SECURITY DEVICE MANAGEMENT

19

G-CLOUD SERVICE DEFINITION

SECURITY DEVICE MANAGEMENT

Security Device Management Service Page 1 of 15

Table of contents

1 Introduction .....................................................................................................................2

2 Service Overview ............................................................................................................3 2.1 Security Device Management .......................................................................................3 2.2 Service Description .......................................................................................................4 2.3 Supported technologies ................................................................................................6 2.4 Partner Certifications ....................................................................................................7 2.5 Scenario: Basis for price ...............................................................................................7 2.6 Technical Overview ......................................................................................................7 2.7 Customer Responsibilities ............................................................................................8 2.8 Optional Additional Services .........................................................................................8 2.9 Associated BAE Systems Managed Security Services .................................................8

3 Service Delivery ............................................................................................................ 10 3.1 Service management .................................................................................................. 10 3.2 Service constraints ..................................................................................................... 10 3.3 Service Levels ............................................................................................................ 10 3.4 Information assurance ................................................................................................ 11 3.5 Backup/Restore & Disaster Recovery ......................................................................... 11 3.6 On-boarding ............................................................................................................... 11 3.7 Training ...................................................................................................................... 11

4 Commercial Arrangements .......................................................................................... 12 4.1 Pricing ........................................................................................................................ 12 4.2 Ordering and invoicing process .................................................................................. 12 4.3 Customer responsibilities ............................................................................................ 12 4.4 BAE Systems Managed Security Protective Monitoring Terms and Conditions .......... 13 4.5 Termination terms....................................................................................................... 13 4.6 Financial recompense model for not meeting service levels ....................................... 13 4.7 Intellectual Property .................................................................................................... 13

5 Applied Intelligence: Information Intelligence ............................................................ 14

BAE Systems Applied Intelligence


1 Introduction

BAE Systems Applied Intelligence (formerly known as BAE Systems Detica) Cyber

Security capabilities within G-Cloud are drawn from our portfolio of services and solutions

which are designed to assist organisations in making cyber space safe for business and

governments. Our capabilities are organised into the four principal areas of Prepare,

Protect, Monitor and Respond as shown in Figure 1 below.

Business and technical services that

help our customers understand and

manage their cyber risk, make

informed investment decisions and

drive through improvements.

Repeatable products and solution

integration to protect business critical

information from cyber attack and

enable secure collaboration with

partners, clients and employees

Products and services that monitor

networks to identify malicious

behaviour, understand its intent and

prevent it from achieving its goal.

Consulting services which minimise

the business impact of a successful

cyber security attack through

remediation and crisis management

Figure 1 - BAE Systems Cyber Security Services

BAE Systems Cyber Security offering to G-Cloud is based on elements from the Prepare

and Monitor capability areas as described in the following Service Description documents:

BAE Systems Managed Security: Protective Monitoring Service

BAE Systems Managed Security: Advanced Threat Detection Service

BAE Systems Managed Security: Security Device Management (this document)

BAE Systems Managed Information Assurance Services

BAE Systems Security and Information Risk Services



2 Service Overview

2.1 Security Device Management

The BAE Systems Security Device Management service provides lifecycle management

of devices on behalf of the customer, focussed on devices that are used in the delivery of

network security solutions such as firewalls, IDS/IPS, web proxies, mail proxies,

vulnerability scanners, VPN devices, UTM devices and multi-factor authentication

systems. This service covers the full management lifecycle including configuration,

change control, break-fix, backups, availability & performance monitoring, software

upgrades and patching. This service is provided in conjunction with the Protective

Monitoring Service.

BAE Systems will configure devices within the scope of the service according to

manufacturer guidelines and best practice informed by our operational experience. We

will perform changes in response to threat intelligence (such as the delivery of custom

IPS signatures in addition to those supplied by the vendor), security remediation informed

by our monitoring services, general maintenance and in response to agreed service

requests raised by the Customer.

Capabilities provided by the SDM service include:

Proactive remediation – in response to a security incident remediation advice that

would otherwise be delivered to the customer’s resolver and IT management teams

is instead proactively carried out by BAE Systems security staff.

Custom signature deployment – in addition to maintaining vendor-supplied

signatures, rules, whitelists and blacklists BAE Systems, informed by our Threat

Intelligence service, will deploy custom content based on new threats.

