As data breaches continue to escalate in both their frequency and severity, it is more critical than ever for security leaders to counter with increased monitoring and cyber defenses.
To meet this need, the newest release of OpenText™ EnCase™ Endpoint Security, version 20.3, adds features that substantially improve its MITRE ATT&CK-based detection capabilities for threat hunting and incident response. Alongside these detection improvements, EnCase Endpoint Security 20.3 includes a unified timeline for visualizing threat activity, new telemetry options, and continuous monitoring expanded to cover the Windows Event log and other threat-relevant artifacts.
EnCase Endpoint Security is a market-leading threat detection and incident response solution that enables security teams to rapidly detect compromised endpoints and remediate non-commodity attacks. Compromised endpoints and environments can be returned quickly and forensically to a trusted state with comprehensive, surgical remediation. Security teams can further automate alert response, add context to detections with embedded threat intelligence and scoring, and fully investigate any threat encountered in the modern SOC.
EnCase Endpoint Security 20.3 features
Expanded Continuous Monitoring & Detection Capabilities
This release contains major improvements to the enhanced agent for continuous monitoring and efficiency (agent I/O is reduced 10x) and exposes the full breadth of the agent's telemetry to the user by adding 400+ new fields to the anomaly detection builder, allowing analysts to build detection rules with real-time alerting. The new fields available in the anomaly builder include Windows Event log data, which is directly relevant to deploying MITRE ATT&CK-based detections, since many ATT&CK techniques are most reliably observed through Windows events. In addition to the expanded custom-rule capabilities, 20.3 includes many new out-of-the-box detection rules designed to detect TTPs from across MITRE's ATT&CK framework*.
Real-time monitoring of persistence artifacts was introduced earlier, in EnCase™ Endpoint Security CE 20.2.
Unified Threat Timeline
In the new release, security teams can visualize the threat activity needed for DFIR investigations on a single timeline, supporting root cause analysis, determination of incident scope and impact, and a clear view of the investigation's progress.
Telemetry options
This release enables IT security teams to stream endpoint data captured by EnCase™ into a data lake for threat hunting. Analysts can also retain a database of historical endpoint data for post-event analysis and other use cases where evidence from before an alert is needed.
Swimlane integration (SOAR) for orchestrated response (20.2)
Security Orchestration, Automation and Response (SOAR) technologies are increasingly important for speeding up and scaling incident response to meet modern demands. Information security teams can automate response with EnCase via pre-built Swimlane runbooks, which apply predetermined responses to encountered threats to automate security operations. Teams work in the Swimlane UI/UX while EnCase serves as the trusted endpoint technology for collection, detection, response and investigation.
Visit our website to learn more about OpenText Security 20.3.
*MITRE ATT&CK Evaluations Round 3 (Carbanak/FIN7) results will be available in February 2021.