Startup Outlier grabs endpoint forensic data without agent software

By automating intrusion analysis, its system can help cut costs or incident response.

Outlier, a startup with a sound pedigree in network security, is launching an endpoint threat-detection system that sets itself apart from competitors by working without the need for an agent on every machine.

Rather than installing software on every endpoint to gather forensics, the system uses data gathered by Windows Network Services and Windows Management Instrumentation to glean information about what endpoints are up to, says co-founder Greg Hoglund.

He says the system analyzes the data and triggers alerts if it discovers likely incursions by attackers. A goal of the company is to lighten the load on analysts who respond to incidents by reducing the number of false positives the have to deal with and by presenting them immediately with the evidence the system used to send an alert in the first place so they can figure out what, if any action, to take.

+[Also on Network World: 10 security start-ups to watchIs “Bring Your Own Identity” a security risk or advantage?Bot-herders can launch DDoS attacks from dryers, refrigerators, other Internet of Things devices]+

Outlier automates the process, Hoglund says, and by reducing false positives and saving time, can also have a return on investment. He says he’s hopeful the system can reduce false positives 10% below the 10% to more-than 20% false positives registered by endpoint anti-virus.

The company launched today at the Gartner Symposium/ITxpo in Orlando, Fla.

Outlier’s co-founders are Hoglund, who is CEO, COO Penny Leavy and Chief Revenue Officer Bob Slatnik, all of whom were key players in HBGary, a firm that created software to detect advanced persistent threats and was sold to Mantech International.

Mike Rothman president of security advisory and research firm Securosis says Outlier competes against the likes of Bit 9, Mandiant and CrowdStrike in the endpoint forensics market. It’s set apart by not relying on client software. “Most of them have a pretty heavy client that gathers the data,” he says. “Folks are resistant to rolling out agents.”

He says the forensic nature of the tool means its technology is made to respond to compromised systems, so businesses using Outlier should already have mature security environments that employ defenses such as SIEM, next-gen firewalls and the like that try to block attacks.

Within the Outlier system, endpoint monitoring is managed by an on-premises device called the Data Vault, software that runs on a Windows machine and uses algorithms to find suspicious activity and rank it. The Data Vault assigns possible intrusions a suspicion value from minus 1 to plus 1, with anything over .5 triggering an alert. An analyst could also look at incidents scoring 0 to .5 if they “want to look at the haystack” for more, Hoglund says.

The company gets its name from the fact that its algorithms look for events that are statistical outliers that might indicate they are malicious.

The system can be used to monitor endpoints, provide support to incident response teams and double check alerts generated by other defenses such as SIEM systems, next-generation firewalls and IDS/IPS systems, the company says.

For each device it gathers data about running processes, dlls and the like and creates a hash of the results that are stored in the Data Vault. It checks what programs are configured to launch at startup, and looks at registry entries.

The system creates timelines of when files are modified to reveal that malware might be installed on a device. The payload of such an install might be stealthy, but the installation is noisy, Hoglund says. It looks for suspicious patterns of user behavior, such as how many machines one use account logs into, which could indicate a compromised account or machine.

Hoglund describes Outlier as software as a service (SaaS). The cloud portion of the service gathers metadata about individual malicious activities and updates and configures Data Vaults.

Outlier is in beta now but should ship by the end of this month, Hoglund says. It has three pricing models: a site license, a price per endpoint and a time-frame license for consulting analysts who want the tool for a particular engagement.

Tim Greene covers security and keeps an eye on Microsoft for Network World. Reach him at and follow him on Twitter@Tim_Greene.


Copyright © 2014 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022