-
SOAR Playbooks27 Topics
-
SOAR Platform
-
Configuration Refresh
-
Vulnerability Management
-
Issue Management
-
SOC Program Management
-
Incident Response
-
Air-Gapped Implementation
-
Non-Functional Requirements (NFR)
-
Business Case for SOAR
-
Functional Requirements
-
Technical Building Blocks
-
Operational Building Blocks
-
Platform Maintenance
-
Threat Hunting
-
SOAR Vendors
Participants3
Architecture
- Detail the requirements of the infrastructure that Iberdrola must use to implement the solution.
- Detail the pre-production (non-operational) environment included in the offer.
- The solution must be integrated with corporate IT processes. Please provide details
- Backup management.
- Availability and capacity management.
- Possible integration of other agents.
Accessibility
- The orchestrator will be accessed by several security teams, spread globally.
- All tickets must be considered restricted information with access according to the need to know (defined by the personal profile).
- Tickets must be able to be created:
- Directly by any of the company’s employees, eliminating the need for a small team of intermediaries to modify them.
- Through a web menu, this menu being configurable by the tool administrators.
- From the BMC Remedy solution from Iberdrola.
- From the Servicenow solution that Iberdrola is deploying this year.
- By e-mail.
- From the following SIEMS: ArcSight, QRadar, Splunk.
- It should be possible to schedule ticket creation automatically for recurring tasks. For example, an automatic monthly ticket to manage and trigger a set of actions.
- Tickets can be updated by anyone with access to the ticket as determined by the user profile. Ticket closing will also be determined by user profile.
- The solution must be integrated with Active Directory.
- Access to the system shall be controlled through Active Directory groups.
- The system administrator shall assign the persons to their respective roles: Security equipment from Spain, security equipment from UK, security equipment from USA, security equipment from Brazil, GLOBAL security equipment with access to all of the above.
- Job roles will have defined access levels to perform predefined functions; e.g. Admin, read-only, read-write, etc.
- Global business lines and functions shall be defined hierarchically in such a way that a member of a global’ team has access to all local, regional or national entries.
1.1 WORKFLOW
1.1.1 The system will dynamically capture data automatically and associate it with each ticket:
- A unique reference number per ticket.
- The ticket opening time and the timestamp of the date.
- The name of the creators.
- Ticket resolution / closing time and date timestamp.
- Mailbox monitoring.
1.1.2 Any entry of end-user data against the required fields shall be validated against the valid options allowed, with the exception of free-form fields such as title and incident details, etc.
1.1.3 The system should be easily adaptable to capture company specific event and event information from data provided by the company; e.g. priority, line of business, function, type of incident, other ticket references, etc.
1.1.4 The system should allow for the classification of the incident or potential incident by adding the fields:
1.1.1 Depending on the level of impact of the ticket, the solution will require one level of notification or another (immediate, daily, monthly…) and a different set of recipients. The solution should enable and assist the above-mentioned notification and situational awareness process.
1.1.2 A ticket may be categorized and re-categorized as many times as necessary.
1.1.3 The ticket creation process will use predefined algorithms to automatically calculate a priority and a ticket risk based on the data entered by the user.
1.1.4 The tool should allow the creation of’action’ or’root cause’ or’problem’ records to track specific follow-up actions for individual groups or users and allow them to be linked to’parental’ records such as incidents.
1.1.5 The tool will allow automatic ticket production through direct integration with other systems, such as a SIEM, or the provision of an API that can be used.
1.1.6 Enrichment of events. Each potential incident will be enriched according to the information provided (hostname, IPs, URLs, hashes, etc.). Enrichment will be done via API versus: - An Open Source Threat Intelligence Platform (MISP) solution.
- IBM X-Force.
- An Excel sheet (can be imported to another format manually on a regular basis) for asset classification with regulatory requirements (LOPD, GDPR, PCI, SOX….).
1.1.7 The system shall allow for the intelligent direct processing of notifications and ticket ownership to the appropriate equipment in the correct circumstances, based on the information provided in the ticket and the predefined logic. - Type of event / incident.
- Priority.
- Region.
1.1.8 The system will support the online workflow to allow easy monitoring and management of tickets based on criteria defined as priority, line of business, etc.
