Greg Hoglund is no stranger to the world of security startups. Hoglund was previously a co-founder at Cenzic (which Trustwave acquired) and at HBGary (which ManTech Cyber Solutions acquired), and is now the CEO of a startup called Outlier, which launched a new-product offering on Oct. 7.
At Outlier, Hoglund has developed an endpoint security technology that does not require a software agent to be installed on user machines. The Outlier platform leverages a combination of on-premises and software-as-a-service (SaaS) capabilities to help detect and analyze potential security threats.
“We’re not intercepting any traffic; we’re in the same spot that you would find a network appliance, but instead of facing outward, we’re facing inward,” Hoglund told eWEEK. “So instead of sniffing packets, we’re making connections to the endpoints over existing Microsoft Windows APIs.”
Outlier is focused on Microsoft Windows workstations that are often the target of attacks. The connection to the Outlier platform is made over server port 445, which is typically associated with Microsoft Directory Services.
Outlier has an on-premises component that it calls the Data Vault, which does all the customer data processing. The Outlier Data Vault is software that is installed on a Windows Server. The other element of the Outlier platform is the Cloud SaaS component, which is used for management and provisioning. Additionally, the SaaS component is leveraged to check suspicious files.
“Statistical information is calculated, and things like hashes are uploaded to the SaaS component,” Hoglund said. “But the connection over port 445 is from the on-premises component.”
Hoglund emphasized that the endpoint provides a wealth of information that can be analyzed by Outlier to identify any potential hacking activity that might be occurring on a system.
“On the endpoint, you have all the forensic evidence available that could show the installation of a particular threat and all the user behavior patterns,” Hoglund said. “What we’re looking for is a pattern that shows there may have been an intrusion on a given host.”
The Outlier system has a scoring profile that it assigns to events to help identify possible malware and hacking attacks. Hoglund commented that the collection of data on an endpoint is essentially a big data source. The Outlier platform then automates the best practices associated with security incident response.
The analysis includes looking at all of the loaded modules and auto-run functions on a given endpoint. The Outlier system also looks for evidence of memory that has been injected with unauthorized code. By comparing what is actually running on a system to a white list of safe and known applications and processes, outliers can be identified.
The Outlier platform does have some limitations. For one, it’s not a reverse engineering technology that can figure out which specific exploit is being used in an attack. Rather, what Outlier does is it can identify what was downloaded by a system and what that item is doing. Currently, Outlier is structured as a detection solution and does not have its own remediation capabilities.
Outlier is focused on the detection problem and is not trying to build a full incident response system, Hoglund said. “We’re a detection-only solution,” he said. “Once we’re integrated with other devices in the protection ecosystem that a customer has, those other devices would be able to take actions.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.