DIU Solicitation: Intelligent Security Operations Center (AI/ML driven solution)

NC DEFTECH


Intelligent Security Operations Center


Responses Due By: 5 Mar 2020 23:59 EST


The Department of Defense (DoD) seeks to transform its defensive cyber operations by reducing a large number of single-purpose, human-intensive tools to a seamless operator console of multi-purpose, Artificial Intelligence/Machine Learning (AI/ML)-driven solutions. This effort will allow analysts to gain deeper expertise in their mission while leveraging machine-speed to aid in decision-making against persistent threats to the DoD Information Network (DODIN). 

Background

Cybersecurity industry estimates suggest it takes an average of 18 minutes and 49 seconds for a foreign nation-state actor to pivot to other areas of a network after gaining initial access to a system. With cyber operators processing up to 8 million alerts per day, this type of malicious activity can easily get lost in the noise. New solutions will reduce the complexity of day-to-day operations by leveraging machine speed and automation to tackle lower-level analytical tasks, allowing analysts to focus on the big picture and on decisions that require human intervention.

Elements of the DoD are in the process of employing new Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solutions. These systems automate some of the front-end (aggregation and correlation of security events) and back-end (incident response playbooks) tasks involved in cyber defense; however, there is still a requirement for a platform that automates the key analysis tasks involved in alert triage. This platform should prioritize alerts based on automated triage and present the analyst with recommended actions, whether detection mechanisms, patching, firewall configuration changes, etc. Additionally, the solution should have the ability to take immediate action independently if given prior permission. This solution should reduce the cognitive burden on an analyst, providing the ability to quickly take action on newly discovered events.

Our Ask 

The DoD seeks an innovative commercial solution that can harness the power of AI/ML to drastically reduce the time it takes for cyber operators to address malicious activity on the DODIN by acting as a “virtual tier one operator.” The solution should be aimed at automating some of the triage, analytical, and investigative work that makes up the bulk of an analyst’s workload. Solutions should be commercial “off-the-shelf” products with a successful deployment track record and a wide customer base.

Vendors selected for phase two will deliver an in-person pitch, which should include a live product demonstration. NOTICE: The Government will not provide funding for company participation in the pitch.

The proposal should provide an innovative product and/or SaaS offering including:

  • Seamless integration with existing SIEM/SOAR and user-selected Threat Intelligence Platforms (ex. MISP)
  • Present the analyst with recommended actions, whether detection mechanisms, patching, firewall configuration changes, etc.
  • Correlate indicators of compromise, threats and attacks using external and internal feeds
  • Automated, AI/ML-based analysis of user activities and behaviors; typical uses focus on detecting compromised user accounts and endpoints, detecting data exfiltration, detecting insider access abuse, and providing additional context and information for investigations
  • Solution should support Single Sign On and Role Based Access Control
  • Support machine-to-machine communication through product integrations or Application Programming Interface (API) calls
  • Full audit trail of network and application access
  • Demonstrate, through synthetic workloads or verifiable customer references, the ability to scale to at least 1 million endpoints in production.

Notes:

  • Product/SaaS offering should be readily available, demonstrably innovative, and have commercial viability.
  • We are seeking a product or SaaS offering, not a development platform or an infrastructure revamp.
  • The focal point for the project is AI/ML-based automated decision making, not workflow orchestration. Solutions that are solely signature-based or require manual writing of rules need not apply. Solutions that do not require additional network appliances or endpoint agents will be viewed more favorably.
  • An augmentative product/SaaS offering working with existing commercial SIEM and SOAR products is highly preferred. The goal is not to replace the incumbent SIEM/SOAR elements of the system.
  • If applicable, companies should be prepared to answer questions regarding company ownership, controlling interests, principal place(s) of business, supply chain, and citizenship of key officers or employees who would contribute materially to this effort. DIU reserves the right to take any and all of the above considerations into account when determining the feasibility of a company’s submission to meet the specific need of the Department of Defense.
  • Vendor must provide assurance of data confidentiality built into the design of the product.
  • If delivered in the form of a SaaS offering rather than on a dedicated server, the vendor should be able to speak to an existing DoD IL4 certification or a roadmap to obtaining one.
  • The Government may facilitate teaming arrangements among foundational product/SaaS offering developers to achieve the desired effect. Companies are also welcome to present their own teaming arrangements in their solution briefs.
  • Companies without a CAGE code will be required to register in SAM if selected. The Government recommends that prospective companies begin this process as early as possible.
  • Password-protected hyperlinks to product documentation for the currently shipping product, such as administrator guides and integration guides, are strongly encouraged.

Governing Documentation

This solicitation will be awarded in accordance with the Commercial Solutions Opening (CSO) process detailed within HQ0034-19-9-DIU (WHS CSO), available at https://beta.SAM.gov.


Solution Brief Requirements

We strongly recommend that Solution Briefs not exceed 5 written pages using 12-point font or 15 briefing slides. These limits are not requirements but are strongly recommended. Please save your document or brief as a PDF before you include it in your online response to a DIU solicitation.

Suggested Contents

  • Title Page: Please include a title referencing the DIU solicitation name; company name; date; and a point of contact name, e-mail address, phone number, and address (this will not count against the page limit)
  • Executive Summary: A short summary of the technology.
  • Technology Concept: Describe the unique aspects of your technology and the proposed work as it relates to the solicitation to which you are responding. Identify whether the effort includes the pilot or demonstration of existing commercial technology (identified as commercially ready and viable technology), or the development of technology for potential defense applications. If development or adaptation is proposed, identify a suggested path to mature your technology. Lastly, identify which aspects of your technology may be considered proprietary. Diagrams or graphics depicting the essence of the proposed solution are strongly encouraged.
  • Company Information: Provide a brief overview of your company, including a summary of gross sales/revenue and investors/funding rounds (if applicable). Provide a summary of product history, roadmap, and go-to-market strategy. Including an existing customer list and/or customer case studies is encouraged.

Unnecessarily elaborate brochures or proposals are not desired.

Additional Information

  • Companies may submit multiple solution briefs in response to any single solicitation if each submission represents a separate and distinct concept. Individual solution briefs may only address one concept based on the open DIU solicitation.
  • Solution briefs must be submitted electronically via the DIU website. Submissions sent through other channels or after the solicitation period has ended will not be reviewed or evaluated.
  • Companies whose solution briefs are not chosen for the in-person pitch phase will be notified in writing as soon as practicable.
  • Companies whose solution briefs are selected for the next phase (pitches) will be notified via email with further details and instructions.

North Carolina Defense Technology Transition Office (DEFTECH)


Dennis Lewis

lewisd@ncmbc.us

703-217-3127


Bob Burton

burtonr@ncmbc.us

910-824-9609


https://deftech.nc.gov/