Mandiant Intelligent Response v1.4.5
Strengths: Collects everything an investigator needs for solid incident response.
Weaknesses: RAM is limited to what the console workstation possesses.
Verdict: Exceptional incident response platform with solid forensic applications. Recommended.
SummaryMandiant Intelligent Response (MIR) is a powerful incident response investigation and evidence collection tool. It is designed by and for incident responders to collect evidence from possibly compromised machines anywhere in a company's network. Even though it is not an end-to-end forensic investigation tool, it offers investigators exceptional information to help in their searches.
The installation of the MIR box is fairly easy. It consists of three parts: the agents (sensors on specified devices for monitoring), the controller (the information gathering center), and the consoles (user interfaces).
The MIR worked well in our simulated company environment. All from one location, it is capable of gathering everything an investigator would need should a system become compromised. It has a generous amount of storage space, but its memory is limited to that of the workstation on which it is being used. Most importantly, it encrypts the information both in transit and in storage and collects it in a forensically sound manner capable of withstanding courtroom scrutiny.
Documentation is supplied on a CD along with the agent installation. The administrator's guide is flawless, and the same can be said for the user's guide.
Mandiant offers 24/7/365 phone, email and web support, and there also is a user forum.
There is no doubt that the Mandiant Intelligent Response appliance is expensive, but for large companies, its performance is well worth the price. The value of quickly and thoroughly investigating an incident before it becomes overwhelming certainly outweighs the cost of this device. We find that the product is a good value given its purpose and the competent way it addresses it.