<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blog Central &#187; GTI</title>
	<atom:link href="http://blogs.mcafee.com/tag/gti/feed" rel="self" type="application/rss+xml" />
	<link>http://blogs.mcafee.com</link>
	<description></description>
	<lastBuildDate>Fri, 24 May 2013 19:54:16 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>McAfee EMEA PACT (People, Activity, Commitment, and Teamwork) Rocks 2013</title>
		<link>http://blogs.mcafee.com/corporate/mcafee-emea-pact-people-activity-commitment-and-teamwork-rocks-2013</link>
		<comments>http://blogs.mcafee.com/corporate/mcafee-emea-pact-people-activity-commitment-and-teamwork-rocks-2013#comments</comments>
		<pubDate>Thu, 14 Feb 2013 20:28:33 +0000</pubDate>
		<dc:creator>Gert Jan Schenk</dc:creator>
				<category><![CDATA[Corporate]]></category>
		<category><![CDATA[Corporate Responsibility]]></category>
		<category><![CDATA[EMEA President’s View]]></category>
		<category><![CDATA[2013 threat predictions]]></category>
		<category><![CDATA[Citadel]]></category>
		<category><![CDATA[epo]]></category>
		<category><![CDATA[Global Threat Intellgence]]></category>
		<category><![CDATA[GTI]]></category>
		<category><![CDATA[intel]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[trojan]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=22112</guid>
		<description><![CDATA[I hope you have all had the same great start to the year as I have had, although I must say that since the beginning of 2013 my agenda has been incredibly packed.  Time flies; we are already in February and I have just returned from a trip to Moscow where great things are happening; <a href="http://blogs.mcafee.com/corporate/mcafee-emea-pact-people-activity-commitment-and-teamwork-rocks-2013">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>I hope you have all had the same great start to the year as I have had, although I must say that since the beginning of 2013 my agenda has been incredibly packed.  Time flies; we are already in February and I have just returned from a trip to Moscow where great things are happening; the Russian market has been incredibly dynamic in recent years.  Before leaving for <a href="http://moscow.ru/en/ ">Moscow</a> last Monday, I had just returned from the McAfee Worldwide Global Leadership Meeting which took place last week in <a href="http://www.vegas.com/">Las Vegas</a>.  It was such a fantastic event, packed with so much to learn and share. I’ve never been so excited; we have so many great things going on at <a href="http://www.mcafee.com/us/">McAfee</a>.  Our corporate executives, <a href="http://www.mcafee.com/uk/about/management/michael-decesare.aspx">Mike DeCesare</a>, <a href="http://www.mcafee.com/uk/about/management/todd-gebhart.aspx">Todd Gebhart</a>, <a href="http://www.mcafee.com/uk/about/management/steve-redman.aspx">Steve Redman</a>, <a href="http://www.mcafee.com/uk/about/management/michael-fey.aspx">Mike Fey</a>, and <a href="http://www.mcafee.com/uk/about/management/penny-baldwin.aspx">Penny Baldwin</a> shared the strategy for 2013 and beyond: it’s all about providing a holistic security approach to all our customers in every market segment: Consumer, SMB, Commercial, Enterprise, Telco and Public Sector.  <a href="http://www.mcafee.com/us/enterprise/reference-architecture/index.aspx">Our Security Connected Platform</a> including <a href="http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx">ePO</a>, <a href="http://www.mcafee.com/uk/mcafee-labs/technology/global-threat-intelligence-technology.aspx">Global Threat Intelligence (GTI)</a> and <a href="http://www.mcafee.com/uk/products/enterprise-security-manager.aspx">SIEM</a> is setting the pace for holistic security solutions in the industry.
I see no better recognition than to be copied and this is happening as our main competitors are announcing similar strategies with the difference of being several years later to market.</p>
<p>Anticipation and long term vision are critical in our industry. This view is also shared by our parent company <a href="http://www.intel.co.uk/content/www/uk/en/homepage.html">Intel</a>. In fact, <a href="http://newsroom.intel.com/community/intel_newsroom/bios">Renée James</a>, Executive Vice President and General Manager, Software and Services Group paid us the honour of joining us for a relaxed, open and candid interview with <a href="http://www.mcafee.com/uk/about/management/michael-decesare.aspx">Mike DeCesare</a>.  She told us how much she believes that Intel and McAfee have a unique opportunity and position in the market which enables them to serve their customers and make our world of the predicted 50 Billion interconnected devices, a safer place.</p>
<p>Cybercrime is crossing all boundaries; we witnessed it again with the recent attacks on several <a href="http://www.ft.com/intl/cms/s/0/c093e538-6e27-11e2-983d-00144feab49a.html">US media groups</a> such as the <a href="http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all&amp;_r=0">New York Times</a>, Wall Street Journal, and Washington Post. McAfee has released its <a href="http://www.mcafee.com/uk/resources/reports/rp-threat-predictions-2013.pdf">2013 Threat Prediction Report</a> setting the scene of new attacks. At the same time we noticed that older cyber threats which some people see as no longer valid are still very real and even mutating in the way they are used by the bad guys, <a href="http://threatpost.com/en_us/blogs/citadel-trojan-it-s-not-just-banking-fraud-anymore-020113">Trojan Citadel</a> being the perfect example, especially here in EMEA. Therefore I could not welcome more the latest commitment and resolve of the European Union to fight cyber threats. <a href="http://blogs.mcafee.com/corporate/securing-the-global-digital-infrastructure-gdi-together-2">McAfee and Intel  work together in Securing the Global Digital Infrastructure (GDI)</a>.</p>