Change control – standard change control as required by the customer e.g.

updating web proxy filter whitelists or adding/changing firewall policy configuration.

Device maintenance and update – updates of vendor-supplied patches and

content update packs ensuring your devices are always up to date.

Break-fix support – some customers prefer to retain break-fix support however

BAE Systems service desk and support teams can liaise and support break-fix

arrangements with vendors and suppliers on the customer’s behalf.



BAE Systems Operational service is depicted in the figure below and comprises the

Security Device Management service in addition to a number of supporting services

which enable this service, such as, Service Desk, Service Management, Threat Co-

ordination and Technology Support.

The following Service Request Catalogue is provided within the scope of Security Device

Management:

1. Firewall Management Service

2. IPS/IDS Management Service

3. Web Proxy Management Service

4. UTM Management Service

5. Vulnerability Scanning Service

6. Reactive Service Updates

2.2 Service Description

The Security Device Management service includes re-configuring of managed devices, in

response to either customer service requests or in response to identified security

incidents, This includes software updates/patches which may need to be applied in order

to maintain the effectiveness and availability of the devices. BAE Systems shall in

addition monitor the devices for service availability and performance.

BAE Systems will pro-actively update devices in response to identified security incidents

or known threats, for example, through the update of proxy white or black lists and

deployment of signatures. For these updates BAE Systems would be provided with pre-

approval for this change type.

2.2.1 Firewall Management Service

BAE Systems will configure and lockdown firewalls according to manufacturer guidelines

and will configure firewall rules, Network Address Translation (NAT), and site to site

Virtual Private Network (VPN) settings based on service requests raised by the customer,

in response to threat intelligence or in response to an incident discovered within the

monitoring services.



2.2.2 IPS/IDS Management Service

The BAE Systems IPS management service provides management of the IPS

infrastructure, in terms of configuration, policy creation, software upgrades, patching and

provision of vendor & BAE Systems signature updates.

In the event that a security incident that can be remediated via a custom deployed

signature BAE Systems will create and apply the signature as an internally generated

service request.

2.2.3 Web Proxy Management Service

BAE Systems will configure and lock down web proxies according to manufacturer

guidelines and will update blacklist or whitelist configuration based on service requests

raised by the customer.

Incidents that are raised as part of the monitoring services, or as a result of threat

intelligence, will also inform and result in changes to the devices.

2.2.4 UTM Management Services

For UTM devices (or “UTM like” devices such as NextGen Firewalls) BAE Systems

provides a combination of activities encompassing the firewall, IPS/IDS, proxy and VPN

functionality descriptions above in addition to the specialist capabilities provided by the

vendor device. Where the product provides sand-box anti-malware capabilities BAE

Systems threat intelligence informed malware information will be added to the vendor

detection capabilities in addition to performing platform extensions such as the definition

of rules.

2.2.5 Vulnerability Scanning Service

Execute vulnerability scans at an agreed periodic interval and interpret the scan results

on behalf of the Customer and produce remediation advice based on the output. Where

BAE Systems monitoring services are also procured by the customer the output of

vulnerability scanning is integrated with asset context information contained within the

monitoring toolsets.

2.2.6 Reactive service updates

The customer may request pre-agreed and defined configuration changes either via

contacting the BAE Systems service desk or by the BAE Systems customer portal. BAE

Systems shall categorise each request, ensure it is suitably authorised and then the

appropriate member of the operations team shall fulfil the request.

Requests are categorised as standard or emergency changes with appropriate response

SLAs for each. Typical requests include the modification of white or black lists,

configuring new site to site VPNs or modifying firewall rule-sets to allow application or

protocol traffic to be blocked or permitted.

As part of the delivery of this service the following are standard management activities to

ensure that the general health, availability and integrity of the devices can be maintained:

Software/Policy updates

Policy/Rule Auditing and Optimisation

Interface Statistics Capture



Bandwidth Statistics Capture

Resource Usage Statistics (e.g. CPU, Memory)

The customer may also request updates to the devices that are not predefined as set out

above, however these shall be treated as a change request and subject to the BAE

Systems change control process. To provide greater efficiency the outcome of this

process shall include where possible agreement with the customer on additional pre-

approved changes.

