The Vendor is required to provide a managed detection and response (MDR), security information and event management (SIEM), and security orchestration, automation and response (SOAR) solution for the county.
- The platform should have machine learning capabilities and other advanced analytics of structured as well as unstructured security and network data.
- The platform shall have an executive dashboard to demonstrate the overall security posture of the agency organization and improvements over time.
- Provide examples from other successful engagements.
- Service provider shall assist in building the Standard Operating Procedures (SOPs) / Playbook for security incidents.
- Vendor shall provide a bi-annual (6 month) company roadmap under NDA.
- Service provider shall provide 24x7x365 monitoring and response service using the tools that are already in use in the agency.
- Agency tools include but are not limited to Freshservice, Office 365, Ping (ForgeRock), Google Workspace, Fortinet, Mist, Verosint, SolarWinds, Cisco, Oracle, Windows, Linux, F5, CrowdStrike EDR, Cloudflare, Lightspeed.
- Solution should support integration for cloud SaaS applications such as O365, Amazon Workspace, and Microsoft Desktop as a Service.
- Solution shall provide a web interface where all integrated assets from different environments such as data centers, cloud, and cloud SaaS can be viewed.
- The solution should be able to support enrichment of data with contextual information such as geo data, malicious IPs, domains, URLs, threat intel, and custom specified tags and annotations. The enrichment fields should be indexed along with the event in real time at an individual event level, not computed as a separate lookup process.
- Solution shall use algorithms and tools to actively hunt attacks in large volumes of data and create alerts that are passed on to analysts. Solution shall support use of big data platform for collection and analysis.
- The analytics service shall be able to detect threats from various attack vectors such as malware, web application attacks, network attacks, watering hole attacks, DNS attacks, insider threat, and data exfiltration.
- Solution shall have capabilities to collect user data from a variety of sources such as Directory Services, IAM, VPN, Proxy, Ping (ForgeRock), Google Workspace, GCP and O365.
- The service shall incorporate multiple baseline behavioral models which cover behavioral risk categories such as data exfiltration, malicious users, illicit behavior, and compromised credentials.
- Log Collection and Normalization
• Comprehensive Log Support: Ability to ingest logs from diverse sources such as firewalls, servers, applications, databases, endpoints, and cloud environments.
• Normalization: Standardize disparate log formats into a common schema for ease of analysis. The solution must also have the ability to create custom parsing and normalization rules to address unique log sources and formats.
• Scalability: Support for high-volume log ingestion to accommodate enterprise environments. In cases where an events per second (EPS) licensing model is used, the solution must have the capability to handle temporary EPS overloads exceeding the licensed limit for short periods.
• Retention Policy and Data Compression: The solution must include capabilities for defining retention policies and employing data compression techniques to effectively manage storage space.
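The normalization and enrichment requirements above (common schema, custom parsing rules, enrichment fields indexed with the event at ingest rather than looked up later) are easier to evaluate with a concrete reference point. The following is an added example written for this page, not code from the tender or from any vendor's product: it normalizes two constructed log formats into one schema, keeps unparsed lines rather than dropping them, enriches each event at ingest time, and indexes the enrichment fields alongside the event. The schema field names, the parser registry, the threat-intel and geo tables, and the sample log lines are all assumptions constructed for the example.

```python
"""Ingest-time normalization, enrichment and indexing for two constructed log formats."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed context tables (placeholders, not real indicators).
THREAT_INTEL = {"198.51.100.23": ["scanner", "ti:feed-a"]}   # TEST-NET-2 documentation range
GEO_BY_PREFIX = {"198.51.100": "ZZ", "10.0.0": "internal"}   # keyed by /24 prefix
CUSTOM_TAGS = {"firewall": ["network"], "endpoint": ["endpoint"]}  # operator-specified tags

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def kv(text):
    """Parse key=value pairs, stripping surrounding quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def parse_syslog_firewall(line, year=2025):
    """Built-in rule: syslog-framed firewall line whose message is key=value pairs."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("app") != "fortigate":
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    f = kv(m.group("msg"))
    return {"@timestamp": ts.replace(tzinfo=timezone.utc).isoformat(), "host": m.group("host"),
            "src_ip": f.get("srcip"), "dst_ip": f.get("dstip"), "user": None,
            "action": f.get("action"), "source_type": "firewall"}

def parse_kv_endpoint(line):
    """Custom rule for a hypothetical endpoint agent that emits bare key=value lines."""
    f = kv(line)
    if "ts" not in f or "host" not in f:
        return None
    ts = datetime.fromisoformat(f["ts"].replace("Z", "+00:00"))
    return {"@timestamp": ts.isoformat(), "host": f["host"], "src_ip": f.get("src_ip"),
            "dst_ip": None, "user": f.get("user"), "action": f.get("action"),
            "source_type": "endpoint"}

# Parser registry: a new custom rule for a unique source is appended the same way.
PARSERS = [parse_syslog_firewall, parse_kv_endpoint]

def normalize(line):
    """Map a raw line onto the common schema; unparsed lines are kept, never dropped."""
    for parser in PARSERS:
        ev = parser(line)
        if ev is not None:
            ev["raw"] = line
            return ev
    return {"@timestamp": None, "host": None, "src_ip": None, "dst_ip": None, "user": None,
            "action": None, "source_type": "unparsed", "raw": line}

def enrich(event):
    """Attach geo, threat-intel and custom tags to the event itself at ingest time."""
    ip = event.get("src_ip") or ""
    event["geo_country"] = GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0]) if ip else None
    event["ti_tags"] = THREAT_INTEL.get(ip, [])
    event["tags"] = CUSTOM_TAGS.get(event["source_type"], ["unparsed"])
    event["risk"] = 50 if event["ti_tags"] else 0   # simple constructed scoring
    return event

INDEXED_FIELDS = ("host", "src_ip", "user", "geo_country", "ti_tags", "tags", "source_type")

def ingest(lines):
    """Normalize, enrich and index every line; enrichment fields are indexed with the event."""
    events, index = [], defaultdict(lambda: defaultdict(list))
    for i, line in enumerate(lines):
        ev = enrich(normalize(line))
        ev["id"] = i
        events.append(ev)
        for field in INDEXED_FIELDS:
            values = ev[field] if isinstance(ev[field], list) else [ev[field]]
            for v in values:
                if v is not None:
                    index[field][v].append(i)
    return events, index

# Constructed sample input: one firewall deny, one endpoint event, one unparseable line.
SAMPLE_LOGS = [
    "<134>Nov 20 10:15:01 fw01 fortigate: srcip=198.51.100.23 dstip=10.0.0.5 action=deny service=RDP",
    "ts=2025-11-20T10:15:03Z host=wks-042 user=jdoe action=process_start src_ip=10.0.0.5 image=notepad.exe",
    "this line matches no parsing rule",
]

if __name__ == "__main__":
    events, index = ingest(SAMPLE_LOGS)
    print(index["ti_tags"]["scanner"])   # event ids tagged by threat intel at ingest
```

Because `ti_tags`, `geo_country` and `tags` are stored on each event and indexed in the same pass, a search such as `index["ti_tags"]["scanner"]` answers directly without re-resolving indicators at query time, which is the property the enrichment requirement asks for; the `unparsed` source type keeps unmatched lines visible so that a custom parsing rule can be written for them later.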
- Real-Time Threat Detection and Correlation
• Real-Time Monitoring: Continuously monitor security events to identify potential threats.
• Correlation Rules: Leverage advanced rule engines to identify patterns indicative of malicious activity across multiple sources. The solution must include a built-in predefined ruleset or provide the ability to download custom rulesets from a marketplace.
• Customizable Rules: Support for custom rule creation to meet unique organizational needs.
- Advanced Analytics and Machine Learning
• Behavioral Analytics: Detect anomalies by establishing baselines of normal user and system behavior. This feature is mandatory for effective threat detection.
• Threat Intelligence Integration: Incorporate threat feeds to identify known Indicators of Compromise (IoCs).
• Machine Learning: Automate threat detection and reduce false positives through adaptive algorithms.
- Incident Response and Workflow Automation
• Incident Management: Provide a centralized dashboard for triaging and managing security incidents.
• Automated Workflows: Facilitate rapid responses with playbooks and automated remediation steps.
- Compliance and Reporting
• Predefined Compliance Reports: Generate reports for frameworks such as GDPR, PCI DSS, and ISO 27001.
• Custom Reporting: Allow organizations to create tailored reports specific to their requirements.
• Audit Trails: Maintain detailed logs for audit and forensic purposes.
- Scalability and Performance
• Elastic Architecture: Ensure scalability to handle growing data volumes and increased processing demands.
• High Availability: Support for failover mechanisms and redundancy to maintain uptime.
• Cloud and Hybrid Compatibility: Operate seamlessly in on-premises, cloud, and hybrid environments.
- User and Entity Behavior Analytics (UEBA)
• User Monitoring: Detect suspicious user activities that deviate from established baselines.
• Entity Monitoring: Identify threats originating from devices, applications, or systems.
• Risk Scoring: Assign risk scores to prioritize investigation and response efforts.
- Integration Capabilities
• Third-Party Integration: Compatibility with existing security tools such as firewalls, EDR, IDS/IPS, and cloud security solutions.
• Log Reception: The solution must possess the capability to collect logs from Event Log and via the Syslog protocol.
- Security and Privacy
• Data Encryption: Ensure encryption of data in transit and at rest.
• Access Controls: Role-based access controls to restrict unauthorized access.
- Contract Period/Term: 1 year
- An Optional Pre-Proposal Conference Date: December 2, 2025
- Questions/Inquiries Deadline: December 10, 2025