Step-by-Step Guide for Procuring Next-Generation Antivirus 38185

May 14, 2018 | Author: jeff | Category: Request For Proposal, Computer Virus, Antivirus Software, Procurement, Usability



This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Copyright SANS Institute; Author Retains Full Rights.

SANS Step-by-Step Guide for Procuring Next-Generation Antivirus
A SANS Whitepaper (SANS Analyst Program), written by Barbara Filkins, December 2017. Sponsored by Carbon Black. ©2017 SANS™ Institute

This document outlines a procurement process you can use and customize when upgrading to NGAV. The key steps to successful procurement do not change and should apply to any NGAV procurement project.

Introduction

If procurement requirements are not established and met before purchase, implementing a next-generation antivirus (NGAV) solution can be a costly undertaking. Investing time and brainpower in a disciplined procurement process helps your organization make the most informed decision regarding the solution. Doing this also puts your organization in a better position to understand and mitigate any risks associated with moving the selected solution into production.

This document outlines a procurement process you can use and customize when upgrading to NGAV. The key steps to successful procurement do not change and should apply to any NGAV procurement project. The steps are outlined in Figure 1.

Figure 1. NGAV Procurement Process and Decision Tree
Start NGAV Procurement
-> Obtain Short List of Vendors/Solutions (Select 2 to 3 vendors to invite to complete RFP; Refine requirements)
-> Create Detailed Request for Proposals (Release RFP to invited vendors)
-> Evaluate Responses (Rank vendors; Select Vendor for Proof of Concept (POC))
-> Prepare and Plan POC
-> Execute POC
-> Evaluate POC
-> Does Vendor Meet Expectations?
-> Award Contract to Vendor

TAKEAWAY: Using a POC approach enables evaluation of the technology, support services and the ability of the vendor to effectively partner with your organization. These are all critical elements to a successful technology/software implementation.

This paper actually begins at the start of the procurement process and augments the updated "Out with the Old, In with the New: Replacing Traditional Antivirus" paper, which provides an overall evaluation framework and procurement process for upgrading to NGAV. This document, together with the additional tools provided, outlines a step-by-step approach to selecting your top solutions and vendors. Working from the top down to identify the right vendors and products the first time around is achievable by following this process. Be sure to use the request for proposal (RFP) provided in Appendix A and as a standalone file, and then access the "NGAV RFP Evaluation Master Template" spreadsheet.

Getting Started

Merely selecting a final solution by performing a review of vendor products on paper does not address the resources, dollars and risks your organization may face in actually moving the selected product into production. For this reason, the SANS approach incorporates a proof of concept (POC). Here, your top vendor has the opportunity to demonstrate what it is selling when the contract is signed. Moreover, your organization and the vendor should clearly understand their commitments to this project.

Step 1: Obtain a Short List of Possible Vendors/Solutions

The first step is to get down to a short list: those vendors you are willing to evaluate further by inviting them to respond to your RFPs. For this round, you don't need to provide detailed requirements. Instead, start with a statement of purpose that incorporates a high-level summary of each requirement category in "Out with the Old, In with the New: Replacing Traditional Antivirus," together with high-level requirements. This statement of purpose may look something like this:

"We are seeking an NGAV solution that can provide uniform standards for our entire organization. Our goal is to acquire and implement a robust enterprise solution, flexible enough to support individual user and device needs, but that still provides effective and efficient centralized administration, management and recovery. We seek a solution that combines the advantages of 'best-of-breed' technology with the benefits of an integrated, scalable and manageable solution. The solution must address the following:
• Product Features/Capabilities. Our NGAV solution must address the greatest range of modern attacks and threats—malwareless attacks and the malicious use of good software, such as when an attacker uses PowerShell to execute a ransomware attack. We also seek an easier solution to manage—one that presents the greatest visibility into the indicators of compromise (IOCs) and events that occur, and that gives our operational and security teams the most direct path to remediation and recovery.
• Operational Requirements. Our end users are going to have to live with the protections this solution provides. We need a solution that will have low impact on our users: no execution delays, low CPU involvement and low memory utilization.
• Business Requirements. We are seeking a solution vendor that meets our ongoing business needs and can be counted on as a true business partner. We need to understand the vendor's licensing and pricing structure, as well as its ongoing support and maintenance capabilities."

TAKEAWAY: The RFP form asks vendors to provide test scenarios you can use in a POC. This can be valuable to gain a better understanding of how each vendor envisions its solution will work in your environments, and to allow you to prepare for the POC in a more timely fashion.

First, perform a systematic search to identify potential products and vendor contacts. Sources of information can include trade shows (RSA), background research via the Web, and conversations with other colleagues and clients. Next, winnow down the list, sending your statement of purpose to the contact for each selected vendor. Ask for written responses and product literature. You might also consider a short set of questions that address key concerns, such as how the vendors support their customers and how compatible the product may be with your infrastructure. For the most promising vendors, you may want to request a product demonstration, preferably conducted over the Internet.

The outcomes from this step are twofold:
1. You will have identified a short list of vendors, preferably two to three, to participate in the more in-depth RFP process.
2. You will use the product and vendor information gathered to inform and refine your detailed requirements in each category.

