McAfee Investigator – McAfee Blogs
https://securingtomorrow.mcafee.com
Feed updated: Fri, 15 Jun 2018 19:18:10 +0000

A Model for Human and Machine Interaction: Human-Machine Teaming Grows up
https://securingtomorrow.mcafee.com/business/model-human-machine-interaction-human-machine-teaming-grows/
Fri, 23 Feb 2018 18:00:58 +0000

The post A Model for Human and Machine Interaction: Human-Machine Teaming Grows up appeared first on McAfee Blogs.

Security operation centers (SOCs) are struggling to keep up with attackers, and artificial intelligence (AI) has failed to deliver significant improvements. The industry has been successful at applying AI to malware detection and user and entity behavior analytics (UEBA) using deep neural networks and anomaly detection. But other core SOC jobs such as monitoring, triage, scoping, and remediation remain highly manual. Some repetitive and low-value tasks can be assisted with automation, but tasks that require analysis and creativity are hard to capture in code. Even worse: Imagine trying to automate the investigation of an undiscovered attack technique.

Automation and current AI solutions depend upon a human observing and understanding a threat, then building a model or writing code. The time gap between the human observing a phenomenon and the machine helping is the reason why attackers often have the upper hand. In order to get ahead, we need to make AI systems learn and interact directly with practitioners at the SOC.

The idea behind human-machine teaming (HMT; see [1] and [2]) is to put the human in the AI algorithm loop. In a SOC context, the human has the intuition to find a new attack technique and the creativity to investigate it using company tools. Using human input, the machine gathers information and presents it back in a summary to manage the human cognitive workload. As a result of the human-machine interaction, the machine learns to better proceed in new scenarios, while the human continues to adapt, focusing on higher-value tasks.

Several products put the human in the loop, but few empower the human to perform high-order cognitive tasks.

Research shows that unsupervised anomaly detection can be improved by asking the human to examine alerts when classification confidence is low. This approach improves detection by 4X and reduces false positives by 5X [3]. More importantly, the system teaches itself to address adversaries’ changing tactics.

Our assessment of the current SOC tools landscape shows that several products put the human in the loop, but very few empower the human to perform high-order cognitive tasks. In order to understand where we stand as an industry and what the gap is, we clustered tools into four groups.

Most cybersecurity products today deliver HMT1 and HMT2 capabilities. McAfee Investigator delivers HMT3 and our engineers are working toward HMT4.

On the vertical axis, we have ascending levels of cognitive tasks that humans bring to the team, while on the horizontal axis we have machine capabilities. An assumption of this model is that a human is not able to exercise high-order tasks if she also has to perform low-level functions. This is similar to a Maslow pyramid psychology model. As the machine starts to interact with the human at a higher level of cognition, the team becomes more effective and the degree of human-machine teaming increases from HMT0 to HMT4.

Most of the products in the industry today revolve around the first two iterations of human-machine teaming, known as HMT1 and HMT2. In these scenarios, humans interact with products by analyzing data and providing explicit orders on how to drill down and gather additional data. In some products, humans are able to elevate their work by getting insights and applying their intuition and context to them.

What is clearly missing are products that can take directional feedback, for instance: “Get me evidence that supports potential lateral movement on this case”. We are also missing products that can learn by observing the human at work, for instance, learning to dismiss the alerts that humans have investigated and dismissed in the past.

At McAfee we are using this HMT maturity model as a guide to building better features and tools for the SOC. We recently launched McAfee Investigator [4] to help triage alerts faster and more effectively. Investigator, which uses a question answering approach to leverage expert knowledge [5], can take directional feedback from the human to pivot an investigation (HMT3). Our goal is to develop Investigator to a point where it can learn directly from practitioners (HMT4).

Learn more about human-machine teaming here.


