Market Survey Request for Information - NCI Agency

NATO UNCLASSIFIED
NCIA/ACQ/2017/1802
11 September 2017
Market Survey Request for Information
Replacement and Enhancement of CIS
NCI Agency Ref: MS-CO-14635-RECIS
The NATO Communications and Information Agency (NCI Agency) is seeking
inputs from Nations and their Industry regarding the replacement and
enhancement of existing Communication and Information Systems (CIS) security
capabilities across the NATO Enterprise.
NCI Agency Principal Contracting Officer (PCO): Mr. Giacomo Piliego
E-mail: Giacomo.Piliego@ncia.nato.int
Market Survey Point of Contact: Ms. Sherrie Mendes
E-mail: Sherrie.Mendes@ncia.nato.int
To: See Distribution List
Subject: NCI Agency Market Survey Request – Replacement and Enhancement of CIS
1. The NATO Communications and Information Agency (NCI Agency) is seeking
inputs from Industry regarding the replacement and enhancement of existing
Communication and Information Systems (CIS) security capabilities across the
NATO Enterprise. The purpose of this Request for Information (RFI) is to describe
the capabilities, identify the requested inputs, and provide instructions on how to
reply.
2. In addition to the firms noted in Annex C of this letter, Nations are requested to disseminate this Market Survey Request as broadly as possible to their qualified and interested industrial base, above and beyond the Annex C list of firms.
3. A summary of this emerging requirement is set forth in the Annex A attached
hereto. Respondents are requested to reply via the questionnaires at Annex B.
Annex B contains two questionnaires: B.1 (Part 1) and B.2 (Part 2). Other supporting
information and documentation (technical data sheets, marketing brochures,
catalogue price lists, descriptions of existing installations, etc.) are also desired.
4. The NCI Agency reference for this Market Survey Request is
NCIA/ACQ/2017/1802, and all correspondence and submissions concerning this
matter should reference this number.
5. Responses may be issued to NCI Agency directly from Nations or from their
Industry. Respondents are invited to carefully review the requirements in Annex
A.
6. Responses shall in all cases include the name of the firm, telephone number, email address, designated Point of Contact, and a NATO UNCLASSIFIED
description of the capability available and its functionalities. This shall include any
restrictions (e.g. export controls) for direct procurement of the various capabilities
by NCI Agency. Non-binding product pricing information is also requested as
called out in Annex B.
7. Responses are due back to NCI Agency no later than close of business 11
October 2017.
8. Please send all responses via email to the CIS Enhancement and Replacement
mailbox listed below:
NCIA CIS Enhancement Email: Cyber.Security.RFI@Ncia.Nato.Int
For Attention Of: Mr. Giacomo Piliego, Principal Contracting Officer, and Ms. Sherrie Mendes, Sr. Contracting Support
Postal address:
NATO Communications and Information Agency
Boulevard Leopold III
1110 Brussels
Belgium
Courier delivery address (e.g. DHL or FEDEX):
NATO Communications and Information Agency
Bourgetlaan 140
1140 Evere
Belgium
9. Product demonstrations or face-to-face briefings/meetings with industry are not
foreseen during this initial stage. Respondents are requested to await further
instructions after their submissions and are requested not to contact any NCI
Agency staff directly other than the POC identified above in Para 8.
10. Any response to this request shall be provided on a voluntary basis. Negative
responses shall not prejudice or cause the exclusion of companies from any future
procurement that may arise from this Market Survey. Responses to this request,
and any information provided within the context of this survey, including but not
limited to pricing, quantities, capabilities, functionalities and requirements will be
considered as indicative and informational only and will not be construed as
binding on NATO for any future acquisition.
11. The NCI Agency is not liable for any expenses incurred by firms in conjunction with
their responses to this Market Survey and this Survey shall not be regarded as a
commitment of any kind concerning future procurement of the items described.
12. Your assistance in this Market Survey request is greatly appreciated.
FOR THE GENERAL MANAGER:
[Original Signed By]
Giacomo Piliego
Principal Contracting Officer
Attachment(s):
• Annex A – Market Survey RFI Requirements
• Annex B –
  o B.1 - Market Survey Questionnaire Pt 1
  o B.2 - Market Survey Questionnaire Pt 2
• Annex C – Market Survey Industrial Recipients
Annex A – Market Survey RFI Requirements
NCI Agency Request for Information (RFI)
about Cyber Security Solutions
1 PURPOSE
The NATO Communications and Information Agency (NCI Agency) is seeking inputs from Industry
regarding the replacement and enhancement of existing Communication and Information Systems (CIS)
security capabilities across the NATO Enterprise. The purpose of this Request for Information (RFI) is to
describe the capabilities, identify the requested inputs, and provide instructions on how to reply. This
effort is sponsored by the following programmes:
• The NATO Enterprise CIS Security Architecture development (a documentation effort run under the NATO C3 Board Programme of Work – not an acquisition project)
• NATO CIS Security Services Technology Refresh and Enhancements Capability Package (CP120) pre-planning
The Agency is requesting information on individual products, architectural solutions and
recommendations addressing the requirements posed by the two programmes. This information should
be captured in a manner highlighting current technology (available on the market) in addition to future
technology catering for requirements which are foreseen. This information will be used by NATO subject
matter experts and architects to support the definition of the project architecture and to estimate the
costs in relation to implementation.
2 BACKGROUND
As highlighted during the NIAS Cyber Security Symposium 2016, NATO is continuously adapting and
implementing changes to its CIS infrastructure, adopting new approaches and technologies in order to
increase its efficiency and effectiveness. Such change is key to maintaining a high level of service to NATO
stakeholders while ensuring that the cost of operating the CIS infrastructure and its supporting
tools stays within acceptable margins. Reviewing and changing the infrastructure also allows NATO to
adapt the architecture to accommodate future requirements and technology.
Evolving infrastructure and continuous change in the threat landscape have the potential to impact the
NATO CIS architecture and the CIS Security capabilities, raising technical and operational challenges.
Whilst NATO presents some unique characteristics, the challenges faced are similar among civilian and
large enterprise organisations, many of which have been addressed by industry solutions currently
available on the market. As a result, NATO is interested in obtaining input on potential solutions deployed
in commercial companies and other public / international organisations that can be leveraged within the
NATO enterprise context to help protect NATO assets, and in evolving solutions aimed at addressing
emerging requirements.
3 BUSINESS ENVIRONMENT
The context of this RFI is the NATO Enterprise. The following characteristics of the NATO Enterprise should
be considered while providing input for this RFI:
1. Centralised infrastructure: most services will be provided from central Data Centres, following a
“private cloud computing” approach; NATO is undergoing a complex restructure of its CIS
infrastructure (“IT Modernization”, ITM).
2. Centralised management: CIS is managed from central Services Operation Centres, minimising
local administration activities as much as possible.
3. The CIS architecture is composed of several generations (“legacy” systems): many physical sites
with various levels of autonomy and local customizations, and a significant amount of legacy
systems.
4. Complex organisational structure: CIS management responsibilities are being changed and
centralized, resulting in challenges to integrate the CIS Security capabilities within the CIS
infrastructure as well as to maintain them properly tuned over time.
5. Service orientation: services within the NATO Enterprise as well as to external users from the
Nations are being provided based on a service oriented model. This results in a requirement for a
high level of flexibility (capacity, scope, performance, etc.) of the CIS Security capabilities to adapt
to the demand.
6. Increase in network bandwidth: changes in technology and added capabilities have resulted in
higher bandwidth within NATO’s infrastructure (WAN, between the Data Centres, local LANs),
increasing the complexity and need for network security monitoring.
7. Virtualized Infrastructure: services are being migrated to virtualized infrastructure, with
redundant Active-Active Data Centres.
8. Increased Mobility: large-scale deployment of mobile clients (laptops, smartphones, tablets),
connected via VPN reach-back to the core infrastructure.
9. Centralized computing: large-scale deployment of thin clients, with the users' operating systems
hosted on dedicated virtualised environments.
10. VoIP: Complete VoIP infrastructure, fully integrated as part of a Unified Communications and
Collaboration (UCC) infrastructure.
11. Other constraints:
a. Spread of encrypted application-layer protocols (SSL/TLS), impacting boundary protection;
b. Stringent availability requirements, in line with the operational criticality of the CIS
infrastructure.
c. Scarce skilled resources to operate the CIS Security capabilities, in a context of limited
O&M costs and an increased focus on outsourcing.
4 RFI GUIDELINES
4.1 EXPECTED RESPONDENTS
Responses are anticipated from any commercial organization or company within any NATO nation that
provides CIS security solutions, either broadly across many areas or in the specific fields identified
in this RFI.
4.2 DISCLAIMER
The results of this RFI will solely be used by the NCI Agency to support architecture decisions,
requirements and identify broad cost estimates for funding and affordability purposes. The information
provided will not be used as a request for quotation or an invitation for bids. The results obtained from
this RFI will not be used in any manner to select specific products or vendor solutions prior to any formal
NATO procurement process.
Since this RFI covers a broad selection of CIS security capabilities, partial responses will be accepted, and
are indeed expected. It is acknowledged that solutions available on the market cannot address all of the
identified requirements and challenges.
Moreover, because the RFI results will be used to determine generic cost estimates for various functional
requirements and not specific products, any cost information to be provided by vendors shall not take
into account specific discounts that they may negotiate for an actual deployment.
4.3 RFI STRUCTURE
This RFI is organized in two main parts:
1. Detailed information about products
2. Architecture questions and solutions
The scope of the RFI is considered broad: each vendor is only expected to answer the questions that are
relevant to their proposed product(s) / solution(s) and their areas of expertise. Each question will request
inputs regarding a specific issue; responses are expected to contain information from vendors about
current and future solutions, including cost estimates for several deployment scenarios addressing
NATO’s operational requirements.
5 PART 1: PRODUCT RELATED QUESTIONS
The objective of this part of the RFI is to collect detailed information about a large range of cyber security
products in order to shape the future cyber security architecture of the NATO Enterprise. An indicative
cost model is also requested to support cost estimates for future NATO implementation projects.
The questions cover the four following aspects:
1. General information about the product / solution and the company
2. Licensing model and costing information, for various deployment scenarios
3. Questions applying to all categories of products / solutions
4. Questions applying to specific categories of products / solutions
5.1 Categories of products and solutions
You are invited to propose products related to the following subject areas:
• Firewall solutions
• Log collection solutions
• Security Information and Event Management solutions (SIEM)
• Network-based Intrusion Detection and Prevention Systems (NIDPS)
• Host-based Intrusion Detection and Prevention Systems (HIDPS)
• Combined security analytics of logs, network packets, network flows and endpoint information
• Threat Hunting solutions
• Cyber Threat Intelligence (CTI) management solutions
• Combined security systems (e.g. firewall with NIDPS)
• VoIP infrastructure security monitoring and boundary protection
• Data Leak Prevention (DLP) solutions
• Endpoint monitoring and incident response solutions, Endpoint Detection and Response solutions (EDR)
• Network Taps and Aggregators
• Full Packet Capture (FPC) and Network Forensics solutions
• Standalone Vulnerability Assessment Scanning solutions
• Distributed Vulnerability Assessment scanning solutions
• Web Application Vulnerability Assessment scanning solutions
• Penetration Testing solutions
• Standalone Computer Forensics solutions
• Remote / Distributed Computer Forensics solutions
• Cyber Security Incident Management solutions
• Orchestration / Automation solutions for Incident Response
• Cyber Defence Situational Awareness (CDSA) solutions
• Automated Sandbox / Detonation solutions for malware detection
• Sandbox / Detonation solutions for malware analysis
• Malware Analysis tools (reverse-engineering, debuggers, decompilers, static analysis, malware collection management, etc.)
• Digital Forensics solutions (disk, mobile phones, memory forensics, timeline generation, evidence management)
• Distributed / Remote Digital Forensics solutions (disk and memory forensics)
• Deception-based detection solutions (e.g. honeypots, honey tokens)
• Network flows generation / collection solutions (e.g. NetFlow, IPFIX and similar)
• SSL/TLS Decryption solutions
• Anomaly Detection solutions
• User and Entity Behaviour Analytics (UEBA) and Insider Threat Detection solutions
• Website security monitoring and defacement detection solutions
• Cyber Security Data Analytics and Machine Learning solutions
5.2 Guidance
The list of questions is located in the attached Microsoft Excel file named
“NU_Cyber_Security_Solutions_RFI_Part1_Answers.xlsx”, in the Questions tab. Please use that file as a
template, and populate one answer column for each product or solution.
Please follow this guidance when answering questions:
1. Complete the general information about the product / solution and the company.
2. Make sure to select the relevant product category, or indicate it when several categories apply.
3. The most important part of this RFI is to indicate the licensing model and the costing information,
for various deployment scenarios. Select the proper set of questions matching the licensing
model. That information is crucial to support the cost estimation of upcoming NATO acquisition
projects.
a. The first set of costing questions is for the initial purchase of the solution.
b. The second set of costing questions is for the annual cost to support the solution over
time.
4. The rest of the questions cover functional features of the solution:
a. Questions applying to all categories of products / solutions: please answer at least the
mandatory questions, and as many optional questions as possible.
b. Questions applying to specific categories of products / solutions: please answer the
questions matching the product category.
Important note: The answers to this RFI related to features of each product will not be used to select
those products for future acquisitions. Their purpose is to check whether specific features are sufficiently
supported in existing solutions on the market, to be used later on to refine project requirements.
The questions marked with an “M” are mandatory questions, which need to be answered for each product
/ solution. The questions marked with an “O” are optional, please answer as many as possible.
6 PART 2: ARCHITECTURE-RELATED QUESTIONS
Organisations are invited to provide answers to one or multiple questions / capability areas depending on
their proposed product / solution or subject matter expertise. The NCI Agency seeks input from industry
partners who are able to provide information on proposed solutions and / or general information in any
one of the following subject areas.
Guidelines:
Please use the attached Microsoft Word file named “NU_Cyber_Security_Solutions_RFI_Part2_Answers.docx” as a template, and enter the answers below each question that is applicable.
Important note: Please make sure that all solutions mentioned in the answers to the questions below are
also described in the answers to part 1 of this RFI, otherwise they cannot be taken into consideration for
the architecture definition.
6.1 SSL Decryption for Monitoring and Filtering
Network traffic within the internal networks and towards external networks is increasingly encrypted
at the application level, using protocols such as SSL/TLS. This evolution has a dramatic impact on the
effectiveness of all security products that analyse the network traffic, such as application-level firewalls,
network intrusion detection systems and full packet capture / network forensics.
Question: Which solutions do you propose to address that challenge, using existing products?
6.2 Internal E-mail Traffic Monitoring and Filtering
Question: Which solutions do you propose to monitor and filter internal e-mail traffic (i.e. between
internal employees of an organisation), using existing products? How do you propose to analyse
encrypted e-mails (e.g. using S/MIME)?
6.3 Service-specific Monitoring
Question: Which solutions do you propose to monitor and filter the following services specifically, in
addition to generic security solutions using logs and network traffic capture (e.g. beyond SIEM and IDS),
using existing dedicated products?
• Operating Systems (servers, clients, all endpoints)
• Network infrastructure (routers, switches)
• Active Directory infrastructure
• DNS Servers
• DHCP Servers
• Time Distribution (NTP/PTP Servers)
• Virtualisation Infrastructure
• Remote Access Services (VPN concentrators and clients)
• SAN Infrastructure
• File Servers (including NAS)
• Backup & Archive Systems
• Wireless Infrastructure
• VoIP/VTC Infrastructure
• Standard Desktop Applications
• Application Store
• Printing and scanning services
• Enterprise Portal Services (e.g. Microsoft SharePoint)
• Enterprise Real-Time communication infrastructure (e.g. Microsoft Skype, Lync, Office Communicator)
• Internal Web Servers
• Externally Facing Web Servers
• Web Proxies
• Reverse Proxies
• Databases
• Firewalls
• Data diodes
• Authentication and Access Management Infrastructure
• NAC
6.4 NetFlow generation, collection, analysis and archiving
Question: Which solutions do you propose to generate, collect, analyse (e.g. for intrusion detection) and
archive network flow data (e.g. NetFlow, IPFIX or similar) corresponding to the network traffic, using
existing products?
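Section 6.4 asks for solutions that generate, collect, analyse and archive flow records, and names NetFlow and IPFIX as the formats. The Python script below is an added example, not part of the RFI or of any vendor product: it parses a NetFlow v5 export datagram (24-byte header followed by fixed 48-byte records), rejects truncated or non-v5 exports, and runs one illustrative detection heuristic over the parsed flows (an internal host reaching an external address on a port outside a small allowlist). The sample datagram, the 10.0.0.0/8 internal range, the port allowlist and the use of port 4444 in the sample are all constructed for this example.

```python
"""NetFlow v5 parsing and a first analysis pass over the parsed flows.

Added example for section 6.4; it is not part of the NCI Agency RFI nor of
any vendor product. The export datagram, the 10.0.0.0/8 "internal" range and
the destination-port allowlist are all constructed for this example.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Set

# NetFlow v5 export layout (big-endian): 24-byte header, then `count`
# fixed 48-byte flow records.
HEADER = struct.Struct(">HHIIIIBBH")
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")

# Assumed for this example: address space treated as "internal" and the
# destination ports internal hosts are expected to reach externally.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EXTERNAL_PORTS: Set[int] = {53, 80, 443}


@dataclass
class Flow:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int
    duration_ms: int  # last - first, in exporter uptime milliseconds


def parse_netflow_v5(datagram: bytes) -> List[Flow]:
    """Parse one NetFlow v5 UDP payload into Flow records.

    Rejects non-v5 exports and datagrams shorter than the record count in
    the header implies, so a truncated or forged export cannot yield
    partially initialised records.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    needed = HEADER.size + count * RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"header announces {count} records; payload too short")

    flows: List[Flow] = []
    for i in range(count):
        (srcaddr, dstaddr, _nexthop, _in_if, _out_if, pkts, octets, first,
         last, sport, dport, _pad1, tcp_flags, proto, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)
        flows.append(Flow(
            src=str(ipaddress.IPv4Address(srcaddr)),
            dst=str(ipaddress.IPv4Address(dstaddr)),
            src_port=sport, dst_port=dport, proto=proto,
            packets=pkts, octets=octets, tcp_flags=tcp_flags,
            duration_ms=last - first))
    return flows


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_flows(flows: List[Flow]) -> List[Flow]:
    """Illustrative heuristic: an internal host talking to an external
    address on a port outside the allowlist."""
    return [f for f in flows
            if is_internal(f.src) and not is_internal(f.dst)
            and f.dst_port not in ALLOWED_EXTERNAL_PORTS]


def _record(src, dst, sport, dport, proto, pkts, octets, first, last, flags):
    """Build one 48-byte v5 record (used only to construct the sample)."""
    return RECORD.pack(
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
        b"\x00" * 4, 1, 2, pkts, octets, first, last, sport, dport,
        0, flags, proto, 0, 0, 0, 24, 24, 0)


# Constructed sample export: 2 records, sequence 42, exporter uptime 123456 ms.
SAMPLE_DATAGRAM = (
    HEADER.pack(5, 2, 123456, 1505116800, 0, 42, 0, 0, 0)
    + _record("10.0.1.20", "10.0.5.10", 51234, 443, 6, 12, 9000,
              100000, 100400, 0x1b)
    + _record("10.0.1.20", "203.0.113.7", 40001, 4444, 6, 3000, 2400000,
              50000, 950000, 0x18)
)

if __name__ == "__main__":
    for f in suspicious_flows(parse_netflow_v5(SAMPLE_DATAGRAM)):
        print(f"ALERT {f.src}:{f.src_port} -> {f.dst}:{f.dst_port} "
              f"proto={f.proto} octets={f.octets} duration_ms={f.duration_ms}")
```

The fixed v5 layout is the simplest case and is shown to make the record fields concrete; production collectors also handle v9 and IPFIX, whose templates are variable. The length check before unpacking is the part a collector exposed to untrusted exporters needs: the `count` field is attacker-controlled, so it is validated against the payload length rather than trusted.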
6.5 Windows Events Collection
Question: Which solutions do you propose to collect, filter, enhance Windows event logs on each
endpoint (client or server), and to centralize them into a single data store for further processing, using
existing products?
6.6 VoIP Infrastructure Monitoring and Filtering
VoIP infrastructures are increasingly integrated with IT networks, exposing them to more threats.
Question: Which solutions do you propose to protect VoIP infrastructures specifically, in terms of filtering
(e.g. firewalls), monitoring and intrusion detection? Is it possible to integrate those solutions with the
generic cyber security solutions (e.g. SIEM)?
6.7 Log Storage
Question: Which solutions do you propose to store and archive very large volumes of logs, so that third
party products can query and access the data for further processing?
6.8 Security Effectiveness Monitoring
Question: Which solutions do you propose to regularly check the effectiveness of all the detection and
prevention solutions deployed enterprise-wide (e.g. by generating network traffic that should trigger
intrusion detection systems, by sending e-mails with attachments that should be blocked by gateways,
etc), in an automated or semi-automated way?
6.9 Data Analytics
Question: Which solutions do you propose to perform large scale data analytics on all the data collected
by security products (e.g. logs, alerts, netflows, packets) in order to complement a SIEM and to detect
malicious activity that is difficult to catch with traditional tools?
6.10 Monitoring strategies on mobile and thin clients
Question: Which solutions do you propose to monitor the security of mobile clients (e.g. laptops,
smartphones, tablets) that connect to the enterprise network via a VPN, including the periods of time
when they are used without being connected?
6.11 Vulnerability Detection
Question: Which solutions do you propose to detect and identify vulnerabilities in software and
configurations deployed throughout large enterprise networks, using various approaches such as active
scanning through the network, passive scanning, endpoint agents, or connection to management systems
(e.g. CMDB)?
6.12 Network Mapping
Question: Which solutions do you propose to discover the detailed topology of large, distributed
enterprise networks using various approaches such as active scanning through the network, passive
scanning, endpoint agents, or connection to network management systems?
6.13 DLP
Question: Which solutions do you propose to implement data leak detection and prevention (DLP)?
7 ABBREVIATIONS
CDSA   Cyber Defence Situational Awareness
CIS    Communication and Information System
CMDB   Configuration Management Database
CTI    Cyber Threat Intelligence
DHCP   Dynamic Host Configuration Protocol
DLP    Data Leak Prevention
DNS    Domain Name System
EDR    Endpoint Detection and Response
FPC    Full Packet Capture
HIDPS  Host Intrusion Detection and Prevention System
IAM    Identity and Access Management
IDS    Intrusion Detection System
IEC    International Electrotechnical Commission
IPFIX  IP Flow Information Export
ISO    International Organization for Standardization
IT     Information Technology
ITM    Information Technology Modernization
IdM    Identity Management
MIME   Multipurpose Internet Mail Extensions
NAC    Network Access Control
NAS    Network Attached Storage
NATO   North Atlantic Treaty Organization
NCI    NATO Communications and Information (as in NCI Agency)
NCIA   NATO Communications and Information Agency
NIAS   NATO Information Assurance Symposium
NIDPS  Network Intrusion Detection/Prevention System
NII    Network and Information Infrastructure
NTP    Network Time Protocol
O&M    Operations and Maintenance
OS     Operating System
PTP    Precision Time Protocol
RFI    Request For Information
SAN    Storage Area Network
SIEM   Security Information and Event Management
SSL    Secure Sockets Layer
TLS    Transport Layer Security
UCC    Unified Communications and Collaboration
UEBA   User and Entity Behaviour Analytics
VPN    Virtual Private Network
VTC    Video Teleconference
VoIP   Voice over IP
WAN    Wide Area Network
Annex B.1 - Market Survey Questionnaire Pt 1
Category
Section
Cost Estimate to
Purchase the
solution (once)
Annual Cost
Estimate to
Maintain/Suppo
rt the solution
(every year)
Licensing Model
Installation models
Distributed Deployment
Features
Questions for
Network
Features
Question is
Mandatory (M)
or Optional (O)
M
M
M
M
O
O
O
M
O
M
O
O
M
M
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
M
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
O
Please provide any other description to explain the licensing/costing model for the annual cost
O
Can the solution be installed as software on an existing operating system, on a physical
machine?
M
Can the solution be installed as software on an existing operating system, on a virtual machine?
M
Can the solution be deployed as a virtual appliance? (i.e. as a virtual machine including its own
operating system)
Can the solution be deployed as a hardware appliance?
Can the solution be deployed with another installation model? Please describe.
Can the solution function without Internet connection (air-gapped networks), with manual
Air-gapped networks support
updates?
What is the normal update frequency for detection/remediation data such as signatures, rules,
hashes, indicators, etc?
Updates
How are customers informed of security updates of the product (website, email, online
structured API, integrated in the product itself, ...) ?
Is the source code of the product available for security analysis/auditing, with or without an
NDA?
Security
Is there vendor specific documentation in relation to the hardening of the product? (if so, please
provide the URL)
URL of web page providing the list of third-party products that can be integrated with the
solution (may also be provided in a separate document)
Does the solution provide a supported and documented API to automate functionality, to push
data into the solution?
Does the solution provide a supported and documented API to automate functionality, to pull
data from the solution?
URL of web page containing the documentation of the product API (otherwise the
Integration
documentation may be provided as a separate document)
Which cyber security standards (e.g. CVE, CPE, STIX, …) and de-facto industry standards (e.g.
Snort rules, YARA rules, …) are supported by the solution?
Which format and/or standard does the solution use to generate and store its logs and events
(single-line text, multiline text, json, syslog, ...)
Are logs from the solution exportable in real-time and/or at scheduled times?
For agent/server based solutions, can data produced by the agents be sent to a third party data
store in addition to the dedicated server of the solution?
How many resources are required to maintain and manage the solution? (FTEs)
Manpower
How many resources are required to operate the solution on a daily basis? (FTEs)
Performance
Questions for
Firewall
products only
What is the main licensing model for the solution?
Licensing model description (if selected "per usage", "several" or "other")
License duration (e.g. 1, 2, 3 years)
Currency for cost estimates
Cost Estimate Currency
Cost Estimate to Purchase the
Note: Please fill in the cells below that match the licensing model, and leave the others empty
solution (once)
Purchase Cost Estimate for 1 unit (if applicable) - unit cost
Per unit / installed instance Purchase Cost Estimate for 10 units (if applicable)
Purchase Cost Estimate for 100 units (if applicable)
Purchase Cost Estimate to protect 1000 end-users (if applicable)
Per protected end-user
Purchase Cost Estimate to protect 10000 end-users (if applicable)
Purchase Cost Estimate to protect 50000 end-users (if applicable)
Purchase Cost Estimate to protect 1000 endpoints (if applicable)
Per protected endpoint
Purchase Cost Estimate to protect 10000 endpoints (if applicable)
Purchase Cost Estimate to protect 50000 endpoints (if applicable)
Purchase Cost Estimate to protect 10 servers (if applicable)
Per protected server
Purchase Cost Estimate to protect 100 servers (if applicable)
Purchase Cost Estimate to protect 1000 servers (if applicable)
Purchase Cost Estimate for 1 console/client user (if applicable)
Per console/client user
Purchase Cost Estimate for 10 console/client users (if applicable)
Purchase Cost Estimate for 100 console/client users (if applicable)
Purchase Cost Estimate for 1 active console/client user session (if applicable)
Per active console/client user
Purchase Cost Estimate for 10 active console/client user sessions (if applicable)
session
Purchase Cost Estimate for 100 active console/client user sessions (if applicable)
Based on Storage Capacity Purchase Cost Estimate based on storage capacity: please describe (if applicable)
Based on daily amount of
Purchase Cost Estimate based on ingested data: please describe (if applicable)
ingested data
Based on Usage
Purchase Cost Estimate based on usage: please describe (if applicable)
Please provide any other description to explain the licensing/costing model for the purchase
Other Model
cost
Annual Cost Estimate to
Maintain/Support the solution Note: Please fill in the cells below that match the licensing model, and leave the others empty
(every year)
Annual Cost Estimate for 1 unit (if applicable) - unit cost
Per unit / installed instance Annual Cost Estimate for 10 units (if applicable)
Annual Cost Estimate for 100 units (if applicable)
Annual Cost Estimate to protect 1000 end-users (if applicable)
Per protected end-user
Annual Cost Estimate to protect 10000 end-users (if applicable)
Annual Cost Estimate to protect 50000 end-users (if applicable)
Annual Cost Estimate to protect 1000 endpoints (if applicable)
Per protected endpoint
Annual Cost Estimate to protect 10000 endpoints (if applicable)
Annual Cost Estimate to protect 50000 endpoints (if applicable)
Annual Cost Estimate to protect 10 servers (if applicable)
Per protected server
Annual Cost Estimate to protect 100 servers (if applicable)
Annual Cost Estimate to protect 1000 servers (if applicable)
Annual Cost Estimate for 1 console/client user (if applicable)
Per console/client user
Annual Cost Estimate for 10 console/client users (if applicable)
Annual Cost Estimate for 100 console/client users (if applicable)
Annual Cost Estimate for 1 active console/client user session (if applicable)
Per active console/client user
Annual Cost Estimate for 10 active console/client user sessions (if applicable)
session
Annual Cost Estimate for 100 active console/client user sessions (if applicable)
Based on Storage Capacity Annual Cost Estimate based on storage capacity: please describe (if applicable)
Based on daily amount of
Annual Cost Estimate based on ingested data: please describe (if applicable)
ingested data
Based on Usage
Annual Cost Estimate based on usage: please describe (if applicable)
Other Model
Generic
Questions (all
products)
Question
Company Name
Product Name
Current Version or Model
Main Product Category
Product Categories (if several or other)
Former Company Name (if applicable)
Former Product Name (if applicable)
Company Headquarters Country
URL to product description webpage
Product
Information
Costing
NATO UNCLASSIFIED
What is the maximal network throughput supported by the solution? (if applicable)
Can the solution be distributed on several geographical sites, and can it be centrally managed as
a single solution? (if applicable)
What product features does your solution have which make it appropriate for low bandwidth,
limited connectivity and/or low QoS environments?
Which unique features does the solution provide, compared to its competitors?
Column of markers (extraction order): M, M, O, M, O, O, O, O, M, M, M, M, O, O, O, O, M, M, O, M, O, O
Please indicate which features are supported by the product in the list below:
Application Awareness (detect an application protocol on any port)
Dedicated Network Interface for Management
Different routing instances
Centralized Management of distributed devices with a graphical user interface
Centralized Management of filtering policies
Centralized Management of upgrades
Network troubleshooting / Packet Capture
EAL4+ evaluation
Encrypted traffic decryption (SSL decryption)
Option for integrated Network Intrusion Prevention (NIPS)
Column of markers (extraction order): O ×10
Annex B.1 - Market Survey Questionnaire Pt 1
Answer columns (one per product, currency EUR): Answers for Product 1 (EUR) through Answers for Product 10 (EUR)

Intrusion Detection products (NIDPS) only
Features
Please indicate which features are supported by the product in the list below:
Network Intrusion Detection
Network Intrusion Prevention
Centralized Management
Hierarchical policy for detection signatures
Compatible with Snort rules
Inline bandwidth up to 10GbE
Integration with Active Directory
Column of markers (extraction order): O ×7
Integration with SIEM
Fail Safe when deployed inline
Encrypted traffic decryption (SSL decryption)
Rogue Detection (detection of unknown/new endpoints)
Anomaly Detection (record network traffic baseline, detect deviations)
Passive application layer network traffic log generation (passive http, dns, smtp, ssl/tls certinfo...)
Detailed application layer session context information available in alert (e.g. http headers extracted if a part of the body matches a rule)
Column of markers (extraction order): O ×5
Features to help configuration and tuning of the detection policies (e.g. discovery mode)
O

Questions for Host Intrusion Detection products (HIDPS) and Endpoint Detection and Response (EDR) only
Features
Please indicate which features are supported by the product in the list below:
Host Intrusion Detection
Host Intrusion Prevention
Centralized Management
Hierarchical policy for detection signatures
Support for YARA rules
Support for OpenIOC rules
Integration with Active Directory
Integration with SIEM
Encrypted traffic decryption (SSL decryption)
Rogue Detection (detection of unknown/new endpoints)
Anomaly Detection (record network traffic baseline, detect deviations)
Memory dump capability
Is it possible to define and deploy custom rules from a central management server to all the endpoints?
Which concepts and combinations can be used in custom rules? (file, process, imported libraries, network sockets, mutexes, memory strings, ...)
Is it possible to run a query on all the endpoints from a central management server? Or on groups of endpoints based on their characteristics?
Column of markers (extraction order): O ×8
User interface performance: can the user interface (and the corresponding application server, if applicable) run separately from the correlation engine, in order to avoid any impact on the UI responsiveness when the correlation engine is heavily loaded?
O
Extensible data model: is it possible to create custom objects and attributes to store additional data, and to use them for correlation and visualization?
O
Can the solution be deployed with a hierarchy of several SIEM systems? (e.g. several layers)
Column of markers (extraction order): O ×4
Is the system limited in the maximum amount of information it can ingest, or is it fully scalable (meaning it can be extended indefinitely by increasing the number of servers)?
O
Does the system allow load balancing between the data repositories?
O
Does the system allow for data redundancy and server redundancy, so that one or several components can become unavailable without impacting access to the data? If it does, is the data redundancy counted in the license model (i.e. if the same event appears 2 or 3 times, is that event counted as 2 or 3 events in the licensing model, or only as a single event)?
O
Can all the data, all the content and all the configuration files be easily backed up without having to stop a database or an application server? How easy is it to restore data?
O
For the reports and dashboards, is it possible to do advanced customization? Can the reports be scheduled? Can the dashboards be automatically refreshed at a regular interval?
Please indicate which features are supported by the product in the list below:
Integration with custom event sources (with configuration or scripting)
Flexible visualization and dashboards
Scalability (distributed system)
User interface performance
Centralized Management and Configuration
Local search per site, from central server
Global search from central server - Is a search on the central interface distributed to all remote instances, with the results centrally aggregated in the management interface?
Powerful query language
URL of web page providing the list of third-party products that can be integrated as log/event sources (may also be provided in a separate document)
Features
O
Features to help configuration and tuning of the detection policies (e.g. discovery mode)
Is there an advanced monitoring mechanism in the solution that measures potential performance bottlenecks and gives clear information about what should be done to fix the limitation?
Is there a way to centrally manage all components, from the event collectors to the main SIEM servers?
Can the data collection mechanism be updated remotely, without having to access the server where the data resides?
Questions for Full Packet Capture (FPC) and Network Forensics products only
Column of markers (extraction order): O ×2
Is there a query optimization or query analyser mechanism in the solution, which can be used to analyse the performance impact of each query on the system and assist in optimizing those queries?
Features
O
Does the analysis for detection happen on the endpoint itself (i.e. using the endpoint's CPU), on a central server of the solution, or a mix of both?
Does the SIEM work with a fixed database schema for each event (for instance one field for the source address), or is there no fixed schema (a given event could for instance have multiple source IP addresses)?
Does the system allow running advanced analytical queries? (e.g. does it allow manipulating data in a nearly unlimited way, using a query language)
Can the data be sent to another system, and does this impact the license model?
Is there a native event source monitoring mechanism in the solution, to detect when event sources are failing to send data?
Questions for Log Aggregation products only
Column of markers (extraction order): O ×13
Does the system support data enrichment (adding external data to an “event” after it has been collected, to make it more relevant)?
Does the system support IP geolocation enrichment?
Does the system allow mapping IP addresses/hostnames to an internal network architecture (for instance associating a subnet or an asset type to an IP address/hostname; this is a specific data enrichment type)?
Features
O
Does the solution require a software agent to be deployed on every protected endpoint?
Please indicate which features are supported by the product in the list below:
URL of web page providing the list of third-party products that can be integrated as log/event sources (may also be provided in a separate document)
Integration with custom event sources (with configuration or scripting)
Support for network flow data sources (NetFlow, IPFIX, JFlow, sFlow, …)
Simple correlation rules (e.g. simple tests such as "if event A and event B with same destination IP address then ...")
Elaborate correlation rules with intermediate results (e.g. combining several simple rules and keeping track of previous results)
Flexible visualization and dashboards
Scalability (distributed system) - Can the solution be distributed over several hardware instances in order to improve scalability and performance over time?
Questions for SIEM products only
Column of markers (extraction order): O ×19
Please indicate which features are supported by the product in the list below:
Flexible visualization and dashboards
Scalability (distributed system)
User interface performance
Local search per site
Global search from central server
Powerful query language
Integration with SIEM
Encrypted traffic decryption (SSL decryption)
Network flows generation from network traffic (NetFlow, IPFIX, JFlow, sFlow, …)
Centralized Management and Configuration
Metadata and file extraction
Column of markers (extraction order): O ×11
Application layer based indexed search
O
Can custom protocols be described and imported (custom protocol parsers)?
Passive application layer network traffic log generation (passive http, dns, smtp, ssl/tls certinfo...)
Real-time push-based data (and/or file) extraction based on pre-defined rules (example: extract all files of type X or containing Y to a folder or remote system)
O
Please indicate which features are supported by the product in the list below:
Column of markers (extraction order): O ×2
Questions for Orchestration / Automation products only
Features
Provided with a library of reusable playbooks corresponding to cyber security processes, including incident response processes
Playbooks support a mix of automated and manual tasks
Fully customizable playbooks
URL of web page providing the list of third-party products that can be integrated for orchestration / automation (may also be provided in a separate document)
Can the solution record metrics on time savings, how often playbooks are triggered, and which aspects of playbooks are triggered?

Questions for Network Aggregator and Tap products only
Features
Please indicate which features are supported by the product in the list below:
Network flows generation from network traffic (NetFlow, IPFIX, JFlow, sFlow, …)
Encrypted traffic decryption (SSL decryption)
Traffic aggregation (several ports into one)
Traffic filtering (for example to discard encrypted traffic)
Traffic splitting (one port into several)
Remote management and configuration
Fail safe
Column of markers (extraction order): O ×12
Support for "virtual inline" deployment of NIDPS (e.g. using software configuration of the aggregator to force network traffic to go through a NIDPS, as opposed to physical cables)
O
Integration with virtual infrastructures (e.g. virtual taps)
O
Product Categories
Firewall solutions
Log collection solutions
Security Information and Event Management solutions (SIEM)
Network-based Intrusion Detection and Prevention Systems (NIDPS)
Host-based Intrusion Detection and Prevention Systems (HIDPS)
Combined security analytics of logs, network packets, network flows and endpoint information
Threat Hunting solutions
Cyber Threat Intelligence (CTI) management solutions
Combined security systems (e.g. firewall with NIDPS)
VoIP infrastructure security monitoring and boundary protection
Data Leak Prevention solutions (DLP)
Endpoint monitoring and incident response solutions, Endpoint Detection and Response solutions (EDR)
Network Taps and Aggregators
Full Packet Capture (FPC) and Network Forensics solutions
Standalone Vulnerability Assessment Scanning solutions
Distributed Vulnerability Assessment scanning solutions
Web Application Vulnerability Assessment scanning solutions
Penetration Testing solutions
Standalone Computer Forensics solutions
Remote/Distributed Computer Forensics solutions
Cyber Security Incident Management solutions
Orchestration/Automation solutions for Incident Response
Cyber Defence Situational Awareness solutions (CDSA)
Automated Sandbox/Detonation solutions for malware detection
Sandbox/Detonation solutions for malware analysis
Malware Analysis tools (reverse-engineering, debuggers, decompilers, static analysis, malware collection management, etc.)
Standalone Digital Forensics solutions (disk, mobile phones, memory forensics, timeline generation, evidence management)
Distributed/Remote Digital Forensics solutions (disk and memory forensics)
Deception-based detection solutions (e.g. honeypots, honeytokens)
Network flows generation/collection solutions (e.g. NetFlow, IPFIX and similar)
SSL/TLS Decryption solutions
Anomaly Detection solutions
User and Entity Behavior Analytics (UEBA) and Insider Threat Detection solutions
Website security monitoring and defacement detection solutions
Cyber Security Data Analytics and Machine Learning solutions
Several (please describe)
Other (please describe)

License Models
Per unit / installed instance (unit cost)
Per protected end-user
Per console/client user
Per active user session
Per protected endpoint/device
Based on storage capacity
Based on daily amount of ingested data
Per usage (please describe below)
Several (please describe below)
Other (please describe below)

Currencies
EUR
USD
GBP
Other (please describe below)
Annex B.2 – Market Survey Q&A Pt 2
Cyber Security Solutions RFI Part 2
Answer Sheet - Architecture
1 Company Information
Questions
Answers
Company Name
Former Company Name (if applicable)
Company Headquarters Country
URL to company main webpage
Company Logo (small picture)
2 Architecture Questions
Important note: Please make sure that all solutions mentioned in the answers to the questions below are also described in the answers to part 1 of this RFI, otherwise they cannot be taken into consideration for the architecture definition.
2.1 SSL Decryption for Monitoring and Filtering
Network traffic within internal networks and towards external networks is increasingly encrypted at the application level, using protocols such as SSL/TLS. This evolution has a dramatic impact on the effectiveness of all security products that analyse network traffic, such as application-level firewalls, network intrusion detection systems and full packet capture / network forensics.
Question: Which solutions do you propose to address that challenge, using existing products?
Answer:
2.2 Internal E-mail Traffic Monitoring and Filtering
Question: Which solutions do you propose to monitor and filter internal e-mail traffic (i.e. between
internal employees of an organisation), using existing products? How do you propose to analyse
encrypted e-mails (e.g. using S/MIME)?
Answer:
2.3 Service-specific Monitoring
Question: Which solutions do you propose to monitor and filter the following services specifically, in
addition to generic security solutions using logs and network traffic capture (e.g. beyond SIEM and
IDS), using existing dedicated products?
• Operating Systems (servers, clients, all endpoints)
• Network infrastructure (routers, switches)
• Active Directory infrastructure
• DNS Servers
• DHCP Servers
• Time Distribution (NTP/PTP Servers)
• Virtualisation Infrastructure
• Remote Access Services (VPN concentrators and clients)
• SAN Infrastructure
• File Servers (including NAS)
• Backup & Archive Systems
• Wireless Infrastructure
• VoIP/VTC Infrastructure
• Standard Desktop Applications
• Application Store
• Printing and scanning services
• Enterprise Portal Services (e.g. Microsoft SharePoint)
• Enterprise Real-Time communication infrastructure (e.g. MS Skype, Lync, Office Communicator)
• Internal Web Servers
• Externally Facing Web Servers
• Web Proxies
• Reverse Proxies
• Databases
• Firewalls
• Data diodes
• Authentication and Access Management Infrastructure
• NAC
Answer:
2.4 Netflow generation, collection, analysis and archiving
Question: Which solutions do you propose to generate, collect, analyse (e.g. for intrusion detection)
and archive Netflow data (e.g. NetFlow, IPFIX or similar) corresponding to the network traffic, using
existing products?
Answer:
2.5 Windows Events Collection
Question: Which solutions do you propose to collect, filter and enhance Windows event logs on each endpoint (client or server), and to centralize them into a single data store for further processing, using existing products?
Answer:
2.6 VoIP Infrastructure Monitoring and Filtering
VoIP infrastructures are increasingly integrated with IT networks, which exposes them to more threats.
Question: Which solutions do you propose to protect VoIP infrastructures specifically, in terms of
filtering (e.g. firewalls), monitoring and intrusion detection? Is it possible to integrate those solutions
with the generic cyber security solutions (e.g. SIEM)?
Answer:
2.7 Log Storage
Question: Which solutions do you propose to store and archive very large volumes of logs, so that
third party products can query and access the data for further processing?
Answer:
2.8 Security Effectiveness Monitoring
Question: Which solutions do you propose to regularly check the effectiveness of all the detection and prevention solutions deployed enterprise-wide (e.g. by generating network traffic that should trigger intrusion detection systems, by sending e-mails with attachments that should be blocked by gateways, etc.), in an automated or semi-automated way?
Answer:
2.9 Data Analytics
Question: Which solutions do you propose to perform large scale data analytics on all the data
collected by security products (e.g. logs, alerts, netflows, packets) in order to complement a SIEM
and to detect malicious activity that is difficult to catch with traditional tools?
Answer:
2.10 Monitoring strategies on mobile and thin clients
Question: Which solutions do you propose to monitor the security of mobile clients (e.g. laptops,
smartphones, tablets) that connect to the enterprise network via a VPN, including the periods of
time when they are used without being connected?
Answer:
2.11 Vulnerability Detection
Question: Which solutions do you propose to detect and identify vulnerabilities in software and
configurations deployed throughout large enterprise networks, using various approaches such as
active scanning through the network, passive scanning, endpoint agents, or connection to
management systems (e.g. CMDB)?
Answer:
2.12 Network Mapping
Question: Which solutions do you propose to discover the detailed topology of large, distributed
enterprise networks using various approaches such as active scanning through the network, passive
scanning, endpoint agents, or connection to network management systems?
Answer:
2.13 DLP
Question: Which solutions do you propose to implement data leak detection and prevention (DLP)?
Answer: