Job #2296: IT
Title: IT Security Consultant
STATEMENT OF WORK
ISD – ACTIVE THREAT ANALYTICS (ATA) SECURITY INCIDENT RESPONSE
The Los Angeles County (County) Internal Services Department (ISD) seeks to obtain the services of one (1) full-time Consultant to perform security incident response (IR) for incident tickets opened by ISD’s managed security service provider (MSSP). The primary responsibility of the Consultant will be working to remediate security incidents identified by the ATA service from “end-to-end” once received from ISD’s twenty-four hours, seven (7) days a week, three hundred sixty-five days a year (24x7x365) MSSP.
The contractor will also help to refine the security incident response process for ATA security incident tickets by analyzing the current process to reduce the number of steps, handoffs, and bottlenecks due to many factors – including constrained availability of ISD security analysts. This contractor will perform at the level of a Senior Network Systems Administrator (Sr. NSA).
In addition, the contractor will be responsible for all aspects of user support, system configuration, system administration, customer interaction/notification, working with the MSSP vendor, working with internal and external customer departments, working with internal and external customer Department Information Security Officers (DISOs) and providing weekly ATA incident ticket status to Security Division management and Executive Management.
In October 2015, ISD procured an MSSP to act as its Security Operations Center (SOC) and provide 24x7x365 around the clock expert security monitoring services for the Los Angeles County Enterprise Data Centers and Enterprise Network under the purview of ISD. As the MSSP service grew to encompass multiple remote security sensors at key sites around the County, ISD determined that it needed to refine and grow its security incident response processes to better respond and remediate identified security incidents.
ISD directly and indirectly supports 100,000+ users throughout the County organization. Additionally, it supports various local and state agencies throughout the entire County area. The Security Division (SD) supports IBM mainframe security, IT Shared Services (ITSS) desktop security, County Enterprise Data Center server security, secured email gateways, Countywide security registration, network security with application assessments and remote access, Countywide security incident response, Chief Information Security Office (CISO) virus efforts, network intrusion detection/prevention systems, business recovery fallback plans, and assists with ISD’s compliance with Board-approved information technology (IT) policies. The County has complex local and wide area networks. The County is constantly developing/expanding network-based and public-facing applications that require support from SD for use from the Internet, Intranet, through Virtual Private Networks (VPN), and through Extranets with business partners.
As one of the nation’s largest governmental agencies, the complexities of the County create great challenges for the County’s central IT security organization including:
• A wide area network with the core centrally managed, but the edge LANS and desktops (50,000+) managed by the individual departments and commissions.
• Decentralized IT with many of the 35+ departments and 7+ commissions running their own applications outside the County’s data center, although there is a current project underway to consolidate most County data centers to one centralized enterprise data center.
Active Threat Analytics (ATA) is ISD’s 24x7x365 managed security service. Around the clock, ATA monitors ISD’s network and data centers for security threats and attacks, and issues alerts to ISD when trouble is found. However, the ISD Security Operations Section (SOS) is not staffed 24x7x365 and does not have staff dedicated to investigating ATA cases, often requiring staff overtime to address the volume of ATA cases and to meet response time objectives. Moreover, ATA’s identification of County sources/destinations is sometimes incomplete or incorrect, requiring SOS to chase down IP addresses and the responsible County departments.
Additionally, the current security incident response process requires the Enterprise Operations Section (EOS) to manually enter ATA cases into ISD’s Cherwell (ticketing system), and requires SOS to manually update both ISD Cherwell and the ATA portal. Altogether, these challenges impact the cycle time for SOS to investigate and close ATA cases.
C. DESCRIPTION OF DUTIES
The Consultant shall perform the following:
• Work ATA tickets assigned from ISD’s 24x7x365 managed security service expeditiously (includes reviewing and working on cases on the portal and providing details for case closure).
• Provide in-depth support for information security incidents, including, but not limited to, internal violations, hacker attacks, viruses, unauthorized system access, and identifying and recognizing indicators of compromise (IOCs) and how they are used at the network level.
• Provide recommendations to improve information security incident response processes related to host and network security in accordance with County policies and procedures.
• Analyze and interpret system, security, and application logs in order to diagnose faults and spot abnormal behavior.
• Apply experience with maintaining a secure network through configuring and managing typical security-enforcing devices (e.g., firewalls, IDS/IPS, Internet proxy, etc.), knowledge of the types of events they produce, in-depth experience with other common devices such as routers and switches, and the ability to troubleshoot Windows, Linux, UNIX, and midrange environment security incidents.
• Identify issues/problems and coordinate with customers regarding recommendations and resolution to security incidents.
• Analyze threat intelligence feeds received, and correlate ATA cases and investigations with affected customer departments.
• Work with customer departments to facilitate the telemetry ingestion into the ATA managed security service.
• Participate in regularly scheduled project review meetings and conference calls.
• Work with the MSSP vendor to review documents and information collected, and assist in the process of documenting the identification, classification, and prioritization of critical systems and data.
• Set up and execute on-demand reports requested by customers and management.
• Provide knowledge transfer and/or training to Security Operations Section staff and ATA portal customers/users.
• Provide after-hours and weekend support on an as-needed basis.
D. MINIMUM QUALIFICATIONS
The Consultant must meet all of the following minimum qualifications:
1. One (1) year of experience within the last three (3) years managing and/or supporting a production security incident response environment, including working with end-users to investigate, analyze, troubleshoot, and resolve security incident issues.
2. Two (2) years of experience within the last four (4) years as a security incident handler with experience detecting, responding, resolving, and managing computer and network security incidents, including, but not limited to, detecting malicious applications and network activity, detecting and analyzing system and network vulnerabilities, determining root causes, performing computer and network forensic investigations and leading a computer security incident response team.
3. Two (2) years of experience within the last four (4) years as a systems administrator or network engineer supporting a networked environment with at least 100 servers, 2,000 or more users and multiple firewalls, switches, and routers. The network environment must consist of multiple VLANs in a single location AND multiple physical locations connected through routers or similar layer-3 routing devices.
4. Two (2) years of experience within the last four (4) years creating and managing projects with project management tracking tools such as Microsoft Project.
5. Three (3) years of experience within the last five (5) years in developing clear and precise process, workflow, and/or network diagrams using Microsoft Visio or similar tools, and technology-related documents such as operating procedures/guidelines, incident reports, technology standards, and knowledge base articles.
6. Two (2) years of experience within the last four (4) years in a security monitoring role.
If called for an interview, Consultants will be required to present samples of their own work and provide at least two (2) verifiable work references. Partial months of experience will not be accepted as a full year.