The NATO Cyber Security Data Engineering Cell (CSDE), in charge of managing a large-scale SIEM deployment composed of hundreds of servers running Splunk components, collecting a wide variety of data sources from more than 20,000 devices and supporting the SEC007 service in its daily operations, is facing a heavy workload and a lack of manpower.
This situation is impacting the Cyber Security Monitoring and Detection service (SEC007) supported by the CSDE and the numerous projects which are required by internal policies to be monitored via SEC007.
The aim of this SOW is to provide NCSC (NATO Cyber Security Centre) with technical expertise specifically related to the operation and maintenance of the cyber security SIEM (Splunk) infrastructure and its log collection, under a deliverable-based (completion-type) contract to be executed in 2025.
Under the direction of the CSDE Cell Head, SEC007 SDM or delegated authority, a contractor will be part of the NCSC Team supporting the following activities:
• Manage the onboarding of new log sources into the SIEM. This includes, but is not limited to, the log ingestion process from data sources located on-premises or in the cloud, mapping the data to the Splunk Common Information Model (CIM), integration with existing Splunk data models, testing the log ingestion, and validating the quality of the ingested data with stakeholders.
• Document all relevant information in Confluence in accordance with CSDE standards
• Coordinate this activity with the CSDE team and T3 customers
Outcome:
• Assigned tasks shall be completed within the time allocated for this task by the requestor in the NCSC ticketing system(s). In case of an external request, the time to consider will be the time allocated by the CSDE cell head, the SDM or one of their delegated authorities.
• Quality of log collection shall be reviewed by Security Analysts and confirmed as in line with expectations in the ticket
• Act as one of the engineers and as Subject Matter Expert (SME) for the SIEM and Log Collection services within the Cyber Security Data team
• Monitor the availability and performance of the SIEM environment, including log collection
• Detect and report to the SDM any service degradation
• Take appropriate actions to restore the environment to a fully operational state when a problem is detected
• Follow best practices for maintaining the Splunk environment in a stable and reliable state, with the objective of preventing any service degradation
• Ensure that data security systems are installed, configured, and operating correctly, and in line with their dependencies on other systems or applications
• Ensure that data security systems operate within the KPIs defined in the Service Level Agreements with NCSC customers
Outcome:
• Service degradation must be detected in less than 2 hours during standard working hours. This measure is based on the ticket creation time compared to the time the issue occurred.
• Availability of the Splunk environment must stay above 99.8% uptime in a fully operational state
• The SDM shall be informed by email less than 2 hours after the problem occurred. This is measured from the information recorded in the related ticket and the time the email was sent.
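As an added illustration of the monitoring and detection tasks above (written for this page; it is not NCSC's or Splunk's own tooling), the script below shows the kind of automated check that lets a degradation be caught within the 2-hour window. It assumes a feed of per-sourcetype event counts in fixed 15-minute buckets, the shape a Splunk `tstats count ... by sourcetype _time span=15m` search produces, and flags sources whose latest bucket has gone silent, dropped to zero, or fallen well below their recent baseline. It also computes the availability figure from timestamped health probes and compares it with the 99.8% target. Source names, counts, probe results and thresholds are all constructed assumptions.

```python
"""Added example (not from the SOW): a minimal log-collection health check.

Input is per-sourcetype event counts in 15-minute buckets, the shape that a
Splunk `tstats count ... by sourcetype _time span=15m` search returns. Sources
that have gone silent, dropped to zero, or fallen far below their recent
baseline are reported, and the availability KPI is computed from health
probes. All data and thresholds are constructed assumptions, not NCSC values.
"""
from datetime import datetime, timedelta, timezone
from statistics import median

BUCKET = timedelta(minutes=15)
DROP_RATIO = 0.5          # assumption: alert when latest bucket < 50% of baseline
MIN_BASELINE = 20         # assumption: sparser sources are reviewed by hand
SLA_AVAILABILITY = 0.998  # the 99.8% uptime target from the outcome above

T0 = datetime(2025, 3, 3, 8, 0, tzinfo=timezone.utc)  # constructed reference time


def at(minutes):
    """Timestamp `minutes` after T0 (helper for the constructed data)."""
    return T0 + timedelta(minutes=minutes)


def baseline_for(counts):
    """Median of all buckets except the latest one."""
    return median(counts[:-1]) if len(counts) > 1 else 0


def check_sources(series, now):
    """Return (sourcetype, condition, detail) for each degraded source.

    series: {sourcetype: [(bucket_start, count), ...]} in time order.
    'silent'      no bucket has arrived for the last two bucket periods
    'zero_volume' the latest bucket is empty
    'volume_drop' the latest bucket is below DROP_RATIO * baseline
    """
    findings = []
    for sourcetype, buckets in series.items():
        counts = [c for _, c in buckets]
        last_start = buckets[-1][0]
        if now - last_start >= 2 * BUCKET:
            findings.append((sourcetype, "silent",
                             f"last bucket started {last_start.isoformat()}"))
            continue
        base = baseline_for(counts)
        if base < MIN_BASELINE:
            continue  # too sparse to baseline automatically
        if counts[-1] == 0:
            findings.append((sourcetype, "zero_volume", f"baseline {base:.0f}/bucket"))
        elif counts[-1] < DROP_RATIO * base:
            findings.append((sourcetype, "volume_drop",
                             f"{counts[-1]} vs baseline {base:.0f}/bucket"))
    return findings


def availability(samples, start, end):
    """Fraction of [start, end) during which the last probe reported healthy.

    samples: [(timestamp, healthy_bool), ...] in time order. Time before the
    first probe, and time after an unhealthy probe, counts as unavailable.
    """
    ok_seconds = 0.0
    state, prev = False, start
    for ts, healthy in samples + [(end, None)]:
        if state:
            ok_seconds += (ts - prev).total_seconds()
        prev = ts
        if healthy is not None:
            state = healthy
    return ok_seconds / (end - start).total_seconds()


def sample_series():
    """Constructed ingestion counts, 08:00-10:00 UTC in 15-minute buckets."""
    def buckets(counts):
        return [(at(15 * i), c) for i, c in enumerate(counts)]
    return {
        "cisco:asa":            buckets([120, 115, 130, 118, 125, 122, 119, 124]),
        "WinEventLog:Security": buckets([300, 310, 290, 305, 295, 300, 310, 90]),
        "aws:cloudtrail":       buckets([50, 55, 48, 52, 51, 49, 53, 0]),
        "pan:traffic":          buckets([80, 82, 79, 81, 80, 83]),  # stops at 09:15
        "linux_secure":         buckets([3, 0, 2, 1, 0, 4, 2, 0]),  # too sparse
    }


SAMPLE_PROBES = [(at(0), True), (at(60), False), (at(70), True)]  # constructed


if __name__ == "__main__":
    now = at(120)
    for sourcetype, condition, detail in check_sources(sample_series(), now):
        print(f"DEGRADED {sourcetype}: {condition} ({detail})")
    avail = availability(SAMPLE_PROBES, at(0), now)
    print(f"availability {avail:.4%} (SLA {SLA_AVAILABILITY:.1%}: "
          f"{'met' if avail >= SLA_AVAILABILITY else 'missed'})")
```

In practice the bucket counts would come from a scheduled search rather than the constructed dictionary, and each finding would open the ticket against which the 2-hour detection measure above is taken. The median baseline is deliberately insensitive to a single earlier spike; the sparse-source cut-off avoids paging on sources that legitimately log a handful of events per interval.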
• Implement changes to the SIEM environment including but not limited to: software upgrades, new applications deployment, deploying new servers, modifying existing configuration of the SIEM environment, collecting new data sources, deploying new software.
• Follow the NCSC change management process to obtain approval before implementing changes. This includes, but is not limited to, creating the change request, ensuring all necessary information is provided with due diligence, following up the change request to ensure timely approval, attending CAB (Change Advisory Board) meetings when necessary, and providing an impact assessment when required.
• Coordinate all these changes with CSDE and external teams.
• Develop and maintain documentation guidelines, standard operating procedures, system and service design documents and other relevant documentation that support management of the data security systems.
Outcome:
• Assigned tasks shall be completed within the time allocated for this task by the requestor in the NCSC ticketing system(s). In case of an external request, the time to consider will be the time allocated by the CSDE cell head, the SDM or one of their delegated authorities.
• Within 1 working day after a meeting, an email containing the meeting minutes, all relevant information and the required actions shall be sent to the relevant people, including the SDM and the CSDE Cell Head.
• Quality of the reporting to be assessed by the Cell Head or the SDM.
• Provide support to customers (mainly security analysts, but not limited to them) facing issues or needing technical assistance
Outcome:
• Tickets shall be closed within the time allocated by the Cell Head, the SDM or their delegated authorities
• Problem resolution shall be confirmed by the requestor in the ticket.