
FOREWORD

Shortlisting the right security solution out of the multitude of available options is a challenging journey. In order to save decision makers' time and effort, we have compiled a definitive RFP template that summarizes all key functionalities that a given solution must comply with to provide sound protection.

In this RFP we have put into action years of accumulated knowledge regarding what is essential for sound breach protection. Its purpose is to make that knowledge available to decision makers, saving them research time and speeding up their evaluation.

The RFPs were crafted to address the needs of two different groups:

• Endpoint Detection & Response (EDR) – this template addresses the needs of those who seek this specific product category. This group is also referred to as EPP.

• Advanced Persistent Threat (APT) Protection – this template addresses the needs of those who don't necessarily constrain their search to a certain product category but seek to gain overall protection from APTs.

There is a certain degree of overlap between these two groups, since in many cases the initial motivation for an EDR project is seeking APT protection.

The RFP comprises five sections:

• Monitoring & Control – routine activities to gain visibility and proactively discover and reduce attack surfaces.

• Prevention & Detection – mechanisms to thwart the wide array of commodity and advanced attack vectors.

• Investigation & Response – the overall toolset for efficient reaction to a detected live attack.

• Infrastructure (EDR only) – architecture, deployment, data collection and communication.

• Operation – ongoing management of the solution.

These RFPs aim to map what can be regarded as essential security common denominators. It goes without saying that each individual decision maker will make adjustments in respect to their organization's specific needs and existing products and practices.

How to use the RFP:

• Cut out the RFP you need (EDR/EPP or APT Protection).

• Send the RFP you chose to the vendors you evaluate.

• Instruct the vendors to complete the 'Solution' column in each section with either 'Yes', 'No' or a verbal description.

The Definitive RFP Templates for EDR/EPP/APT Protection 1


ENDPOINT DETECTION & RESPONSE RFP

This RFP is for organizations that strictly seek an EDR solution and divides EDR capabilities into two groups:

• Basic EDR capabilities are marked in GREEN.

• Advanced EDR capabilities are marked in BLUE.

EDR - PREVENTION & DETECTION
(Columns: ATTACK TYPE | IMPLEMENTATION | SOLUTION. The SOLUTION column is left for the vendor to complete.)

ATTACK TYPE: The solution must identify malicious files and prevent them from execution, including viruses, trojans, ransomware, spyware, cryptominers and any other malware type.
IMPLEMENTATION:
• Signature-based malware protection
• Machine Learning static analysis
• Dynamic analysis (a.k.a. real-time sandbox)
• Threat intelligence (VT)
• Threat intelligence (non-VT feeds)

ATTACK TYPE: The solution must identify malicious behavior of executed files/running processes/registry modifications/memory access and terminate them at runtime, or raise an alert (exploits, fileless, Macros, PowerShell, WMI etc.).
IMPLEMENTATION:
• Memory access monitoring
• Process behavioral analysis (heuristics)
• High similarity (a.k.a. fuzzy hashing)
• Threat intelligence

ATTACK TYPE: The solution must support the creation of rules to exclude specific addresses/IP ranges.
IMPLEMENTATION:
• Blacklisting malicious IPs and domains

ATTACK TYPE: The solution must identify and block privilege escalation attacks.
IMPLEMENTATION:
• Process monitoring

ATTACK TYPE: The solution must identify and block reconnaissance attacks (scanning).
IMPLEMENTATION:
• Network traffic monitoring

ATTACK TYPE: The solution must identify and block credential theft attempts from either memory (credential dump, brute force) or network traffic (ARP spoofing, DNS Responder).
IMPLEMENTATION:
• Memory monitoring
• User account monitoring (login attempts)
• Network traffic behavioral analysis



ATTACK TYPE: The solution must identify and block/alert on lateral movement (SMB relay, pass the hash).
IMPLEMENTATION:
• Network traffic monitoring
• Deception via fake nodes
• Deception via fake user accounts
• Deception via fake network connections

