ITB - IT Solutions for the next generation

Investigator – MCI


McAfee Investigator helps analysts close more cases faster with higher confidence that they’ve determined root cause. Triaged alerts trigger expert-led exploration of relevant SIEM and real-time endpoint data. Security operations centres (SOCs) can efficiently investigate malware, network threats, and indicators of compromise (IoCs) using automation, expertise, and artificial intelligence.

Key Benefits

  1. Reduce dwell time: Thorough exploration of case data increases root cause detection rather than remediating a symptom.
  2. Shift from alerts to cases: Reduce time spent on manual and low-priority investigations.
  3. Focus on the unknown: Zero in on the unique artefacts and insights that need human interpretation and decisions.
  4. Improve triage: Process more cases more quickly with higher quality.
  5. Reduce analyst burnout: Make the best use of finite time, energy, and cognitive capacity.
  6. Build analyst skills: Guidebooks and relevant insights educate analysts about the right questions and hypotheses within the workflow.
  7. Extend value of current systems: Existing data sources and analytics are enhanced to increase focus and accuracy.

SOC Challenges

Huge event volumes and data shelf-life issues make it hard to accurately assess the importance and extent of an alert. Analysts often ignore alerts because they lack the context or knowledge to decide whether an alert should be treated as a formal incident. Investigations of any selected incidents can then take a long time and substantial expertise across threat vectors to dig to the core of the problem. These trends mean the need for skilled SOC analysts is growing, while the available talent pool is not.

Triage accurately and quickly

Investigator improves triage immediately by permitting security operations to automate prioritisation of certain situations for immediate attention. For these alarms, as well as other alerts an analyst wants to explore, McAfee Investigator collects, organises, summarises, and visualises the alerts, activity, evidence, and intelligence gathered on a suspected attack.

Relevant data is collected in the background and includes only the insights important to a specific threat investigation that will trigger a decision. Data from security information and event management (SIEM) solutions can be augmented with data from endpoints, without requiring endpoint detection and response (EDR) agents at every node. This model replaces silos with contextual visibility into IoCs, tactics, techniques, procedures, and relationships. A data analytics and machine learning engine compares evidence data against known baselines and threat intelligence sources. It processes artefacts and elevates key suspicious insights.

By collecting and prioritising the right data automatically, McAfee Investigator reduces the effort and increases the speed with which analysts can determine the risk and urgency of the incident. Analysts can make accurate triage decisions faster and focus on the most significant threats. At an organisational level, the benefits multiply. By up-levelling triage from alert reviews to contextual cases, each analyst can be more efficient, more cases are dispositioned by Tier 1 analysts, and analyst time is spent on the highest-value activities.

When an incident is chosen for a detailed investigation, analysts leverage interactive guidebooks that focus analysts on what is important as they scope and assess. Investigative guidebooks are not script-based or static. The system mimics the human brain, exploring many hypotheses in parallel for maximum speed and accuracy.

Speak to ITB about McAfee Investigator – MCI licences today:
CALL for Information and Pricing