Guidance Software has announced EnCase Endpoint Security v5.12, the latest version of its endpoint security product. The upgrade is intended to provide consistent support across Windows, Mac OS and Linux, and to let security teams speed up their analysis of, and response to, cyber threats.
According to Ken Basore, senior vice president at Guidance Software: “The sophistication of today’s cyber threats and adversaries continue to increase, as does the number of successful intrusions. Coupled with our complete 360-degree visibility, the innovations in EnCase Endpoint Security version 5.12 empower security teams to detect, respond to and neutralize these threats faster and more efficiently across all platforms. Guidance can help our customers ensure an intrusion doesn’t lead to a major cyber incident or breach.”
Like other security companies, Guidance Software has integrated its endpoint security tools into a larger security suite. What isn't clear from this release is how many parts of that suite are required to get the new benefits Guidance is claiming for EnCase Endpoint Security. Both the press release and Basore's statement above talk about workflow, which suggests a requirement to buy into the wider Guidance Software product line.
New features for EnCase Endpoint Security promise much
The press release lists five features that Guidance Software is delivering with EnCase Endpoint Security v5.12, and claims that their common focus is streamlining the workflow of security teams. Those features are:
- IoC Search Support for STIX definitions – Structured Threat Information eXpression (STIX) definitions can now be imported globally and used as filtering criteria in any investigation. Guidance claims customers will be able to root out indicators however well they are hidden from other technologies, reducing the time it takes to detect and respond to security breaches in their network.
- Support for OS X 10.11 (El Capitan) – Guidance customers can deploy EnCase Endpoint Security agents on the newest Mac OS release. As the adoption of Apple desktops and laptops in the enterprise increases, the ability to detect and respond to threats targeting Apple's OS becomes more important.
- Accelerated Malware Analysis – Users can move selected files directly from web reports into a watch folder for a sandbox or malware analysis engine to retrieve and detonate. This greatly accelerates the malware analysis process.
- Improved VirusTotal Support – The VirusTotal workflow is better integrated into the incident response workflows provided by EnCase Endpoint Security. This makes it easier to identify malware incursions by comparing suspect files against VirusTotal's database of known samples and engine verdicts.
- Bulk Import of YARA Rules – Customers will be able to combine scans against multiple YARA rules into a single search. This is meant to let security operations teams spend more time analysing data and less time stepping through repetitive workflows.
There is no question that this is an interesting set of new features. Support for STIX is growing across security companies, from the largest to the smallest. Most companies adopting STIX are also putting in place their own community initiatives to vet the indicators shared through them, so that the feeds stay reliable and are not seeded with bad data by the cybercriminal community.
What appears to be missing from this release is exactly what Guidance Software is going to offer its own community. There is no sign of a community reporting site, nor of any effort by the company to bring its customers together in a forum that would introduce many of them to STIX.
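To make concrete what "import STIX definitions and use them as filtering criteria" means in practice, here is a small added example; it is not Guidance Software's code and does not reflect how EnCase implements the feature. It assumes STIX 2.1 JSON indicator patterns (the press release does not say which STIX version is supported), a constructed bundle with hypothetical IDs and values, and a constructed endpoint inventory of file hashes, DNS lookups and connections. The mapping from STIX object types to inventory fields, and the functions `extract_iocs` and `sweep`, are inventions for this example.

```python
"""Toy STIX indicator sweep: pull indicators out of a STIX 2.1 bundle and use
them as filter criteria over an endpoint inventory. Added example, not EnCase code."""
import json
import re
from typing import Dict, List, Tuple

# Constructed STIX 2.1 bundle (hypothetical IDs and values, not real threat intel).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--c3a1e8f0-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--6f2a7c9e-1b3d-4e8f-9a0c-2d5b7e1f3a4c",
            "name": "Dropper SHA-256",
            "pattern_type": "stix",
            "pattern": "[file:hashes.'SHA-256' = "
                       "'3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b']",
        },
        {
            "type": "indicator",
            "id": "indicator--0d9c4b2a-7e1f-4a6b-8c3d-5e2f9a1b7c0d",
            "name": "C2 infrastructure",
            "pattern_type": "stix",
            "pattern": "[domain-name:value = 'update-check.example.net'] OR "
                       "[ipv4-addr:value = '203.0.113.45'] OR "
                       "[url:value = 'http://update-check.example.net/ping']",
        },
        # Non-indicator objects travel in the same bundle and must be ignored.
        {"type": "malware", "id": "malware--9b8a7c6d-0000-4000-8000-000000000002",
         "name": "ExampleDropper", "is_family": False},
    ],
})

# One STIX comparison expression: [object-type:property = 'literal']
_COMPARISON = re.compile(
    r"\[\s*(?P<obj>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_.'-]+)\s*=\s*'(?P<val>[^']*)'\s*\]"
)

# (object type, property) pairs this toy understands, mapped to the field name the
# endpoint inventory uses. Hypothetical mapping for the example, not EnCase's.
_SUPPORTED: Dict[Tuple[str, str], str] = {
    ("file", "hashes.'SHA-256'"): "sha256",
    ("domain-name", "value"): "domain",
    ("ipv4-addr", "value"): "ipv4",
}


def extract_iocs(bundle_json: str) -> List[Tuple[str, str, str]]:
    """Return (indicator_id, kind, normalised value) for every supported comparison.

    Simplification: each comparison becomes an independent IoC; the AND/OR/FOLLOWEDBY
    structure of a STIX pattern is not evaluated. Unsupported object types (e.g. url)
    are skipped rather than silently matched against the wrong field."""
    bundle = json.loads(bundle_json)
    iocs: List[Tuple[str, str, str]] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for m in _COMPARISON.finditer(obj["pattern"]):
            kind = _SUPPORTED.get((m.group("obj"), m.group("prop")))
            if kind is None:
                continue
            iocs.append((obj["id"], kind, m.group("val").lower()))
    return iocs


def sweep(iocs: List[Tuple[str, str, str]],
          observations: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Match inventory rows against the IoC set; hashes and domains compare case-insensitively."""
    index: Dict[Tuple[str, str], List[str]] = {}
    for ind_id, kind, val in iocs:
        index.setdefault((kind, val), []).append(ind_id)
    hits: List[Dict[str, str]] = []
    for obs in observations:
        for ind_id in index.get((obs["kind"], obs["value"].lower()), []):
            hits.append({"host": obs["host"], "indicator": ind_id,
                         "kind": obs["kind"], "value": obs["value"]})
    return hits


# Constructed endpoint inventory: what an agent sweep might have collected.
OBSERVATIONS: List[Dict[str, str]] = [
    {"host": "WKS-0042", "kind": "sha256",
     "value": "3A7BD3E2360A3D29EEA436FCFB7E44C735D117C42D1C1835420B6B9942DD4F1B"},
    {"host": "WKS-0042", "kind": "domain", "value": "www.example.org"},
    {"host": "SRV-DB-01", "kind": "ipv4", "value": "203.0.113.45"},
    {"host": "LAP-0117", "kind": "domain", "value": "Update-Check.example.net"},
    {"host": "LAP-0117", "kind": "sha256",
     "value": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
]

if __name__ == "__main__":
    for hit in sweep(extract_iocs(STIX_BUNDLE), OBSERVATIONS):
        print(f"{hit['host']}: {hit['kind']}={hit['value']} matched {hit['indicator']}")
```

Two points the example makes that the press release does not: a bundle carries objects other than indicators, which an importer has to filter out, and comparison values have to be normalised (the uppercase hash on WKS-0042 still matches) or the sweep will miss hits. A real importer would also have to evaluate the boolean structure of the pattern rather than flattening it as this toy does.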
Adding support for YARA rules is a nice feature but is likely to appeal only to larger security teams, because YARA is used primarily by malware researchers to identify and classify malware samples. However, with the amount of information about malware now being delivered by security vendors, enterprise security teams can use YARA rules to run quick searches across their entire IT estate as soon as a vendor publishes rules alongside a malware analysis.
Recognition of the increased threat to Apple devices and their growth inside the enterprise is also important. Oddly, the positioning here is on support for El Capitan, which has been out for a while now, rather than on iOS, which has had a number of refreshes lately, not all of them successful. In Guidance Software's defence, it is at least making Apple a core platform to protect, unlike many vendors who still treat Apple as a special case.
The question will be how close to Apple Guidance Software is going to get. It would be interesting to see whether it can do a better job in future of releasing in line with Apple updates across all of Apple's platforms. That would put Guidance Software in the same league, at least as far as Apple is concerned, as the IBM Security division, which is no bad thing.
Conclusion
This is an interesting update from Guidance Software. A single platform that treats all operating systems equally will appeal to many organisations that are currently struggling with a mish-mash of products. Extending support for STIX is a good move, although a lot of education will be required to help customers contribute and to understand the benefits of sharing threat information.
It will be interesting to see how far customers can go with the workflow support built into EnCase Endpoint Security v5.12 before they have to buy into the rest of the Guidance Software product line. If it is too limited, many customers will feel unable to get the most out of the product.