Centralised Security Information and Event Management (SIEM)

Tender ID: 543849

Tender Details

Tender #: RFI-01918
Status: Closed
Publish Date: 14 November 2023
Closing Date: 28 November 2023

Tender Description

This Tender is invited by the Issuer.

The AGD needs to centralize its security monitoring capability.

We want to identify vendors with experience designing and implementing a centralized Security Information and Event Management (SIEM) system in a hybrid on-premises / multi-cloud environment.

We deploy solutions in Microsoft Azure, Dynamics 365, Amazon Web Services (AWS), and on-premises. We currently have limited use of Microsoft 365 (M365) but are expanding our adoption of the M365 security tools (M365 Defender). We currently use the native logging and monitoring tools within Azure (Log Analytics Workspaces) and AWS (CloudWatch). Splunk is used for on-premises logging and also ingests logs from Azure and AWS. This mix of environments poses significant challenges to achieving a consistent security management posture across the different technologies, as each adds complexity and additional potential attack vectors.

Whilst alerting is set up for some events, the response, remediation, and correlation of logging information across the different sources is very labour intensive and time consuming. This increases the risk of failing to detect security incidents, support internal investigations, and discover fraudulent activity. Furthermore, the Department is on an unsustainable trajectory of increasing costs as log volumes grow and log data continues to be ingested and moved between on-premises and cloud infrastructure.

Key problems to solve include:

  • design a cloud-hosted SIEM solution that provides centralized security logging and audit functions and improves the agency's incident response capability
  • design a cloud-hosted SIEM solution that provides real-time analysis of security logs and alerts generated by network hardware, server hardware, operating systems, and applications and services hosted on-premises and in the cloud, including those from existing security tooling such as M365 Defender and Defender for Cloud
  • design a cloud-hosted SIEM solution that integrates and accommodates the centralized logging and archiving requirements of the PSPF, the ISM, and the National Archives Act
  • develop key use cases that reflect industry practice and the intent of the PSPF/ISM, as well as use cases specific to the AGD
  • develop an implementation plan to manage the onboarding of systems and data sources in a controlled manner, so that only meaningful data is logged
  • produce a solution design that is cost effective and maximizes the value of our existing investments
  • provide cost modelling that enables the AGD to forecast and project SIEM operating costs
  • deliver a solution that can serve as a platform for incident response automation (SOAR)
  • deliver a solution that can serve as a platform for extended detection and response (XDR)

Information on approximate timeframes to deliver similar solutions is requested. Vendors are also invited to provide information on the SOC services they offer for customer SIEMs.

This RFI will be used to guide the RFQ requirements for an approach to a single Marketplace Panel.

This RFI will also be used to identify a shortlist of vendors that will be invited to respond to the RFQ.

To be eligible to respond to the RFQ, sellers must respond to this RFI.