Michael is a Senior Sales Engineer at MixMode. Prior to MixMode, Michael spent 5 years at VMware working in vulnerability management. He is a passionate security leader with experience in corporate security, malware research, red team vs blue team exercises, zeroday response, and beyond.
British poet and author.
Around the year 1900, an author (Rudyard Kipling) wrote a poem called “The Elephant’s Child.” In it, he writes:
“I keep six honest serving men They taught me all I knew
Their names are What and Why and When And How and Where and Who.”
Little did Kipling know that these six friends would someday be the cornerstone of modern information security programs.
It’s a straightforward question to ask: “In our program, what friends are we missing?” In years prior, these are all characteristics divided amongst separate tools. There may be three or four tools used to account for all six. At MixMode, our goal is to provide the world’s most advanced Artificial Intelligence security product. A tool that brings all six “honest serving men” to any security investigation.
Using packet-level analysis, “What” is usually a discovery-level trigger. This can be a live intrusion created by a foreign or internal (insider) actor. Or perhaps a malware payload signaling to a Command and Control system for additional instructions. Or perhaps ransomware that is beginning to encrypt files on the network and pivots to other systems. Over the past ten years, we have seen “What” frequently change from new ZeroDay attacks to malicious payloads to direct attacks on the CICD pipeline of security tool vendors. The key is to have a tool that brings “What” to the party so that regardless of the attack vector of the month, we can discover it.
Upon further investigation, once we have discovered “What,” we pivot over to “Why” and “When.” Using our more advanced scoring system, our AI will assess the Asset score and Deviation score to determine “Why” this incident is taking place, how unusual it is for this incident to be taking place this way with these assets, and determine a true “Risk Score” based on the AI using lengthy criteria to determine the true nature of the threat. Next, the AI will use packet-level analysis using time series data. We want to provide the AI with data before, during, and after that discovery to establish a timeline for any incident. This process reduces false positives seen on SIEM platforms by as much as 97%. Many SOC workers have commented that this noise reduction was a game-changer for their teams.
Finally, we move to our last three friends: “How” and “Where” and “Who.” Using the data MixMode has uncovered from our first three friends, MixMode can use log analysis to determine “Where” this issue is originating from using data such as the Source IP Host log header. MixMode can determine “How” this activity takes place by leveraging the source and destination port header information. And with insider threats on the rise, MixMode can determine “Who” based on account logs, and using our “Identity Management” module.
MixMode: Your Answer to Cybersecurity Challenges
MixMode is a revolutionary AI-powered platform that addresses these fundamental questions, providing a comprehensive and proactive approach to cybersecurity. By leveraging advanced Third-Wave AI, MixMode empowers organizations to:
- Autonomous Detection and context for Advanced Threats: Identify known and unknown attacks, including zero-day exploits, advanced persistent threats (APTs), and insider threats that traditional security solutions may miss.
- Prioritize Alerts for Incident Investigations: Gain deep visibility into network traffic and user behavior while reducing alert fatigue by focusing on the most critical threats, enabling faster incident response and minimizing potential damage.
- Automate Routine Tasks: Free up security teams to focus on strategic initiatives.
- Improve Security Posture: Continuously monitor and adapt to evolving threats.
How MixMode Works
- What: MixMode uses advanced analytics to identify anomalous behavior and potential threats, such as:
- Why and When: By analyzing network traffic and user behavior, MixMode can determine the root cause of incidents and pinpoint the exact time they occurred.
- How and Where: MixMode can trace the origin of attacks and identify the specific techniques used by attackers.
- Who: MixMode can identify the individuals or entities responsible for attacks, including insider threats.
Mixmode can bring all six friends to any information security investigation. These six friends are critical assets to any high-functioning SOC team, enabling them to answer.
- What is happening in the environment?
- Why is it happening?
- When did it happen?
- How did it happen?
- Where did it originate?
- Who is responsible?
Just ask Rudyard Kipling; he knew this over a hundred years ago.
Other MixMode Articles You Might Like
Threat Research Recap: Paving the Way for Smarter Defense Tech in 2025
State of SIEM Detection Risk: A Wake-Up Call for Enterprise Security Teams