<p>In Las Vegas, I also had the pleasure of holding a specific breakout session with my EMEA Team.  We went through our 2012 results, looked at what we accomplished, what we could do better, and our top performing regions and Business Units. I launched our 2013 priorities and goals with our EMEA 2013 theme: PACT which stands for People, Activity, Commitment and Teamwork. Corporate Executives <a href="http://www.mcafee.com/uk/about/management/steve-redman.aspx">Steve Redman</a>, <a href="http://www.mcafee.com/uk/about/management/pat-calhoun.aspx">Pat Calhoun</a>, <a href="http://www.mcafee.com/uk/about/management/ken-levine.aspx">Ken Levine</a>, and <a href="http://www.mcafee.com/uk/about/management/candace-worley.aspx">Candace Worley</a> joined us for an interactive Q&amp;A session.  I am really excited about our business. I must say that we have already had a good start to the year. We have the market, we have the momentum, we have the people and these three elements, combined with our EMEA PACT strategy, give us all the cards we need to make 2013 a fantastic year for our customers and partners.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/corporate/mcafee-emea-pact-people-activity-commitment-and-teamwork-rocks-2013/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>If You Deploy Only Antivirus, It Will Cost You More and Make You Less Secure</title>
		<link>http://blogs.mcafee.com/mcafee-labs/if-you-only-deploy-antivirus-it-will-cost-you-more-and-make-you-less-secure</link>
		<comments>http://blogs.mcafee.com/mcafee-labs/if-you-only-deploy-antivirus-it-will-cost-you-more-and-make-you-less-secure#comments</comments>
		<pubDate>Fri, 04 Jan 2013 21:51:17 +0000</pubDate>
		<dc:creator>Rees Johnson</dc:creator>
				<category><![CDATA[McAfee Labs]]></category>
		<category><![CDATA[anti-virus]]></category>
		<category><![CDATA[antimalware]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[AV]]></category>
		<category><![CDATA[GTI]]></category>
		<category><![CDATA[hips]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=21069</guid>
		<description><![CDATA[Everyone’s looking to shave their IT budgets, manage fewer vendors and streamline. The plethora of low cost and sometimes free AV products is an enticing option to lower the cost to secure any business. Some free antivirus programs do an acceptable job of detecting, blocking and removing certain kinds of malware, but don’t provide protection <a href="http://blogs.mcafee.com/mcafee-labs/if-you-only-deploy-antivirus-it-will-cost-you-more-and-make-you-less-secure">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p style="text-align: left;" align="center">Everyone’s looking to shave their IT budgets, manage fewer vendors and streamline. The plethora of low cost and sometimes free AV products is an enticing option to lower the cost to secure any business. Some free antivirus programs do an acceptable job of detecting, blocking and removing certain kinds of malware, but don’t provide protection from ALL the rapidly growing threats that attack multiple system vulnerabilities.</p>
<p>Recently, the data security company Imperva published a much <a href="http://www.itpro.co.uk/644677/imperva-anti-virus-study-flawed-claims-it-security-expert">derided</a> <a href="http://www.imperva.com/download.asp?id=324">test showing</a> what most IT security experts already knew: an AV-only protection scheme is necessary but insufficient.</p>
<p>While traditional antivirus technology continues to hold value for consumers and enterprises, it is only one layer in what needs to be a multi-layered defense.  As such, McAfee pioneered behavioral and other “day-zero” protection technologies to protect against rapidly morphing threats that can evade traditional blacklisting.</p>
<p>Host Based Intrusion Prevention Systems (HIPS) and Application Control are just two examples of security technologies that McAfee has delivered to protect millions of endpoints.  For example, McAfee Application Control protects against 100% of the threats in Imperva’s tests.  McAfee has optimized the ability to respond to evolving threats and our Global Threat Intelligence (GTI) is an example.  It provides the most comprehensive view of the evolving threat landscape, correlated with threat intelligence from and across all threat vectors – file, web, message, and network &#8211; driving the transition from blacklisting to grey and white listing. While blacklisting is still a vital ingredient for protecting devices, there is only a small percent of the threats out there that are new and still plenty of old threats that infect devices.  Because of this, blacklisting will never go away.  However, what is changing is that the blacklist is living in the cloud instead of on each device.</p>
<p>Some great new primary research from Aberdeen’s Derek Brink shows that the AV-only group actually spends 1.5-times more, and effectively accepts 68% of its security-related risk.</p>
<p><a href="http://blogs.mcafee.com/mcafee-labs/if-you-only-deploy-antivirus-it-will-cost-you-more-and-make-you-less-secure/attachment/av-software" rel="attachment wp-att-21048"><img class="aligncenter" alt="" src="http://blogs.mcafee.com/wp-content/uploads/2013/01/AV-software.png" width="525" height="346" /></a></p>
<p>Not investing in additional endpoint security solutions is actually a false economy – in reality, they are ignoring (and therefore effectively accepting) 68% of the risk and the associated costs.   Endpoint security initiatives should adopt a more comprehensive approach to protecting the organization’s platforms, networks, applications and data.  (Source: Aberdeen Group, March 2012.)</p>
<p>Beyond historic blacklisting, McAfee recommends that users also deploy host or network web protection, HIPS, AND good application control functionality to defeat the current generation of cybercriminals. That is why McAfee is relentless in solving the challenges of increasing threats and we do that by working to fulfill the value proposition of our Security Connected strategy &#8211; an integrated platform for security which identifies common host-network customer use cases and implements them to reduce the total cost of ownership for a complete security solution.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-labs/if-you-only-deploy-antivirus-it-will-cost-you-more-and-make-you-less-secure/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I’ve Got Reputation Feeds In My IPS. Do I Need Them In My SIEM, Too? Yes.</title>