Step 2: Create a Detailed Request for Proposal

In-depth evaluation and analysis of responses from this short list of vendors should include the means and methods to review:
• Product features and capabilities, assessing the product's durability against modern-day attacks
• Operational requirements, focusing on how your end users and administrators will interact with the NGAV solution
• Business requirements, identifying those factors that directly affect what the product will cost to deploy and its potential to accrue benefits
• Vendor background and pricing information, addressing how stable the vendor is, what services it offers and its product pricing

These areas are all covered in a template SANS has developed as an RFP form for NGAV evaluation (see Appendix A for a copy). The RFP form, which includes instructions for customization and directing vendor responses, is based on the "Out with the Old, In with the New: Replacing Traditional Antivirus" paper. As you move forward, be sure to download the "NGAV RFP Evaluation Master Template," an Excel spreadsheet you can use for vendor scoring, calculating ratings and comparing vendors, aligned with the evaluation approach outlined in Step 3, "Evaluating Responses."

Step 3: Evaluate Responses

The next step is to develop an evaluation plan. The evaluation plan includes a comprehensive evaluation of the qualifications of the vendors, the business solution being offered and the solution cost, as well as industry best practices and program and project goals. The RFP template in Appendix A contains mandatory pass/fail requirements, requirements that can be scored, desirable requirements and pricing options. Table 1 provides a brief outline of the proposed evaluated elements and the proposed weighting for each.

Table 1. NGAV Evaluation Criteria and Scoring Approach
Evaluation Categories | Method/Weight
• Content Validation: Requirements Complete | Pass/Fail
  - Requirements Evaluation Matrix Response Complete (Note: Spreadsheet associated with Section 5.0 in the RFP template) | Pass/Fail
  - Narrative Response Complete (Note: Sections 1.0 through 4.0 in the associated RFP Template) | Pass/Fail
• Requirements Evaluation Matrix | 50%
  - Matrix will result in a specified number of points that will be normalized to 50% of the total score
• Narrative Response | 50%
  - Product Features and Capabilities Overview
  - Operations Overview
  - Business Support Overview
  - Vendor Background and Pricing Information
• Proof of Concept Demonstration (Leading Vendor) | Pass/Fail
• Cost | Negotiated

TAKEAWAY: Clear communication is key. Explain to your vendors how you will be evaluating their responses, how you will be narrowing your selections to the top vendor(s) for further evaluation, and how you will be communicating your final choice to your top vendors. Promoting transparency in the procurement process prevents lost time.

Tailor the evaluation standards SANS has developed for each of the above categories based on your internal team's input. The "NGAV RFP Evaluation Master Template" worksheet allows you to compare the top three vendors. Please review the instructions in the first tab for how to combine the individual vendor worksheets for comparison.

Conducting the Proof of Concept

When well-executed, a POC is a win-win for all involved, ensuring that you set the right expectations at the beginning of the client-vendor relationship, which is critically important to the long-term success of any technology initiative. A POC is considered a pass/fail test that is extremely important for your vendor to pass. If this vendor fails to meet your expectations, then move on to your next vendor. Given the investment in a POC, especially from the perspective of resources and associated costs, from both your organization and your vendor, SANS suggests conducting the POC in a serial fashion. Start with your leading vendor from the RFP process.

TAKEAWAY: Many organizations have issues involving infrastructure restrictions, inability to simulate advanced multistage attacks or limitations related to involving multiple parties (e.g., IT, security operations center [SOC], malware/sample acquisition, red and blue teams). Will these limitations affect implementation and if so, how?

POC Step 1: Prepare

Before you develop your POC plan of action, go back to the scenarios the vendor provided with its proposal. Work with the vendor to:
• Confirm that the scenario addresses all the requirements during the POC, or understand the limitations that will prevent all requirements being addressed, especially those details that cannot be fully addressed in the POC. Note: This should be the responsibility of the vendor.
• Discuss the details of all key processes, issues and problems for further consideration during implementation. What might happen if the requirements should change, as they most likely will, during an actual implementation? The vendor should be prepared to test a variety of "what-if" scenarios, representing typical changes that end users might request. This provides both you and the vendor with insight into the effort and additional costs associated with change requests that might occur during the implementation project.
• Gain insight into how the vendor will affect your organizational change management process, what effort will be required, and what portions are or could be particularly challenging.

The POC should include a well-developed plan of action, similar to an actual test plan, that identifies 1) the design of the test environment (i.e., the vendor's lab versus yours, a lab that will provide a scaled-down version of the production environment), 2) the approach to evaluation (e.g., testing), 3) roles and responsibilities (yours and the vendor's) needed to conduct the POC, and 4) how to document all outcomes, and criteria for the POC. Your plan should document the pass/fail criteria—similar to a product test plan—and provide clarity on what is considered a pass versus a fail.

Next, develop your POC plan of action and obtain approval. Figure 2 provides a representative plan outline you can use to evaluate your POC plan.

Figure 2. POC Plan Outline Checklist

Have you defined the scope of the POC?
  Specify the goals/objectives.
  List the features of the software/product that will not be tested and specify the reasons these features won't be tested (e.g., features not in scope of the RFP).
  What assumptions have you made for the POC? What dependencies are you missing that may affect a move into production?

Have you clarified the features to be tested?
  Reference the requirements in the RFP, especially those related to product features and capabilities and organizational requirements.

Have you clarified the approach to the POC?
  Specify the testing levels and how they will be accomplished. Specify any constraints and assumptions.

Have you documented testing criteria?
  Document the anticipated performance and outcomes based on your preliminary review of the product's features.
  Specify the criteria: Has the feature passed or failed? Should the testing be suspended? What testing activities must be redone when the POC is resumed?
  Provide role-specific acceptance criteria: Endpoint user; Administrator.

How have you defined the testing documentation?
  Provide the following: Plan and procedures (including this checklist); Test cases/scripts; Test reports.

