Procurement of Endpoint Security Solution (LLFC-CAP-25-026)
Source: Government of the Philippines, eProcurement System
Tender Information
Participants
Sponsoring Agency | Obfuscated Data |
Company | Obfuscated Data |
Status
Original status | active |
Taiyo status | Obfuscated Data |
Taiyo last update | 00-00-0000 |
Available timestamps | 00-00-0000 |
Available timestamp type | Obfuscated Data |
Contact
Contact name | Obfuscated Data |
Phone | 0000000000 |
Email | ObfuscatedData@email.com |
Address | Obfuscated Data, Obfuscated data, obfuscated data, Obfuscated data |
Description
SCOPE OF WORK
• Quantity: 130 units
• Subscription Period: One (1) Year / Twelve (12) Months
• Supported Operating Systems: Windows Server 2016 to 2022 (and Core), Windows 11 Update (23H2) and earlier, Windows 10 Update (22H2) and earlier, Windows 10 IoT Enterprise.
• Server licenses allowed for up to 35% and mailboxes for up to 150% of the total devices.

Endpoint Protection
• The solution must have local and cloud machine learning that provides predictive detection of unknown malware, dynamic file analysis trained on billions of samples, local machine learning trained on 80,000 malware features, and threat intelligence from over 500 million endpoints globally.
• Shall provide advanced anti-exploit protection that focuses on attack tools and techniques to detect both known and zero-day exploits targeting browsers and popular software applications.
• Shall provide fileless attack protection to detect and block fileless malware at pre-execution, including terminating PowerShell when it runs a malicious command line, blocking malicious traffic, analyzing the memory buffer prior to code injection, and blocking the code injection process.
• Shall provide network attack defense that focuses on detecting network attacks designed to gain access to endpoints through specific techniques such as brute-force attacks, network exploits, password stealers, drive-by-download infection vectors, bots, and trojans.
• Shall provide a ransomware vaccine that immunizes machines against known ransomware, blocking the encryption process even if the computer is infected.
• Shall provide ransomware mitigation that uses detection and remediation technologies to keep files safe from ransomware attacks.
• Shall provide the capability to automatically create backup copies of files up to 15 MB in size and restore them to their original location in case of ransomware infection.
• The proposed solution must have a dedicated virtual machine that deduplicates and centralizes most of the antimalware functionality of the antimalware agents, acting as a scan server.
• Shall provide next-gen tunable machine learning technologies designed specifically to detect advanced attacks and suspicious activities in the pre-execution phase.
• Shall provide web threat protection that scans incoming web traffic, including SSL, HTTP and HTTPS traffic, to prevent the download of malware to the endpoint; automatically blocks phishing and fraudulent web pages; and displays search ratings signaling trusted and untrusted pages.
• The solution shall prevent sensitive data leakage and malware infection via attached devices by applying rules and exclusions through policy, such as block, allow, and custom rules.
• The solution shall provide full visibility and control of running applications by blacklisting unwanted software, helping limit the risk of malicious code running undetected.
• The solution shall provide a fully featured two-way firewall that controls application access to the network and to the internet. The firewall can also protect the system against port scans, restrict ICS, and warn when new nodes join a Wi-Fi connection.
• The solution shall provide data protection that allows blocking of confidential data (PIN card, bank account, etc.) over both HTTP and SMTP by creating specific rules.
• Shall provide protection against highly sophisticated cyber-attacks using multi-stage signature-less technologies.
• Shall provide a layered architecture that includes endpoint visibility, controls, prevention, detection, and remediation.
• Shall provide process inspection with behavior-based real-time detection: it monitors all processes running in the operating system and, if a process is deemed malicious, terminates it.
• Must have integrated root cause analysis that highlights the attack vector, the attack entry point, and how the attack originated. Helps pinpoint the origin node of the attack, highlighted in the Incident page. The confidence score provides context for security events.