		<link>http://blogs.mcafee.com/network-security/ive-got-reputation-feeds-in-my-ips-do-i-need-them-in-my-siem-too-yes</link>
		<comments>http://blogs.mcafee.com/network-security/ive-got-reputation-feeds-in-my-ips-do-i-need-them-in-my-siem-too-yes#comments</comments>
		<pubDate>Thu, 16 Aug 2012 15:00:06 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[GTI]]></category>
		<category><![CDATA[IPS]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=17904</guid>
		<description><![CDATA[I had a debate last week with one of our Systems Engineers about whether our customers needed McAfee Global Threat Intelligence (GTI) in our SIEM (Security Incident and Event Management) product if we already delivered it via our network IPS.  Of course they do. If you’re not familiar with McAfee GTI, it’s our cloud-based threat <a href="http://blogs.mcafee.com/network-security/ive-got-reputation-feeds-in-my-ips-do-i-need-them-in-my-siem-too-yes">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>I had a debate last week with one of our Systems Engineers about whether our customers needed <a href="http://www.mcafee.com/us/mcafee-labs/technology/global-threat-intelligence-technology.aspx">McAfee Global Threat Intelligence</a> (GTI) in our <a href="http://www.mcafee.com/us/products/siem/index.aspx">SIEM</a> (Security Incident and Event Management) product if we already delivered it via our network IPS.  Of course they do.</p>
<p>If you’re not familiar with McAfee GTI, it’s our cloud-based threat reputation engine.  McAfee GTI collects and shares reputation data across dozens of McAfee security solutions.  This reputation data includes billions of file, IP, mail, web, and other data points, each of which is assessed and assigned a risk score. Through testing, we’ve found that McAfee GTI can improve detection rates by up to 30%.  Perhaps more importantly, these real-time reputation feeds can shrink response times from days down to minutes.</p>
<p>As a cloud-based service, McAfee GTI can and has been incorporated into most McAfee products, including <a href="http://www.mcafee.com/us/products/network-security-platform.aspx">McAfee Network Security Platform</a> (network IPS) and <a href="http://www.mcafee.com/us/products/enterprise-security-manager.aspx">McAfee Enterprise Security Manager</a> (SIEM).</p>
<p><strong>So, back to the question: If you already get the benefits of McAfee GTI via network IPS, does it need to be incorporated into your SIEM? The answer is yes, and here’s why:</strong></p>
<ol>
<li><strong>Not everyone owns both</strong> &#8211; While McAfee has security solutions in nearly every major category, it’s safe to assume that most of our customers don’t own all those solutions.  The only way to ensure that all our customers can take advantage of GTI is to include it in all of our product offerings.</li>
<li><strong>These solutions may be managed by different teams </strong>– Most enterprise organizations have different teams for managing the network (IPS) and incident response (SIEM).  Having GTI built directly into the IPS not only allows for easy access to the data by that team, but it also allows for inline blocking based on reputation.  Having GTI at the SIEM level gives IT incident response teams global insight into potential risks that most SIEM solutions can’t offer.</li>
<li><strong>SIEM data is a superset of events</strong> – More and more organizations are adopting SIEM tools to get a holistic view of what’s happening on the network.  Network IPS events are just one of many data sources that feed into the SIEM.  When you add firewall logs, netflows, system logs, database logs, etc., you get a much broader picture of what’s happening.  Even if GTI is already part of the IPS solution, including it in the SIEM solution improves protection.  By incorporating GTI into McAfee Enterprise Security Manager, we turn Global Threat Intelligence into global threat event correlation.</li>
<li><strong>Data persistence</strong> – Many of today’s sophisticated attacks happen over longer periods of time.  Hackers may wait weeks or months in between pushing down custom malware and issuing data extraction commands.  McAfee Network Security Platform, with GTI and other advanced detection methods, has the ability to detect and log many of these stealthy events, but McAfee Enterprise Security Manager has the ability to persist the events (data) for longer periods of time. Being able to apply the GTI lens over months of data can bring interesting trends to the surface.</li>
</ol>
<p>When we first introduced McAfee GTI integration with Network Security Platform, adoption was a bit slower than we expected.  As we dug into the reasons, we found that one common (and entirely ironic) concern was that by enabling GTI, security teams found new events that they had to respond to.  We couldn’t argue with that.  It wasn’t long, however, before customers started seeing the benefits of GTI, and now the vast majority of our IPS customers turn it on.</p>
<p>But as I think back to the concern of too many security events, I realize that GTI with SIEM helps solve the ‘too many security events’ dilemma.  While individual security products may trigger on the same event independently – and kick off independent efforts to resolve an issue – having a correlated view of security events at the SIEM level helps streamline the incident response process, ultimately delivering the best of both worlds.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/network-security/ive-got-reputation-feeds-in-my-ips-do-i-need-them-in-my-siem-too-yes/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>25 Years and We Are Just Getting Started</title>
		<link>http://blogs.mcafee.com/mcafee-channel/25-years-and-we-are-just-getting-started</link>
		<comments>http://blogs.mcafee.com/mcafee-channel/25-years-and-we-are-just-getting-started#comments</comments>
		<pubDate>Tue, 31 Jul 2012 20:28:43 +0000</pubDate>
