Information Security Renewal
//AW,DS(Author)
//AW,DS,AB (Review)
//JW(Final)
Managed Security Services
(SAGAN)
Proposal
to
Clay County Utility Authority
Prepared by:
Quadrant Information Security
QUADRANT
2
Table of Contents
About Quadrant 3
The Sagan Ecosystem - Overview 4
The Process 4
Monitoring, Investigation, Escalation and Remediation 4
Stage 1: Monitoring 4
Stage 2: Investigation and Analysis 5
Stage 3: Escalation 5
Stage 4: Customer Threat Remediation 5
Continuous Tuning — Maximizing Security, Removing Noise 6
The Technology 7
Threat Intelligence 8
Incident Response 11
Customer Reporting 12
Customer Communications 14
Implementation 15
Service Level Agreements 18
Scope 19
Billing & Payment Breakdown 19
Service Dates 19
Assumptions 20
Authority to Proceed 20
About Quadrant
Founded in 2011, Quadrant Information Security is a consulting firm committed to
supporting organizations in all vertical markets by protecting their sensitive data.
Quadrant prides itself on helping its customers maintain a secure environment by
specializing in Managed Security Services and Enterprise Security Consulting.
Our unique offerings and consultative approach, coupled with a strong past
performance and highly skilled security professionals make Quadrant an easy choice in
the security consulting arena.
HQ Address:
4651 Salisbury Road
Suite 185
Jacksonville, Florida
Company Leadership:
Ian Bush
Champ Clark
Bruce Wink
Kathrin Ritter
THIS STATEMENT OF WORK ("SOW") is entered as of December 29, 2021, by and
between Clay County Utility Authority ("Client / CCUA") and Softwink Inc. d/b/a
Quadrant Information Security ("Provider" or "Quadrant") for the supply of Sagan
Managed Services. The parties hereto acknowledge that they are entering into this
SOW pursuant to the provisions of the Master Services Agreement, between CCUA and
Quadrant (the "Agreement"). The parties acknowledge and agree that the provisions of
the Agreement shall apply to this SOW as though such provisions were set forth herein
in their entirety. If there are any conflicts between the terms of this SOW and the
Agreement, the terms of the Agreement shall control.
The Sagan Ecosystem - Overview
Our Sagan Solution is more than SIEM. It has evolved into an ecosystem that serves as
an all-inclusive security solution. At Quadrant, we serve as the eyes and ears for our
clients. Our solution provides the power and security of 24/7/365 monitoring, notification
and remediation assistance by true security professionals, supported by ever evolving
threat detection technologies and techniques.
Attacks take place around the clock. Many of these threats are not always identified
through log analysis or packet inspection alone. Along with these technologies,
Quadrant further utilizes Honeypots, human analysis (SOC) and our Malware
Detonation Platform, all of which populate our proprietary BlueDot threat intelligence
database and are shared across our global client base.
Adversaries are always on the move. Their tools and techniques are constantly
changing and it is our job to continually enhance our solution and develop technologies
that allow us to identify, validate and report threats for our clients.
The Process
Monitoring, Investigation, Escalation and Remediation
Through a four stage process, security threats are identified, investigated and escalated
to the customer by Quadrant (stages 1-3) and subsequently neutralized via remediation
steps performed by the customer (stage 4). The methodology is comprised of the
following:
Stage 1: Monitoring
Quadrant Sensors monitor both network traffic at the packet level and system logs via
thousands of rules which trigger alerts when suspicious activity is detected. The total
transactions screened for a similarly sized organization will typically be in the range of
tens of billions per quarter.
Stage 2: Investigation and Analysis
When suspicious activity is detected, the Sagan Security Information and Event
Management (SIEM) system forwards an alert to the Quadrant Security Operations
Center (SOC). Each alert is immediately triaged and potentially critical items are
investigated by SOC analysts.
Security Analysts categorize events using a group of prioritized classifications as seen
in Table 1 below. Priority 1 events are critical events. Priorities 2 and 3 are not
considered critical on their own, but may be flagged for monitoring of related suspicious
activities in the customer network.
Stage 3: Escalation
When a threat is deemed authentic and of significance, the client's InfoSec leadership
will be notified of the threat and provided all relevant information available in order that
appropriate remediation steps can be taken.
Stage 4: Customer Threat Remediation
Once notified by Quadrant of a security threat, the customer's security team will perform
the necessary steps to eliminate the identified threat. In most cases, the initial
escalation will be added to the customer's internal service ticketing system for
subsequent reporting and auditing of threats and subsequent steps taken for resolution.
Table 1 Quadrant Analyst Event Classifications
Analyst Classification Priority
Active Attack 1
Botnet Traffic 1
DoS Attempt 1
Exploit Kit 1
Phishing Attempt 1
Rogue AP 1
Security Audit 1
SQL Injection Attempt 1
Trojan Horse/Malware 1
Virus/Worm 1
Account Lockout 2
Brute Force Attack 2
NMap/Portscan/Probes 2
P2P Traffic 2
Remote File Inclusion 2
Spam 2
Spyware/Adware 2
Suspicious Traffic 2
Attempted Recon 3
Authentication Failure 3
False Positive 3
Firewalled/Dropped/Denied 3
Invalid Login 3
Maintenance 3
Normal Traffic 3
Not Applicable 3
Policy Violation 3
System Error 3
System Event 3
[Figure 1: Quadrant Threat Detection and Customer Remediation Process. Network traffic and system logs flow through Monitoring, Investigation/Analysis and Escalation (Quadrant phases) to Remediation (customer stage).]
Continuous Tuning — Maximizing Security, Removing Noise
The Quadrant process includes continuous tuning of the detection systems in order to
ensure the highest level of threat detection while ensuring the smallest number of false
positives, or `noise' that is forwarded back to the customer's network security team. As
Figure 2 below shows, the ratio between total transactions compared to escalated events
can often be as great, or greater than 1 Billion to 1.
[Figure 2: Tuning funnel. All Traffic: 1,000,000,000 (1 Billion) transactions system screened; System Flagged: 10,000 after tuning filters applied; Investigated: 1,000 analyst investigations; Escalated: client notified.]
The Technology
The objective of this engagement is to deploy, monitor, and manage Quadrant's SIEM
solution (Sagan) and provide 24/7/365 alerting on all log traffic deemed malicious by the
Quadrant Security Operations team. This deployment will provide Client IT staff with
around-the-clock monitoring of the internal environment and external Points-of-Presence,
allowing internal team members to concentrate their efforts on other IT
related priorities. Client is seeking an Information Security Firm that can provide
24/7/365 eyes-on-target, as well as assessment services, and report on unusual
network activity and compromise attempts.
Quadrant plans on satisfying all customer requirements by deploying the following:
Sagan - Security Event Analyzer Application (SIEM +)
Sagan is a multi-threaded, real-time Security Event Management and Analyzer
Application that uses Snort-like rules to detect malicious traffic on your network and/or
enterprise data assets. Upon start-up, our product contains over 8000 internally
developed attack signatures that are used to detect and validate malicious activity and
critical events throughout your infrastructure (e.g., hardware failures, etc.).
The Sagan Console is Quadrant's world-class security dashboard and event analysis
portal. Each client has access to their own portal via the web, thus making it available
from anywhere. The Console serves a number of important functions.
There is the dashboard for the quick overview of the system operational status and
security threat activity. Events, network packets and logs can be searched through the
Console, and security event origins are displayed on an `Attack Map', giving clients a
glimpse at the type of threat actors that may be targeting their networks. Finally, the
Sagan Console provides custom, Executive-level reporting capabilities through
aggregated event data.
[Screenshot: Sagan Console dashboard showing the BlueDot summary, Latest Log Activity, and Event Count vs Time by Sensor panels.]
Threat Intelligence - BlueDot
Lists of "bad" IP addresses and domain names are of little value to organizations that take
information security seriously. IP blacklists or blocklists often lack the context required
for decisive action, lack the relevance required by decision makers, are too ambiguous to
be reasonably actionable, and are provided with little to no regard for timeliness.
Quadrant Information Security is aware of the shortcomings of reputation lists. BlueDot,
Quadrant Information Security's threat intelligence system, is an effort to combat
these reputational deficiencies and establish a new paradigm of threat detection technology.
Powered by Sagan, BlueDot is a comprehensive system that analyzes a variety of system
and network artifacts in real time in order to identify emerging threats to our customers.
BlueDot aggregates and processes information from honeypots, malware research, and
incidents vetted by Quadrant Information Security's skilled team of security analysts to
find relationships between attack data. Information from BlueDot feeds Sagan's real-time
detection capabilities, where analysts can use historical threat data to correlate attacks
between adversaries and industries. New threats observed may provide new threat
indicators, and identification of known threat indicators leads to the collection of additional
ones. BlueDot strives for "quality over quantity" to ensure that decision makers in your
organization are performing their duties with the most accurate intelligence available.
[Figure: BlueDot threat-intelligence sources and indicator types. Sources: Malware Research, Sentinel/External Feeds, Honeypots, SOC Alert Data, APT Deflector. Indicators: campaigns, vulnerabilities exploited (CVE), filenames, filepaths, file hashes, registry keys, malware behavior, malware samples, metadata, IP addresses, domain names, URLs, APT/threat actor names, industries targeted, geolocation, attack payloads, Tor discovery, full packet capture, emerging attack vectors, trend analyses, signatures.]
Packet Inspection Engine (IDS / Full Packet Capture / Metadata)
During the installation process, our team of security professionals will set up a machine
that acts as an alarm system for your network. This machine (referred to as our
Quadrant Sensor), analyzes the traffic coming into the network point-of-presence for
any nefarious data and compromise attempts.
Quadrant uses a system that can be tailored 100% to your company's needs. Its
specialized language allows us to select alerts appropriate to your network, as well as
add and remove alerts as your policies change and new attacks are discovered.
Our sensor detects intrusions by first parsing network traffic in order to extract its
application-level semantics. It then executes event-oriented analyzers that compare the
activity with patterns deemed nefarious. Its analysis includes detection of specific
attacks including those defined by signatures, as well as those defined in terms of
events and unusual activities (certain hosts connecting to certain services, or patterns of
failed connection attempts).
Malware Detonation / File Extraction
As part of the Sagan platform, Quadrant has developed an exciting new component
called Malware Detonation. This new platform allows Quadrant sensors to extract files
traversing your network and safely execute them (detonation) in a secure network off
premises in the Quadrant "cloud". Rather than relying on signature technology, malware
is detected by its behavior in the virtual environment.
This technology is used to detect malware where other tools, like antivirus, fail. Rather
than depending on signatures and static analysis, the malware is detected by its
behavior within a secure virtual environment. This type of service is useful in detecting
advanced threats and undocumented attacks. For example, this type of service is useful
in attacks prior to indicators being distributed like in the early stages of the "WannaCry"
outbreak.
Clients are given access to all the analysis data that is generated in the Quadrant
Malware Analysis platform. This includes screenshots, network traffic recordings, static
analysis, behavior data, registry keys create/modified/destroyed, event logs and more.
Domain Tracking
Phishing and domain squatting attacks often rely on the end user for detection and
reporting of potential threats and incidents. Quadrant has developed a proactive
utility, Domain Tracker, which reduces the potential for human error, automates
enrichment of data related to suspicious domains, and disseminates additional potential
indicators of attack throughout the Sagan ecosystem. Domain Tracker takes the initiative
away from potential attackers by anticipating potential attack vectors before they can be
used.
Domain Tracker ingests domain names registered to an
organization. Each domain name ingested is processed by an algorithm which
generates domain names similar to the original, but varied by character additions,
omissions, substitutions, and other methods. Registration details are requested for
each domain name generated, and domains which return registration information are
stored for additional analyses. Contact details, IPv4 addresses, and geo-location for
each domain name are stored in a database. Findings appear in the Sagan console as
soon as a new domain registration or DNS change is observed. The Sagan ecosystem
provides signatures tailored for each client's log analysis engine as suspicious domains
are detected, and alerting of communications to or from suspicious domains may
produce an alert within minutes of the domain being registered.
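The generate-then-lookup loop described above, as an added example that is not Domain Tracker's own code: the substitution tables, the in-memory registry standing in for WHOIS/RDAP and DNS answers, and the simplified Snort-like signature syntax are all assumptions made for this example.

```python
"""Added example (not Quadrant's code): a miniature Domain Tracker.

It builds look-alike variants of an organisation's domain the way the proposal
describes (character additions, omissions, substitutions, plus transpositions and
TLD swaps), asks a registration lookup about each one, stores the hits and
reports new registrations or changed records on later scans.  The lookup is a
constructed in-memory stand-in so the example runs offline; a real deployment
would query WHOIS/RDAP and DNS.
"""
from __future__ import annotations

import string
from dataclasses import dataclass, field
from typing import Callable, Optional

# Keyboard-neighbour substitutions and visually confusable characters
# (assumed tables; a subset is enough to show the idea).
ADJACENT = {"a": "qsz", "c": "xv", "u": "yi", "e": "wr", "o": "ip", "i": "uo", "n": "bm"}
HOMOGLYPHS = {"o": ("0",), "l": ("1",), "i": ("1",), "m": ("rn",), "w": ("vv",)}
COMMON_TLDS = ("com", "net", "org", "co", "us")


def generate_variants(domain: str) -> set[str]:
    """Return look-alike domain names for `domain` (e.g. 'ccua.org')."""
    label, _, tld = domain.lower().rpartition(".")
    labels: set[str] = set()
    for i in range(len(label)):                       # omission: drop one char
        labels.add(label[:i] + label[i + 1:])
        labels.add(label[:i] + label[i] + label[i:])  # repetition: double one char
    for i in range(len(label) + 1):                   # addition: insert one letter
        for ch in string.ascii_lowercase:
            labels.add(label[:i] + ch + label[i:])
    for i, ch in enumerate(label):                    # substitution: neighbours/homoglyphs
        for sub in (*ADJACENT.get(ch, ""), *HOMOGLYPHS.get(ch, ())):
            labels.add(label[:i] + sub + label[i + 1:])
    for i in range(len(label) - 1):                   # transposition: swap adjacent chars
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    labels.discard(label)
    variants = {f"{v}.{tld}" for v in labels if v}
    variants.update(f"{label}.{t}" for t in COMMON_TLDS if t != tld)  # TLD swap
    return variants


@dataclass(frozen=True)
class Registration:
    registrant: str
    ipv4: str
    country: str


# Constructed stand-in for WHOIS/RDAP and DNS answers: only these names "exist".
FAKE_REGISTRY: dict[str, Registration] = {
    "ccua.org": Registration("Clay County Utility Authority", "203.0.113.10", "US"),
    "ccau.org": Registration("REDACTED FOR PRIVACY", "198.51.100.7", "RU"),
    "ccua.com": Registration("Domain Parking Ltd", "192.0.2.44", "PA"),
}


@dataclass
class DomainTracker:
    lookup: Callable[[str], Optional[Registration]]
    known: dict[str, Registration] = field(default_factory=dict)

    def scan(self, org_domain: str) -> list[tuple[str, Registration, str]]:
        """Return (domain, record, reason) for look-alikes that are newly
        registered or whose registration/DNS data changed since the last scan."""
        findings = []
        for candidate in sorted(generate_variants(org_domain)):
            record = self.lookup(candidate)
            if record is None:
                continue                      # unregistered: nothing to track yet
            previous = self.known.get(candidate)
            if previous is None:
                findings.append((candidate, record, "new registration"))
            elif previous != record:
                findings.append((candidate, record, "registration/DNS change"))
            self.known[candidate] = record
        return findings

    def log_signatures(self) -> list[str]:
        """Snort-like rules (assumed simplified syntax) that flag log lines
        mentioning a tracked look-alike domain, for the client's log engine."""
        return [
            f'alert syslog any any -> any any (msg:"Domain Tracker: traffic to '
            f'look-alike domain {d}"; content:"{d}"; classtype:phishing-attempt;)'
            for d in sorted(self.known)
        ]


def demo() -> tuple[list, list, list[str]]:
    """Run two scans; before the second, ccau.org moves to a new IP address."""
    registry = dict(FAKE_REGISTRY)
    tracker = DomainTracker(lookup=registry.get)
    first = tracker.scan("ccua.org")
    registry["ccau.org"] = Registration("REDACTED FOR PRIVACY", "198.51.100.99", "RU")
    second = tracker.scan("ccua.org")
    return first, second, tracker.log_signatures()


if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```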
24/7/365 Managed Services
Our Security Operation Center (SOC) handlers assess each alert to determine the
nature and significance of the attack. In the case of a serious event, the system
automatically alerts our SOC, 24 hours a day 7 days a week. If we determine that your
Enterprise could be compromised, we will either block the source address of the
offending traffic or notify your management personnel.
All alerts that come into our SOC are stored in a database at our site and the traffic
between your company and ours is securely encrypted. There are many other
companies that perform Managed Intrusion Detection services but they do not encrypt
the traffic. Instead, they send their alerts in clear text using utilities such as "syslog".
This method is counter-productive to your network security since a "hacker" can watch
that traffic and gain information that may help them break into your network.
Quadrant's IDS trend information is gathered every 5 minutes from multiple field
sensors. This information is used to show general attacks detected on the Internet and
allows our SOC handlers to trend attacks across multiple Enterprises.
Incident Response
When an incident has occurred, Quadrant supports its Client through the life-cycle of
the incident by providing around-the-clock Incident Response (IR) support. In
conjunction with the 24/7/365 Security Operations Center (SOC), a Quadrant IR Lead
engages with the Client to ensure that all necessary analyses are completed and that all
data and information deemed related to the event are provided to the Client in a time-
efficient and quality-assured manner.
Examples of the functions Quadrant provides in relation to IR are:
• IR support dedicated to the Client around-the-clock for the duration of the
incident
• Real time monitoring for Indicators of Compromise (IOCs)
• In-depth research into possible IOCs
• Comprehensive and customized data searches into the events surrounding the
incident in order to identify IOCs
• On-the-fly creation of rules to detect future and/or ongoing occurrences of IOCs
• Thorough search through the Client's network for other occurrences of IOCs
• Event validation and team notification of live activity during the incident
• Custom reporting and recommendations based on the incident
• Implementation of permanent rules and monitoring tools once the incident is over
Quadrant understands that most organizations do business with MSSPs as a way to
gain additional security support, yet still allow the organization to focus on the day-to-
day functions for which it is responsible. The Quadrant team prides itself on being able
to extend its capabilities outside of the legacy Managed Security Services model, which
in its traditional sense, is only about identifying malicious activity and notifying the client
without additional follow-through on security incidents.
Identification, Validation, Reporting and Incident Response are the 4 components that
make up the Quadrant MSSP model. It is Quadrant's job to assist with Root Cause
analysis and ultimately help the Client with incident containment and ensure continued
business operations.
Quadrant MSSP Model: Identify, Validate, Report, Incident Response / Root Cause, Remediate
Customer Reporting
Upon execution of this contract, Quadrant will provide the customer with access to the
Sagan portal. This portal provides the customer with real-time security event activity and
information regarding how each security event is being handled in our Security
Operation Center.
Striving to provide its customers with as much understanding of their security
environment as possible, Quadrant has developed a number of reports, each providing
a targeted level of detail to point to a pathway to action. There are both executive-level
and technical-level reports.
Executive Summary:
[Screenshot of the Executive Summary report.]
Among others, Quadrant provides both 24 Hour Recap Reports and Weekly Syslog
Reports for its customer's network and security teams. The 24 Hour Recap Report
provides a listing of all alerts that occurred during the prior day.
24 Hour Recap:
[Screenshot: 24 Hour Alert Recap report (Quadrant/Sagan/MSSP) for sample sensor Acme-Sagan-Windows, Wed Nov 16 2016. Page 1 shows two charts, "Sensor Events, 24 Hours" and "Percent Change, Sensor Events, 24 Hours vs. Previous 10 Day Average", with the following explanatory text:]
This report represents security events that have occurred on your sensor(s) for the 24 hour period of 2016-11-16, UTC. Two charts to the right provide an overview of the activities per sensor. The first of these shows the total high, medium and low priority events for the 24 hour period. The second chart shows the difference between the number of events over the previous day and the average events of the prior 10 days, thus illustrating the change in activity. Sensor-level details are listed in tables on the following pages. These provide the breakdown of event signatures per sensor.
[Page 2, Sensor Details:] Each of the Quadrant sensors in your environment is listed below with the names and counts for each event signature. Each event signature has a color coded bullet point next to it, indicating priority: red=high, orange=medium and yellow=low.
[The sample table lists Windows authentication and miscellaneous signatures with date and event counts, e.g. [WINDOWS-AUTH] DC clock skew too great, User account locked, Potential Windows User Enumeration - User Name Does Not Exist [Brute Force], Windows DC Logon Failure - Brute force - Pre-authentication information was invalid, User account disabled, Windows Brute force - User Correct but Incorrect Password, [WINDOWS-MISC] Installation of service via SCM, Application hang, System time has changed.]
Customer Communications
Our Security Operation Center handlers assess each Packet Inspection Engine / Sagan
alert to determine the nature and significance of the attack. When a security event takes
place, the system automatically alerts our SOC, 24 hours a day 7 days a week. In the
event of a high-risk alert where we determine that the Enterprise could be
compromised, our handlers either block the source address of the offending traffic or
notify your management personnel.
All entries are prioritized into one of three categories as outlined below:
o High (Priority 1): Security Event could cause significant impact to business
operations if executed.
o Medium (Priority 2): Security Event severely restricts the use of an
application, system or piece of equipment affecting significant business
functions.
o Low (Priority 3): Security Event could impact a single user or Client users
where the restriction is not critical to the overall operation of the Company.
Each event category is associated with a timeframe which represents the length of time
in which the customer must be notified after the security event has taken place.
o High (Priority 1): Within 15 minutes
o Medium (Priority 2): Within 30 minutes
o Low (Priority 3): Within 60 minutes
During initial IDS / Sagan deployment projects, Quadrant will work with the customer to
determine how and when event categories are reported.
Customers may choose to be notified via email and/or phone, as a Contact Tree will be
completed during deployment and regularly updated throughout the life of the contract.
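The triage chain the proposal describes (Snort-like Sagan rules firing on log lines, the Table 1 analyst classifications and priorities, and the 15/30/60 minute notification windows above), as an added example that is not Quadrant's or Sagan's code; the reduced rule grammar, the classtype-to-classification mapping, the rules and the log lines are all assumptions constructed for this example.

```python
"""Added example (not Quadrant's or Sagan's own code): a toy Snort-like log
rule engine that walks the proposal's triage chain end to end.  Rules carry
`content` (and optionally `pcre`) tests and a classtype; a matched classtype is
mapped to the Table 1 analyst classification and its priority; the priority then
fixes the notification deadline from the Customer Communications section.
The rule grammar is a deliberately reduced Snort/Sagan-like format assumed for
this example, and the rules and log lines below are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Table 1 (subset): analyst classification -> priority.
CLASSIFICATION_PRIORITY = {
    "Active Attack": 1, "SQL Injection Attempt": 1, "Trojan Horse/Malware": 1,
    "Brute Force Attack": 2, "NMap/Portscan/Probes": 2, "Account Lockout": 2,
    "Authentication Failure": 3, "Firewalled/Dropped/Denied": 3, "Normal Traffic": 3,
}
# Customer Communications: priority -> maximum time to customer notification.
NOTIFY_WITHIN = {1: timedelta(minutes=15), 2: timedelta(minutes=30), 3: timedelta(minutes=60)}
# Assumed mapping from a rule's classtype keyword to the Table 1 wording.
CLASSTYPE_TO_CLASSIFICATION = {
    "sql-injection": "SQL Injection Attempt",
    "auth-failure": "Authentication Failure",
    "account-lockout": "Account Lockout",
}

RULE_RE = re.compile(r"^alert\s+syslog\s+[^(]*\((?P<opts>.*)\)\s*$")
OPT_RE = re.compile(r'(\w+):\s*"?([^";]*)"?\s*;')


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    contents: tuple[str, ...]   # every content string must appear (case-insensitive)
    pcre: Optional[str]         # optional regular expression applied to the raw line
    classtype: str

    def matches(self, line: str) -> bool:
        lowered = line.lower()
        if not all(c.lower() in lowered for c in self.contents):
            return False
        return self.pcre is None or re.search(self.pcre, line) is not None


def parse_rule(text: str) -> Rule:
    """Parse one rule line in the reduced grammar into a Rule."""
    m = RULE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a rule: {text!r}")
    opts = OPT_RE.findall(m.group("opts"))
    contents = tuple(v for k, v in opts if k == "content")
    single = {k: v for k, v in opts if k != "content"}
    return Rule(sid=int(single["sid"]), msg=single["msg"], contents=contents,
                pcre=single.get("pcre"), classtype=single["classtype"])


@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    classification: str
    priority: int
    seen_at: datetime
    notify_by: datetime   # latest time the customer must have been notified


def triage(rules: list[Rule], log: list[tuple[datetime, str]]) -> list[Alert]:
    """Run every rule over every log line; unmatched lines are the 'noise'
    that never leaves the system, matched lines become prioritised alerts."""
    alerts = []
    for seen_at, line in log:
        for rule in rules:
            if rule.matches(line):
                classification = CLASSTYPE_TO_CLASSIFICATION[rule.classtype]
                priority = CLASSIFICATION_PRIORITY[classification]
                alerts.append(Alert(rule.sid, rule.msg, classification, priority,
                                    seen_at, seen_at + NOTIFY_WITHIN[priority]))
    return alerts


def notified_on_time(alert: Alert, notified_at: datetime) -> bool:
    """SLA check: was the customer notified within the window for its priority?"""
    return notified_at <= alert.notify_by


# Constructed rules (sids in the local 1,000,000+ range) and syslog lines.
RULES = [parse_rule(r) for r in (
    'alert syslog any any -> any any (msg:"Web SQL injection probe"; content:"GET /"; '
    'pcre:"(?i)union\\s+select|\' or 1=1"; classtype:sql-injection; sid:1000001;)',
    'alert syslog any any -> any any (msg:"Windows logon failure"; content:"4625"; '
    'content:"An account failed to log on"; classtype:auth-failure; sid:1000002;)',
    'alert syslog any any -> any any (msg:"Windows account locked out"; content:"4740"; '
    'classtype:account-lockout; sid:1000003;)',
)]
LOG = [
    (datetime(2022, 2, 10, 9, 0), 'Feb 10 09:00:00 www nginx: 203.0.113.5 '
     '"GET /search.php?q=1 UNION SELECT user,pass FROM users HTTP/1.1" 200'),
    (datetime(2022, 2, 10, 9, 5), 'Feb 10 09:05:00 DC01 Security-Auditing: 4625: '
     'An account failed to log on. Account Name: jsmith'),
    (datetime(2022, 2, 10, 9, 6), 'Feb 10 09:06:00 DC01 Security-Auditing: 4740: '
     'A user account was locked out. Account Name: jsmith'),
    (datetime(2022, 2, 10, 9, 7), 'Feb 10 09:07:00 fw01 kernel: DROP IN=eth0 '
     'SRC=198.51.100.9 DST=203.0.113.10 DPT=23'),   # matches no rule: stays noise
]


def run_demo() -> list[Alert]:
    return triage(RULES, LOG)


if __name__ == "__main__":
    for a in run_demo():
        print(f"sid={a.sid} P{a.priority} {a.classification}: notify by {a.notify_by:%H:%M}")
```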
Implementation
Overview
Once the decision has been made to implement the Sagan solution, whether as a
Proof-of-Concept (POC) or full implementation, there are a number of considerations
and subsequent actions that will be required to commence with the SIEM and IDS
service. Primary consideration will be the number and placement of sensors for both
network packet analysis (IDS) and log analysis.
In order to ensure a smooth implementation and minimize client resources, Quadrant
provides a Client Liaison/Project Manager to coordinate the efforts of the client's team
and the Quadrant Implementation Team. Much of the hardware setup and installation
will be completed by the Quadrant Implementation team, though some actions, such as
directing log traffic to Sagan, will need to be completed by the client's information
systems/network team.
Determining Number, Type and Placement of Sensors
Number of Sensors
The number of sensors required is determined primarily by the physical nature of the
client's infrastructure. For example, if there are three physical locations with
Internet points of presence that are determined to need IDS sensors, then three physical
IDS sensors will be needed, one at each location. There will also be at least one
log analysis and storage sensor/appliance, though, if the traffic volume allows, that
sensor may also function as one of the IDS sensors. The number of sensors is usually
determined by Quadrant through review of a supplied scoping document and discussion
with the client network team.
Type of Sensors
The type and specifications of the sensors are determined by the volume of traffic each
machine is expected to analyze and, in the case of log storage, the volume of log data
expected for a fifty-three week period. The number of ports required for each
sensor is the number of IDS input ports required plus one port for use as a Quadrant
management port. Finally, the type of connection (copper or fiber-optic cabling, etc.)
and the expected bandwidth need to be provided to Quadrant. It is important to note
that ownership and responsibility for maintenance of the sensors remain with Quadrant,
freeing the client from dedicating additional resources to the sensor hardware.
Placement of Sensors
Through the discussions with the client network team, scoping document and additional
network documentation, the best placement of the sensors will be determined. Typically,
the IDS sensors will be placed physically close to core infrastructure. Where applicable,
the IDS sensors are usually placed behind the firewall in order to cut down on alerts
triggered by detections that would ultimately be stopped by the firewall.
Preparation of Sensors
When the sensor hardware has been received by Quadrant, the implementation team
will have the sensor operating system(s) and all required software loaded. They will
then have the machines configured for the specific client sites. Towards this purpose,
the Quadrant team will request the IP addresses that each sensor will have, as they will
be needed for remote access for maintenance, etc. The client will not be required to
load any software or configure the sensors.
Directing Log Traffic to Sagan for Analysis
Quadrant's log analysis and storage process requires that logs for all relevant assets
are forwarded to the Sagan log sensor. This typically includes servers, firewalls,
switches as well as other network devices. The Sagan appliance is designed to analyze
and store logs in Syslog format.
Syslog
For almost all non-Windows devices, logs can be directed to the Sagan device in Syslog
format, without any additional software. The client network team will need to configure
each of these devices to forward logs to the Sagan device. Once complete, the
Quadrant team will be able to provide confirmation that logs are, in fact, being received
from each device.
Windows Agent
Windows devices do not have a native option for sending logs in syslog format.
Fortunately, Quadrant provides a custom Syslog agent that is delivered in an install
package (MSI) that does not require restart. Though most Windows devices are 64bit, it
is important that the client inform Quadrant of the existence of any 32bit devices, as this
will require a separate installer package. As with non-Windows devices, the Quadrant
team will verify that logs are being received from each of the Windows devices.
Additional Network and Systems Considerations
Network Traffic Analysis
In order to ensure that Quadrant sensors will not disrupt network traffic, even in the
event of failure, Quadrant sensors are not placed 'in-line', but rather, receive traffic
mirrored via span. Network impacts are addressed during the implementation kick-off
meeting, prior to span configuration.
Log Analysis and Storage
Windows Agent Install
As stated before, there is a need to have an agent installed on each Windows device in
order for those devices to forward logs to the Sagan log sensor. Quadrant continually
tests to ensure that there are no server issues with the addition of the agents.
Log Traffic/Network Load
Finally, it should be noted that the transmission of logs to any central log repository will
increase the network load by the volume of log data to be stored. This is not typically,
however, a significant burden over the existing traffic load.
Implementation Action Items at a Glance
The table below provides an at-a-glance view of the steps and responsible parties for a
typical Sagan implementation:
Implementation Action | Responsible Parties | Phase
Scoping Document Completed and Delivered | Client | 1
Meeting to Determine Sensor Placement and Configuration | Set up by Quadrant Client Liaison/PM | 1
- Schedule Meeting | | 1
- Meet | Client and Quadrant Implementation Team | 1
- Provide IPs for Sensors | Client | 1
- Provide Cabling and Rack Specs for each Sensor (Copper/Fiber?) | Client | 1
- All 64bit Windows Servers (if Applicable)? | Client | 1
- Determine Install Dates | Client and Quadrant Implementation Team | 1
Procure Hardware | Quadrant Implementation Team | 1
Configure Sensors | Quadrant Implementation Team | 2-3
Build and Deliver Windows Agent MSI (if Applicable) | Quadrant Implementation Team | 2-3
Install Hardware | Client and Quadrant Implementation Team | 2-3
Configure IDS Spans | Client |
Load Windows Agent on Windows Devices | Client | 2-3
Direct Syslog to Sagan Sensor for Non-Windows Devices | Client | 2-3
Service Level Agreements
The following Service Level Agreements (SLAs) shall apply to the services provided
hereunder, subject to the terms, conditions and limitations contained in this document.
The SLAs set forth herein are subject to the following terms, conditions and limitations:
i. The SLAs shall not apply during scheduled maintenance outages and therefore are
not eligible for any Agreement credit.
ii. The SLAs shall not apply in the event of any Client-caused service outage that
prohibits or otherwise limits Quadrant from providing the service, delivering the service
level Agreement or managed service descriptions, including but not limited to,
misconduct, negligence, inaccurate or incomplete information, modifications made to
the services, or modifications made to any managed hardware or software devices by
the Client. This includes issues caused by Client's employees, agents, or third parties.
iii. The SLAs shall not apply to the extent Client does not fulfill and comply with its
obligations and interdependencies.
• Help Desk Requests: Standard requests submitted via email or via telephone will
be subject to "initial response" (either through the SOC help desk ticketing
system, email, telephonically or otherwise) within one (1) hour from the time
stamp on communication. An initial response to requests classified as
"Emergency" will be sent within fifteen (15) minutes from the time stamp.
Scope
The scope of these services is limited to the assets below residing within the CCUA
environment:
• Corporate — Sagan / IDS
• SCADA — Sagan / IDS (new)
• SCADA — IDS
• 1 Annual External Penetration Test
Billing & Payment Breakdown
Cost for the managed security services outlined in this proposal are offered at an annual
fixed fee of $46,000.00 for the year of service below.
Service Dates
Year 1: January 1, 2022 — December 31, 2022
Assumptions
• The Provider shall be under no liability whatsoever to the Client for any direct /
indirect loss and/or expense (including loss of profit) suffered by the Client, as a
result of any Sagan / IDS appliance being tampered with or manipulated by
Client staff.
• The Provider shall be under no liability whatsoever to the Client for any direct /
indirect loss and/or expense (including loss of profit) suffered by the Client arising
out of a breach by any 3rd party or unauthorized external user.
• The Provider shall be under no liability whatsoever to the Client for any direct /
indirect loss and/or expense (including loss of profit) suffered by the Client arising
out of a breach by the Provider or by any 3rd party or unauthorized external user
during or after the testing process.
• Both parties shall maintain this contract as confidential. No information about
this contract, contract terms, or contract fees shall be released by either party.
Information about the Client's business or computer systems or security situation
that the Provider obtains during the course of its work will not be released to any
third party without prior written approval.
• The Provider is ultimately responsible for the replacement of all Sagan / IDS
appliances (and associated costs) that fall within the scope of this Managed
Services engagement unless hardware is procured by the Client. Provider will
preconfigure new hardware and ship to Client location. In the event travel is
required, Provider would assume all costs.
• The Provider is not responsible for any system performance issues or network
availability issues that are a result of Client initiated changes to network
resources or network design / layout. Client is responsible for notifying Provider
48 hours prior to any network/infrastructure notification.
• The Client is responsible for all charges incurred within the AWS
environment(s).
Authority to Proceed
Quadrant appreciates the opportunity to provide your organization with this proposal for
Managed Security services. By executing below, CCUA is permitting Quadrant
Information Security to engage in the services outlined in this proposal.
Accepted by (CCUA):
Name:
Title:
Date:
Accepted by (Quadrant):
Name: Ian Bush
Title: President
Date: 12/29/21