SIEM
▪ Procure, provide, set up, support, tune, update, maintain, and fully manage a cloud-based Security Information & Event Management (SIEM) solution. The SIEM solution shall include, without limitation:
  o A cloud-based, fully outsourced SIEM solution including rule writing, report generation, alert generation, and incident workflow.
  o A properly sized SIEM solution to support 90 days of “hot” log data and 275 additional days of “cold” storage.
  o The ability for customer export of log data for additional cold storage requirements.
  o Centralized authentication (e.g., SAML) with multi-factor support; event collection, parsing, storage, and retention.
  o Correlation rule development, maintenance, and tuning.
  o Threat intelligence feed integration, ingestion, parsing, and policy configuration.
  o Investigation of alerts, configuration of incident workflows, notifications, and solution orchestration.
  o Reporting and metrics development.
  o The ability to install software on customer endpoints.
  o Real-time monitoring and maintenance of system health and performance.
  o The ability to ingest log data from nearly any security or Information Technology data source.
  o User and Entity Behavior Analytics (UEBA) to identify, triage, and alert on privileged account abuse, privilege escalation, data exfiltration, anomalous behavior, and credential compromise.
  o Analytics using AI (artificial intelligence) and/or ML (machine learning) to identify and triage events based on regression, classification, forecasting, clustering, and anomaly detection.
SIEM Setup and Operations:
  o Full platform management of the cloud-based SIEM solution.
  o Integration of all applicable Windows- and syslog-based data sources.
  o Ensuring ingestion of the appropriate security events.
  o Integration of any applicable API.
  o Installation, setup, tuning, and operation.
  o Security architecture workshop, initial and periodic.
SIEM Tuning and Baselining:
  o Set up basic, pre-packaged SIEM alerts for the environment.
  o Set up custom alerts applicable to the environment.
  o Adjust rules and thresholds as applicable to the environment.
SOC
▪ Provide, manage, support, and operate a 24x7x365, US-based Security Operations Center (SOC) to fully monitor and manage the SIEM solution.
Security response and Brunswick County staff augmentation:
  o Serve as an extension of Brunswick County Information Technology to provide threat analysis and triage; collection and analysis of data on security events and cyber-attacks; review of threat vectors; evaluation of internal and external security breaches; determination of the scope of threats; recommendation of remediation tactics; remediation of cyber threats; proactive threat hunting; and intrusion and alarm analysis. Severe events will be escalated to Brunswick County Information Technology.
  o Provide a timely response to all security events and threats.