We tested Encase on a sample network of about 100 machines that Guidance had mostly set up for us in advance. We examined its analysis and reports, which covered a variety of typical infections and exploits.
The product has a very complex pricing scheme, but it starts at $44,000, including some professional services for installation and consulting. There is also a wide array of training resources, both classroom and online. Most of these will cost several thousand dollars per student.
Outlier Security has an interesting twist on EDR: it combines the best of both the SaaS and on-premises worlds. The company has some very large installations, including a customer with more than 50,000 protected nodes. It can be brought up and running within a few minutes.
You first connect to its SaaS portal with your Web browser; before doing so you will need to install both Microsoft Silverlight and the .NET Framework. Then you download its “Data Vault.” This resides on a local Windows computer that is used to launch scans across your network using Windows networking services. The vault is provisioned by the SaaS portal and can be on any machine as long as it is joined to a Windows domain and is running .NET. The vendor recommends that each vault contain information on no more than 10,000 endpoints for performance reasons.
Once you have a Data Vault installed, you next set up different “channels” that are used to delineate your various endpoint scans. These channels define your network IP address range, what you wish to scan for, and automated schedules. You can set up different channels for particular classes of devices, such as all PCs in a specific department, endpoints that handle sensitive data, and so forth. The scans take some time to complete, particularly on larger and more complex networks.
There are eight targets that are part of a scan, including processes, registry elements, network elements, users, and other items. Once these are specified, the software begins looking for malware. It scores each item according to built-in weighting algorithms and presents the results in a series of on-screen reports. You will want to spend some time understanding its filtering abilities, because it presents a lot of information to sift through.
Outlier starts out with a dashboard that is more of a launch pad for particular actions, such as showing alerts, a summary of endpoint conditions, what malware has been discovered, and actions involving lateral movement or data loss. Once you get into one of these activities there are two sets of menu controls. The first is a high-level series across the top of the screen that divides the actions among the main dashboard, results, investigations and administrative tasks. The second is an interesting circular menu for other, more specific actions: running reports, remediating the endpoint, and filtering information. When you run the remediation task, it asks you which files and Registry entries you wish to remove from your endpoint. All of these will require the endpoint to be rebooted, a somewhat cumbersome process but understandable given that there isn’t any agent software.