igor - Fotolia

Pure-play cyber security has real value, says incoming McAfee head

Intel Security has outlined its strategy to protect the new digital economy as it gears up for innovation as a new independent pure-play security firm under the McAfee banner

There is real value in being totally focused on cyber security, according to incoming McAfee chief executive Chris Young, currently senior vice-president and general manager of Intel Security Group.

The McAfee brand is to be resurrected after the company was acquired by Intel five years ago in a $7.7bn deal  and later rebranded as Intel Security only to be spun off in 2017 as an independent company in partnership with investment firm TPG, with Intel retaining a 49% stake.  

Young, general manager of Intel Security for the past two years, will be chief of the new firm and will retain his current leadership team.

“When we become an independent company, we are going to accelerate a lot of what we are doing today, but one of the main differences is that we will be 100% focused on cyber security as a company at the company level,” he told Computer Weekly at Intel Security’s annual Focus conference in Las Vegas.

“And that puts us in a bit of a different position. While all technology companies need to be part of the cyber security fight, there is real value in those that are dedicated to cyber security as a problem set that we are trying to solve, which will allow us to innovate in different ways.”

Young said that although the company was already bringing to market a number of new technologies and systems, to be announced at Focus 2016, once it was independent, there would be a strong emphasis on growth and keeping pace with what was going on in the cyber security industry.

“From my perspective, the cyber security space is the most dynamic part of the overall IT landscape, so as much as IT and technology is changing, cyber security is changing that much faster and so those of us who play in this industry have to grow and innovate very quickly,” he said. “So I view our future as McAfee as an accelerator of what we are currently doing.”

Young said the company’s new tagline was “together is power” and that one of the main differentiators for the newly independent McAfee would be the fundamental thesis that business must organise and unite customers’ threat defence architecture, which goes beyond integration.

Real orchestrated systems

In 2016, said Young, the company was delivering a number of “automated use case-driven workflows”, but the organisation’s future vision was to drive “real orchestrated systems”.

“The journey from integrated capabilities to automated use case-driven workflows to orchestrated systems is how I think of the evolution of our business and of where our industry needs to go,” he said, “because the past of this industry, and even our own portfolio, has been a lot of point products that are knitted together in customer environments, but without the real integration, automation and orchestration that is required to be resilient enough to deal with the changing nature of the threats that we see.”

Everything the company announced at Focus 2016 was aimed at enabling it to build towards that orchestrated future, he said, but that did not mean customers would have to use McAfee products and systems from end to end.

“This week, we will be making a number of partner announcements, as well as new products and system announcements, and that we are opening up the McAfee data exchange layer [DXL] to make it available to everyone in the industry to do threat intelligence sharing in Real Time between and among the different point products in their infrastructure,” said Young.

“Opening up DXL is a massive announcement for us and shows we are aiming to integrate multiple capabilities in our customers’ environments.”

DXL provides a standardised application framework to integrate technologies from different suppliers with each other and with applications developed in-house.

According to Intel Security, DXL is the most highly adopted technology among major players as a way of enabling different technologies to work together better.

To accelerate that, Intel Security is opening DXL to the industry as a “concrete means” of disrupting the cyber attackers’ advantage.

Open source strategy

Through an open source strategy and the beta release of a new software development kit (SDK) for DXL, the company said white hat organisations and technology providers “will gain the ability to attach to a shared real-time communication fabric and exchange security intelligence as well as orchestrate actions for the shortest possible execution of the threat defence lifecycle”.

The theme for Focus is the “second economy”, which refers to the virtual economy based on the provision of services through machine-to-machine communication and interaction through connected networks and systems with no human involvement.

“The second economy is more trust-related and, as we move from a physical to a virtual economy, the trust factor and our ability to deliver a real cyber security capability will be more important because we are moving into a world where computing is a pervasive element of how we live our lives,” said Young.

For this reason, it was important to have a security model for the emerging, virtual and trust-based second economy, which would otherwise struggle to grow, he said.

“Cyber criminals are forcing cyber security companies to redraft the rules of engagement for defending the civilised world,” said Young. “To effectively counteract them, we have to abandon old security playbooks to become more unpredictable and collaborative and make cyber defence a priority.

“Our strategic charter is simple, yet disruptive: integrate, automate and orchestrate the threat defence lifecycle to drive better security outcomes – ultimately reducing more risk, faster and with fewer resources.”

Sharing threat information

The importance of sharing threat information was a key theme in Young’s keynote presentation at the RSA Conference 2016, when he highlighted his company’s participation in the Cyber Threat Alliance (CTA), a cross-industry initiative set up to foster the sharing of information about cyber security threats.

“We are still actively working with the CTA and we are driving towards a future that is going to be truly ground-breaking for industry,” he said, adding that more announcements about that were the pipeline.

According to Young, the new company will continue its dedication to threat intelligence sharing, not only through the CTA, but also by opening up DXL. “That is a contribution we are making in our technological fabric for cyber security that is going to enable organisations to do real-time threat intelligence-sharing between the different security control points in their infrastructure,” he said.