1.1.9 Tickets will be presented at different stages of the life cycle, including: - Open’ – newly opened but not assigned.
- In progress’ – being worked on and assigned to an owner.
- Resolved’ – incident resolved.
- Closed’ – the resolution has been verified and the ticket is closed. (Optional step).
1.1.10 Ability to link additional information to a ticket, e.g. a Microsoft Office document. If the attached information is embedded within the application, you must follow the rules for classifying company information, restrict access to the required audience and encrypt’highly restricted’ information.
1.1.11 Recognition of predefined SLAs for ticket resolution within defined time scales, compared to ticket type, priority and seniority.
1.1.12 Creating specific fields (templates) for predefined events and event types. Specific event types will generate specific data fields for that type; for example, a hardware loss will request different data fields required for a phishing attack.
1.1.13 Customizable dashboards that allow easy and intuitive ticket management at all stages, including lists and graphical views.
1.1.14 Modify ticket recipients. Creation and storage of predefined technical procedures, so that they can be assigned automatically or manually to the tickets that, by their nature, correspond to them.
1.2 REPORTS
1.2.1 The tool will have a search function that allows the search of ticket metadata and keywords.
1.2.2 Audit trails of all actions taken manually by individuals or automatically by the system.
1.2.3 The solution will automatically produce an activity report on a monthly basis.
1.2.4 The solution will make it easy to create new reports.
1.2.5 The platform will be in production with the following reports implemented: - Security analyst activity report. Jobs/tickets managed by each analyst and grouped by security team (Spain, UK, USA, Brazil).
- Report of services consumed / requested (incidents, vulnerabilities,…) grouped by security team (Spain, UK, USA, Brazil).
- SLA report and management and resolution times by security team (Spain, UK, USA, Brazil).
1.2.6 Reports may be generated on demand and the period of time to be applied shall be variable (month, four-month period, six-month period, year) or the start and end dates of the period shall be selectable.
| Domain | Functionality |
| Core function | Does the solution allow the client the creation of own workflows |
| Core function | Can the solution query external websites and aggregate the results? Please indicate for VirusTotal, Alexa.com, etc. |
| Core function | Can the solution remove / edit identifying information (based on Regex or similar) from data before sending it to external websites? |
| Core function | Can the solution create emails and send through SMTP/Exchange? |
| Core function | Can the solution automate security incident case handling? |
| Core function | Can the solution correlate related tickets by checking IP adresses against previous tickets by Service NOW (e.g. finding repeat offenders) |
| Core function | Can the solution aggrerate phishing campaigns based on the same sender address? (i.e. by querying Service NOW for previous cases) |
| Integration | Can the solution combine external information with internal databases (e.g. SQL/LDAP/ AD) to target VIP/HPU? |
| Integration | Does the solution integrate with FireEye HX? |
| Integration | Does the solution trigger an automatic quarantine using Fireeye HX and/or McAffee ePolicy Orchestrator? |
| Integration | Can the solution be used to synchronize IOC between different HX instances (please outline how)? |
| Integration | Does the solution integrate with Service Now? |
| Integration | Does the solution integrate with FireEye EX? |
| Integration | Does the solution integrate with FireEye CMS? |
| Integration | Does the solution integrate with Splunk? |
| Integration | Please indicate with which other products the solution can be interconnected |
| Integration | Can the solution use different playbooks / run books based on the kind of initial event (i.e. DDOS, Phishing, Malware) |
| Data Architecture, Integration and Communications | |
| Specific Requirements for Cloud | |
| Technical Architecture | |
| Data Protection | |
| Access Control |
| Security | ||
| Provide a secure data layer | e.g. Encrypt the data in database so that it’s not exposed to external users | Threat Intelligence, Forensics |
| Provide a secure environment with supported functionality and processes relevant to C3/C4 data | Specifically to ensure that handling procedures mean that successful mitigation and resulting procedures are catered for | Threat Intelligence, Forensics |
| All Email notifications should be sent with digital signature for security so that recipient ensure legitimacy of email source | To prevent spoofing an email address | Threat Intelligence, Service Management, Forensics |
| Service Desk administrators will not have access to sensitive data | This is separation of duties. Service Desk and Service Support personnel will not be able to view sensitive data which has been identified as a result of security alerts | Threat Intelligence, Forensics |
| The system shall provide role based access rights | This enables the restriction of users &/or administrators to access areas of the system. (Role based access control) | Threat Intelligence, Data Hacking, Forensics |
