ForeScout CounterACT appliances are available in a range of sizes starting from $4,995 to $182,000.
Guidance Software’s Encase has been in the forensics business for more than a decade, and the product is both mature in its functionality and still in need of work on its usability. It is a crazy-quilt collection of Web-based and Windows dashboards and controls, software routines and seemingly endless menus within menus.
With millions of instrumented endpoints, including some very large installations, it is a worthy contender. However, installing the product on Windows Server is more of a professional-services engagement: it requires a series of different servers, a Tableau license for its analytics, and assorted Microsoft infrastructure including IIS, SQL Server and the .Net Framework. It will take days, if not longer, to get your arms around the product and get everything tuned up and functioning. Overall, the goal of Encase is to provide context for your security events and help you understand what is going on with your endpoints.
On the upside, Encase has a full complement of endpoint agents for Windows, Mac and Linux machines. These agents are mostly passive and are called upon to provide details only infrequently. If you are looking for a real-time security monitor, this isn’t the tool for you. Encase assumes that an infection spreads gradually and can be contained with careful analysis, rather than setting off a fire drill and a near-immediate response. It isn’t designed to watch over your endpoints every millisecond, or even daily. What it does well is reach deep inside your collection of endpoints to understand what has been changed by a bad actor or a piece of malware.
The Guidance folks have put together assessment tools that mimic the underlying OS so closely that you can see exactly what kind of “residue” is left behind by a piece of malware: what Windows Registry items have changed, what is now in your browser or file cache, what has been added to the file system, and so forth. As one support engineer told me, “We don’t trust the underlying OS to tell us anything that we can’t verify on our own.” Unlike some other tools that try to run malware in a sandbox, they run malware in their own OS simulators, with the hope that they can catch what is going on by using their various instruments and analyses.
In addition to collecting endpoint behavior, Encase also culls security alerts and log files from a large group of appliances and applications, including FireEye, SourceFire, Radar, ArcSight, BlueCoat, Palo Alto Networks, Splunk and McAfee, just to name a few. What is missing is a way to interact with the series of threat feeds that other products offer. That isn’t their strength either.