[1] S. Grobman, “Why Human-Machine Teaming Will Lead to Better Security Outcomes,” 13 July 2013. [Online]. Available: https://securingtomorrow.mcafee.com/executive-perspectives/human-machine-teaming-will-lead-better-security-outcomes/
[2] B. Kay, “News from Black Hat: Humans Collaborate and Team with Machines to Work Smarter,” 25 July 2017. [Online]. Available: https://securingtomorrow.mcafee.com/business/news-black-hat-humans-collaborate-team-machines-work-smarter/
[3] K. Veeramachaneni, I. Arnaldo and V. Korrapati, “AI^2 : Training a big data machine to defend,” IEEE 2nd International Conference on Big Data Security on Cloud, 2016.
[4] “McAfee Investigator,” [Online]. Available: https://www.mcafee.com/us/products/investigator.aspx
[5] F. M. Cuenca-Acuna and I. Valenzuela, “The Need for Investigation Playbooks at the SOC,” 2017. [Online]. Available: https://www.sans.org/summit-archives/file/summit-archive-1496695240.pdf
McAfee does not control or audit third-party benchmark data or the websites referenced in this document. You should visit the referenced website and confirm whether referenced data is accurate.
McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at mcafee.com. No computer system can be absolutely secure.

At MPOWER, New Tools Give Partners a Defensive Edge
https://securingtomorrow.mcafee.com/business/mpower-new-tools-give-partners-defensive-edge/
Thu, 09 Nov 2017 14:00:01 +0000

The post At MPOWER, New Tools Give Partners a Defensive Edge appeared first on McAfee Blogs.

October is always one of the busiest months of my year with the beginning of Q4 in full swing and the MPOWER Cybersecurity Summit & Americas Partner Summit events in Las Vegas. This is a prime opportunity to engage with the great partners that carry our brand and our products into the field and expertly support our mutual customers.

This year’s MPOWER Cybersecurity Summit was more than just a conference. This was our first official gathering since becoming an independent company again. In keeping with our motto, “Together is Power,” 2017’s MPOWER demonstrated the formidable togetherness and power of the extended McAfee partner community.

Our commitment to the partner community was on full display at MPOWER, where we showcased powerful Security Innovation Alliance integrations and new innovations on tap to help partners and customers transform their security operations centers (SOCs). Together, we will shift the balance of power in the battle against evolving and emerging threats at every stage of the threat defense lifecycle.

McAfee understands partners are dealing not only with a rapidly changing threat landscape but also with a virtual fire hose of new and updated security solutions. At MPOWER, partners witnessed firsthand how our game-changing “Protect, Detect, Correct, and Adapt” approach aims to reduce complexity and make partners more efficient and effective.

In the coming months, McAfee partners will have access to several important innovations that promise to continue evolving traditional security architecture, including:

  • McAfee Enterprise Security 11.0: We’ve added speed, power, and advanced capabilities to our premier endpoint protection suite to deliver our most comprehensive client security product. With McAfee Enterprise Security 11.0, McAfee partners can offer customers a highly scalable platform with advanced analytics, deep and machine learning, powerful event handling, and efficient integration with other security products in their arsenal.
  • McAfee Behavioral Analytics: In the SOC, understanding and baselining user behavior often makes the difference between efficient protection and useless noise. Our latest User and Entity Behavior Analytics offering gives McAfee partners powerful analytics to catalog suspicious events and build dynamic threat models based on risky user activity.
  • McAfee Investigator: We’re bringing machine learning and artificial intelligence (AI) to bear on threat remediation and incident response, making the process more efficient, more accurate, and up to 10 times faster. By automating much of the manual threat investigations process with technology that learns and improves over time, partners can deliver world-class protection with less overhead.
  • McAfee Cloud Workload Security: Increasingly, customers are asking partners to protect cloud-based data and workloads. To that end, McAfee is delivering cloud-native technology to discover, defend, manage, and recover customer information no matter where it resides.

McAfee is committed to helping partners become and remain the trusted security advisors their end users demand. We do that by continuing to develop and deliver tools that provide world-class protection and make our partners second-to-none in cybersecurity. That’s the true power of our partnership.