		<dc:creator>Gavin Struthers</dc:creator>
				<category><![CDATA[McAfee Channel]]></category>
		<category><![CDATA[Accredited Channel Engineer]]></category>
		<category><![CDATA[channel partner]]></category>
		<category><![CDATA[Channel Partners]]></category>
		<category><![CDATA[Channel Program]]></category>
		<category><![CDATA[Gavin Struthers]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[GTI]]></category>
		<category><![CDATA[McAfee managed Service Provider Program]]></category>
		<category><![CDATA[McAfee Rewards]]></category>
		<category><![CDATA[Profitability Stack]]></category>
		<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[SIEM]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=17728</guid>
		<description><![CDATA[As discussed on our Q3 Global Channels Town Hall,(on-demand replay) we witnessed many great accomplishments in Q2, not least of which was celebrating our 25th anniversary as a company. Our relentless search for SAFE has been 25 enthralling years of keeping our partners, customers and families safe &#8211; something that I’m very proud of having <a href="http://blogs.mcafee.com/mcafee-channel/25-years-and-we-are-just-getting-started">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>As discussed on our <a href="https://lightspeed-marcom.webex.com/lightspeed-marcom/lsr.php?AT=pb&amp;SP=EC&amp;rID=5548627&amp;rKey=06188594f8dda988">Q3 Global Channels Town Hall</a> (on-demand replay), we witnessed many great accomplishments in Q2, not least of which was celebrating our 25<sup>th</sup> anniversary as a company. Our relentless search for SAFE has been 25 enthralling years of keeping our partners, customers and families safe &#8211; something that I’m very proud of having been at McAfee for over 10 of those 25 years.</p>
<p>Q2 saw one of our strongest quarters ever in deals over $1 million, helping drive Enterprise growth in all theaters. These results point to the customer strength and relevance of our <a href="http://www.mcafee.com/us/enterprise/reference-architecture/index.aspx">Security Connected</a> strategy as it continues to spark more end-to-end deployments across the endpoint, the network and in the cloud, providing the most advanced protection with unified management powered by our world leading <a href="http://www.mcafee.com/us/products/global-threat-intelligence-proxy.aspx">GTI</a> (Global Threat Intelligence).</p>
<p>We are also continuing to see increased results from our SMB focus. Significant investments to fuel SMB growth have been made in terms of updates and enhancements to our SMB suites, improved training tools, and the doubling of the <a href="https://www.mcafeerewards.com/content.asp?catref=McAfee_Login">McAfee Rewards</a> payout on our SMB suite family. Based on our double-digit increase in SMB deal registration bookings in Q2, these investments are starting to pay off and build momentum.</p>
<p><strong>Technology Chat with Mike Fey</strong></p>
<p>During the Town Hall Technology Chat with Mike Fey, our SVP of Advanced Technologies and Field Engineering, Mike talked about the future of Security Connected, and more specifically, how our recent acquisition of NitroSecurity helps us together with our partners deliver a highly scalable <a href="http://www.mcafee.com/us/products/siem/index.aspx">SIEM</a> environment that brings actionable situation awareness and countermeasure awareness. For Partners, McAfee’s SIEM (McAfee ESM &#8211; Enterprise Security Manager) brings significant new revenue opportunity with a SIEM that is less expensive to purchase, deploy and operate.  This business is growing &gt;100% for McAfee &#8211; get on board!</p>
<p><strong>Priorities for the Second Half: Capitalizing on the Momentum</strong></p>
<p>We have tremendous momentum heading into the second half of the year and to capitalize on this momentum we remain focused on driving relevance and mutual profitability:</p>
<ul>
<li><strong>Broaden Your Expertise to Sell More</strong>:  Your customers are looking for trusted security advisors to help solve their challenges. Become that resource by expanding your security expertise. This includes driving more POCs through your <a href="https://smp.mcafee.com/internet-salesmarketing-war/SecurityController?targetUrl=https://smp.mcafee.com/internet-salesmarketing-war/appmanager/SalesMarketing/SalesMarketingDesktop?_nfpb%3Dtrue%26_pageLabel%3DB240017481317809177812">ACEs</a>, leveraging the new demo simulation tool in your sales efforts, and taking advantage of our new continuing education tracking tool.</li>
<li><strong>Grow Your Business with McAfee</strong>: The solutions and programs are in place to help drive new opportunities around SIEM, and recurring revenue from services through <a href="http://www.mcafee.com/us/partners/mssp/index.aspx">our new Managed Services Partner Program.</a></li>
<li><strong>Maximize Your Profit</strong>: Take advantage of <a href="http://www.feel-the-buzz.com/thestack/">our Profitability Stack</a> that includes enhanced deal registration, our rich partner Rewards program, and our special Q3 promotion.</li>
</ul>
<p>The security opportunity is larger than ever before. And, with the recent unveiling of our exciting Q3 bundle promotion <a href="http://endpoint.mcafee.com/content/12Q3NAPartnerEndpointTotalAccess">McAfee Total Access</a>, now is the time to take action!</p>
<p>Finally, if you have not registered for our upcoming Partner Summit taking place October 23-25 in Las Vegas, <a href="http://www.mcafeefocus.com/focus2012/Sessions/BreakoutSessions.aspx">I encourage you to do so today</a>.</p>
<p>Good selling!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/mcafee-channel/25-years-and-we-are-just-getting-started/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>High Roller Protection is Not Only For High Rollers</title>
		<link>http://blogs.mcafee.com/system-endpoint/high-roller-protection-is-not-only-for-high-rollers</link>
		<comments>http://blogs.mcafee.com/system-endpoint/high-roller-protection-is-not-only-for-high-rollers#comments</comments>