2.2.7 People

This service is operated by BAE Systems security specialists located in our UK based

Security Operations Centre (SOC), with access to our subject matter experts based in

BAE Systems BAE Systems offices worldwide and selected vendor support partners.

2.2.8 Technology

BAE Systems operates a centralised device monitoring platform where health monitoring

logs and events from managed devices are aggregated and triaged by the Operations

Centre. In order to effectively monitor the customer devices(s) without adding risk to the

customer environment, BAE Systems will require Customer Provided Management

Devices(s) (CPMD) to act as a management host that can be remotely accessed from the

BAE Systems SOC environment from which management activities will be performed.

The CPMD need to be authorised by the customer to conduct health monitoring activities

on the devices within scope for support. This same CPMD are used as a staging platform

for BAE Systems to conduct all changes from, and would also be used to host any local

configuration backups and a software repository.

BAE Systems maintain sole management access to the managed devices and only read

access may be granted to the customer if explicitly requested as a customer dependency.

BAE Systems maintains secure connectivity (e.g. via IPSEC VPN) to the CPMD using

either the customer internet connectivity and/or an out of band circuit.

The network model and the assets that comprise the customer network are modelled

within the centralised monitoring platform allowing the business criticality of systems to be

defined. This allows proposed changes to take into consideration any effects on the

customer environment.

2.2.9 Tuning

Tuning of the service involves the continual update of thresholds used to inform alerting

based on the trends identified as the service progresses and the effects of changes to the

customer environment.

2.2.10 Reporting

Service Performance shall be managed by the BAE Systems service management

service. This includes the provision of regular service reports, which shall include a

summary of all service requests opened, closed or which have remained open over the

previous service period, including a report on the performance against applicable service

levels. The Service Relationship Manager will offer to disseminate the regular service

reports with the customer during a face-to-face service review.

2.3 Supported technologies

Supported security point solutions and devices include:



Firewalls – products & vendors include: Cisco, Checkpoint, Juniper

UTM Devices, NextGen Firewalls and Specialist Devices – products & vendors

include: Palo Alto, FireEye MAS

IPS/IDS – products & vendors include: SourceFire, HP TippingPoint, SNORT, IBM

Proventia, Checkpoint, Cisco

Web Proxies & Security Gateways – products & vendors include: FireEye Email,

FireEye Web, Bluecoat Web and AV proxies, Websense Web and Email proxies

(inclusive of Triton)

Vulnerability Scanning and Monitoring – products & vendors include: ISS Site

Protector, Outpost24

DLP Solutions – ClearSwift DLP, WebSense DLP, McAfee DLP

VPN, Radius and Multi-factor Authentication Devices– products & vendors

include: Juniper, Checkpoint, Cisco, RSA, Swivel

The list above is provided as an indicator of the capabilities within the Security Device

Management service and not an exclusive list of device types or vendors supported.

2.4 Partner Certifications

BAE Systems have the following partner relationship certifications:

• Juniper Portfolio Elite Partner

• Cisco Gold Partner

• Blue Coat Global Systems Integrator

2.5 Scenario: Basis for price

The price of £470.00 per day provided has been generated using the following scenario:

2 x Checkpoint Firewall

10 x Juniper SRX210 Firewalls

1 x Juniper SRX220 Firewall



4 x Proventia GX6116 IPS

12 x Proventia GX4004 IPS

6 x Bluecoat AV 510-A Web Proxy

3 x Bluecoat SG 810-20 AV



2x ISS Site Protector management servers

2x RSA appliances

2.6 Technical Overview

Within the defined scope provided above BAE Systems will manage the devices in

accordance with the service definitions explained previously in this document. In addition

to this custom additions are made to the Bluecoat blacklists from our Threat Intelligence

service to supplement the vendor supplied information. Vulnerability scans are carried out



on a fortnightly scheduled basis across IP addresses both internally and externally within

the organisation in scope. The IPS management provided includes the provision of

custom IPS signatures/rules informed by our Threat Intelligence service and in response

to required security incident remediation over and above any vendor supplied content.