Have you documented the test environment?
  Specify the properties of the test environment, based on the standard configuration for the organization's endpoint. Pick a sample of the different types of machines that you manage (e.g., Windows 7, 8 and 10 workstations, laptops and any other representative devices, such as smartphones and tablets). Evaluate whether you should consider a base image, if not already acquired.
  List any testing or related tools to be used, such as off-the-shelf tools (e.g., meterpreter, veil, PowerShell empire) to emulate the general malware techniques being used by malware families (e.g., code execution, writing to disk, dynamic-link library (DLL) injection, script execution).
  Document how you manage risk to your organization's infrastructure, given that you will be emulating current malware and ransomware techniques (e.g., separation between the POC lab and the corporate network, monitoring egress to public IP addresses during testing). Identify any behaviors that deviate from normal baseline activities.

Have you defined roles and responsibilities across your internal team and the vendor, including staffing and training needs?
  List the responsibilities of each team/role/individual.
  Specify staffing needs by role and required skills. Identify training necessary to provide those skills.
  Who has final approval for accepting the result of the POC?

Are you anticipating potential deployment risks?
  List the risks that have been identified. Specify the mitigation plan and the contingency plan for each risk.

Have you defined the project plan and schedule?
  Provide a summary of the schedule, specifying key test milestones.

Approvals: Specify the names and roles of all persons who must approve the plan.

POC Step 2: Execute

The POC needs to address three broad evaluation categories with proper testing:
• Functionality, answering the question: "Does the product do what it says it will do?"
• Compatibility (i.e., integration)
• Usability

Functionality

Build functional tests that will evaluate the product against the requirements in the RFP sections and evaluation matrix related to product features and capabilities. The test environment can be fairly simple. Consider techniques such as these:
• Run a known sample of malware and verify that the antivirus application is able to detect and prevent the sample successfully. Then, encode the same sample of malware using freely available packing software; this creates an "unknown" sample. Run this new sample and verify that the antivirus application is able to detect and prevent it successfully.
• Introduce any external media device with a file embedded with a virus, then verify that the antivirus application is able to detect the virus successfully.
• Introduce any external media device with a file embedded with more than one virus, then confirm that the antivirus application is able to detect all of the viruses successfully.
• Introduce a file without any virus and confirm that the message "No error detected" is displayed on the screen.

However, also consider how the NGAV solution handles unanticipated situations, such as unknown malware variants or zero-day threats. You may want to use some of the tools provided by independent test labs to evaluate features and capabilities.

Check Compatibility

Perform a compatibility evaluation, where you would document and prioritize any issues with system or applications performance in a test environment that simulates the production environment. This evaluation is essentially akin to the system integration testing phase during the software development life cycle. You might consider essentially repeating the system integration testing you performed for one or more of your major production systems in the POC lab environment. Learn what impact the NGAV would have on your production environment. Potentially, an NGAV could introduce a lot of variability into your production environment, because every system or application may be different. Table 2 shows major impacts and some of the issues you should consider during compatibility testing.

Table 2. Impacts to Consider in Compatibility Testing
Installation Process | Does the NGAV stop further installation of a product or application by blocking its access to memory and file system and/or a system, whether at system or network initialization or startup, causing a crash?
Application Behavior | Does the NGAV negatively influence the normal work of individual applications or the network as a whole? Does it prevent the applications from starting normally? Does the NGAV block interacting with a production service or application, such as preventing an application from downloading additional components from the Internet or contacting network-based licensing?
Driver Behavior | Does the NGAV allow production-level drivers to do everything they need to? Does the NGAV block access to the necessary resources for a driver, whether for some security reason or because it uses these resources itself and cannot unlock them in time, which can cause a production service or application to react improperly? If the NGAV detects locked files during scanning (i.e., file access denied while scanning), does it log this silently and continue scanning?
Performance | When production products and the NGAV work simultaneously, does the resource consumption of each remain normal, or does the NGAV result in abnormal system resource usage (CPU and RAM)? Does it affect resource levels? Does the NGAV affect network interaction speed for different file types (e.g., Internet pages, media content, streaming video)?

Evaluate Usability

Usability evaluation is a bit more subjective. You are evaluating whether the end users and administrators will like how the product works. Your selected NGAV product may meet all your functional requirements, but if it has a negative impact on user productivity, it won't be a win for your organization. You should develop usability tests that mirror the typical workflows of your end users and administrators, as well as any managers to whom you may need to present results. Examples of such tests are shown in Table 3.

Table 3. Examples of Usability Tests
Role | Test | Evaluation Criteria
End user | Verify that an end user does not feel an impact that may affect his or her productivity. | Does the end user see any performance degradation during the initial deployment phase? Does the end user see any performance degradation during regular business hours?
Administrator | Verify that the management console is easy to navigate. | Are the menus easily accessible at all levels? How many levels are needed to provide access to major features in an emergency? Is the help function accessible from all levels? Is it context-specific?

Consider using user acceptance testing (UAT), which consists of a set of tests that verify whether a solution not only meets your specific functional and technical requirements, but can work for your users as well. Conduct a formal UAT after you validate functionality and after, or in concert with, compatibility testing.

Document Results

Regardless of the level of evaluation being undertaken, results should be documented from the POC as succinctly as possible. Table 4 shows a possible format for visualizing results that is easily replicated in Excel or Word.