All of this will take time to roll out, and changes will be made along the way. But by working together, we’ll build and bring to market a better approach to security to counter the dynamic threats we all face. I invite you all to send us feedback on how McAfee is doing and what you need to succeed. We’ll work to empower you.

Together is power.

Safe Soaring: McAfee Advances Customer Success with Integrated Analytics, Ecosystems, and Experiences at MPOWER
https://securingtomorrow.mcafee.com/business/safe-soaring-mcafee-advances-customer-success-integrated-analytics-ecosystems-experiences-mpower/
Wed, 18 Oct 2017 20:01:24 +0000

The post Safe Soaring: McAfee Advances Customer Success with Integrated Analytics, Ecosystems, and Experiences at MPOWER appeared first on McAfee Blogs.

This blog was written by Barbara Kay.

Security embodies the analogy of fixing a plane in flight. Every company has some variety of security people, process, and technology in place already. So, like a plane in flight, your security infrastructure needs an operational model that can be updated, adapted, repaired, or serviced while it is actively at work protecting your business infrastructure.

A successful model must accommodate several inconvenient truths. Security systems are not set-and-forget, nor does any product or service exist in a vacuum. There’s no single vendor. The people-process-technology trifecta takes a sound, extensible architecture and continual nourishment to support healthy and secure enterprise operations.

These truths are fundamental to the McAfee threat defense lifecycle model and human-machine teaming vision, which received new support this week in Las Vegas at the MPOWER Cybersecurity Summit. Here’s an overarching view and examples of the 360 degree approach McAfee is taking for customer success. We are innovating in products, in industry collaboration, in cloud enablement, and in the customer relationship model.

Innovating in Analytics

Multiple new and updated products increase the precision, efficiency, and efficacy of defenses and security operations through new analytics based on machine learning, artificial intelligence, and really smart people in our Foundstone consulting practice and McAfee Labs.

  • New McAfee Investigator solution applies advanced analytics to increase SOC productivity
  • Deep Learning integrated into McAfee Endpoint Security, leveraging knowledge gleaned from both pre- and post-execution review
  • New McAfee innovations feature ransomware decryption and a new “stegware” or steganography detection initiative

Breaking Glass (and Silos)

ESG research shows that enterprises want to embrace automation as a means of getting more done with existing resources, but automation is contingent on integration of data and processes between products. That’s been difficult because of the many moving parts: accessible APIs, vendor politics, and available integration skills and time.

We’ve taken the need for easier integration to heart, building on the success of the Data Exchange Layer and the OpenDXL initiative, announced one year ago. This week, McAfee unveiled a ground-breaking , bridging two communications fabrics and ecosystems for end-to-end visibility and risk mitigation. By linking the Data Exchange Layer with Cisco pxGrid, we have extended the reach of high-fidelity data and the range of automated actions companies can implement, and increased the possibilities when companies take advantage of the OpenDXL open source initiative and its community.

Industry leadership like this is one reason the McAfee Security Innovation Alliance ecosystem continues to flourish, and MPOWER celebrated a nearly 15% surge in new independent software vendors joining the community.

Protecting Hybrid Cloud

One challenge of enhancing our “plane in flight” is the heterogeneous nature of the infrastructure itself. Few, if any, organizations operate security and business systems purely on-premises or purely in the cloud. Hybrid infrastructures require adaptation of implementation, access control, visibility, policies, and reporting to span and accommodate this diversity.

McAfee has expanded our portfolio of hybrid products and services with new options for using and leveraging the cloud alongside other security and corporate infrastructure.

Re-imagining CX

Finally, let’s think about the experience of managing and maintaining the plane in flight. The pilot (CISO) needs to get the job done while he keeps the passengers (end-users) happy and safe and minimizes wear and tear on his co-pilot, flight crew, and ground personnel (CIO, architect, SOC analysts, and administrators). A unified plan for the flight experience will spread calm and reliability throughout the flight, using best practices to implement features and updates, as well as to anticipate challenges and inevitable changes.

