The Encase product is actually an amalgam of three previous products that do very different things and have been bolted together:
- Alert triage, where you can discover and prioritize handling of security events and make sure you are tackling the biggest issues first.
- Incident response, where you can bring the full collection of tools to prevent an infection from spreading or continuing to confound your network.
- Threat detection and remediation, where you can visualize what is happening to your network. This is still a work in progress.
These three products have a series of menus and tasks that bring up separate tabbed dialogs in the Encase Windows client. In addition to this are a series of Web-based reports. That is a lot of information to absorb, which is one reason why you will be spending a lot of time in training initially to understand the scope of the product.
We mentioned the analytics portion of the product. The ideal use case is to run these weekly on a large network, and start working through the indicated changes that are flagged. The Tableau business intelligence analysis schema means customers can integrate their own tools around it, and write your own analysis routines to complement what Guidance has already done.
One irony of Guidance Encase is because few of its competitors have the trifecta of Mac/Windows/Linux coverage, you notice that it doesn’t have agents for non-desktop operating systems such as iOS, Android and embedded devices. Those are in the works but not yet available.
To begin your investigation, you would first start with a snapshot of your network, and start making simple queries of your domain. This polls the endpoint agents and delivers about 10kbytes of information per agent. You can then proceed to look at processes that are running on each endpoint, and gather hashes for anomalies.
This is a tool that can be used by both an incident responder and to monitor security operations. It supports both feeds from Virus Total and the open-source YARA rules to match malware patterns, as an example of one such discovery tool available, which you can also import en masse too. This is where the UI issues that we mentioned earlier are a real hindrance. If you are going to get good at using Encase you are going to have to spend a lot of time inside its various interfaces and understand its peculiar workflows.
Once you figure out what is wrong with your endpoint, there are numerous remediation options available, including being able to back out of a particular endstate, wipe various Registry keys or kill particular processes. Encase also has tons of pre-set incident response reports that are very detailed, yet hard to parse.
Sign up for MIS Asia eNewsletters.