DISA seeks sources for application containment

On January 24, the Defense Information Systems Agency (DISA) posted a sources sought notice for Application Containment. Responses are due by 4:00 p.m. Eastern on February 17.

The Endpoint Security Portfolio is seeking information on potential sources for an Application Containment capability that restricts the execution of high-risk applications and computer processing activities to an isolated environment. High-risk applications and activities (e.g., web browsing, manipulating documents, and viewing portable document formats from untrusted sources) continue to be an avenue for adversaries to install malware and perform malicious actions within the Department of Defense (DoD).

Containment capabilities use virtual computing environments running on the endpoint to execute untrusted content. When untrusted content is processed within the virtual environment, any changes made to that virtual environment, malicious or benign, are completely discarded at the conclusion of that activity. Optionally, suspicious changes may be forwarded to a common management server, where detailed intelligence about the changes made to the virtual computing environment can be gathered. This data can then inform analysis and facilitate threat sharing with other systems such as Security Information and Event Management (SIEM) platforms and perimeter-based defenses.
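The workflow just described, modelled as an added example (not code from the notice or from any vendor): untrusted activity runs in a throwaway directory standing in for the virtual environment, the environment is discarded afterwards no matter what happened, and only changes matching a constructed "suspicious" policy are exported as telemetry records for a management server or SIEM.

```python
"""Ephemeral containment session: run, diff, export suspicious changes, discard."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed policy (an assumption, not DISA's): what counts as a suspicious change.
SUSPICIOUS_SUFFIXES = {".exe", ".dll", ".ps1", ".vbs"}
SUSPICIOUS_DIRS = {"startup", "run"}


def _snapshot(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def is_suspicious(rel_path: str) -> bool:
    """Flag executable-like artifacts or writes into persistence-style directories."""
    p = Path(rel_path)
    return (p.suffix.lower() in SUSPICIOUS_SUFFIXES
            or any(part.lower() in SUSPICIOUS_DIRS for part in p.parts[:-1]))


def run_contained(activity, seed_files: dict) -> dict:
    """Run activity(sandbox) in a throwaway directory seeded with seed_files.

    Returns {"events": [...telemetry for suspicious changes...],
             "environment": path that was used and then destroyed}.
    The finally block guarantees every change is discarded, benign or not."""
    sandbox = Path(tempfile.mkdtemp(prefix="contain-"))
    try:
        for rel, data in seed_files.items():
            (sandbox / rel).parent.mkdir(parents=True, exist_ok=True)
            (sandbox / rel).write_bytes(data)
        before = _snapshot(sandbox)
        activity(sandbox)          # the untrusted work happens here
        after = _snapshot(sandbox)
        events = []
        for rel in sorted(set(before) | set(after)):
            if before.get(rel) == after.get(rel):
                continue           # untouched file
            kind = ("created" if rel not in before
                    else "deleted" if rel not in after else "modified")
            if is_suspicious(rel):  # only these are forwarded to the SIEM
                events.append({"path": rel, "change": kind, "sha256": after.get(rel)})
        return {"events": events, "environment": str(sandbox)}
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)  # discard the whole environment
```

Benign edits (the modified document below) never leave the sandbox as telemetry, while the dropped executable in a startup-style directory does; either way the directory is gone when the call returns.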

For the purposes of this Sources Sought, endpoints are described as follows:

  • Thick Client – Network clients running on fully-capable systems – Local storage and processing capability; can operate independently if not connected to a network.
  • Thin Client – Network client running on minimally-capable system – Minimal local storage and processing capability.
  • Zero Client – Client with no capability outside of network context.
  • Server – Respond to client requests; provide enterprise services (typically in data centers).  Users are System Administrators.
  • Virtual Client – Client running virtually on a host platform; no physical resources.

The target is an endpoint (excluding devices like phones and tablets) security and management solution that mitigates prevalent adversary attack vectors, tactics, and techniques used to compromise a system. The proposed solution must automatically isolate the execution of high-risk applications interacting with untrusted content from more trusted portions of the endpoint (e.g., the host operating system), and/or the solution must facilitate incident detection, investigation, response, and threat hunting.

Any proposed solution must continue to be effective in disconnected, virtual, intermittent, and low-bandwidth network conditions without depending on regularly recurring (e.g., daily, weekly, monthly) content updates. The proposed solution must be capable of scaling to millions of endpoints and provide information in near real time. Any proposed solution must be ready for testing and subsequent deployment.

Full information is available here.

Source: SAM