# Best Practices: Establishing a Coordinated Multi-Agent Investigation and Remediation Framework
## Overview
These practices detail the implementation of "Agentic Security," an operational model shifting from manual, reactive alert handling to an intelligent, agent-assisted process for cloud security detection, investigation, and remediation. The focus is on leveraging standardized security context (via Wiz MCP) and orchestration platforms (like Infosys Cyber Next) to enable specialized AI agents while maintaining essential human-in-the-loop governance.
## Key Recommendations
### Immediate Actions
1. **Establish Context Standardization:** Immediately identify and deploy a mechanism to standardize security context access. Utilize the **Wiz Remote MCP Server** to expose the Wiz Security Graph via the Model Context Protocol (MCP) as the central, AI-friendly interface for security data.
2. **Audit Current State:** Conduct an audit of current security operations workflows to identify processes that are most time-consuming, repetitive, and data-intensive, prioritizing these for initial automation via agent assistance.
3. **Define Human Authority Boundaries:** Determine and document initial "human-in-the-loop" checkpoints for automated workflows, defining where human approval is mandatory before execution (especially for high-impact remediation actions).
### Short-term Improvements (1-3 months)
1. **Implement Orchestration Platform:** Select and begin integrating a central orchestration platform (e.g., Infosys Cyber Next) capable of consuming standardized contexts (Wiz MCP) and integrating with ITSM/CMDB systems to enrich findings with business context (ownership, impact).
2. **Deploy Specialized Agents (Discovery Focus):** Begin piloting specialized agents focused on early-stage security lifecycle tasks, such as the **Discovery Agent**, responsible for identifying assets and their initial security posture based on contextual data.
3. **Integrate Contextual Reasoning:** Configure agents to utilize the rich, interconnected context provided by MCP (e.g., attack paths, sensitivity, identity relationships) rather than just isolated alerts, enabling reasoning over *why* a finding matters.
### Long-term Strategy (3+ months)
1. **Mature Multi-Agent System:** Expand the deployment of specialized, narrow-scope agents across the entire security lifecycle (Investigation, Remediation, Content Engineering). Ensure clear delineation of roles to minimize agent overlap and scope creep.
2. **Develop Advanced Remediation Agents:** Develop and rigorously test agents capable of proposing and executing automated remediation actions. These agents must execute only after thorough validation against business risk and, where necessary, explicit human-in-the-loop authorization.
3. **Establish Monitoring for Agent Efficacy and Drift:** Implement continuous monitoring to track the performance, accuracy, and compliance of the agentic system. Regularly review agent decisions against organizational security policies to prevent security context drift or flawed automated actions.
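
A minimal sketch of the human-in-the-loop checkpoint and role delineation described above, as an added example that is not code from the source or from any vendor. The role names, action names and the high-impact list are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed role scopes: each agent may only propose actions in its own lane.
AGENT_SCOPES = {
    "discovery": {"tag_asset"},
    "investigation": {"open_ticket", "snapshot_disk"},
    "remediation": {"open_ticket", "rotate_key", "isolate_workload"},
}
# Assumed policy: these actions always need a named human approver.
HIGH_IMPACT = {"rotate_key", "isolate_workload"}

@dataclass
class Proposal:
    agent_role: str
    action: str
    target: str
    approver: Optional[str] = None  # filled in by a human reviewer, never by an agent

@dataclass
class Gate:
    audit_log: list = field(default_factory=list)

    def decide(self, p: Proposal) -> str:
        """Return the verdict for one proposal and append it to the audit trail."""
        if p.action not in AGENT_SCOPES.get(p.agent_role, set()):
            verdict = "rejected_out_of_scope"      # role overlap / scope creep
        elif p.action in HIGH_IMPACT and not p.approver:
            verdict = "pending_human_approval"     # mandatory checkpoint
        else:
            verdict = "approved"
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "agent_role": p.agent_role, "action": p.action, "target": p.target,
            "approver": p.approver, "verdict": verdict,
        })
        return verdict

def run_constructed_examples():
    """Constructed proposals covering each branch of the gate."""
    gate = Gate()
    verdicts = [gate.decide(p) for p in (
        Proposal("discovery", "isolate_workload", "vm-payments-01"),
        Proposal("remediation", "isolate_workload", "vm-payments-01"),
        Proposal("remediation", "isolate_workload", "vm-payments-01", approver="alice"),
        Proposal("investigation", "open_ticket", "vm-payments-01"),
    )]
    return verdicts, gate.audit_log
```

Every decision, including rejections, lands in the audit log, which is what makes later review of agent decisions against policy possible.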
## Implementation Guidance
### For Small Organizations
- Focus exclusively on utilizing the Wiz MCP interface to query clean, high-fidelity context for manual analysis, speeding up investigation triage immediately.
- Prioritize the adoption of pre-built, unified solutions that offer integrated orchestration capabilities rather than building separate custom integration layers.
- Start with agents focused solely on enrichment and information gathering (e.g., identifying asset owners via CMDB integration) before attempting any automated remediation.
### For Medium Organizations
- Invest in a dedicated orchestration platform to manage the coordination of 2-3 specialized agents (e.g., Discovery and Initial Triage).
- Use Wiz MCP to bridge gaps between existing point solutions (like ticketing systems or vulnerability scanners) and emerging AI tooling that requires structured context.
- Develop standardized security context queries (MCP requests) that can be reused across multiple team workflows.
### For Large Enterprises
- Implement the complete multi-agent architecture, dividing labor across multiple specialized agents operating across discovery, investigation, and content engineering.
- Leverage the central orchestration layer to unify context from diverse sources, including Wiz MCP, ITSM MCP servers, and configuration management databases.
- Establish rigorous governance and version control for all deployed agents and their defined roles, treating agents as production assets requiring formal lifecycle management.
## Configuration Examples
*(Note: Specific configuration syntax is not provided in the source text. The following describes the required configuration elements based on the architectural components mentioned.)*
1. **MCP Exposure Configuration:** Configure the **Wiz Remote MCP Server** to expose the relevant Security Graph data endpoints (e.g., attack paths, identity relationships) via the Model Context Protocol (MCP). This involves enabling the server and defining access policies for authorized orchestration tools.
2. **Agent Authorization:** Configure the central orchestration layer (e.g., Infosys Cyber Next) with credentials and access permissions necessary to query the Wiz Remote MCP Server using specific MCP tools (like `get_secops_agent_analysis`).
3. **Context Enrichment Integration:** Configure the orchestration platform to map outputs from Wiz MCP to relevant records retrieved from ITSM/CMDB MCP servers to enrich security findings with business context (e.g., linking a critical finding to a specific business unit owner).
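
The enrichment step in item 3, shown as an added example rather than configuration from the source: findings are joined to CMDB records, unowned assets are routed to a fallback queue, and the result is ordered by context. All record shapes, field names and the ordering policy are assumptions; they are not the Wiz MCP or any CMDB schema.

```python
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample records; field names are assumptions, not the Wiz or CMDB schema.
FINDINGS = [
    {"id": "F-1", "resource": "VM-Payments-01", "severity": "HIGH", "on_attack_path": True},
    {"id": "F-2", "resource": "bucket-logs", "severity": "CRITICAL", "on_attack_path": False},
    {"id": "F-3", "resource": "vm-sandbox-07", "severity": "HIGH", "on_attack_path": True},
]
CMDB = [
    {"ci": "vm-payments-01", "owner": "payments-platform", "business_unit": "Payments", "tier": 1},
    {"ci": "bucket-logs", "owner": "observability", "business_unit": "Platform", "tier": 3},
]

def enrich(findings, cmdb, fallback_owner="secops-triage"):
    """Join findings to CMDB records and order them by context, not severity alone."""
    index = {rec["ci"].lower(): rec for rec in cmdb}  # case-insensitive join key
    enriched = []
    for f in findings:
        rec = index.get(f["resource"].lower())
        enriched.append({
            **f,
            "owner": rec["owner"] if rec else fallback_owner,
            "business_unit": rec["business_unit"] if rec else None,
            "tier": rec["tier"] if rec else None,
            "owner_resolved": rec is not None,  # False = CMDB gap to fix
        })
    # Assumed ordering: attack-path exposure, then severity, then business tier.
    enriched.sort(key=lambda e: (not e["on_attack_path"],
                                 SEVERITY_RANK[e["severity"]],
                                 e["tier"] if e["tier"] is not None else 99))
    return enriched
```

With the constructed data, the HIGH finding on an attack path outranks the CRITICAL finding that is not on one, and the sandbox VM with no CMDB record is flagged instead of being silently dropped.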
## Compliance Alignment
This agentic approach directly supports compliance goals by enhancing the speed and reliability of processes required by:
- **NIST Cybersecurity Framework (CSF):** Improves **Detect** (faster identification of threats) and **Respond** (faster containment and investigation). The centralized context enhances **Identify** capabilities.
- **ISO/IEC 27001:** Supports stronger evidence collection during audits, because investigation and remediation steps are logged via the central orchestration layer, which provides accountability.
- **FedRAMP Continuous Monitoring:** Automating context gathering and risk prioritization drastically shortens the time needed to meet the continuous monitoring requirements for maintaining compliance status.
## Common Pitfalls to Avoid
1. **Relying on Static Alerts:** Do not treat the agentic system as simply a faster alert processor. The value derives from agents reasoning over **rich, interconnected context** (Wiz Security Graph via MCP), not just isolated findings.
2. **Ignoring Human Accountability:** Failing to maintain a verifiable **human-in-the-loop** governance structure will undermine accountability, auditability, and trust in the automated remediation actions.
3. **Creating Overlapping Agent Responsibilities:** Designing agents with poorly defined, overlapping scopes will lead to redundant processing, conflicts, and inefficiency. Ensure specialization for each agent role.
4. **Building Rigid, Point-to-Point Integrations:** Avoid the traditional approach of building custom API integrations for every security tool. Use standardized protocols like **MCP** for a scalable, consistent interface between data sources and reasoning engines.
## Resources
- **Wiz Security Graph:** Core source of deep, contextual cloud risk data.
- **Wiz Remote MCP Server:** The standardized, AI-friendly interface for accessing the Security Graph context.
- **Model Context Protocol (MCP):** The underlying standardized framework enabling consistent tooling interaction (required for agent reasoning).
- **Infosys Cyber Next / Topaz Fabric:** Example of a central orchestration layer that unifies observability and coordinates specialized agents.