15 Minutes With… Ben Andrew

Welcome to “15 minutes with” – an occasional contribution between Simon Hunt, CTO Endpoint Security and the movers-and-shakers within McAfee’s technical community.

This week on the stand is Ben Andrew, Senior Product Manager for Virtualization Security.

So Ben, care to tell us how long you’ve been with McAfee, and what you’ve been involved in?

Hi Simon – I’ve been a part of McAfee on/off for 11 years, started in Professional Services as a Senior consultant traveling across North America implementing McAfee Security solutions, mostly in Endpoint Security, ripping out competitor’s products, dealing with 911 emergency engagements where customers were wrought with infections, mass outbreaks at places like the US Mint, Ford Motor Company, American Express, etc.

I Moved into Product Management in 2007 and took over competitive analysis, writing technical white papers, best practice guides, before managing SiteAdvisor Enterprise. I moved into virtualization into 2009 and now manage the Endpoint Virtualization security solutions.

It’s the virtualization topic I especially wanted to talk to you about this week – I know you’re about to release a new version of MOVE – McAfee Optimized for Virtual Environments?

For those who don’t know anything about MOVE – is it possible to sum it up simply?

Actually, we released MOVE 2.0 a couple weeks. We offer a couple different solutions to solve the most common security issues in virtual environments… and have a lot planned as well.

Firstly we solve the problem of AV Storms – where a number of virtual machines running on the same physical box simultaneously do something like a scheduled On-Demand scan, creating a massive load on the physical host. MOVE Scheduler manages scheduled On-Demand Scan tasks by monitoring the load of the hypervisor.

Secondly we address the Density problem – making sure customers can continue to collapse their physical world onto the least number of boxes. MOVE AV offloads On-Access protection to a security VM instead of running full protection inside each guest VM.

Is the concept of AV storms a real problem for datacenter owners then?

Yes, if a security solution isn’t aware of the load of the host, scheduled scans and updates can use too many resources and overall performance can suffer dramatically, even to the point of moving workloads to other hosts (vMotion, etc.).

Do you think people are generally aware of this problem now, or is it still something that you’d have to be an expert in to really realize is going on?

Most customers are aware of this, and it ends up being one of the top reasons they come to us for help…

So perhaps you can tell us more about the new features you’ve just released – you mentioned the point of MOVE was to increase performance of the virtual servers, and also keep the density up – I guess these are things you’re still working on improving?

Yes, we made significant improvements in the shared cache in our recent release, this provides advanced “scan avoidance” – If you don’t have to scan, you don’t have to use resources… application startup times improve, etc.

We added support for Virtual Servers in 2.0 as well, which allows us to improve density, by not requiring the full AV product to run within each and every guest VM. We do this by changing the way the AV products check the validity of a file – first we check a local (in guest) cache to see if the file has previously been scanned by that guest, if not, the fingerprint is compared against the shared cache which contains the files checked by all the guests, before being scanned.

We see about 60% density improvement in this solution over traditional AV.

So can you put that in perspective for the audience? When we hear “scan avoidance” we usually equate that to a lower level of security – for people struggling to protect high density virtual environments at the moment, what’s their expectation when looking to implement something like MOVE when compared to traditional protection measures?

Sure, in most virtual environments, virtual machines are based on a common template or “gold image.” When the first VM on a host boots up, with no previous shared cache, we scan the Operating system files, any applications that are launched, and then add them to the shared cache.

Then as subsequent VMs boot, with the same operating system, the files don’t have to be scanned = scan avoidance

The ability to leverage the shared cache reduces the amount of resources required.

So no reduction in protection then?

The offloaded solution does not offer the same level of protection offered by the full VirusScan enterprise product as it only provides On-Access Scanning, because of that we recommend implementing Host IPS in guest to provide Buffer Overflow protection, and we include it in the SKU for MOVE for Virtual Desktops.

As in most dynamic VDI scenarios, Virtual Images are flushed at the end of the day, in guest on-demand scans and repair functions are not required.

So are you saying our MOVE customers can expect nearly the same performance as if they had no AV at all?

If the scan has already been performed on the file, the experience will be similar to no AV. There are of course exceptions to this, but if the environment is properly configured with appropriate exclusions, end users experience significant performance improvements.

This is especially the case where users are accessing data that is stored on a network drive… and that data is already scanned where it is stored, such as a NetApp On-Tap filer protected with McAfee VSE for NetApp on-box.

McAfee SE’s are able to provide best practice recommendations to optimize customers’ environments

Sounds like a great release Ben. And you say it’s available to customers right now?

Thanks Simon, yes the team did a great job. The release was posted on September 14th, and we have had lots of interest…

So “MOVEing” on – what’s next in your world that you can tell us about? I know the life of a Product Manager is full of secrets, but is there anything on the horizon you can tell us about?

LOL. Yeah, we have a lot coming… very cool things…

First, we are working very closely with VMware to release a version of MOVE that will have a vShield Endpoint add-on. This will provide customers with the ability to have basic AV protection enabled automatically when a VM is created.

We are also looking at the overall virtual data center to provide recommended protections at every portion

So final question for you Ben – something I always Product Managers in particular – is there anything you want to confess or apologize for? Some truly awful design decision you instigated, or a release you weren’t particularly proud of?

Yeah, we took a hard look at the way we implemented the initial architecture

of MOVE?

Yes. The solution was first developed to solve the density problem of traditional AV…yet, we found that many customers need/want in-guest memory protection, so we are improving the Buffer-Overflow protection in VSE so it can be optimized.

And you reversed that decision with the recent release?

The reasons for the improvements in the shared cache in the recent release, and also the plan for our future release also. We intend to bring full security protections in; optimizing the components that use the most resources, then sharing the components that make sense to share (like the cache) centrally.

Well thanks Ben for giving us an update on what’s happening in the virtualization space. Safe Travels!

Thanks Simon. By the way, your readers can find out more about VMWorld from their site,   http://www.vmworld.com/community/conference/europe/ and about MOVE, from the McAfee site – http://mcaf.ee/move