Guidance forensics tool now working with SIEM

18.10.2011
Guidance Software today said its tool is now capable of automated collection of data on endpoint devices, including computers and , based on a security information and event management (SIEM) alert.

The Guidance product, EnCase Cybersecurity version 4.3, can now take action to collect forensics data on endpoints after receiving a security alert from the HP SIEM, ArcSight Enterprise Security Manager. According to Anthony Di Bello, Guidance product marketing manager, the goal is to collect forensics data immediately, while a security incident may still be in progress, perhaps in the middle of the night, whenever the SIEM issues an alert based on its own compilation of security information from various sources.

"The purpose could be to see who logged into a machine, what ports were open, and other information that could easily decay and not be detected again," says Di Bello. "It's the ability to immediately grab a snapshot of an endpoint when that alert comes in through a SIEM." This could be a way to collect evidence of the type of intrusion today often referred to as an advanced persistent threat.

The snapshot of that kind of forensics information would be immediately sent to the SIEM, which correlates information collected from various sources, and could be used for remediation. The types of endpoints supported in EnCase client software are various versions of , as well as , Solaris and HP-UX, plus smartphones and mobile devices that include iOS devices, , Mobile 7 and Palm and Symbian.
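As an added illustration of the pattern the article describes (example code, not Guidance's or ArcSight's own): an alert arrives in ArcSight's CEF log format, and if it clears a severity threshold the endpoint records volatile state, here the listening TCP ports parsed from Linux /proc/net/tcp, into a snapshot record that can be handed back to the SIEM. The CEF line, the /proc/net/tcp text, the severity threshold and the host name are constructed sample values.

```python
"""Alert-driven volatile snapshot, in miniature (constructed example)."""
import re
import time

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

def parse_cef(line):
    """Parse one CEF record: CEF:Version|Vendor|Product|DevVersion|SigID|Name|Severity|Extension.
    The extension is key=value pairs; values may contain spaces (e.g. msg=...),
    so split only in front of the next key=, not on every whitespace."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = line.rstrip("\n").split("|", 7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    ext = {}
    for token in re.split(r"\s+(?=[A-Za-z0-9_]+=)", parts[7].strip()):
        key, sep, value = token.partition("=")
        if sep:
            ext[key] = value
    return {"vendor": parts[1], "product": parts[2], "signature": parts[4],
            "name": parts[5], "severity": int(parts[6]),  # numeric 0-10 form assumed
            "ext": ext}

def listening_tcp_ports(proc_net_tcp_text):
    """Return sorted TCP ports in LISTEN state from the text of /proc/net/tcp.
    local_address is hex IP:PORT, e.g. 00000000:0016 is 0.0.0.0:22."""
    ports = set()
    for row in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        cols = row.split()
        if len(cols) >= 4 and cols[3] == TCP_LISTEN:
            ports.add(int(cols[1].rsplit(":", 1)[1], 16))
    return sorted(ports)

def snapshot_on_alert(cef_line, proc_net_tcp_text, min_severity=7):
    """Gate on severity, then capture volatile state the alert points at.
    Returns None when the alert does not warrant collection."""
    alert = parse_cef(cef_line)
    if alert["severity"] < min_severity:
        return None
    return {
        "host": alert["ext"].get("dhost", "unknown"),
        "trigger": alert["signature"],
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "listening_tcp": listening_tcp_ports(proc_net_tcp_text),
    }
```

In a real deployment the /proc/net/tcp text would be read from the endpoint at alert time, and the returned record is what gets forwarded back to the SIEM for correlation.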

This is the first time that Guidance has linked its EnCase forensics tool to a SIEM by building a connector for it, says Di Bello. It selected ArcSight in part because several Guidance customers today have it. On its future roadmap, Guidance wants to integrate EnCase Cybersecurity with the SIEM from Q1 Labs (which is , a deal expected to close by year-end).