ATTACK TYPE: The solution must identify user account malicious behavior, indicative of prior compromise.
IMPLEMENTATION:
• Configure user activity policies (policy violation)
• Profiling user account baseline (anomaly detection)

ATTACK TYPE: The solution must identify malicious interaction with data files.
IMPLEMENTATION:
• Deception via decoy files

ATTACK TYPE: The solution must identify data exfiltration via legitimate protocols (DNS tunneling, ICMP tunneling).
IMPLEMENTATION:
• Network traffic monitoring
• File access monitoring

ATTACK TYPE: The solution must identify and block usage of common attack tools (Metasploit, Empire, Cobalt etc.).
IMPLEMENTATION:
• Process monitoring

ATTACK TYPE: The solution must have an internal protection mechanism against access and manipulation by unauthorized users.
IMPLEMENTATION:
• Alert and block upon any tampering or disabling attempt



EDR – RESPONSE: INVESTIGATION & REMEDIATION
(Columns: CAPABILITY | IMPLEMENTATION | SOLUTION. The SOLUTION column is left for the vendor to complete.)

CAPABILITY: The solution must continuously collect data on all the entities and their activities within the environment.
IMPLEMENTATION:
• File interaction – create, open, rename, delete, execute
• Process execution (including process tree display)
• User login
• Network traffic
• Registry changes
• Installed software

CAPABILITY: The solution must support the display of entity and activity data.
IMPLEMENTATION:
• Search based on behavioral patterns in all fields of coverage (users, files, machines, and network traffic)
• Determination of rules and/or creation of warnings and/or determination of the risk level, based on the response to the search pattern and in real time
• Enabling a number of users to carry out activities in parallel, based on user permissions, without the need to disconnect another user in order to execute the activity

CAPABILITY: The solution must support dynamic analysis (a.k.a. sandbox).
IMPLEMENTATION:
• Manually submit files to sandbox analysis

CAPABILITY: The solution must support cross-organization queries.
IMPLEMENTATION:
• Search for the occurrence of process/file/network/user activities across all endpoints in the environment

CAPABILITY: The solution must support the means to execute forensic investigation.
IMPLEMENTATION:
• Running process/file
• Machine level
• Memory activities
• Obtain memory dump



CAPABILITY: The solution must support isolation and mitigation of malicious presence and activity, locally on the endpoint.
IMPLEMENTATION:
• Capability of running a coordinated command (such as via a CMD interface)
• Running a script or a file from a network location or mapping a drive
• Shutting down an endpoint and/or a server
• Isolation of an endpoint/server from the network
• Deletion of a file (including actively running files)
• Putting a file into quarantine (including actively running files)
• Killing a process
• Removal and/or deletion of a service/scheduled task
• Locking a local user account or a domain user
• Zeroing (resetting) a user password
• Blocking communications based on destination (domain address or IP address)
• Disconnection of network cards
• Change of IP address
• Capability of editing the HOSTS file
• Restarting (renewed operation of) an endpoint and/or a server

CAPABILITY: The solution must support isolation and mitigation of malicious presence and activity globally across the entire environment.
IMPLEMENTATION:
• Active Directory: disable user, reset password
• Firewall/proxy: block IP, block domain, block port

CAPABILITY: The solution must support response automation.
IMPLEMENTATION:
• Preset response playbooks that are shipped off the shelf
• Customized response playbooks that are crafted by the operator



EDR – MONITORING & CONTROL
(Columns: CAPABILITIES | IMPLEMENTATION | SOLUTION. The SOLUTION column is left for the vendor to complete.)

