New McAfee tool uses analytics to help threat hunters

LAS VEGAS – With security teams overwhelmed by alerts and the time it takes to sort through data feeds to make sense of them and find root causes, vendors are increasingly offering products with analytics in a bid to help ease the load.

McAfee is the latest with the release Wednesday of a product called Investigator, which it says will help infosec pros more accurately assess threats and speed investigations.

It was one of several product announcements made at the company’s annual Mpower conference here.

“Part of the strategy for Investigator is doing more with the data [analysts] have,” company CTO Steve Grobman said in an interview.

“We’ve tried to look at the behaviour of what an incident responder would do with all the tools they have, and then we asked could we use technology to make their job more effective.”

Initially Investigator will pull data from McAfee’s Enterprise Security Manager and Hewlett Packard Enterprise’s ArcSight, both security information and event management (SIEM) systems.

McAfee said Investigator:

  • allows analysts to focus on the most significant threats by using advanced analytics to automatically collect, piece together and visually present suspected attack intelligence;
  • offers fast and thorough malware investigations through machine learning to learn evolving tactics, techniques and procedures to help analysts determine the right questions and explorations to yield efficient and accurate case closure;
  • increases security operations centre efficiency by coaching analysts into implementing advanced thought processes, and increases productivity with easy case content sharing.

It presents its findings so analysts can determine next steps. Investigator can also order remediation through McAfee Active Response on McAfee endpoints.

Investigator is a software-as-a-service offering. No pricing was immediately announced at the conference.

MGM International hotels has been an early user. In a release, Scott Howitt, senior vice president in the CISO organization of the company, said Investigator has helped mature his team with automated playbooks and the ability to find similar problems in the MGM environment. “My team spends less time switching between tools and focusing on how to make the tool work, and more time actually focusing on the investigation, than they did before.”

McAfee also announced it will release in January a product called Behaviour Analytics, the result of a partnership with an analytics service from a company called Interset. While McAfee already has some behaviour detection capabilities in its enterprise Endpoint Security product and Real Protect Behaviour, which look at behaviour on a single endpoint, McAfee Behaviour Analytics looks at activity across the enterprise. One example Grobman gave: a single endpoint logging onto the network from two cities hundreds of miles apart within minutes of each other.
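The cross-enterprise signal Grobman describes (one endpoint seen from two distant cities minutes apart) is a classic impossible-travel check. The following Python is added here as an illustration and is not McAfee’s or Interset’s code; the 900 km/h speed ceiling, the event fields, the host names and the coordinates are assumptions, and the logon events are constructed.

```python
"""Impossible-travel detection over constructed login events (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner ground speed

# Constructed sample data: one network logon per entry (subject, time, city, lat, lon)
SAMPLE_EVENTS = [
    {"subject": "host-42", "ts": "2017-10-18T08:00:00", "city": "Las Vegas", "lat": 36.17, "lon": -115.14},
    {"subject": "host-17", "ts": "2017-10-18T09:00:00", "city": "Las Vegas", "lat": 36.17, "lon": -115.14},
    {"subject": "host-42", "ts": "2017-10-18T09:30:00", "city": "Las Vegas", "lat": 36.17, "lon": -115.14},
    {"subject": "host-17", "ts": "2017-10-18T09:12:00", "city": "Calgary", "lat": 51.05, "lon": -114.07},
    {"subject": "host-42", "ts": "2017-10-18T14:00:00", "city": "Toronto", "lat": 43.65, "lon": -79.38},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare consecutive logons per subject; return (subject, from, to, km, minutes)
    for each pair whose implied speed exceeds max_kmh. Events may arrive out of order."""
    by_subject = {}
    for ev in events:
        by_subject.setdefault(ev["subject"], []).append(ev)
    findings = []
    for subject, evs in by_subject.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))  # order by time, not arrival
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km == 0:
                continue  # same place: repeated logons from one city are not travel
            gap = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = gap.total_seconds() / 3600
            # Zero gap with non-zero distance is infinite speed: always flagged
            if hours == 0 or km / hours > max_kmh:
                findings.append((subject, prev["city"], cur["city"], round(km), round(hours * 60)))
    return findings


if __name__ == "__main__":
    for subject, src, dst, km, minutes in find_impossible_travel(SAMPLE_EVENTS):
        print(f"{subject}: {src} -> {dst}, {km} km in {minutes} min")
```

The Las Vegas to Toronto pair for host-42 (about 3,100 km in 4.5 hours) stays under the ceiling and is not flagged, which is the false-positive case a naive "two cities, same day" rule would trip on.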

No pricing was announced.

The new Enterprise Security Manager 11, McAfee’s security information and event manager (SIEM), which can “support 1 million or more events per second with the optimum configurations,” will be released in Q1. No product details were given.

Finally, Raja Patel, vice president of McAfee’s corporate products division, announced that systems using McAfee’s OpenDXL data exchange layer will soon be able to communicate with Cisco Systems’ Platform Exchange Grid (pxGrid). That will not only help network administrators craft rules for sending messages between the platforms, it also opens up opportunities for some 200 system integrator partners of the two companies to create solutions that take advantage of the bridge.

Administrators struggle with unmanaged devices trying to log onto the network, Patel noted, but this can be solved with the bridge. For example, when an unrecognized device tries to log on, Cisco’s Identity Services Engine (ISE) sees it is not running malware protection, quarantines the device and sends a message to McAfee ePolicy Orchestrator (ePO). ePO can then push out endpoint protection. A scan is run on the device and, assuming it is clean, ISE allows it on the network.

In another example, a security operations team realizes it has a number of compromised devices on the network. Through ePO a message is sent to ISE to quarantine the machines, and ePO then pushes out remediation.

The bridge will be available in January.

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]