Table 4. Sample Evaluation Format
Product name: NGAV | Version: | Environment: POC Lab | Tester name:
Test Case ID | Associated RFP Requirements IDs | Test Case Name | Execution Date | Evaluation Description | Execution Result | Actual Result | Recommendations
TC1 | BR1 | Four words max | mm/dd/yyyy | Steps required to execute the test case, as detailed as possible | Description | Description | Description
TC2 | BR2 | Four words max | mm/dd/yyyy | Steps required to execute the test case, as detailed as possible | Description | Description | Description
TC3 | BR3 | Four words max | mm/dd/yyyy | Steps required to execute the test case, as detailed as possible | Description | Description | Description

POC Step 3: Moving On to Production

At the conclusion of the POC process, all parties will (or should) have the same understanding of the requirements, how well the vendor solution performs, and its strengths and weaknesses. In addition, working as a team through the POC should serve as the foundation of the good relationship and clear communications required for a long-term, successful partnership. Table 5 presents a representative summary table of the risk areas identified during a POC and a general approach to remediation determined by the POC.

Table 5. Risks Associated with Integration Approaches
Risk Area | Risk/Remediation
Product Features and Capabilities | Risk: Product will not meet all required features and capabilities. Remediation: None at this point; solution appears to meet all production requirements.
Operational Requirements | Risk: Not all NGAV requirements can be met without development, integration or other considerations. Remediation: POC has identified those areas of highest risk and allows remediation through a product acceptance procedure that includes ongoing compatibility testing processes, plus robust change management and control.
Business Requirements | Risk: Vendor's ability to meet long-term support and maintenance demands is questionable. Remediation: Contractual issues and vendor management need to be resolved before a contract is executed. Make a deployment plan that addresses some of the support risk.

Words of Advice

Be sure to evaluate your plan for deployment during the POC, evaluating how you will approach such questions as:
• How can you use a phased rollout to minimize impact and risk to your organization?
• How should you stagger your deployment to your endpoints and servers within each rollout phase?
• What rulesets will cause minimal impact to your organization?
• How should you plan on reacting to false positives, making necessary exceptions and ensuring careful monitoring as you take your deployment wider?
• At what intervals should you plan regular reviews of rules and events in the management console?

Appendix A: RFP/RFI for NGAV Selection

This section is the second document you need in the procurement process. In addition, be sure to download the "NGAV RFP Evaluation Master Template" spreadsheet posted in conjunction with this step-by-step guide and the RFP template itself.

Note: The "NGAV RFP Evaluation Master Template" spreadsheet is available at the following URL: www.sans.org/reading-room/whitepapers/analyst/ngav-rfp-evaluation-master-template-38195

Request for Proposal (RFP) / Request for Information (RFI) Checklist for NGAV Product Vendor Selection
Version 1.0, December 4, 2017

Note: In this RFP checklist, tailor or update areas contained in [brackets].

General Information

Our organization, [insert name of organization seeking the DAST solution (or "Organization")], seeks a Dynamic Application Security Testing (DAST) solution. We seek a solution that combines the advantages of best-of-breed technology with the benefits of an integrated, scalable and manageable solution, that can provide uniform standards for the entire enterprise. Our goal is to acquire and implement a robust enterprise solution that is flexible enough to support individual user and device needs but also provides effective and efficient centralized administration, management and recovery.

Vendor Response

This RFP is in two parts. Each part will be weighted equally:
1) Narrative (50% of score): For Sections 2.0 through 4.0 in this document, please provide a narrative, addressing the questions in each section, along with any supporting materials such as data sheets or other documentation.
2) Requirements matrix (50% of score): For Section 5.0, please complete the requirements matrix according to the instructions. Refer to the instructions on the evaluation matrix package. [Review the evaluation matrix package, and determine whether each requirement is "required" (i.e., mandatory) or "desired" as assigned P1 through P3 or N/A. Note: "desired" DOES NOT mean the same as "optional," since a configuration option can be a "mandatory" requirement.]

Contact Information

[Provide contact information for the RFP.]

Organization Description

The following section describes our organization so you, the vendor, can get a feel for our deployment scenario and use this information to establish a basis for your response to Section 5.0, Pricing and Components. [Insert brief description of "Organization," including type of business, geographic placement of offices, number of users and any other information that may be relevant to the vendor, number and type of web-based applications, development methodology followed, high-level network topology, whether products, software-as-a-service (SaaS) or a hybrid, etc.]

1.0 Product Features/Capabilities Overview

Provide a comprehensive narrative overview of your solution's functions and capabilities and describe how you can meet our specific requirements as provided in the attached requirements matrix, summarizing as appropriate the specific requirements in Section 3.0 and addressing the specific concerns for each area in your narrative as outlined below. Address the following in developing your response to this section:

Requested Topics
1. Describe the architecture of your NGAV solution. Describe how well the architecture of your solution blocks sophisticated, advanced threats that are unknown, as well as those that are known. Provide the following for each endpoint platform specified in this RFP and be prepared to demonstrate these rates during the POC:
   • Catch rate for known malware (e.g., a signature file exists)
   • Catch rate for unknown malware (e.g., no known signature, zero-day attacks)
   • Catch rate for nonmalware (file-less) techniques (e.g., uses PowerShell, uses macros, etc.)
   • False positive rate across each platform for all attacks
2. Describe how your NGAV architecture delivers detection, response and remediation. What is your overall success rate?
3. Describe how your product discovers and disrupts potential attacks related to critical vulnerabilities.
4. Describe how you incorporate threat intelligence in your product, including the number and types of data sources used, how you evaluate and re-use the data, how you disseminate the information (such as through the cloud), and how the related updates have an immediate impact on NGAV efficacy. How do you, as a vendor, participate in the threat intelligence community, including gathering input from users and conducting research?
5. Describe how your product provides answers to key questions related to detection, intelligence and analytic capabilities, including:
   • How did the attack start?
   • What happened prior to detection?
   • Where else does this attack apply?
   • What could the impact have been?
   • Should I do anything to recover? If so, what?
   • Are there holes I should close?
   Provide representative reports and snapshots of your dashboard that support these key questions.
6. Describe your product's response and remediation capabilities, addressing:
   • How well automated your solution is for these processes
   • The ease of manual intervention when required, and
   • Its ability to interoperate with other response/remediation tools
7. Describe the capability of your solution to integrate with other tools for greater visibility into and context of security events.
8. What is the impact of your solution on endpoint user productivity? Use metrics that include system memory (RAM) consumed on each endpoint platform, system CPU processing capacity consumed on each endpoint platform, and system storage (i.e., SSD or hard disk drive space) consumed on each endpoint platform.

