Beginners’ Guide to Evaluating Endpoint Response Tools

There are lots of incident response tools out there, but it’s tricky to find the one that best fits the needs of your organization.

Learn more about the three considerations that Brian Carrier, VP Digital Forensics at Basis Technology, suggests weighing when evaluating incident response tools:

  • Evolution based on new threats
  • Needs of your security team
  • IT Endpoint Considerations


Evolution based on new threats

Attackers are constantly changing their techniques and looking for different ways of getting in, staying in, and hiding, so your triage techniques must evolve too. If your tools are largely manual, then you are responsible for bringing in new tools and techniques yourself. If they are automated, then find out how they stay up to date and whether you can customize them when you need to look for something they don’t know about.
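To make the last question concrete, here is an added illustration (not Cyber Triage’s or any other vendor’s code) of what “customizable” means for an automated triage checker: the tool ships with a few built-in rules, and the analyst can load extra rules from a JSON file to cover an indicator the built-ins do not know about. The autorun records, the built-in rules and the custom rule are all constructed sample data for the demonstration.

```python
# Added illustration, not any vendor's code: a minimal automated triage checker
# whose rule set the analyst can extend without waiting for a product update.
from dataclasses import dataclass
import fnmatch
import json


@dataclass(frozen=True)
class Rule:
    name: str
    field_name: str   # artifact attribute the pattern is tested against
    pattern: str      # shell-style glob, compared case-insensitively
    severity: str = "medium"


# Rules the hypothetical tool ships with. Both inspect the 'path' field.
BUILTIN_RULES = [
    Rule("exe-in-temp", "path", "*\\temp\\*.exe", "high"),
    Rule("script-host-autorun", "path", "*\\wscript.exe*", "medium"),
]

# Constructed sample: autorun entries as a collector might report them.
SAMPLE_AUTORUNS = [
    {"id": 1, "path": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"id": 2, "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe"},
    {"id": 3, "path": "C:\\ProgramData\\Updater\\upd.exe"},
    {"id": 4, "path": "C:\\Windows\\System32\\wscript.exe \"C:\\Users\\bob\\run.vbs\""},
]

# Constructed analyst-supplied rule for a location the built-ins do not cover.
# (JSON needs "\\" for a single backslash, hence the raw string.)
CUSTOM_RULES_JSON = r'''
[
  {"name": "updater-dir-persistence", "field_name": "path",
   "pattern": "*\\ProgramData\\Updater\\*", "severity": "high"}
]
'''


def load_custom_rules(text):
    """Parse analyst-supplied rules so new indicators need no new release."""
    return [Rule(**obj) for obj in json.loads(text)]


def evaluate(artifacts, rules):
    """Return (artifact id, rule name, severity) for every rule an artifact matches."""
    findings = []
    for artifact in artifacts:
        for rule in rules:
            value = str(artifact.get(rule.field_name, "")).lower()
            # fnmatchcase avoids platform-dependent case handling; we lowered both sides.
            if fnmatch.fnmatchcase(value, rule.pattern.lower()):
                findings.append((artifact["id"], rule.name, rule.severity))
    return findings


def run_demo():
    """Compare what the built-in rules catch against built-in plus custom rules."""
    builtin_only = evaluate(SAMPLE_AUTORUNS, BUILTIN_RULES)
    extended = evaluate(SAMPLE_AUTORUNS, BUILTIN_RULES + load_custom_rules(CUSTOM_RULES_JSON))
    return {"builtin": builtin_only, "with_custom": extended}


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(label)
        for artifact_id, rule_name, severity in findings:
            print(f"  autorun {artifact_id}: {rule_name} ({severity})")
```

With only the built-in rules, entry 3 (the executable under the constructed ProgramData\Updater path) is never flagged; once the analyst’s JSON rule is loaded it is reported alongside the two built-in hits. When evaluating a real product, the question to ask is whether it offers an equivalent hook, and how its built-in rules are delivered and refreshed.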

Security Team Considerations

There is no point in buying tools your team doesn’t have the experience or resources to use. Have tools that your team can use, and don’t bother with things that your outside help or expert teams will bring in themselves. When identifying your team’s needs, think about:

  • Collaboration
  • Automation
  • Investigation Depth
  • Integration
  • Preservation

IT Endpoint Considerations

The next criterion is making sure that your incident response tools are consistent with the culture of your organization.
For instance, if the security team does not have administrator-level access to hosts and there are no agents running, then make sure that your collection solution is easy to use by the local IT person who will likely need to do the collection. Also, if you have remote offices, then take into account what connectivity you have between the security team computers and the remote hosts.

Comparison of Incident Response Tools

Let’s evaluate some tools against these criteria.

| Criteria | SysInternals Command Line Tools | SysInternals Graphical Interface Tools | Cyber Triage | Live Response Collection | Kansa | Volatility | General EDR |
|---|---|---|---|---|---|---|---|
| Automated | No | No | Yes | Partially | Partially | Partially | Depends |
| Updates | Yes (but up to you to find.) | Yes (but up to you to find.) | Yes | Yes (but up to you to find.) | Yes (but up to you to find.) | Yes (but up to you to find.) | Depends |
| Collaboration | No | No | Yes (The Team Version) | No | No | No | Often |
| Depth | Triage (Does not go deep enough.) | Triage (Does not go deep enough.) | Triage (But can be integrated with the Autopsy forensics tool for a deep dive analysis.) | Triage (Does not go deep enough.) | Triage (But PowerShell could be used to do a deep dive analysis.) | Triage & Deep Dive | Depends |
| Integration | None | None | Yes (The Team Version) | No | No | No | Often |
| Preservation | Yes | Partial | Yes | Yes | Yes | Yes | Often |
| Administrator Access | Run Time | Run Time | Run Time | Run Time | Run Time | None | Agents |
| Remote Connectivity | Difficult to remotely run. | No | Yes, including USB Drive. | Difficult to remotely run. | Yes | No | Yes |

Get Your Free Evaluation Copy

Cyber Triage is agentless, automated, thorough and practical. Get your free copy today and try it out to investigate your endpoints.