Startup Outlier grabs endpoint forensic data without agent software

Outlier, a startup with a sound pedigree in network security, is launching an endpoint threat-detection system that sets itself apart from competitors by working without the need for an agent on every machine.

Rather than installing software on every endpoint to gather forensics, the system uses data gathered by Windows Network Services and Windows Management Instrumentation to glean information about what endpoints are up to, says co-founder Greg Hoglund.

He says the system analyzes the data and triggers alerts if it discovers likely incursions by attackers. A goal of the company is to lighten the load on analysts who respond to incidents by reducing the number of false positives they have to deal with and by presenting them immediately with the evidence the system used to send an alert in the first place, so they can figure out what action, if any, to take.

Outlier automates the process, Hoglund says, and by reducing false positives and saving time it can also deliver a return on investment. He says he's hopeful the system can reduce false positives to 10% below the 10% to more than 20% false-positive rates registered by endpoint anti-virus.

The company launched today at the Gartner Symposium/ITxpo in Orlando, Fla.

Outlier's co-founders are Hoglund, who is CEO, COO Penny Leavy and Chief Revenue Officer Bob Slatnik, all of whom were key players in HBGary, a firm that created software to detect advanced persistent threats and was sold to Mantech International.

Mike Rothman, president of security advisory and research firm Securosis, says Outlier competes against the likes of Bit9, Mandiant and CrowdStrike in the endpoint forensics market. It is set apart by not relying on client software. "Most of them have a pretty heavy client that gathers the data," he says. "Folks are resistant to rolling out agents."

He says the forensic nature of the tool means it is built to respond to systems that have already been compromised, so businesses using Outlier should already have mature security environments that employ preventive defenses such as SIEM, next-gen firewalls and the like that try to block attacks.

Within the Outlier system, endpoint monitoring is managed by an on-premises component called the Data Vault, software that runs on a Windows machine and uses algorithms to find suspicious activity and rank it. The Data Vault assigns each possible intrusion a suspicion value from -1 to +1, with anything over 0.5 triggering an alert. An analyst could also look at incidents scoring 0 to 0.5 if they "want to look at the haystack" for more, Hoglund says.

The company gets its name from the fact that its algorithms look for events that are statistical outliers, which might indicate malicious activity.

The system can be used to monitor endpoints, provide support to incident response teams and double check alerts generated by other defenses such as SIEM systems, next-generation firewalls and IDS/IPS systems, the company says.

For each device it gathers data about running processes, DLLs and the like and creates a hash of the results, which is stored in the Data Vault. It checks what programs are configured to launch at startup, and looks at registry entries.

The system creates timelines of when files are modified to reveal when malware might have been installed on a device. The payload of such an install might be stealthy, but the installation is noisy, Hoglund says. It also looks for suspicious patterns of user behavior, such as how many machines one user account logs into, which could indicate a compromised account or machine.
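To make the scoring described above concrete (the -1 to +1 suspicion value with its 0.5 alert threshold, applied to the "how many machines does one account log into" signal), here is an added example that is not Outlier's code. The logon events are constructed, and the robust z-score squashed through tanh is an assumed scoring function, not the company's algorithm.

```python
import math
from collections import defaultdict
from statistics import median

# Constructed sample logon events (account, hostname); not real telemetry.
# "svc-backup" fans out across nine hosts and is the intended outlier.
LOGON_EVENTS = [
    ("alice", "WS-01"), ("alice", "WS-01"), ("alice", "WS-02"),
    ("bob", "WS-03"), ("bob", "WS-03"),
    ("carol", "WS-04"), ("carol", "WS-05"),
    ("dave", "WS-06"),
    ("erin", "WS-07"), ("erin", "WS-08"),
    ("svc-backup", "WS-01"), ("svc-backup", "WS-02"), ("svc-backup", "WS-03"),
    ("svc-backup", "WS-04"), ("svc-backup", "WS-05"), ("svc-backup", "WS-06"),
    ("svc-backup", "WS-07"), ("svc-backup", "WS-08"), ("svc-backup", "WS-09"),
]

ALERT_THRESHOLD = 0.5  # from the article: scores above 0.5 raise an alert

def hosts_per_account(events):
    """Count the distinct hosts each account has logged into."""
    seen = defaultdict(set)
    for account, host in events:
        seen[account].add(host)
    return {acct: len(hosts) for acct, hosts in seen.items()}

def suspicion_scores(counts):
    """Map each account's distinct-host count to a score in [-1, 1].

    Assumed scoring (not from the article): a robust z-score built from
    the median and MAD, squashed with tanh so typical accounts sit near 0,
    heavy fan-out approaches +1 and unusually quiet accounts approach -1.
    """
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # guard: all counts equal
    scale = 1.4826 * mad  # MAD-to-sigma factor for normally distributed data
    return {acct: math.tanh((n - med) / scale / 3.0) for acct, n in counts.items()}

def triage(events):
    """Bucket accounts the way the article describes the analyst view:
    'alert' above 0.5, 'haystack' from 0 to 0.5, 'normal' below 0."""
    scores = suspicion_scores(hosts_per_account(events))
    buckets = {}
    for acct, score in scores.items():
        if score > ALERT_THRESHOLD:
            buckets[acct] = "alert"
        elif score >= 0:
            buckets[acct] = "haystack"
        else:
            buckets[acct] = "normal"
    return buckets
```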

Hoglund describes Outlier as software as a service (SaaS). The cloud portion of the service gathers metadata about individual malicious activities and updates and configures Data Vaults.

Outlier is in beta now but should ship by the end of this month, Hoglund says. It has three pricing models: a site license, a price per endpoint and a time-frame license for consulting analysts who want the tool for a particular engagement.

Tim Greene covers security and keeps an eye on Microsoft for Network World. Reach him at and follow him on Twitter @Tim_Greene.