Are there any additional capabilities that we should be aware of regarding your offering, such as other types of tests we have not mentioned or the detection of known malware, such as an infected executable? Describe any additional capabilities of your NGAV offering not covered in Section 3.0.

2.0 Operational Overview

Provide a comprehensive overview of your product(s)/services and how you can meet our specific requirements as provided in Section 3.0, addressing the specific concerns for each area in your narrative as outlined below.

Requested Topics
Describe the overall architecture of your solution and its ability to support and integrate with our current environment, addressing the specific requirements in Section 3.3 as to endpoint types, as well as the third-party products with which the NGAV solution should integrate.
Describe how your product/service scales. What is the largest implementation for your product/service? Does your product/service automatically maintain performance with increased workload?
Demonstrate the operation of your solution.
Provide at least three customer references. Reference current customers/installations of similar size, scope and complexity to our organization.
In general, what do you consider to be your top three differentiators from competitors?

3.0 Business Support Overview

To meet implementation objectives, our organization may require specific information from you for the services listed below. In developing your costs in Section 4.0, please consider the following information: [Tailor this list to meet the needs of "Organization" seeking the NGAV solution.]
• Training for [insert number of] end users
• Training for [insert number of] system administrators
• Certification program for [insert number of] designated staff
• Implementation services
• Maintenance/Update services
• [Specify level needed for] support services
• Customization [Specify details if known.]

Requested Topics
Training: Describe the end user/administrator training courses or options you offer, addressing the following:
• Location/method of delivery for training (i.e., live at your location, live on-site, live online, online, on-demand online), including the number of users in each category and training-delivery method (e.g., instructor-led)
• Mentoring of individual end users by role
Testing certifications: Provide a list of any security certifications you offer or support that is related to your product. If applicable, provide a list of third parties (e.g., consultants, service providers) that are authorized to administer the certification.
Implementation services: Describe your offerings for supporting the initial configuration and installation of your product or service. List third parties, if any, that you have certified to provide implementation services on your behalf.
Maintenance/update services: Describe your offerings, including:
• What services are included in your software maintenance/update program?
• What is your normal revision cycle for standard releases/updates?
• What is the normal distribution path for standard releases? Is it the same path for emergency releases/hot fixes?
• What documentation is provided with your standard releases? (Provide example(s).)
• Are ongoing updates to signature packs and attack packs included with standard maintenance, or are they charged separately?
Support services: Describe your offerings.
• Is a knowledge base accessible to end users? To system administrators?
• What are the various levels of standard service that you provide in terms of category of users supported, with whom they can interact (e.g., Platinum Support means 2-hour response to all users, 24x7x365)?
• Is on-site support available? Provide the terms as outlined in your standard agreement.
• Do you provide consulting services on the process changes necessary to adopt your tools into the software life cycle?
Do you provide any supplemental services in addition to your primary product offering that we should be aware of? Please provide your list.

Please provide the following background information:

