How McAfee uses Customer Zero to get to decisions faster

The third in a series of three blogs by Grant and Jason on the process of identifying actionable insights.

In this series, we’ve been examining how data is collected, processed and analyzed. And, because of the complexity of the task at that analysis stage, we’ve been looking at the task of augmenting human analyst capability with automation and machine learning. Learning mechanisms – for humans and machines – are critical to this final step.

At McAfee, our greatest progress thus far in automating insights has been the application of McAfee Behavioral Analytics (MBA) and McAfee Investigator and customer machine learning classifiers using our McAfee Enterprise Security Manager (ESM) data set. This combination leverages machine learning and deep neural network capabilities to guide analysts to insights that then lead to decisions. We’re now focused on extending these investigation guides at the core of McAfee Investigator, which encapsulate the best thinking and practices of expert threat hunters, so that analysts can gather more relevant intelligence.

Those investigation guides are not just about the questions that good threat hunters ask; they are also about how the best minds answer those questions. Collecting and analyzing the attackers’ objectives, methods, and techniques directly results in operational threat intelligence that leads to conclusions about suspicious activity. For example, do we need to work with our endpoint tools to change the data they throw off and create so that we can be more effective with our investigations later?

To capture these inquiries, we’re tapping into the resources of McAfee Customer Zero, our Security Fusion Center teams. McAfee Product Management, Engineering, and the Office of the CISO are collaborating to expand the investigational use cases that are relevant to actual investigations. We view our own Security Fusion Center as the place to learn, to try things, to fine-tune our products and make them better. In the process, we want to help the Fusion Center teams triage which events matter, to get to root cause and an answer as rapidly as possible.

These are very much human-centric investigations – even with all the AI and machine learning baked in. Human-machine teaming doesn’t try to reduce the role of the person. We’re trying to help the human do more.

We believe that by collaborating and sharing best practices, augmented by machine capabilities, we can help security teams arrive at insights that lead to decisions, faster and with more confidence. And that action, achieved together, is a powerful outcome indeed.

You can look for Grant Bourzikas on Twitter and LinkedIn and at security events like MPOWER, Blackhat, and RSA. Jason Rolleston can also be found at similar events and on Twitter and LinkedIn.
