Mandiant Intelligent Response v1.2
Strengths: Collaborative environment that is also forensically sound.
Weaknesses: We would have liked to see more attention paid to a product support website.
Verdict: A solid incident response product with an excellent forensic pedigree.
Summary
Mandiant Intelligent Response (MIR) is a bit of an odd duck, and a most welcome one for incident responders and investigators. It is odd because it is an incident response evidence collection and management tool, built by incident responders for incident responders. Its purpose is to collect and manage evidence in a forensically sound manner across an enterprise. We found that unique among the tools we examined.
The appliance installs readily enough. The three-layer architecture consists of the controller (where most of the action takes place), the agents (very lightweight sensors on monitored devices across the enterprise), and the consoles (the user interfaces). Controllers can be cascaded across the enterprise for scalability, and multiple responders can collaborate on the same incident data.
We found logging to be robust. The variety of data that can be collected includes just about everything one might need when analyzing an incident. The appliance provides about two terabytes of storage, and data is encrypted both in motion and at rest. The controller queries the agents, and the collected data is used to analyze the root cause of the incident. Because the data is collected and handled following accepted forensic practice, it is positioned to withstand court challenges. This matters whenever data collected and analyzed on MIR is presented as evidence in criminal or civil litigation.
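"Forensically sound" collection means, at minimum, that every artifact's hash, size and collection details are recorded at the moment of acquisition and that the record itself is tamper-evident. The following Python script is an added illustration of that principle and is not MIR's code or Mandiant's method; the file names, contents, host and collector names, and the seal key are all constructed for the demonstration. It hashes each collected file, builds a manifest naming who collected what from which host and when, seals the manifest with an HMAC under a key the collector holds, and then shows that both an altered artifact and an altered manifest are detected on verification.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(body):
    # Sorted keys and fixed separators give a byte-stable encoding to seal.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(paths, collector, host, seal_key):
    """Record what was collected, by whom, from where and when, plus the hash of
    every artifact, then seal the record with an HMAC so later edits are detectable."""
    body = {
        "collector": collector,
        "host": host,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": [
            {"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in sorted(paths)
        ],
    }
    seal = hmac.new(seal_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "seal": seal}


def verify_manifest(manifest, seal_key):
    """Return (seal_ok, paths whose current hash no longer matches the record)."""
    expected = hmac.new(seal_key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    seal_ok = hmac.compare_digest(expected, manifest["seal"])
    mismatches = [
        a["path"] for a in manifest["body"]["artifacts"]
        if not os.path.exists(a["path"]) or sha256_file(a["path"]) != a["sha256"]
    ]
    return seal_ok, mismatches


def demo():
    """Constructed scenario: collect two files, verify, then tamper with each layer."""
    key = b"constructed-demo-seal-key"  # assumption: a secret held by the collecting side
    with tempfile.TemporaryDirectory() as d:
        paths = []
        # Constructed sample artifacts standing in for files pulled from an endpoint.
        for name, data in (("hosts", b"127.0.0.1 localhost\n"),
                           ("run.bat", b"@echo off\r\nstart evil.exe\r\n")):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            paths.append(p)

        manifest = build_manifest(paths, "analyst01", "ws-042", key)
        clean = verify_manifest(manifest, key)             # (True, [])

        with open(paths[1], "ab") as f:                    # artifact altered after collection
            f.write(b"rem tampered\r\n")
        after_file_edit = verify_manifest(manifest, key)   # seal intact, run.bat flagged

        manifest["body"]["collector"] = "someone-else"     # manifest edited after sealing
        after_manifest_edit = verify_manifest(manifest, key)  # seal fails

        return {
            "clean": clean,
            "file_tampered": after_file_edit[0] and after_file_edit[1] == [paths[1]],
            "manifest_tampered": after_manifest_edit[0] is False,
        }


if __name__ == "__main__":
    print(demo())
```

The HMAC seal only proves the manifest was not changed by someone without the key; in a real deployment the key would live on the controller rather than the endpoint, and the manifest would be signed or time-stamped by an independent party so the chain of custody does not rest on a single operator.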
Documentation is on a supplied CD along with the agent software. The administrator's guide is first-rate. Mandiant offers 24/7 support, but there is no obvious place on the website to reach a support site. That said, Mandiant offers a very complete suite of professional services, although we would have preferred an easily accessible support section on the website directly addressing the Intelligent Response product.
This is an expensive box. However, cost must be taken in the context of what it does for the organization, and that is considerable. The difference between solving a very costly incident and leaving it unaddressed or poorly addressed can be huge, especially when one considers regulatory requirements and potential upstream liability. We find that the product is a good value given its responsibility and the competent way it addresses that responsibility.