Search results for:
Endpoint Detection and Response (EDR) is a key part of your endpoint protection strategy, and can help your analysts investigate and respond to attacks as they happen. If you’re evaluating EDR security solutions, it can be valuable to have a well organized list of capabilities, and ask each vendor what exactly their solution provides.
If you are interested in learning about the emerging solution category called Extended Detection and Response (XDR), click here.
This Request for Proposal (RFP) template provides just that – a list of capabilities you can submit to your vendors, to get a detailed comparison of their comparative offerings.
Our RFP template is comprised of five sections:
Submit this RFP to the vendors of your favorite EDR tools, to ensure their EDR solution has a robust offering in each of our five target areas. The solution should provide complete visibility over endpoint threats, able to prevent them on the device, offer the tools to investigate and respond to attacks as they occur, and provide practical deployment and administration options.
Scope of template
Our template covers EDR solutions for:
The template does not cover EDR for:
How to use the template:
Throughout the template:
An EDR solution should offer comprehensive protection against common and advanced attack vectors. It should offer a combination of signature-based malware protection, behavioral analysis and machine-learning static analysis to detect unknown threats and compromised accounts, dynamic analysis of threats using a sandbox, and monitoring of memory access, running processes and network traffic.
| Attack Type | Implementation | Solution |
|---|---|---|
| The solution must identify malicious files and prevent them from execution, including viruses, trojans, ransomware, spyware, cryptominers. | Signature-based malware protection | |
| Machine Learning static analysis | ||
| Dynamic analysis (real time Sandbox) | ||
| Threat intelligence (VT) | ||
| Threat intelligence (non-VT feeds) | ||
| The solution must identify malicious behavior of executed files, running processes, registry modifications, or memory access and terminate them at runtime, or raise an alert (exploits, fileless, Macros, Powershell, WMI, etc.) | Memory access monitoring | |
| Process behavioral analysis (heuristics) | ||
| High similarity (a.k.a. fuzzy hashing) | ||
| Threat intelligence | ||
| The solution must support the creation of rules to exclude specific addresses/IP ranges. | Blacklisting malicious IPs and domains | |
| The solution must identify and block privilege escalation attacks. | Process monitoring | |
| The solution must identify and block reconnaissance attacks (scanning). | Network traffic monitoring | |
| The solution must identify, and block credential theft attempts occuring in memory (credential dump, brute force) or network traffic (ARP spoofing, DNS Responder). | Memory monitoring | |
| User account monitoring (login attempts) | ||
| Network traffic behavioral analysis | ||
| The solution must identify and block/alert on lateral movement (SMB relay, pass the hash). | Network traffic monitoring. | |
| Deception via fake nodes. | ||
| Deception via fake user accounts. | ||
| Deception via fake network connections. | ||
| The solution must identify user account malicious behavior, indicative of prior compromise. | Configure user activity policies (policy violation). | |
| Profiling user account baseline (anomaly detection). | ||
| The solution must identify malicious interaction with data files. | Deception via decoy files. | |
| The solution must identify data exfiltration via legitimate protocols (DNS tunneling, ICMP tunneling). | Network traffic monitoring. | |
| File access monitoring. | ||
| The solution must identify and block usage of common attack tools (Metasploit, Empire, Cobalt etc.). | Process monitoring. | |
| The solution must have an internal protection mechanism against access and manipulation of unauthorized users. | Alert and block upon any tampering or disabling attempt. |
EDR tools should collect highly granular data about what is happening on the endpoint, at the file system, operating system, authentication and network level, and also allow security staff to easily view this data, search it, define security rules based on the data, and launch forensic investigations, whether on a single endpoint or across the organization. They should also allow automated response via incident response playbooks.
| Capability | Implementation | Solution |
|---|---|---|
| The solution must continuously collect data on all the entities and their activities within the environment. |
|
|
| The solution must support the display of entity and activity data. | Search on behavioral patterns in all fields of coverage (users, files, machines, network traffic). | |
| Ability to set rules and/or raise warnings and/or determine risk level, based on a response to the search pattern and in real-time. | ||
| Enabling multiple EDR users to carry out activities in parallel, based on user permissions. | ||
| The solution must support dynamic analysis (sandbox). | Manually submit files to sandbox analysis. | |
| The solution must support cross-organization queries. | Search for the occurrence of process, file, network, or user activities across all endpoints. | |
| The solution must support cross-organization queries. | Search for the occurrence of process, file, network, or user activities across all endpoints. | |
| The solution must support the means to execute forensic investigation. |
|
|
| The solution must support isolation and mitigation of malicious presence and activity on the endpoint, via remote operations. | Ability to run a coordinated command (such as CMD interface). | |
| Running scripts or files from a network location, or mapping a drive. | ||
| Shutting down an endpoint or server. | ||
| Isolating an endpoint or server from the network. | ||
| Deleting a file (including active run files). | ||
| Quarantine a file (including active run files). | ||
| Kill a process. | ||
| Remove or delete a service or scheduled task. | ||
| Lock a local user account or domain user. | ||
| Reset user password. | ||
| Block telecommunications based on destination (domain address or IP address). | ||
| Disconnect of network cards. | ||
| Change IP address. | ||
| Edit HOST file. | ||
| Renewed operation of an end station and/or a server. | ||
| The solution must support isolation and mitigation of malicious presence and activity globally across the entire environment. | Active Directory: disable user, reset password
Firewall or proxy: block IP, block domain, block port. |
|
| The solution must support incident response automation. | Incident response playbooks for common scenarios available off-the-shelf as part of the solution. | |
| Ability to define customized response playbooks. |
Beyond attack prevention and response to live attacks, an EDR solution should allow security staff to manage security concerns on endpoints, and proactively reduce the attack surface. This should include vulnerability assessments, endpoint inventory management, a mechanism to retain and access logs on devices, threat hunting, and the ability to search for files, processes, passwords or other aspects of an endpoint which may be susceptible to attack.