		<pubDate>Tue, 26 Jun 2012 16:59:37 +0000</pubDate>
		<dc:creator>Dan Wolff</dc:creator>
				<category><![CDATA[System Endpoint]]></category>
		<category><![CDATA[Deep Defender]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[GTI]]></category>
		<category><![CDATA[highroller]]></category>
		<category><![CDATA[hips]]></category>
		<category><![CDATA[McAfee Application Control]]></category>
		<category><![CDATA[OHR]]></category>
		<category><![CDATA[virusscan]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=17183</guid>
		<description><![CDATA[Like Zeus, it appears that Operation High Roller is a banking trojan much more advanced in terms of quality, applicability to broad platforms and automation. Its ability to scale far beyond current banking malware is of great concern. So you want to know what you can do now to protect yourself?  Here are some tips <a href="http://blogs.mcafee.com/system-endpoint/high-roller-protection-is-not-only-for-high-rollers">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Like Zeus, it appears that <a title="Operation High Roller" href="http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf" target="_blank">Operation High Roller</a> is a banking trojan much more advanced in terms of quality, applicability to broad platforms and automation. Its ability to scale far beyond current banking malware is of great concern. So you want to know what you can do now to protect yourself?  Here are some tips that we will update as we know more:</p>
<p>Since High Roller appears to be introduced via a malicious website or social engineering attack, McAfee SiteAdvisor Enterprise and McAfee Web Gateway can prevent users from accessing malicious host sites.  McAfee Host Intrusion Prevention (HIPS) can block drive-by vulnerability exploits, preventing the malware from running for the first time on a target machine. McAfee Application Control can prevent any unknown or unapproved application from being installed or allowed to run.  McAfee VirusScan Enterprise protects the machine from any known variants. McAfee Deep Defender will block the vast majority of kernel mode rootkits that High Roller variants may contain, day zero, with no need to update any signatures. Additionally, both McAfee VirusScan Enterprise and McAfee Host Intrusion Prevention prevent registry modifications and other configuration changes. And finally the McAfee Desktop Firewall can block outbound command and control communication to sites deemed malicious by McAfee Global Threat Intelligence technology.</p>
<p>Read the full report on Operation High Roller here:</p>
<p><a href="http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf" target="_blank">http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf</a></p>
<p>For more on the four phases of every attack, please see my blog:</p>
<p><a href="http://blogs.mcafee.com/enterprise/the-four-phases-of-every-attack">http://blogs.mcafee.com/enterprise/the-four-phases-of-every-attack</a></p>
<p>And more detail about protecting yourself against the 4 phases of every attack is here:</p>
<p><a href="http://blogs.mcafee.com/enterprise/how-todays-new-generation-of-security-products-protect-you-in-each-of-the-4-phases-of-every-attack">http://blogs.mcafee.com/enterprise/how-todays-new-generation-of-security-products-protect-you-in-each-of-the-4-phases-of-every-attack</a></p>
<p>More on High Roller as it comes out.</p>
<p>Be SAFE!</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/system-endpoint/high-roller-protection-is-not-only-for-high-rollers/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Get Your Arms Around Big Security Data</title>
		<link>http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data</link>
		<comments>http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data#comments</comments>
		<pubDate>Tue, 22 May 2012 18:51:43 +0000</pubDate>
		<dc:creator>Archive</dc:creator>
				<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[CSO / Risk Management]]></category>
		<category><![CDATA[Data Center]]></category>
		<category><![CDATA[Data Protection]]></category>
		<category><![CDATA[Database Security]]></category>
		<category><![CDATA[Enterprise]]></category>
		<category><![CDATA[Management]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[SIEM]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[big security data]]></category>
		<category><![CDATA[enterprise]]></category>
		<category><![CDATA[enterprise security]]></category>
		<category><![CDATA[epo]]></category>
		<category><![CDATA[ePolicy Orchestrator]]></category>
		<category><![CDATA[ESM]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[GTI]]></category>
		<category><![CDATA[McAfee Risk Advisor]]></category>
		<category><![CDATA[NitroView]]></category>
		<category><![CDATA[security information and event management]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=16269</guid>
		<description><![CDATA[The more data you have, the more insight and knowledge you possess, right? But what happens when your data stores grow so large that securing and managing them effectively is no longer in the cards? A few extra gigabytes here and terabytes there, and before you know it, you&#8217;ve got a big security data problem. <a href="http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>The more data you have, the more insight and knowledge you possess, right? But what happens when your data stores grow so large that securing and managing them effectively is no longer in the cards? A few extra gigabytes here and terabytes there, and before you know it, you&#8217;ve got a big security data problem. Every new security control that&#8217;s put in place to protect data adds administrative burden—increasing the security event data that must be monitored, logged, shared between security components, analyzed, and reported on.</p>
<p>Security information and event management (SIEM) systems were invented to help IT security teams within financial services companies, health care providers, defense contractors, and governments address the growing volumes of information security data. An onslaught of well-publicized data breaches followed by public outrage and a surge of regulatory mandates quickly made SIEM must-have technology.</p>