2.7 Customer Responsibilities

The customer shall:

Provide required information including: asset model, code of connection, nominated

contacts and network diagrams

Agree any non-standard device management scenarios / use cases which are to be

included within the service scope

Provide BAE Systems with access and credentials for security devices in scope

Agree scenarios and work instructions for incident mitigation with delegated

authority to perform emergency changes as required

Provide site-to-site connectivity with BAE Systems

Take appropriate remediation actions from vulnerability scanner results

2.8 Optional Additional Services

BAE Systems have not scoped the following services into the above scenario as they are

not core to Security Device Management. If these services are required, BAE Systems

will discuss your requirements and propose a suitable service and associated prices.

Security Log Retention: Collected security data, and historical correlation/analysis

(as well as associated alerts) for any duration from months to years, both online,

near-line and offline as required.

Response services: BAE Systems Cyber Response services are one of only four

CESG Cyber Incident Response Scheme providers and we have responded to

many varied and complex targeted attacks, ‘insider’ attacks and more over several

years and have a proven methodology. Services include forensics (including

emails, servers, network data and logs) and incident management services. These

services are available as per-incident services or on an annual retention basis.

Threat Intelligence: BAE Systems Managed Security services are built upon and

continuously improved by our Threat Intelligence research and collaboration.

Elements of this service are also available as an advisory service to further help UK

Government customers prepare for and response to cyber security incidents.

BAE Systems Managed Security Advanced Threat Detection (as detailed below)

BAE Systems Managed Security Protective Monitoring (as detailed below)

2.9 Associated BAE Systems Managed Security Services

Protective Monitoring provides holistic protection through the ingest and analysis of live

log data, and delivers real time alert of security incidents leveraged from data available

from existing security infrastructure and known threat signatures and likely indicators of

compromise.

The Protective Monitoring Service is part of the wider BAE Systems Managed Security

service portfolio, and complements the Advanced Threat Detection service.



Advanced Threat Detection complements and extends your security monitoring by

focussing on network and application behaviour from collected data, providing deep

insight into sophisticated threats using metadata gathered from network traffic, emails,

web traffic and DNS lookups.

Our monitoring for advanced threats identifies deep rooted and complex threats which

may lay dormant for many years, slowly gathering IPR or sensitive confidential data in

preparation for future exfiltration. These threats are rarely identifiable using traditional

security tooling and are designed to not be detected through monitoring of gateways and

firewalls.

Together, the BAE Systems Managed Security monitoring services offer unparalleled

confidence in security posture and on-going protection against the full spectrum of cyber

security threats.

When taken together, there are also operational benefits and overlaps that lead to

operational cost reductions – please contact BAE

Systems for more information on procuring a

combined service as opposed to individual lots.



3 Service Delivery

3.1 Service management

BAE Systems manages the delivery of Services to the Customer using ITIL v3 aligned

Service Management practices. This includes Service governance, escalation and

continual Service improvement.

Standard Service Reports will be provided as part of the Operational Services.

Name Description Format Due

Service Delivery

Management

Report

A report delivered to the Customer

detailing the Incidents detected, as

well as performance against all

Customer Service Levels

PDF report via

(encrypted) email

Monthly

Monthly/Quarterly

Service Review

Face to face review of Service

Delivery with the BAE Systems

Service Delivery Manager and the

Customer Account Manager

Slide deck for

discussion at

Customer or BAE

Systems offices

Quarterly

Annual Service

Review

Face to face review of Service

Delivery with the BAE Systems

Service Delivery Manager, the

Customer Account Manager and the

Customer Director(s)

Slide deck for

discussion at

Customer or BAE

Systems offices

Annually

The pricing assumes customer site visits within the M25 or BAE Systems Guildford office

3.2 Service constraints

The service and corresponding pricing has been sized to the scenario contained in

section 0 in order to offer a representative price for comparison purposes.

BAE Systems can however operate the Security Device Management service for larger

estates and a wide variety of devices.

3.3 Service Levels

The scenario and corresponding pricing has been based on the scenario contained in

section 0 and on the following indicative service measures:

Service Measure Channel Threshold

Emergency request response

Email sent from BAE Systems systems to the Customer

30 minutes (95% within Target Emergency Request Response Time if 20 or more Requests or no more than one failure if less than 20 incidents)

Emergency request fulfilment


4 Working Hours (95% within Target Emergency Request Fulfilment Time if 20 or more incidents or no more than one failure if less than 20 incidents)

Service request fulfilment


5 Working Days (95% within Target Service Request Fulfilment Time if 20 or more incidents or no more than one failure if less than 20 incidents)



The service measures above are an illustrative subset of the standard set of measures.