“As we build on open DXL with the industry and our partners, it is going to open up a whole new set of use cases for how our different products and systems communicate with each other and share.”

Read more about Intel Security

Another key theme of Young’s RSA Conference keynote was the value of automation in freeing up human resources to take care of the more challenging security threats and strategic approaches to data defence.

“Our strategy is built around the ‘thread defence lifecycle’ – protect, detect and correct,” he said. “Those are the three phases of a closed-loop set of actions when an organisation is under attack, but historically the tools, processes and approaches were disconnected across that lifecycle, and so we are giving customers the ability to prosecute that lifecycle in a fully automated way to get the full value of this approach.”

Young said that in the company’s dynamic endpoint system, for example, it was adding to protection through something called dynamic application containment, which restricted access to resources to any new file that was not known good or known bad.

“The problem is that if you automatically block something that is not malicious, then you risk upsetting people in the business by disrupting their work,” he said. “But at the same time, you do not want to expose yourself to a zero day attack by allowing something that is unknown to have unfettered access to resources on a device. So dynamic application containment allows you to restrict resources on the machine, so you do not allow a full-blown zero day attack without disrupting the business.”

Machine-learning capability

Young said the company was also going much broader and deeper on detection by adding machine-learning capability through a new capability called “real protect”, which has both on-device and in-cloud machine-learning capabilities.

“This enables organisations to do both pre- and post-execution analysis of files that land on these devices, opening up a whole new set of detection capabilities by doing static code analysis and behavioural analysis, which are both important for a comprehensive look at zero day and similarly difficult-to-find attacks,” he said.

The company has also integrated McAfee active response, which enables organisations to conduct cloud-based trace detection and analysis. This means that if something gets through that is later found to be malicious, organisations can go back to identify where the threat landed in the environment.

“All of this is now being delivered in a common system that runs across all endpoints and is managed all in one place with our e-policy orchestrator,” said Young. “This is a great example of how we are automating to get the full closed-loop threat defence lifecycle capability in one system, which otherwise would require organisations to work across four or five different systems.”

Another area of focus for the company is securing the internet of things (IoT), but Young said it was important to think about which industry vertical was involved.

“You need to consider whether you are looking at IoT for the home or whether you are looking at it in the context of manufacturing or healthcare,” he said. “It is important to start with where you are in the domain, which enables you to understand what type of attacks you need to worry about and which attack vectors are important.”

IoT is technology transition

Young said the IoT was about connecting devices and experience, and bringing computer-generated experiences into the physical universe. That is what the IoT really represented: a technology transition, he said. It was not a market, but a movement, an evolution.

“And, depending on which industry you are in, that will have different implications for security and what you are looking to protect,” he said. “To determine that, you have to consider the risks of connected devices and connected experiences in a particular environment.”

The IoT botnet attack on domain name system (DNS) services supplier Dyn in October 2016 demonstrated that even if an organisation has no internet-connected devices in its environment, it may still be the victim of an attack that exploits those connected devices.

“Clearly, we all have an interest in ensuring that the cyber security model contemplates the power of billions of connected devices and what that could mean in other, non-connected environments,” said Young.

Although Young said there was still a lot of work to do in this regard, he believed technological controls could be found.

“We work very closely with partners in manufacturing environments and healthcare, all of whom are working very diligently to implement cyber security for their connected devices and the data that they generate,” he said.

The connected home

One of the areas that Intel Security’s consumer-focused business was tackling was around the connected home, said Young. He pointed out that the company was planning some announcements on this subject at the Consumer Electronics Show (CES) in Las Vegas in January 2017.  

“This shows we are moving from being a provider of security mainly for PCs and computing devices to one that is going to provide capability to protect customers more broadly with all the different devices and connections they have got in their home environment,” he said.

“That kind of capability is going to be important, not only to protect against inbound attacks, but also in the long term against outbound attacks [such as the one against Dyn].”

Despite his conviction that technological controls could be brought to bear, Young acknowledged that, like everything to do with security, all stakeholders had a role to play, ranging from silicon producers to device manufacturers to IoT service providers and users.

“But even if device manufacturers step up and do more, you are always going to have cyber attackers who find a way to use the infrastructure we are connecting to their advantage, and that is where the pure-play cyber security companies have a role to play,” he said. “If you want to make any device, any software or any cloud application usable, it will be attackable. That is just always going to be true.”

Confirming that the new company’s strong financial backing from TPG would allow its leadership to start thinking about mergers and acquisitions, Young said the company believed in its vision of integrate, automate and orchestrate.

“As we evolve our business, we are going to look at how we build, who we partner with, and what gaps we have in achieving the strategy and the mission we have set for ourselves, and we will look at where mergers and acquisitions can play in the set of opportunities that we’ve got,” he said.

Read more on Hackers and cybercrime prevention