<p><strong>The point product feeding binge</strong></p>
<p>As corporate security officers scrambled to address these issues, virtualization bred even more data and applications that had to be secured and reported on. Companies added new security products—each bringing its own instrumentation and logging requirements. The volume of security data and real-time data streams grew exponentially until SIEM solutions bogged down. Some security teams started turning off SIEM data feeds in an effort to preserve performance. Unfortunately, each disabled data feed created another vulnerability and exposed the enterprise to greater risks.</p>
<p><strong>Time for a big security data fitness plan</strong></p>
<p>So how do you deal with big security data even as your business tightens its belt?</p>
<p>Today you need more relational information about the source, asset, user, and data to provide greater security context and situational awareness. You also need real-time correlation of this information with event flows—including scalable architecture that can keep pace with big security data&#8217;s growth.</p>
<p><strong>Add Muscle, Lose Fat</strong></p>
<p>Legacy SIEM solutions don&#8217;t have the power to handle big security data. Today, you need a SIEM that includes high-performance architecture to handle reams of security data and easily scales to handle future growth. In other words, you need <a href="http://www.mcafee.com/us/products/enterprise-security-manager.aspx">McAfee Enterprise Security Manager</a> (formerly NitroView). This SIEM powerhouse is specifically built for big security data with a powerful database, appliance options, and the processing power to quickly correlate billions of events and flows.</p>
<p><strong>Boost Your SIEM IQ</strong></p>
<p>The next generation of SIEMs must go beyond simple event analysis to share security intelligence among security components and quickly deliver actionable information. McAfee Enterprise Security Manager achieves this by immediately collecting and analyzing contextual information on events, users, and data, creating and sharing situational awareness among solution components.</p>
<ul>
<li><a href="http://www.mcafee.com/us/mcafee-labs/technology/global-threat-intelligence-technology.aspx">McAfee Global Threat Intelligence</a> further strengthens dynamic threat visibility, providing around-the-clock reputation-based threat intelligence and sharing this insight through integration among solution components.</li>
<li><a href="http://www.mcafee.com/us/products/risk-advisor.aspx">McAfee Risk Advisor</a> uses this shared information to help you quickly pinpoint attacks and implement countermeasures.</li>
</ul>
<p><strong>Achieve Balance and Agility</strong><br />
Big security data requires security tool integration and enterprise-wide visibility. Two-way integration with <a href="http://www.mcafee.com/us/products/epolicy-orchestrator.aspx">McAfee ePolicy Orchestrator</a> (ePO) software extends visibility and control across your entire security and compliance environment.</p>
<p>Just like any fitness plan, SIEM requires effort and dedication. It gets easier over time and results become an excellent motivator.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/enterprise/get-your-arms-around-big-security-data/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Big Data for Security Intelligence – Recognize Slithering in Cyberspace (Part 2)</title>
		<link>http://blogs.mcafee.com/security-connected/using-big-data-for-security-intelligence-recognize-slithering-in-cyberspace-part-2</link>
		<comments>http://blogs.mcafee.com/security-connected/using-big-data-for-security-intelligence-recognize-slithering-in-cyberspace-part-2#comments</comments>
		<pubDate>Mon, 07 May 2012 20:42:08 +0000</pubDate>
		<dc:creator>Kim Singletary</dc:creator>
				<category><![CDATA[Security Connected]]></category>
		<category><![CDATA[Big Data]]></category>
		<category><![CDATA[GTI]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=15916</guid>
		<description><![CDATA[In my previous post in this series, I looked at security considerations when enabling Big Data for your business. In collecting, accessing and providing parallel analytics across multiple data sets, you may be inadvertently opening the door to malware or a ‘snake in the grass’. It’s possible that the data you are correlating is something <a href="http://blogs.mcafee.com/security-connected/using-big-data-for-security-intelligence-recognize-slithering-in-cyberspace-part-2">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>In my <a href="http://blogs.mcafee.com/enterprise/security-connected/security-considerations-in-enabling-big-data-snake-in-the-grass-part-1">previous post in this series</a>, I looked at security considerations when enabling Big Data for your business. In collecting, accessing and providing parallel analytics across multiple data sets, you may be inadvertently opening the door to malware or a ‘snake in the grass’. It’s possible that the data you are correlating is something quite attractive to both cybercriminals and old-fashioned criminals, because it could be another way to gather intelligence for their cause or criminal crusade.</p>
<p>McAfee relentlessly provides <a href="http://www.mcafee.com/us/mcafee-labs/technology/global-threat-intelligence-technology.aspx">Global Threat Intelligence (GTI)</a> that our customers leverage to keep up-to-date and automatically block suspicious behavior and connections. This constant service is accomplished by using Big Data to uncover those who may be slithering in cyberspace and up to no good. Even before McAfee obtains a malware file, McAfee Labs has most likely already rated the reputation of its associated files or connections as suspicious. What really makes GTI successful are the highly specialized security professionals working around the clock and around the world, sifting through enormous volumes of data.</p>
