On January 24, the Defense Information Systems
Agency (DISA) posted a sources sought notice for Endpoint Detection and
Response (EDR). Responses are due by 4:00 p.m. Eastern on February 17.
The Endpoint Security Portfolio is seeking
information for potential sources for Endpoint Detection and Response (EDR)
capability allowing cyber defenders to quickly detect and investigate security
incidents and automatically detect malicious system activities and
behaviors. EDR capabilities continuously record significant events
occurring on managed systems for the purpose of identifying, reporting, and
investigating malicious activity; thereby reducing and adversary’s dwell time
on DoD networks. Recorded data accessible through a management console
query interface. The EDR capability complements other endpoint security
measures and capabilities; the ability to restrict execution of high-risk
applications and computer processing.
For the purposes of this Sources Sought, endpoints
are described as follows:
- Thick Client – Network clients running on fully-capable systems – Local storage and processing capability; can operate independently if not connected to a network.
- Thin Client – Network client running on minimally-capable system – Minimal local storage and processing capability.
- Zero Client – Client with no capability outside of network context.
- Server – Respond to client requests; provide enterprise services (typically in data centers). Users are System Administrators.
- Virtual Client – Client running virtually on a host platform; no physical resources.
The target is an endpoint (excluding devices like phones and tablets) security and management solution that mitigates prevalent adversary attack vectors, tactics, and techniques used to compromise a system. The proposed solution must automatically isolate the execution of high risk applications interacting with untrusted content from more trusted portions of the endpoint (e.g. host operating system); and/or the solution must facilitate incident detection, investigation, response and threat hunting.
Any proposed solution must continue to be effective in disconnected, virtual, intermittent, and low bandwidth network conditions without a dependence upon regularly recurring (e.g. daily, weekly, monthly) content updates. The proposed solution must be capable of scaling to millions of endpoints and provide information in near real-time. Any proposed solution must be ready for testing and subsequent deployment.
Full information is available here.
Source: SAM
By 