| Application should be able to show different information to different users according to their roles | E.g. GSIM + SPOC (full detail); Management (high level, times, open tasks); … needs definition | Threat Intelligence, Service Management, Data Hacking, Forensics |
| Two factor authentication for login and access | supported through DUO directly on the platform | Threat Intelligence |
| All content needs to be encrypted on database level | Threat Intelligence, Forensics | |
| User review/audit function will report/disable not used accounts after X days | General | |
| IF C4, then limited search capability, reports and with requirements of NDA Checkbox upfront for even authorised users | for C4 a user will need to be specifically invited | Forensics |
| Interface | ||
| Capability for interface build to key security tools such as Remedy, ArcSight and Splunk Platforms | General, SIEM, Service Management, Data Hacking | |
| Data from ArcSight (CEF, …) can be imported/exported | General, SIEM, Data Hacking | |
| Data from Outlook can be imported/exported | Import emails, generate calendar items | General, Incident Management |
| Data from Remedy can be imported/exported | General, Incident Management, Data Hacking | |
| Data from Splunk platforms can be imported and exported | Exchange + Certificate Signing, PGP, SMIME | General, Incident Management |
| Files can be uploaded through an API (moderated) | customisation commands from ArcSight, Remedy, other | General, Data Hacking |
| The system shall be capable of combining data from other security related systems | Interfaces available with other systems and data can be imported | General |
| A new instance can be added directly in the tool by any authorized user | User can manually enter new information to the application | General |
| New instances can be added by an customisation command from ArcSight | customisation commands can trigger a new instance | General |
| A new instance can be added with dedicated emails from Outlook | Emails can be received and automatically turn into an instance. Email Needs to have a standard tag to highlight that it is an incident | General |
| New instances can be added with an customisation command from Remedy | Tickets in ticket que can automatically turn into an instance. Can assign a due date/time to each task. | General |
| The application can export information in STIX or other security related IOC documentation | TI, Data Hacking | |
| Access to application through mobile platform (statistical, management report, other) | Console is mainely browser based, but mobile apps to be available | Genearal/Management, Threat Intelligence, Service Management, Data Hacking |
| The application to work properly on browsers (Firefox, Chrome, Internet Explorer) | General, Threat Intelligence | |
| Accessible via organisation standard web interface IE9 & IE10 & IE11 | The system dashboard and other system tools to be accessible using IE9 & IE10 | General |
| The application must not need any special libraries to run (client side) | No local java, no local flash, no Silverlight | General |
| An administration panel for the user rights can be enabled for special groups/users | New user, edit user, edit rights, edit roles, edit groups will be controlled by a master Administrator | General |
| An administration panel for reporting can be enabled for special groups/users | New report, selection of fields, scheduled reports, export file types will be controlled by a master Administrator. A user can only run reports on incidents that they can see. | Genaeral/manager |
| The application provides an admin interface to place help texts to functions or choices in the application | E.g.. Help text for instance creation, help text for different severity levels including links to URLs | General, Data Hacking |
| User information can be retrieved from active directory | General | |
| User access controls should be based on groups, individuals and functions | General, Threat Intelligence | |
| External users can be set up by a special user group | Non-Vodafone users can be created/disabled | General |
| An administrative function for ADDING/EDITING/DISABELING users (» THREE DEDICATED ENTRIES) | General, Incident Management | |
| Every instance can be assigned to an individual | General, Incident Management, Threat Intelligence, Data Hacking | |
| Every instance can be assigned to a group | General, Incident Management, Data Hacking | |
| Each Incident can be assigned to a resolver group | This to ensure that no incident remains unallocated. | General, Incident Management |
| Every instance should have an owner | Each incident will have a creator, owner and members | General, Threat Intelligence |
| Every instance can be assigned to one or more entities | Group and individual | General, Threat Intelligence, Data Hacking |
| Every new instance will be assigned to the GSOC 1st line. | General | |
| All unassigned instances will be assigned to the GSOC 1st line within 2 hours | DEPRECATED/REVIEW IN REGARDS TO ASSIGNMENT. n/a see above, FR12 | General |
| Member of a cyber security group able to accepts/rejects instance | This would give a feedback loop to manually opened instances to the customer. A user can ‘resolve’ an issue and add a reason for closure in order to reduce false positives. | General |
