DISA posts EDR sources sought

On January 24, the Defense Information Systems Agency (DISA) posted a sources sought notice for Endpoint Detection and Response (EDR). Responses are due by 4:00 p.m. Eastern on February 17.

The Endpoint Security Portfolio is seeking information on potential sources for an Endpoint Detection and Response (EDR) capability that allows cyber defenders to quickly detect and investigate security incidents and to automatically detect malicious system activities and behaviors. EDR capabilities continuously record significant events occurring on managed systems for the purpose of identifying, reporting, and investigating malicious activity, thereby reducing an adversary's dwell time on DoD networks. Recorded data is accessible through a management console query interface. The EDR capability complements other endpoint security measures and capabilities, including the ability to restrict execution of high-risk applications and computer processing.

For the purposes of this Sources Sought, endpoints are described as follows:

  • Thick Client – Network clients running on fully-capable systems – Local storage and processing capability; can operate independently if not connected to a network.
  • Thin Client – Network client running on minimally-capable system – Minimal local storage and processing capability.
  • Zero Client – Client with no capability outside of network context.
  • Server – Respond to client requests; provide enterprise services (typically in data centers). Users are System Administrators.
  • Virtual Client – Client running virtually on a host platform; no physical resources.

The target is an endpoint (excluding devices like phones and tablets) security and management solution that mitigates prevalent adversary attack vectors, tactics, and techniques used to compromise a system. The proposed solution must automatically isolate the execution of high-risk applications interacting with untrusted content from more trusted portions of the endpoint (e.g., the host operating system); and/or the solution must facilitate incident detection, investigation, response, and threat hunting.

Any proposed solution must continue to be effective in disconnected, virtual, intermittent, and low-bandwidth network conditions without a dependence upon regularly recurring (e.g., daily, weekly, monthly) content updates. The proposed solution must be capable of scaling to millions of endpoints and provide information in near real time. Any proposed solution must be ready for testing and subsequent deployment.

Full information is available here.

Source: SAM