Requested Topics
Provide pertinent contact information for your business.
Provide overall statement of revenue with breakdown as follows:
• Percent attributable to NGAV product(s)
• Percent attributable to NGAV services
Provide total number of years in business with specific details:
• Number of years providing NGAV product(s)
• Number of years providing NGAV services
Describe your NGAV customer base:
• NGAV product(s): Number of customers, industries
• NGAV services: Number of customers, number of websites tested per client, number of websites tested via the service. Note: Provide your definition of a website (e.g., specific URLs).
Indicate your industry involvement, including membership(s) in industry organizations, participation in standards bodies and participation in the threat intelligence community.
Provide a list of your solution partners, detailing how your customers can interact throughout the community.
What is your perception of market direction, and how does this affect your technology road map? Describe your anticipation of industry/customer trends.
location of headquarters and major field offices.0 Vendor Background and Pricing Information Our organization is looking for a long-term relationship with our NGAV vendor.0 December 4. and your approach to ensure that your solution can adapt and improve while continuing to provide value to an existing customer base. describe your community platform. Do you provide a community exchange for your customers? If so.g. how your product plans will meet these trends. response time and hours of availability (e. including: • What services are included in your support service program? Provide information for both products and services if you provide both. such as availability of a community platform for interaction with your client base? 4. and what type of content and training materials are available within the community. Do you work with regional partners/value-added resellers that can provide implementation support for your solution? If so.. number of user licenses. please indicate the appropriate code in the Score/Priority column of the requirements matrix. For SaaS solutions. Describe your pricing/licensing model for enterprise solutions. including any discount tiers. such as for lightweight. Requested Topics Provide a catalog of all items. important features that deserve attention but are not mandatory P3 1 Interesting features that may be worthy of focus and attention N/A 0 Not in scope: Does not apply or is not needed SANS ANALYST PROGRAM 19 ©2017 SANS™ Institute . per application. backed by the detail used for developing prices for 5. fully automated tests versus more complex testing that requires manual intervention by your staff? Do you provide penetration testing (which includes testing outside of the application under test)? Describe any standard discounting that you provide. whether or not it is optional. critical features that must be considered essential P2 2 Optional. Also. describe how you price the service. such as GSA. for each requirement. 
describe how it is licensed (per user. Provide a total cost for each proposed solution. 5.). software and support services.0 December 4. Provide a copy of your standard contract. Request for Proposal (RFP) / Request for Information (RFI) Checklist for NGAV Product Vendor Selection Version 1. how the requirement meets our business need. per URL. that are included in your solution(s). customization and certification training (if applicable).0. 2017 Please provide all solution pricing for the total. proposed solution according to the information provided in this RFP. end user training. or product capabilities. THIS SHOULD NOT BE COMPLETED BY THE VENDOR.] Follow these steps to complete this requirements matrix. and its associated list price.5. For each product above. such as on-site. Provide prices for any additional special services. along with our prioritization of scope and priority. that is. including hardware. according to the information provided in Section 2. etc. SCOPE AND PRIORITY (BUSINESS NEED) Code Value Explanation P1 3 Mandatory. Please indicate any and all limitations to your enterprise pricing. [Make sure that you have completed each element of the requirement matrix/table indicated in blue text and enclosed by [brackets]. First. providing a description of each item.4 and 5. 1. Is it by size of application? Is it by contract period? Are there pricing tiers. together with your typical SLA for availability or quality of customer service. review each area and Scope/Priority assigned to each requirement according to the codes shown in the “Scope and Priority (Business Need)” table.0 Requirements Matrix The following table contains the explicit requirements for the NGAV solution we are seeking. For example: Score = P1 x Standard x Middle = 3 x 5 x 1 = 15. based on your solution road map. 2017 2. Then. 
The following table is the NGAV Requirements Matrix.5 Demonstrable in the short term (30 to 60 days) Middle 1 Demonstrable in the midterm (60 days to 6 months) Long 1 Demonstrable in 6 months to a year 4. The “NGAV RFP Evaluation Master Template” spreadsheet is available at the following www. Calculate the score for each requirement by the following equation: Score = Scope and Priority x How Met x Demonstrability. Add the scores for each major section together to arrive at the total score for your solution. Section 3) Business Requirements. 5. Total the scores for each major section: Section 1) Functionality. use the codes in the table entitled “How Met (Support)” to let us know how your solution will meet or support each requirement. Again. let us know whether you can currently demonstrate that requirement or when that requirement can be demonstrated. Section 2) Operational Requirements. 6. DEMONSTRABILITY (MATURITY/ROAD MAP) Code Value Explanation Now 2 Demonstrable now Short 1. and Section 4) Organizational Background and Pricing Considerations. Finally.0 December 4.org/reading-room/whitepapers/analyst/ngav-rfp-evaluation-master-template-38195. an Excel-based workbook based on these instructions and the following table is available to simplify completion of the requirements matrix.sans. HOW MET (SUPPORT) Code Value Explanation Standard 5 Capability available out of the box Tailored 3 Capability met by extending the product through vendor-supported methods such as scripting 3rd Party 2 Capability met through partnership with third party Custom 1 Capability only available through custom changes to the solution code base N/A 0 Capability not supported 3. Request for Proposal (RFP) / Request for Information (RFI) Checklist for NGAV Product Vendor Selection Version 1. SANS ANALYST PROGRAM 20 ©2017 SANS™ Institute . 1 Protection/Detection: Determine how the NGAV product protects against and/or detects modern attacks.. 
