McAfee’s new Threat Intelligence Exchange sounds rather innocent, but it actually represents the company’s response to the growing belief that security threats have become so pervasive and powerful that the entire security defense model has to change. When you have government funding to buy malware, and a massive market for militarized malware growing at a national level, the only way to respond effectively is through global cooperation.
No firm, nor any one government, is powerful enough alone to address this threat. No perimeter defense — which is what we’ve largely relied on in the past — is effective, either, and any successful response simply has to assume the perimeter is porous.
Your Perimeter, Like a Medieval Castle Wall, Will Be Breached
Imagine it’s the Dark Ages and we need to defend our castle. We could build a huge wall, but we’d find that any concentrated attack would eventually breach the wall, and we’d be dead. Castle design was thus altered to include levels of defense, basically assuming that invaders would breach the primary wall but would face an increasingly costly fight the farther they advanced.
As weapons advanced, this no longer worked. States formed nations, which built armies. Today’s cities and town centers are no longer walled. Police forces, national guards, armies and various security agencies provide defense, finding and eliminating threats en masse. Once we stopped building massive walls, the focus shifted, at least with regard to prevention, from the perimeter to finding and eliminating threats more quickly.
This goes to the heart of McAfee’s approach. The Threat Intelligence Exchange is designed to layer over traditional security. It assumes there will be a breach — but it’s designed to identify and respond to breaches, all while notifying administrators so damage can largely be eliminated. It recognizes that no wall is strong enough to defend against the class of attacks we now see, much like the knights of old discovered that gunpowder and dynamite made walled cities largely pointless. The defense had to change to match the powerful attacks that were overwhelming traditional models.
To Fend Off Malware, Think Globally, Act Globally
Part of the problem, of course, is that attackers are increasingly funded at a national level, and attack software seems to migrate from (or originate with) firms operating legally, somewhat like weapons brokers, out of Eastern Europe. This means that, for a comprehensive internal response to function as fast as it needs to, you have to create a reach that is at least national, if not global.
This also hits the core of McAfee’s offering, which networks global resources, private and public, as well as McAfee’s own global threat tracking service, to spread the news of emerging malware so it can be more rapidly identified and mitigated when used a second time. If a piece of malware has been seen or identified by any one of the companies using the solution, or through McAfee’s own resources, the response template is distributed. The other sites are hardened against that malware in real time, reducing the response time to an attack and making events such as the Target breach far harder to accomplish, particularly a second time.
If the Bad Guys Get In, You Must Sound the Alarm
When facing a massive attack, perimeter defenses and other limited methods aren’t adequate, and the world is under exactly that kind of threat today. McAfee has created a “Defense in Depth” product that assumes you will be breached but can automatically respond to the breach, thus limiting or eliminating the exposure. This is a very different approach, but it’s one that’s unfortunately necessary in today’s hostile world.
This is hardly the end. I expect future offerings will increasingly use AI models to address even more intelligent malware. McAfee’s Threat Intelligence Exchange doesn’t end the arms race; it just gives IT an advantage until the next malware breakthrough. But it does make it likely that attackers will hit someone who hasn’t deployed this offering, because that will be a vastly easier target.
Rob Enderle is president and principal analyst of the Enderle Group. Previously, he was the Senior Research Fellow for Forrester Research and the Giga Information Group. Prior to that he worked for IBM and held positions in Internal Audit, Competitive Analysis, Marketing, Finance and Security. Currently, Enderle writes on emerging technology, security and Linux for a variety of publications and appears on national news TV shows that include CNBC, FOX, Bloomberg and NPR.