
Technical Proposal

SOC Build and Enablement Services


PSD Document
SOC Build and Enablement Services – PSD

Document Control

Document Title
SOC Build and Enablement Services

Document Code

Document Classification
Confidential

Revision
01

Date
2022-8-21

Copyright © 2022 Data Consult. All Rights Reserved.



Table of Content
Table of Content 3
1. Proposed Solution description 4
A. Service Description and Scope of Work 4
B. SOC Monitoring Solution Architecture provided to the customer 7
C. Data Consult Deployment Approach 9
1. SOC Implementation and Integration 9
2. SOC Operations 10
D. Project Deliverables 13
E. Roles and Responsibilities 14
F. Project Schedule and Timeline 16
G. Service Level Agreements and Responsibilities 17
H. Minimum Hardware Requirements for SOAR Solution 20
2. Project Management Principles 23
3. Client Engagement Process 25
A. Phase 1: Coordinate/Plan/Prepare 25
B. Phase 2: Kick-off Meeting 25
C. Phase 3: Project Delivery 26
D. Phase 4: Results 27
E. Phase 5: On-going Support 27
F. Managed SOC Services Period 27
G. Continuous Quality Assurance 27
H. Account Management 27
4. Bill of Quantities 29
5. Pricing 30
Payment Terms
Payment Plan
6. Document Approval 32


1. Proposed Solution description

A. Service Description and Scope of Work

Data Consult is proposing a solution that entails the following components:

SOC Implementation Package


Data Consult engineering and security teams will work closely with the customer's security and project management teams to enable a smooth implementation of the components required for the delivery of the services. These components include a variety of technologies and engineering activities, which we describe at a high level here:

- Information gathering about the monitored environments, usage patterns, existing solutions placement, network layouts, traffic flows, existing security integrations and monitoring capabilities.
- Alignment to requirements and expectations from Managed Security Services.
- Implementation of SIEM, Ticketing System and EDR.
- Implementation of a SOAR platform that will act as a central fusion point for all technologies, through integration with the SOC solutions, to augment the capabilities of the MSS operations.
- Integration of the installed SOC systems to achieve efficient interoperability.
- Enablement and optimization of use cases and detection rules on SIEM and EDR.
- Proposal of new use cases and detection rules to cover more attack vectors.
- Elaboration of Security Operations processes and incident handling workflows for better alignment with the designated MSS services.
- Configuration of the SIEM solution for 3 months of online log retention and 12 months offline.

Once complete, the material and documentation elaborated or reviewed will be handed over to the service delivery team and used by the security operations team for both SOC security operations and engineering activities.


8x5 SOC Monitoring Services (Level 2 Operations) using SIEM, SOAR and security technologies

We will carry out this service on an 8x5 basis, remotely from the Data Consult Security Operations Center, using the SOAR solution as the primary point of operations and traversing the customer network to reach the SOC infrastructure.

In addition to the existing tools, the Data Consult team will rely on the EDR solution of the monitored environment (a prerequisite) and will install an on-premises SOAR solution to act as the central hub for security investigations and case management.

The service wrapper will include the following:

- 8x5 Level 2 Cyber Defense Analyst services.
- Classification and prioritization of security incidents and generation of tickets.
- Triage and prioritization of detected incidents.
- Root cause analysis of detected incidents.
- Alarms and notifications via the Case Management System in general, and by phone for critical incidents.

For the SOC augmentation Data Consult is proposing the following resources:

- 2x Level 2 Cyber Defense Analyst - Full Time Employees (FTEs) on an 8x5 basis
- 1x Level 3 Lead Cyber Defense Analyst - Full Time Employee (FTE) on an 8x5 basis

Further augmentation can take place once insights have been gained into the environments covered during monitoring.

120 Hours/Year Remote Incident Response Retainer (Reactive Security Operations)

The Incident Response retainer services include:

- Receipt of escalated incidents from L2 SOC analysts.
- Identification of, and advisory on, isolation and containment procedures for occurring incidents, in close collaboration with the customer team.
- Forensics and root cause analysis of detected incidents.
- Conducting real-time and post-mortem remote incident analysis and remediation.
- Reporting related to cyber security incidents (occurring incidents, common causes, most exposed systems, analytics, solved/unsolved tickets, etc.).


Security Engineering and Use Case Management:

The Data Consult team will optimize the existing use cases and detection rules. Moreover, the engineering team will propose newly required use cases and detection rules to allow coverage of more attack vectors.

Service Coverage: 2 new use cases per quarter (8 tuned use cases per year).

Location of Services

Data Consult will deliver services remotely from its Security Operations
Center facility in KSA.

Further details about the approach, assumptions and responsibilities can be found
in section “Data Consult Deployment Approach”.


B. SOC Monitoring Solution Architecture provided to the customer

Data Consult will rely on a VPN and a hypervisor at the customer end to connect to the Master SIEM, Master SOAR, Case Management, Ticketing System and EDR at the Customer end.


To enable the augmentation of Managed SOC services, the remote IR services, and the SIEM use case engineering and reporting, the following connections, integrations and controls are needed:

1. Secure VPN Tunnel from the Data Consult KSA Tenant to the Customer location:
A VPN tunnel should be implemented between the Data Consult tenant in Azure and the Customer site, and then from the Customer site to the designated monitored environment. The connectivity provided should allow the SOC assets and analyst endpoints of Data Consult in KSA to communicate with the designated monitored environment (SIEM, SOAR, Ticketing System, EDR).

2. Audited Access:
Monitoring should be enforced on the tunnels established from Data Consult KSA to the designated monitored environment.

3. Encryption is always required:
Encryption and any other supporting encryption mechanisms will be enforced to guarantee the minimal level of traffic exposure possible during network transit.

4. Thorough Monitoring of the MSS Supporting Infrastructure:
Apart from the internally monitored Managed Security Infrastructure at Data Consult, all the nodes and systems between the Data Consult infrastructure, the customer end and the designated monitored infrastructure will be thoroughly monitored, with regular timely reporting on findings and security KPIs.
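As an added illustration of items 2 and 4 above (audited and monitored access over the tunnel), the following Python script is not part of the proposal nor of any Data Consult tooling. It audits a constructed, key=value style VPN session log against an allow-list of the designated monitored systems, a list of authorised analyst accounts, the MFA requirement stated in the Prerequisites section, and the 8x5 service window. The log format, the RFC 5737 placeholder addresses, the account names and the 09:00-17:00 Sunday-to-Thursday window are all assumptions made for the example.

```python
import re
from datetime import datetime, time

# Allow-list of the designated monitored systems reachable over the tunnel.
# Addresses are constructed RFC 5737 placeholders, not real customer hosts.
ALLOWED_DESTINATIONS = {
    "192.0.2.10": "SIEM",
    "192.0.2.11": "SOAR",
    "192.0.2.12": "Ticketing System",
    "192.0.2.13": "EDR",
    "192.0.2.20": "Hypervisor (central access)",
}
# Constructed analyst accounts: two L2 analysts and one L3 lead, as in the proposal.
AUTHORISED_ANALYSTS = {"cda-l2-01", "cda-l2-02", "cda-l3-lead"}

# Assumed 8x5 service window (09:00-17:00, Sunday to Thursday); the proposal
# states 8x5 but not the hours.
WORK_START, WORK_END = time(9, 0), time(17, 0)
WORK_DAYS = {6, 0, 1, 2, 3}  # datetime.weekday(): Sunday=6 ... Thursday=3

# Assumed record shape: "<ISO timestamp>Z key=value key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+(?P<kv>.+)$")


def parse_line(line: str):
    """Parse one session record; returns None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def in_service_window(ts: datetime) -> bool:
    """True when the timestamp falls inside the assumed 8x5 window."""
    return ts.weekday() in WORK_DAYS and WORK_START <= ts.time() < WORK_END


def audit_session(rec: dict) -> list:
    """Return the policy findings for one tunnel session record (empty = clean)."""
    findings = []
    if rec.get("user") not in AUTHORISED_ANALYSTS:
        findings.append("account not in the authorised SOC analyst list")
    if rec.get("mfa") != "yes":
        findings.append("session established without MFA")
    if rec.get("dst") not in ALLOWED_DESTINATIONS:
        findings.append("destination outside the monitored-environment allow-list")
    if not in_service_window(rec["ts"]):
        findings.append("session outside the 8x5 service window")
    return findings


def audit_log(lines) -> list:
    """Audit every record; malformed lines are reported rather than silently dropped."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            results.append({"ts": None, "user": None, "dst": None,
                            "reason": "malformed record: " + line.strip()})
            continue
        for reason in audit_session(rec):
            results.append({"ts": rec["ts"].isoformat(), "user": rec.get("user"),
                            "dst": rec.get("dst"), "reason": reason})
    return results


# Constructed sample log. 2022-09-04 is a Sunday and 2022-09-09 a Friday.
SAMPLE_LOG = """\
2022-09-04T10:02:11Z user=cda-l2-01 src=198.51.100.5 dst=192.0.2.11 dport=443 mfa=yes action=connect
2022-09-04T10:05:40Z user=cda-l2-02 src=198.51.100.6 dst=192.0.2.13 dport=443 mfa=yes action=connect
2022-09-04T11:15:02Z user=cda-l2-01 src=198.51.100.5 dst=192.0.2.50 dport=445 mfa=yes action=connect
2022-09-04T22:40:19Z user=contractor7 src=198.51.100.9 dst=192.0.2.10 dport=443 mfa=no action=connect
2022-09-09T10:00:00Z user=cda-l3-lead src=198.51.100.7 dst=192.0.2.20 dport=443 mfa=yes action=connect
this line is not a session record
""".splitlines()

if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

The fourth sample record produces three findings at once (unknown account, no MFA, out of hours), which is the kind of session the "Audited Access" control exists to surface; the lead analyst's Friday session is flagged only as out of window, since the retainer may legitimately be exercised outside 8x5 and the finding is for review, not an automatic block.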


C. Data Consult Deployment Approach

The Data Consult SOC program includes two distinct capabilities we will deliver:

- SOC Implementation & Integration.
- SOC Operations.

1. SOC Implementation and Integration

During the SOC Implementation phase, Data Consult will carry out the following tasks:

- IT infrastructure survey and detailed information gathering from the sites to be monitored, which will allow the SOC team to understand the existing critical assets, network topologies, configurations and restrictions on any asset under the SOC scope of monitoring.
- Coordination with the customer security team to receive a detailed list of critical assets to be monitored and included under the scope.
- Establishing connectivity and policy requirements from the customer and the designated environment.
- SOC monitoring architecture and technology stack design.
- Remote implementation of the security technologies needed for the Managed Security Services, including the SIEM solution (Splunk), SOAR solution (Palo Alto XSOAR), Endpoint Detection and Response (Carbon Black) and ticketing system (JIRA On-Premise).
- Customization and tailoring of the above installed security technologies to the needs and objectives of the project.
- Deployment and configuration of the services needed for log and flow collection from the monitored assets.
- Fine tuning of the production environment once normal traffic patterns are understood.
- Configuration of SOC use cases and correlation rules for the specified kill chains.
- Creation of dashboards suggested by the Data Consult SOC team.
- Assignment of playbooks for triage and escalation pre-developed by Data Consult.
- Commissioning and testing of the configurations and actions executed during a one-month pilot before launching the Managed Services into steady-state operation.
- Alignment to SLAs and deliverables.
- Daily updates to the customer on the mobilization of SOC Monitoring.
- Creation and set-up of reports to measure SOC Monitoring.


2. SOC Operations

During the SOC Operations phase, Data Consult will provide the following capabilities and technical services to the customer:

8x5 Security Monitoring:

This service delivers real-time monitoring, correlation, and expert analysis of security activity across your enterprise. The service improves the effectiveness of your security program by actively analyzing the logs and alerts from your infrastructure on an 8x5 basis. Our certified Security Analysts will have the context needed to eliminate false positives and respond to the true threats to your information assets.

SOC Operations Capabilities (Data Consult Advanced Cyber Fusion Center)

SOAR Automated Tier 1: The Data Consult team will leverage the SOAR with created playbooks and automation so that SOC tier 1 activities are completed in an automated fashion by the SOAR, allowing the SOC analysts to focus on more meaningful events and tasks.

Human-based Tier 2 - Triage Analysis: Data Consult seeks the brightest outside-of-the-box thinkers and analytics-focused security experts to work within the SOC across the different cells. We ensure that their skill sets are updated and in use with regular SANS training and certification. SOAR handles the time-consuming and more mundane processes and procedures with our internally developed playbooks, giving our senior SOC analysts the resources and freedom to investigate enriched tickets and gather enough evidence to identify true-positive abnormalities detected in the client's environments.

SOC Management & Reporting: Data Consult brought recognized leaders into operational and technical roles to establish a solid foundation from which security operation is handled. These leaders understand the needs and have real-world experience; this allows for enhanced client handling and reporting by creating meaningful client-customized reporting and leadership engagements. Additionally, Data Consult produces regular (weekly, monthly and quarterly) SOC scorecard reports to demonstrate continuous improvement in the operation and to highlight any area that needs to be addressed by the client or Data Consult on an urgent basis. The detailed reporting scope is provided in the deliverables section.

Outputs: Data Consult creates meaningful client-customized outputs, including automatic reporting and delivery and on-demand reporting and delivery. Data Consult works directly with client stakeholders to understand the output needs and address them in the most effective approach.


Incident Response Retainer – Remote Services (Customer responsible for on-site tasks)

This service allows the customer team to have a trusted partner on standby supporting incident investigations, digital forensics, and malware analysis. Additionally, the retainer allows the customer to proactively prepare for cyber security incidents by conducting tabletop exercises or testing of the incident response plan.

Incident Response Retainer (120 hours per year) – Data Consult Advanced Cyber Fusion Center

Reactive Services: Forensics + Malware Analysis: Data Consult will be rolling out an advanced malware and forensic lab from the KSA location. This lab will enable the IR cell and the malware analyst to support greater capacity and more complex artifacts collected from the client environment or research into threat landscapes. The lab will host a malware repository that will provide historical samples and allow for the creation of internal malware intelligence to be combined with our 3rd party malware intelligence.

Reactive Services: Incident Handling: Data Consult Incident Response consultants provide remote incident handling roles. Our incident responders act as an escalation point for the SOC analysts and provide guidance, support, and technical subject matter expertise. The cell works out of two hubs covering the Levant and GCC territories. Data Consult will also be rolling out an incident handling and forensic lab from the KSA location to support more complex IR needs.


Security Use Cases Engineering

Security Engineering and Use Case Management (2 use cases per month) – Data Consult Advanced Cyber Fusion Center

Use Case Engineering:
- Data Consult will provide the Customer with SIEM Content Planning, Development and Tuning. As such, the focus of this activity is on the identification and implementation of use cases via the development of rules based on Data Consult proprietary threat intelligence and understanding of the customer environment.
- Observe rule operation once implemented, and review/monitor the performance of the use case content.
- Tune content as needed, and with Customer approval, to achieve a balance that will minimize "false positives" and maximize the detection of security threats.

Continuous Improvement

To deliver this successfully, Data Consult will allocate a Team Leader to the SOC Operations team to look after the customer and provide a single point of interface between Data Consult operations and the customer. The Team Leader will have strong management experience in the SOC and will support other teams such as Consulting, Engineering, Product Development, Sales, and Presales. This role will act as a Trusted Advisor to the customer security management team and will also act as Data Consult's Customer Services Manager. As we deliver the SOC Operations we will identify, on an on-going basis, areas for continuous improvement in the overall SOC design, build and operation, including areas for automation, process optimization, use case development, and the introduction of new services and solutions to the portfolio.

This role will manage the following capabilities:

- Manage the quality of SOC operations delivery by the Data Consult SOC team.
- Manage Data Consult SOC metrics and reports and present them regularly to the customer management team.
- Recommend improvements to SOC people, process and technologies to the customer senior management team.
- Manage training for Data Consult SOC team members, including time allotted for training and when to conduct it.


D. Project Deliverables

The services to be delivered out of this project are the following:

- Augmentation of Managed Security Operations and Monitoring Services for the designated monitored environment, on an 8x5 basis, through SIEM, SOAR and other relevant security monitoring tools.
- L2 analyst capacity for identification and analysis of events.
- Incident response capacity on an hourly retainer delivered remotely from KSA (120 hours per year).
- Development of 2 new use cases per month.

The documents to be delivered out of this project are:

- Detailed Project Plan after Project Kick-off.
- Detailed Communications Plan after Project Kick-off.
- Weekly Status Report: gives a summary of security health, on-going activities, completed tasks, risk maps, risk identification and mitigation plan, and action items across the different application areas, delivered at intervals of not more than seven calendar days.
- Monthly Review Meeting and Status Report: tracks any issues impacting the SLA, updates on risks and suggested enhancements, captures agreements and disagreements and items needing escalation; delivered at monthly intervals and not less than two business days before the scheduled review meeting.
- Quarterly Review Meeting: reviews overall project status, the issues list, metrics reporting, supporting reasons for metrics deviation, and items that need adjustment within the SLA; delivered at quarterly intervals and not less than five business days before the scheduled review.
- SLA documents.


E. Roles and Responsibilities


General Assumptions

- Data Consult is not responsible for managing and configuring the logging setup of the various data sources that collect logs and send them to the SIEM, but will advise the customer team on the best practices and procedures for applying the needed data source configuration.
- Data Consult will optimize the configuration of the existing SIEM, SOAR and EDR solutions as per the scope of work in this proposal. The extent of the optimization and enablement of the existing solutions and operations will depend on the functionalities and features of the designated systems.
- Data Consult will provide the customer with 8x5 alert monitoring, triage, analysis and investigation services under this SOW via a team of remote security analysts based in our Security Operation Center in KSA.
- The content packs (i.e., searches, reports and dashboards) for security monitoring and investigation will be implemented based on the availability of relevant data sources from the designated environment.

Note: The management and administration of the data sources/devices that are, or will be, sending logs to the SIEM is not included in this service; however, the Data Consult team will advise the customer on the appropriate configuration of the data sources.

Data Consult Responsibilities:

- Data Consult will configure the local SOAR solution within the designated monitored infrastructure. The capabilities of the SOAR solution and operations will depend on the functionalities allowed by the integration with the SIEM solution.
- Data Consult will provide 8x5 Level 2 monitoring and security incident management.
- Data Consult will provide well-streamlined and mature processes and procedures for SOC operations and incident management.
- Data Consult will provide 8x5 Level 2 alerting and assistance for incident management to the customer.
- Data Consult will provide regular scheduled reports on the security operations posture, as per the scope explained in the deliverables section.
- Data Consult will create specific business use cases and implement them in the SOC offered, as per the SOW in this proposal.
- Data Consult will provide proactive and reactive inputs to the customer to ensure the best possible cyber security coverage.


Throughout the engagement with the customer department, Data Consult will ensure the confidentiality and integrity of the customer's information and property.

Customer Responsibilities:

- The customer will provide Data Consult with the required administrative interfaces for monitoring event streams and log collection activities of all in-scope components of the security technology infrastructure, if required.
- The customer team will be in charge of solution management, patching, health checks, backups, and other related security, performance and maintenance tasks on the SOC solutions after deployment.
- The customer will provide the necessary action, assistance and support in the installation and configuration of the necessary infrastructure, network components and assets to guarantee security, availability, and accessibility for the SOC Monitoring team's access to the designated monitored environment infrastructure to perform the in-scope services.
- The customer will inform Data Consult within three calendar days (72 hours) of any change in Point of Contact (POC) information for this service.
- The customer agrees to work collaboratively with Data Consult in defining the various user groups and roles and the related incident handling and response procedures.
- The customer will inform Data Consult of any change within the security technology and/or IT environment that is relevant to the Service.
- The customer will review the monthly service reports and provide Data Consult with any relevant feedback or questions pertaining to the report.
- The customer will configure data source instances (i.e., firewalls, IDS/IPS devices, etc.) to collect logs and send the data to the SIEM.
- The customer will provide the technical and human resources needed to achieve the desired integrations and connectivity between the existing SOC solutions and the remote SOC when enabled.
- The customer will troubleshoot data sources that are not collecting the desired events/fields within the logs that the data sources are sending to the SIEM. (For example: if a firewall is not logging all desired events, the customer is responsible for editing the logging policy/configuration settings for that specific firewall.)
- The customer will identify and prioritize relevant data sources for use case development based on the importance of the assets, the associated business risks, and the operational impact of potential attacks.
- The customer will help Data Consult to coordinate with the appropriate data source owners within the Customer organization, as needed.

- The customer will provide the needed assistance and support, where required, to allow Data Consult to fulfill the service requirements as per the SOW in this proposal.

Prerequisites

- The customer must already have prepared the required hardware equipment to install the SOC systems to be provided, as per the minimum requirements provided by Data Consult.
- The customer should provide valid licenses for the proposed systems (SIEM, EDR, SOAR, Ticketing System, Hypervisor, OS, etc.) for the duration of the services contract, and the required infrastructure for storage and backups.
- The customer should provide a valid SIEM license for the duration of the services contract, and the required infrastructure for ticket storage.
- The designated infrastructure to be monitored must have an active and functional Endpoint Detection and Response system.
- Stable network connectivity between the Data Consult Managed SOC, the customer and the designated infrastructure to be monitored.
- The customer should put in place a suitable setup for the remote connection of the Data Consult team, through a secure and monitored VPN tunnel with MFA, allowing the SOC team to reach a hypervisor for central access (such as Citrix).
- For remote incident response services, the customer should provide and deploy, with the advice and guidance of Data Consult, a Velociraptor master server within the SOC infrastructure (a mid-tier server is usually required for the deployment). Velociraptor is an open-source solution used for forensics and incident response at scale. The master server will be connected to tenants on the client premises whenever incident response and forensics activities are carried out.

F. Project Schedule and Timeline

The Data Consult team has concluded from the identification of requirements that the following efforts and timeline will be needed for the execution of this project:

Milestone # | Phase Description | Duration | Month(s) of Project
1 | Project initiation and planning | 1 Month | 1st Month
2 | Network, Systems and MSS Design | |
3 | SOC Solution Implementation, Configuration and Commissioning | 2 Months | 2nd and 3rd Month
4 | SOC Service Implementation and Transition | 1 Month | 3rd Month
5 | SOC Operation and Improvement | 12 Months | 4th to 12th Month

G. Service Level Agreements and Responsibilities

Responsibilities:

Data Consult will handle all the security events generated by the customer's security controls and sent to the SIEM solution.

After the triage, investigation and classification performed by Data Consult's analysts or automated systems, the case will, if required, be escalated to the Customer's Point of Contact as a security incident or a policy violation.

Policy violation use cases will be shared by the customer according to their internal policies and procedures.


Task ownership in scope of the Incident Response function is outlined below using a RACI model (R = Responsible, A = Accountable, C = Consulted, I = Informed):

Capability | Customer | Data Consult
Security Events Detection by Customer Security Controls | RA | IC
Security Events Detection by Data Consult Correlation Rules | RA | IC
Initial Incident Identification & Analysis | RA | IC
Initial Incident Investigation, Triage and Classification | RA | IC
Incident Notification and Escalation | RA | IC
Initial Incident Containment Recommendations | RA | IC
Recurrent Incident Mitigation Strategy Recommendation | I | RAC
Escalated Incident Response & Investigation | I | RAC
Escalated Incident Forensic Analysis (IR & Forensics Investigation) | I | RAC
Post Mortem Analysis (within the determined retainer period) | I | RAC


Escalation Guidelines

The process of correcting incidents requires that the detection, distribution, resolution and mitigation disciplines be established and practiced at all levels of the ACFC. This process can and should be mapped to the customer's phases in their incident response plan, where applicable. A structured progression of recommended actions is required, directing individuals to perform the appropriate, meaningful analysis and actions while troubleshooting. The ACFC staff must also have guidelines from the customer for referring incidents to the proper specialists when they cannot be resolved within the ACFC.

Role | Detection (with the Customer L1 intervention) | Distribution | Resolution (with the Customer L1 intervention) | Mitigation
XSOAR | RA | RA | |
CDA L2 | | IC | RA |
CDA L3 | | | IC | RC

Note that the phases of the incident resolution process evolve from left to right and from Level 1 to Level 2. When activities at one skill level have been exhausted on an incident, the incident should be escalated to the next skill level for further action.

Escalation Matrix


Service Level Agreements (SLAs) within determined working hours

Incident Priority | Incident Title | Mean Time to Detect (MTTD) | Mean Time to Investigate (MTTI), after escalation to L2 | Mean Time to Respond (MTTR)
P1 | Critical | Data Consult | 10 min | 90 min
P2 | High | Data Consult | 20 min | 90 min
P3 | Medium | Data Consult | 30 min | 120 min
P4 | Low | Data Consult | 24 hours | 48 hours
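The SLA table measures MTTI and MTTR "within determined working hours", so the clock has to pause outside the 8x5 window rather than run over evenings and weekends. The following Python script is an added example, not part of the proposal or of any Data Consult tooling: it computes business-hours MTTI/MTTR for constructed tickets, flags breaches against the per-priority targets above, and aggregates them into the per-priority means a monthly scorecard would report. The 09:00-17:00 Sunday-to-Thursday window, the choice of the L2 escalation time as the start of both clocks, and the sample tickets are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, time

# SLA targets in minutes per priority, as stated in the proposal's SLA table.
SLA_TARGETS_MIN = {
    "P1": {"mtti": 10, "mttr": 90},
    "P2": {"mtti": 20, "mttr": 90},
    "P3": {"mtti": 30, "mttr": 120},
    "P4": {"mtti": 24 * 60, "mttr": 48 * 60},
}

# Assumed 8x5 window: 09:00-17:00, Sunday to Thursday. The proposal states
# 8x5 but not the hours, so these values are assumptions.
WORK_START, WORK_END = time(9, 0), time(17, 0)
WORK_DAYS = {6, 0, 1, 2, 3}  # datetime.weekday(): Sunday=6 ... Thursday=3


@dataclass
class Incident:
    ticket: str
    priority: str
    escalated_to_l2: datetime  # both SLA clocks start here (assumption)
    investigated: datetime     # L2 finished triage/investigation
    responded: datetime        # response/containment advice delivered


def working_minutes(start: datetime, end: datetime) -> int:
    """Whole minutes of the 8x5 window elapsed between start and end.

    Evenings and the Friday/Saturday weekend do not count toward the SLA.
    """
    if end <= start:
        return 0
    total = 0.0
    day = start.date()
    while day <= end.date():
        if day.weekday() in WORK_DAYS:
            window_open = datetime.combine(day, WORK_START)
            window_close = datetime.combine(day, WORK_END)
            lo, hi = max(window_open, start), min(window_close, end)
            if hi > lo:
                total += (hi - lo).total_seconds() / 60
        day += timedelta(days=1)
    return int(total)


def evaluate_incident(inc: Incident) -> dict:
    """Measure MTTI/MTTR for one ticket and flag breaches against its priority."""
    target = SLA_TARGETS_MIN[inc.priority]
    mtti = working_minutes(inc.escalated_to_l2, inc.investigated)
    mttr = working_minutes(inc.escalated_to_l2, inc.responded)
    return {
        "ticket": inc.ticket,
        "priority": inc.priority,
        "mtti": mtti,
        "mttr": mttr,
        "mtti_breached": mtti > target["mtti"],
        "mttr_breached": mttr > target["mttr"],
    }


def sla_report(incidents) -> dict:
    """Per-priority mean MTTI/MTTR and breach counts (the scorecard view)."""
    report = {}
    for inc in incidents:
        row = evaluate_incident(inc)
        agg = report.setdefault(inc.priority, {
            "count": 0, "mtti_sum": 0, "mttr_sum": 0,
            "mtti_breaches": 0, "mttr_breaches": 0})
        agg["count"] += 1
        agg["mtti_sum"] += row["mtti"]
        agg["mttr_sum"] += row["mttr"]
        agg["mtti_breaches"] += int(row["mtti_breached"])
        agg["mttr_breaches"] += int(row["mttr_breached"])
    for prio, agg in report.items():
        agg["mtti_mean"] = agg["mtti_sum"] / agg["count"]
        agg["mttr_mean"] = agg["mttr_sum"] / agg["count"]
        agg["targets"] = SLA_TARGETS_MIN[prio]
    return report


# Constructed sample tickets (not real data). 2022-09-04 is a Sunday,
# 2022-09-08 a Thursday and 2022-09-11 the following Sunday.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "P1", datetime(2022, 9, 4, 10, 0),
             datetime(2022, 9, 4, 10, 8), datetime(2022, 9, 4, 11, 0)),
    # escalated five minutes before close of business; the clock resumes next morning
    Incident("INC-002", "P1", datetime(2022, 9, 4, 16, 55),
             datetime(2022, 9, 5, 9, 10), datetime(2022, 9, 5, 9, 30)),
    # the Friday/Saturday weekend in between does not count toward the P3 MTTR
    Incident("INC-003", "P3", datetime(2022, 9, 8, 15, 0),
             datetime(2022, 9, 8, 15, 20), datetime(2022, 9, 11, 10, 0)),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(evaluate_incident(inc))
    for prio, agg in sla_report(SAMPLE_INCIDENTS).items():
        print(prio, "mean MTTI %.1f min, mean MTTR %.1f min, breaches MTTI %d / MTTR %d"
              % (agg["mtti_mean"], agg["mttr_mean"], agg["mtti_breaches"], agg["mttr_breaches"]))
```

INC-002 shows why the working-hours rule matters for reporting: wall-clock MTTI is over sixteen hours, but only 15 service minutes elapsed, which is still a P1 breach against the 10-minute target. INC-003 meets its P3 MTTI but breaches MTTR at 180 service minutes, even though the wall-clock gap spans a weekend.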

H. Minimum Hardware Requirements for SOAR Solution

We provide below the minimum requirements for the suggested SOC setup. The setup below does not include physical or virtual high availability; if high availability is required, the equipment count should be duplicated as listed in the last item of the table below.

I. Minimum Technical Requirements

Item: Master SIEM Server
Functional Aspect: 1x VM for Splunk Master ES Search Head; 1x VM for Splunk License Master; 1x VM for ESXi Hypervisor
Minimum Specifications or Equivalent:
- Computational Power: 2x 18-core CPU, 64-bit, > 2.0 GHz
- Memory: 6x 32 GB RAM
- Network: 4x 10GbE Base-T RJ45
- Storage (365 days retention): 4x 3840 GB SSD Hot Swap, 2x 1920 GB SSD Hot Swap
- RAID Controller: Hardware RAID Controller
- Licensing: 1x Splunk MSS License (15 GB/day, to serve the customer SOC only; any further expansion requires a license upgrade); 1x ESXi Hypervisor License (matching CPU number)
- Power Supply: Hot Plug Dual Power Supply

Item: Master SOAR Server + Splunk Indexer (XSOAR Solution + Splunk Indexer)
Functional Aspect: 1x VM for XSOAR Solution; 1x VM for Splunk Indexer; 1x VM for ESXi Hypervisor
Quantity: 1
Minimum Specifications or Equivalent:
- Computational Power: 2x 24-core CPU, 64-bit, > 2.0 GHz
- Memory: 6x 32 GB RAM
- Network: 4x 10GbE Base-T RJ45
- Storage (365 days retention): 6x 3840 GB SSD Hot Swap, 2x 960 GB SSD Hot Swap
- RAID Controller: Hardware RAID Controller
- Licensing: 1x Palo Alto XSOAR MSSP License (multi-tenant); 1x ESXi License (matching CPU)
- Power Supply: Hot Plug Dual Power Supply

Item: Additional SOC Systems Server (Carbon Black EDR Server, Ticketing System, Syslog Server, vCenter)
Functional Aspect: 1x VM for EDR Console; 1x VM for Syslog Server; 1x VM for ESXi Hypervisor; 1x VM for JIRA Ticketing System; 1x VM for vCenter
Quantity: 1
Minimum Specifications or Equivalent:
- Computational Power: 2x 24-core CPU, 64-bit, > 2.0 GHz
- Memory: 8x 32 GB RAM
- Network: 4x 10GbE Base-T RJ45
- Storage (180 days retention): 8x 3840 GB SSD Hot Swap
- RAID Controller: Hardware RAID Controller
- Licensing: Carbon Black EDR Server license covering 50 endpoints; 1x JIRA On-Premise License; 1x ESXi License; 1x vCenter License
- Power Supply: Hot Plug Dual Power Supply

Item: Physical Redundancy Servers (for high availability) (Splunk, Carbon Black and XSOAR Redundancy)
Quantity: 3
Minimum Specifications or Equivalent:
- Computational Power: 2x 24-core CPU, 64-bit, > 2.0 GHz
- Memory: 8x 32 GB RAM
- Network: 4x 10GbE Base-T RJ45
- Storage (365 days retention): 8x 3840 GB SSD Hot Swap
- RAID Controller: Hardware RAID Controller
- Licensing: ESXi Licenses
- Power Supply: Hot Plug Dual Power Supply


2. Project Management Principles

2.1 Service Description and Scope of Work

Data Consult has developed a unique approach to security and risk consulting: the "FACTS" methodology. Based on our years of consulting experience, as well as research conducted by the Harvard Business School, FACTS focuses on what consistently leads to consulting success. The FACTS method emphasizes where your security program currently stands and what improvements are possible moving forward.

Data Consult concentrates on your long-term path to a more effective security posture:

Figure 1 - FACTS Project Methodology

Flexible

Our projects are always diligently scoped, but at times we uncover information that
suggests some shift in focus or emphasis will be most helpful to you. We will confer
with you and adjust our process accordingly.

Align

Our recommendations take into account your personnel, your current capabilities, the maturity of your security program and your unique business objectives. Our job is to align our recommendations with what is possible for your organization. In our experience, progress delivered in consumable one-year chunks is what works. We concentrate on effective progress that is aligned to your team and organization and can be accomplished within 12 months.

Communicate

A report is not enough; communication between consultant and customer must be interactive. As far as it is practical, our consultants will meet with you at the end of every day to review preliminary findings and recommendations and ensure they are accurate (this is your opportunity to provide feedback and corrections). This gives you an evolving view of our opinions and recommendations, so there are no surprises in the report. We also look for key issues that impede progress and discuss them in particular, so that we can break bottlenecks. Our objective is to communicate beyond the written report. Solid communication lets us focus on remediation effectiveness and on your current capabilities, obstacles to progress and true needs.

Transfer

Knowledge transfer will help expedite progress. Although this part of our methodology is optional, we encourage your team to shadow and work closely with our consultants. We will share with you our tools and techniques, how we interpret results and other tips to help you realize ongoing value. In our experience, the more you understand about security, the more improvements you will make in your security efforts.

Support

After we deliver the final report, you are likely to have follow-up questions.
Problems may arise or new options may present themselves as you begin your
remediation. Please contact us. Our consultants can provide support for your
report-related questions even after the engagement is over and at no additional
cost to you.

Copyright © 2022 Data Consult. All Rights 24/


SOC Build and Enablement Services – PSD

3. Client Engagement Process

Every Data Consult consulting engagement is unique. The following diagram illustrates our typical engagement process, followed by detailed descriptions:

Figure 2 - Our Client Engagement Approach in Consulting

A. Phase 1: Coordinate/Plan/Prepare

Data Consult consulting leadership will discuss the project at a high level with
your organization. We will review the contract and clarify requirements
and expectations. We will match a consultant or team of consultants to you,
based on qualifications, timing requirements and personality. We will
establish secure communication channels and provide contact information
and associated notification processes.

A Data Consult security consultant or project lead will contact you before your project commences. This ensures that we address any additional questions or concerns you may have, determine whether the schedule is still appropriate, facilitate document or knowledge transfer, and confirm that your project can proceed as planned. At this time, key stakeholders are identified, appropriate meetings are tentatively scheduled, and any travel plans are confirmed.

B. Phase 2: Kick-off Meeting

All consulting engagements begin with a project kick-off meeting. Key personnel and teams are introduced. A primary focus of the meeting is to gain alignment and agreement between both sides on the direction and goals of the engagement. This allows Data Consult security consultants to discuss your expectations and inputs and address any pre-engagement questions. During this meeting, we will address:


 Stated goals of the project


 Project scope, methodology and rules of engagement
 Escalation procedures on each side
 Expectations for timeline, scheduling, coordination needs,
milestones and deliverables
 Areas of special focus or interest
 Information specific to your organization or industry
 Clarification or changes in scope or needs
 Document exchange
 Personnel and team roles and responsibilities
 Organizational risk and security practices, tolerances and requirements

C. Phase 3: Project Delivery

Data Consult consultants gather and analyse data in order to draw conclusions about the security of your environment and any risks to your organization. We will work closely with your team and give you regular updates on our progress.

We encourage you to shadow our consultants to facilitate knowledge transfer.


This approach makes customers more comfortable with the results, removing
potential surprises at the end of the engagement as well as improving your
ability to interpret and act upon the findings. If we find a critical issue, we will
notify you immediately.


D. Phase 4: Results

We will review with you the scope and requirements, methods and activities,
and our findings and recommendations. This information will be
presented formally in a draft report, and upon concurrence and
resolution of any comments, we will prepare and distribute a final report.

E. Phase 5: On-going Support

We view our relationship as ongoing and want to ensure you get the most out of our engagement. We are available for advice on what actions to take, questions about a particular product or vendor, or time with a security professional. Please contact your Data Consult account representative for more information and support options.

F. Managed SOC Services Period

After the implementation and commissioning of the infrastructure required for the Managed SOC services, we deliver SOC monitoring, forensic investigations and the IR retainer, SIEM engineering and the other services defined in the scope of work of this proposal.

G. Continuous Quality Assurance

As a part of our commitment to delivering the highest level of service, Data Consult has
established formal processes for managing quality through survey metrics,
lessons learned, feedback and escalation processes, and deliverable reviews. This
provides us with a continual stream of feedback regarding our project management,
methodologies and customer handling procedures. In addition, all Data Consult
deliverables are reviewed for style, content and grammar before delivery.

Our consultants are evaluated on – and part of their compensation is tied to – customer
satisfaction. Customers have an opportunity to voice satisfaction and suggestions
through a survey sent at the completion of an engagement. We review every survey
and incorporate the feedback into our process to further improve our consulting efforts.

Data Consult has a formal, documented process for feedback and escalation before, during and after an engagement. Customers are encouraged to contact us with comments, questions or concerns about process, timelines, deliverables, scope or other topics.

H. Account Management

Account management refers to your relationship with your sales representative and the process around your interactions with them. Your Account Manager is your single point of contact for billing, agreements or sales questions that may arise. However, for any issues with service or delivery, we encourage you to use our consulting feedback and escalation process.

Your Data Consult Account Manager will be in touch with you after the
engagement has been completed and all deliverables provided. He or she will
follow up with you to discuss any additional services we may be able to provide
you – either because of findings and recommendations, or just as a matter of
securing your organization.

The information we have learned about you is a vital part of determining the
scope of your environment for these future projects and allows us to tailor
future engagements better to you. In addition, any follow-up work is much more
cost effective since there is a far less steep learning curve in getting to know
your organization.


4. Bill of Quantities

A. The proposed bill of Quantities for Customer is as per the below:

Item No. | Service | Scoping
1  | SOC Implementation Package | 40 Man-Days (One-Off)
2  | L2 CDA SOC Services – 8x5 | 2 Full Time Employees
3  | L3 SOC Services | 1 Full Time Employee
4  | Incident Response & Forensics Investigations | 120 hours per year (retainer hours)
5  | Security Engineering and Use Case Management | 2 Use Cases per quarter; 5 Customized Reports per month
6  | MSSP License for Splunk + Enterprise Security | 15 GB/Day (covering the SOC environment only)
7  | Palo Alto XSOAR MSSP Multi-Tenant License | 1
8  | Carbon Black EDR License | 50 Agents (1 server)
9  | JIRA Ticketing System (customer-facing Ticketing System) | 1x On-Premises License (users covering SOC headcount)
10 | ESXi License + vCenter License | As described in the Minimum Hardware Requirements section
11 | Optional L1 On-Call Services (outside 8x5) | To be provided by Data Consult


5. Pricing

A. The proposed pricing for Customer is as per the below:

Item No. | Service | Scoping assumptions | Yearly Pricing in USD
1  | SOC Implementation Package | 40 Man-Days (One-Off) | 44,000
2  | L2 CDA SOC Services – 8x5 basis | 2 Full Time Employees | 430,000
3  | L3 SOC Services | 1 Full Time Employee | 298,000
4  | Incident Response & Forensics Investigations | 120 hours per year (retainer hours) | 24,600
5  | Security Engineering and Use Case Management | 2 Use Cases per quarter; 5 Customized Reports per month | 15,896
6  | MSSP License for Splunk Enterprise + Enterprise Security License | 15 GB/Day, covering the SOC environment only | 110,000
7  | Palo Alto XSOAR MSSP Multi-Tenant License | 1 | 83,000
8  | Carbon Black EDR License | 50 Agents (1 server) | 1,500
9  | JIRA Ticketing System | 1x On-Premises License (users covering SOC headcount) |
10 | ESXi License + vCenter License | As described in the Minimum Hardware Requirements section |
11 | Optional L1 On-Call Services (outside 8x5) | To be provided by Customer |


Payment Terms

 All prices are in USD


 Prices exclude VAT or any additional Taxes
 The proposed fees are valid for 60 days.

Payment Plan

 Technology: payment upfront upon contract signature


 Services: Monthly payments that start from contract signature for 12
months duration


6. Document Approval

Version: 1.0

Date: 2022-8-21

The undersigned have reviewed and agreed to the information contained in this action plan document.

Name          Name
Title         Title
Company       Company
Signature     Signature
Date          Date

Name          Name
Title         Title
Company       Company
Signature     Signature
Date          Date

Name          Name
Title         Title
Company       Company
Signature     Signature
Date          Date
