At RSA Conference in late February, McAfee announced the acquisition of sophisticated sandboxing technology and 38 product enhancements that together extend McAfee’s lead in protection against malware. During our pre-RSA press and analyst event, McAfee senior vice president Pat Calhoun also discussed at length an idea we call “comprehensive malware protection,” which includes five foundational antimalware capabilities that you can learn more about in my previous blog entry.
Those foundational antimalware capabilities are:
One by one over the next several months – beginning with “integrated” this month – I’m going to discuss in detail these five key capabilities and how they work together to protect against malware in a comprehensive way.
What does “integration” mean as it relates to protection against malware?
Let me illustrate through an example.
Our newly acquired sandboxing technology will be a key part of McAfee Advanced Threat Defense – that’s what we’ll call our intelligent, layered antimalware product once it’s available – and it will be tightly integrated with McAfee Network Security Platform (NSP) and McAfee ePolicy Orchestrator (ePO).
A typical malware “find, freeze, and fix” scenario will be one in which a suspect file is detected by NSP and passed to McAfee Advanced Threat Defense for analysis. Once the suspect file has been convicted, McAfee Advanced Threat Defense will automatically pass a convicted malware report to ePO, which will in turn automatically propagate that threat information to all of McAfee’s antimalware products. Those products will then prevent all future instances of the malware from being transmitted across the network or embedding themselves on endpoints.
In addition, within seconds of receiving the report from McAfee Advanced Threat Defense, McAfee technology will automatically identify any endpoints in the network that have already been compromised. With a simple click by a security analyst, a process will be automatically initiated to remediate all of the compromised endpoints.
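To make the "find, freeze, and fix" flow above concrete, here is an added illustration (not McAfee code and not any McAfee API): a sandbox verdict is ingested by a central console, which both blocks the file for all future sightings and looks back through endpoint file-sighting records to find hosts that already ran it. The record format, the hash values, and the class and function names are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed sample sightings reported by endpoints (hashes are fake).
ENDPOINT_SIGHTINGS = [
    {"host": "ws-101", "sha256": "a1" * 32, "path": r"C:\Users\amy\Downloads\invoice.exe"},
    {"host": "ws-117", "sha256": "a1" * 32, "path": r"C:\Temp\invoice.exe"},
    {"host": "ws-204", "sha256": "b2" * 32, "path": r"C:\Program Files\tool\tool.exe"},
    {"host": "ws-101", "sha256": "c3" * 32, "path": r"C:\Windows\System32\notepad.exe"},
]


@dataclass(frozen=True)
class ConvictionReport:
    """Verdict handed from the sandbox to the management console (assumed format)."""
    sha256: str
    verdict: str          # "malicious" or "clean"
    sample_name: str


@dataclass
class ManagementConsole:
    """Stand-in for the central policy server that fans a verdict out."""
    blocklist: set = field(default_factory=set)

    def ingest(self, report: ConvictionReport, sightings: list) -> dict:
        """Freeze: add the hash to the shared blocklist.
        Find: return hosts that already saw the file, with where it landed."""
        if report.verdict != "malicious":
            return {}
        self.blocklist.add(report.sha256)
        compromised = {}
        for s in sightings:
            if s["sha256"] == report.sha256:
                compromised.setdefault(s["host"], []).append(s["path"])
        return compromised

    def should_block(self, sha256: str) -> bool:
        """Check a network or endpoint product would make on each new file."""
        return sha256 in self.blocklist

    def remediation_plan(self, compromised: dict) -> list:
        """Fix: one quarantine task per compromised host, ready for analyst approval."""
        return [{"host": h, "action": "quarantine", "paths": sorted(p)}
                for h, p in sorted(compromised.items())]


if __name__ == "__main__":
    console = ManagementConsole()
    hits = console.ingest(ConvictionReport("a1" * 32, "malicious", "invoice.exe"),
                          ENDPOINT_SIGHTINGS)
    print(console.remediation_plan(hits))
```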
There are dozens of similar McAfee product integration examples, but I think you get the picture.
Why is an integrated antimalware solution important?
Security product integration provides many benefits, but I believe these are the most significant:
- If your network, endpoint and management security products are integrated with a solid threat intelligence service, they receive new threat information in real time – improving malware detection accuracy and your organization’s overall security posture.
- If a security information and event management system (SIEM) is integrated with your network, endpoint and other management security products, the security system delivers better situational awareness and shortens response time to malware threats, shrinking the window of vulnerability.
- If the security products are integrated with a single-pane-of-glass security management product, it can provide ubiquitous security visibility and control across the organization.
- If your security ecosystem comes “out of the box” already integrated, it reduces implementation time and lowers cost.
In a recent Network World guest blog, Enterprise Strategy Group principal analyst Jon Oltsik noted:
“Integrated host/network security coverage is becoming more appealing. Note that 37% balance their security focus across hosts and networks. This is the prevailing trend. As one CISO put it to me, ‘I pay for and then manage network defenses and host defenses. If these things worked together, my guess is that I’d have better security and lower costs. So please tell me: Why don’t they work together?’ In the past, host and network security controls were a world apart, but several vendors including McAfee, Sophos, and Sourcefire are bridging these technologies giving them a market advantage. Others will acquire or partner as host/network integration gains popularity.”
I believe the CISO Jon quoted is right – integration does indeed improve organizational security posture and lower costs.
What is needed to deliver an integrated antimalware solution?
At the base level, organizations need antimalware-focused endpoint, network, and management security products at many layers – a “defense-in-depth” approach. Once all the bases have been covered, integration becomes a very powerful weapon in the fight against malware.
With the antimalware security ecosystem in place, the products then need to be integrated – which is easier said than done. Most organizations follow a best-of-breed approach to security product selection but soon discover just how hard and how expensive it is to integrate them. Some organizations purchase their key security products from a single vendor, believing that they must be integrated already. But that’s not necessarily so. Take Cisco’s security products as an example. In a recent CIO Magazine article, reporter Ellen Messmer noted:
“[Cisco’s Dave] Frampton does acknowledge that Cisco could be doing a better job in one area: uniting the security products it has acquired over the years so that they have a more unified policy and management platform. An integrated system, says Frampton, ‘will happen over the next several years.’”
Several years? Wow!
Similarly, in its restructuring announcement in January 2013, Symantec’s CEO, Michael Bennett, publicly acknowledged its failure to deliver useful integration:
“Symantec has ‘great point solutions built mostly from acquisition,’ said Mr. Bennett. ‘We haven’t really integrated the value of those different point solutions to solve important customer problems.’”
Having failed once, Symantec’s strategy announcement quoted a discouraging timeline for their next attempt at integration:
“The overall development process is estimated to take six to 24 months depending on the specific offering.”
In stark contrast to these “futures,” McAfee’s end-to-end suite of endpoint, network, and management security products is integrated right now. In fact, comprehensive malware protection is just a concrete example of our entire Security Connected framework, which guides our work at McAfee. At its core, Security Connected relies on end-to-end, integrated protection to improve security posture, optimize security for greater cost effectiveness, and align security strategically with business initiatives.