| Assigned user can add and edit but not change the information log of the instances | Fields need to be defined. Observers should not be able to change any information. (Unable to link to any other databases with types or categories of incidents/threats etc.) | General, Data Hacking |
| Incident manager can mark data in instance as deprecated/hidden/false | Fields need to be defined. Incident manager can indicate who can see what in terms of users, but not based on specific fields for an incident | General, Incident Management |
| All state changes need timestamps and the actual user information, on who performed which action | General, Data Hacking | |
| Incident manager can invite/block users to view/edit the instance. | Not only GSOC but also GSOC internally (e.g.. C4 instances) | General, Incident Management |
| Several users can append information to the instance at the same time but not able to overwrite each other comments | New information is moderated by Incident Management. Dialogue will notify users that they are not working on the latest version of an incident if any given field is being edited at the same time. | General, Threat Intelligence, Data Hacking |
| Updates to an instance need to be notified to responsible incident manager and assignee(s) | General, Data Hacking | |
| An instance has information fields, which can/cannot be altered or edited by anyone | Fields need to be defined. Only ‘created by’ and ‘date created’ cannot be changed. | General, Incident Management, Data Hacking |
| An instance can be categorized by a severity. | Examples: S1, S2, S3, … | General, Incident Management, Data Hacking |
| An instance can be categorized by an internal complexity category | Examples: 1 client vs. 50 clients; 1 server vs. 30 servers, … (only internal measurements) | General, Incident Management, Data Hacking |
| An instance can be linked to another instance | Parent/Child relationship. Can be done Manually and automaticaly | General, Data Hacking |
| An instance can be cloned to a new instance | Fields, which are taken over, can be defined | General |
| An instance can be assigned to another group within cyber security community | GSIM to DE CSIRT to EH back to GSIM … // Ownership | General |
| Users outside the cyber security community can be invited to the instance with limited rights | Authorized by the instance manager | General |
| Files can be uploaded by a user (moderated) | User can manually upload new files to the application | General |
| Uploaded files will be handled in a protected way (malicious files have to be marked) | Password protection, alert before downloading, encryption, Can be uploaded manually | General |
| Uploaded files will be hashed/analysed | Timestamp, uploaded by user, file hash, file size, Can Have manual actions associated with attachment & then for added attachment can be sent to another system. | General, Incident Management, Data Hacking (generate the hash) |
| Attachments can be commented | General Data Hacking | |
| Interface to Exchange or SMTP interface to generate emails | Sending (signed) emails from information fields from instance | General |
| Active Directory data to be maintained at 99.98% accuracy | Nothing is stored in AD – it is only queried | General |
| Active directory access for address book | General | |
| An instance can be set to “request to close” | General | |
| With categorizing an instance, a task list according to the use case action plan is initiated | Incident Management | |
| An instance has different stages, which cover the lifecycle of an incident (may change in the future) | E.g.. Identification, Containment, Eradication, Recovery, Lessons Learned, Closed, Archived | General, Incident Management |
| The system shall enable grouped searches which result in targeted notifications and reporting. Those uninterested in a search, or set of searches, do not receive notifications or reports resulting from them | This avoids the ‘data dump’ method of reporting requiring recipients to sift and filter to find the items of interest. Equally it also precludes one set of users viewing reported items which they should not be privy to. | General |
| Search for previous/duplicated instances, additional information | Users from the cyber security community can search through all information on full text. Able to search on a variety of fields and text. | General, Data Hacking |
| An instance has different status, which cover the ticket lifecycle | E.g.. Assigned, in process, rejected, closed | General, Incident Management |
| An instance can be reassigned by dedicated people, even if the original owner is not available | Re-assignment if owner/manager is sick. Only an Administrator can reassign | General, Incident Management |
| An instance can be escalated to another person/manager manually | No feedback after time, No feedback on requested information | General, Incident Management |
| The system shall provide metrics to determine progress towards continuous improvement targets | General, Incident Management, Data Hacking | |
| An instance can be escalated to another person/manager automatically | SLA times | General, |
| The service capacity shall be able to manage max number of users/network assets | 500-1000 scalability required | General, |