CAPABILITY: The solution must support File Integrity Monitoring (FIM).
IMPLEMENTATION:
• Enforce policy on fixed environments to alert on any file change

CAPABILITY: The solution must have built-in vulnerability assessment.
IMPLEMENTATION:
• Discover missing security updates within systems and applications

CAPABILITY: The solution must provide the means to conduct Inventory Management.
IMPLEMENTATION:
• Map and correlate all assets within the environment, such as endpoints, servers, installed apps and user accounts, and generate periodic reports

CAPABILITY: The solution must provide log collection and retention.
IMPLEMENTATION:
• Collect authentication and activity logs, and retain them for the period of time required by the applicable regulations

CAPABILITY: The solution must include threat hunting.
IMPLEMENTATION:
• Search for malicious presence by known IOCs

CAPABILITY: The solution must support the discovery of unattended attack surfaces.
IMPLEMENTATION:
• Search for risk-susceptible files, processes, network connections and user accounts with unchanged passwords



EDR - INFRASTRUCTURE
(Columns: CAPABILITIES | IMPLEMENTATION | SOLUTION. The SOLUTION column is left for the vendor to complete.)

CAPABILITY: The solution must have flexible server deployment options to match various types of environments.
IMPLEMENTATION:
• On-prem
• SaaS
• Hybrid

CAPABILITY: The solution must support rapid and seamless installation across all endpoints/servers in the environment.
IMPLEMENTATION:
• Required time for deployment across 5000 endpoints

CAPABILITY: The solution must support automated distribution to endpoints/servers that were joined to the environment following the initial installation.
IMPLEMENTATION:
• Autonomously discover newly added machines and have the agent installed on them without the need for manual configuration

CAPABILITY: The solution must have a light footprint for minimal impact on endpoint/server performance.
IMPLEMENTATION:
• ~25 MB of system memory (RAM) consumed on each endpoint/server
• ~2-5% of system CPU processing capacity consumed on each endpoint platform

CAPABILITY: The solution must provide encrypted communication between the management server and the agents on the endpoints/servers.

CAPABILITY: The solution must support all commonly used Operating Systems.
IMPLEMENTATION:
• EOL systems: Windows XP\Vista, Server 2003
• Windows 7 and above
• Windows Server 2008 R2 and above
• Linux main distros: Fedora, Ubuntu, Debian, CentOS, Red Hat, SUSE
• Mac OS X Mavericks and above

CAPABILITY: The solution must support connection to Active Directory.
IMPLEMENTATION:
• Granular authentication to the UI
• Deployment to various OU groups with AD

CAPABILITY: The solution must co-exist with all commodity and proprietary software on the endpoints/servers.
IMPLEMENTATION:
• Seamless operation of the protected endpoint/server without bluescreens or process crashes



CAPABILITY: The solution must provide full protection for endpoints and servers that are offline from the organization's network.
IMPLEMENTATION:
• Threat protection mechanisms that do not rely on connectivity to the management server

CAPABILITY: The solution must collect endpoint, file, process, user activity and network traffic data in a fully self-sustained manner.
IMPLEMENTATION:
• Eliminate the need for manual configuration of rules or policies, or reliance on additional devices

EDR - OPERATION
(Columns: CAPABILITIES | SOLUTION. The SOLUTION column is left for the vendor to complete.)

• The solution must have the ability to specify a list of alert exclusion rules for the selected objects.
• The solution must support deployment on multiple sites that report into a single management console.
• The solution must have the ability to export the current configuration of the program in order to later be imported to the same or another computer.
• The solution must have the ability to enable/disable certain types of notifications.
• The solution must have the ability to rate the severity of security alerts.
• The solution must provide central collection and processing of alerts in real time.
• The solution must have the ability to block access to the program settings for end users.
• The solution must provide central distribution of updates without need of user intervention and without restarting the endpoint/server.
• The solution must have the ability to specify a schedule for downloading updates, including the ability to disable automatic updates.
• The solution must assign a risk score to all objects within the protected environment.
• The solution must support the logging of events, alerts and updates.
• The solution must support integration with email infrastructure to notify security personnel in case of alerts.
• The solution must support integration with common SIEM products.
• The solution must support standardized and customizable reports.