3.4 Information assurance

This service is available for customer estates assured to IL3 and below.

For IL4 and above (where the security meta-data is of the same impact level), or GPG13

compliance levels above ‘detect’ please contact BAE Systems to discuss your

requirements further.

3.5 Backup/Restore & Disaster Recovery

Disaster Recovery is included in the scope of this proposed scenario, the RPO for this

scenario is 4 hours and the RTO is 48 hours.

BAE Systems maintain a Business Continuity Plan should a scenario arise that affects

the ability of our analysts to operate from the Security Operations Centre, at which point

the operation of the service shall be from an alternate BAE Systems site.

3.6 On-boarding

During the Transition phase BAE Systems will work closely with the Customer to align the

processes delivered by BAE Systems with the Customer business processes required to

deliver the Operational Service.

BAE Systems will deliver the following deliverables as part of transition phase:

Deployment Plan;

Operational Service Pack,

During the transition phase there will be two key delivery milestones:

Interim Operational Capability (IOC): The point at which there is an operational

service executing and service charges become effective.

Full Operational Capability (FOC): The point at which the service is fully operational

and has completed Operational Acceptance Test (OAT) and all SLAs become

effective.

Transition is dependent on individual customer requirements; It is estimated that the

transition will be approximately 4-6 weeks duration.

3.7 Training

Not applicable.



4 Commercial Arrangements

4.1 Pricing

4.1.1 Price to operate

The price (excluding VAT) for the service is £470 per day, which equates to

approximately £170,000 per annum, for a one year commitment.

For a price which meets your specific requirements please contact BAE Systems.

4.1.2 Scenario restrictions

Break-fix contract is retained by the customer and the cost is excluded from the

operate price

All devices are included under a valid support and maintenance agreement for the

provision of vendor upgrades and updates.

The system within the scope of the service is at Impact Level 2.

Operation: 24x7 service

Service operation only: See the On-Boarding section above for an indicative

timescale for transition.

Service handover from an incumbent supplier is not included – this will be included

in the transition cost as is dependent on the incumbent supplier service

Exit costs are not included in this price.

4.2 Ordering and invoicing process

The Customer shall pay Supplier for the G-Cloud Services in the amount or at the rates

set out in section 4.1 together with all reasonable travel and subsistence expenses and

any other direct, non-labour charges as may be applicable. Supplier will invoice the

Customer quarterly in advance. All sums payable by the Customer to Supplier shall be

paid, without discount, set-off, counterclaim or other deduction within 30 days from the

date of Supplier’s invoice. Applicable taxes (including value added tax) shall be payable

additionally by the Customer at the prescribed rate at the time of invoicing.

The Customer shall notify Supplier in writing within 7 days of receipt of an invoice if the

Customer considers all or part of such invoice incorrect or invalid for any reason and the

reasons for disputing payment failing which the Customer will raise no objection to any

such invoice and will make full payment in accordance with it.

4.3 Customer responsibilities

The Customer shall provide to Supplier at no charge and in a timely manner, all such

documents information, materials, facilities, support, services and co-operation relating to

the G-Cloud Services including (without limitation) computer programs, data, reports and

specifications and other information (together “Customer Material”) as Supplier may

reasonably require for the proper performance of the G-Cloud Services and within

sufficient time to enable Supplier to perform those G-Cloud Services and the Customer

shall ensure that such are accurate and complete, and Supplier shall be entitled to rely

upon such as being accurate and complete without seeking to verify or check it.



The Customer shall provide Supplier, its agents, subcontractors, consultants and

employees, in a timely manner and at no charge, with access to any of the Customer's

premises, office accommodation, equipment, systems, networks, software, data and other

facilities as reasonably required by Supplier.

4.4 BAE Systems Managed Security Protective Monitoring Terms and Conditions

The full terms and conditions for this service can be found in ‘BAE Systems Applied

Intelligence MSS MSA’.

4.5 Termination terms

Not Applicable

4.6 Financial recompense model for not meeting service levels

Not applicable.