| The capability to tailor make end user communications using messages template for alert to be sent to end users in order to take action | Notifications can be created according to the recipients own needs i.e. how the notification is formatted, what it contains and who it goes to | General, Forensics, Data Hacking |
| Quality Assurance functions | ||
| An instance can be reopened (and reassigned) with a given reason. | General | |
| An instance has to be closed with a given exit code | Examples: Resolved, Unresolved, Duplicated, Merged, Rejected, … | General |
| Ability to create policies and the application needs to be compliant to these existing policies within Group | PCI, SOX, ISO, other (full set of policies need to be defined) | General |
| The application needs to accept exceptions to the policies for the local markets | Customers/local markets might not need to apply for the Group policies Exemptions can be applied to local markets/OpCos | General |
| An instance can be investigated/monitored/reviewed before closure | General, Data Hacking | |
| QUERY FUNCTION / SEARCH CAPABILITY / FILTERING OVERALL | No query, but filter and search is available. | General |
| A DEDICATED FACILITY TO VIEW WORKING QUEUE / BACKLOG | backlog is a list of low severity or long running incidents | General |
| ISO 9001 SUPPORT CAPABILITY | ISO 9001 is an International Standard that gives. requirements for an organization’s quality manage- ment system (QMS). It is part of a family of standards. published by the International Organization for Stand- | General |
| Use of the system shall not adversely affect the performance of any other integrated systems or services nor the network upon which it resides | No degradation of other services and network functions during normal operation | General |
| Management and control functions | ||
| Incident manager needs dedicated view on all instances and their authorized users | Incident Management, Threat Intelligence | |
| All information in the application needs to be classified with C1-C4 level statement | C3 is default setting | General, Threat Intelligence, Data Hacking |
| A user can have one to many different roles (SPOC, CTSO, CTO, other) for assignment purposes | General | |
| The application can import and process IOC definitions e.g.. written in STIX | Yes for artefacts, otherwise no for anything importing manually | Incident mangement, TI, Forensics |
| Admin role with ability to add, edit or delete Users | Incident mangement, TI, Forensics | |
| External Users can be set up by a special User Group | General, Incident Management | |
| Keep reliable and accurate records and have the ability to track them with a full audit log | General | |
| Improve the sharing of knowledge and best practices stemming from incidents and investigations | General | |
| An instance can be categorized by one security category. | Examples: malware infection, Compromised host, … 19 Out of the Box categories already exist. Can also be assigned to more than a single category (e.g. malware and phishing) | General |
| Alerting | ||
| New instance triggers notification (email, internal popup, other) to assigned function | General, Threat Intelligence, Service Management, Data Hacking | |
| SMS notification will be send for high critical instances. | General, Threat Intelligence, Service Management | |
| Notifications contain instance number and URL to instance (no confidential information) | General, Service Management | |
| Users must log in to the application to see any content/information | General, Threat Intelligence, Service Management | |
| All notifications will be logged with the recipients, timestamp and content | General | |
| An escalation mechanism shall enable the alerting and notification to be extended according to a user driven hierarchy. | General | |
| An escalation workflow embedded in the communications function to allows auto escalation to a named line manager or team | This applies to both infrastructure failures remediated by VSSI, or Security Alerts. Built in (customisable) escalation paths ensure that where SLAs have been, or are about to be breached, a suitable team or manager is alerted. | General |
| Notification way can be configured per individual (email, internal, other) | General | |
| The system shall provide alerts by log and alternative mechanisms and channels depending on a configurable range of alert types | Depending on the type of alert a pre-determined mechanism or channel can be used e.g. system log, screen, text, email etc. | General |
| A dashboard provides information and status about all queued instances & tasks | General, Service Management, Data Hacking | |
| Reporting | ||
| The application can create reports manually (click by users) | 5 standard templates are available and further customisable reports are available. | General, Threat Intelligence, Service Management, Data Hacking |
| The application provides different SLA times and KPIs based on the severity, category and status | General, Threat Intelligence, Service Management, Data Hacking | |
| The application will create reports based on schedules (time or event trigger) | General, Service Management, Data Hacking | |
| The application can create PDF reports from single instances | Containing all information, like a log, containing all related events, files, people | General, Threat Intelligence, Service Management, Data Hacking |
