Brian Kenyon, Chief Technology Strategist, McAfee, a part of Intel Security, follows a “define-freeze-fix” approach to eradicate malware. He is confident that his company is well positioned to deal with today’s ever-evolving threat landscape.
How do you see the threat landscape evolving? Are attacks getting more sophisticated and targeted?
Even the newest hacker can purchase the deadliest malware today. Various tools and techniques are available that can equip anyone to pose a threat. The nature of current malware is quite refined. This includes ransomware and digitally signed malware, to name a few. Cryptolocker, a kind of ransomware, targets Microsoft Windows and restricts access to the computer system that it infects until a ransom amount is paid to the creator(s).
Our systems are hacker-friendly. Normally, malware will scan the infrastructure for a weak point that can be breached. We promote such intruders to get into the system in order to study their behaviour and use the information against them – block them from other places. When an attacker tries to break in, we trace the footprints well enough to thwart all future attempts.
There are two broad classifications for all attacks. The first kind is the targeted attack when infiltration is done patiently as the attacker is after a specific kind of data. The other kind causes a nuisance by casting a wide net of malware and seeing what is infected.
What is the integrated security approach McAfee is preaching to protect governments and businesses?
We educate businesses and governments on various security risks and how a security strategy needs to be put in place to induce risk mitigation. This is done largely through our network of resellers and individuals who sit with these entities and understand what their priorities are, how they are struggling and where McAfee solutions can come in.
How effective are standalone appliances in protecting enterprise networks today?
Appliances and security tools today are already moving to a virtual infrastructure, but it is progressing slowly – organisations aren’t just jumping onto the idea. Virtualisation of network infrastructure is happening at a steady rate. Earlier on, cloud was the big move that everyone made. Software-defined networking and virtualisation aren’t quite there yet. Security needs to be taken seriously in the virtualisation process.
When a server rack is added to a data centre physically, it’s hard not to notice. That isn’t the case virtually. People can launch newer servers and new applications without taking security into account.
While that is happening, McAfee is working with VMware, Microsoft and Citrix to bring a security capability into these organisations to make the network appliances secure. For instance, if Microsoft turns on a virtual Web Server – the security in place (i.e. firewall or antivirus) turns on simultaneously.
What is the biggest source of malware today? Where is it coming from?
It is originating from all over the world but is focused more on cross-platform applications. For example, Adobe and a few of Microsoft’s applications are relatively popular as these work on Mac, Windows and all mobile platforms. Applications of such a nature are more likely to be targeted.
The security of each application depends on who wrote it – Android, being open-source, is more vulnerable because anyone can access it, compared to Windows or iOS.
How do you protect against Advanced Persistent Threats (APTs)?
McAfee follows a three-pronged approach to deal with all APTs: Define – whereby, we enable customers through our technology to find threats in their environment; freeze – next we quarantine the threat so that it doesn’t spread any further; and fix – finally, we eradicate it.
All APTs are there for a long time, which is their weakness. If you are able to find that threat quickly and in an automated fashion, you can contain it in time and eradicate it so that it doesn’t spread any further. When a piece of malware comes through an endpoint, we identify it and use what we have learned to hunt the rest of the environment to see if it exists anywhere else – and if it does, we define and pull it out. Cryptolocker is a case in point – how it was identified on the system alongside all the encryption algorithms that helped us remove it and stop some of the remains from pushing through.
Can you tell us a bit about the sandboxing technology available in your latest appliance?
Also called Advanced Threat Defense, it is built to arm us with an alternate inspection engine. Using our network technologies such as IPS or web gateways, we can move suspicious files to it, contain them in a virtual container and detonate these so we can see how the malware behaves, how it activates, what it does and use that information to protect other solutions and get them to block the virus if it is detected anywhere else.
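The define, freeze, fix cycle from the APT answer, driven by the kind of detonation verdict described above, as an added example that is not McAfee’s or Intel Security’s code. The sandbox report, the three endpoint inventories, the payload byte strings and the in-memory quarantine store are all constructed stand-ins (hypothetical); a real deployment would read inventories from an endpoint agent and quarantine on disk. The point the interview makes, and the code reflects, is that the sweep matches files by hash rather than by name, so a renamed copy on a second host is still caught while a benign look-alike is not.

```python
import copy
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed inputs: harmless byte strings standing in for real samples ----
DROPPER_BYTES = b"CONSTRUCTED-DROPPER-v1"   # the file the sandbox detonated
PAYLOAD_BYTES = b"CONSTRUCTED-PAYLOAD-v1"   # what it wrote to disk while running
BENIGN_BYTES = b"constructed legitimate vendor binary"

# Constructed sandbox report: what detonation observed about the dropper.
SANDBOX_REPORT = {
    "sample_sha256": sha256(DROPPER_BYTES),
    "dropped_files": [{"path": r"C:\Users\Public\svchost.exe", "sha256": sha256(PAYLOAD_BYTES)}],
    "run_keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"],
    "connections": ["203.0.113.7:443"],
}

# Constructed endpoint inventories, as a hypothetical agent might report them.
HOSTS = {
    "ws-finance-01": {   # patient zero: dropper, payload, persistence and C2 all present
        "files": {r"C:\Users\alice\Downloads\invoice.pdf.exe": DROPPER_BYTES,
                  r"C:\Users\Public\svchost.exe": PAYLOAD_BYTES},
        "run_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost": r"C:\Users\Public\svchost.exe"},
        "connections": ["203.0.113.7:443"],
    },
    "ws-hr-07": {        # lateral spread: same payload under a new name, no persistence yet
        "files": {r"C:\Windows\Temp\wupdate.tmp": PAYLOAD_BYTES},
        "run_keys": {},
        "connections": [],
    },
    "ws-clean-03": {     # look-alike name with benign content; must not match
        "files": {r"C:\Program Files\Vendor\svchost.exe": BENIGN_BYTES},
        "run_keys": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater": r"C:\Program Files\Vendor\updater.exe"},
        "connections": ["198.51.100.2:443"],
    },
}


@dataclass(frozen=True)
class Indicators:
    file_hashes: frozenset
    run_keys: frozenset
    connections: frozenset


def define(report: dict) -> Indicators:
    """DEFINE: turn one sandbox report into indicators the whole estate can be searched for."""
    hashes = {report["sample_sha256"]} | {d["sha256"] for d in report["dropped_files"]}
    return Indicators(frozenset(hashes), frozenset(report["run_keys"]), frozenset(report["connections"]))


def hunt(hosts: dict, iocs: Indicators) -> dict:
    """Sweep every inventory; return {host: [(kind, value), ...]} for hosts with a match."""
    findings = {}
    for name, inv in hosts.items():
        hits = [("file", p) for p, data in inv["files"].items() if sha256(data) in iocs.file_hashes]
        hits += [("run_key", k) for k in inv["run_keys"] if k in iocs.run_keys]
        hits += [("connection", c) for c in inv["connections"] if c in iocs.connections]
        if hits:
            findings[name] = hits
    return findings


def freeze(hosts: dict, findings: dict) -> dict:
    """FREEZE: pull matched files into quarantine and isolate the host. Returns the quarantine store."""
    quarantine = {}
    for name, hits in findings.items():
        for kind, value in hits:
            if kind == "file":
                quarantine[(name, value)] = hosts[name]["files"].pop(value)
        hosts[name]["isolated"] = True
    return quarantine


def fix(hosts: dict, findings: dict, quarantine: dict) -> list:
    """FIX: remove persistence, tear down C2 sessions, delete quarantined copies, lift isolation."""
    actions = []
    for name, hits in findings.items():
        for kind, value in hits:
            if kind == "run_key":
                del hosts[name]["run_keys"][value]
                actions.append(f"{name}: deleted run key {value}")
            elif kind == "connection":
                hosts[name]["connections"].remove(value)
                actions.append(f"{name}: blocked {value} and tore down the session")
        hosts[name]["isolated"] = False
    for name, path in list(quarantine):
        del quarantine[(name, path)]
        actions.append(f"{name}: deleted quarantined {path}")
    return actions


def sweep(hosts: dict, report: dict) -> dict:
    """Run define -> hunt -> freeze -> fix on a copy of the inventories; re-hunt to confirm nothing is left."""
    hosts = copy.deepcopy(hosts)
    iocs = define(report)
    findings = hunt(hosts, iocs)
    quarantine = freeze(hosts, findings)
    actions = fix(hosts, findings, quarantine)
    return {"findings": findings, "actions": actions, "residual": hunt(hosts, iocs), "hosts": hosts}


if __name__ == "__main__":
    result = sweep(HOSTS, SANDBOX_REPORT)
    for host, hits in result["findings"].items():
        print(host, hits)
    print("\n".join(result["actions"]))
    print("residual after fix:", result["residual"])
```

The closing re-hunt is the check a practitioner wants: a sweep that quarantines but cannot prove the indicators are gone has only frozen, not fixed. Hash matching is deliberately the only file criterion; name matching would have flagged the benign `svchost.exe` on `ws-clean-03` and missed the renamed payload on `ws-hr-07`.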
Is anti-virus obsolete as a technology? Is it just the idea that stands there and not the product itself?
Antivirus isn’t obsolete – it is still very much viable and it still stops a lot of malware everyday but it is not the answer to the future. It’s a technology that is still very relevant but we need to build advanced detection capabilities and get more insight on how users are browsing the website. We are still five years ahead of the antivirus technology becoming obsolete in its traditional form.
Has the rebranding of McAfee Security to Intel Security changed your operations in any way?
McAfee technology is still running the same way as before. Intel Security is a partnership initiative with Intel whereby we are using Intel hardware to make our security capability better and leverage future capabilities of Intel processor chips and data centres. The McAfee roadmap is still very much independent – there are things we are doing with Intel that are being introduced in the market as a combined effort – but McAfee is handling the product development on its own.
As a CTO, what suggestions would you give to C-level IT decision makers about justifying IT spend to drive business? Is selling a particular solution more of a challenge today as compared to before?
Not really, as security is still top-of-the-mind for an enterprise. What is required today is different from what was required previously as we have to provide an integrated security fabric – we can’t go in and sell a product here and a product there. We have to provide them with an overarching solution that leads them to a path of defending their assets. That is different from the past when companies would go just buy an IPS or a firewall. Today, companies approach the security solution provider for an overarching strategy to help them protect their assets.
What is McAfee’s IT security roadmap for the next two years?
McAfee is focused on four core areas: These include advanced malware – being able to quickly define, freeze and fix; Big Data analytics – being able to take anomalous data and identify when things are out of norm; threat intelligence – how can we bring both local intelligence and global intelligence to fight the threat; and virtualisation – continuing to develop the networking functionality of that software that enables virtualisation.
Any parting words for the enterprise buyer?
Organisations need to keep in mind what they intend to defend before getting into what tools they should buy. What they need to analyse first is what information would make the attacker rich from targeting the company, what would ruin them, or what regulatory and compliance issues they have to abide by – from that information they can move on to devising a strategy on what systems and tools they would need to put in place.
We have built a number of training programs and work very closely with the customers and the resellers in order to make sure that when a product is brought to market the expertise is around. Over the next few years, we intend to train the user on not just the tools but security methodologies. From the customer-end, the focus has to be on understanding the security architecture as a whole.