Procurement details: Sentinel Security Engineer
-
1. Context and requirements
-
Terms and acronyms
-
SecurePlace: DWP iteration of ServiceNow Security Modules (VR, SIR and IRM)
-
SMI: Security Monitoring and Investigations
-
SOC: Security Operations Centre
-
C and C: Communication and Collaboration - Internal team responsible for comms and collab technical solutions
-
Summary of work
-
We require third-party expertise in Microsoft Sentinel to define, build and test security use cases in collaboration with the wider security functions defined in the operating model. These third-party engineering services will coordinate with team members across SecurePlace, Comms and Collab, and SMI, as these are the key stakeholders defined in the Cyber SOC Factory Model and the primary contributors to and users of its inputs and outputs, along with various other product and operational teams, to discover and prioritise security use cases achieved through analysis of the data sources being ingested into our Microsoft Sentinel instance. This will ensure we have relevant mitigating controls in place for the risks and control gaps defined as part of our Security Risk Management process. Following contract award, upon commissioning of a statement of work, the Department reserves the right to hold a discussion with any workers the supplier may provide, alongside a CV review, to ensure the suitability of the worker's skills and experience. The Department therefore reserves the right to reject a worker that it deems not to have the appropriate skills or cultural fit to deliver under the given statement of work.
-
Where the supplied staff will work
-
No specific location (for example they can work remotely)
-
Who the organisation using the products or services is
-
Why the work is being done
-
Access to DWP critical services and their data remains at constant risk of exposure to internal and external threats. Significant investment is made to continually assess risk likelihood and impact across all of the Department's Digital services, led by the Digital Security Risk Management team. The Cyber SOC Factory process aims to apply mitigating controls against identified risks by bringing together security experts across Digital and S and DP to collectively review the residual risks and to prioritise and scope risk treatment activities. Within the Cyber SOC Factory process exists a federated Sentinel SOC Factory, which takes outputs from the holistic operating model and enables a virtual team of cross-functional security SMEs to design, build and test security use cases to effectively manage the identified risks. We require a security engineer with advanced Microsoft Sentinel skills to collaborate with team members across SecurePlace, Comms and Collab, Security Monitoring and various other product and operational teams to build security use cases, achieved through analysis of the data sources being ingested into our Microsoft Sentinel instance. This will ensure we have relevant mitigating controls in place for the risks and control gaps defined as part of our Security Risk Management process.
-
The business problem
-
Procure Security Engineering support to undertake the tasks to define and build security use cases within MS Sentinel by analysing data sources and events from across all of our integrating products, with a built-in knowledge transfer element to pass knowledge and skills to DWP engineering colleagues. Work will be outcome based and payments will be tied to delivery milestones.
Strategic:
- Analyse our requirements and priorities to collaborate in delivering against our wider strategic roadmap
- Help configure and develop our Azure Subscription that hosts our Sentinel production instance
- Mature our monitoring, alerting, hunting and reporting based on data ingested into Sentinel (specifically Azure/M365 logs)
- Improve our security status by reducing risks and attacks against our Azure / M365 environments
- Help discover threat vectors to our Azure / M365 environments
- Provide guidance on how to best meet industry best practices for the deployment and operational live service of Sentinel
Tactical:
- Co-design, develop, deploy and review Sentinel Analytics rules
- Co-design, develop, deploy and review Sentinel Workbooks and Notebooks
- Co-design, develop, deploy and review Sentinel automation and integration playbooks
- Configure and optimise (health and cost) our Sentinel-connected Log Analytics Workspace
- Co-design, develop, deploy and review our Syslog Connector
-
The people who will use the product or service
-
Security Incident Manager: I need to understand the security use cases required for monitoring so that I can respond to them effectively
-
Security Risk Manager: I need a vehicle to progress risk treatment activities so that identified risks are managed
-
Sentinel Product Owner: I need engineering skills in my team so that identified use cases can be scoped, designed and built
-
Cyber SOC Factory Model Process Owner: I need a process to manage the identified risks so that mitigating controls can be identified and applied
-
Service Owner: I need a process to submit identified security risks to so that mitigating controls can be defined and implemented
-
Any pre-market engagement done
-
Work done so far
-
This is an operational service, where various security use cases built from various Sentinel data sources have been developed and are actively in use by CRC. The work required here will be to assess the effectiveness of some of these active use cases in terms of their ability to provide mitigating controls to observed security risks, as well as to define additional use cases based on additional data sources available.
