Madera Unified is currently looking to expand its security posture by implementing a SOAR (Security Orchestration, Automation and Response) and SIEM (Security Information and Event Management) platform. At minimum, the District is looking for services that integrate with the XDR platform already in place (Palo Alto Cortex XDR); however, bids may be submitted for a solution that incorporates all three services within a single platform (XDR, SOAR, SIEM). SOAR and SIEM service bids may be submitted on an individual basis, although an all-in-one solution would be preferred. Bids for an XDR-only solution will not be considered.

Solutions should have the following general features. This list is not exhaustive; industry standards will be required.

XDR Service requirements (if bidding on an All-in-One solution)

● Behavior- and hash-based local analysis and threat prevention
● Exploit prevention mapped to the MITRE ATT&CK framework
● Kernel-based exploit prevention
● Network inspection to prevent network-based attacks
● Utilize advanced AI and machine learning for evolving threats
● Credential gathering protection
● Host firewall protections
● USB device controls
● Secure remote access
● Full CMD, Bash, PowerShell and Python script or shell access
● Device isolation while maintaining contact with the service
● Behavioral and identity analytics
● Customized detections and IoCs
● Ability to ingest and act on data from District infrastructure
● Ability to ingest threat intelligence feeds from third-party sources
● Incident management and investigation
● Asset and IP inventory
● Root cause analysis of alerts
● Querying of log data from all ingested sources
● Ability to coordinate on incidents with other team members
● Remote file detection and deletion
● Notification response for alerts and incidents
● Minimum 30 day hot storage for logs and incidents
● Notifications sent via multiple channels
● Role-based access control (RBAC)

SOAR Service requirements

● Ability to integrate with listed District infrastructure
● Customizable automated playbooks (workflows)
● Ability to run playbooks (workflows) based on ingested events as well as on demand
● Case management for events
● Ability to coordinate with other team members within case management
● Threat intelligence integrations
● API-based integrations available
● Automated data enrichment (e.g., WHOIS, VirusTotal, sandboxing)
● Approval workflows for higher-risk actions
● Role-based access control (RBAC)
● Notifications sent via multiple channels
● Cloud hosted

SIEM Service requirements

● Support log ingestion from listed District infrastructure
● Out-of-the-box correlation rules
● Flexible or automated log parsing
● Ability to create custom correlations
● Real-time and scheduled alert creation
● Visual, customizable dashboards
● Customizable reporting
● API-based integrations available
● Utilize User & Entity Behavior Analytics
● Support for open detection sharing rules (e.g., Sigma, YARA, Snort)
● Notifications sent via multiple channels
● Role-based access control (RBAC)
● 90 day minimum “Hot” log retention
● 180 day minimum “Cold” log retention