Mandiant introduced new incident response automation technology that promises to perform the first set of post-breach analysis tests that the IT security company would otherwise carry out through its breach investigation services.
Having already launched several free forensics applications via its Web site, the breach consulting services provider is hoping to cash in on demand for its incident management skills with the new set of electronic evidence discovery (EED) and corporate investigation tools.
Labeled Mandiant Intelligent Response 1.0 (MIR), the product is targeted initially at large enterprises in the financial services, health care, and ISP verticals. Company officials contend that large customers are ready to invest in applications that could save them millions on post-breach analysis services.
"We think large and mid-tier enterprises have the capability to use this technology, those that are fortunate enough to have the type of people who can respond, but who might not have standing armies to do so," said Jim Hansen, chief operating officer of Mandiant. "These are difficult skills that we provide, and these tools allow customers to accelerate the response process before someone like us can get there."
Hansen said that combined with his company's services, the incident forensics applications, delivered in an appliance form-factor, also extend the consulting provider's breach investigation capabilities.
The faster that companies can begin the data mining and incident analysis process after a breach, the more likely they are to discover exactly what type of problem has occurred and deduce whether they might be forced to publicly report any data exposures, the expert contends.
The cost of reporting data incidents -- both in terms of issuing immediate breach notifications and responding to any subsequent impact on business, including regulatory fines -- has created a market where enterprises with high-risk information and compliance concerns are ready to invest in software that may give them a leg up in the investigation process, Hansen said.
"This is a way to begin creating an incident response system with a full audit trail at the push of a button. [It's] something that's going to give teams a head start on the electronic data discovery process," said Hansen. "We're still doing a majority of our business answering response calls, but this product can help investigators get started."
The appliance will also arm incident response teams with analysis documentation that can be submitted as part of any legal activity related to a breach or inquiries about the resulting investigation process itself, he said.
The executive maintains that the set of data aggregation, analytics, and reporting tools represents a new breed of electronic forensics automation software. Rather than competing with existing discovery applications, Hansen said, MIR was built to integrate with those systems and aggregate data from them through its open API.
The individual software modules residing on the Intel-based appliance, which runs Linux, consist of an endpoint forensic agent, a controller that handles data aggregation and analysis duties, and a console that provides a Web-based interface for remote access.
For now, MIR will only provide analysis of Windows-based systems, but Mandiant said it is already looking to build versions of the appliance that can be dropped into different environments.
At $86,500, not including additional support and services costs, the MIR appliance is clearly aimed at large customers, but Hansen said that Mandiant is considering development of a cheaper, more lightweight device or software package aimed at smaller environments. The company may even create a version of the tools to be delivered via a software-as-a-service model, he said.
Some industry watchers said the Mandiant system may even allow customers to stay ahead of potential incidents, shifting elements of the electronic discovery process from a reactive measure to a preventative exercise.
"Mandiant Intelligent Response can change the negative perception associated with rapid evidence discovery by providing a unique collaborative environment that enables remote identification, collection, analysis, and reporting of electronic evidence," said Charles Kolodgy, analyst at IDC. "By fostering precision collection, organizations can avoid gathering incorrect or incomplete data and wasting critical moments when responding to time-sensitive matters."