-
Which phase the project is in
-
Live
-
Existing team
-
The supplier will be working with multiple teams spanning Digital and S and DP to utilise their vast knowledge of security products, governance mechanisms, data sources, outputs and requirements. These teams come together as part of a Cyber SOC Factory Operating Model, whose aim is to identify mitigating controls off the back of the security risk assessments that are carried out across DWP's business services. This includes Security Analysts, Security Engineers, Security Architects, Business Analysts, Product Owners and Risk Managers, all of whom have a stake in identifying the required mitigating controls across these services and working together to manage the risk to them as effectively as possible.
-
Address where the work will be done
-
No specific location, although occasional travel to the Digital Hubs may be requested to assist with workshop activities.
-
Working arrangements
-
No specific location, although occasional travel to the Digital Hubs may be requested to assist with workshop activities.
-
Security and vetting requirements
-
Security Check (SC)
-
Latest start date
-
15 November 2024
-
Expected contract length
-
Contract length: 2 years 0 months 0 days
-
Optional extension: 1 year 0 months 0 days
-
Special terms and conditions
-
DWP Minimum Security Schedule - Attached
-
DWP Offshoring Clauses - Attached
-
Budget
-
Indicative maximum: £2300000
-
Indicative minimum: £650000
-
Further information
-
Contracted out service or supply of resource?
-
Supply of resource: the off-payroll rules may apply
-
2. Assessment criteria
-
How many suppliers to evaluate: 3
-
Technical competence: 60%
-
Cultural fit: 10%
-
Social values: 10%
-
Price: 20%
-
Technical competence
-
Essential skills and experience: 15%
-
Nice-to-have skills and experience: 5%
-
Technical questions: 80%
-
Essential skills and experience
-
Analyse our requirements and priorities to collaborate in delivering against our wider strategic roadmap (weighting 5%)
-
Help configure and develop our Azure Subscription that hosts our Sentinel production instance (weighting 5%)
-
Mature our monitoring, alerting, hunting and reporting based on data ingested into Sentinel (specifically Azure/M365 logs) (weighting 5%)
-
Improve our security status by reducing risks and attacks against our Azure / M365 environments (weighting 5%)
-
Help discover threat vectors to our Azure / M365 environments (weighting 5%)
-
Co-design, develop, deploy and review Sentinel Analytics rules (weighting 5%)
-
Co-design, develop, deploy and review Sentinel Workbooks and Notebooks (weighting 5%)
-
Co-design, develop, deploy and review Sentinel automation and integration playbooks (weighting 5%)
-
Configure and optimise (health and cost) our Sentinel-connected Log Analytics Workspace (weighting 5%)
-
Co-design, develop, deploy and review our Syslog Connector (weighting 5%)
-
Experience using security products such as XDR, EDR, IDS/IPS and SOAR (weighting 5%)
-
Deep understanding of risk assessment and management methods (weighting 5%)
-
Experience working with various multi-disciplined teams in an agile manner (weighting 5%)
-
Regulatory compliance experience such as GDPR, NIST and ISO 27001 (weighting 5%)
-
Proficiency in KQL for advanced query writing (weighting 10%)
-
Proven ability in designing, developing and automating incident response playbooks (weighting 10%)
-
Experience securing environments across multiple cloud providers (weighting 10%)
-
Nice-to-have skills and experience
-
Producing technical documentation in alignment with organisational standards (weighting 10%)
-
Taking the lead during technical workshops to define specific use case requirements (weighting 10%)
-
Highlighting technical or process dependencies and working with business stakeholders to negotiate resolutions (weighting 10%)
-
Proposing optimal reporting methods for delivered security use cases to demonstrate control effectiveness (weighting 10%)
-
Knowledge of ITSM products such as ServiceNow (weighting 15%)
-
Experience in designing and implementing machine learning models or advanced analytics for anomaly detection (weighting 10%)
-
Knowledge of other SIEM platforms (weighting 10%)
-
Experience in leading or managing a SOC, with a deep understanding of SOC workflows, KPIs and operational challenges (weighting 15%)
-
Knowledge of securing containerised environments (weighting 10%)
-
Technical questions
-
