Technical Proposal

SOC Build and Enablement Services

PSD Document
SOC Build and Enablement Services – PSD Document

Document Control

Document Title
SOC Build and Enablement Services

Document Code

Document Classification
Confidential

Revision
01

Date
2022-8-21

Copyright © 2022 Data Consult. All Rights Reserved. 2/32


Table of Contents
Table of Contents 3
1. Proposed Solution Description 4
A. Service Description and Scope of Work 4
B. SOC Monitoring Solution Architecture provided to the customer 7
C. Data Consult Deployment Approach 9
1. SOC Implementation and Integration 9
2. SOC Operations 10
D. Project Deliverables 13
E. Roles and Responsibilities 14
F. Project Schedule and Timeline 16
G. Service Level Agreements and Responsibilities 17
H. Minimum Hardware Requirements for SOAR Solution 20
2. Project Management Principles 23
3. Client Engagement Process 25
A. Phase 1: Coordinate/Plan/Prepare 25
B. Phase 2: Kick-off Meeting 25
C. Phase 3: Project Delivery 26
D. Phase 4: Results 27
E. Phase 5: On-going Support 27
F. Managed SOC Services Period 27
G. Continuous Quality Assurance 27
H. Account Management 27
4. Bill of Quantities 29
5. Pricing 30
Payment Terms
Payment Plan
6. Document Approval 32

1. Proposed Solution description

A. Service Description and Scope of Work

Data Consult is proposing a solution that entails the following components:

1. SOC Implementation Package

Data Consult engineering and security teams will work closely with the customer
security and project management teams to enable a smooth implementation of
the components required for the delivery of the services. These components include
a variety of technologies and engineering activities, which we describe at a high level
here:

 Information gathering about the monitored environments, usage patterns,
existing solution placement, network layouts, traffic flows, existing security
integrations and monitoring capabilities.
 Alignment to requirements and expectations from Managed Security Services.
 Implementation of SIEM, Ticketing System and EDR.
 Implementation of a SOAR platform that will act as a central fusion point for all
technologies, through integration with the SOC solutions, to augment the capabilities
of the MSS operations.
 Integration of the installed SOC systems to achieve efficient interoperability.
 Enablement and optimization of use cases and detection rules on SIEM and EDR.
 Proposition of new use cases and detection rules to cover more attack vectors.
 Elaboration of security operations processes and incident handling workflows for
better alignment with the designated MSS services.
 Configuration of the SIEM solution for 3 months online log retention and 12 months
offline.

Once complete, the material and documentation elaborated/reviewed will be
passed to the service delivery team and used by the security operations team for
both SOC security operations and engineering activities.

2. 8x5 SOC Monitoring Services (Level 2 Operations) using SIEM, SOAR and
security technologies. We will carry out this service on an 8x5 basis remotely from
the Data Consult Security Operations Center, using the SOAR solution as the primary point
for operations and going through the customer network to reach the SOC infrastructure.
In addition to the existing tools, the Data Consult team will rely on the EDR
solution of the monitored environment (pre-requisite) and will provide the
installation of an on-premises SOAR solution to act as a central hub for security
investigations and case management.

The service wrapper will include the following:

 8x5 Level 2 Cyber Defense Analyst Services.
 Classification and prioritization of security incidents and generation of tickets.
 Triage and prioritization of detected incidents.
 Root cause analysis of detected incidents.
 Alarms and notifications via the Case Management System in general, and by
phone for critical incidents.

For the SOC augmentation Data Consult is proposing the following resources:

 2x Level 2 Cyber Defense Analyst - Full Time Employees (FTEs), 8x5
 1x Level 3 Lead Cyber Defense Analyst - Full Time Employee (FTE), 8x5

Further augmentation can take place after gaining insight into the
environments covered during monitoring.

3. 120 Hours/Year Remote Incident Response Retainer (Reactive Security
Operations)

The Incident Response retainer services include:
 Receipt of escalated incidents from L2 SOC analysts.
 Identification of, and advisory on, isolation and containment procedures for
occurring incidents, in close collaboration with the customer team.
 Forensics and root cause analysis of detected incidents.
 Real-time and post-mortem remote incident analysis and remediation.
 Reporting related to cyber security incidents (occurring incidents, common
causes, most exposed systems, analytics, solved/unsolved tickets, etc.).

4. Security Engineering and Use Case Management:

The Data Consult team will optimize existing use cases and detection rules.
Moreover, the engineering team will propose newly required
use cases and detection rules to allow coverage of more attack vectors.
Service Coverage: 2 new use cases per quarter (8 tuned use cases per
year).

Location of Services

Data Consult will deliver services remotely from its Security Operations
Center facility in KSA.

Further details about the approach, assumptions and responsibilities can be found
in section “Data Consult Deployment Approach”.

B. SOC Monitoring Solution Architecture provided to the customer

Data Consult will rely on a VPN and a hypervisor at the customer end to connect to
the Master SIEM, Master SOAR, Case Management, Ticketing System and EDR at the
customer end.

To enable the augmentation of Managed SOC services, the remote IR services, and the
SIEM use case engineering and reporting, the following connections, integrations and
controls are needed:

1. Secure VPN Tunnel from the Data Consult KSA Tenant to the Customer location:
A VPN tunnel should be implemented between the Data Consult tenant in Azure
and the customer site, then from the customer site to the designated monitored
environment. The connectivity provided should allow the SOC
assets and analyst endpoints of Data Consult in KSA to communicate with the
designated monitored environment (SIEM, SOAR, Ticketing System, EDR).

2. Audited Access:
Monitoring should be enforced on the tunnels established from Data Consult KSA to the
designated monitored environment.

3. Encryption is always required:
Encryption and any other supporting encryption mechanisms will be enforced to
guarantee the minimal level of traffic exposure possible during network transit.

4. Thorough Monitoring of the MSS Supporting Infrastructure:
Apart from the internally monitored Managed Security Infrastructure at Data
Consult, all the nodes and systems between the Data Consult infrastructure, the customer
end and the designated monitored infrastructure will be thoroughly monitored, with
regular timely reporting on findings and security KPIs.

C. Data Consult Deployment Approach

The Data Consult SOC program includes two distinct capabilities we will deliver:

 SOC Implementation & Integration.
 SOC Operations.

1. SOC Implementation and Integration

During the SOC Implementation phase, Data Consult will carry out the following
tasks:

 IT infrastructure survey and detailed information gathering from the sites to
be monitored, which will allow the SOC team to understand the existing
critical assets, network topologies, configurations and restrictions on any
asset under the SOC scope of monitoring.
 Coordination with the customer security team to receive a detailed list of
critical assets to be monitored and included under the scope.
 Establish connectivity/policy requirements from the customer and the
designated environment.
 SOC monitoring architecture and technology stack design.
 Remote implementation of the security technologies needed for the Managed
Security Services, including SIEM solution (Splunk), SOAR solution (Palo
Alto XSOAR), Endpoint Detection and Response (Carbon Black) and
ticketing system (JIRA On-Premise).
 Customization and tailoring of the above security technologies to
meet the needs and objectives of the project.
 Deployment and configuration of the services needed for log and flow
collection from the monitored assets.
 Fine tuning of the production environment once normal traffic
patterns are understood.
 Configuration of SOC use cases and correlation rules for specified kill
chains.
 Creation of dashboards suggested by the Data Consult SOC team.
 Assignment of playbooks for triage and escalation pre-developed by Data
Consult.
 Commissioning and testing of the configurations and actions executed, in
a one-month pilot before launching the Managed Services into steady-state
operation.
 Alignment to SLAs and deliverables.
 Provide daily updates to the customer on mobilization of SOC Monitoring.
 Create / set up reports to measure SOC Monitoring.

2. SOC Operations

During the SOC Operations phase, Data Consult will provide the
following capabilities and technical services to the customer:

8x5 Security Monitoring:

This service delivers real-time monitoring, correlation, and expert analysis
of security activity across your enterprise. The service improves the
effectiveness of your security maturity by actively analyzing the logs and
alerts from your infrastructure, 8x5. Our certified Security Analysts will
have the context needed to eliminate false positives and respond to the
true threats to your information assets.

SOC Operations Capabilities - Data Consult Advanced Cyber Fusion Center

SOAR Automated Tier 1:
The Data Consult team will leverage the SOAR with created playbooks and
automation to allow the SOC tier 1 activities to be completed in an
automated fashion by the SOAR, allowing the SOC analysts to focus on
more meaningful events and tasks.

Human-based Tier 2 - Triage Analysis:
Data Consult seeks the brightest outside-the-box thinkers and
analytics-focused security experts to work within the SOC across the
different cells. We ensure that their skill sets are updated and in use with
regular SANS training and certification. SOAR handles the time-consuming
and more mundane processes and procedures with our
internally developed playbooks, giving our senior SOC analysts the
needed resources and freedom to investigate enriched tickets and gather
enough evidence to identify true positive abnormalities detected in the
client’s environments.

SOC Management & Reporting:
Data Consult brought recognized leaders into operational and
technical roles to establish a solid foundation from which security
operation is handled. These leaders understand the needs and have
real-world experience; this allows for enhanced client handling and reporting
by creating meaningful client-customized reporting and leadership
engagements. Additionally, Data Consult produces regular (weekly,
monthly and quarterly) SOC scorecard reports to demonstrate
continuous improvement in the operation and to highlight any area that
needs to be addressed by the client or Data Consult on an urgent basis.
Detailed reporting scope is provided in the deliverables section.

Outputs:
Data Consult creates meaningful client-customized outputs, including
automatic reporting and delivery and on-demand reporting and delivery.
Data Consult works directly with client stakeholders to understand the
output needs and address them in the most effective approach.

Incident Response Retainer – Remote Services (Customer responsible for
on-site tasks)

This service allows the customer team to have a trusted partner on standby
supporting incident investigations, digital forensics, and malware analysis.
Additionally, the retainer allows the customer to proactively prepare for cyber
security incidents by conducting tabletop exercises or testing of the incident
response plan.

Incident Response Retainer (120 hours per year)
Criteria - Data Consult Advanced Cyber Fusion Center

Reactive Services: Forensics + Malware Analysis
Data Consult will be rolling out an advanced malware and forensic
lab from the KSA location. This lab will enable the IR cell and the
malware analyst to support greater capacity and more complex
artifacts collected from the client environment, or research into threat
landscapes. The lab will host a malware repository that will provide
historical samples and allow for the creation of internal malware
intelligence to be combined with our 3rd party malware intelligence.

Reactive Services: Incident Handling
Data Consult Incident Response consultants provide remote incident
handling roles. Our incident responders act as an escalation point
for the SOC analysts, and provide guidance, support and technical
subject matter expertise. The cell works out of two hubs covering
the Levant and GCC territories. Data Consult will also be rolling out
an incident handling and forensic lab from the KSA location to
support more complex IR needs.

Security Use Cases Engineering

Security Engineering and Use Case Management (2 use cases per month)
Criteria - Data Consult Advanced Cyber Fusion Center

Use Case Engineering:
 Data Consult will provide the Customer with SIEM content planning,
development and tuning. As such, the focus of this activity is on
the identification and implementation of use cases via the
development of rules based on Data Consult proprietary threat
intelligence and understanding of the customer environment.
 Observe rule operation once implemented, and review/monitor the
performance of the use case content.
 Tune content, as needed and with Customer approval, to
achieve a balance that minimizes false positives and
maximizes the detection of security threats.
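The content lifecycle above (develop a rule, observe it, tune it with Customer approval) can be shown concretely. The following is an added example written for this page, not Data Consult's or any SIEM vendor's content: a failed-logon correlation rule in Python, run over constructed sshd syslog lines, where the threshold, the time window and the source allowlist are the knobs that tuning turns. The host names, addresses and log lines are constructed sample data, and the sliding-window implementation is an assumption about how such a rule would be built.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events for this example (not customer data): "<ISO timestamp> <host> <sshd message>".
SAMPLE_LOGS = """\
2022-08-21T09:00:01 web01 sshd[4122]: Failed password for invalid user admin from 10.0.0.5 port 50122 ssh2
2022-08-21T09:00:12 web01 sshd[4122]: Failed password for root from 10.0.0.5 port 50123 ssh2
2022-08-21T09:00:25 web01 sshd[4122]: Failed password for root from 10.0.0.5 port 50124 ssh2
2022-08-21T09:00:40 web01 sshd[4122]: Failed password for oracle from 10.0.0.5 port 50125 ssh2
2022-08-21T09:00:55 web01 sshd[4122]: Failed password for root from 10.0.0.5 port 50126 ssh2
2022-08-21T09:01:10 web01 sshd[4122]: Failed password for root from 10.0.0.5 port 50127 ssh2
2022-08-21T09:02:00 web02 sshd[5310]: Failed password for svc_backup from 10.0.0.7 port 40001 ssh2
2022-08-21T09:02:30 web02 sshd[5310]: Failed password for svc_backup from 10.0.0.7 port 40002 ssh2
2022-08-21T09:02:45 web02 sshd[5310]: Accepted password for svc_backup from 10.0.0.7 port 40003 ssh2
2022-08-21T09:03:00 web03 sshd[6001]: Failed password for root from 10.0.0.9 port 33001 ssh2
2022-08-21T09:03:05 web03 sshd[6001]: Failed password for root from 10.0.0.9 port 33002 ssh2
2022-08-21T09:03:10 web03 sshd[6001]: Failed password for root from 10.0.0.9 port 33003 ssh2
2022-08-21T09:03:15 web03 sshd[6001]: Failed password for root from 10.0.0.9 port 33004 ssh2
2022-08-21T09:03:20 web03 sshd[6001]: Failed password for root from 10.0.0.9 port 33005 ssh2
2022-08-21T09:03:25 web03 sshd[6001]: Failed password for root from 10.0.0.9 port 33006 ssh2
2022-08-21T12:00:00 web01 sshd[4122]: Failed password for root from 10.0.0.5 port 50200 ssh2
"""

# Only failed-logon lines are of interest; "invalid user" is optional in sshd's wording.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(lines):
    """Yield (timestamp, host, user, src) for each failed-logon line; other lines are ignored."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]


def brute_force_alerts(lines, threshold=5, window=timedelta(minutes=5), allowlist=frozenset()):
    """Sliding-window correlation: raise one alert when a single source reaches
    `threshold` failed logons within `window`. `allowlist` holds sources tuned out
    with customer approval (for example an authorised vulnerability scanner). The
    window for that source is cleared after an alert, so one burst produces one
    ticket rather than one per additional failure."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user, host) inside the window
    alerts = []
    for ts, host, user, src in parse_failures(lines):
        if src in allowlist:
            continue
        q = recent[src]
        q.append((ts, user, host))
        while q and ts - q[0][0] > window:   # drop events that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "src": src,
                "count": len(q),
                "users": sorted({u for _, u, _ in q}),
                "hosts": sorted({h for _, _, h in q}),
                "first": q[0][0],
                "last": ts,
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    # Baseline rule, then the same rule after tuning out the (assumed) authorised scanner at 10.0.0.9.
    for label, allow in (("untuned", frozenset()), ("tuned", frozenset({"10.0.0.9"}))):
        for a in brute_force_alerts(SAMPLE_LOGS.splitlines(), allowlist=allow):
            print(label, a["src"], a["count"], a["users"], a["first"], a["last"])
```

Untuned, the rule fires twice on this sample (10.0.0.5 and 10.0.0.9); after the scanner is allowlisted only the 10.0.0.5 burst remains, and raising the threshold to 7 silences both, which is the balance between false positives and missed detections that the tuning bullet refers to. The single failure from 10.0.0.5 at 12:00 falls outside the 5-minute window and does not reopen the alert.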

Continuous Improvement

To deliver this successfully, Data Consult will allocate a Team Leader to the SOC
Operations team to look after the customer and provide a single point of interface between
Data Consult operations and the customer. The Team Leader will have strong management
experience in the SOC and will support other teams such as Consulting, Engineering,
Product Development, Sales and Presales. This role will act as a Trusted Advisor
to the customer security management team and will also act as Data Consult’s Customer
Services Manager. As we deliver the SOC Operations we will identify, on an on-going basis,
areas for continuous improvement in the overall SOC design, build and operation, including
areas for automation, process optimization, use case development, and introduction of new
services / solutions to the portfolio.

This role will manage the following capabilities:

 Manage quality of SOC operations delivery by the Data Consult SOC team.
 Manage Data Consult SOC metrics and reports and present them regularly to the
customer management team.
 Recommend improvements to SOC people, processes and technologies to the
customer senior management team.
 Manage training for Data Consult SOC team members, including time to take
training and when to conduct the training.

D. Project Deliverables

The services to be delivered out of this project are the following:

 Augmentation of Managed Security Operations and Monitoring Services for the
designated monitored environment, on an 8x5 basis through SIEM, SOAR and
other relevant security monitoring tools.
 L2 Analyst capacity for identification and analysis of events.
 Incident response capacity on an hourly retainer delivered remotely from
KSA (120 hours per year).
 2 new use cases developed per month.

As for the documents to be delivered out of this project:
 Detailed Project Plan after Project Kick-off
 Detailed Communications Plan after Project Kick-off
 Weekly Status Report: gives a summary of security health, on-going activities,
completed tasks, risk maps, risk identification and mitigation plan, and action
items across different application areas, delivered weekly (at seven
calendar day intervals).
 Monthly Review Meeting and Status Report: tracking any issues impacting the
SLA, updates about risks and enhancements suggested, capturing agreements
and disagreements and items needing escalation, delivered at monthly
intervals and not less than two business days before the scheduled review meeting.
 Quarterly Review Meeting: review of overall project status, issues list, metrics
reporting, supporting reasons for metrics deviation, and items that need
adjustment within the SLA, delivered at quarterly intervals and not less than five
business days before the scheduled review.
 SLA documents

E. Roles and Responsibilities


General Assumptions

 Data Consult is not responsible for managing and configuring the
logging setup for each of the various data sources that are collecting
logs and sending them to the SIEM, but will advise the customer team
on the best practices and procedures to apply the needed data source
configuration.
 Data Consult will optimize the configuration of the existing SIEM, SOAR
and EDR solutions as per the scope of work in this proposal. The extent
of the optimization and enablement of existing solutions and
operations will depend on the functionalities and features of the
designated systems.
 Data Consult will provide the customer with 8x5 alert monitoring,
triage, analysis and investigation services under this SOW via a
team of remote security analysts based in our Security Operations
Center in KSA.
 The content packs (i.e., searches, reports and dashboards) for security
monitoring and investigation will be implemented based on the
availability of relevant data sources from the designated environment.

Note: The management and administration of the data sources/devices that
are, or will be, sending logs to the SIEM is not included in this service; however,
the Data Consult team will advise the customer on the appropriate
configuration of the data sources.

Data Consult Responsibilities:

 Data Consult will configure the local SOAR solution within the
designated monitored infrastructure. The capabilities of the SOAR
solution and operations will depend on the functionalities allowed by
the integration with the SIEM solution.
 Data Consult will provide 8x5 Level 2 monitoring and security
incident management.
 Data Consult will provide streamlined and mature processes and
procedures for SOC operations and incident management.
 Data Consult will provide 8x5 Level 2 alerting and assistance for incident
management to the customer.
 Data Consult will provide regular scheduled reports on the security operations
posture, as per the scope explained in the deliverables section.
 Data Consult will create specific business use cases and implement them
in the SOC offered, as per the SOW in this proposal.
 Data Consult will provide proactive and reactive inputs to the customer to
ensure the best cyber security coverage.

Throughout the engagement with the customer department, Data
Consult will ensure the confidentiality and integrity of the customer’s
information and property.

Customer Responsibilities:

 The customer will provide Data Consult with the required
administrative interfaces for monitoring event streams and log
collection activities of all in-scope components of the security technology
infrastructure, if required.
 The customer team will be in charge of solution management,
patching, health checks, backups, and other related security,
performance and maintenance tasks on the SOC solutions after
deployment.
 The customer will provide the necessary action, assistance and support in
the installation and configuration of the necessary infrastructure,
network components and assets to guarantee security,
availability, and accessibility for the SOC Monitoring team’s access to the
designated monitored environment infrastructure to perform in-scope
services.
 The customer will inform Data Consult within three calendar days (72
hours) of any change in Point of Contact (POC) information for this
service, so that the in-scope SOC monitoring services can be performed.
 The customer agrees to work collaboratively with Data Consult in
defining the various user groups and roles and the related incident
handling and response procedures.
 The customer will inform Data Consult of any change within the security
technology and/or IT environment that is relevant to the Service.
 The customer will review the monthly service reports and provide
Data Consult with any relevant feedback or questions pertaining to
the report.
 The customer will configure data source instances (i.e., firewalls,
IDS/IPS devices, etc.) to collect logs and send the data to the SIEM.
 The customer will provide the needed technical and human resources to
achieve the desired integrations and connectivity between the
existing SOC solutions and the remote SOC when enabled.
 The customer will troubleshoot data sources that are not collecting
the desired events/fields within the logs that the data sources are
sending to the SIEM. (For example: if a firewall is not logging all desired
events, the customer is responsible for editing the logging
policy/configuration settings for that specific firewall.)
 The customer will identify and prioritize relevant data sources for
use case development based on the importance of the assets, business
associated risks, and operational impact of potential attacks.
 The customer will help Data Consult to coordinate with the appropriate data
source owners within the Customer organization, as needed.
 The customer will provide the needed assistance and support means, where
required, to allow Data Consult to fulfill the service requirements as per the
SOW in this proposal.

Prerequisites

 The customer must already have prepared the required hardware
equipment to install the SOC systems to be provided, as per the
minimum requirements provided by Data Consult.
 The customer should provide valid licenses for the proposed systems
(SIEM, EDR, SOAR, Ticketing System, Hypervisor, OS, etc.) for the
duration of the services contract, and the required infrastructure for
storage and backups.
 The customer should provide a valid SIEM license for the duration of the
services contract, and the required infrastructure for ticket storage.
 The designated infrastructure to be monitored must have an active and
functional Endpoint Detection and Response system.
 Stable network connectivity between the Data Consult Managed
SOC, the customer and the designated infrastructure to be
monitored.
 The customer should put in place a suitable setup for the remote
connection of the Data Consult team, through a secure and monitored
VPN tunnel with MFA, allowing the SOC team to reach a hypervisor for
central access (such as Citrix).
 For remote incident response services, the customer should provide
and deploy, with advice and guidance from Data Consult, a
Velociraptor master server within the SOC infrastructure (usually
requiring a mid-tier server for deployment). Velociraptor is an open-source
solution used for forensics and incident response at scale.
The master server will be connected to tenants on client premises
whenever incident response and forensics activities are
carried out.

F. Project Schedule and Timeline

The Data Consult team has concluded from the identification of requirements
that the following efforts and timeline will be needed for the execution
of this project:

Milestone #   Phase Description                                  Duration    Month(s) of Project
1             Project initiation and planning                    1 Month     1st Month
2             Network, Systems and MSS Design
3             SOC Solution Implementation, Configuration and     2 Months    2nd and 3rd Month
              Commissioning
4             SOC Service Implementation and Transition          1 Month     3rd Month
5             SOC Operation and Improvement                      12 Months   4th to 12th Month

G. Service Level Agreements and Responsibilities

Responsibilities:

Data Consult will handle all the security events generated by the
customer’s security controls and sent to the SIEM solution.

After the triage/investigation/classification performed by Data Consult’s
analysts/automated systems, if required, the case will be escalated to the
Customer’s Point of Contact as a security incident or policy violation.

Policy violation use cases will be shared by the customer according to
their internal policies and procedures.

Task ownership in scope of the Incident Response function is outlined below using a
RACI model (R = Responsible, A = Accountable, C = Consulted, I = Informed):

Capability                                                           Customer   Data Consult
Security Events Detection by Customer Security Controls              RA         IC
Security Events Detection by Data Consult Correlation Rules          RA         IC
Initial Incident Identification & Analysis                           RA         IC
Initial Incident Investigation, Triage and Classification            RA         IC
Incident Notification and Escalation                                 RA         IC
Initial Incident Containment Recommendations                         RA         IC
Recurrent Incident Mitigation Strategy Recommendation                I          RAC
Escalated Incident Response & Investigation                          I          RAC
Escalated Incident Forensic Analysis (IR & Forensics Investigation)  I          RAC
Post Mortem Analysis (within the determined retainer period)         I          RAC

Escalation Guidelines

The process of correcting incidents requires that detection, disruption, resolution
and mitigation disciplines be established and practiced at all levels of the ACFC
(the Data Consult Advanced Cyber Fusion Center).
This process can and should be mapped to the customer’s phases in their incident
response plan, where applicable. A structured progression of recommended
actions that directs individuals to perform the appropriate meaningful analysis
and actions while troubleshooting is required. The ACFC staff must also have
guidelines from the customer for referring incidents to the proper specialists when
they cannot be resolved within the ACFC.

           Detection   Distribution   Resolution                Mitigation
                                      (with Customer L1         (with Customer L1
                                      intervention)             intervention)
XSOAR      RA          RA
CDA L2                 IC             RA
CDA L3                                IC                        RC

Notice that the phases of the incident resolution process evolve from left to right and
from the lower skill level to the next. When activities at one skill level have been
exhausted on an incident, the incident should be escalated to the next skill level for
further action.

Escalation Matrix

Service Level Agreements (SLAs) within determined working hours

Incident   Incident   Mean Time to     Mean Time to Investigate (MTTI)   Mean Time to
Priority   Title      Detect (MTTD)    after escalation to L2            Respond (MTTR)
P1         Critical   Data Consult     10 min                            90 min
P2         High       Data Consult     20 min                            90 min
P3         Medium     Data Consult     30 min                            120 min
P4         Low        Data Consult     24 hours                          48 hours
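To show how the MTTI and MTTR figures above can be measured against real tickets, the following added example (written for this page, not a Data Consult tool) computes the per-priority means on a working-hours clock, so that time outside the 8x5 coverage window does not count against the SLA, and flags breaches against the table. The 08:00-16:00 Sunday-to-Thursday window, the ticket timestamps, and the mapping of MTTI to "escalation to L2 until investigation complete" and MTTR to "detection until the customer POC is notified" are assumptions; the MTTD column carries no numeric target in the table, so it is not scored.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from statistics import mean

# Assumptions (not stated in the proposal): the 8x5 window is 08:00-16:00, Sunday to Thursday.
WORKDAYS = {6, 0, 1, 2, 3}          # datetime.weekday(): Mon=0 ... Sat=5, Sun=6
WORK_START, WORK_END = time(8, 0), time(16, 0)

# Targets from the SLA table, in minutes (MTTI measured after escalation to L2).
SLA_MINUTES = {
    "P1": {"mtti": 10, "mttr": 90},
    "P2": {"mtti": 20, "mttr": 90},
    "P3": {"mtti": 30, "mttr": 120},
    "P4": {"mtti": 24 * 60, "mttr": 48 * 60},
}


def working_minutes(start: datetime, end: datetime) -> float:
    """Minutes between start and end that fall inside the coverage window; time outside 8x5 does not count."""
    if end <= start:
        return 0.0
    total = 0.0
    day = start.date()
    while day <= end.date():
        if day.weekday() in WORKDAYS:
            lo = max(start, datetime.combine(day, WORK_START))
            hi = min(end, datetime.combine(day, WORK_END))
            if hi > lo:
                total += (hi - lo).total_seconds() / 60
        day += timedelta(days=1)
    return total


@dataclass
class Incident:
    ticket: str
    priority: str
    detected: datetime      # SIEM/SOAR alert time
    escalated: datetime     # handed from SOAR tier 1 to an L2 analyst
    investigated: datetime  # L2 investigation and classification complete
    responded: datetime     # customer POC notified with containment recommendation


def sla_report(incidents):
    """Mean MTTI/MTTR per priority on the working-hours clock, with breach flags against SLA_MINUTES."""
    by_prio = {}
    for inc in incidents:
        by_prio.setdefault(inc.priority, []).append(inc)
    report = {}
    for prio, incs in sorted(by_prio.items()):
        mtti = mean([working_minutes(i.escalated, i.investigated) for i in incs])
        mttr = mean([working_minutes(i.detected, i.responded) for i in incs])
        target = SLA_MINUTES[prio]
        report[prio] = {
            "count": len(incs),
            "mtti": mtti,
            "mttr": mttr,
            "mtti_breach": mtti > target["mtti"],
            "mttr_breach": mttr > target["mttr"],
        }
    return report


# Constructed tickets for one week (2022-08-21 is a Sunday); not real incident data.
SAMPLE_INCIDENTS = [
    Incident("INC-1001", "P1", datetime(2022, 8, 21, 8, 50), datetime(2022, 8, 21, 9, 0),
             datetime(2022, 8, 21, 9, 8), datetime(2022, 8, 21, 10, 0)),
    # Raised late on Thursday: the clock stops at 16:00 and resumes on Sunday at 08:00.
    Incident("INC-1002", "P1", datetime(2022, 8, 25, 15, 30), datetime(2022, 8, 25, 15, 40),
             datetime(2022, 8, 25, 15, 55), datetime(2022, 8, 28, 8, 40)),
    Incident("INC-1003", "P3", datetime(2022, 8, 21, 10, 0), datetime(2022, 8, 21, 10, 5),
             datetime(2022, 8, 21, 10, 30), datetime(2022, 8, 21, 11, 30)),
]

if __name__ == "__main__":
    for prio, row in sla_report(SAMPLE_INCIDENTS).items():
        print(prio, row)
```

On this sample the two P1 tickets average 11.5 minutes MTTI, which breaches the 10-minute target even though each MTTR stays within 90 minutes; INC-1002 shows why the clock matters, since its 70 working minutes to response span a weekend that a wall-clock calculation would have counted as a breach.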

H. Minimum Hardware Requirements for SOAR Solution

We provide below the minimum requirements for the suggested SOC setup. The
setup below does not include physical or virtual high availability; if high availability
is required, the equipment count should be duplicated as specified in the last item of
the table below.

I. Minimum Technical Requirements

Item 1: Master SIEM Server (Quantity: 1)
Functional Aspect:
  1x VM for Splunk Master ES Search Head
  1x VM for Splunk License Master
  ESXi Hypervisor (host for the above VMs)
Minimum Specifications or Equivalent:
  Computational Power: 2x 18-core CPU, 64-bit, >2.0 GHz
  Memory: 6x 32 GB RAM
  Network: 4x 10GbE Base-T RJ45
  Storage (retention 365 days): 4x 3840 GB SSD hot swap, 2x 1920 GB SSD hot swap
  RAID Controller: hardware RAID controller
  Licensing: 1x Splunk MSS License (15 GB/day, to serve the customer SOC only; any
  further expansion requires a license upgrade); 1x ESXi Hypervisor License (matching CPU count)
  Power Supply: hot-plug dual power supply

Item 2: Master SOAR Server + Splunk Indexer (XSOAR Solution + Splunk Indexer) (Quantity: 1)
Functional Aspect:
  1x VM for XSOAR Solution
  1x VM for Splunk Indexer
  ESXi Hypervisor (host for the above VMs)
Minimum Specifications or Equivalent:
  Computational Power: 2x 24-core CPU, 64-bit, >2.0 GHz
  Memory: 6x 32 GB RAM
  Network: 4x 10GbE Base-T RJ45
  Storage (retention 365 days): 6x 3840 GB SSD hot swap, 2x 960 GB SSD hot swap
  RAID Controller: hardware RAID controller
  Licensing: 1x Palo Alto XSOAR MSSP License (multi-tenant); 1x ESXi License (matching CPU count)
  Power Supply: hot-plug dual power supply

Item 3: Additional SOC Systems Server - Carbon Black EDR Server, Ticketing System, Syslog Server, vCenter (Quantity: 1)
Functional Aspect:
  1x VM for EDR Console
  1x VM for Syslog Server
  1x VM for JIRA Ticketing System
  1x VM for vCenter
  ESXi Hypervisor (host for the above VMs)
Minimum Specifications or Equivalent:
  Computational Power: 2x 24-core CPU, 64-bit, >2.0 GHz
  Memory: 8x 32 GB RAM
  Network: 4x 10GbE Base-T RJ45
  Storage (retention 180 days): 8x 3840 GB SSD hot swap
  RAID Controller: hardware RAID controller
  Licensing: Carbon Black EDR Server license covering 50 endpoints; 1x JIRA On-Premise License;
  1x ESXi License; 1x vCenter License
  Power Supply: hot-plug dual power supply

Item 4: Physical Redundancy Servers (for high availability) - Splunk, Carbon Black and XSOAR redundancy (Quantity: 3)
Minimum Specifications or Equivalent:
  Computational Power: 2x 24-core CPU, 64-bit, >2.0 GHz
  Memory: 8x 32 GB RAM
  Network: 4x 10GbE Base-T RJ45
  Storage (retention 365 days): 8x 3840 GB SSD hot swap
  RAID Controller: hardware RAID controller
  Licensing: ESXi licenses
  Power Supply: hot-plug dual power supply
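The retention requirement in the scope (3 months online, 12 months offline) and the 15 GB/day license and SSD counts listed for the Master SIEM Server above can be cross-checked against each other. The following added example (written for this page, not part of the proposal) sizes each retention tier and compares it with the usable capacity of the listed disks. The compression ratios, the RAID layout (the 4x 3840 GB set as a single-parity array, the 2x 1920 GB pair as a mirror) and the assignment of those sets to the online and offline tiers are assumptions, since the proposal only specifies a hardware RAID controller.

```python
from dataclasses import dataclass


@dataclass
class RetentionPlan:
    ingest_gb_per_day: float     # licensed daily ingest (15 GB/day in the requirements above)
    online_days: int             # searchable retention on the indexer (3 months in the scope)
    offline_days: int            # archived retention (12 months in the scope)
    indexed_ratio: float = 0.5   # assumption: indexed data on disk is ~50% of raw (compressed raw + index files)
    archive_ratio: float = 0.15  # assumption: the offline archive keeps compressed raw only, ~15% of raw

    def online_gb(self) -> float:
        return self.ingest_gb_per_day * self.online_days * self.indexed_ratio

    def offline_gb(self) -> float:
        return self.ingest_gb_per_day * self.offline_days * self.archive_ratio


def usable_gb(disks_gb, parity_disks=1, fs_overhead=0.10):
    """Usable capacity of one array after RAID parity and filesystem overhead.
    Assumption: equal-size members; parity_disks=1 models RAID 5 for 3+ disks and a mirror for 2."""
    if len(disks_gb) <= parity_disks:
        return 0.0
    return min(disks_gb) * (len(disks_gb) - parity_disks) * (1 - fs_overhead)


def check_capacity(plan, online_disks_gb, offline_disks_gb, headroom=1.25):
    """Compare required against usable capacity per tier; headroom covers ingest growth and bursts.
    Also reports the largest daily ingest the two arrays could sustain under the same assumptions."""
    need_on = plan.online_gb() * headroom
    need_off = plan.offline_gb() * headroom
    have_on = usable_gb(online_disks_gb, parity_disks=1)
    have_off = usable_gb(offline_disks_gb, parity_disks=1)
    return {
        "online_required_gb": need_on,
        "online_usable_gb": have_on,
        "online_fits": have_on >= need_on,
        "offline_required_gb": need_off,
        "offline_usable_gb": have_off,
        "offline_fits": have_off >= need_off,
        "max_ingest_gb_per_day": min(
            have_on / (plan.online_days * plan.indexed_ratio * headroom),
            have_off / (plan.offline_days * plan.archive_ratio * headroom),
        ),
    }


if __name__ == "__main__":
    # Figures from the scope and the Master SIEM Server item; the disk-to-tier mapping is an assumption.
    plan = RetentionPlan(ingest_gb_per_day=15, online_days=90, offline_days=365)
    result = check_capacity(plan, online_disks_gb=[3840] * 4, offline_disks_gb=[1920, 1920])
    for key, value in result.items():
        print(f"{key}: {value:.1f}" if isinstance(value, float) else f"{key}: {value}")
```

On these assumptions both tiers fit comfortably, but the 1920 GB mirror used for the offline archive, not the 15 TB online set, is what bounds the licensed ingest at roughly 25 GB/day; a license upgrade beyond that needs more archive capacity or a shorter offline window, which is the check a practitioner would want before accepting the "further expansion requires a license upgrade" clause at face value.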

2. Project Management Principles

2.1 Service Description and Scope of Work

Data Consult has developed a unique approach to security and risk consulting: the
“FACTS” methodology. Based on our years of consulting experience, as well as research
conducted by the Harvard Business School, FACTS focuses on what consistently leads to
consulting success. The FACTS method emphasizes where your security program currently
stands and what improvements are possible moving forward.

Data Consult concentrates on your long-term path to a more effective security posture:

Figure 1 - FACTS Project Methodology

Flexible

Our projects are always diligently scoped, but at times we uncover information that
suggests some shift in focus or emphasis will be most helpful to you. We will confer
with you and adjust our process accordingly.

Align

Our recommendations take into account your personnel, your current capabilities, the
maturity of your security program and your unique business objectives. Our job is to
align our recommendations with what is possible for your organization. One-year
consumable chunks of progress, in our experience, are what work. We concentrate on
effective progress that is aligned to your team and organization and can be
accomplished within 12 months.

Communicate

A report is not enough; communication between consultant and customer must be
interactive. Where practical, our consultants will meet with you at the end of every
day. We want to review preliminary findings and recommendations to ensure our findings
are accurate (this will be your opportunity to provide us with feedback and
corrections). We can give you an evolving view of our opinions and recommendations;
this way there are no surprises in the report. We also look for key issues that impede
progress and discuss these in particular; that way we can break bottlenecks. Our
objective is to communicate beyond report writing. By ensuring solid communication,
we can focus on remediation effectiveness and on your current capabilities, obstacles
to progress and true needs.

Transfer

Knowledge transfer will help expedite progress. Although this part of our
methodology is optional, we encourage your team to shadow and work closely with
our consultants. We will share with you our tools and techniques, how we interpret
results and other tips to help you realize ongoing value. In our experience, the more
you understand about security, the more improvements you will make in your
security efforts.

Support

After we deliver the final report, you are likely to have follow-up questions. Problems
may arise or new options may present themselves as you begin your remediation.
Please contact us. Our consultants can provide support for your report-related
questions even after the engagement is over and at no additional cost to you.


3. Client Engagement Process

A Data Consult consulting engagement is unique. The following diagram illustrates
our typical engagement process, followed by detailed descriptions:

Figure 2 - Our Client Engagement Approach in Consulting

A. Phase 1: Coordinate/Plan/Prepare

Data Consult's consulting leadership will discuss the project at a high level with
your organization. We will review the contract and clarify requirements and
expectations. We will match a consultant or team of consultants to you, based on
qualifications, timing requirements and personality. We will establish secure
communication channels and provide contact information and associated
notification processes.

A Data Consult security consultant or project lead will contact you before your
project commences. This ensures that we address any additional questions or
concerns you may have, determine if the schedule is still appropriate, facilitate
document or knowledge transfer, and confirm your project can proceed as
planned. At this time, key stakeholders are identified, appropriate meetings are
tentatively scheduled, and any travel plans are confirmed.

B. Phase 2: Kick-off Meeting

All consulting engagements begin with a project kick-off meeting. Key personnel and
teams are introduced. A primary focus of the meeting is to gain alignment and agreement
between both sides on the direction and goals of the engagement. This allows Data Consult
security consultants to discuss your expectations and inputs and address any
pre-engagement questions. During this meeting, we will address:


 Stated goals of the project
 Project scope, methodology and rules of engagement
 Escalation procedures on each side
 Expectations for timeline, scheduling, coordination needs, milestones and deliverables
 Areas of special focus or interest
 Information specific to your organization or industry
 Clarification or changes in scope or needs
 Document exchange
 Personnel and team roles and responsibilities
 Organizational risk and security practices, tolerances and requirements

C. Phase 3: Project Delivery

Data Consult consultants gather and analyse data in order to draw conclusions about
the security of your environment and any risks to your organization. We will work
closely with your team and give you regular updates on our progress.

We encourage you to shadow our consultants to facilitate knowledge transfer. This
approach makes customers more comfortable with the results, removing potential
surprises at the end of the engagement as well as improving your ability to interpret
and act upon the findings. If we find a critical issue, we will notify you immediately.


D. Phase 4: Results

We will review with you the scope and requirements, methods and activities,
and our findings and recommendations. This information will be presented
formally in a draft report, and upon concurrence and resolution of any
comments, we will prepare and distribute a final report.

E. Phase 5: On-going Support

We view our relationship as ongoing and want to ensure you get the most out
of our engagement. We are available for advice on what actions to take,
questions about a particular product or vendor, or time with a security
professional. Please contact your Data Consult account representative for more
information and support options.

F. Managed SOC Services Period

After the implementation and commissioning of the required infrastructure for the
Managed SOC services, we provide high quality delivery of SOC monitoring, forensics
investigations and IR retainer, SIEM engineering and other services as defined in the
scope of work of the proposal.

G. Continuous Quality Assurance

As a part of our commitment to delivering the highest level of service, Data Consult has
established formal processes for managing quality through survey metrics, lessons
learned, feedback and escalation processes, and deliverable reviews. This provides us
with a continual stream of feedback regarding our project management, methodologies
and customer handling procedures. In addition, all Data Consult deliverables are
reviewed for style, content and grammar before delivery.

Our consultants are evaluated on – and part of their compensation is tied to – customer
satisfaction. Customers have an opportunity to voice satisfaction and suggestions
through a survey sent at the completion of an engagement. We review every survey and
incorporate the feedback into our process to further improve our consulting efforts.

Data Consult has a formal, documented process for feedback and escalation
before, during and after an engagement. Customers are encouraged to contact
us with comments, questions or concerns about process, timelines, deliverables,
scope or other topics.

H. Account Management

Account management refers to your relationship with your sales representative
and the process around your interactions with them. Your Account Manager is your
single point of contact for billing, agreements or sales questions that may arise.
However, for any issues with service or delivery, we encourage you to use our
consulting feedback and escalation process.

Your Data Consult Account Manager will be in touch with you after the engagement
has been completed and all deliverables provided. He or she will follow up with
you to discuss any additional services we may be able to provide you – either
because of findings and recommendations, or just as a matter of securing your
organization.

The information we have learned about you is a vital part of determining the scope
of your environment for these future projects and allows us to tailor future
engagements better to you. In addition, any follow-up work is much more cost
effective since there is a far less steep learning curve in getting to know your
organization.


4. Bill of Quantities

A. The proposed bill of Quantities for Customer is as per the below:

Item No. | Service | Scoping
1 | SOC Implementation Package | 40 Man-Days (One-Off)
2 | L2 CDA SOC Services – 8x5 Basis | 2 Full Time Employees
3 | L3 SOC Services | 1 Full Time Employee
4 | Incident Response & Forensics Investigations | 120 hours per year (retainer-hours)
5 | Security Engineering and Use Case Management | 2 Use Cases per quarter; 5 Customized Reports per month
6 | MSSP License for Splunk Enterprise + Enterprise Security License | 15 GB/Day (just covering SOC environment)
7 | Palo Alto XSOAR MSSP Multi-Tenant License | 1
8 | Carbon Black EDR License | 50 Agents (1 server)
9 | JIRA Ticketing System (customer facing Ticketing System) | 1x On-Premises License (Users covering SOC count)
10 | ESXi License + VCenter License | As described in Minimum Requirements Section
11 | Optional L1 On-Call Services (Outside 8x5) | To be provided by Data Consult


5. Pricing

A. The proposed bill of Quantities for customer is as per the below:

Item No. | Service | Scoping assumptions | Yearly Pricing in USD
1 | SOC Implementation Package | 40 Man-Days (One-Off) | 44,000
2 | L2 CDA SOC Services – 8x5 Basis | 2 Full Time Employees | 430,000
3 | L3 SOC Services | 1 Full Time Employee | 298,000
4 | Incident Response & Forensics Investigations | 120 hours per year (retainer-hours) | 24,600
5 | Security Engineering and Use Case Management | 2 Use Cases per quarter; 5 Customized Reports per month | 15,896
6 | MSSP License for Splunk Enterprise + Enterprise Security License | 15 GB/Day, just covering SOC environment | 110,000
7 | Palo Alto XSOAR MSSP Multi-Tenant License | 1 | 83,000
8 | Carbon Black EDR License | 50 Agents (1 server) | 1,500
9 | JIRA Ticketing System | 1x On-Premises License (Users covering SOC count) |
10 | ESXi License + VCenter License | As described in Minimum Requirements Section |
11 | Optional L1 On-Call Services (Outside 8x5) | To be provided by Customer |


Payment Terms

 All prices are in USD
 Prices exclude VAT or any additional Taxes
 The proposed fees are valid for 60 days.

Payment Plan

 Technology: payment upfront upon contract signature
 Services: Monthly payments that start from contract signature for a 12-month duration


6. Document Approval

Version: 1.0

Date: 2022-8-21

The undersigned have reviewed and agreed to the information contained in this action plan
document.

Name ___________________________ Name ___________________________

Title ___________________________ Title ___________________________

Company ___________________________ Company ___________________________

Signature ___________________________ Signature ___________________________

Date ___________________________ Date ___________________________

Name ___________________________ Name ___________________________

Title ___________________________ Title ___________________________

Company ___________________________ Company ___________________________

Signature ___________________________ Signature ___________________________

Date ___________________________ Date ___________________________

Name ___________________________ Name ___________________________

Title ___________________________ Title ___________________________

Company ___________________________ Company ___________________________

Signature ___________________________ Signature ___________________________

Date ___________________________ Date ___________________________