<p><strong>On average, the sampling of GTI data includes:</strong></p>
<ul>
<li>75 Billion Malware Reputation Queries/Month</li>
<li>20 Billion Email Reputation Queries/Month</li>
<li>2 Billion IP Population Queries/Month</li>
<li>300 Million IPS Attacks/Month</li>
<li>100 Million IP Port Reputation Queries/Month</li>
</ul>
<p>With over 100 million queries a month, there’s a good chance that we will start to identify questionable behavior and connections. In my next entry, I’ll look at how IT can start to manage and create their own security intelligence with similar techniques &#8211; leveraging GTI to gain unique visibility into their own IT infrastructure and business threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/security-connected/using-big-data-for-security-intelligence-recognize-slithering-in-cyberspace-part-2/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Click Here to See Fluffy Kittens (or Get Malware)&#8230;</title>
		<link>http://blogs.mcafee.com/cto/click-here-to-see-fluffy-kittens-or-get-malware</link>
		<comments>http://blogs.mcafee.com/cto/click-here-to-see-fluffy-kittens-or-get-malware#comments</comments>
		<pubDate>Thu, 11 Nov 2010 18:48:01 +0000</pubDate>
		<dc:creator>Simon Hunt</dc:creator>
				<category><![CDATA[CTO]]></category>
		<category><![CDATA[Consumer]]></category>
		<category><![CDATA[GTI]]></category>
		<category><![CDATA[mcaf.ee]]></category>
		<category><![CDATA[Security-as-a-Service]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[Web 2.0]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com/?p=6318</guid>
		<description><![CDATA[Following on from my last post where I was talking about efforts we were putting in place to stifle the use of the http://mcaf.ee secure short URL provider by spam merchants, I thought I&#8217;d share with you some interesting statistics of a recent spam attack. I pulled this pretty graph out of our Google Analytics <a href="http://blogs.mcafee.com/cto/click-here-to-see-fluffy-kittens-or-get-malware">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Following on from my <a href="http://blogs.mcafee.com/corporate/cto/about-spam-sites-malware-and-heated-lunchtime-conversations" target="_self">last post</a> where I was talking about efforts we were putting in place to stifle the use of the <a href="http://mcaf.ee">http://mcaf.ee</a> secure short URL provider by spam merchants, I thought I&#8217;d share with you some interesting statistics of a recent spam attack.</p>
<p>I pulled this pretty graph out of our Google Analytics feed which shows the lifetime of the spam message, well, in fact it shows the history of unique visitors to the page which is much the same thing:</p>
<p><img class="aligncenter size-full wp-image-6320" src="/wp-content/uploads/2010/11/spam1.jpg" alt="" width="600" /></p>
<p>You can see that activity started on the 22nd October (with just over 4,000 clicks) and peaked on the 1st November with just under 12,000 unique clicks. Since the 3rd November there&#8217;s been no activity on this page, indicating that the particular scam campaign has ceased.</p>
<p>Over the life of this campaign there were 99,816 unique people who tried to access the spam site (a bogus recipe page), all of whom saw our infamous blue warning banner:</p>
<p style="text-align: center;"><a href="/wp-content/uploads/2010/11/blue1.jpg"><img class="size-full wp-image-6323  aligncenter" src="/wp-content/uploads/2010/11/blue1.jpg" alt="" width="500" /></a></p>
<p>This to me is interesting, because it shows the scope of spam &#8211; for the best part of 100,000 people to click the link, how many actually got the email? 5x, 10x, 100x or more?</p>
<p>Overwhelmingly in this case (&gt;90%) the visitors in this particular campaign came to us from China, which is curious because the ultimate intended landing page is in English only &#8211; I can only suggest that they clicked the link either because the spam email was targeting them, or perhaps because it was in English and they could not read it.</p>
<p>To finish, I&#8217;ll tell you of another strange statistic in the world of Short URLs &#8211; the most popular site lately has been a <a href="http://www.ad.nl/ad/nl/1025/TV-Radio/article/detail/529261/2010/11/04/Youp-stort-zich-met-magazine-op-helpdesks.dhtml" target="_blank">news article</a> in Dutch regarding the comedian Youp van &#8216;t Hek releasing a new magazine poking fun at corporate helpdesks. It only had a short lifespan of 3 days, but peaked at 75% of the clicked links &#8211; popular guy it seems!</p>
<p>Now, if I only read Dutch&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/cto/click-here-to-see-fluffy-kittens-or-get-malware/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Operation Aurora – Post Mortem</title>
		<link>http://blogs.mcafee.com/network-security/operation-aurora-%e2%80%93-post-mortem</link>
		<comments>http://blogs.mcafee.com/network-security/operation-aurora-%e2%80%93-post-mortem#comments</comments>
		<pubDate>Tue, 16 Feb 2010 23:52:24 +0000</pubDate>
		<dc:creator>Rees Johnson</dc:creator>
				<category><![CDATA[Network Security]]></category>
		<category><![CDATA[global threat intelligence]]></category>
		<category><![CDATA[GTI]]></category>
		<category><![CDATA[Heuristics]]></category>
		<category><![CDATA[Operation Aurora]]></category>
		<category><![CDATA[Pre-detection]]></category>
		<category><![CDATA[Whitelisting]]></category>

		<guid isPermaLink="false">http://blogs.mcafee.com?p=2111</guid>
		<description><![CDATA[Sophisticated, multi-vector attacks like Operation Aurora are now more pervasive and more difficult to detect than ever before, thanks in part to the emergence of Web 2.0 and the rapid growth of the internet. Already, in the weeks that have followed Operation Aurora, McAfee Labs has identified a number of derivative attacks based on publicly <a href="http://blogs.mcafee.com/network-security/operation-aurora-%e2%80%93-post-mortem">Read more...</a>]]></description>
