
Threat Intelligence Exchange: An Old Dog with Plenty of New Tricks

By on Mar 10, 2014

This year’s RSA Conference was a major success for McAfee, garnering significant excitement because of our McAfee Threat Intelligence Exchange announcement. In fact, one industry analyst told me, “every client I have met has asked about your announcement.”

Being the old dog in the market with over 25 years of experience researching and providing endpoint protection solutions positions us in a unique place. Like a trusty hound, we know how to hunt, retrieve, and protect. We’ve been through quite a few brawls and fights.

We describe Threat Intelligence Exchange as an immune system against Advanced Targeted Attacks. We view advanced targeted attacks, which are designed to penetrate existing security controls using malware, as a separate attack class. As such, it mandates its own specific defenses.

When attacks are company or asset specific, defenses must be tailor-made, evaluating targeted attacks in the context of the organization they are attacking. Therefore we have created the concept of Personalized Threat Intelligence. Using the McAfee Threat Intelligence Exchange Server we make it possible for administrators to easily tailor comprehensive threat intelligence from global intelligence data sources, such as McAfee GTI™ and third party feeds, with local threat intelligence sources from real-time and historical event data coming from endpoints, gateways, and other security components. Customers are empowered to assemble, override, augment, and tune the intelligence source information, customizing threat intelligence information for their environment and organization to match controls and policies to their risks and threats.

TIE Optimizing Security

Getting more intelligence, and more relevant intelligence, is just the first innovation in this product. In its first release, McAfee Threat Intelligence Exchange provides innovative endpoint prevention through the use of a threat intelligence VirusScan Enterprise module. The module works with the existing VirusScan client and the Threat Intelligence Exchange Server to make more accurate file execution decisions. It uses a unique classification engine, leveraging the combined intelligence coming from local endpoint context (file, process and environmental attributes) and the currently available personalized threat intelligence (e.g. how many times have we seen this file in our environment? When have we seen this file for the first time? Is this certificate trusted? And more) provided by the TIE server. Endpoint protection is now optimized, executing security actions through its access to the richest set of security details, creating a new class of defense against advanced targeted attacks.

The ability to combine organization-specific context and observed behavioral patterns enables using multiple different indicators together to make accurate classification decisions with regard to executable files. This precision would not have been possible using the individual indicators separately.

By sharing threat information across controls and directing preventative actions in real-time, using the Data Exchange Layer (McAfee’s architecture for adaptive security), McAfee is able to provide immediate protection against the threats posed by advanced targeted attacks across both network and endpoint controls. Endpoints are protected based on malware detected by network gateways while network gateways block access based on endpoint convictions. More importantly, your organization is proactively and effectively protected as soon as a threat is revealed – from encounter to containment in milliseconds.

Seems like an old dog can learn plenty of new tricks.