4.7 Intellectual Property

Details of the terms and conditions of the foreground IPR, please see the BAE Systems

Applied Intelligence MSS MSA. The proposed service in this document encompasses

some elements of the Threat Intelligence service; in addition to the standard IPR terms

and conditions please be aware of the following additional IPR restrictions:

Ownership of copyright and all other intellectual property in the Threat Intelligence

Deliverables and Services shall remain with BAE Systems at all times. Subject to

payment in full of each instalment of the fees for the Services Customer is granted a non-

exclusive, non sub-licensable, non-transferable, non-assignable, limited royalty free

license to use and copy the Threat Intelligence Deliverables solely for the Customer’s

internal business purposes. The Customer shall expressly not:

(i) sublicense, distribute, publicly perform or display, or otherwise share or make

accessible any Threat Intelligence Deliverables, data-feed, signatures, metadata,

analysis, tools or results from the Services or portions thereof to a third party;

(ii) export the Threat Intelligence Deliverables, data-feed, signatures, metadata, analysis,

tools or results from the Services, in whole or in part, in violation of applicable laws or

regulations or;

(iii) use the Services to offer products and services competitive with those of BAE

Systems, as reasonably determined by BAE Systems. All rights pertaining to Threat

Intelligence, in all materials created by BAE Systems during its performance of the

Services shall vest in and be the sole property of BAE Systems.



5 Applied Intelligence: Information Intelligence

BAE Systems Applied Intelligence is an information intelligence specialist. We help

government and commercial organisations exploit information to deliver critical business

services more effectively and economically. We also develop solutions to strengthen

national security and resilience, enabling citizens to go about their lives freely and with

confidence.

By combining technical innovation and domain knowledge, we integrate and deliver

world-class solutions — often based on our own unique intellectual property — to our

customers’ most complex operational problems.

We recognise the importance of Cloud services to the realisation of HMG’s IT Strategy

and have optimised many of our most compelling IT service offerings for Government on

G-Cloud. Through these offerings we are at the forefront of realising the full benefits of

Information Technology for our customers. Below is a summary of our G-Cloud services.

For more details on our G-Cloud services for G-Cloud, visit

www.baesystemsdetica.com/g-cloud or send us an email at [email protected].

Applied Intelligence is part of BAE Systems, the premier global defence, security and

aerospace company. BAE Systems delivers a full range of products and services for air,

land and naval forces, as well as advanced electronics, security, information technology

solutions and customer support services.

G-Cloud Service Service Description

Consultancy

Providing Business and IT strategy and transformation consultancy

services, including requirements management, organisational change, and

business case & benefits management.

Service Integration and

Management (SIAM)

Covering all aspects of SIAM services, from target operating model design,

to service integration, supplier management, architecture and transition and

transformation management.

Information Security

Cyber security assessments, architecture and testing services; Threat

detection, protective monitoring and security management services; Cyber

incident response, and Industrial Protection, Secure Web Gateway and

Cross domain services.

Agile Design and Delivery Services delivered using the Agile method for design and development,

including Secure-by-Design services.

Architecture The design of end-to-end architecture solutions, including infrastructure,

operations, applications and service, as well as enterprise architecture.

Data Services

Data management, protection and exploitation services covering people,

process, data and technologies. Includes maturity assessments,

organisation design and provision of data analytics services.

Programme Management Provision of programme management and support experts to provide

delivery and/or assurance of internal and external programmes.

Digital Media Digital transformation, media development, including user experience, social

business and mobile media.

Secure Mobility &

MobileProtect

From mobile strategy, through to development of your secure mobile

proposition for your user base; Cloud based protection for your user base’

portfolio of mobile devices.

NetReveal® OnDemand Cl Cloud based delivery of the global leader in counter fraud software.

mailto:[email protected]



Applied intelligence Limited is a BAE Systems company, trading as BAE Systems Applied Intelligence. Applied Intelligence Limited is registered in England (No.1337451) with its registered office at Surrey Research Park, Guildford, England, GU2 7YP. Copyright © BAE Systems plc 2014. All Rights Reserved. BAE SYSTEMS, APPLIED INTELLIGENCE and the names of the BAE Systems Applied Intelligence products referenced herein are trademarks of BAE Systems plc and are registered in certain jurisdictions.

Documents

SECURITY DEVICE MANAGEMENT