| Capability | Implementation | Solution |
|---|---|---|
| The solution must support File Integrity Monitoring (FIM). | Enforce policy on fixed environments to alert on any file change. | |
| The solution must have built-in vulnerability assessment. | Discover missing security updates within systems and applications. | |
| The solution must provide the means to conduct Inventory Management. | Map and correlate all assets within the environment such as endpoints, servers, installed apps, user accounts, and generate inventory reports. | |
| The solution must provide log collection and retention. | Collect authentication and activity logs on endpoints and enable central access to log data. | |
| The solution must retain logs for a sufficient period. | Retain logs for the period of time required by compliance standards, regulations, or organizational policies. | Log retention supported: _________ |
| The solution must include threat hunting. | Search for malicious presence by known Indicators of Compromise (IoC). | |
| The solution must support the discovery of unattended attack surfaces. | Search for risk-susceptible files, processes or network connections. Identify user accounts with unchanged passwords. |
Ease of deployment is a critical part of EDR effectiveness. An EDR platform should offer flexible deployment options, should be rapidly deployable on all operating systems used by the organization, and should consume minimal system resources on endpoints to avoid negatively affecting the user experience.
| Capabilities | Implementation | Solution |
|---|---|---|
| The solution must have flexible server deployment options to match various types of environments. | On-prem | |
| SaaS | ||
| Hybrid | ||
| The solution must support rapid and seamless installation across all endpoints and servers in the environment. | Specify required time for deployment across 5000 endpoints. | Time for deployment: _________________ |
| The solution must support automated distribution on endpoints or servers added to the environment following the initial deployment. | Autonomously discover newly added machines and have the agent installed on them without manual configuration. | |
| The solution must have a light footprint for minimal impact on the endpoint/server performance. | Minimal system memory (RAM) consumed on each endpoint/server. Up to 25MB is advised. | RAM used on each endpoint: ___ MB |
| Minimal CPU processing capacity consumed on each endpoint platform. Up to 2-5% is advised. | % CPU used on endpoints: ___ % |
|
| The solution must provide encrypted communication between the central EDR server and the agents on the endpoints or servers. | ||
| The solution must support all commonly used Operating Systems. | EOL systems: Windows XP, Vista, Server 2003 Windows 7 and above Windows server 2008 R2 and above Linux main distros: Fedora, Ubuntu, Debian, Centos, Red Hat, Suse MAC OSX Maverick and above |
Supported Operating Systems: 1. _______________ 2. _______________ 3. _______________ 4. _______________ 5. _______________ 6. _______________ |
| The solution must support connection to Active Directory. | Granular authentication to the UI. Granular deployment by Organizational Unit (OU) groups with AD. |
|
| The solution must co-exist with all commodity and proprietary software on the endpoints or servers. | Seamless operation of the protected endpoint or server without bluescreens or process crashes. | |
| The solution must provide full protection for endpoints and servers that are offline (do not connect to the organization’s network). | Threat protection mechanism that do not rely on connectivity to the EDR management server. | |
| The solution must collect endpoint, file, process, user activity and network traffic in a fully self-sustained manner. | Eliminate the need for manual configuration of rules or policies or reliance on additional devices. |
Below we list management and operations functions that are important for convenient daily operations of an EDR solution by your security staff.
| Capabilities | Solution |
|---|---|
| Specify a list of alert exclusion rules for selected objects. | |
| Enable deployment on multiple sites that report into a single management console. | |
| Export the current configuration and import it later to the same or another computer. | |
| Enable/disable certain types of notifications. | |
| Rate the severity of security alerts. | |
| Centrally collect and process alerts in real-time. | |
| Block access to the program settings for end users. | |
| Central distribution of updates with no user intervention and no need to restart endpoint or server. | |
| Specify a schedule for downloading updates, with the ability to disable automatic updates. | |
| Automatically assign a risk score to all objects in the protected environment. | |
| Support the logging of events, alerts and updates. | |
| Support integration with email infrastructure to notify security personnel in case of alerts. | |
| Support integration with common SIEM products. | |
| Support standardized and customizable reports. |
Let’s get started
Ready to extend visibility, threat detection and response?
Prefer a one-on-one demo? Click here
By clicking next I consent to the use of my personal data by Cynet in accordance with Cynet's Privacy Policy and by its partners
