Breaking down operational silos with McAfee Data Exchange Layer (DXL)
Cybercriminal gangs cooperate with one another, sharing tactics and exploits, leaving security solutions at a distinct disadvantage. We need to tip the scales and retake the advantage from our adversaries. To do that, we need to break down the operational silos between security products and bring the components together into a single cohesive system, regardless of vendor, in effect creating a security cooperative. This is not just about the industry working together. This collective approach is about customers working with each other as well as with the industry, in effect participating in their own survival in a way that has not been possible, even in the recent past. In the past, a response that arrived tomorrow, later today, or even 15 seconds from now was “good enough”; the present and the future demand true “real-time” capabilities, and they demand it from the entire ecosystem – not just a few select parts of it. We have quickly moved from an era of proprietary “black box” solutions to an era where community-driven, open standards-based situational awareness and remediation in milliseconds is rapidly becoming table stakes.
At our recent FOCUS 15 conference, we explored the current and future of integrating disparate, multi-vendor solutions with McAfee Data Exchange Layer (DXL), in conversation with senior executives from CloudHASH Security, ForeScout Technologies, TITUS, and TrapX Security.
The panel discussed how enterprises are increasingly willing to adopt new security technologies as a way of gaining competitive advantage. Companies are looking for the new silver bullet to plug security holes in their environments. However, this approach results in technology silos and uncorrelated data. While each product may be best in class, integrating them into a cohesive workflow is difficult. The traditional point-to-point integration used to join two disparate products does not scale: it is time consuming and breaks whenever either product has a major revision. The information we need is out there, but it is not readily accessible, and in the rare event that it is, the time it takes to actually act on it is simply not available in a world where everything happens in far less than a split second.
A colleague and friend of mine Paul Reid (of Interset) recently wrote “The Security Connected vision of real-time information sharing across DXL is more relevant than ever before.” I could not agree with you more, Paul, and it is the collaboration and correlation of a vast array of disparate solutions and the data from these solutions that gives us a fighting chance to change our stars in the current and future world we face.
With the above in mind, the industry has to come to terms with the simple fact that there is no silver bullet. Stretching that analogy to a painful degree, a silver buckshot approach ties together best of breed products in a loosely coupled but tightly integrated fabric. In the past, the challenge was the lack of a standard way by which this cohesive, tightly integrated approach could actually work and, more importantly, truly be successful. Enter DXL as an open communication bus that enables products from multiple vendors to share all types of information, such as threat intelligence, data classifications, file reputations, local events, and user context, at the necessary speed and scale. As a result, actionable data can be shared quickly, enabling greater insight into threats that were not visible before, in real-time. This sharing spans the entire enterprise, helping you hunt down every version and variation of malicious code. Products can interact directly with other vendors that have different areas of expertise, without having to rely on a centralized control or master-slave relationship. The result is much faster information flow, greater insight into threats, and less duplication in product functionality, leading to better performance. The multiple points of view produce faster and more accurate correlations, leading to earlier detection and quick convictions with fewer false positives and actionable results. This type of communication in real-time truly begins to enable what we have talked about for more than a decade: an iterative, agile feedback loop, which evolves constantly to meet new threats and challenges.
Military science teaches this concept as the only way we have a shot at dispelling the fog of war. Constructs like Boyd’s OODA (Observe, Orient, Decide, Act) loop have been tested time and again successfully in the physical world and have been debated for decades by cyber-practitioners in one form or another. Now that the capability exists to put them into action, there is no reason to wait.
Those who have worked with DXL can share exactly what it can bring to the table as companies and customers work together. When asked about their experience implementing the technology, panelists said that it was the right mix of functionality and simplicity that enabled rapid implementation – less than three weeks in one example. Panelists were also pleased that different security products could interact directly with one another, sharing information, without requiring some type of Intel product as a gatekeeper. Once the companies have done the initial DXL implementation, establishing additional connections between products is simple and very quick. For example, connecting CloudHASH and ForeScout took only about 30 minutes of work on each side to add or edit the message definitions.
Think about that. Once the initial work was done, ForeScout noted that the time for the four partners at the show to implement a collaborative solution was incredibly small compared to what it would have taken to work with even one partner in the prior model.
DXL was introduced just over a year ago, and is already widely supported with partners in the Intel Security Innovation Alliance (SIA) covering all aspects of endpoint, network, cloud, and data center security, sharing important information to the benefit of the customer. Our partners discussed how DXL is a force multiplier, enabling them to do more than they could as independent security technologies. For example, TITUS identifies a privileged insider, who has legitimate access to a sensitive file, but is observed printing the document to PDF. They put a message out on the DXL bus sharing what they are seeing, which ForeScout picks up and dynamically moves the user onto a separate VLAN. TrapX spawns a deception trap to catch the document before it is exfiltrated, and CloudHASH initiates a forensics review on this user to locate any previous compromise or exfiltration events.
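The fan-out described above, modelled as an added example (not DXL or OpenDXL code, and not any of the named vendors' integrations): one publisher puts a data-loss event on a topic and three independent subscribers each take their own action, with no coordinator in between. Topic names, message fields and sample values are constructed for this example.

```python
import json
from collections import defaultdict

# Minimal topic-based publish/subscribe bus modelling the flow described above.
# Topic names and message fields are assumptions, not DXL's real schema.
class Bus:
    def __init__(self):
        self._subs = defaultdict(list)
        self.log = []                        # every delivered message, for auditing

    def subscribe(self, topic, callback):
        self._subs[topic].append(callback)

    def publish(self, topic, payload):
        # Serialize once: subscribers see the same wire message, not shared objects.
        msg = json.dumps({"topic": topic, **payload}, sort_keys=True)
        self.log.append(msg)
        for cb in list(self._subs[topic]):   # deliver to each subscriber; no master
            cb(json.loads(msg))

def run_scenario():
    bus = Bus()
    actions = []

    # ForeScout-style NAC: move the workstation named in the event to a quarantine VLAN
    bus.subscribe("/example/dlp/event",
                  lambda m: actions.append(("nac", "vlan-move", m["host"])))
    # TrapX-style deception: lay a decoy copy of the sensitive document
    bus.subscribe("/example/dlp/event",
                  lambda m: actions.append(("deception", "deploy-decoy", m["file"])))
    # CloudHASH-style forensics: start a review and announce it on its own topic
    def forensics(m):
        actions.append(("forensics", "review-user", m["user"]))
        bus.publish("/example/forensics/started", {"user": m["user"]})
    bus.subscribe("/example/dlp/event", forensics)

    # TITUS-style classifier publishes; it knows nothing about who is listening,
    # so adding a fourth subscriber later changes nothing on this side.
    bus.publish("/example/dlp/event", {
        "source": "classifier", "user": "jdoe", "host": "ws-1042",
        "file": "merger-plan.docx", "classification": "confidential",
        "observed": "print-to-pdf",
    })
    return actions, bus.log
```

The returned `actions` list holds one entry per subscriber and `bus.log` holds both the original event and the follow-on forensics notice, which is the audit trail a SOC would want from such a bus.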
When asked about the future potential, the panelists responded that they were currently just scratching the surface of DXL’s capabilities, and were looking forward to where it might take them. One of the opportunities discussed was the potential for greater automation (moving towards aspects of truly Autonomic Security), reducing extraneous noise, improving response times, and freeing up people for more important tasks. A very significant by-product of this type of scalable and extensible implementation is the very real potential to help alleviate the shortage of skilled security personnel on both sides of the table. The open messaging bus adds clarity and fidelity to inter-vendor communications (more coming soon on customer interactions), standardizing message traffic and reducing the need to translate between each other’s language. The result is faster and more deterministic security between disparate devices and systems, longer product lifecycles, and faster delivery of actionable intelligence that is more closely connected to the business.
Possibly the most important aspect of DXL is how it is changing the conversation with customers. Customers are getting a clearer look at who is being additive to the security posture. With different threat actors targeting different organizations and industries, we can move from “what can we do” to “what would you like us to do”. This type of customer-focused mentality has been a long time coming to the industry, and I am incredibly proud not only to be a part of it, but to watch it unfold. Mentalities are changing on both sides as the reality of the challenges we face going forward begins to sink in. No one silo wins this fight. No single company wins this battle. It will take a concerted effort with enablers like DXL to change the game and eventually win the Cyber-War that the world finds itself faced with over the next few decades. While the task looks daunting as individuals, a concerted cooperative effort by like-minded organizations – bent on turning the tide and not only surviving but thriving – will ultimately be what wins the day.
I have borrowed and modified a number of quotes in my day, and the one that resonates in this situation is the one I have used time and again.
When confronted with seemingly insurmountable challenges always ask yourself:
“If not us, who? If not now, when?”
Then take that first step…
So with that in mind…
And oddly enough as both Iron Man and Barney Stinson would say…
It is time to “dent the universe”.