| Standard Reporting for each group | e.g. Incident management, Treat Intelligent, etc. | General, Forensics, Threat Intelligence, Service Management, Data Hacking |
| The application can create statistical reports | Opened/Closed cases per category/local market over timeframe (week/month/year). Additional analytical reports | General, Threat Intelligence, Service Management, Data Hacking |
| The application provides an interface to select fields for export. | each field can have a condition associated with it before it gets populated, i.e. a filed will only appear if a condition is met. | General, Data Hacking |
| The application can create report of several instances in CSV, XML, PDF | E.g.. Predefined reports can be used to extract 5 out of 20 fields in CSV for reporting. XML only via API | General, Service Management, Data Hacking |
| The system shall create configurable management information reports | General, Service Management | |
| Event based ad hoc reporting | NEW REPORT, IF X > 10 or TIME LONGER THAN Y | General, Service Management |
| Dedicated facility for dedicated access via Mobile (e.g. Statistics) | Responsive UI | General |
| The system shall provide event/time ‘stamps’ for use in general and audit reporting. | General, Data Hacking | |
| Reporting for role based, management information and ‘customer’ required. | Daily report. E.g. Availability of environment and status of control checks and reporting (Service Operations) I.e. not security alerts (Content and format to be determined) | General |
| The format of reports shall be configurable | In terms of style and layout and suitable as evidence of evaluation as required by operational managers, users as well as internal and external auditors e.g. high-level dashboards and technical reports | General, Service Management, Data Hacking |
| The system shall be able to send pre-determined reports to recipients | Either by email or other business standard mechanisms | General, Service Management |
| The system shall provide reports which support the service levels and key performance indicators devised to inform management of the service and satisfy auditors | General, Service Management, Data Hacking | |
| The system shall provide reporting formats which allow targets and tolerances to be depicted. | This enables users to set target levels and acceptable tolerances which can be easily shown and analysed by recipients of reports. | General, Service Management |
| The service shall provide data access and reporting sufficient for external auditing needs | Provision of non-sensitive data and associated reports to provide external auditors with their requirements without transgressing data protection, or similar regulatory and legal standards | General |
| Management Reports of trend analysis | Real-time stats dashboard to show activity and progress of the live view of the incidents and related team and resolver activities for management purposes | General, Forensics, Threat Intelligence, Service Management, Data Hacking |
| The system shall provide a reporting package enabling operational and management information reports | Reporting from the database by standard, pre written reports, or by customisable query driven reports in an intuitive, graphical user interface | General, Service Management |
| General | ||
| The system shall be capable of modular improvements and additions to provide further capability via formal change and release control mechanisms | Provision for staged approach to system and service improvements in the form of additional capability supporting the security evaluation, reporting and remediation activities | General |
| The reporting service shall be capable of being driven by predetermined service level agreements e.g. date driven | This enables the scheduling of reports according to differing service level agreements and reporting calendars. | General, Service Management |
| Exception Reporting “OUT OF SLA / KPI” EVENTS | General, Service Management, Data Hacking | |
| Report on fact and duration of each issue | To illustrate how long it takes for each action to be dealt with | General, Forensics, Service Management, Data Hacking |
| Shiftlog functions | ||
| The system shall support Shiftlog entries | Require an analyst Shiftlog to make notes about occurrences etc. | General |
| The application provides a Shiftlog log function, where more information on What\How is required | General | |
| Any information from the Shiftlog can be used as the core of a new instance at any time | Information like author, timestamp, content is taken over to new instance | General |
| Time limited Edit Function» Better versioning of all versions\Logs | For example we need a forum style comments log which allows a time limited change to be made for example if a comment has been made or a to made a correction. After 60 minutes all comments will be locked. | General |
| Mark evidence as DEPRECATED/INVALID | Resilient’s primary function is to provide an IR platform. Our use cases do not cover case management incluidng chain of custody | General |
| Workflow management functions | ||
| The application should be able to adopt and change “quickly” to the workflows. | Incident type can be changed at any time and dynamic changes are possible | General, Threat Intelligence, Service Management |