• Deliver updated analytic capabilities through cloud-based resources.6 Protection Policies • Create different groups of endpoints by role (e.] [Provide example #4. 1. • Other (list vendor defined ______________) 1. • Establish protection policies for each group that are independent of each other.2 Threat Intelligence • Incorporate threat intelligence in the NGAV product.1. [Provide example #1.. workstations).] 1. • Create different groups of endpoints by type (e.1.7 Tamper Protection • Prevent NGAV software from being disabled or altered by an unauthorized user. • Gather threat intelligence from the following sources: • Internal [List relevant.2 Attack Intelligence and Analytics: Determine whether the vendor can “future-proof” its product against new attacks by enhanced and extensible analytic capabilities without requiring local endpoint updates.1. knowledge workers).] • External [List relevant. 2017 Vendor xx Section NGAV Requirements Scope How Priority Met? Demo Score 1 Functionality 1.2.g. 1. improvement) on NGAV efficiency at the endpoint.1.2 Unknown Malware Detection/Prevention • Identify and quarantine unknown malware and variants. • Provide immediate impact (i.] • Use cloud-based intelligence and analytics engine to evaluate and reuse new threat data.0 December 4. Score Subtotal: Attack Intelligence and Analytics SANS ANALYST PROGRAM 21 ©2017 SANS™ Institute . developers. 1. techniques and procedures (TTPs). • Deliver updated threat intelligence through cloud-based resources.] [Provide example #2.1 Known Malware Detection/Prevention • Identify and quarantine known malware and variants. 1. • Detect/protect against browser vulnerability exploits. • Perform behavioral analysis of binaries using tactics.1.g. Score Subtotal: Detection/Prevention 1.3 Malicious Process Detection/Prevention Recognize malicious patterns. cloud.1.1. 
• Kill or suspend processes that are executing malicious behaviors.5 Independent Controls Detection/Prevention • Provide separate controls for threat detection and attack prevention so that threats can be detected for later assessment. 1..2.] [Provide example #3.1 Extensible Analytics • Deliver updated detection capabilities through cloud-based resources. 1.e. servers.4 Exploit Detection/Prevention • Detect/protect against Flash exploits. Request for Proposal (RFP) / Request for Information (RFI) Checklist for NGAV Product Vendor Selection Version 1. • Other (list vendor defined ______________) 1. 5. registry access. • Log all results from the detection of malware/malicious behavior. • Present all logged information in human-readable format.g..g. 1.e.3 Quarantine an infected system or systems safely and accurately. • Log all resulting actions taken in response to detection of malware/malicious behavior.g. minimum) set of data elements for all logging. • Provide interface capability (e. 1.4.0 December 4. API) for integration with other tools.1 Logging: Data Elements • Establish a standard (e.4 Blacklist newly discovered malicious files.2 Stop malicious activity at the endpoint.. for broader detection and response support. 1. 1.1 Detect and delete malware or temporary files. all Windows) or cross-platform environment.g.3 Has lightweight impact on endpoint system resources to include: • the amount of system memory (RAM) consumed on each endpoint platform • the amount of system CPU processing capacity consumed on each endpoint platform • t he amount of system storage (i. 2017 Vendor xx Section NGAV Requirements Scope How Priority Met? Demo Score 1.2 Minimize false-positive events.3.g. regardless of whether it is in a homogenous (e.4. network connections). add new) of data elements to the standard set. 1. behavior). 1.3 Visualization Tools • Reveal the full chain of processes affected by the malware/malicious behavior. independent of the administrative interface. 
such as happens when the product blocks access to a legitimate program.5. 1.3 Visibility and Context: Determine how the product provides visibility into security events and attack context. Score Subtotal: Visibility and Context 1. • Collect activity for all binaries (e.. • Support development of custom queries to support reports related to activity across the entire organization. such as a SIEM system. Score Subtotal: Response and Remediation 1. • Allow customization (e. • Query and report across the entire organization.. 1. • P rovide reports for both end users and administrators that supply real-time visibility as well as retrospective analysis of events.3. potentially malicious. • Provide dashboards that support real-time visibility.3.1 Exhibit minimal impact on the endpoint user experience when providing protection (e.. SSD or hard disk drive space) consumed on each endpoint platform Score Subtotal: Performance TOTAL SCORE: FUNCTIONALITY SANS ANALYST PROGRAM 22 ©2017 SANS™ Institute ..g. Request for Proposal (RFP) / Request for Information (RFI) Checklist for NGAV Product Vendor Selection Version 1. using a defined set of data elements. 1.5. identification of new.. file changes.5 Performance: Deploy solution with little or no impact on endpoint user productivity or lightweight impact on endpoint system resources. 1. processes.4.4 Response and Remediation: Support response and remediation starting at the endpoint.2 Query Development • Provide standard queries to support reports related to activity across the entire organization. based on custom indicators of compromise (IOCs).4. 2. unresolved malware detection. simplicity of navigation.] 2.0 December 4.3 Support 50% growth in all endpoints during the next two years Score Subtotal: Endpoint Platform Coverage 2. 2.1 Management Console Architecture • Incorporate cloud-based console that runs on vendor servers.] • [Provide endpoint #2 and additional as needed. applications and protocols. 
[Specify specific tools organization uses.3.] • [Provide platform #2 and additional as needed. • Provide advice as how to remediate or fix a problem identified in an alert or warning (e.1 Endpoint Platform Coverage: Provide compatibility with and scalability across enterprise endpoints by type of endpoint and attributes for each type.3. 2. • Incorporate server-based console that runs on the organization’s server.2 Has standard specifications for interfacing solution with enterprise endpoint detection and response (EDR).. and richness of integrated help functions. workflow and security tools defined in the environment (e.2 Management Console User Interface • Provide user interface that has overall ease of use. protection disabled).3 Data Gathering • S upport collection of event data related to new and existing files.. • Require less than [XX] MB/day data transfer.1 Support named enterprise platforms: • [Provide platform #1. Score Subtotal: Enterprise Management SANS ANALYST PROGRAM 23 ©2017 SANS™ Institute .g. Request for Proposal (RFP) / Request for Information (RFI) Checklist for NGAV Product Vendor Selection Version 1. using new row for each.3. 2. 2017 Vendor xx Section NGAV Requirements Scope How Priority Met? Demo Score 2 Operational Requirements 2.g.] Score Subtotal: Interoperability and Interfaces 2. IT ticketing and Windows AV systems). 2.1.1.1 Support standard method to integrate/interface with other external tools or platforms.1.3.2 Support current number of endpoints in the enterprise: • [Provide endpoint #1. access to major features in an emergency.2. • L og health statistics. client out of date. deactivate or reactivate a device from the management console).2. 2.] 2. • Allow customization of the user interface and reporting feature. • Incorporate virtual appliance-based console (preconfigured by manufacturer). • Allow drilldown to review status of each individual endpoint (e. 2. using new row for each. 
