CBR: What impact will McAfee’s Threat Intelligence Exchange (TIE) have on the security landscape?
VA: I think it’s a big game-changer, because now for the first time every McAfee product that participates in that architecture – and we’re opening it up to our partners – is able to share information in real-time with everybody else. In the past this was impossible to do. You had private APIs (application programming interfaces) and even then it it was very difficult to enable it, it was difficult to deploy it, and so it was very challenging.
This will accelerate product development, first of all, and then it will make deployment much, much easier. The result is from a user point of view security becomes more and more automated and effective. If I see something on one of my firewalls or one of my boxes all other McAfee solutions on the network become intelligent instantly, which I think it quite amazing. It’s like a beacon: I suddenly hold a red light up and every McAfee solution in that network is able to see my red light and actually understand what it means.
CBR: What are the challenges of rolling this out to your customers?
VA: Everyone has to upgrade their ePO (ePolicy Orchestrator), and upgrade the software that runs in the network. Each one of our teams is releasing software that integrates with TIE. We released two products this month, ATD (Advanced Threat Defense) and IPS (intrusion prevention system), that integrate with TIE. Next quarter we will introduce our next generation firewall (NGFW), so then customers will have to upgrade the software.
Depending on the size of the organisation and their policies sometimes it takes them months to upgrade. Sometimes they have upgrade windows that are a year out, and sometimes they have just upgraded, so there’s no chance of upgrading until six, nine or 12 months.
CBR: Is this mostly for financial reasons?
It can be financial reasons because you’re bringing down your old network. You have to find down-time because it’s two in the morning four months away. It’s an effort to upgrade, so that is a challenge. The operational challenges are very minimal, because this is a simple architecture. There’s no advanced training required, there’s no advanced operational issues, you don’t need extra headcount to manage this. You just have to update your infrastructure software.
CBR: Do you see this as something that will solve the skills shortage problem in cybersecurity?
VA: Not completely but it will help. What it does mean is that if you see an attack this will help in distributing all the information to all the other devices and it will allow us to automatically enforce policy. For instance if I download a bad file, the first time I download it this mechanism will kick in. Some McAfee device or even the software running here will identify this and say I’m running a bad file. It’s going to inform everybody else.
Now if the operator has enabled automation there all other McAfee solutions can automatically put a rule in saying: "This particular file is bad, so freeze its propagation." The third thing we’re doing is called "Fix", where we go back to the systems that already downloaded it and we can go and actually clean it out. So this is a completely automated loop of "Find, freeze and fix".
CBR: Are there any performance issues you’re anticipating with this?
VA: Not from TIE and DXL (Data Exchange Layer) itself. Individual products face their own performance issues because of the role they play in the network. Too much traffic comes and at some point you get overloaded, but that is normal behaviour of every single product. TIE and DXL themselves are not expected to add any more to things.
CBR: It seems intuitive that processing more information would create would traffic.
VA: You’re only exchanging information, so I’m only going to give you the filename and push it it to everyone else. That’s a small set of characters, so I’m not going to overload anything. And how many times do I get a bad file every day? If I get a bad file every second we have other problems. I’m going to see a bad file once every several minutes or several hours so I don’t expect we’ll overload the system so much.
Again, it depends on how you configure it. If I want to go to the other extreme I could say every security event, everything a McAfee solution sees, gets pushed on this. My IPS itself sees millions of events a day. If a push all that on this there is going to be a performance problem, but only a small subset of those millions of alerts are interesting alerts.
CBR: So is it fair to say you won’t need to upgrade your hardware to install this?
VA: A hardware upgrade is not needed, in almost all cases it’s a software upgrade.