Sandbox Analyzer
• The proposed solution must provide an integrated Sandbox Analyzer to enhance targeted attack detection.
• Shall provide pre-execution detection of advanced attacks by automatically sending files that require further analysis to a cloud sandbox and taking remediation action based on the verdict.
• The Sandbox module shall be able to automatically send files to the Sandbox in the manufacturer's cloud, where they can be "detonated" for in-depth analysis.
• The Sandbox module includes two analysis options: monitoring only or blocking. In monitoring mode, the user will be able to access the desired file, while in blocking mode the user will be blocked from running the file until the Sandbox in the manufacturer's cloud gives its verdict.
• The Sandbox module includes two types of remedial actions: default and safety. For the default action, it shall be possible to set: report only, disinfection, deletion, or quarantine. For the safety action, it shall be possible to set: deletion or quarantine.
• The Sandbox module also includes the possibility of manually sending files to the Sandbox in the manufacturer's cloud. Thus, if the administrator suspects a file to be malicious, they can manually send it to the Sandbox to be "detonated" and obtain the verdict. The administrator shall be able to send several files at once, with the option to specify whether they are "detonated" individually or all at the same time.
• The Sandbox module can support "detonation" of the following file types: Batch, CHM, DLL, EML, Flash SWF, HTML, HTML/script, HTML (Unicode), JAR (archive), JS, LNK, MHTML (doc), MHTML (ppt), MHTML (xls), Microsoft Excel, Microsoft PowerPoint, Microsoft Word, MZ/PE files (executable), PDF, PEF (executable), PIF (executable), RTF, SCR, URL (binary), VBE, VBS, WSF, WSH, WSH-VBS, XHTML.
• The previously mentioned files shall be detected correctly even when included in archives of the following types: 7z, ACE, ALZip, ARJ, Bzip2, cpio, Gzip, LHA, Linux TAR, LZMA Compressed Archive, MS Cabinet, MSI, PKZIP, RAR, Unix Z, ZIP, ZIP (multivolume), ZOO, XZ.
• The proposed Sandbox Analyzer must be the same brand as the proposed Endpoint Protection and manageable in the same console without the need for additional virtual/physical hardware or license.

Endpoint Risk Analytics (ERA)
• The proposed solution must provide integrated Endpoint Risk Analytics (ERA) that identifies, assesses, and remediates Windows endpoint weaknesses via security risk scans, either on-demand or scheduled via policy, considering a vast number of indicators of risk.
• Shall provide the ability to scan the network for certain indicators of risk and obtain an overview of network risk status via the Risk Management dashboard, available from the Cloud Management Console.
• Must have the ability to provide an overview of the company risk score and its evolution.
• Must have the ability to provide an overview of statistics broken down into misconfigurations, vulnerable applications, and affected devices.
• Must have the ability to provide a description of each indicator of risk and the recommended remediation actions.
• Must have the ability to provide a Risk Management Dashboard that gives an overview of network security and risk assessment information such as:
  o Company Risk Score
  o Health Industry Modifier
  o Score Over Time
  o Top Misconfigurations
  o Top Vulnerable Apps
  o Top User Behavior Risks
  o Servers by Severity
  o Workstations by Severity
  o Top Devices at Risk
  o Top Users by Behavior Risk
• Must have the ability to resolve certain security risks automatically from the Cloud Management Console, and to view recommendations for endpoint exposure mitigation.
• The proposed ERA must be the same brand as the proposed Endpoint Protection and manageable in the same console without the need for additional virtual/physical hardware or license.

Endpoint Detection and Response (EDR)
• The proposed solution must provide integrated Endpoint Detection and Response (EDR).
• The proposed solution shall be a unified platform for preventative protection, post-breach detection, automated investigation, and response.
• It shall offer pre- and post-compromise attack visibility, alert triage, investigation, advanced search, and one-click resolution capabilities.
• The proposed EDR solution must include the collection of data and events related to each workstation, providing a detailed map of them as well as automatic actions and integration with the Sandbox module and the advanced security module.
• Must have the ability to evaluate the typical activity of an endpoint from a security perspective according to MITRE attack techniques ("baselining") and report any deviation from this behavior in the form of an incident.

