SOURCES SOUGHT
D -- Insider Threat Detect Solution Support
- Notice Date
- 6/8/2007
- Notice Type
- Sources Sought
- NAICS
- 541519, Other Computer Related Services
- Contracting Office
- Defense Information Systems Agency, Procurement and Logistics, DITCO-Scott, 2300 East Dr. Building 3600, Scott AFB, IL, 62225-5406, UNITED STATES
- ZIP Code
- 00000
- Solicitation Number
- RFIEG0078
- Response Due
- 7/10/2007
- Archive Date
- 7/25/2007
- Description
DESCRIPTION

THIS IS A REQUEST FOR INFORMATION (RFI) FOR AN INSIDER THREAT DETECT SOLUTION TO DETECT AUTHORIZED USERS WHO CONDUCT MALICIOUS ACTIVITY WITHIN A NETWORK OR ON A SYSTEM.

SUBJECT: This document is a Request for Information (RFI) for an Insider Threat Detection solution that can be deployed on hosts and networks enterprise-wide across the DOD. Traditional efforts to secure networks have been focused on placing defenses at the network boundary, with less emphasis on end-point or host-based security. While such defenses as network firewalls and Network Intrusion Detection Systems (NIDS) have proven effective at countering identifiable threats originating from outside the network boundary, there is an equally damaging threat posed by those who have access to information systems and networks and who operate from within. The activity of these "insiders" would not normally be detected by the security measures in place. The Insider Threat Detect solution will provide the functional capabilities for more aggressive insider data gathering by detection technology not normally a part of network management or security within a computing environment.

For the purpose of this RFI, an "insider" is defined as anyone who uses authorized credentials to access a DOD computer and/or network, regardless of whether or not those credentials were acquired through legal channels. The types of insider "unauthorized" activities include, but are not limited to: exceeding permissions through host policy violations, conducting malicious activities, providing unapproved access, circumventing security controls, unintentionally damaging resources, and accessing or removing data without authorization or in an inappropriate manner (also referred to as exfiltration or extrusion).

A potential Insider Threat Detect solution can be any combination of security products collecting activity data (i.e. a correlator) from host agents installed directly on network end-points (e.g. local host workstations, servers, routers, etc.) and from Network Sensor feeds. In order to be effective across enterprise networks, a proposed solution utilizing host-based deployment capabilities must be centrally managed to support installation, data collection, updating, and configuration using the Host Based Security System (HBSS) Central Manager.

For this RFI, the following descriptions will be used:

- Host Agent: This portion of the solution is a light-weight host agent that collects user and system activity such as user profiling and policy violations. These actions, when taken together, may be classified as normal activity, bad behavior, accidental actions, or potentially an insider with malicious intent. The local host agent communicates through the HBSS Central Manager to the Correlator.
- Correlator Console: This portion of the solution correlates data from the host and network data feeds, log files, and other available sources. The Correlator Console is specifically designed to enable the identification of variations in authorized user behavior profiles as well as potentially suspicious insider activities on either the host or network.
- Network Detector: The network detection portion of the solution identifies when a user's activities depart from normal user activities. In addition to being useful in detecting anomalous insider activity, the detector is also useful in detecting outsiders who have successfully penetrated the network and are acting as an authorized user. Network detection capabilities may be software only, using existing sensor-collected data.
- HBSS Central Manager: The HBSS Central Manager (ePolicy Orchestrator from McAfee) is an established DOD Enterprise tool that is designed to provide centralized installation, management, monitoring, and configuration of host-based IA capabilities. An Insider Threat Detect solution that utilizes a host agent security product is envisioned to be managed by the HBSS Central Manager.

Solutions to this RFI can have any combination of the above security products. For example, a solution can have just a network detector and a correlator that are capable of meeting any combination of the System Capabilities, while another solution may contain all three of the security products listed above. Other potential solutions can have a totally innovative design and security product offering while still meeting some, if not all, of the system requirements.

DESCRIPTION

The Defense Information Systems Agency (DISA), in support of the Computer Network Defense (CND) mission assigned by the United States Strategic Command (USSTRATCOM), is seeking information from industry, academia, and government that will assist in the acquisition of Insider Threat detection capabilities to enhance the CND posture of the Department of Defense (DOD) computer network systems. Small businesses are encouraged to respond to this RFI. The Government anticipates implementing a procurement action for the Insider Threat Detect solution in the 1st quarter of FY2008.

REQUIREMENTS

This section describes the desired capabilities for the Insider Threat Detect solution. A solution with multiple products using a single correlator is acceptable for the purpose of this RFI. Individual products with a subset of the critical capabilities are not of interest. To provide a comprehensive solution, vendor teaming and/or government organizations with these solutions are encouraged to respond to this RFI. (NOTE: Capabilities in CAPS are critical and must be included in the solution. Due to limited FedBizOpps document formatting, each capability listed below is separated by ";".)
General System Capabilities

- The system may be composed of a central Correlator Console, Network Sensors, and Host Sensors
- The system may have the capability to support the deployment, installation, and management of system components on small (500 users) and large-scale networks (up to 40,000 users)
- ALL SYSTEM COMMUNICATIONS SHALL BE ENCRYPTED USING CRYPTOGRAPHIC MODULES CERTIFIED IN ACCORDANCE WITH THE CURRENT NIST CERTIFIED CRYPTOGRAPHIC MODULES VALIDATION PROGRAM, FIPS 140
- THE SYSTEM SHALL NOT INTERFERE WITH THE OPERATION OF DOD MISSION CRITICAL APPLICATIONS
- THE SYSTEM SHALL NOT INTERFERE WITH AUTHORIZED PATCHING AND UPGRADING
- The system may not interfere with the normal authorized use of the monitored networks and hosts
- The system may support DOD public key infrastructure (PKI) certificates for user authentication
- ALL COMPONENTS OF THE SYSTEM SHALL REQUIRE SECURE IDENTIFICATION AND AUTHENTICATION MECHANISMS BETWEEN COMPONENTS
- The system may support device certificates for device authentication
- THE SYSTEM SHALL SUPPORT INTERNET PROTOCOL VERSION 4 (IPV4)
- The system may be Internet Protocol Version 6 (IPv6) capable
- The system may not significantly impact network throughput
- The system may have the ability to time-stamp all events in a consistent frame of reference

General Correlator Console Capabilities

The Correlator Console may:
- operate on Windows 2000, XP, Server 2003, and Vista
- allow for secure remote administration
- not require proprietary hardware
- provide a graphical user interface for management of Network and Host Sensors
- provide an open API and SDK for management of third party data sources
- provide the ability to display, save and restore all console configuration settings
Correlator Console Input Capabilities

- THE CORRELATOR CONSOLE SHALL PROVIDE THE CAPABILITY OF COLLECTING ALL OUTPUT FROM THE NETWORK SENSORS AS CONFIGURED BY THE ANALYST
- THE CORRELATOR CONSOLE SHALL PROVIDE THE CAPABILITY OF COLLECTING ALL OUTPUT ORIGINATING FROM THE HOST SENSORS, AS CONFIGURED BY THE ANALYST

The Correlator Console may:
- support ODBC for obtaining alert information from other sources
- obtain computer, computer group, user, and user group information from Active Directory servers
- provide the capability to obtain computer, subnet, user, and user group information from LDAP servers
- have the capability to import externally generated logs
- have the capability to support network time protocols

Correlator Console Processing Capabilities

The Correlator Console may have the capability to:
- generate audit logs on all monitored events; the audit logs may include, as a minimum, user ID, timestamp of activity, sensor ID, and information about the event that generated the audit log entry
- normalize sensor generated and externally generated logs
- correlate sensor generated and externally generated logs
- integrate sensor generated and externally generated logs
- perform event data filtering for historical trending

The Correlator Console may:
- provide the configurable capability to display a sequence map of subject activity
- provide for selected data mining from external sources
- be configurable to profile individual subject behavior patterns
- provide predefined templates for potential misuse behavior patterns
- be capable of defining role-based potential misuse behavior patterns based on analyst input
- be capable of identifying subjects with potential misuse behavior patterns
- have the capability to automatically generate a profile of normal role-based user behavior
- have the capability to identify anomalies from the profile of normal role-based user behavior
- have the capability to identify large-scale trawling for information
- have the capability to identify the potential exfiltration of data
- THE CORRELATOR CONSOLE SHALL HAVE THE CAPABILITY TO IDENTIFY EMAIL SENT TO A SPECIFIED RECIPIENT, DOMAIN, OR NATION

The Correlator Console may:
- have the capability to identify subjects with a high volume of outgoing data transfers
- have the capability to identify high volume printing
- have the capability to identify the mislabeling or improper tagging of data
- provide the ability to monitor changes to user account profiles
- be configurable to identify remote access of files containing analyst specified key words
- be configurable to detect an escalation of privilege by an analyst
- be configurable to detect and catalog multiple different user logins using the same user account
- be configurable to detect and catalog a single subject with multiple user accounts

Correlator Console Output Capabilities

- THE CORRELATOR CONSOLE SHALL BE CAPABLE OF DISPLAYING ALL DETECTED ACTIVITIES AS CONFIGURED BY THE ANALYST

The Correlator Console may:
- provide the capability to reassemble all sensor-provided output into human-readable format as configured by the analyst
- enable the analyst to view on the console near-real-time monitoring of specific subjects
- support generation of custom reports from collected data
- provide the capability to export the collected data in CSV and/or XML formats
- support generation of custom reports from the output of all processing
- provide the capability to export the results from all processing in CSV and/or XML formats
- support ODBC for providing information to other systems

Correlator Console Notification Capabilities

The Correlator Console may have the capability to:
- alert the analyst based on configurable events
- generate a configurable alarm to provide notification through web services
- generate a configurable alarm to provide notification through email
- generate a configurable alarm to provide notification through pagers
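As an added illustration (not part of the RFI and not any vendor's product), the following Python correlator applies three of the processing capabilities above to constructed host-sensor records: the critical rule for email sent to a specified recipient, domain, or nation; the rule for one user account used by multiple logins; and the rule for one subject holding multiple accounts. Watch-list values, hosts, sensor IDs and the "subject" field are constructed placeholders, and the link between a subject and an account is assumed to come from the credential presented at logon.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Analyst watch lists (constructed placeholders; ".zz" stands in for a country-code TLD).
WATCH_RECIPIENTS = {"courier@drop.example.net"}
WATCH_DOMAINS = {"partner.example.com"}
WATCH_NATION_TLDS = {"zz"}

# Constructed, already-normalized host-sensor records:
# (timestamp, sensor ID, user ID, host name, event type, key=value details).
# "subject" is the person behind the account, assumed to come from the logon credential.
EVENTS = [
    ("2007-06-08T09:00:00", "hs-01", "jsmith", "WS-101", "logon", "subject=jsmith"),
    ("2007-06-08T09:03:00", "hs-07", "jsmith", "WS-207", "logon", "subject=jsmith"),
    ("2007-06-08T09:05:00", "hs-01", "jsmith", "WS-101", "email", "to=alice@partner.example.com"),
    ("2007-06-08T09:06:00", "hs-01", "jsmith", "WS-101", "email", "to=bob@mail.example.zz"),
    ("2007-06-08T10:30:00", "hs-03", "svc_backup", "WS-101", "logon", "subject=jsmith"),
    ("2007-06-08T11:00:00", "hs-09", "mjones", "WS-309", "email", "to=team@example.mil"),
]

def parse_event(record):
    """Turn one record tuple into a dict; key=value details become extra keys."""
    ts, sensor, user, host, etype, detail = record
    extra = dict(kv.split("=", 1) for kv in detail.split() if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "sensor": sensor, "user": user,
            "host": host, "type": etype, **extra}

def email_alerts(events, recipients, domains, nation_tlds):
    """Email sent to a specified recipient, domain, or nation (nation by ccTLD)."""
    hits = []
    for e in events:
        if e["type"] != "email":
            continue
        rcpt = e.get("to", "").lower()
        domain = rcpt.rsplit("@", 1)[-1]
        tld = domain.rsplit(".", 1)[-1]
        if rcpt in recipients or domain in domains or tld in nation_tlds:
            hits.append((e["ts"].isoformat(), e["user"], e["host"], rcpt))
    return hits

def shared_account_alerts(events, window=timedelta(minutes=10)):
    """Same account used from different hosts, or by different subjects,
    within `window`: a sign that several logins share one user account."""
    logons = defaultdict(list)
    for e in events:
        if e["type"] == "logon":
            logons[e["user"]].append(e)
    hits = []
    for user, seq in logons.items():
        seq.sort(key=lambda e: e["ts"])
        for i, a in enumerate(seq):
            for b in seq[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break
                if b["host"] != a["host"] or b.get("subject") != a.get("subject"):
                    hits.append((user, a["host"], b["host"]))
    return hits

def multi_account_alerts(events):
    """One subject (person) logging on under more than one user account."""
    accounts = defaultdict(set)
    for e in events:
        if e["type"] == "logon":
            accounts[e.get("subject", e["user"])].add(e["user"])
    return {s: sorted(a) for s, a in accounts.items() if len(a) > 1}

def correlate(records=EVENTS):
    events = [parse_event(r) for r in records]
    return {"email": email_alerts(events, WATCH_RECIPIENTS, WATCH_DOMAINS, WATCH_NATION_TLDS),
            "shared_account": shared_account_alerts(events), "multi_account": multi_account_alerts(events)}
```

On the constructed records, `correlate()` raises two email alerts, one shared-account alert for jsmith (two hosts three minutes apart) and one multi-account alert linking jsmith to svc_backup.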
Correlator Console System Status Monitoring Capabilities

The Correlator Console may provide an ability to:
- display the status of all Network and Host Sensors
- monitor the heartbeat of Network Sensors

Correlator Console System Analysis Monitoring Capabilities

The Correlator Console may be capable of:
- attributing and logging activities by the analyst
- displaying separation of duties violations

General Host Sensor Capabilities

- THE HOST SENSOR SHALL INTEGRATE WITH THE HBSS MANAGEMENT AGENT ON EACH HOST
- THE HOST SENSOR SHALL SUPPORT WINDOWS 2000, WINDOWS XP, WINDOWS 2003, AND WINDOWS VISTA
- The Host Sensor may support Windows NT4 (SP6a)
- The Host Sensor should support non-NT based Microsoft Windows operating systems
- The Host Sensor should support non-Microsoft OS including SOLARIS, HPUX, Linux, and Mac OS-X
- THE HOST SENSOR SHALL BE CONFIGURABLE TO CONCEAL ALERT GENERATION FROM USERS
- Sensor detection and alerting may be analyst configurable
- The Host Sensor may report the following information, as a minimum, for all alerts: user ID, host name, and timestamp of activity
- The Host Sensor may provide a configurable sensor status
- THE HOST SENSOR SHALL NOT INTERFERE WITH THE USER'S PRODUCTIVITY, USABILITY AND FUNCTIONALITY
- The Host Sensor may provide minimum degradation on: Central Processing Unit (CPU) performance; input-output (IO) performance; host network accessibility
- The Host Sensor may securely preserve all collected data by ensuring availability, confidentiality, and integrity

Host Sensor Content Monitoring Capabilities

The Host Sensor may have the capability to:
- detect digital rights management changes
- detect the modification of analyst-specified data
- include honey token or beaconing capability that allows for the unique identification of data or products generated on that computer

Host Sensor System Monitoring Capabilities

The Host Sensor may have the capability to:
- capture covert channel usage
- capture voice over IP usage

The Host Sensor may support activity detection for user profiling by the Correlator Console.

Host Sensor Device Monitoring Capabilities

- A Host Sensor may detect access to hardware devices including, but not limited to, modems and external media

The Host Sensor may have the capability to:
- detect when files are written to a network device
- detect use of USB and serial devices (e.g. PDA, digital camera, MP3 player, printers, etc.) and identify the type of device
- detect use of parallel port devices (e.g. PDA, printers, etc.) and identify the type of device
- detect use of FireWire (IEEE 1394) devices (e.g. PDA, printers, etc.) and identify the type of device
- detect use of Floppy Disks, writable CDs, writable DVDs, and Zip Disks
- detect use of tape back-up devices
- capture the removable device name, time of connection or removal, device type, and file system type

Host Sensor Web Browser Monitoring Capabilities

The Host Sensor may have the capability to:
- monitor for analyst specified Web search parameters
- capture analyst defined key word usage among search parameters
- capture the use of web conferencing capabilities
- detect data downloaded through the web browser
- detect data uploaded through the web browser
- capture HTTPS session data prior to encryption and after decryption
- capture web sites visited

Host Sensor Protocol Monitoring Capabilities

The Host Sensor may have the capability to detect these sessions: Telnet, FTP, TFTP, SecureFTP, Instant Messaging, Secure Shell, mIRC, SMTP, POP, IMAP, Peer-To-Peer, RPC, DNS, SNMP, XWindows, Rlogin, SSL, and Voice-Over-IP.
Host Sensor Printer Monitoring Capabilities

The Host Sensor may have the capability to:
- detect print jobs
- report the printer name information in the alert for print jobs
- report the print server name information in the alert for print jobs
- report the printer location information in the alert for print jobs
- report the printer driver name information in the alert for print jobs
- report the printed document file name information in the alert for print jobs
- report the user name information in the alert for print jobs
- report printed data type information such as text, graphics, and PostScript in the alert for print jobs

Host Sensor Usage Monitoring Capabilities

The Host Sensor may have the capability to:
- generate an alert when a file is transferred via the network connection
- generate an alert when data is transferred via the network connection
- THE HOST SENSOR SHALL HAVE THE CAPABILITY TO CAPTURE THE SENDER AND RECIPIENT OF ALL EMAIL SENT FROM THE HOST

The Host Sensor may:
- be configurable to generate an alert on file access by remote users
- have the capability to detect the mislabeling or improper tagging of media

General Network Sensor Capabilities

- The Network Sensor may have the capability to report its status, provide a heartbeat, be remotely administered, and be remotely updated
- THE NETWORK SENSOR SHALL CAPTURE THE SOURCE AND DESTINATION IP ADDRESS FOR ALL MONITORED TRAFFIC
- The Network Sensor may capture the source MAC address for all monitored traffic

Network Sensor Protocol Monitoring Capabilities

The Network Sensor may:
- support the capability to detect spoofed IP or MAC addresses
- support the capability to detect network interface cards operating in promiscuous mode
- have the capability to capture these sessions: Telnet, FTP, TFTP, SecureFTP, Instant Messaging, Secure Shell, mIRC, SMTP, POP, IMAP, Peer-To-Peer, RPC, DNS, SNMP, XWindows, Rlogin, SSL, and Voice-Over-IP
- provide a mechanism to allow capturing analyst-specified protocols

Network Sensor Printer Monitoring Capabilities

The Network Sensor may have the capability to capture the:
- content of printing by users
- printer and print-server name information
- printer comment information
- printed document name information
- source machine information for print jobs
- user name information for print jobs
- printed data type information, such as text, graphics, and PostScript

Network Sensor Data Access Capabilities

- THE NETWORK SENSOR SHALL HAVE THE CAPABILITY TO MONITOR NETWORK TRAFFIC FOR ANALYST DEFINED PHRASES OR PATTERNS
- The Network Sensor may have the capability to capture and provide network account information such as users and groups

2.0 SAMPLE RESPONSE OUTLINE

This outline is intended to minimize the effort of the respondent and structure the responses for ease of analysis by the government. Respondents are free to develop their response accordingly, but should answer the fundamental questions provided.

Section 1 - Product (limited to 15 pages, including diagrams and spreadsheets)

Describe a working product as a possible solution to meet the Insider Threat Detect capabilities. Delineate how the product currently meets any number of the stated capabilities and whether the solution is mature or in a developmental stage. Please address the following:
1) Specify if the product solution comprises hardware (e.g., an appliance), software, or both. Include minimum and optimum hardware requirements, descriptions of any fail-over capabilities, and database requirements.
2) Describe the type of functions performed by the product solution. Per capability, indicate in a spreadsheet which ones the proposed solution currently meets, is currently developing, plans to develop in the future, or does not plan to meet.
3) List the Operating System(s) the product(s) supports, to include patch and service pack levels.
4) Describe how the solution suites will be managed and provide a logical data flow.
5) Describe the recommended deployment architecture and strategy, to include installation and maintenance (life cycle support).
6) Describe the scalability of the product(s) for an Enterprise-wide deployment.
7) Describe any testing that has been or will be conducted for compliance, such as the Common Criteria for Information Technology (IT) Security Evaluation and/or the Cryptographic Module Validation Program (CMVP) described in the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2.
8) Provide descriptions and certification of current software security assurance practices used. Include a discussion of Common Criteria and FIPS certifications on the proposed solution.
9) Provide information on existing and planned IPv6 compatibility.

Section 2 - Feasibility Assessments (limited to 3 pages, including diagrams and spreadsheets)

1) Describe how the solution is network managed (the appliance/software and the data flow) and the estimated amount of manpower required.
2) Describe the feasibility assessment of the proposed Insider Threat Detect solution deployment scenario. If the McAfee HBSS 3rd party integration program is not available, describe how the proposed solution should be deployed.
3) Include data on the amount of network traffic generated between product solution sets and that to and from the management console.

Section 3 - Cost and Schedule Estimates (limited to 3 pages, including diagrams and spreadsheets)

1) Describe a DOD Enterprise-wide solution cost estimate (software only and/or appliance).
2) Provide a cost estimate when describing the licensing agreement, support, training, and maintenance for non-recurring and annual recurring costs. It is estimated that the number of network end-points that require a host agent is approximately five million.

Section 4 - Corporate Experience (limited to 4 pages, including diagrams and spreadsheets)

1) Briefly describe the company or team, your products and services, history, ownership, financial information, and any other information deemed relevant.
2) Describe any projects the company has been involved in that are similar in concept to what is described in this RFI, including management and operational approach, requirements, processes, and any relevant lessons learned (1-2 pages per project). List government and commercial clients. If for any reason clients cannot be discussed, describe the number of seats deployed for each client.

Section 5 - Additional Materials

1) Provide any other materials, suggestions, and discussions deemed appropriate.

DISCLAIMER: THIS RFI IS NOT A REQUEST FOR PROPOSAL (RFP) AND IS NOT TO BE CONSTRUED AS A COMMITMENT BY THE GOVERNMENT TO ISSUE A SOLICITATION OR ULTIMATELY AWARD A CONTRACT. RESPONSES WILL NOT BE CONSIDERED AS PROPOSALS NOR WILL ANY AWARD BE MADE AS A RESULT OF THIS SYNOPSIS. All information contained in the RFI is preliminary as well as subject to modification and is in no way binding on the Government. FAR clause 52.215-3, Request for Information or Solicitation for Planning Purposes, is incorporated by reference into this RFI. The government does not intend to pay for information received in response to this RFI. Responders to this invitation are solely responsible for all expenses associated with responding to this RFI. This RFI will be the basis for collecting information on products available. This RFI is issued solely for information and planning purposes and does not constitute a solicitation. All information received in response to this RFI that is marked proprietary will be handled accordingly. Responses to the RFI will not be returned nor will receipt be confirmed. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract. Again, responders are solely responsible for all expenses associated with responding to this RFI.

3.0 SUBMISSION INSTRUCTIONS

RFI responses should be submitted via email (time stamped and not exceeding 5 MB) to: Sonoka.Ho@disa.mil; Manprit.Singh@disa.mil; peo_ianacquisition@disa.mil

4.0 CONTACT INFORMATION

All inquiries and questions related to this RFI should be sent to the following Points of Contact: Mr. Sonoka Ho, Program Manager, (703) 882-1064, Sonoka.Ho@disa.mil or Mr. Mickey Singh, Alternate Program Manager, (703) 882-1057, Manprit.Singh@disa.mil
- Record
- SN01313375-W 20070610/070608220139 (fbodaily.com)
- Source
- FedBizOpps Link to This Notice (may not be valid after Archive Date)