Loren Data's SAM Daily™

FBO DAILY ISSUE OF APRIL 29, 2012 FBO #3809
SOURCES SOUGHT

70 -- Request for Information (RFI) – Advanced Threat Protection / Deep Packet Inspection & Analytics (DPIA)

Notice Date
4/27/2012
 
Notice Type
Sources Sought
 
NAICS
334112 — Computer Storage Device Manufacturing
 
Contracting Office
U.S. Department of State, Office of Logistics Management, Acquisition Management, P.O. Box 9115, Rosslyn Station, Arlington, Virginia, 22219, United States
 
ZIP Code
22219
 
Solicitation Number
SAQMMA12I0011
 
Archive Date
5/25/2012
 
Point of Contact
Anil N. Nayak, Phone: 703-875-6843; Vincent J. Sanchez, Phone: 703-875-6629
 
E-Mail Address
nayakan@state.gov, SanchezVJ@state.gov
 
Small Business Set-Aside
N/A
 
Description
This is an industry-wide Request for Information Notice for planning purposes only. This is not a competitive solicitation announcement and no contract will be awarded from this notice. The Department of State is requesting industry expertise to assist in developing a potential future requirement. All information requested is voluntary; no reimbursement will be made for any cost associated with providing information in response to this Notice. We thank you for your participation and ask that all questions regarding this announcement be submitted electronically via email so we can keep track of the information exchanges. Please see the information below and respond accordingly.

Introduction
The Department of State is looking to refresh the Network-based Advanced Threat Detection (ATD) / Deep Packet Inspection & Analytics (DPIA) technologies that support its Defense in Depth architecture. The technology will sit adjacent to the current Intrusion Detection Systems (IDS) and other border protection technologies. We are looking to combat the problem of zero-day polymorphic malware, which is often used to deliver the targeted attack payload. Advanced malware often uses multi-packing of files, layered encoding, dynamic malware creation and other advanced techniques to bypass many of today's signature-based security controls and deliver its malicious payload onto the targeted individuals' computing systems. We are looking for the best of breed of these products, which should also include features such as behavioral detection, heuristics, anomaly detection, virtual execution environments and other content policy rules to enable the rapid evaluation and playback of potentially malicious content. The tool must also be scalable to monitor both inside and outside of our border protection schemes at two internet points of presence at line speed.

With that said, this RFI is seeking comments on the requirements and measurements to ensure that we get the best of breed in the Advanced Threat Detection / Deep Packet Inspection & Analytics market.

Infrastructure
Department of State infrastructure consists of 2 points of presence and includes an arsenal of security tools that support a security-in-depth architecture. The network architecture and tools pull data from a global environment that consists of IDS/IPS tools, firewalls, insider threat protection tools, host-based security tools, an enterprise SAN, and a SIEM. The network backbone runs at various line speeds and produces an average of 700 MB/sec of captured data packets into our repository. This average is expected to grow 30% - 40% compounded per year. Interface, storage and retention requirements will grow to adhere to mandates.

User Adoption
The Department of State's security posture is based on project success and milestones, of which analysts spearhead the program's worth. A successful program relies on carefully calculated, attainable metrics. To facilitate user adoption, it is important to find out what the legacy process is. Most IT projects involve designing systems which replace or augment some legacy process. Hence, it is important to show not only that the new system is being used, but that the old process is phased out. In general, if the legacy process that the system solution was designed to replace is still in use after certain milestones or metrics have not been met, then the project is a failure. It is important to show value by properly planning and measuring agreed-upon metrics. How would you propose a set of requirements to address a successful user adoption model?

Submission Details
The Department of State is looking for potential RFI responders to outline their approach to how to write the requirements, what we could look for in a response, and what is commercially available to address, and expand on, the functional areas below.

