Information Security Continuous Monitoring (ISCM) projects can be expensive, data and network intensive implementations which often end in frustration for global organizations. Common approaches to continuous monitoring require bloated agents, put a burden on network traffic and may open a company to the risk of privacy violations through over-collection of endpoint telemetry.
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800 137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, defines ISCM as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”
Today, Endpoint Detection and Response solutions (EDR) have become the primary tool leveraged to provide ISCM capabilities for endpoints such as employee devices, file and email servers, and even IoT devices such as ATMs and point-of-sale machines. EDR product executives and marketers have latched on to data quantity and transmission intervals (real-time-ness) as the primary metrics used to demonstrate dominance in the competitive marketplace. A by-product of this has been over-collection, placing a burden on endpoint and network resources and leading to scalability issues for larger, dispersed enterprises.
With the release of OpenText™ EnCase™ Endpoint Security 6.05, we are pleased to announce the availability of a continuous monitoring solution that scales to the largest of global enterprises.
The challenges to scalability introduced by other solutions have two main root causes:
- A lack of understanding as to *what* data and data relationship is important for ongoing security awareness at the endpoint; and,
- An “all-or-nothing” approach to enterprise endpoints.
The use of the word “ongoing” in the NIST definition has been twisted to imply “collect all the data all the time” due to a lack of vendor ability to address these root causes.
What makes the EnCase approach to ISCM better?
EnCase Endpoint Security’s detection and response capabilities are built upon our experience working with customers and responding to hundreds of incidents over the past 15 years across every industry vertical. Our customers and security consultants have worked incidents involving a countless variety of threats and threat actors from external threat actors to insider threats. This experience has educated both our engineers and incident responders as to exactly what data is important and when that data is important to gathering timely and relevant security insights from endpoints.
In understanding what data is important, and when that data is required to gather security insights, we have architected an approach designed to institutionalize the knowledge amassed by our incident response and compromise assessment teams to deliver ISCM with agility and speed at scale.
How it works
Unlike systems that pull back all endpoint telemetry all the time, EnCase Endpoint Security ISCM relies on conditions representing potential threats at the endpoint agent level, pulling back relevant information only when prerequisite conditions exist at the endpoint. Further, EnCase Endpoint Security allows you to segment your enterprise by risk factor, passing different conditions to different classes of devices, and even setting up different scan intervals depending on the criticality of any given grouping of endpoints.
With EP5 EnCase Endpoint Security 6.05 there is finally an approach to endpoint ISCM that will scale to the largest global enterprises. The EnCase approach to continuous monitoring addresses scalability challenges while maintaining adherence to NIST’s definition and delivers the efficacy you would expect from a solution built on forensic principals and underpinnings.
This, coupled with enhancements to our threat intelligence engine, policy and rule builder, RESTful API development, and new options for telemetry collection make EnCase Endpoint Security one of the most powerful EDR solutions on the market.
To learn more about OpenText Security solutions, visit our website.