| ABILITY TO INTRODUCE A NEW / EDIT / REVOKE A WORKFLOW | SM Note: Workflow changes should be applied to “open” instances as well (not only new) | General, Threat Intelligence |
| MAINTAINANCE OF HISTORY WORKFLOWS | General, Threat Intelligence | |
| STRATEGY OF WORKFLOW AMMENDMENT (CHANGES, TIMEFRAMES, OTHER) | General | |
| Architecture | ||
| The application is scalable to the amount of users / data | More servers in cluster, more performance | General |
| The application can be run in a high availability cluster (EXTEND TO SINGLE ITEMS) | High cluster availability will be provided through VMWare | General |
| The application is compliant to the data centre standards | Process monitoring, Hardware monitoring, port monitoring | General |
| The system will allow for differing administration access rights depending on the role of the user | Master Admin will control access of other types of users. | General |
| Administrator access rights shall only allow individuals to view and administrate data pertinent to their area of control | General | |
| Application should show different information to different roles | will be able to vary visibility for different user roles | General |
| An administration panel for the user rights can be enabled for special groups/users | General | |
| All state changes need timestamps and the actual user, who performed which action | General | |
| The application can be run in a high availability cluster (EXTEND TO SINGLE ITEMS) | General | |
| Flexibility of design to allow for an increase in scope and usage in future years | General | |
| The data retention period shall be: x Years, Y Months, Z days | nothing is deleted, and backups can be managed | General |
| The application is scalable to the amount of users / data | General | |
| ARCHIVING OVERALL? – PERFORMANCE, SPACE, OTHER | General | |
| Maintenance and support for environment | General | |
| Field defenition, usage of REGEX to PARSE IPS or other | General | |
| Runbook | ||
| Ability to create Play books/Run Books | General, Service Management | |
| Linking incidents to threat intelligence | General, Threat Intelligence, Data Hacking | |
| Support and simulation | General | |
| Ability to create report trend on how often each run book is used and where a certain run book has not been used for a certain period time | General | |
| Team Specific | ||
| Automated search facility and grouping results | To be able to search on related issues and create a dashboard/display of historic data on all related issues | Forensics, Data Hacking |
| If occurrence of an issue is greater than 1 to flag the issue and escalate the issue to responsible group | Create a report with number of occurrence and history of occurrences and escalate | Forensics |
| An automated security Marker(Classification) to lock down the issue to a certain/related team | So the issue won’t be open to unauthorised users | Forensics |
| Create new groups on functionality and lock down user accounts to the specific related functionality with fine grain security control | Forensics | |
| Customizable dashboards on group and individual basis depending on workload and roles and responsibility | Forensics, Data Hacking | |
| To enable to edit and have influence on the report | To be able to pull reports and edit it where applicable | Forensics |
| Task List with time stamps and action plans | Each individual can have a dashboard on their list of completed actions with the time taken to complete each action and a list of assigned actions in progress | Forensics |
| Enabled SharePoint and URL hyperlinks in the body of the incident which can be clicked on to take you to the related link | Forensics | |
| Adaptable to type of situations | Template fields to be displayed depending on types of incidents and some fields could be made mandatory actions to follow | Forensics |
| Ability to create watch list | Forensics, Data Hacking, Threat Intelligence | |
| Ability to assign group members to watch list | Forensics, Data Hacking, Threat Intelligence | |
| Email notifications to be sent out to all users in watch list each time the status of watch list changes or the issues get updated | Forensics, Data Hacking, Threat Intelligence | |
| A visual hierarchy to be displayed for Parent/Child tickets and issues | As well as linking related issues to enable visual hierarchy | Forensics, Data Hacking |
| Timer Widget to capture the time stamp and date of issues | Forensics | |
| To enable creating dedicated new user groups that can view sensitive data | Authority level for related Senior & Incident management | Forensics |
| To create a dedicated portal to be used for requesting an activity or service | To follow a process to raise ticket fro service request | Service Management |
| To have a centralised list of escalation contacts depending on role and responsibility | Service Management | |
| Secure central documentation/Service catalogue repository with enabled document versioning to be used and accessed by authorised users | Service Management | |
| Links to be provided or ability to attach documents from repository | Service Management | |
| Facilitate KPI and metrics reporting | Service Management | |
| Create and automate KPI & Dashboard for Service and operational reports | Service Management | |
| Enable product categorizations | E.g. Operational, Resolution, SLA for each ticket, customer and market categories | Service Management |