Infrastructure
1. What is your timeline for full deployment and interoperability, and can you provide examples of previous work performed?
2. How will your solution monitor and manage 3 Points of Presence (POPs)?
3. How will your solution address fault tolerance, load balancing, and disaster recovery?
4. How would your solution leverage the existing NetApp SAN or other vendor-neutral custom SANs?
5. How do you propose transitioning existing data from the existing SAN to a new SAN?
6. If you have a proprietary SAN, can the data be transitioned to another SAN?
7. How could we plan to ensure a minimum of 30 days of storage is maintained across a 3-5 year product lifecycle?
8. How is your storage solution scalable?
9. How would you address scalability for your solution?
10. How would your product integrate with Symantec SIEM?
11. How much integration work would be required for SIEM integration?
12. What types of log formats can be exported from your product?
13. Can your product integrate with IBM ISS and McAfee IDS, and how?
14. Can your product support 10 GB line rate?
15. Will your product support throughput of 500 mbps to 1 GB capture rate, and have the ability to capture higher rates based on the increasing anticipated future flow rate?
16. Can your product be virtualized? If so, what would the virtualized environment look like?
17. Are there any limitations with installing the solution on a custom hardware platform?
18. Do you offer a software / application-only install option?
19. What is the licensing model for your solution?
20. How does your product provide Role Based Access Controls (RBAC)?

Technical Analyst Requirements Matrix
1. What is your plan for migrating current signatures, parsers, feeds and alerts, and how would it be carried out?
2. List examples of tools that your product currently (full public release, not a beta) interoperates with.
3. Where and how do you get malware analysis and reputation feeds?
4. How do you facilitate identification of malicious email?
5. What enhanced analytics capabilities does your product provide?
6. What do you consider "full packet capture"? Does your product provide full packet capture?
7. Can you decrypt / break SSL, TLS and other encrypted traffic? If so, which ones can you decrypt?
8. Does the SSL/TLS/encrypted traffic breakout solution come from a 3rd party integration partner? If so, who?
9. How do you build your baseline for anomaly detection?
10. How does your product handle pivoting on packet data to provide insight into lateral activity?
11. How does your product use virtual environments/appliances?
12. How is it able to interact with sandbox solutions for file analysis? List the sandbox solutions.
13. Which protocols and best practices does your product identify and provide alerts for?
14. How can your product be used to create custom alerts/rules that are not common to everyone, but specific to the Department of State? What is the process for creating custom rule sets?
15. How does your tool allow for drill-down capability for anomalous data?
16. How does your product locate and reconstruct sessions? What is the reconstruction format?
17. How does it integrate with Active Directory and DNS to provide the bigger picture of anomalies?
18. How "low" does packet inspection go? If it is customizable, please list examples. What characteristics of UDP, TCP, SMTP, SSL, TLS, ... packets are readable/alertable with your product?
19. What is the maximum size of a PCAP (packet capture) export for your product?
20. What are the searchable fields in your product (e.g. IP, URL, domain, username, originating email, spoofed email, email server, attachment name, file type, attachment header, user-agent, GET/POST, MD5, exploit)?
21. How does your product handle malware analysis (inline)? What files are supported for analysis?
22. Can strings be run on attachments? Can packed executables raise an alert?
23. Is the product able to alert on encoding and encryption of files? Is your tool able to recognize that a GET and its return are different files?
24. How does your tool handle common encoding schemes, like BASE64?
25. How does your product run an MD5 and SHA1 search of malware analysis data?
26. How does your product alert on MD5 and/or SHA1 creation of files?
27. Can the malware analysis data be exported into a standard XML format?
28. How does your product interact with both IPv4 and IPv6 environments?

Program Implementation
1. How would you propose a transition model from the existing tool?
2. What type of training curriculum and tool adoption model would you propose?
3. What is the general software / hardware update schedule for your product?
4. What is the cost model and availability for 24 x 7 support for both hardware and software?
5. How do you qualify the requirements for a Subject Matter Expert (SME) for your solution?
6. Can you provide any industry white paper that covers all the functionality of this RFI?
7. What other large Federal customers do you currently have with deployments on networks of 100,000 or more nodes and 2TB daily throughput, deployed worldwide? May we contact one of these customers?

All responses to the above questions should be sent to both points of contact listed on this notice by the time stated. Thank you for your participation; we look forward to receiving your firm's input and interest.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/State/A-LM-AQM/A-LM-AQM/SAQMMA12I0011/listing.html)
 
Place of Performance
Address: DC Metropolitan Area, Washington, District of Columbia, 20520, United States
Zip Code: 20520
 
Record
SN02733274-W 20120429/120427235127-77311f2c4d1688d1a73edc6dda9c2e54 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)

© 1994-2020, Loren Data Corp.