Basic technical requirements issued for endpoint detection and response (EDR) products

The Ministry of Information and Communications recommends that the research, development, selection and use of endpoint detection and response (EDR) products follow a set of basic technical requirements.

The Ministry of Information and Communications has issued a decision promulgating basic technical requirements for Endpoint Detection and Response (EDR) products.

The basic technical requirements for EDR products fall into 7 groups: documentation requirements, system administration requirements, error control requirements, logging requirements, processing-resource requirements, system availability requirements, and detection and response functionality requirements.

For each group, the Ministry of Information and Communications also sets out the criteria and conditions an EDR product must meet. In the system administration group, for example, the product must support operational management as follows: allow setting, changing, applying and rolling back changes to the system configuration; allow configuring remote administration; allow configuring user accounts for authentication and authorization; allow configuring protection rule sets; allow changing the system time; allow changing the session retention time; allow logging out user accounts that have active sessions; allow deleting logs; and allow sending alerts by email or text message, among others.

For secure remote administration, the EDR product must use an encrypted protocol such as TLS or an equivalent, and must automatically log out the account and terminate the remote administration session when the session timeout expires.

In the detection and response functionality group, the Ministry of Information and Communications recommends that EDR products provide incident detection functions that: detect attacks and malicious code by IP address, domain name, hash value and by behavior; allow users to scan suspicious files and folders on their own machines on demand; allow alerts to be managed, with detailed alert information that can be viewed, supplemented and enriched; and allow investigation and response from a single centralized interface.

The product also needs incident investigation and response functions that: allow remote analysis of the processes running on a server or workstation; allow log search on the server or workstation; allow a policy to be set that blocks malicious applications from running on the server or workstation, identified by path or hash value; and allow malicious connections from the server or workstation to be blocked, either by controlling the OS firewall on the host or through a firewall built into the EDR.
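As an added illustration (not part of the Ministry's requirements document or any vendor's product), the following Python sketch shows what the detection and response functions described above look like when reduced to code: matching process and network telemetry against IP, domain and hash indicators, one behavior rule, enrichment of alerts, a log search, a block policy keyed by path or hash, and rendering of the host firewall command an agent would run. All events, indicators, host names and hashes are constructed for the example; the `netsh` and `iptables` commands are only rendered as strings, never executed.

```python
"""EDR-style detection and response over constructed endpoint telemetry.

Added example, not the Ministry's text or any product's code. Every
indicator, hash, host and event below is made up for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcessEvent:
    host: str
    pid: int
    path: str          # full image path of the new process
    sha256: str        # hex digest of the image on disk
    parent_path: str   # image path of the parent process
    cmdline: str


@dataclass
class NetworkEvent:
    host: str
    pid: int
    dst_ip: str
    dst_domain: str    # empty string when no DNS name was observed


@dataclass
class Alert:
    host: str
    rule: str          # which check fired
    detail: str
    enrichment: Dict[str, str] = field(default_factory=dict)


# --- Constructed indicators (hypothetical values, not real threat intel) ---
IOC_IPS = {"198.51.100.23"}
IOC_DOMAINS = {"update-check.example"}
IOC_HASHES = {"a" * 64}
IOC_CONTEXT = {  # context used to supplement and enrich an alert
    "198.51.100.23": {"source": "internal-tip", "tag": "c2-test"},
    "update-check.example": {"source": "internal-tip", "tag": "c2-test"},
    "a" * 64: {"source": "sandbox", "tag": "dropper-test"},
}
# Block policy: applications denied by path or by hash
BLOCKED_PATHS = {r"C:\Users\Public\dropper.exe".lower()}
BLOCKED_HASHES = set(IOC_HASHES)

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def enrich(indicator: str) -> Dict[str, str]:
    return dict(IOC_CONTEXT.get(indicator, {"source": "unknown"}))


def detect_process(ev: ProcessEvent) -> List[Alert]:
    alerts: List[Alert] = []
    digest = ev.sha256.lower()
    if digest in IOC_HASHES:  # hash-based detection
        alerts.append(Alert(ev.host, "ioc.hash", f"{ev.path} matches known-bad hash", enrich(digest)))
    # Behavior-based detection: an Office application spawning a shell interpreter
    if _basename(ev.parent_path) in OFFICE_APPS and _basename(ev.path) in SHELLS:
        alerts.append(Alert(ev.host, "behavior.office_spawns_shell",
                            f"{_basename(ev.parent_path)} started {ev.cmdline}"))
    return alerts


def detect_network(ev: NetworkEvent) -> List[Alert]:
    alerts: List[Alert] = []
    if ev.dst_ip in IOC_IPS:  # IP-based detection
        alerts.append(Alert(ev.host, "ioc.ip", f"pid {ev.pid} connected to {ev.dst_ip}", enrich(ev.dst_ip)))
    dom = ev.dst_domain.lower()
    if dom and dom in IOC_DOMAINS:  # domain-based detection
        alerts.append(Alert(ev.host, "ioc.domain", f"pid {ev.pid} resolved {dom}", enrich(dom)))
    return alerts


def should_block_process(ev: ProcessEvent) -> bool:
    """Block policy by path or hash, evaluated before the process is allowed to run."""
    return ev.path.lower() in BLOCKED_PATHS or ev.sha256.lower() in BLOCKED_HASHES


def firewall_rule_for(ip: str, os_name: str) -> str:
    """Render the host-firewall command that would cut an outbound connection to ip."""
    if os_name == "windows":
        return (f'netsh advfirewall firewall add rule name="EDR block {ip}" '
                f'dir=out action=block remoteip={ip}')
    return f"iptables -I OUTPUT -d {ip} -j DROP"


def search_logs(events, needle: str) -> List[str]:
    """Case-insensitive search over recorded cmdlines and paths; returns host:pid hits."""
    needle = needle.lower()
    return [f"{e.host}:{e.pid}" for e in events
            if needle in f"{getattr(e, 'cmdline', '')} {getattr(e, 'path', '')}".lower()]


def run_detection(procs: List[ProcessEvent], nets: List[NetworkEvent]) -> List[Alert]:
    alerts: List[Alert] = []
    for p in procs:
        alerts.extend(detect_process(p))
    for n in nets:
        alerts.extend(detect_network(n))
    return alerts


# Constructed telemetry from two hosts
PROCS = [
    ProcessEvent("ws-01", 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "b" * 64,
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "powershell -NoProfile -w hidden"),
    ProcessEvent("ws-01", 4188, r"C:\Users\Public\dropper.exe", "a" * 64,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "dropper.exe"),
    ProcessEvent("srv-02", 900, r"C:\Windows\explorer.exe", "c" * 64,
                 r"C:\Windows\System32\userinit.exe", "explorer.exe"),
]
NETS = [
    NetworkEvent("ws-01", 4188, "198.51.100.23", "update-check.example"),
    NetworkEvent("srv-02", 900, "203.0.113.5", "intranet.example"),
]

if __name__ == "__main__":
    for a in run_detection(PROCS, NETS):
        print(a.host, a.rule, a.detail, a.enrichment)
    for p in PROCS:
        print("block" if should_block_process(p) else "allow", p.path)
    print(firewall_rule_for("198.51.100.23", "windows"))
```

Run as a script, the block raises one behavior alert for the Word-to-PowerShell chain, one hash alert for the dropper, and IP and domain alerts for its outbound connection, blocks only the dropper under the path/hash policy, and prints the `netsh` rule an agent on ws-01 would apply. The point for an evaluator is that each requirement (detection by IP, domain, hash, behavior; enrichment; log search; blocking by path/hash; blocking connections via the OS firewall) maps to a separately testable function.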

The Ministry of Information and Communications assigns the Department of Information Security to lead and guide the application of the “Basic technical requirements for EDR products” (Artwork: securityintelligence.com)

According to the Department of Information Security, the purpose of developing and issuing basic technical requirements for EDR products is to give agencies and organizations involved in researching, developing, selecting and using information security products in the country a common reference.

At the same time, the requirements create common standards for domestic information security products, oriented toward international standards, and serve as a pilot: their practical application will be evaluated as the basis for drafting and promulgating standards and technical regulations for each product in the next stage.

The basic technical requirements for EDR products apply to agencies and organizations involved in researching, developing, evaluating and selecting EDR products for use in information systems.

Developing a safe and secure product ecosystem in Vietnam is one of the important, long-term tasks of the Ministry of Information and Communications, and of the Department of Information Security in particular.

Since June 2021, to contribute to this goal and to support the assessment and verification of information security products and services, the Department of Information Security has proposed developing basic technical requirements for 11 categories of domestic information security products.

To date, the Ministry of Information and Communications has issued basic technical requirements for 8 of the 11 categories and recommended that agencies and organizations apply them: Web Application Firewall (WAF) products; Security Information and Event Management (SIEM) products; Threat Intelligence Platform (TIP) products; Network-based Intrusion Prevention System (NIPS) products; Virtual Private Network (VPN) products; Security Orchestration, Automation and Response (SOAR) products; Anti-Malware (Anti-Virus, AV) products; and Endpoint Detection and Response (EDR) products.

Van Anh

Source: vietnamnet.vn, republished at Blogtuan.info
