G-Cloud Service Definition Atos Information Security APT Service (SourceFire) SCS


Information Security Advanced Persistent Threat (APT) Service (SourceFire) SCS

The Atos Advanced Persistent Threat Protection Service is a solution to detect and protect against malware and attacks crafted to evade traditional security technologies such as firewalls, anti-virus and intrusion detection systems. It delivers effective protection for networks with well-defined organisational boundaries and for those that are extended to cloud services and partner networks.

The service is delivered by trained, certified security specialists using Sourcefire Network and EndPoint technology. The service provides enhanced visibility and protection across your network against cyber security threats.

Network and Endpoint coverage
The SourceFire Advanced Malware Protection (AMP) product provides integrated coverage across network and endpoints, allowing the path of any cyber-attack to be traced from point of entry, through propagation, to post-infection remediation.

Malware tracking
Tracks malware across the network, providing detailed information about point of entry, propagation, protocols used, and which users or endpoints are involved.

Indicators of compromise
Correlates even weak signals of potential security compromise detected on devices spread across the network, to identify APT activity that would otherwise be lost in the noise of overall network activity.

Certified Security Professionals
The APT Service is delivered and supported by security specialists with CISSP, CISM, CEH, Security+, SSCP and vendor-specific accreditations.

Zero day malware detection
Dynamic analysis on the network for zero-day malware detection.

Malware detection sandboxing
SourceFire cloud-based sandboxing analyses hundreds of thousands of malware samples in its sandbox infrastructure. Users benefit from access to expert analysis and immediate software updates within minutes of analysis.

What is it?
The Atos Advanced Persistent Threat Protection Service delivers a bespoke implementation of Network and EndPoint technology from SourceFire AMP, configured specifically for the customer's environment. The solution offers options for in-line network or out-of-band (monitor) network deployments.

Features of the service include:

Network technology
Network appliances can be installed in-line or placed out of band in monitoring mode. When installed in-line, the appliances are able to block malware and APT threats as they traverse the network.

Endpoint technology
EndPoint protection is installed locally onto the customer's desktop and server systems. This allows application-level control, which can prevent malware executing non-approved code on the endpoint.

Installation, support and monitoring
Atos provides a service option for installation, deployment, analysis, support and monitoring of the endpoint and network technologies.

Implementation of both Network and Endpoint solutions provides maximum APT coverage. However, the customer can opt for just endpoint or just network coverage.

What makes us unique?
The Atos APT Service combines UK-based, security-cleared resources with market-leading Advanced Malware Protection (AMP) tools from Cisco SourceFire to give a cost-effective solution for monitoring and countering APT. Unlike some other providers, Atos complementary security services can take the lessons learnt from specific customer deployments of APT to recommend and support changes to an organisation's infrastructure, culture and processes for the long-term mitigation of APT.

The service can provide SourceFire products to order; however, the typical delivery will include an initial design and sizing activity leading to the delivery of:

- Appropriately sized network appliances
- Sufficient endpoint systems to cover the estate at risk
- Deployment support to install and configure the network appliances and endpoints in the estate
- Traffic analysis to determine what, if any, APT activity is present

The initial findings are presented in a report with recommendations for remediation. Successive APT mitigations are bespoke work packages as agreed with the organisation.

- Any organisation with data or systems that are of interest to foreign agencies or cyber criminals can benefit from this service
- High profile organisations whose public reputations might be damaged by malicious attacks
- Organisations running critical infrastructure and systems where the consequences of system interruption would be significant

Organisations at risk of APT can adopt an entry-level solution of a network appliance in monitor mode and coverage of high-risk endpoints to ascertain the risk, and then scale to full deployment on discovery of APT incidents. Atos are pleased to discuss trial installations of network and endpoint solutions for proofs of concept.

Contents

1. Introduction
1.1 Service summary
1.2 How this product can be used
2. Service overview
2.1 Network APT
2.2 Endpoint APT
2.3 Service Roadmap
3. Information Assurance
4. Backup/restore and disaster recovery
5. On-boarding and off-boarding
6. Pricing
7. Service management
8. Service constraints
9. Service levels
10. Financial recompense
11. Training
12. Ordering and invoicing process
13. Termination terms
13.1 By consumers (i.e. consumption)
13.2 By the Supplier (removal of the G-Cloud Service)
14. Data restoration / service migration
15. Customer responsibilities
16. Technical requirements
17. Trial service
18. Glossary of Terms

1. Introduction

Atos provides a wide range of solutions that help customers address their growing IT security challenges.

Atos Information Security APT (Advanced Persistent Threat) Service is one such service. The service is delivered by trained, certified security specialists using Cisco Sourcefire appliances and tooling for mitigating Advanced Persistent Threats to your IT infrastructure and data.

1.1 Service summary

Deployment of a suite of SourceFire Advanced Malware Protection (AMP) products for countering APT risk. Professional services are available to support the trialling, custom installation and operation of a counter-APT solution.

1.2 How this product can be used

The organisation can procure SourceFire AMP products for:

- Network protection (inline and monitoring)
- Endpoint protection of device nodes

and the professional security services for:

- Proof of concept
- Installation and configuration of the SourceFire AMP products
- A service operation to maintain the products and monitor the infrastructure for APT events

2. Service overview

The Atos Advanced Persistent Threat Protection Service is a bespoke deployment specific to the organisation's environment. The solution consists of both Network and EndPoint technology, with options available for in-line network or out-of-band (monitor) network deployments. Network and EndPoint services together provide maximum coverage; however, the service is flexible should the organisation wish to opt for a Network-only or EndPoint-only service.

Appropriately sized network appliance(s) are deployed onto an organisation's network at strategic locations, typically at edge firewall choke points or at Internet break-out points. Network appliances can be deployed in-line, with wire-speed interception of traffic traversing the in/out interfaces. Alternatively, appliances can be placed out-of-band, monitoring a mirror or SPAN port in promiscuous mode. A dedicated central manager is deployed to manage the network appliances.

EndPoint systems are installed locally onto client desktop and server systems. This allows application-level control, which can prevent malware executing non-approved code on end points.

The support and monitoring service can be fully outsourced to the Atos Information Security Team, or can be operated by the organisation's existing support arrangement.

Initial engagement typically commences with APT design. Trial installations of EndPoint and Network solutions can be used to inform the design decisions. Once the APT design has been completed and approved, Atos will work with the vendor and organisation support teams to implement the solution as a work package.

After the SourceFire AMP deployment has been successfully completed, traffic analysis reports are generated, detailing initial findings from the technology. These results are investigated to determine whether the detections indicate that a system compromise has occurred, whether malware is propagating within the estate, and whether there is communication to command and control centres. The report is then made readily available to all relevant stakeholders for the account, so that any recommendations made within the report can be remedied.

The service is delivered in modules to allow service configuration to meet the customer's specific needs:

Component: SourceFire Network AMP support and malware subscription
Description: Dedicated Network AMP Appliance(s): purpose-built network security appliances featuring unique hardware acceleration technology.

Component: SourceFire Endpoint AMP support and malware subscription
Description: FireAMP Connectors (agents) installed on endpoints (PCs, laptops, mobiles etc.) provide the device-based visibility and control needed to stop cyber security threats.

Component: SourceFire Central Management Appliance and support
Description: Central management console for all Sourcefire security solutions, featuring patented real-time awareness technology for next-generation solutions that provides full stack visibility, event correlation and security automation to respond to changing conditions and new attacks. Not required if an existing Defence Centre DC3500, DC1500 or DC750 is already deployed.

Component: SourceFire Central Management Appliance Malware Subscription
Description: Subscription for the Central Management Console: connection from the Defense Center to the Sourcefire intelligence cloud, e.g. for sandboxing and new threat intelligence.

Component: Atos Deployment support
Description: Certified security professionals at the agreed Atos SFIA rate.

Component: Atos Analysis and Initial Findings Report
Description: Certified security professionals at the agreed Atos SFIA rate.

Component: Atos Ongoing event Monitoring
Description: Certified security professionals at the agreed Atos SFIA rate.

Component: Atos Adhoc Professional Services
Description: Certified security professionals at the agreed Atos SFIA rate.

Atos will discuss the appropriate mix of security professionals to deploy to meet the perceived APT. The specialists are drawn from a pool of security professionals with a mix of certifications, e.g. CISSP, CISM, CEH, Sec+, SSCP and vendor-specific accreditations.

2.1 Network APT

Important characteristics of the SourceFire AMP solution for Network APT:

- Virtual options are also available
- Inspects all or selected protocols, including HTTP, SMTP, IMAP and POP3
- Inspects inbound, outbound and internal traffic, with malware lookup for selected file types including:
  - Office documents: MSOLE2, XLW, MSWORD_MACS, MDB, ACCDB, MNY, NEW_OFFICE
  - Archive files: JAR, JARPACK
  - Multimedia files: SWF
  - Executable files: MSEXE
  - PDF files: PDF

Benefits:

- Continuous detection of malware, immediately and retrospectively
- Dynamic analysis for zero-day malware detection
- Integration with FireAMP Endpoint (for local remediation and outbreak analysis)
- Capture and save suspicious files for later analysis
- Custom malware detection and integration with private intelligence feeds
- Correlation and prioritisation of events; discover devices that are compromised on the network
- C&C (command and control) traffic detection and blocking
- Protection from exploit kits, drive-by malware downloads and other modern infection causes
- Inline detection of sophisticated malware that evades traditional network protections
- Combines the world's most effective threat prevention to stop more than just malware
- Easy, integrated management of malware rules with security policy and access controls
- Lower cost of ownership compared to limited-purpose malware appliances
- Optional FireAMP protection and remediation solution to extend malware protection to end devices
- Integration with existing Security Information and Event Management (SIEM) deployments

2.2 Endpoint APT

Important characteristics of the SourceFire AMP solution for EndPoint APT:

- No hardware required; web-based management only
- FireAMP connectors available for the following platforms:
  - Windows XP SP2+
  - Windows Vista SP2+
  - Windows 7
  - Windows Server 2008
  - Windows 8
  - Mac OS X (available 2014)
  - FireAMP Mobile for Android (v2.2 or greater)
- Virtual options are available using the standard Windows Connector
- Event integration with the DC (if the customer already has our NGIPS/NGFW/AMP for FirePOWER appliances); prerequisites: FireAMP subscription, DC 5.1 or greater with FireSIGHT
- Sourcefire intelligence cloud connection; connect frequency: continuous for cloud intelligence lookups (frequently seen file fingerprints are cached locally)

Benefits:

- Continuous detection of malware, immediately and retrospectively
- Complete visibility to track and analyse malware and advanced malware
- Analyse, respond and react to endpoint infections
- Robust control capabilities to stop the spread and communication of malware
- Protection extends across virtual systems and mobile devices
- Integration with Sourcefire Defense Center for central reporting and event analysis
- Integration with existing Security Information and Event Management (SIEM) deployments
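The "immediately and retrospectively" detection listed under both 2.1 and 2.2, together with the malware tracking described earlier (point of entry, propagation, which hosts are involved), can be pictured with a small model. This is an added illustration, not Sourcefire or Atos code; the Sighting event shape, the disposition values and the sample hosts and timestamps are constructed assumptions.

```python
"""Retrospective detection over a file-sighting trajectory (constructed model)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple
import hashlib


@dataclass(frozen=True)
class Sighting:
    ts: int        # time of the sighting (constructed, seconds)
    host: str      # endpoint or network sensor that saw the file
    sha256: str    # file fingerprint, the key used for cloud lookups
    via: str       # protocol the file arrived over, or "exec" for local execution


class TrajectoryStore:
    """Every sighting per fingerprint plus the current cloud disposition."""

    def __init__(self) -> None:
        self.sightings: Dict[str, List[Sighting]] = defaultdict(list)
        self.disposition: Dict[str, str] = {}          # sha256 -> clean|malicious
        self.alerts: List[Tuple[str, str, str]] = []   # (kind, sha256, host)

    def record(self, s: Sighting) -> str:
        """Store a sighting; alert immediately if the hash is already known bad."""
        self.sightings[s.sha256].append(s)
        disp = self.disposition.get(s.sha256, "unknown")
        if disp == "malicious":
            self.alerts.append(("immediate", s.sha256, s.host))
        return disp

    def update_disposition(self, sha256: str, new: str) -> int:
        """Apply a cloud verdict. When it changes to malicious, raise one
        retrospective alert per host that saw the file earlier; return the count."""
        old = self.disposition.get(sha256, "unknown")
        self.disposition[sha256] = new
        if new != "malicious" or old == "malicious":
            return 0
        affected: List[str] = []
        for s in sorted(self.sightings.get(sha256, []), key=lambda x: x.ts):
            if s.host not in affected:
                affected.append(s.host)
                self.alerts.append(("retrospective", sha256, s.host))
        return len(affected)

    def trajectory(self, sha256: str) -> Dict[str, object]:
        """Point of entry, propagation path and hosts involved for one file."""
        path = sorted(self.sightings.get(sha256, []), key=lambda x: x.ts)
        hosts: List[str] = []
        for s in path:
            if s.host not in hosts:
                hosts.append(s.host)
        return {
            "entry": (path[0].host, path[0].via) if path else None,
            "path": [(s.ts, s.host, s.via) for s in path],
            "hosts": hosts,
        }


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest, the lookup key for the cloud disposition."""
    return hashlib.sha256(data).hexdigest()


SAMPLE = fingerprint(b"constructed sample document, not real malware")


def run_scenario() -> TrajectoryStore:
    """Constructed scenario: a document enters over SMTP while its disposition
    is still unknown, spreads, is later judged malicious, and is then blocked."""
    store = TrajectoryStore()
    store.record(Sighting(1000, "mail-gw", SAMPLE, "smtp"))       # point of entry
    store.record(Sighting(1300, "pc-017", SAMPLE, "exec"))        # user opens it
    store.record(Sighting(1900, "fileserver-2", SAMPLE, "smb"))   # propagation
    store.record(Sighting(2400, "pc-017", SAMPLE, "exec"))        # run again
    store.update_disposition(SAMPLE, "clean")       # first cloud verdict: nothing raised
    store.update_disposition(SAMPLE, "malicious")   # verdict flips: 3 retrospective alerts
    store.record(Sighting(90000, "pc-042", SAMPLE, "http"))       # now an immediate alert
    return store
```

The retrospective alerts are what let a defender reach hosts that handled the file before any verdict existed; the trajectory output is the material an initial findings report draws on.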

2.3 Service Roadmap

The AMP products come from Cisco SourceFire. The continual evolution of cyber security threats requires timely adoption of changes to protection and detection techniques. Atos works with the vendor and customer to ensure that roadmap developments are communicated, so that systems can evolve as threat landscapes change, thus allowing continued assurance of service protection.

3. Information Assurance

The standard product is available at Impact Level 0 (IL0). The service can be run at higher Impact Levels up to IL5 if required, subject to a formal accreditation.

4. Backup/restore and disaster recovery

Backup/restore and disaster recovery will be configured to the organisation's specific needs and according to the specification of the products employed. Atos has extensive experience in providing these capabilities from IL0 to IL5, subject to a formal accreditation.

5. On-boarding and off-boarding

On-boarding and off-boarding will be dependent upon the types of products employed and the service delivered. They will be discussed, documented and agreed prior to commencement of on-boarding.

6. Pricing

The service is priced according to time and materials spent on mandatory modules and a selection of optional modules.

Sourcefire products and services

Module: SourceFire Network AMP
Description: Dedicated Network AMP 7150 Appliance(s), for network speeds up to 500Mbps
Price:
- AMP7150 product inc 1st year support and subscription: 26,000
- Support per appliance per year: 5,700
- Subscription per appliance per year: 5,200

Module: SourceFire Network AMP
Description: Dedicated Network AMP 8150 Appliance(s), for network speeds up to 2Gbps
Price:
- AMP8150 product inc 1st year support and subscription: 57,000
- Support per appliance per year: 9,400
- Subscription per appliance per year: 11,400

Module: Central Management (required)
Description and price:
- Defense Center 3500 (manages up to 150 appliances) inc 1st year support: 39,000
- Defence Center 3500 support per DC3500 per year: 8,600
- Defense Center 1500 (manages up to 35 appliances): 23,500
- Defence Center 1500 support per DC1500 per year: 5,200 per installation per year
- Defense Center 750 (manages up to 10 appliances) inc 1st year support: 11,700
- Defence Center 750 support per DC750 per year: 2,600

Module: SourceFire Endpoint AMP
Description: FireAMP software
Price:
- 0-100 endpoint nodes: 42 per node
- 101-500 endpoint nodes: 35 per node
- 501-1000 endpoint nodes: 26 per node
- 1001-5000 endpoint nodes: 22 per node
- 5001-10000 endpoint nodes: 19 per node
- 10001 and greater: 16 or lower

Volume-based prices are based on the initial order; if additional pricing breaks are met, further licences will be at the new price break. Prices are based on the cumulative licence count per end-user organisation.

Professional Services

The service is priced according to time and materials and the agreed SFIA Rate Card - Atos.

- Travel and subsistence: payable at the Customer's standard T&S rate
- Mileage: payable at the Customer's standard T&S rate
- Professional indemnity insurance: included in the day rate

Module: Network POC
Description: Install and configure network appliance; discovery phase; recommendation of needs
Price: At agreed SFIA Rate Card Atos. Simple short-term product-only trials can be arranged free of charge.

Module: Endpoint POC
Description: Install and configure endpoint software; discovery phase; recommendation of needs
Price: At agreed SFIA Rate Card Atos. Simple short-term product-only trials can be arranged free of charge.

Module: ATP Specification
Description: Analysis of needs; design of solution; proposal
Price: At agreed SFIA Rate Card Atos

Module: Install, configure ATP products
Description: Install and configure the products specified in the ATP Specification
Price: At agreed SFIA Rate Card Atos

Module: Provide managed ATP service
Description: Provide managed ATP service, including product maintenance, event escalation and monthly reporting
Price: At agreed SFIA Rate Card Atos

Module: ATP professional services
Description: Consultancy from certified security professionals for ATP
Price: At agreed SFIA Rate Card Atos

7. Service management

The service is typically available during standard working hours/days: Monday to Friday, 09:00 to 17:30, excluding public holidays. Atos are pleased to discuss additional coverage should it be required.

8. Service constraints

In order for the service to be provided, the Customer will need to:

- Give authorisation for the analysis and scanning to proceed
- Give access to the IT estate
- Provide data centre accommodation for network appliances
- Provide a deployment mechanism for rolling out endpoint protection to the chosen devices
- Provide site or data centre accommodation to security specialists during the setup and provision of the service

The service as defined in this catalogue provides information on the threats discovered and short-term threat reduction. Long-term remediation remains a customer responsibility or that of the customer's service providers. Atos will be pleased to discuss additional services for remediation of cyber security threats.

9. Service levels

The standard service level is:

Service measure: Typical service level
- Service Availability: 95%
- Service Availability Window: 09:00-17:00 Mon-Fri, Business Days
- Support Availability Window (second line): 5*9 hours: Business Days, 08:00-17:00 h
- Support Language: English
- Report generation: Inform stakeholders that a report is readily available within 5 days after the investigation has been concluded

10. Financial recompense

To minimise the cost to users, Atos does not provide service credits for use of the service. All Atos services are provided on a reasonable endeavours basis. Please refer to the G-Cloud terms and conditions.

In accordance with the guidance within the GPS G-Cloud Framework Terms and Conditions, the Customer may terminate the contract at any time, without cause, by giving at least thirty (30) Working Days' prior notice in writing. The Call Off Contract terms and conditions and the Atos terms will define the circumstances where a refund of any pre-paid service charges may be available.

11. Training

No training is required to benefit from this service, although the deliverables of the APT service should be communicated to security and infrastructure specialists in the customer's organisation, or that of the service provider, to remedy the vulnerabilities. Our security specialists will discuss the coverage and benefit of the various scan options prior to scanning the estate.

If training and guidance to customer and/or provider staff is required, it can be delivered at the rates defined in our Atos Information Security Professional Services SFIA Rate Card available through G-Cloud. Please get in touch for details ([email protected]).

12. Ordering and invoicing process

Ordering this product is a straightforward process. Please forward your requirements to the email address [email protected]. Atos will prepare a quotation and agree that quotation with you, including any volume discounts that may be applicable.

Once the quotation is agreed, Atos will issue the customer with the necessary documentation (as required by the G-Cloud Framework) and ask the customer to provide Atos with a purchase order.

Once received, the customer services will be configured to the requirements as per the original quotation.

For new customers, additional new supplier forms may need to be completed.

Invoices will be issued to the customer and Shared Services (quoting the purchase order number) for the services procured. On a monthly basis, Atos will also complete the mandated management information reports to Government Procurement Services detailing the spend that the customer has placed with us. Cabinet Office publish a summary of this monthly management information at:

http://gcloud.civilservice.gov.uk/about/sales-information/

13. Termination terms

13.1 By consumers (i.e. consumption)

Termination shall be in accordance with:

- The G-Cloud Framework terms and conditions
- Any terms agreed within the Call Off Contract under section 10.2 of the Order Form (termination without cause), where the Government Procurement Service (GPS) guidance states "At least thirty (30) Working Days in accordance with Clause CO-9.2 of the Call-Off Contract"
- Atos Supplier Terms for this Service as listed on the G-Cloud CloudStore

For this specific service, by default Atos ask for at least thirty (30) Working Days' prior written notice of termination, as per the guidance within the GPS G-Cloud Framework Terms and Conditions.

13.2 By the Supplier (removal of the G-Cloud Service)

Atos commits to continue to provide the service for the duration of the Call Off Contract, subject to the terms and conditions of the G-Cloud Framework and Atos Supplier Terms.

14. Data restoration / service migration

Not applicable, as there is no data to restore and no service to migrate.

15. Customer responsibilities

The principal customer responsibilities are:

- To provide all required authorisation for access (escorted or un-escorted) to the Customer Sites. Where access disputes arise, the customer will mediate the dispute and inform the WISC team of the outcome
- To ensure that the Security Specialist conducting the APT service has full or escorted access to all areas of the customer sites needed to fulfil the service
- To provide all possible assistance to allow the Atos security specialists to operate at the specified sites
- To escalate and manage the actions required to deal with any security remediation or mitigation recommended from the APT service

16. Technical requirements

Technical requirements will be discussed and agreed with the customer and their representatives prior to the start of service.

17. Trial service

Atos are pleased to discuss provision of a trial service. Implementation and scope are to be discussed with security stakeholders and are subject to agreement.

18. Glossary of Terms

- AMP: Sourcefire product suite Advanced Malware Protection
- APT: Advanced Persistent Threat
- CEH: Certified Ethical Hacking
- CISM: Certified Information Security Manager
- CISSP: Certified Information Security Professional
- GPS: Government Procurement Service
- IL: Impact Level
- Security+: CompTIA Security+ certification
- SSCP: Systems Security Certified Practitioner