APT PROTECTION RFP

This RFP is meant to assist those who seek protection from Advanced Persistent Threats without confining themselves to a single product category (EDR, Network Analytics, UEBA, etc.).

APT PROTECTION - PREVENTION & DETECTION
(Columns: ATTACK TYPE | IMPLEMENTATION | SOLUTION. The SOLUTION column is left for the vendor to complete.)

ATTACK TYPE: The solution must identify malicious files and prevent them from execution, including viruses, trojans, ransomware, spyware, cryptominers and any other malware type.
IMPLEMENTATION:
• Signature-based malware protection
• Machine Learning static analysis
• Dynamic analysis (a.k.a. real-time sandbox)
• Threat intelligence (VT)
• Threat intelligence (non-VT feeds)

ATTACK TYPE: The solution must identify malicious behavior of executed files/running processes/registry modifications/memory access and terminate them at runtime or raise an alert (exploits, fileless, Macros, PowerShell, WMI etc.).
IMPLEMENTATION:
• Memory access monitoring
• Process behavioral analysis (heuristics)
• High similarity (a.k.a. fuzzy hashing)
• Threat intelligence

ATTACK TYPE: The solution must support the creation of rules to exclude specific addresses/IP ranges.
IMPLEMENTATION:
• Blacklisting malicious IPs and domains

ATTACK TYPE: The solution must identify and block privilege escalation attacks.
IMPLEMENTATION:
• Process monitoring

ATTACK TYPE: The solution must identify and block reconnaissance attacks (scanning).
IMPLEMENTATION:
• Network traffic monitoring

ATTACK TYPE: The solution must identify and block credential theft attempts from either memory (credential dump, brute force) or network traffic (ARP spoofing, DNS Responder).
IMPLEMENTATION:
• Memory monitoring
• User account monitoring (login attempts)
• Network traffic behavioral analysis



ATTACK TYPE: The solution must identify and block/alert on lateral movement (SMB relay, pass the hash).
IMPLEMENTATION:
• Network traffic monitoring
• Deception via fake nodes
• Deception via fake user accounts
• Deception via fake network connections

ATTACK TYPE: The solution must identify user account malicious behavior, indicative of prior compromise.
IMPLEMENTATION:
• Configure user activity policies (policy violation)
• Profiling user account baseline (anomaly detection)

ATTACK TYPE: The solution must identify malicious interaction with data files.
IMPLEMENTATION:
• Deception via decoy files

ATTACK TYPE: The solution must identify data exfiltration via legitimate protocols (DNS tunneling, ICMP tunneling).
IMPLEMENTATION:
• Network traffic monitoring
• File access monitoring

ATTACK TYPE: The solution must identify and block usage of common attack tools (Metasploit, Empire, Cobalt etc.).
IMPLEMENTATION:
• Process monitoring

ATTACK TYPE: The solution must have an internal protection mechanism against access and manipulation by unauthorized users.
IMPLEMENTATION:
• Alert and block upon any tampering or disabling attempt



APT PROTECTION – RESPONSE: INVESTIGATION & REMEDIATION
(Columns: CAPABILITY | IMPLEMENTATION | SOLUTION. The SOLUTION column is left for the vendor to complete.)

CAPABILITY: The solution must continuously collect data on all the entities and their activities within the environment.
IMPLEMENTATION:
• File interaction – create, open, rename, delete, execute
• Process execution (including process tree display)
• User login
• Network traffic
• Registry changes
• Installed software

CAPABILITY: The solution must support the display of entity and activity data.
IMPLEMENTATION:
• Search based on behavioral patterns in all fields of coverage (users, files, machines, and network traffic)
• Determination of rules and/or creation of warnings and/or determination of the risk level, based on the response to the search pattern, and in real time
• Enabling a number of users to carry out activities in parallel, based on user permissions, without the need to disconnect another user in order to execute the activity

