This one is a bit of a different beast from the other forensic tools we've seen. Frankly, we had a little trouble placing it in a review group because it is one of those next-generation tools that gives a lot of bang for the buck. One of its biggest bangs is its ability to analyze what's going on at an endpoint in a forensically sound manner. So here it is and we were really impressed with it.
Outlier describes its product as "an endpoint security analytics platform. The system automatically collects file hashes, metadata, binaries and endpoint artifacts that are analyzed and examined by the multi-dimensional security analytics to create alerts." It is appropriately named since it looks for outliers in the data that passes into and out of the endpoint. It's the outliers that tell the tale of an attack attempt. Put another way, it is "an agentless threat hunting system in the endpoint detection and response (EDR) product category, used for threat assessment, continual monitoring and incident response investigations."
The forensic key, of course, is that it is collecting evidence at the endpoint. However, it is agentless so we were a bit curious about how it might gather forensic evidence without an agent. We have lots of bad stuff running around our test bed so we started our install with full confidence that Outlier would have something to hunt.
There are two components: the Security Analytics Portal and the Data Vault. The Vault lives on your network and the Portal can be in the cloud or on premises. We took the cloud (SaaS) approach and ran the setup. There are a lot of prerequisites here, not the least of which is a current version of the .NET Framework. Once you have the prerequisites in place you can finish the install and start scanning your network. The Vault does the scanning and stores what it collects. This is also the answer to our agentless question: rather than deploying software to each host, the scans reach the endpoints over native Windows network services.
The only downside we found was the requirement for Silverlight. However, that is being changed, so we're told, and we didn't let it bother us much. Interaction is through a web browser. The overall setup process is rather extensive and we wondered whether it could be simplified somewhat. You can have multiple Vaults, so covering an enterprise is straightforward. Everything involving Vault installation is wizard-driven.
Outlier uses the concept of channels. A channel is a scan definition that you set up in advance: the credentials the Vault will use, the IP ranges to cover, the schedule and so forth. You have a lot of granular control over the type of data you want to collect. For example, you can opt to look at event logs, the Registry and scheduled tasks. You can set scan tasks to run once at a specified time, run once on demand or run daily at a specified time. You also can run repeatedly at predetermined intervals. One practical note: because a channel carries the credentials used to read every host in its IP range remotely, that account is necessarily privileged on those endpoints, so guard it as you would any domain admin credential.
The Vault runs "jobs," and you have a dashboard that helps you to visualize job progress on the specified channels. Once a job is done, you can review the results. There are different types of artifacts, such as file artifacts (a binary that is tracked), memory artifacts (anomalous PE code running in memory) and user artifacts (an account that is behaving strangely - the goal here is to identify lateral movement).
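To make the "outlier" idea concrete, here is a small worked example of the kind of analysis the review is describing: prevalence stacking over file artifacts and a lateral-movement check over user artifacts. This is an added illustration written for this review, not Outlier's code, and the page does not describe the product's actual algorithms. The inventory rows, logon events, host names and hash strings are constructed sample data, not real scan output or real malware hashes.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory: one (host, path, sha256) row per binary, as an
# agentless scan of six hosts might return it. Hashes are placeholders.
INVENTORY = [
    ("ws01", r"C:\Windows\System32\svchost.exe", "aaaa1111"),
    ("ws02", r"C:\Windows\System32\svchost.exe", "aaaa1111"),
    ("ws03", r"C:\Windows\System32\svchost.exe", "aaaa1111"),
    ("ws04", r"C:\Windows\System32\svchost.exe", "aaaa1111"),
    ("ws05", r"C:\Windows\System32\svchost.exe", "aaaa1111"),
    ("ws06", r"C:\Windows\System32\svchost.exe", "ffff9999"),  # same path, different binary
    ("ws01", r"C:\Program Files\Acme\acme.exe", "bbbb2222"),
    ("ws02", r"C:\Program Files\Acme\acme.exe", "bbbb2222"),
    ("ws03", r"C:\Program Files\Acme\acme.exe", "bbbb2222"),
    ("ws04", r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "cccc3333"),  # seen on one host only
]

# Constructed logon events (account, host, ISO timestamp), the sort of thing
# event-log collection would yield for a user-artifact analysis.
LOGONS = [
    ("CORP\\jdoe", "ws01", "2017-03-01T09:00:00"),
    ("CORP\\jdoe", "ws01", "2017-03-01T13:00:00"),
    ("CORP\\svc_backup", "ws02", "2017-03-01T02:10:00"),
    ("CORP\\svc_backup", "ws03", "2017-03-01T02:12:00"),
    ("CORP\\svc_backup", "ws04", "2017-03-01T02:13:00"),
    ("CORP\\svc_backup", "ws05", "2017-03-01T02:15:00"),
]


def prevalence(inventory):
    """Map each hash to the set of hosts it was observed on."""
    hosts_by_hash = defaultdict(set)
    for host, _path, sha in inventory:
        hosts_by_hash[sha].add(host)
    return hosts_by_hash


def rare_hashes(inventory, max_hosts=1):
    """Hashes present on at most max_hosts hosts: the least-prevalent binaries in the fleet."""
    return sorted(sha for sha, hosts in prevalence(inventory).items()
                  if len(hosts) <= max_hosts)


def masquerades(inventory):
    """Paths where a minority of hosts carry a different binary than the rest.

    A well-known path (svchost.exe) with a hash nobody else has is a classic
    file-artifact outlier: either an unpatched straggler or a planted binary.
    """
    hashes_by_path = defaultdict(lambda: defaultdict(set))
    for host, path, sha in inventory:
        hashes_by_path[path][sha].add(host)
    findings = []
    for path, by_hash in hashes_by_path.items():
        if len(by_hash) < 2:
            continue
        common = max(by_hash, key=lambda s: len(by_hash[s]))
        for sha, hosts in by_hash.items():
            if sha != common:
                findings.append((path, sha, sorted(hosts)))
    return sorted(findings)


def lateral_movement(logons, min_hosts=3, window=timedelta(minutes=30)):
    """Accounts that logged on to min_hosts or more distinct hosts inside one time window.

    Returns {account: sorted hosts} for each flagged account. The thresholds
    are illustrative assumptions, not values taken from the product.
    """
    by_account = defaultdict(list)
    for account, host, ts in logons:
        by_account[account].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[account] = sorted(hosts)
                break
    return flagged


if __name__ == "__main__":
    print("rare hashes:", rare_hashes(INVENTORY))
    print("masquerading binaries:", masquerades(INVENTORY))
    print("possible lateral movement:", lateral_movement(LOGONS))
```

On this sample, prevalence alone already surfaces the one-off Temp binary and the odd svchost.exe; the path comparison then tells you which of the two is pretending to be something it is not, and the logon check singles out the service account that touched four hosts in five minutes. Real fleets need much larger baselines and tuned thresholds, but the shape of the reasoning is the same.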
Reporting is extensive, as you would expect, and we particularly liked the ability to download the artifacts (binaries or strings) for further analysis and to preserve as evidence. If you do keep a downloaded binary as evidence, note its hash at the time of download so the copy you preserve can be tied back to the hash the scan recorded. Malicious executables can be removed using Outlier remediation.
We liked this one. The documentation is solid and complete as is the website. Pricing is attractive, especially when you consider that support is included.