This is the design center for a new team at McAfee. At MPOWER, McAfee announced the new Customer Success Group, which unifies services, support, education, and consulting. Their first deliverable is the new Premier Success Plan.

This plan understands that buying the right tools is just a starting point. Post-sales decisions around design, deployment, maintenance, risk management, escalations, education, and strategy will have a dramatic impact on an organization’s security posture, time to value, and value over time. With so many options to choose from, it’s not always easy to know which consulting, service, and support you need to be successful. Without tracking, your team may not capture full value from the ones you order.

Our new Premier Success Plan takes away the guesswork and fills in the gaps. A comprehensive roadmap combines professional and solutions services, training, and technical support with personalized management.

Benefits All Year Long

Each year, this fall conference ushers in a wave of products, programs, and ideas, just in time for planning for the next year. You don’t need to attend to capture all of the product and programs value, but the community, camaraderie, and creativity you experience can be a welcome rejuvenation from the ongoing stress of flying the security plane.

This year, it was especially important #VegasStrong.

We hope to see you next year. Soar safely.

Stay up to date on all things MPOWER17 by following us on Twitter at @McAfee.

Introducing McAfee Investigator: Automated, Expert System-Based Analytics to Transform the SOC
https://securingtomorrow.mcafee.com/business/introducing-mcafee-investigator-automated-expert-system-based-analytics-transform-soc/
Wed, 18 Oct 2017 16:02:18 +0000

The post Introducing McAfee Investigator: Automated, Expert System-Based Analytics to Transform the SOC appeared first on McAfee Blogs.

This blog was written by Barbara Kay.

SOC analysts are getting beaten up by both commodity attacks and sophisticated ones, with many companies taking far more than a day or a week to close a case and few consistently digging all the way to root cause. McAfee research collected in May 2017 documented this dilemma and showed that companies are investing in advanced analytics and automation as a way to fight back:

  • 85% of SOCs want to use more analytics
  • 84% of SOCs want to use automation to move up the maturity scale
  • Mature SOCs automate more than 3X more often than new SOC teams, but almost everyone is investing
  • Mature SOCs automate more than 50% of investigation processes, and want to automate more
  • Top active automation areas include real-time endpoint analysis, triage, forensics, and remediation.

We’re eager to help. As part of our expanding portfolio of automated threat and malware analytics based on machine learning, McAfee is proud to announce McAfee Investigator, a SaaS analytics subscription that transforms novice analysts into expert investigators. Rather than adding complexity with yet another product silo, it leverages the data sources and alerts of a SIEM and includes real-time endpoint visibility via McAfee ePolicy Orchestrator and a dissoluble agent.

McAfee Investigator automates data collection, organization, and case management within an expert system-driven workspace. Starting with prioritized triage, automation, Foundstone expertise, and machine learning (in fact, artificial intelligence as well) come together to guide analysts to consider the right questions and hypotheses for the specific situation. Insights with drill downs and visualizations help them explore the most relevant details and subtle indicators as they move rapidly through scoping, validation, documentation, and disposition.

Scott Howitt, senior vice president in the CISO organization of MGM International, says that McAfee Investigator helps them to spend more time on actual investigations:

“The way Investigator helps me mature my organization is with the automated playbooks, with the easier ability to go find like problems in my environment and things like that. My team spends less time switching between tools and focusing on how to make the tool work and actually focusing on the investigation than they did before.”

This service helps SOC teams mature operations as they fulfill several goals:

If you have an overworked SOC and a yen to try a new model that makes the most of the strengths of both humans and machines, this new service is worth a look. Visit mcafee.com/investigator or contact your sales manager to learn more.

For more news on McAfee Investigator and updates from MPOWER17 follow us on Twitter at @McAfee.
