
Sentinel Security Engineer

Description

Summary of work

We require third-party Microsoft Sentinel expertise to define, build and test security use cases in collaboration with the wider security functions defined in the operating model. These third-party engineering services will coordinate with team members across SecurePlace, Comms and Collab, and SMI, as these are the key stakeholders defined in the Cyber SOC Factory Model and the primary contributors to, and users of, its inputs and outputs, along with various other product and operational teams, to discover and prioritise security use cases through analysis of the data sources being ingested into our Microsoft Sentinel instance. This will ensure we have relevant mitigating controls in place for the risks and control gaps defined as part of our Security Risk Management process.

Following contract award, upon commission of a statement of work the Department reserves the right to hold a discussion with any workers the supplier may provide, alongside a CV review, to ensure the suitability of the worker's skills and experience. The Department therefore reserves the right to reject a worker it deems not to have the appropriate skills or cultural fit to deliver under the given statement of work.

Where the supplied staff will work

No specific location (for example, they can work remotely).

Why the work is being done

Access to DWP critical services and their data remains at constant risk of exposure to internal and external threats. Significant investment is made to continually assess risk likelihood and impact across all of the Department's digital services, led by the Digital Security Risk Management team. The Cyber SOC Factory process aims to apply mitigating controls against identified risks by bringing together security experts across Digital and S and DP to collectively review the residual risks and to prioritise and scope risk treatment activities.

Within the Cyber SOC Factory process exists a federated Sentinel SOC Factory, which takes outputs from the holistic operating model and enables a virtual team of cross-functional security SMEs to design, build and test security use cases to effectively manage the identified risks. We require a security engineer with advanced Microsoft Sentinel skills to collaborate with team members across SecurePlace, Comms and Collab, Security Monitoring and various other product and operational teams to build security use cases, achieved through analysis of the data sources being ingested into our Microsoft Sentinel instance. This will ensure we have relevant mitigating controls in place for the risks and control gaps defined as part of our Security Risk Management process.

The business problem

Procure security engineering support to define and build security use cases within Microsoft Sentinel by analysing data sources and events from across all of our integrating products, with a built-in knowledge transfer element to pass knowledge and skills to DWP engineering colleagues. Work will be outcome based and payments will be tied to delivery milestones.

Strategic:
- Analyse our requirements and priorities to collaborate in delivering against our wider strategic roadmap
- Help configure and develop the Azure subscription that hosts our Sentinel production instance
- Mature our monitoring, alerting, hunting and reporting based on data ingested into Sentinel (specifically Azure/M365 logs)
- Improve our security posture by reducing risks and attacks against our Azure/M365 environments
- Help discover threat vectors to our Azure/M365 environments
- Provide guidance on how best to meet industry best practice for the deployment and operational live service of Sentinel

Tactical:
- Co-design, develop, deploy and review Sentinel analytics rules
- Co-design, develop, deploy and review Sentinel workbooks and notebooks
- Co-design, develop, deploy and review Sentinel automation and integration playbooks
- Configure and optimise (health and cost) the Log Analytics workspace connected to Sentinel
- Co-design, develop, deploy and review our Syslog connector

The people who will use the product or service

User type: Security Incident Manager
Definition: I need to understand the security use cases required for monitoring so that I can respond to them effectively

User type: Security Risk Manager
Definition: I need a vehicle to progress risk treatment activities so that identified risks are managed

User type: Sentinel Product Owner
Definition: I need engineering skills in my team so that identified use cases can be scoped, designed and built

User type: Cyber SOC Factory Model Process Owner
Definition: I need a process to manage the identified risks so that mitigating controls can be identified and applied

User type: Service Owner
Definition: I need a process to submit identified security risks to so that mitigating controls can be defined and implemented

Work done so far

This is an operational service: various security use cases built from various Sentinel data sources have been developed and are actively in use by CRC. The work required here will be to assess the effectiveness of some of these active use cases in terms of their ability to provide mitigating controls for observed security risks, as well as to define additional use cases based on the additional data sources available.

Which phase the project is in

Live

Existing team

The supplier will be working with multiple teams spanning Digital and S and DP to utilise their extensive knowledge of security products, governance mechanisms, data sources, outputs and requirements. These teams come together as part of a Cyber SOC Factory Operating Model, whose aim is to identify mitigating controls off the back of the security risk assessments carried out across DWP's business services. This includes Security Analysts, Security Engineers, Security Architects, Business Analysts, Product Owners and Risk Managers, all of whom have a stake in identifying the required mitigating controls across these services and in working together to manage the risk to them as effectively as possible.

Address where the work will be done

No specific location, although occasional travel to the Digital Hubs may be requested to assist with workshop activities.

Working arrangements

No specific location, although occasional travel to the Digital Hubs may be requested to assist with workshop activities.

Security and vetting requirements

Security Check (SC)

Latest start date

15 November 2024

Expected contract length

Contract length: 2 years 0 months 0 days
Optional extension: 1 year 0 months 0 days

Special terms and conditions

- DWP Minimum Security Schedule - Attached
- DWP Offshoring Clauses - Attached

Budget

Indicative maximum: £2,300,000
Indicative minimum: £650,000

Contracted out service or supply of resource?

Supply of resource: the off-payroll rules may apply

Terms and acronyms

- SecurePlace: DWP iteration of the ServiceNow Security Modules (VR, SIR and IRM)
- SMI: Security Monitoring and Investigations
- SOC: Security Operations Centre
- C and C: Communication and Collaboration - internal team responsible for comms and collab technical solutions

Questions and Clarifications

1. Do "logging policies" or standards exist already within the organisation?
Yes.
Last updated: 17/09/2024

2. Please could you confirm whether an example of previous experience is required for every essential/nice-to-have question response (as is usual for DOS bids) or just those where it is specified?
Yes, an example of previous experience is required for every essential/nice-to-have question.
Last updated: 17/09/2024

3. Is there a list of data sources being considered?
Yes, M365 and Azure Entra logs - XDR logs.
Last updated: 17/09/2024

4. Skills across Sentinel and M365/Azure security: can this be addressed by multiple individuals in an outcome-based model?
No, any single individual should have the deep knowledge required of the XDR logs.
Last updated: 17/09/2024

5. Has threat modelling been conducted upstream, within the Security Risk Management process? Is there a specific framework being used?
No.
Last updated: 17/09/2024

6. Other than ServiceNow and Microsoft XDR/Sentinel, are there a lot of technologies that may require integration for security automation?
Sentinel analytics rules and Azure automation - Logic Apps.
Last updated: 17/09/2024

7. Do any systems already exist, such as micro-simulation for assurance purposes?
They may; however, the individual will not have access to these.
Last updated: 17/09/2024

8. Can it be confirmed that the response limit is per requirement? i.e. 17 x 750-character responses for 'Essential Skills and Experience' and 9 x 750-character responses for 'Nice-to-have Skills and Experience'?
Correct. The limit is 750 characters per skill/experience.
Last updated: 17/09/2024

Timeline

Publish date: 13 days ago
Close date: in 1 day

Buyer information

Department For Work and Pensions (DWP)