Guidance Software today said its computer forensics tool is now capable of automated collection of data on endpoint devices, including computers and smartphones, based on a security information and event management (SIEM) alert.
The Guidance product, EnCase Cybersecurity version 4.3, can now take action to collect forensics data on endpoints after receiving a security alert from the HP SIEM, ArcSight Enterprise Security Manager. According to Anthony Di Bello, Guidance product marketing manager, the goal is to immediately collect forensics data as a security incident may be in progress, perhaps in the middle of the night, if the SIEM issues an alert based on its own compilation of security information from various sources.
"The purpose could be to see who logged into a machine, what ports were open, and other information that could easily decay and not be detected again," says Di Bello. "It's the ability to immediately grab a snapshot of an endpoint when that alert comes in through a SIEM." This could be a way to collect evidence of the type of intrusion today often referred to as an advanced persistent threat.
The snapshot of that kind of forensics information would be immediately sent to the SIEM, which correlates information collected from various sources, and could be used for remediation. The types of endpoints supported in EnCase client software are various versions of Windows, as well as Linux, Solaris and HP-UX, plus smartphones and mobile devices that include Apple iOS devices, Android, Microsoft Mobile 7 and Palm and Symbian.
This is the first time that Guidance has linked its EnCase forensics tool to a SIEM by building a connector for it, says Di Bello. It selected ArcSight in part because several Guidance customers today have it. On its future roadmap, Guidance wants to integrate EnCase Cybersecurity with the SIEM from Q1 Labs (which is being acquired by IBM, a deal expected to close by year-end).
Guidance is also exploring how EnCase Cybersecurity could be integrated into an automated collection mode through other types of security monitoring and detection tools, including those from FireEye and Damballa.