				<content:encoded><![CDATA[<p>Sophisticated, multi-vector attacks like Operation Aurora are now more pervasive and more difficult to detect than ever before, thanks in part to the emergence of Web 2.0 and the rapid growth of the internet.  Already, in the weeks that have followed Operation Aurora, McAfee Labs has identified a number of derivative attacks based on publicly available Aurora exploit code.</p>
<p>McAfee’s ability to detect and respond to Operation Aurora before any other security vendor illuminates some very significant advantages of our security model, particularly in the area of network security.</p>
<p>To understand the role that network security can and should play in defense of coordinated attacks like Aurora, it makes sense to explore three common shortcomings of today’s security approach:</p>
<p>1) Most solutions don’t protect against threats that haven’t yet been detected.</p>
<p>2) Most solutions lack the levels of analysis automation and global intelligence necessary for timely identification and propagation of threat information.</p>
<p>3) Most solutions act in isolation, lacking the ability to collect and share threat information across security infrastructure.  This situation reminds me of the federal government’s review of 9/11.  Many of the pieces of information existed, but they just couldn’t put it all together and disseminate it.</p>
<p><strong>‘Pre-detection’ defenses</strong></p>
<p>The notion of disarming a threat before it is detected is challenging to say the least. Yet McAfee has a number of tools that do just that. The following is a short list of McAfee’s notable ‘pre-detection’ defenses:</p>
<p>1) Tightly controlled communications channels. Aurora, for example, used a non-RFC compliant SSL control channel for outbound communication that would have been blocked by McAfee Firewall’s SSL proxy (see <a href="http://www.mcafee.com/us/local_content/solution_briefs/sb_firewall_enterprise.pdf">McAfee Firewall Enterprise</a>).</p>
<p>2) Heuristics that use a combination of real-time inputs, rules-based logic and intuitive judgments regarding whether a file, communication or site is a potential threat. McAfee TrustedSource, for example, is a behavior and reputation correlation engine that feeds into several McAfee network defense products.  In the case of Aurora, McAfee engines leveraging TrustedSource technology would have prevented the attack by preventing the distribution of the malware (see <a href="http://mcafee.com/us/enterprise/products/network_security/network_threat_response.html">Network Threat Response,</a> <a href="http://www.mcafee.com/us/enterprise/products/email_and_web_security/web/web_gateway.html">McAfee Web Gateway,</a> <a href="http://www.trustedsource.org/">TrustedSource</a>).</p>
<p>3) Whitelisting techniques that permit only known communications from known applications, allowing security infrastructure to block threats long before they appear on a blacklist, simply because they aren’t on the ‘guest list’ (see <a href="http://www.mcafee.com/us/enterprise/products/risk_and_compliance/application_control.html">McAfee Application Control</a>).</p>
<p>Pre-detection methods aren’t a replacement for signature-based protection against known threats, but organizations should consider heuristic and control-based security tools as being central to their security plan if they wish to disarm Aurora-like attacks at the onset.</p>
<p><strong>Automated intelligence through McAfee GTI</strong></p>
<p>While heuristics and reputation-based security measures help fend off attacks prior to detection, the most certain way to block an attack is to know exactly what it is and how it works in order to put concrete prevention measures in place. For some time now McAfee has been the leader in threat detection and identification. It’s no coincidence – automating the collection and analysis of global threats has been the key to McAfee’s rapid and accurate detection of the latest attacks.  McAfee Labs <a href="http://www.mcafee.com/us/threat_center/gti_video.html">Global Threat Intelligence (GTI)</a> is an automated cloud-based system for analyzing threat information collected by Artemis, a collection of hundreds of servers around the globe that continually captures information on potential threats from millions of sensors and end-points.  By automating the process of collecting and analyzing threat information, GTI has dramatically sped the process of trending global threats in order to confirm them as legitimate attacks. The comprehensive, automated coverage McAfee has with GTI is proving to be the only way to deliver the speed and accuracy required to combat and shut down attacks like Aurora.</p>
<p><strong>Security infrastructure whose sum is greater than its parts</strong></p>
<p>One of the biggest differentiators in McAfee’s security model is that our solutions span the entire security infrastructure… and work together.  You must have security devices working in concert to achieve maximum security effectiveness. Relying on cross-pollination of threat intelligence through GTI across multiple security mediums has allowed McAfee to do what no other vendor can match. The intelligence that allowed <a href="http://www.mcafee.com/us/enterprise/products/network_security/network_security_platform.html">McAfee Network Security Platform,</a> for example, to block Operation Aurora attacks from taking advantage of the IE vulnerability was the same intelligence used to update antivirus packages, firewalls, network threat analysis, web defenses, email security and more.  Not only did GTI allow McAfee to be a first mover in the response to Operation Aurora, it allowed us to reach all possible threat entry and exit points in the organization.</p>
<p>Operation Aurora was one of the most visible attacks we’ve seen in years.  It wasn’t the first of its kind, nor will it be the last.  The sophistication levels and frequency of attacks will likely continue to increase.  Fortunately, I am confident that McAfee remains in a very unique position to stay ahead of the threat landscape.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.mcafee.com/network-security/operation-aurora-%e2%80%93-post-mortem/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