CAPABILITY: The solution must support dynamic analysis (a.k.a. sandbox).
IMPLEMENTATION:
• Manually submit files to sandbox analysis

CAPABILITY: The solution must support cross-organization queries.
IMPLEMENTATION:
• Search for the occurrence of process/file/network/user activities across all endpoints in the environment

CAPABILITY: The solution must support the means to execute forensic investigation.
IMPLEMENTATION:
• Running process/file
• Machine level
• Memory activities
• Obtain memory dump



CAPABILITY: The solution must support isolation and mitigation of malicious presence and activity, locally on the endpoint.
IMPLEMENTATION:
• Capability of running a coordinated command (such as via a CMD interface)
• Running a script or a file from a network location or mapping a drive
• Shutting down an endpoint and/or a server
• Isolation of an endpoint/server from the network
• Deletion of a file (including actively running files)
• Putting a file into quarantine (including actively running files)
• Killing a process
• Removal and/or deletion of a service/scheduled task
• Locking a local user account or a domain user
• Zeroing (resetting) a user password
• Blocking communications based on destination (domain address or IP address)
• Disconnection of network cards
• Change of IP address
• Capability of editing the HOSTS file
• Restarting (renewed operation of) an endpoint and/or a server

CAPABILITY: The solution must support isolation and mitigation of malicious presence and activity globally across the entire environment.
IMPLEMENTATION:
• Active Directory: disable user, reset password
• Firewall/proxy: block IP, block domain, block port

CAPABILITY: The solution must support response automation.
IMPLEMENTATION:
• Preset response playbooks that are shipped off the shelf
• Customized response playbooks that are crafted by the operator

APT PROTECTION – MONITORING & CONTROL
(Columns: CAPABILITIES | IMPLEMENTATION | SOLUTION. The SOLUTION column is left for the vendor to complete.)

CAPABILITY: The solution must support File Integrity Monitoring (FIM).
IMPLEMENTATION:
• Enforce policy on fixed environments to alert on any file change

CAPABILITY: The solution must have built-in vulnerability assessment.
IMPLEMENTATION:
• Discover missing security updates within systems and applications

CAPABILITY: The solution must provide the means to conduct Inventory Management.
IMPLEMENTATION:
• Map and correlate all assets within the environment, such as endpoints, servers, installed apps and user accounts, and generate periodic reports

CAPABILITY: The solution must provide log collection and retention.
IMPLEMENTATION:
• Collect authentication and activity logs and retain them for the period of time required by the applicable regulations

CAPABILITY: The solution must include threat hunting.
IMPLEMENTATION:
• Search for malicious presence by known IOCs

CAPABILITY: The solution must support the discovery of unattended attack surfaces.
IMPLEMENTATION:
• Search for risk-susceptible files, processes, network connections and user accounts with unchanged passwords



APT PROTECTION - OPERATION
(Columns: CAPABILITIES | SOLUTION. The SOLUTION column is left for the vendor to complete.)

• The solution must have the ability to specify a list of alert exclusion rules for the selected objects.
• The solution must support deployment on multiple sites that report into a single management console.
• The solution must have the ability to export the current configuration of the program in order to later be imported to the same or another computer.
• The solution must have the ability to enable/disable certain types of notifications.
• The solution must have the ability to rate the severity of security alerts.
• The solution must provide central collection and processing of alerts in real time.
• The solution must have the ability to block access to the program settings for end users.
• The solution must provide central distribution of updates without need of user intervention and without restarting the endpoint/server.
• The solution must have the ability to specify a schedule for downloading updates, including the ability to disable automatic updates.
• The solution must assign a risk score to all objects within the protected environment.
• The solution must support the logging of events, alerts and updates.
• The solution must support integration with email infrastructure to notify security personnel in case of alerts.
• The solution must support integration with common SIEM products.
• The solution must support standardized and customizable reports.
