I am interested in this too. I work with moderately large distributed environments, and good ol' F-Response and EE still require substantial IO back to the examiner. Over a VPN or WAN it falls flat as far as scale-out.
A "smart" agent that could push processing to the remote node would really help in certain circumstances... E.g. is this file / artifact present on these x hundred nodes...
I guess this is the space of the Mandiant MIR and Bit9/Carbon Black on the commercial side.