Outlier Security: Outlier
October 03, 2016
Starts at £30 per computer per year, all support and updates included.
- Ease of Use:
- Value for Money:
- Overall Rating:
- Strengths: Powerful analytics and straightforward operation once it is deployed. No fluff, just solid endpoint forensics.
- Weaknesses: Deployment could be smoothed out a bit.
- Verdict: We liked this one a lot. We’re intrigued by how it has taken forensics to the endpoint and then added next-generation analytics along with lots of conveniences, such as string and binary downloads.
This one is a bit of a different beast from the other forensic tools we've seen. Frankly, we had a little trouble placing it in a review group because it is one of those next-generation tools that gives a lot of bang for the buck. One of its biggest bangs is its ability to analyse what's going on at an endpoint in a forensically sound manner. So here it is and we were really impressed with it.
Outlier describes its product as "an endpoint security analytics platform. The system automatically collects file hashes, metadata, binaries and endpoint artifacts that are analysed and examined by the multi-dimensional security analytics to create alerts." It is appropriately named, since it looks for outliers in the data that passes into and out of the endpoint, and it is the outliers that tell the tale of an attack attempt. Put another way, it is "an agentless threat hunting system in the endpoint detection and response (EDR) product category, used for threat assessment, continual monitoring and incident response investigations."
The forensic key, of course, is that it is collecting evidence at the endpoint. However, it is agentless so we were a bit curious about how it might gather forensic evidence without an agent. We have lots of bad stuff running around our test bed so we started our install with full confidence that Outlier would have something to hunt.
There are two components: the Security Analytics Portal and the Data Vault. The Vault lives on your network and the Portal can be in the cloud or on premises. We took the cloud (SaaS) approach and ran the setup. Lots of prerequisites here, not the least of which is a current version of the .NET Framework. Once you have the pre-reqs in place you can finish the install and start scanning your network. The scans are done by the Vault, which also collects the scanned data. The scans use native Windows network services.
The only downside we found was the requirement for Silverlight. However, that is being changed, so we're told, and we didn't let it bother us much. Interaction is via web browsing. The overall setup process is rather extensive and we wondered if it could not be simplified somewhat. You can have multiple Vaults so covering an enterprise is straightforward. Everything involving Vault installation is wizard-driven.
Outlier uses the concept of channels. A channel is a scan definition that you predefine, with credentials, IP ranges, schedules and so forth. You have a lot of granular control over the type of data you want to collect. For example, you can opt to look at event logs, the Registry and scheduled tasks. You can set scan tasks to run once at a specified time, run once on demand or run daily at a specified time. You also can run them repeatedly at pre-determined intervals.
The Vault runs "jobs," and you have a dashboard that helps you to visualise job progress on the specified channels. Once a job is done, you can review the results. There are different types of artifacts, such as file artifacts (a binary that is tracked), memory artifacts (anomalous PE code running in memory) and user artifacts (an account that is behaving strangely - the goal here is to identify lateral movement).
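To illustrate the kind of analysis the review is describing, here is an added example (not Outlier's code, and not its data format, which is assumed) that stacks artifacts from several scanned hosts and flags the rare ones: binaries and scheduled tasks seen on only one host, and accounts seen on several hosts as a lateral-movement cue. The hostnames, hashes and task names are constructed placeholders.

```python
from collections import Counter, defaultdict

# Constructed per-host scan output, keyed by artifact kind. Hash values are
# placeholders standing in for real file hashes; nothing here is a real indicator.
SCAN_RESULTS = {
    "ws-01": {"file": {"h-chrome", "h-office", "h-agent"},
              "task": {"GoogleUpdate", "OfficeTelemetry"}, "user": {"alice"}},
    "ws-02": {"file": {"h-chrome", "h-office"},
              "task": {"GoogleUpdate", "OfficeTelemetry"}, "user": {"bob"}},
    "ws-03": {"file": {"h-chrome", "h-office", "h-unknown"},
              "task": {"GoogleUpdate", "OfficeTelemetry", "svc_update"},
              "user": {"carol", "svc-backup"}},
    "ws-04": {"file": {"h-chrome", "h-office"},
              "task": {"GoogleUpdate", "OfficeTelemetry"}, "user": {"dave"}},
    "ws-05": {"file": {"h-chrome", "h-office"},
              "task": {"GoogleUpdate"}, "user": {"erin", "svc-backup"}},
}


def hosts_by_artifact(results, kind):
    """Map each artifact of the given kind to the set of hosts it was seen on."""
    seen = defaultdict(set)
    for host, artifacts in results.items():
        for artifact in artifacts.get(kind, ()):
            seen[artifact].add(host)
    return seen


def prevalence(results, kind):
    """How many hosts each artifact of `kind` appears on (the stacking count)."""
    return Counter({a: len(h) for a, h in hosts_by_artifact(results, kind).items()})


def find_outliers(results, kind, max_hosts=1):
    """Artifacts of `kind` present on at most `max_hosts` hosts: the rare items
    an analyst would pull first, e.g. to download the binary or strings."""
    return {a: sorted(h) for a, h in hosts_by_artifact(results, kind).items()
            if len(h) <= max_hosts}


def lateral_movement_candidates(results, min_hosts=2):
    """Accounts observed on several hosts. A cue for follow-up, not proof."""
    return {u: sorted(h) for u, h in hosts_by_artifact(results, "user").items()
            if len(h) >= min_hosts}


if __name__ == "__main__":
    for kind in ("file", "task"):
        print(kind, "outliers:", find_outliers(SCAN_RESULTS, kind))
    print("accounts on multiple hosts:", lateral_movement_candidates(SCAN_RESULTS))
```

In a real deployment the `SCAN_RESULTS` dictionary would be replaced by whatever the collector returns for each job, and the thresholds tuned to fleet size.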
Obviously there is a lot of good reporting, but we liked the ability to download the artifacts (binaries or strings) for further analysis and to preserve as evidence. Malicious executables can be removed using Outlier remediation.
We liked this one. The documentation is solid and complete as is the website. Pricing is attractive, especially when you consider that support is included.