G-Cloud Service Definition
Atos Information Security APT
Service (SourceFire) SCS
Information Security Advanced Persistent Threat (APT) Service (SourceFire) SCS
The Atos Advanced Persistent Threat Protection Service detects and protects against malware and attacks crafted to evade traditional security technologies such as firewalls, anti-virus and intrusion detection systems. It delivers protection both for networks with well-defined organisational boundaries and for those extended to cloud services and partner networks.
The service is delivered by trained, certified security specialists using Sourcefire network and endpoint technology, and provides enhanced visibility of, and protection against, cyber security threats across your network.
Network and Endpoint coverage
The SourceFire Advanced Malware Protection (AMP) product provides integrated coverage across network and endpoints, allowing the path of an attack to be traced from point of entry, through propagation, to post-infection remediation.
Malware tracking
Tracks malware across the network, providing detailed information about point of
entry, propagation, protocols used, and which users or endpoints are involved.
Indicators of compromise
Correlates even weak signals of potential security compromises detected on devices
spread all across the network, to identify APT activities that would otherwise be lost
in the noise of overall network activity.
Certified Security Professionals
The APT Service is delivered and supported by security specialists with CISSP, CISM,
CEH, Security+, SSCP and vendor specific accreditations.
Zero-day malware detection
Dynamic analysis on the network for zero-day malware detection.
Malware detection sandboxing
Sourcefire's cloud-based sandbox infrastructure analyses hundreds of thousands of malware samples. Customers benefit from access to the resulting expert analysis and from updates delivered within minutes of a sample being analysed.
What is it?
The Atos Advanced Persistent Threat Protection Service delivers a bespoke implementation of network and endpoint technology from SourceFire AMP, configured specifically for the customer's environment. The solution offers options for in-line network or out-of-band (monitor) network deployments.
Features of the service include:
Network technology
Network appliances can be installed in-line or placed out of band in monitoring
mode. When installed in-line the appliances are able to block malware and APT
threats as they traverse the network.
Endpoint technology
Endpoint protection is installed locally onto the customer's desktop and server systems. This allows application-level control, which can prevent malware executing non-approved code on the endpoint.
Installation, support and monitoring
Atos provides a service option for installation, deployment, analysis, support and
monitoring of the endpoint and network technologies.
Implementation of Network and Endpoint solutions provides maximum APT coverage.
However, the customer can opt for just endpoint or just network coverage.
What makes us unique?
The Atos APT Service combines UK-based, security-cleared resources with market-leading Advanced Malware Protection (AMP) tools from Cisco Sourcefire to give a cost-effective solution for monitoring and countering APT. Unlike some other providers, Atos's complementary security services can take the lessons learnt from a customer's APT deployment to recommend and support changes to the organisation's infrastructure, culture and processes for the long-term mitigation of APT.
The service can provide SourceFire products to order; however, the typical delivery will include an initial design and sizing activity leading to the delivery of:
- Appropriately sized network appliances
- Sufficient endpoint connectors to cover the estate at risk
- Deployment support to install and configure the network appliances and endpoints in the estate
- Traffic analysis to determine what, if any, APT activity is present.
The initial findings are presented in a report with recommendations for remediation. Successive APT mitigations are bespoke work packages as agreed with the organisation.
Any organisation with data or systems that are of interest to foreign agencies or cyber criminals can benefit from this service, in particular:
- High-profile organisations whose public reputations might be damaged by malicious attacks
- Organisations running critical infrastructure and systems where the consequences of system interruption would be significant.
Organisations at risk of APT can adopt an entry-level solution of a network appliance in monitor mode plus coverage of high-risk endpoints to ascertain the risk, and then scale to full deployment if APT incidents are discovered. Atos are pleased to discuss trial installations of network and endpoint solutions as proofs of concept.
Contents
1. Introduction
1.1 Service summary
1.2 How this product can be used
2. Service overview
2.1 Network APT
2.2 Endpoint APT
2.3 Service Roadmap
3. Information Assurance
4. Backup/restore and disaster recovery
5. On-boarding and off-boarding
6. Pricing
7. Service management
8. Service constraints
9. Service levels
10. Financial recompense
11. Training
12. Ordering and invoicing process
13. Termination terms
13.1 By consumers (i.e. consumption)
13.2 By the Supplier (removal of the G-Cloud Service)
14. Data restoration / service migration
15. Customer responsibilities
16. Technical requirements
17. Trial service
18. Glossary of Terms
1. Introduction
Atos provides a wide range of solutions that help customers address their growing IT security challenges.
The Atos Information Security APT (Advanced Persistent Threat) Service is one such solution. It is delivered by trained, certified security specialists using Cisco Sourcefire appliances and tooling to mitigate Advanced Persistent Threats to your IT infrastructure and data.
1.1 Service summary
Deployment of a suite of SourceFire Advanced Malware Protection (AMP) products
for countering APT risk. Professional services are available to support the trialling,
custom installation and operation of a counter APT solution.
1.2 How this product can be used
The organisation can procure SourceFire AMP products for:
- Network protection (in-line and monitoring)
- Endpoint protection of device nodes
and professional security services for:
- Proof of concept
- Installation and configuration of the SourceFire AMP products
- A service operation to maintain the products and monitor the infrastructure for APT events.
2. Service overview
The Atos Advanced Persistent Threat Protection Service is a bespoke deployment specific to the organisation's environment. The solution consists of both network and endpoint technology, with options for in-line or out-of-band (monitor) network deployments. Network and endpoint services together provide maximum coverage; however, the service is flexible should the organisation wish to opt for a network-only or endpoint-only service.
Appropriately sized network appliance(s) are deployed onto the organisation's network at strategic locations, typically at edge firewall choke points or at Internet break-out points. Network appliances can be deployed in-line, inspecting at wire speed the traffic traversing their in/out interfaces; in this mode they can block malware as it traverses the network. Alternatively, appliances can be placed out-of-band in promiscuous monitoring mode, fed from a mirror or SPAN port; in this mode they detect and alert but cannot block. A dedicated central manager is deployed to manage the network appliances.
Endpoint connectors are installed locally onto client desktop and server systems. This allows application-level control, which can prevent malware executing non-approved code on endpoints.
The support and monitoring service can be fully outsourced to the Atos Information Security Team, or can be operated by the organisation's existing support arrangement.
Initial engagement typically commences with APT design. Trial installations of endpoint and network solutions can be used to inform design decisions. Once the APT design has been completed and approved, Atos will work with the vendor and the organisation's support teams to implement the solution as a work package.
After the SourceFire AMP deployment has been completed, traffic analysis reports are generated detailing the initial findings from the technology. These results are investigated to determine whether detections indicate that a system compromise has occurred, whether malware is propagating within the estate, and whether there is communication with command and control servers. The report is then made available to all relevant stakeholders for the account so that the recommendations made within it can be remedied.
The service is delivered in modules to allow the service configuration to meet the customer's specific needs:
SourceFire Network AMP support and malware subscription: dedicated Network AMP appliance(s), purpose-built network security appliances featuring unique hardware acceleration technology.
SourceFire Endpoint AMP support and malware subscription: FireAMP Connectors (agents) installed on endpoints (PCs, laptops, mobiles etc.) provide the device-based visibility and control needed to stop cyber security threats.
SourceFire Central Management Appliance and support: central management console for all Sourcefire security solutions, featuring patented real-time awareness technology that provides full-stack visibility, event correlation and security automation to respond to changing conditions and new attacks. Not required if an existing Defense Center DC3500, DC1500 or DC750 is already deployed.
SourceFire Central Management Appliance malware subscription: subscription for the central management console, covering the Defense Center's connection to the Sourcefire intelligence cloud, e.g. for sandboxing and new threat intelligence.
Atos deployment support: certified security professionals at the agreed Atos SFIA rate.
Atos analysis and initial findings report: certified security professionals at the agreed Atos SFIA rate.
Atos ongoing event monitoring: certified security professionals at the agreed Atos SFIA rate.
Atos ad hoc professional services: certified security professionals at the agreed Atos SFIA rate.
Atos will discuss the appropriate mix of security professionals to deploy to meet the perceived APT risk. The specialists are drawn from a pool of security professionals with a mix of certifications, e.g. CISSP, CISM, CEH, Security+, SSCP and vendor-specific accreditations.
2.1 Network APT
Important characteristics of the SourceFire AMP solution for Network APT:
- Virtual options are also available
- Inspects all or selected protocols, including HTTP, SMTP, IMAP and POP3
- Inspects inbound, outbound and internal traffic, performing malware lookups on selected file types, including:
  - Office documents: MSOLE2, XLW, MSWORD_MACS, MDB, ACCDB, MNY, NEW_OFFICE
  - Archive files: JAR, JARPACK
  - Multimedia files: SWF
  - Executable files: MSEXE
  - PDF files: PDF
Benefits:
- Continuous detection of malware, immediately and retrospectively
- Dynamic analysis for zero-day malware detection
- Integration with FireAMP Endpoint (for local remediation and outbreak analysis)
- Capture and save suspicious files for later analysis
- Custom malware detection and integration with private intelligence feeds
- Correlation and prioritisation of events, to discover compromised devices on the network
- C&C (command and control) traffic detection and blocking
- Protection from exploit kits, drive-by malware downloads and other modern infection vectors
- In-line detection of sophisticated malware that evades traditional network protections
- Combines the world's most effective threat prevention to stop more than just malware
- Easy, integrated management of malware rules alongside security policy and access controls
- Lower cost of ownership compared to limited-purpose malware appliances
- Optional FireAMP protection and remediation solution to extend malware protection to end devices
- Integration with existing Security Information and Event Management (SIEM) deployments
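The file types listed above are the ones the appliance is configured to look up; the page does not say how the appliance recognises them. As an added example (not Sourcefire or Atos code), the following Python classifies a carved file by its content rather than by its claimed name, using the well-known magic values of the listed container formats, and tells a JAR apart from a NEW_OFFICE (OOXML) document by the entries inside the ZIP container. The mapping from magic value to type name, the `triage` function and its fields, and the sample files (built in memory) are this example's own assumptions.

```python
"""Added example (not Sourcefire/Atos code): content-based typing of carved
files before a hash lookup.  Sample inputs are constructed in memory."""
import hashlib
import io
import zipfile

# Magic values for the container types the page lists.  Type names follow the
# page's own labels; the mapping itself is this example's assumption.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls/.mdb containers
INSPECTED = {"MSOLE2", "NEW_OFFICE", "JAR", "MSEXE", "PDF", "SWF"}

def classify(data: bytes) -> str:
    """Return a type name derived from content, never from the claimed file name."""
    if data.startswith(OLE2_MAGIC):
        return "MSOLE2"
    if data.startswith(b"%PDF-"):
        return "PDF"
    if data.startswith(b"MZ"):
        return "MSEXE"
    if data[:3] in (b"FWS", b"CWS", b"ZWS"):       # plain / zlib / LZMA Flash
        return "SWF"
    if data.startswith(b"PK\x03\x04"):              # some kind of ZIP container
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return "UNKNOWN"
        if "META-INF/MANIFEST.MF" in names:
            return "JAR"
        if "[Content_Types].xml" in names:
            return "NEW_OFFICE"                      # OOXML: .docx/.xlsx/.pptx
        return "ZIP"                                 # generic archive, not on the page's list
    return "UNKNOWN"

def triage(name: str, data: bytes) -> dict:
    """Decide whether a carved file goes to lookup, and flag a lying extension."""
    ftype = classify(data)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = {"pdf": "PDF", "exe": "MSEXE", "jar": "JAR", "swf": "SWF",
               "doc": "MSOLE2", "xls": "MSOLE2",
               "docx": "NEW_OFFICE", "xlsx": "NEW_OFFICE"}.get(ext)
    return {
        "name": name,
        "type": ftype,
        "lookup": ftype in INSPECTED,
        "sha256": hashlib.sha256(data).hexdigest() if ftype in INSPECTED else None,
        "extension_mismatch": claimed is not None and claimed != ftype,
    }

def _zip(entries: dict) -> bytes:
    """Build a small ZIP in memory (helper for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry_name, content in entries.items():
            z.writestr(entry_name, content)
    return buf.getvalue()

# Constructed samples: a PE disguised as a PDF, an OOXML workbook, a JAR with
# a misleading extension, a real PDF header and an unrelated text file.
SAMPLES = {
    "report.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "quote.xlsx": _zip({"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"}),
    "update.bin": _zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "Main.class": b"\xca\xfe\xba\xbe"}),
    "invoice.pdf": b"%PDF-1.7\n%constructed\n",
    "notes.txt": b"plain text, nothing to look up\n",
}

def run() -> list:
    """Triage every constructed sample and return the decisions."""
    return [triage(n, d) for n, d in SAMPLES.items()]

if __name__ == "__main__":
    for r in run():
        print(r["name"], r["type"], "lookup" if r["lookup"] else "skip",
              "EXTENSION MISMATCH" if r["extension_mismatch"] else "")
```

The first sample is the point of the exercise: a PE carried as report.pdf would slip past an extension-based gate, but is typed as MSEXE, hashed and submitted for lookup here, and the extension mismatch is itself worth an alert.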
2.2 Endpoint APT
Important characteristics of the SourceFire AMP solution for Endpoint APT:
- No hardware required; web-based management only
- FireAMP connectors are available for the following platforms:
  - Windows XP SP2+
  - Windows Vista SP2+
  - Windows 7
  - Windows Server 2008
  - Windows 8
  - Mac OS X (available 2014)
  - FireAMP Mobile for Android (v2.2 or greater)
- Virtual options are available using the standard Windows connector
- Event integration with Defense Center (if the customer already has Sourcefire NGIPS/NGFW/AMP for FirePOWER appliances)
- Prerequisites: FireAMP subscription; Defense Center version 5.1 or later with FireSIGHT; Sourcefire intelligence cloud connection
- Connect frequency: continuous, for cloud intelligence lookups (fingerprints of frequently seen files are cached locally)
Benefits:
- Continuous detection of malware, immediately and retrospectively
- Complete visibility to track and analyse malware and advanced malware
- Analyse, respond and react to endpoint infections
- Robust control capabilities to stop the spread and communication of malware
- Protection extends across virtual systems and mobile devices
- Integration with Sourcefire Defense Center for central reporting and event analysis
- Integration with existing Security Information and Event Management (SIEM) deployments
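Several points in this definition (malware tracking from point of entry through propagation, "continuous detection, immediately and retrospectively" in both the network and endpoint sections, and locally cached fingerprints for cloud lookups) describe one mechanism: record every sighting of a file fingerprint, consult the reputation service once per fingerprint, and re-raise alerts when a verdict changes. The following Python is an added example of that mechanism, not Sourcefire's or Atos's implementation; the `IntelCloud` stand-in, the `Tracker` class and the endpoint telemetry are all constructed for illustration.

```python
"""Added example (not Sourcefire/Atos code): fingerprint lookups with a local
cache, file trajectory, and retrospective conviction.  All data is constructed."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Sighting:
    ts: int        # seconds since epoch (constructed)
    host: str      # endpoint that reported the file
    sha256: str    # fingerprint of the file content
    action: str    # what the endpoint saw: download, copy, exec

class IntelCloud:
    """Stand-in for the vendor reputation service: fingerprint -> disposition.
    It answers 'clean', 'malicious' or 'unknown' and counts queries so the
    effect of the local cache is visible."""
    def __init__(self, verdicts):
        self.verdicts = dict(verdicts)
        self.queries = 0
    def lookup(self, sha256):
        self.queries += 1
        return self.verdicts.get(sha256, "unknown")

class Tracker:
    def __init__(self, cloud):
        self.cloud = cloud
        self.cache = {}                        # sha256 -> last known disposition
        self.trajectory = defaultdict(list)    # sha256 -> every Sighting, in arrival order
        self.alerts = []                       # (kind, host, sha256)

    def observe(self, s):
        """Record a sighting; query the cloud only for fingerprints not yet cached."""
        self.trajectory[s.sha256].append(s)
        if s.sha256 not in self.cache:
            self.cache[s.sha256] = self.cloud.lookup(s.sha256)
        disposition = self.cache[s.sha256]
        if disposition == "malicious":
            self.alerts.append(("immediate", s.host, s.sha256))
        return disposition

    def refresh(self):
        """Re-check cached dispositions.  When a file previously seen as clean or
        unknown is now malicious, raise one retrospective alert per host that
        already handled it: this is what retrospective detection adds."""
        flipped = []
        for sha256, old in list(self.cache.items()):
            new = self.cloud.lookup(sha256)
            if new == old:
                continue
            self.cache[sha256] = new
            if new == "malicious":
                for host in self.path(sha256):
                    self.alerts.append(("retrospective", host, sha256))
                flipped.append(sha256)
        return flipped

    def path(self, sha256):
        """Hosts in the order they first saw the file: index 0 is the point of entry."""
        hosts = []
        for s in sorted(self.trajectory[sha256], key=lambda x: x.ts):
            if s.host not in hosts:
                hosts.append(s.host)
        return hosts

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def demo() -> dict:
    dropper = fingerprint(b"constructed sample: invoice.pdf.exe")
    known_bad = fingerprint(b"constructed sample: known bad payload")
    cloud = IntelCloud({dropper: "clean", known_bad: "malicious"})
    t = Tracker(cloud)
    events = [                                  # constructed endpoint telemetry
        Sighting(1000, "ws01", dropper, "download"),
        Sighting(1010, "ws01", dropper, "exec"),
        Sighting(1300, "fs01", dropper, "copy"),
        Sighting(1500, "ws07", dropper, "exec"),
        Sighting(1600, "ws07", known_bad, "download"),
    ]
    dispositions = [t.observe(e) for e in events]
    queries_after_observe = cloud.queries       # one per unique fingerprint; the rest hit the cache
    cloud.verdicts[dropper] = "malicious"       # the vendor sandbox convicts the file later
    flipped = t.refresh()
    return {
        "dispositions": dispositions,
        "cloud_queries": queries_after_observe,
        "flipped": flipped,
        "propagation": t.path(dropper),         # point of entry first
        "immediate_hosts": [h for k, h, _ in t.alerts if k == "immediate"],
        "retrospective_hosts": [h for k, h, _ in t.alerts if k == "retrospective"],
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the cloud queried twice for five sightings, the dropper's path ws01, fs01, ws07 with ws01 as the point of entry, and, after the verdict flips, a retrospective alert for each of the three hosts even though every one of them was told "clean" at the time it saw the file.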
2.3 Service Roadmap
The AMP products come from Cisco Sourcefire. The continual evolution of cyber security threats requires timely adoption of changes to protection and detection techniques. Atos works with the vendor and the customer to ensure that roadmap developments are communicated, so that systems can evolve as the threat landscape changes and the assurance provided by the service is maintained.
3. Information Assurance
The standard product is available at Impact Level 0 (IL0). The service can be run at higher Impact Levels, up to IL5, if required, subject to formal accreditation.
4. Backup/restore and disaster recovery
Backup/restore and disaster recovery will be configured to the organisation's specific needs and according to the specification of the products employed. Atos has extensive experience in providing these capabilities from IL0 to IL5, subject to formal accreditation.
5. On-boarding and off-boarding
On-boarding and off-boarding will depend upon the types of products employed and the service delivered. They will be discussed, documented and agreed prior to commencement of on-boarding.
6. Pricing
The service is priced according to the time and materials spent on mandatory modules and a selection of optional modules.
Sourcefire products and services
SourceFire Network AMP
Dedicated Network AMP 7150 appliance(s), for network speeds up to 500 Mbps:
- AMP7150 product, including first-year support and subscription: 26,000
- Support, per appliance per year: 5,700
- Subscription, per appliance per year: 5,200
Dedicated Network AMP 8150 appliance(s), for network speeds up to 2 Gbps:
- AMP8150 product, including first-year support and subscription: 57,000
- Support, per appliance per year: 9,400
- Subscription, per appliance per year: 11,400
Central Management (required)
- Defense Center 3500 (manages up to 150 appliances), including first-year support: 39,000
- Defense Center 3500 support, per DC3500 per year: 8,600
- Defense Center 1500 (manages up to 35 appliances): 23,500
- Defense Center 1500 support, per DC1500 per installation per year: 5,200
- Defense Center 750 (manages up to 10 appliances), including first-year support: 11,700
- Defense Center 750 support, per DC750 per year: 2,600
SourceFire Endpoint AMP (FireAMP software, price per endpoint node)
- 0-100 endpoint nodes: 42 per node
- 101-500 endpoint nodes: 35 per node
- 501-1000 endpoint nodes: 26 per node
- 1001-5000 endpoint nodes: 22 per node
- 5001-10000 endpoint nodes: 19 per node
- 10001 endpoint nodes and greater: 16 per node or lower
Volume-based prices are based on the initial order; if additional price breaks are met, further licences will be at the new price break. Prices are based on the cumulative licence count per end-user organisation.
Professional Services
Professional services are priced according to time and materials at the agreed Atos SFIA Rate Card.
Travel and subsistence: payable at the Customer's standard T&S rate.
Mileage: payable at the Customer's standard T&S rate.
Professional indemnity insurance: included in the day rate.
- Network POC: install and configure a network appliance; discovery phase; recommendation of needs. Priced at the agreed Atos SFIA Rate Card; simple short-term product-only trials can be arranged free of charge.
- Endpoint POC: install and configure endpoint software; discovery phase; recommendation of needs. Priced at the agreed Atos SFIA Rate Card; simple short-term product-only trials can be arranged free of charge.
- APT Specification: analysis of needs; design of solution; proposal. Priced at the agreed Atos SFIA Rate Card.
- Install and configure APT products: install and configure the products specified in the APT Specification. Priced at the agreed Atos SFIA Rate Card.
- Provide managed APT service: including product maintenance, event escalation and monthly reporting. Priced at the agreed Atos SFIA Rate Card.
- APT professional services: consultancy from certified security professionals for APT. Priced at the agreed Atos SFIA Rate Card.
7. Service management
The service is typically available during standard working hours: Monday to Friday, 09:00 to 17:30, excluding public holidays.
Atos are pleased to discuss additional coverage should it be required.
8. Service constraints
In order for the service to be provided, the Customer will need to:
- Give authorisation for the analysis and scanning to proceed
- Give access to the IT estate
- Provide data centre accommodation for the network appliances
- Provide a deployment mechanism for rolling out endpoint protection to the chosen devices
- Provide site or data centre accommodation for the security specialists during set-up and provision of the service.
The service as defined in this catalogue provides information on the threats discovered and short-term threat reduction. Long-term remediation remains the responsibility of the customer or of the customer's service providers. Atos will be pleased to discuss additional services for the remediation of cyber security threats.
9. Service levels
The standard service level is:
Service Availability: 95%
Service Availability Window: 09:00-17:00, Monday to Friday (Business Days)
Support Availability Window (second line): 5 x 9 hours, Business Days, 08:00-17:00
Support Language: English
Report generation: stakeholders are informed that a report is available within 5 days after the investigation has concluded
10. Financial recompense
To minimise the cost to users, Atos does not provide service credits for use of the service. All Atos services are provided on a reasonable endeavours basis. Please refer to the G-Cloud terms and conditions.
In accordance with the guidance within the GPS G-Cloud Framework Terms and Conditions, the Customer may terminate the contract at any time, without cause, by giving at least thirty (30) Working Days' prior notice in writing. The Call-Off Contract terms and conditions and the Atos terms will define the circumstances in which a refund of any pre-paid service charges may be available.
11. Training
No training is required to benefit from this service, although the deliverables of the APT service should be communicated to the security and infrastructure specialists in the customer's organisation, or those of its service provider, who will remedy the vulnerabilities found.
Our security specialists will discuss the coverage and benefits of the various scan options prior to scanning the estate.
If training and guidance for customer and/or provider staff is required, it can be delivered at the rates defined in the Atos Information Security Professional Services SFIA Rate Card available through G-Cloud. Please get in touch for details ([email protected]).
12. Ordering and invoicing process
Ordering this product is a straightforward process.
Please forward your requirements to the email address [email protected]. Atos will prepare a quotation and agree it with you, including any volume discounts that may be applicable.
Once the quotation is agreed, Atos will issue the customer with the necessary documentation (as required by the G-Cloud Framework) and ask the customer to provide Atos with a purchase order.
Once the purchase order is received, the customer's services will be configured to the requirements in the original quotation.
For new customers, additional new-supplier forms may need to be completed.
Invoices will be issued to the customer and Shared Services (quoting the purchase order number) for the services procured. On a monthly basis, Atos will also complete the mandated management information reports to Government Procurement Services detailing the spend that the customer has placed with us.
Cabinet Office publish a summary of this monthly management information at:
http://gcloud.civilservice.gov.uk/about/sales-information/
13. Termination terms
13.1 By consumers (i.e. consumption)
Termination shall be in accordance with:
- The G-Cloud Framework terms and conditions
- Any terms agreed within the Call-Off Contract under section 10.2 of the Order Form (termination without cause), where the Government Procurement Service (GPS) guidance states "At least thirty (30) Working Days in accordance with Clause CO-9.2 of the Call-Off Contract"
- Atos Supplier Terms for this Service as listed on the G-Cloud CloudStore.
For this specific service, by default Atos ask for at least thirty (30) Working Days' prior written notice of termination, as per the guidance within the GPS G-Cloud Framework Terms and Conditions.
13.2 By the Supplier (removal of the G-Cloud Service)
Atos commits to continue to provide the service for the duration of the Call-Off Contract, subject to the terms and conditions of the G-Cloud Framework and the Atos Supplier Terms.
14. Data restoration / service migration
Not applicable, as there is no data to restore and no service to migrate.
15. Customer responsibilities
The principal customer responsibilities are:
- To provide all required authorisation for access (escorted or unescorted) to the Customer Sites. Where access disputes arise, the customer will mediate the dispute and inform the WISC team of the outcome
- To ensure that the Security Specialist conducting the APT service has full or escorted access to all areas of the customer sites needed to fulfil the service
- To provide all possible assistance to allow the Atos security specialists to operate at the specified sites
- To escalate and manage the actions required to deal with any security remediation or mitigation recommended by the APT service.
16. Technical requirements
Technical requirements will be discussed and agreed with the customer and their representatives prior to the start of service.
17. Trial service
Atos are pleased to discuss provision of a trial service. Implementation and scope are to be discussed with security stakeholders and are subject to agreement.
18. Glossary of Terms
AMP: Advanced Malware Protection, the Sourcefire product suite
APT: Advanced Persistent Threat
CEH: Certified Ethical Hacker
CISM: Certified Information Security Manager
CISSP: Certified Information Systems Security Professional
DC: Defense Center, the Sourcefire central management appliance
GPS: Government Procurement Service
IL: Impact Level
Security+: CompTIA Security+ certification
SFIA: Skills Framework for the Information Age, the basis of the Atos rate card
SIEM: Security Information and Event Management
SSCP: Systems Security Certified Practitioner