remove.3 Enterprise Management: Meet organizational expectations concerning ease of use.3.g.2 Interoperability and Interfaces: Integrate with existing tools/security tools in the organization. 2..4 Status Monitoring • P rovide dashboard that reflects the overall status of connected endpoints. customization and interoperability with other enterprise tools.5 Audit Logging • Monitor system health statistics to provide proof of agent uptime and show policy compliance. including deployment.5 Other (list vendor defined ______________) Score Subtotal: Deployment Model 3.1.g. 3. 8 a.0 December 4.g. configuration and maintenance. 3. Score Subtotal: Endpoint Management TOTAL SCORE: ENDPOINT MANAGEMENT 3 Business Requirements 3.m. excluding national holidays • 24x7.4. • E mailing link to users with local installation on endpoint..4.3 Support virtual appliance. centrally administered).2 Support SaaS.m.) • 24x7. • Remote push. • Support locally (e. 2.] Score Subtotal: Support Structure TOTAL SCORE: BUSINESS REQUIREMENTS SANS ANALYST PROGRAM 24 ©2017 SANS™ Institute . • Support automated methods for initial deployment of endpoint protection agents.1 Support Qualified Security Assessor (QSA) validation.1 Support on-premises.. 2017 Vendor xx Section NGAV Requirements Scope How Priority Met? Demo Score 2.3 Provide project management services: • Project planning/management • Interface development • Managed security service provider (MSSP) or security operations center (SOC) services 3.4 Endpoint Management: Support ease of endpoint management.2 Other (list vendor defined ______________) Score Subtotal: Regulatory Requirements 3. 3. including national holidays • Expedited service 3.2 Endpoint Configuration and Update • Support automated methods (e.2 Deployment Model: To ensure that the NGAV solution meets expectations as to how it can be supported in the enterprise.2.2.3.4 Provide documentation: • Role-based (admin. 3.3.g. end user) • Delivery methods [specified by client] 3.1. 3. 3. 
doesn’t have to be connected to the enterprise network).3 Support Structure: To evaluate the best support structure for NGAV in the organization.1 Provide various support tiers: • Standard business hours (M-F.3. end user) • Technical specifications • API guides for integration • Formats available [Specify formats required. controlled by endpoint users).2. 3. 2. to 5 p.1 Endpoint Deployment • Support manual methods for initial deployment of endpoint protection agents.2 Provide product training • Role-based (admin.. Request for Proposal (RFP) / Request for Information (RFI) Checklist for NGAV Product Vendor Selection Version 1.2.3. • Protect against user-initiated uninstall (either intentional or unintentional). • S upport offline (e.1 Regulatory Requirements: Ensure that the solution meets regulatory or corporate compliance requirements. 5 Track record of adapting to market-critical requirements 4.1 Vendor Background: To verify vendor experience and stability regarding NGAV 4.2.1. installation. etc.4 Market direction of company aligned with client technology roadmap 4.1 Pricing model (per user.2.2 Software Upgrade Policy (maintenance only.4 Breadth of support services (on-site.3 Sound financial standing 4.3 Pricing: To determine vendor costs associated with NGAV deployment 4.6 Established value and approach Score Subtotal: Company Profile 4. manageability.2 Comprehensive technology partnerships (relevance to larger frameworks as well as smaller individual points) 4.1 Breadth of professional services (e. training.) Score Subtotal: Pricing TOTAL SCORE: COMPANY PROFILE AND PRICING Total Score: SANS ANALYST PROGRAM 25 ©2017 SANS™ Institute .2.2.3 Service Level Agreement 4.2 Value add (integration. device) 4. 2017 Vendor xx Section NGAV Requirements Scope How Priority Met? Demo Score 4 Organizational Background and Pricing Considerations 4.1. configuration) 4. group. 
Request for Proposal (RFP) / Request for Information (RFI) Checklist for NGAV Product Vendor Selection Version 1.g.1 Comparable/compatible customer base 4.1.2 Maintenance and Support: To confirm ability of vendor to meet enterprise expectations regarding maintenance and support 4.3.3..1.1. help desk for end users) 4. maintenance and major releases) 4.0 December 4.5 Accessible knowledge base Score Subtotal: Maintenance and Support 4.1.2. with clients ranging from federal agencies to municipalities and commercial businesses. identity theft and exposure to fraud. particularly in the health and human services industry. She has done extensive work in system procurement. the CISSP. holds several SANS certifications. About the Author Barbara Filkins. GLEG and GICSP. and an MS in information security management from the SANS Technology Institute. plus the legal aspects of enforcing information security in today’s mobile and cloud environments. vendor selection and vendor negotiations as a systems engineering and infrastructure design consultant. SANS ANALYST PROGRAM 26 SANS Step-by-Step Guide for Procuring Next-Generation Antivirus . including the GSEC. a senior SANS analyst. SANS would like to thank Carbon Black for its support of this project. Barbara focuses on issues related to automation—privacy. GCIH. GCPM. Jan 20. SG Mar 12. 2018 Live Event Northern VA Winter . 2018 . 2018 Live Event SANS Secure Osaka 2018 Osaka.Feb 10. GB Feb 05. VAUS Mar 17. 2018 .Feb 24. GB Feb 27.Tysons 2018 McLean. 2018 .Mar 10. 2018 Live Event SANS Scottsdale 2018 Scottsdale. 2018 Live Event SANS Secure Japan 2018 Tokyo. NL Jan 15. 2018 Live Event SANS London February 2018 London. 2017 Upcoming SANS Training Click Here for a full list of all Upcoming SANS Events by Location SANS Security East 2018 New Orleans. 2018 Live Event ICS Security Summit & Training 2018 Orlando. NYUS Feb 26. 2018 .Feb 05. CAUS Mar 12. 2018 . 2018 Live Event SANS Paris March 2018 Paris. 2018 .Jan 13. 2018 . 