OpenText EnCase Endpoint Security Configuration (Carbanak+FIN7 Evaluation)
Product Versions
Product Description
OpenText™ EnCase™ Endpoint Security provides security teams with 360-degree endpoint visibility to validate, analyze, scope and respond to incidents quickly and completely. EnCase Endpoint Security includes over 250 out-of-the-box detection rules aligned with the 2020 MITRE ATT&CK matrix. As a best-of-breed Endpoint Detection and Response (EDR) solution, it empowers organizations to tackle the most advanced forms of attack at the endpoint, whether from external actors or internal threats. EnCase Endpoint Security is designed with automation and operational efficiencies that help incident responders find and triage security incidents faster to reduce the risk of loss or damage.
Earlier detection of endpoint security threats
EnCase Endpoint Security enables security teams to redefine their workflow from passive ‘alerting’ mode to proactive ‘threat hunting’, actively scanning for anomalies indicative of a security breach.
Faster response to malicious activity
EnCase Endpoint Security accelerates response time, significantly reducing the risk of data loss and damage to systems. It reduces triage time by up to 90%, helping incident response (IR) teams validate and assess the impact of malicious activity – even polymorphic or memory-resident malware.
More efficient recovery from security incidents
Once a threat is identified, EnCase Endpoint Security surgically contains and remediates malicious files, processes and registry keys without the need to conduct a full wipe-and-reimage. This approach avoids the costly system downtime, loss in productivity and lost revenue associated with traditional forms of remediation, reducing the time to remediate a threat by approximately 77%.
Greater visibility via continuous monitoring of endpoints
Today’s security teams require the ability to capture endpoint data on an ongoing basis to quickly identify changes and create a historical timeline of activity for root-cause analysis. Configurable real-time, continuous monitoring capabilities provide the necessary level of visibility and insight required to monitor all network endpoints at any scale.
Product Configuration
Initial configuration (Day 1 and Day 2)
- Detection Enhancement Pack applied: 2020-09-28
- Enhanced agent deployed to all endpoints
- Default telemetry and anomaly detection filters enabled for all endpoints
- Telemetry streaming enabled for all endpoints
Summary of configuration changes (Day 3)
Data Sources
- Windows Defender was disabled on the logging host to enable collection of detection data
- All telemetry filters were enabled (including high volume filters)
Detection Logic
- Several new telemetry filters and anomaly detection filters were created (these are included in release 20.4)
- Duplicate event suppression was turned off