Announcing OpenText EnCase Advanced Detection

New service enables detection of active breaches, not just malware

Malware detection, while important, is a daily occurrence. As the cyber security industry shifts from legacy anti-virus to Endpoint Protection Platforms (EPPs), we’re in danger of falling into an ocean of noise. While EPP does provide better ways to detect adware, commodity viruses and Potentially Unwanted Programs (PUPs), the ultimate goal is to locate active breaches and prevent malicious access to assets.

That’s why we are pleased to announce OpenText™ EnCase™ Advanced Detection, a new add-on for new or existing users of OpenText™ EnCase™ Endpoint Security. Together, they provide true 360° threat detection, with malware detection on par with EPP platforms and tamper-proof continuous monitoring. Most importantly, EnCase Advanced Detection is refocusing the Endpoint Detection and Response (EDR) industry on its true essence: locating ongoing breaches.

Malware detection on par with next-gen antivirus

EnCase Advanced Detection includes the next-gen antivirus techniques of EPP. This means detecting polymorphic malware with machine learning, file heuristics and behavioral analysis. EnCase also detonates malicious samples into an emulated sandbox. Further, it subjects memory to the best-in-breed analysis, spotting injection attacks, advanced rootkits and so called “diskless malware.”

Tamper proofing continuous monitoring

360° threat detection means a layered defense-in-depth approach. EnCase Endpoint Security’s real-time monitoring is now paired with enhanced abilities to threat score residue of past malware and behaviors. It even detects long-since-deleted malware.

Whether you’re relying on continuous monitoring from EnCase Endpoint Security, or your EPP product, EnCase Advanced Detection’s agentless scan provides “air support” over the battle inside your endpoint. Cyber-armaments are designed to evade EPP agents; by contrast , agentless scans come from above and run only ephemeral code that dissolves upon completion.

Active breach detection and orchestration

EnCase Advanced Detection focuses on enabling Digital Forensic and Incident Response (DFIR) practitioners and security analysts to see targeted attackers. Now responders can rise above the noise of malware that’s untethered from threat actors. When adversaries fly below the radar with adware or PUPs, context aware analytics can spot C2 behaviors and elevate our unified score, providing you the confidence you need when escalating any given incident.

EnCase Advanced Detection determines an active breach is in progress by combining malware detection with two broad approaches:

  1. Advanced User and Entity Behavioral Analytics (UEBA) – Going beyond incomplete logfile-based UEBA, EnCase Advanced Detection correlates endpoint telemetry and live system artifacts to uncover active breaches.  Once a “learning phase” is completed, anomalies are captured and are threat scored against their greater context. Over time, the system learns the peculiarities of your threat profile, further decreasing time-to-detection.
  2. Bulk Forensic Processes – Tier 3 DFIR personnel, given the time and data set, can locate the signs of a breach. Until EnCase Advanced Detection, DFIR teams were resource bound. This offering automates and orchestrates forensic threat hunting across the enterprise, threat scoring artifacts like an advanced DFIR practitioner.

End-to-end orchestration

EPP products mainly block or quarantine malicious programs, but active breaches require the attention of humans for response and investigation. EnCase Advanced Detection’s tight integration with EnCase Endpoint Security provides end-to-end orchestration out-of-the-box. EnCase Advanced Detection operates at enterprise scale, performing scans and bulk forensics across all endpoints. Important alerts are ingested into Endpoint Security to provide best-in-breed response capabilities. This means automating response, investigation tracking, enabling validation and triage, remediation and preservation.

Try before you buy

Guidance Software has long offered a 360° Threat Assessment Service; today this popular offering continues under OpenText Professional Services (PS). With the addition of EnCase Advanced Detection, this popular service now effectively delivers a “try before you buy” option. Since this cloud-based offering does not require agent deployment (thus avoiding lengthy version control, change management or agent testing approvals), OpenText PS can begin scanning customer environments within days and, after triaging the results, provide a comprehensive Threat Assessment Report.

Consider the depth of investigation provided: advanced malware analysis, user behavioral analytics, registry, disk and memory forensics. Yet OpenText PS can triage and assess at the rate of 2,000 endpoints per week!

Learn More: Don’t waste resources chasing malware. EnCase Endpoint Security, with our new EnCase Advanced Detection add-on, can locate active breaches and provide end-to-end orchestration to reduce dwell time and terminate breaches before disaster ensues. To learn more, watch this webinar or read the solution overview.

Notes:
360° threat detection means judging malicious programs in the context of surrounding activities. It means finding signs of lateral movement and Command and Control (C2). It means finding the unknown with user and endpoint behavioral analytics, and orchestrating bulk forensics.

Organizations will appreciate EnCase Advanced Detection’s frictionless deployment; though it touts best-in-breed scalability, this cloud offering requires only negligible hardware. EnCase Advanced Detection is agentless, thus avoiding new endpoint deployments or installations. It doesn’t even require opening new network ports.

Paul Shomo

Paul Shomo is a senior technical manager for third party technologies at OpenText. A veteran of cybersecurity, Paul Shomo has spent more than 15 years as a software engineer with experience working in security and forensics, networking and storage, and several years in his current role managing strategic partnerships and advising on M&A activity. Paul is a regular contributor to Dark Reading. He has been extensively quoted on cybersecurity issues by outlets like FoxNews, Network World, eWeek, SC Magazine, CSO Online, etc.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close