Describe a recent project where you have implemented Microsoft Sentinel in an enterprise environment. What challenges did you face, and how did you overcome them? (weighting 15%)
-
How do you utilise Azure Security Centre and Azure Defender to enhance threat detection and response in conjunction with Sentinel? (weighting 15%)
-
How do you ensure that security use cases and analytics rules in Sentinel are aligned with regulatory requirements? (weighting 15%)
-
Can you provide an example of how you have integrated a security framework like MITRE ATT&CK into Sentinel's detection rules? (weighting 15%)
-
Explain how you have integrated Sentinel with other security tools such as EDR, IDS or vulnerability scanners. What were the key considerations and challenges? (weighting 15%)
-
Describe your process for designing and implementing an incident response playbook in Sentinel. How do you ensure the playbook is effective and efficient? (weighting 15%)
-
How do you typically integrate into an agile team working on security operations? Can you provide an example of how you collaborated with other teams, such as Security Monitoring, Platform and Data Owners, to achieve a security outcome? (weighting 10%)
-
Cultural fit questions
-
How do you ensure clients get the highest level of value out of their Microsoft products? (weighting 15%)
-
Advise how you ensure you are able to translate a client's compliance and risk requirements into technology deliverables using the power of the Sentinel platform. (weighting 15%)
-
Explain how you work as a team with our organisation and other third-party suppliers. (weighting 15%)
-
Explain how you ensure transparency and collaboration when making daily decisions. (weighting 15%)
-
Do you have a no-blame culture that encourages learning from mistakes and places high importance on feedback? (weighting 10%)
-
Do you take responsibility for your work? (weighting 10%)
-
How can you ensure you will share required knowledge with other team members? (weighting 10%)
-
Are you willing to challenge the status quo? (weighting 10%)
-
Social value questions
-
Please describe the commitment your organisation will make to ensure that opportunities under the contract deliver the Policy Outcome and Award Criteria listed below. Please include your 'Method Statement', stating how you will achieve this and how your commitment meets the Award Criteria. The model award criteria used to assess this are as follows:
- MAC2.1: Create opportunities for entrepreneurship and help new organisations to grow, supporting economic growth and business creation.
- MAC2.2: Create employment and training opportunities, particularly for those who face barriers to employment and/or who are located in deprived areas, and for people in industries with known skills shortages or in high growth sectors.
- MAC2.3: Support educational attainment relevant to the contract, including training schemes that address skills gaps and result in recognised qualifications.
-
Weighting: 100%
-
Pricing model
-
Time and materials
-
Additional assessment methods
-
None
-
Question and answer session details
-
N/A. Clarification questions will be answered in writing.
-
How suppliers will be scored
-
Not met (score 0): The response does not meet any of the requirements or no response has been provided. An unacceptable and / or non-compliant response with serious reservations, demonstrating no understanding of the requirement.
-
Partially met (score 1): The response has met some, but not all, elements of the requirement, which poses a risk that the proposal will not meet the deliverables required. The response does not demonstrate a full understanding of the requirement, posing major concerns.
-
Met (score 2): The response is acceptable and meets all the basic requirements. However, the response is not sufficiently detailed to minimise risk and / or the proposed approach may require additional support (in addition to that outlined in the Statement of Requirements) from the Contracting Authority to meet its deliverables.
-
Exceeded (score 3): The response exceeds requirements, providing detail that minimises risks to delivery. The response is comprehensive and unambiguous, demonstrating a thorough understanding of the requirements and providing details of how the requirement will be met in full without additional support from the Contracting Authority, other than that outlined within the Statement of Requirements.
-
3. Timeline
-
Publication of stage 1: 06/09/2024
-
Clarification period closes: 12/09/2024 14:00
-
Deadline for suppliers to submit their stage 1 responses: 20/09/2024 16:00