JOB DESCRIPTION:
Job Title: Resident Engineer
Location: San Francisco, CA (Onsite)
Duration: 12 months with possible extension
Additional Information:
- Candidate MUST have at least 10 years of total IT experience*
- Resources are required to work onsite at SFO five days a week
- The engagement term for each resource is one (1) year for a minimum of 1000 hours (six months), with the option to extend up to 2000 hours (six additional months) for the initial year (six months plus six months for a total of up to 12 months).
Project Scope:
SFO ITT is seeking a minimum of two professional services personnel, “Resident Engineers” or “REs”, to complete tasks as described in the Scope of Work section of this RFP. The initial term duration for proposed RE resources shall be one (1) year for a minimum of 1000 hours (six months) each, with the option to extend up to 2000 hours (six additional months) for the initial year (six months plus six months for a total of up to 12 months). Thereafter, the “Resident Engineer” or “RE” term may be extended annually for up to three (3) years.
Roles/Responsibilities:
The Proposer shall deliver the following that meets SFO’s requirements specified in each Task and Deliverable of this RFP.
Task 1: CrowdStrike – The CrowdStrike resource will have at least three years of experience supporting large enterprise customers in maximizing the efficiency of the CrowdStrike platform. This subject matter expert is expected to hold and maintain all relevant CrowdStrike certifications. This SME shall provide dedicated assistance with the deployment, configuration and integration of the Airport’s CrowdStrike Falcon Platform including, but not limited to:
- Assist with and make changes to the CrowdStrike platform to better protect SFO networks and endpoints.
- Optimize the Falcon Platform according to CrowdStrike and industry best practices.
- Enhance SFO change management and incident response procedures to align with the capabilities and workflows provided by CrowdStrike “Falcon Complete.”
- Advise IT Operations on how to best leverage the CrowdStrike platform to minimize cybersecurity risks associated with unresolved patching and remediation tasks, and assist in the implementation of the same.
Task 1 Deliverables:
- The Resident Engineer will be tasked with protecting resources on SFO networks by implementing conditional multi-factor authentication rules so that stolen (or easily guessed) authentication credentials cannot, by themselves, be used to access RDP and other services running on Microsoft Windows and Microsoft Windows Server.
- Implement host-based firewall rules to further limit accessibility of network-facing services on Microsoft Windows, Microsoft Windows Server, macOS and Linux to only those individuals and networks with a valid business justification to access said services (“remote access”).
- The Resident Engineer must be able to explain how these enhancements might be implemented using a combination of CrowdStrike and Palo Alto Networks User-ID, Group-ID, GlobalProtect VPN, Azure VPN gateway, or some other remote access solution, as well as the strategic use of virtual routing and forwarding (VRF) tables, to ensure remote access cannot be achieved using stolen authentication credentials (e.g. Pass-the-Hash attacks).
- Improve the quality and entropy of memorized authentication secrets used to authenticate to network services where MFA cannot be implemented; establish a baseline of said authentication events, and devise controls to detect atypical authentication requests that fall outside of said baseline.
- Establish procedures to ensure that authentication secrets used by service accounts that have historically been exempted from periodic password changes are changed, baselined, and then subject to change every twenty-four months thereafter.
- Leverage the Falcon Agent real-time-response capabilities to execute audit scripts that compare endpoint configuration against desired “hardening” settings.
Task 2: Palo Alto Networks – The PAN-OS resource will have at least three years of experience assisting organizations with the design, implementation and support of enhanced cyber-security controls associated with Palo Alto Networks firewalls and, to a lesser extent, Prisma Cloud.
Task 2 Deliverables:
- Deploy the controls needed to authenticate and identify all persons accessing more trusted networks from less trusted networks (e.g. User-ID and Group-ID).
- Coordinate and assist in the review of all firewall rules currently in use; ensure there is a documented business justification within ServiceNow for all traffic taking place between more trusted networks and less trusted networks; establish procedures to ensure said firewall rules are periodically reviewed to determine the need for and efficacy of said rules; capture the results of these reviews in ServiceNow; and determine how to easily verify that these reviews are taking place at least annually.
- Assist with the deployment of additional PAN-OS cyber-security controls, such as, but not limited to, DNS sinkhole, Captive Portal, and GlobalProtect HIP based policy enforcement.
Task 3: Microsoft Azure, Microsoft Intune, Entra ID identity management, SAML integration, and the implementation of conditional authentication policies that minimize the number of MFA interactions required during the working day.
Task 3 Deliverables:
- Establish processes and procedures for the deployment and management of Entra ID roles, identities, and conditional access policies in alignment with new and evolving Azure services and industry best practice, including a means to baseline expected Azure activity so that atypical actions can be flagged for review.
- Assist with the design and deployment of mobile device management (MDM) using Microsoft Intune for Microsoft Windows 10, Windows 11, and Apple iOS devices.
- Implement password-reset self-service capabilities for on-premises Active Directory using Microsoft Azure and conditional MFA.
- Design and implement policies and procedures to facilitate onboarding and offboarding of Entra identities through the use of the SCIM protocol.
Project Success Criteria:
The selected proposer shall implement the described Scope of Work requirements to achieve the success criteria below.
- CrowdStrike’s features have been optimized for the SFO ITT environment such that the Airport is getting full value from its investment in the product.
- Palo Alto Networks (PAN) Firewalls rules have been reviewed, fine-tuned and documented for future maintenance and support efforts.
- Microsoft Entra ID identity management, SAML integration, and the implementation of conditional authentication policies that have minimized the number of MFA interactions required during the working day.
Mandatory Skills:
- Proposer must provide at least three (3) similar projects in the past five (5) years, including for each:
  - Client name and type of organization (government, private corporation, etc.);
  - Project start and end dates.
- Candidate(s) must have a minimum of five (5) years of experience with CrowdStrike and/or Palo Alto Networks PAN-OS firewalls.
- Candidate(s) must have current certifications in the technologies (i.e., CrowdStrike, Palo Alto Networks firewalls, et al.) and their products that the Airport has implemented, and be able to provide a copy of those certifications.
- Candidates must be a citizen of the United States, Canada, United Kingdom, Australia, or New Zealand with the ability to work in the United States. Each Resident Engineer must also pass a TSA threat assessment before beginning work at the Airport.
Desirable Skills:
- Experience designing and deploying simple Splunk environments.
- Experience with Microsoft Azure Entra ID features and capabilities.
- Experience with the design and deployment of Microsoft sensitivity labels.
- Working Knowledge of Wireshark and Tshark.
- Working knowledge of PowerShell, Python and Bash scripting.
- Familiarity with PCI DSS version 3 or version 4.