RFP Templates EDR EPP APT
Shortlisting the right security solution out of the multitude of available options is a challenging journey.
To save decision makers' time and effort, we have compiled a definitive RFP template that summarizes all the
key functionalities a solution must provide in order to deliver sound protection.
In this RFP we have put to use years of accumulated knowledge of what is essential for sound breach
protection; its purpose is to make that knowledge available to decision makers, enabling them to save
research time and move faster.
The RFPs were crafted to address the needs of two different groups:
- Endpoint Detection & Response (EDR) – this template addresses the needs of those who seek this specific
  product category. This group is also referred to as EPP.
- Advanced Persistent Threat (APT) Protection – this template addresses the needs of those who don't
  necessarily constrain their search to a certain product category but seek overall protection from APTs.
There is a certain degree of overlap between these two groups, since in many cases the initial motivation
for an EDR project is the search for APT protection.
The RFP comprises five sections:
- Monitoring & Control – routine activities to gain visibility and proactively discover and reduce attack
  surfaces.
- Prevention & Detection – mechanisms to thwart the wide array of commodity and advanced attack vectors.
- Investigation & Response – the overall toolset for efficient reaction to a detected live attack.
EDR – RESPONSE: INVESTIGATION & REMEDIATION
Columns: CAPABILITY | IMPLEMENTATION | SOLUTION

The solution must support the display of entity and activity data.
  Implementation: Search based on behavioral patterns in all fields of coverage (users, files, machines, and
  network traffic). Determination of the rules and/or the creation of a warning and/or the determination of
  the risk level, based on a response to the search pattern and in real time.
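The capability in the row above is stated abstractly. The following is an added example, not part of the RFP template and not any vendor's code: it shows a search across all fields of coverage (users, files, machines, network traffic) together with rules that raise a warning and set a risk level as each event arrives. The event records, the rule patterns, the failed-logon threshold and the time window are all constructed for the example; a real product would take these from its agents and its rule store.

```python
"""Search and rule evaluation over entity/activity telemetry.

Added example; it is not part of the RFP template and not a vendor's code.
It illustrates the Investigation & Response row: a search across all fields
of coverage (users, files, machines, network traffic), plus rules that raise
a warning and set a risk level as each event arrives. The event records,
rule patterns, threshold and window below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Event:
    ts: int        # seconds since the start of the constructed trace
    entity: str    # "user", "file", "machine" or "network"
    host: str
    user: str
    action: str
    detail: str


@dataclass
class Rule:
    name: str
    risk: str                       # "low", "medium" or "high"
    entity: str                     # field of coverage the pattern applies to
    match: Callable[[Event], bool]  # the behavioral pattern


# Single-event behavioral patterns (constructed for the example).
RULES = [
    Rule("outbound connection to unusual port", "medium", "network",
         lambda e: e.action == "connect" and not e.detail.endswith((":443", ":80"))),
    Rule("write under system binary path", "high", "file",
         lambda e: e.action == "write" and e.detail.startswith("/usr/local/bin/")),
]

Alert = Tuple[int, str, str, str, str]   # (ts, rule name, risk, host, user)


class Detector:
    """Evaluates RULES on each event in arrival order (real-time style) and
    keeps one stateful pattern: `threshold` failed logons by one user
    inside `window` seconds."""

    def __init__(self, threshold: int = 3, window: int = 60):
        self.threshold = threshold
        self.window = window
        self.failed = defaultdict(list)  # user -> timestamps of failed logons
        self.alerts: List[Alert] = []

    def ingest(self, e: Event) -> List[Alert]:
        for r in RULES:
            if r.entity == e.entity and r.match(e):
                self.alerts.append((e.ts, r.name, r.risk, e.host, e.user))
        if e.entity == "user" and e.action == "logon_failed":
            recent = [t for t in self.failed[e.user] if e.ts - t <= self.window] + [e.ts]
            if len(recent) >= self.threshold:
                self.alerts.append((e.ts, "repeated failed logons", "medium", e.host, e.user))
                recent = []  # reset so the same burst is not reported again
            self.failed[e.user] = recent
        return self.alerts


RISK_ORDER = {"low": 1, "medium": 2, "high": 3}


def overall_risk(alerts: List[Alert]) -> str:
    """Risk level of the searched scope: the highest risk among its alerts."""
    if not alerts:
        return "none"
    return max((a[2] for a in alerts), key=RISK_ORDER.__getitem__)


def search(events: List[Event], entity: Optional[str] = None,
           user: Optional[str] = None, host: Optional[str] = None) -> List[Event]:
    """Search across all fields of coverage, filtered by any combination of
    entity type, user and machine."""
    return [e for e in events
            if (entity is None or e.entity == entity)
            and (user is None or e.user == user)
            and (host is None or e.host == host)]


# Constructed telemetry trace.
EVENTS = [
    Event(0,  "user",    "ws01", "alice", "logon_failed", "bad password"),
    Event(10, "user",    "ws01", "alice", "logon_failed", "bad password"),
    Event(20, "user",    "ws01", "alice", "logon_failed", "bad password"),
    Event(30, "user",    "ws01", "alice", "logon",        "ok"),
    Event(40, "network", "ws01", "alice", "connect",      "203.0.113.5:8443"),
    Event(50, "network", "ws01", "alice", "connect",      "198.51.100.7:443"),
    Event(60, "file",    "ws01", "alice", "write",        "/usr/local/bin/helper"),
    Event(70, "file",    "ws02", "bob",   "write",        "/home/bob/notes.txt"),
]


def run(events: List[Event] = EVENTS) -> List[Alert]:
    """Feed a trace through a fresh Detector and return its alerts."""
    d = Detector()
    for e in events:
        d.ingest(e)
    return d.alerts


if __name__ == "__main__":
    for a in run():
        print(a)
    print("overall risk:", overall_risk(run()))
```

Running the trace through `run()` yields three alerts for host ws01 (the failed-logon burst, the connection to a non-standard port and the write under /usr/local/bin), and `overall_risk` reports "high" for that scope while the same search narrowed to ws02 reports "none"; the threshold rule shows why a real-time engine needs state across events and not only per-event matching.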
EDR – MONITORING & CONTROL CAPABILITIES
Columns: CAPABILITY | IMPLEMENTATION | SOLUTION

The solution must support File Integrity Monitoring (FIM).
  Implementation: Enforce policy on fixed environments to alert on any file change.

The solution must have built-in vulnerability assessment.
  Implementation: Discover missing security updates within systems and applications.

The solution must provide the means to conduct Inventory Management.
  Implementation: Map and correlate all assets within the environment, such as endpoints, servers, installed
  apps and user accounts, and generate periodic reports.

The solution must provide log collection and retention.
  Implementation: Collect authentication and activity logs, and retain them for the period of time required
  by various regulations.

The solution must include threat hunting.
  Implementation: Search for malicious presence by known IOC.

The solution must support the discovery of unattended attack surfaces.
  Implementation: Search for risk-susceptible files, processes, network connections and user accounts with
  unchanged passwords.
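Two of the rows above, File Integrity Monitoring and threat hunting by known IOC, describe concrete mechanisms. The following is an added example, not part of the RFP template and not any vendor's code: it snapshots a fixed environment, reports every changed, added or removed file on the next pass, and checks the current files against a list of known IOC hashes. The file system is an in-memory dict, and every path, file content and IOC hash is constructed for the example; a real deployment reads files from disk and takes IOC hashes from a threat-intelligence feed.

```python
"""File-integrity baseline check and known-IOC hash hunt.

Added example; it is not part of the RFP template and not a vendor's code.
It illustrates two Monitoring & Control rows: file integrity monitoring
(snapshot a fixed environment, alert on any change) and threat hunting for
malicious presence by known IOC (here, SHA-256 hashes). The file system is
an in-memory dict; all paths, contents and IOC hashes are constructed.
"""
import hashlib
from typing import Dict, List, Set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Baseline of a fixed environment: path -> SHA-256 of its content."""
    return {path: sha256_hex(content) for path, content in files.items()}


def check_integrity(baseline: Dict[str, str],
                    current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """The policy for a fixed environment is 'nothing changes': report every
    modified, added or removed path relative to the baseline."""
    now = build_baseline(current)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "added": sorted(p for p in now if p not in baseline),
        "removed": sorted(p for p in baseline if p not in now),
    }


def hunt_known_iocs(current: Dict[str, bytes], ioc_hashes: Set[str]) -> List[str]:
    """Threat hunting by known IOC: paths whose content hash is on the list."""
    return sorted(p for p, c in current.items() if sha256_hex(c) in ioc_hashes)


# Constructed "fixed environment" at baseline time ...
BASELINE_FILES = {
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/cron.d/nightly": b"0 2 * * * root /usr/local/bin/backup.sh\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\nrsync -a /data /backup\n",
}
# ... and the same environment as observed on a later pass (constructed).
CURRENT_FILES = {
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",                    # policy-relevant edit
    "/usr/local/bin/backup.sh": b"#!/bin/sh\nrsync -a /data /backup2\n",  # script changed
    "/tmp/unknown.bin": b"constructed sample matching an IOC hash",       # new file
}
# Constructed IOC list; in practice this comes from threat intelligence.
KNOWN_IOC_SHA256 = {sha256_hex(b"constructed sample matching an IOC hash")}


def run_monitoring(baseline_files: Dict[str, bytes] = BASELINE_FILES,
                   current_files: Dict[str, bytes] = CURRENT_FILES,
                   ioc_hashes: Set[str] = KNOWN_IOC_SHA256) -> Dict[str, List[str]]:
    """One monitoring pass: integrity findings plus IOC matches."""
    report = check_integrity(build_baseline(baseline_files), current_files)
    report["ioc_matches"] = hunt_known_iocs(current_files, ioc_hashes)
    return report


if __name__ == "__main__":
    for kind, paths in run_monitoring().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

On the constructed data the pass reports two modified files (the sshd_config edit and the changed backup script), one removed cron entry, one added file, and that added file also matches the IOC list. Hashing the full content rather than relying on timestamps or sizes is what makes the check robust to edits that preserve file metadata.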
EDR – INFRASTRUCTURE CAPABILITIES
Column: SOLUTION

EDR – OPERATION CAPABILITIES
Column: SOLUTION
- The solution must have the ability to specify a list of alert exclusion rules for the selected objects.
- The solution must support deployment on multiple sites that report into a single management console.
- The solution must have the ability to export the current configuration of the program in order to later
  be imported to the same or another computer.
- The solution must have the ability to enable/disable certain types of notifications.
- The solution must have the ability to rate the severity of security alerts.
- The solution must provide a central collection and processing of alerts in real time.
- The solution must have the ability to block access to the program settings for end users.
- The solution must provide a central distribution of updates without need of user intervention and of
  restarting the endpoint/server.
- The solution must have the ability to specify a schedule for downloading updates, including the ability
  to disable automatic update.
- The solution must assign a risk score to all objects within the protected environment.
- The solution must support the logging of events, alerts and updates.
- The solution must support integration with email infrastructure to notify security personnel in case of
  alerts.
- The solution must support integration with common SIEM products.
- The solution must support standardized and customizable reports.
APT PROTECTION – PREVENTION & DETECTION
Columns: ATTACK TYPE | IMPLEMENTATION | SOLUTION

APT PROTECTION – RESPONSE: INVESTIGATION & REMEDIATION
Columns: CAPABILITY | IMPLEMENTATION | SOLUTION

The Definitive RFP Templates for EDR/EPP/APT Protection 12

APT PROTECTION – MONITORING & CONTROL CAPABILITIES
Columns: CAPABILITY | IMPLEMENTATION | SOLUTION
The solution must support File Integrity Monitoring (FIM).
  Implementation: Enforce policy on fixed environments to alert on any file change.

The solution must have built-in vulnerability assessment.
  Implementation: Discover missing security updates within systems and applications.

The solution must provide the means to conduct Inventory Management.
  Implementation: Map and correlate all assets within the environment, such as endpoints, servers, installed
  apps and user accounts, and generate periodic reports.

The solution must provide log collection and retention.
  Implementation: Collect authentication and activity logs and retain them for the period of time required
  by various regulations.

The solution must include threat hunting.
  Implementation: Search for malicious presence by known IOC.

The solution must support the discovery of unattended attack surfaces.
  Implementation: Search for risk-susceptible files, processes, network connections and user accounts with
  unchanged passwords.
- The solution must have the ability to specify a list of alert exclusion rules for the selected objects.
- The solution must support deployment on multiple sites that report into a single management console.
- The solution must have the ability to export the current configuration of the program in order to later
  be imported to the same or another computer.
- The solution must have the ability to enable/disable certain types of notifications.
- The solution must have the ability to rate the severity of security alerts.
- The solution must provide a central collection and processing of alerts in real time.
- The solution must have the ability to block access to the program settings for end users.
- The solution must provide a central distribution of updates without need of user intervention and of
  restarting the endpoint/server.
- The solution must have the ability to specify a schedule for downloading updates, including the ability
  to disable automatic update.
- The solution must assign a risk score to all objects within the protected environment.
- The solution must support the logging of events, alerts and updates.
- The solution must support integration with email infrastructure to notify security personnel in case of
  alerts.
- The solution must support integration with common SIEM products.
- The solution must support standardized and customizable reports.