Monday, December 06, 2010

Cyber Defence Management System

The Australian Government has issued a Request for Information for a Cyber Event Management and Reporting System (DISG ITR 2010/18, 3 December 2010). The RFI was issued by the Defence Intelligence and Security Group of the Department of Defence, for the DSD Cyber Security Operations Centre (CSOC):

DESCRIPTION OF REQUIREMENT

  1. The Defence Signals Directorate (DSD) is seeking expressions of interest from industry relating to commercially available software applications capable of providing a Cyber Event Management and Reporting System (CEMaRS) capability. The CEMaRS application will provide support to the DSD Cyber Security Operations Centre (CSOC) and its role in defending Australian Government information networks.
  2. The CEMaRS application will provide the CSOC with a capability to view all reported or identified cyber events, to consolidate information relating to events, and to make informed decisions in responding to events.
  3. The system must:
    1. provide a capability to view all reported or detected cyber events including the ability to:
      1. ingest identified cyber events with the ability to handle substantial data rates;
      2. support flexible data ingest allowing for the addition of new sources of information and data in a variety of formats, including the ability to modify and customise these data sources;
      3. support manual entry of events reported;
      4. ingest event and system logs provided by other sources and customer organisations;
      5. support multi-dimensional prioritisation across all events including, but not limited to, source, target and level of success; and
      6. support analysis of cyber events including viewing of all associated data to draw analytical conclusions,
    2. provide a tasking and workflow capability to consolidate event information and enable informed decisions to be made to coordinate and assist with operational responses to cyber events. This includes the ability to:
      1. create new tasks relating to cyber events, assign tasks to staff or teams, and link tasks to a workflow;
      2. manage all aspects of a workflow associated with cyber event management, including for specific policy workflows; and
      3. support user access controls restricting or providing access to tasks and workflows,
    3. support context searching across tasks, workflows, all associated event data, or any other ingested data;
    4. support correlation and association between events, tasks, and existing knowledge-bases enabling staff to draw comprehensive analytical conclusions;
    5. provide the ability to store data over a significant and customisable time period allowing for historical event and task correlation;
    6. provide seamless integration between event management and associated tasking and workflows;
    7. support flexible interfaces and system customisation to support evolving business processes, integration to other systems (such as an existing knowledgebase), and the addition of new custom analytic tools;
    8. support the creation of tailored statistical reports of managed events, tasks and workflows;
    9. support a scalable and extensible architecture;
    10. support user authentication to the corporate LDAP service; and
    11. support the use of commodity hardware. ...
From: Cyber Event Management and Reporting System, RFI DISG ITR 2010/18, Defence Intelligence and Security Group, Australian Department of Defence, 3 December 2010
