Guidance Software EnCase Endpoint Security
Strengths: A unique forensic approach to endpoint security – effective especially when investigating an incident.
Weaknesses: Some limitations based on the way the analytics are done. However, for the most part, these limitations, such as exfiltration on a USB stick, are manageable in other ways. A bit pricey.
Verdict: We have liked the innovations from Guidance in the past and this no exception. If you are an EnCase shop already, do not hesitate to add this tool to your quiver. If not, give it a close look. It can tell you things about an attack that nothing else can.
Now here was a surprise. We are used to seeing EnCase in the forensics world but for some reason - call us asleep at the switch if you want - we never saw this coming. The deeper we looked into the product the more it looked like forensics to us. Guidance Software has traditionally had a good look into the internals of computers as part of its forensic analysis tools. Why not extend that to endpoint protection? Why not, indeed?
That is exactly what Guidance has done. Everything is based on the observations of a kernel-level agent at the endpoint. This prevents an attacker or malware from obfuscating its activities. "Given enough data, we can learn anything," as an old colleague used to say. The whole purpose of the agent is to collect those data.
EnCase Endpoint Security really has two parts: Threat Detection and Incident Response. Threat Detection is the analytics piece of the puzzle and it focuses on signature-less analysis of zero-days, APTs, insiders, etc. Incident Response is the cybersecurity side. It validates that an event actually has happened, assesses its potential impact, triages and remediates. Because of the way the kernel-level agent works it is operating system agnostic and, as one would expect, it takes a forensic approach to analytics. That is, it sees beyond the top layer and does not damage the files under its scrutiny.
The agent can see the results of such things as attached devices, file systems and memory. This gets the analytics under the operating system, applications, native files and encrypted data. Again, as one would expect, this is a purely forensic approach to data gathering and analysis. A side benefit of this approach is that you can perform periodic security audits at a deep level. Once a baseline is established on a particular device, periodic audits will expose changes in critical functionality of the device and its applications.
EnCase Endpoint Security plays very well with others. For example, it can exchange information with such organizations as Splunk, QRadar, FireEye, Palo Alto, Intel Security, Sourcefire and Cisco ThreatGrid. Agents can be managed using Intel Security's McAfee ePolicy Orchestrator.
The solution uses a process the company calls "response automation" to respond to an event. First, as soon as an attacker triggers a response from the agent, the agent communicates with EnCase Endpoint Security to provide a listing of such things as running processes, open ports and their connections, existence of sensitive data and how exposed it is to the attacker.
That information also might come from another source, such as an IDS/IPS or a firewall, through some sort of alerting device such as a SIEM.
When the investigator/administrator logs into the system, they are presented with a landing dashboard. The landing page has the usual top level information but it is presented in anything but the usual way. One pane shows the status of ongoing investigations, another pane shows the source of alerts and, finally, the most interesting, the machines with alerts active. This last pane shows a cluster of colored bubbles of different sizes. The user can see at a glance what level of alerting exists on each device. If there is an especially large bubble, that means that there is a serious alert at that address. Clicking on a bubble starts a drill-down process. The entire detection process can be enhanced with blacklists and whitelists that the user can create. Drill-down gets you a complete picture of what's going on at that IP and why it's alerting.
We mentioned baselining earlier. EnCase Endpoint Security has an explicit function just for that. This is the file compare. The file can be compared to an earlier scan of the same file - the baseline - and changes detected. Reporting is complete. DLP is a forensic task and is performed on data at rest only. Because of the reliance on forensic techniques, EnCase Endpoint Security acts much like a tool for digital forensic incident response at the endpoint.
Price is a bit high for this one. Documentation is strong, as is typical from Guidance Software, and a basic support package is included as well as more advanced packages, many based on high level engineering support. The product interacts with ThreatGRID from Cisco for deep malware analysis.