McAfee Emphasizes Threat Intelligence with Spinoff from Intel Now Complete
McAfee is once again a freestanding provider of security software, following last week's completion of its divestiture from Intel, which was announced last fall. Private equity firm TPG acquired a majority 51 percent stake in the McAfee spinoff for $3.1 billion, though Intel has a strong vested interest in McAfee retaining 49 percent ownership. Now free from Intel's control, the new McAfee is no longer beholden to the interest of the chip provider, giving it a freer hand to compete with the likes of IBM, Symantec, Sophos and Trend Micro, among others.
Chris Young, who ran Intel Security, is now McAfee's CEO. While TPG has suggested further acquisitions are likely and said in its strategy statement that it intends to "build and create one of the largest, independent, pure-play cybersecurity companies in the industry." As many have noted, Intel's $7.7 billion acquisition of McAfee back in 2011 didn't live up to its promise. Now McAfee hopes to gain ground in a much different IT security landscape.
Nevertheless, McAfee has a formidable and wide range of cybersecurity offerings including its flagship endpoint security software, intrusion detection and prevention tools, its Enterprise Security Manager SIEM offering and e-mail security, Web security and vulnerability scanning tools. While it exited the next generation firewall (NGFW) business, ePolicy Orchestrator had become an "anchor" platform for Intel Security, and now McAfee, according to ESG Senior Principal Analyst Jon Olstik, in a Network World blog post. Olstik, who has followed McAfee for decades since it was known as Network Associates, said McAfee's challenge is to regain its leadership in endpoint security, become less product focused, emphasize the C-suite and focus on cloud security, an area the company hasn't adequately addressed.
One area McAfee has invested in heavily is threat intelligence with ePolicy Orchestrator tied to its Threat Intelligence Exchange (TIE), whose wide gamut of partners supports its Data Exchange Layer (DXL), which the company recently made available as open source in the hopes to extend adoption.
In the first McAfee Labs Threat Report following the spinoff, the company identified five critical challenges to handling threat intelligence: volume, validation, quality, speed and correlation. The 49-page report is available for download, though here's an edited synopsis of the five threats McAfee Labs believes the industry must address:
- Volume: The Internet of Things has led to the deployment of millions of security sensors creating high volumes of data fed into threat intelligence tools, which include streaming analytics and machine-learning software that process and analyze the data. While these tools have improved the level of internal threat detection, it has created a yet unsolved massive signal-to-noise problem. Vendors are tackling this in various ways, such as building access monitors that scan sensitive data, sophisticated sandboxes and traps that can resolve contextual clues about a potential attack or suspicious event.
- Validation: Given the ability for threat actors to issue false threat reports designed to mislead or overwhelm threat intelligence systems, it's essential to validate the sources of shared threat intelligence.
- Quality: Vendors need to rearchitect security sensors to capture and communicate richer trace data to help decision support systems identify key structural elements of a persistent attack. Filters, tags and deduplication are critical. McAfee is among six founding members of the new Cyber Threat Alliance (CTA), launched in February during the RSA Conference, that is looking to address the quality issue. Joined by Check Point, Cisco, Fortinet, Palo Alto Networks and Symantec, the CTA will automatically score the quality of threat intelligence data, but can only gather information if they are supplied quality input.
- Speed: The latency between a threat detection and the reception of critical intelligence remains an issue. Open and standardized communication protocols, optimized for sharing threat intelligence are essential for successful threat intelligence operations. Advanced persistent threats and sophisticated, targeted campaigns often target multiple organizations in specific vertical industries, meaning communications among an intermediary or exchange must occur within hours of the first indication of an attack.
- Correlation: As threat intelligence is received, correlating the information -- while looking for patterns and key data points relevant to the organization -- is critical. Vendors must find improved ways to share threat intelligence among different products and improve methods to automatically identify relationships between the intelligence collected and ultimately to employ machine assistance to simplify triage.
While the report points to an industry call to action, it gives a synopsis of McAfee's priorities regarding threat intelligence, an emphasis kicked off back in 2014 with the launch of its DXL threat exchange. Olstik noted the DXL platform is effectively security middleware. The TIE includes products from dozens of exchange members who offer network management, application and database security, incident response, forensics, endpoint and mobile device management platforms, authentication, encryption, data loss prevention and cloud security.
Posted by Jeffrey Schwartz on 04/14/2017 at 11:42 AM