
Threat Intelligence Exchange: An Old Dog with Plenty of New Tricks

By on Mar 18, 2014

Last week’s RSA conference was a major success for us, generating significant excitement in the market about our announcement of Threat Intelligence Exchange.

Being the old dog in the market, with over 25 years of experience researching and providing endpoint protection solutions, puts us in a unique position. We know our trade. We’ve been around the block a few times. We have the knowledge and the experience. And let’s not forget, we are the leader, according to Gartner and others, in the endpoint protection business.

We describe Threat Intelligence Exchange as an immune system against Advanced Targeted Attacks (ATAs). We view advanced targeted attacks, which are designed to penetrate existing security controls using malware, as a separate attack class. As such, they mandate their own specific defenses.

Attacks are target specific, so defenses must be tailor-made, evaluating targeted attacks in the context of the organization they are attacking. Therefore we have created the concept of Personalized Threat Intelligence. Using the McAfee Threat Intelligence Exchange Server, administrators can easily tailor comprehensive threat intelligence by combining global intelligence data sources, such as McAfee GTI™ and third-party feeds, with local threat intelligence sources: real-time and historical event data coming from endpoints, gateways, and other security components. Customers are empowered to assemble, override, augment and tune the intelligence source information, customizing it for their environment and organization and thereby personalizing the threat intelligence.

Gathering and maintaining context (threat intelligence) specific to each organization makes it possible to optimize that organization’s security when the context is combined with, for example, behavioral patterns observed on endpoints.

McAfee TIE provides innovative endpoint prevention through the VSE TI Module, which makes accurate file execution decisions using a unique classification engine. That engine leverages the combined intelligence coming from local endpoint context (file, process and environmental attributes) and the currently available personalized threat intelligence provided by the TIE server (e.g. how many times have we seen this file in our environment? When did we see this file for the first time? Is this certificate trusted? And more). Endpoint protection is now optimized, executing security actions with access to the richest set of security details necessary, creating a new class of defense against advanced targeted attacks.

The ability to combine organization-specific context with observed behavioral patterns allows multiple indicators to be used together to make accurate classification decisions about executable files, decisions that would not have been possible using the individual indicators separately.

The following examples, combining organization-specific context with observed behavioral patterns, would have prevented some of the recently publicized incidents in which advanced targeted attacks were used:

  • When a file is new to an organization, has not been seen many times and is packed in a manner mimicking malware, it is safe to assume it is indeed malware.
  • When a file is new to an organization, has not been seen many times and its certificate is revoked, it is safe to assume it is indeed malware.
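To make the combination rules concrete, here is an added illustration in Python (not McAfee’s classification engine and not code from this post): the two rules above applied to constructed file-context records, with assumed thresholds for what counts as “new to the organization”, plus a helper that packages a block decision as a record another control could consume.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class FileContext:
    """Local endpoint context for one executable, as the text describes it."""
    sha256: str
    prevalence: int            # endpoints in this organization that have seen the hash
    first_seen: datetime       # when the organization first observed the hash
    packed_like_malware: bool  # endpoint heuristic: packing pattern typical of malware
    cert_status: str           # "trusted", "revoked", "untrusted" or "unsigned"

# Assumed thresholds; a real deployment would tune these per organization.
NEW_FILE_WINDOW = timedelta(days=7)
LOW_PREVALENCE = 5

def is_new_to_org(ctx: FileContext, now: datetime) -> bool:
    """'New to the organization': rarely seen and first observed recently."""
    return ctx.prevalence <= LOW_PREVALENCE and now - ctx.first_seen <= NEW_FILE_WINDOW

def classify(ctx: FileContext, now: datetime) -> tuple[str, str]:
    """Return (decision, reason). Only the combined indicators convict; each
    indicator on its own yields 'no_conviction' and is left to other controls."""
    novel = is_new_to_org(ctx, now)
    if novel and ctx.packed_like_malware:
        return "block", "new to organization and packed like malware"
    if novel and ctx.cert_status == "revoked":
        return "block", "new to organization and certificate revoked"
    return "no_conviction", "no combination of indicators matched"

def conviction_record(ctx: FileContext, now: datetime):
    """Shape an endpoint conviction so another control (e.g. a gateway) can act on it."""
    decision, reason = classify(ctx, now)
    if decision != "block":
        return None
    return {"sha256": ctx.sha256, "action": "block", "reason": reason, "source": "endpoint"}

# Constructed samples (not real hashes or telemetry); NOW fixed for reproducibility.
NOW = datetime(2014, 3, 18)
SAMPLES = {
    "new_packed":  FileContext("aa" * 32, 2, NOW - timedelta(days=1), True, "unsigned"),
    "new_revoked": FileContext("bb" * 32, 1, NOW - timedelta(days=2), False, "revoked"),
    "old_packed":  FileContext("cc" * 32, 900, NOW - timedelta(days=400), True, "trusted"),
    "new_clean":   FileContext("dd" * 32, 3, NOW - timedelta(days=1), False, "trusted"),
    "old_revoked": FileContext("ee" * 32, 1200, NOW - timedelta(days=300), False, "revoked"),
}

def classify_samples() -> dict[str, str]:
    """Decision per sample: only the two combined-indicator cases are blocked."""
    return {name: classify(ctx, NOW)[0] for name, ctx in SAMPLES.items()}
```

Note that `old_packed` and `old_revoked` are not convicted: a single indicator without the novelty context is exactly the case the text says cannot be decided on its own.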

By sharing threat information across controls and directing preventative actions in real time, using the Data Exchange Layer (McAfee’s architecture for adaptive security), McAfee is able to provide immediate protection against the threats posed by advanced targeted attacks across both network and endpoint controls. Endpoints are protected based on malware detected by network gateways, while network gateways block access based on endpoint convictions. More importantly, your organization is proactively and effectively protected as soon as a threat is revealed – from encounter to containment in milliseconds.

Seems like an old dog can learn plenty of new tricks.