| Enable handling service, incident and change request | Service Management | |
| Handling different category and subcategories of ticket and status | Service Management | |
| Facility to create business continuity plan | Service Management | |
| Analytical too, understanding narratives | Threat Intelligence | |
| Searchable, searchable capability on individual fields | Threat Intelligence, Data Hacking | |
| Automated alerts in email or text format on assigned issues | Threat Intelligence | |
| Automated email alerts on priority issues and escalated issues | Threat Intelligence | |
| Ability to email contents of STIX reports | Threat Intelligence | |
| Simplification of data in STIX is enabled | E.g. Visual display at parent/child level in incidents | Threat Intelligence |
| Ability to have interface with other platforms | E.g. Silobreak | Threat Intelligence |
| Ability to create tailor made searching scenarios which can be saved for future use | multistring searching and search on specific fields | Threat Intelligence, Data Hacking |
| Creating a logical order of input to create a workflow process | Step by step logical flow to follow | Threat Intelligence |
| Creating and requesting automatic progress report on selected issues | Threat Intelligence | |
| Ability to create a specific dashboard to display your team’s individually assigned issues, details on actions taken and progress | Threat Intelligence | |
| Help & support option on process and required actions on set processes | Team to be able to edit, update and add new subject areas and process | Threat Intelligence |
| Email notifications each time assigned/raised issues status are updated/changed | Threat Intelligence, Data Hacking | |
| Create trend profiles of the types of attacks and issues and ability to link a user or groups of users or URL etc. to that profile as knowledge share | This should be restricted to be viewed by authorised users within the team | Threat Intelligence |
| Ability to viewing and checking the quality of created issues by level 1 & 2 | Data Hacking | |
| Granularity on reporting and ability to create detailed reporting on chosen fields | Data Hacking | |
| Trending capability reports and ability to search on issues that have same pattern or has a trend on same user | Data Hacking | |
| Ability to create tailor made dashboards and ability to create tailor-made metrics | Data Hacking | |
| Ability to search on related issues & creating a report of the list & summary of those issues | Data Hacking | |
| Capability to refine and customize notifications and alerts | Data Hacking | |
| To allow for external connectors for data import & export | Data Hacking | |
| Catering for hand over and providing information logs for analysts transitioning to next shift | Data Hacking | |
| Dedicated document storage repository for the use of authorised users only | Ethical Hacking | |
| Ability to send out vulnerability alert and notifications to local markets and different users | Ethical Hacking, Service Management | |
| Ability to create a record of vulnerability notifications and alerts | Ethical Hacking | |
| Reports, Alerts and Notifications should have customized Vodafone look & feel | General, Service Management | |
| Tool should have an integrated CMDB | SIEM Team |
Audit Logging
Requirement | Description |
| Confirm your application will log user access attempts (Pass/Fail)? | Failed and successful user log ins, including the user name, date, time they logged in |
| Confirm your application will log user sessions or user activity (if different to logon/logoff) ? | Tracking of user sessions on the application including user name, time and date of session |
| Confirm your application will log escalation of user privileges? | Application logging when a user has escalated privileges including the user who made the change and the user who’s rights have been altered |
| Confirm your application will log use of administrator accounts | Logging when an administrator account is used or escalated rights are used to perform functions such as SU Root on Unix |
| Confirm your application will log system changes/updates? | Application logging when new patches or changes have been deployed |
| Confirm your application will log system errors/ critical errors? | Logging of system and critical errors including error code, time and date |
| Confirm your application will log application stop / start / resets, error conditions, failures and threshold exceptions? | Creating a log entry when the settings for logging events has changed or logging has failed. Also log start / stop times |
| Confirm your application will log backup activity? | Logging when backups are taken and if they fail |
| Confirm your application will log changes in storage levels? | Logging when the storage levels for servers/databases have been altered |
| Confirm your application will log terms and condition accepts/declines by users | Logging when a user accepts or declines the terms and conditions for the application |
| Do you foresee any application specific events being raised to SIEM? | Does your system log specific security events which should be captured by SIEM? This is particularly relevant for systems which answered yes to question 19 (Provide security enabling functions) . Please enumerate answers |