Third Party Rating, Evaluation, Compatibility, and Other Requirements
• The solution should be able to integrate with Microsoft Active Directory.
• The proposed solution must be in the Leaders part of the Forrester Wave™: Endpoint Security, Q4 2023 or later.
• The proposed solution must be in the Strong Performers or Leaders part of the Forrester Wave™: Extended Detection and Response Platform, Q2 2024.
• The proposed solution participates in the annual MITRE ATT&CK Evaluations for EDR (2022 or later) conducted by MITRE Engenuity ATT&CK Evaluations.
• The proposed solution must be a Visionary in the 2024 Gartner Magic Quadrant for EPP.
• Shall provide the capability to retrieve and download quarantined files for further analysis in the Sandbox Analyzer from Windows, Linux, or macOS endpoints. The files available for download are restricted to 25 MB each, with a maximum of 10 retrieved files per company.
• Shall provide the capability to grant power user rights to access and modify the policy applied on the endpoints without the need to access the management console.
• The administrator can customize installation packages to include only the desired modules: firewall, content control, device control, power user, EDR sensor.
• The proposed solution must allow downloading of full-kit installer packages that do not require an internet connection during installation.
• The EDR module allows filtering of incidents from the graphical interface by time interval, confidence score, attack indicators, attack techniques (ATT&CK), affected operating system, as well as by IP, file name, and station name.
• The EDR module provides full visibility into the tactics, techniques, and procedures (TTPs) used in active attacks, while providing comprehensive search capabilities for specific indicators of compromise (IoCs), MITRE ATT&CK techniques, and other artifacts to discover early-stage attacks.
• The proposed EDR must be compatible with any pre-installed endpoint protection and will function as EDR (Report Only).
• The proposed EDR must be the same brand as the proposed Endpoint Protection and manageable in the same console without the need for additional virtual/physical hardware or license.

Unified Management Console
• The proposed solution must provide a single cloud-based centralized management console that manages the following proposed security features:
  o Endpoint Protection
  o Sandbox Analyzer
  o Endpoint Risk Analytics
  o Endpoint Detection and Response (EDR)
• The proposed solution must use a one-to-one license scheme with transferable licenses, wherein each endpoint device has a dedicated license (1:1 ratio).
• The proposed solution should avoid kernel-mode deployment, utilize a lightweight agent instead, and allow staging to test new kits or updates in a controlled environment that mirrors production, helping identify issues before deployment.
• The solution must have built-in two-factor authentication (2FA) that works with authenticator apps (Google and Microsoft) and does not require additional hardware or license to set up.
• Must have the capability to add, remove, arrange, configure, and customize the dashboard report, and must not limit the IT admin to a fixed dashboard.
• Single policy template to manage the configuration of all the proposed security features.
• Policy can be automatically changed depending on:
  o IP or IP class of the station
  o The assigned gateway
  o Assigned DNS server
  o Assigned WINS server
  o DNS suffix for DHCP connection
  o Whether the client is in the same network as the management infrastructure (the workstation can implicitly resolve the hostname)
  o Network type (LAN, wireless)
• Quarantined files can be stored for up to 180 days and can be remotely restored to a configurable location or deleted from the management console.

Supplier Maintenance and Support
• Have a reputable local vendor representative in the Philippines that has been active in the cybersecurity trade for at least 10 years.
• The supplier of the solution must have at least two (2) certified engineers for the endpoint solution.
• Able to provide 3-tier support (1st local, 2nd distributor, and 3rd principal).
• Provides regular call or email check-ups for concerns and product health monitoring even after sales.
• Support available through phone, email, web-remote assistance, and on-site/on-call support.
• The solution must be able to provide comprehensive after-sales agreement options.
• Conducts quarterly preventive maintenance for endpoint protection.
• Regular pattern updates and firmware upgrades co-termed with the years of subscription.
• Includes installation and configuration.
• Includes knowledge transfer with a completion and configuration report, conducted onsite by a certified professional engineer for the product served.
• Includes a vulnerability assessment for one (1) server on a quarterly basis for Windows/Linux operating systems.
• Includes Cybersecurity Awareness Training (1-day virtual session).

Delivery Period
• Fifteen (15) working days upon receipt of Purchase Order and Notice to Proceed (NTP).
Original sub-sector | Obfuscated |
Original Currency | USD |
Original budget | 000000000000000 |
Procurement method | Obfuscated Data |
Budget | 000000000000000 |
Location
Region | Obfuscated |
Country | Obfuscated |
State | Obfuscated Data |
County | Obfuscated |
Location | Obfuscated Data, Obfuscated data, obfuscated data, Obfuscated data |
Source
Source reliability | High |
Data quality score | 100% |
Source | Obfuscated Data |
URL | obfuscated_data,obfuscateddata.com |
More Details
Project Type | Obfuscated Data |
Article Published Date | Obfuscated Data |
