
Host Forensics

We’ve Got Your Endpoint Forensics Covered

Oftentimes in larger infrastructures, it’s difficult to keep a sprawling inventory up to date. Effective inventories include more than just hardware. They account for the software, patches, users, and files installed on that hardware. Without automation, keeping this data up to date is nearly impossible.
This makes InfoSec defenders’ lives much harder, since it means they cannot answer questions like:
- Which machines do we need to patch due to the vulnerability in ABC software?
- What other servers is the machine communicating with?
- Did someone install or activate a rogue service?
- Did an admin mistakenly/maliciously install a package they shouldn’t have?
- A security advisory details some indicators of compromise. Are any of them present in our infrastructure?
The above questions highlight the need for sysadmins and SOC analysts to be able to dynamically create queries against their infrastructure and review the answers in a single place.
Tutela Host Forensics stands on the shoulders of the Osquery giant, but what does Tutela itself bring to the table?
Easy deployment
No need for extra agents; everything is bundled into a single installer and executed by the Tutela agent. Host filters in the query editor allow you to selectively execute queries across your infrastructure.
Easy queries
The dashboard provides a visual “query editor” which guides analysts through setting up queries in a quick and easy way, while advanced users are still afforded the full power of Osquery through the custom query editor.
Prebuilt osquery queries which monitor your endpoints on every run for changes
This is the basis of our “Host Forensics IDS”.
Integration into the Tutela dashboard
The dashboard gives you a single place to view host queries, along with the vulnerabilities detected, compliance checks, and a lot more.
Integration with CyberSift SIEM
Keeps a historical record of forensic queries, alerts, custom dashboards, and a lot more.
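The inventory questions listed above map directly onto osquery tables. The following queries are an added illustration, not Tutela’s own prebuilt queries; table and column names follow the standard osquery schema, while “ABC”, the watch-list package names, the file path and the SHA-256 value are constructed placeholders.

```sql
-- Added example (not Tutela's prebuilt queries): osquery SQL for the
-- inventory questions above. 'ABC', the watch-list names, the file path
-- and the SHA-256 value are constructed placeholders.

-- 1. Which machines need patching for a vulnerability in "ABC" software?
--    (Windows: programs; Debian/Ubuntu: deb_packages; RHEL: rpm_packages)
--    Placeholder assumption: all 1.x releases are affected.
SELECT name, version, install_date
FROM programs
WHERE name LIKE '%ABC%'
  AND version LIKE '1.%';

-- 2. What other servers is this machine talking to?
--    Join established sockets to the owning process, dropping loopback.
SELECT p.name, p.pid, s.remote_address, s.remote_port
FROM process_open_sockets AS s
JOIN processes AS p ON p.pid = s.pid
WHERE s.state = 'ESTABLISHED'
  AND s.remote_address NOT IN ('', '0.0.0.0', '127.0.0.1', '::', '::1');

-- 3. Did someone install or activate a rogue service? (Windows)
--    Heuristic: auto-start services whose binary lives outside \Windows\.
SELECT name, display_name, start_type, path, user_account
FROM services
WHERE start_type = 'AUTO_START'
  AND path NOT LIKE '%\Windows\%';

-- 4. Did an admin install a package they shouldn't have? (Debian/Ubuntu)
--    Constructed watch-list of packages not expected on production hosts.
SELECT name, version
FROM deb_packages
WHERE name IN ('nmap', 'netcat-traditional');

-- 5. Are an advisory's indicators present?  The hash table requires a
--    path (or directory) constraint; compare against the advisory's hash.
SELECT path, sha256
FROM hash
WHERE path = 'C:\Users\Public\example.exe'
  AND sha256 = '<SHA256_FROM_ADVISORY>';
```

Scheduled on every run, the same queries can be logged differentially so that only rows that appeared or disappeared since the previous run are reported, which is how a change-monitoring “IDS” on top of osquery is typically built.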

The Benefits of Tutela Host Forensics

Visibility Over Any Threat

The Tutela agent is able to report back on any “Active Window” that a user sees. An administrator can “go back in time” and see what a user was up to.
For example:
- 10:00 User David V opened Thunderbird Email
- 10:01 User David V opened Chrome and went to the CyberSift website
- 10:30 User David V opened file 123.doc in Word
This is an extremely powerful tool, especially when you have to investigate insider threats.