Superhero-like Speed on DXL

By Chris Cole on Mar 03, 2017
Speed and Agility

Superheroes are part of the lore of American culture. The thought of a human being acquiring superhuman powers such as flight, invisibility or breathing underwater has always intrigued many of us.  Speed and agility is one of those sets of powers that has caught a lot of attention: the ability to transcend time and achieve a goal such as getting somebody out of the way of a speeding bullet.  One particular superhero is The Flash.  His ability to move rapidly has amazing advantages that ultimately can protect against disaster. It's time to adapt our cyber security abilities to be more like The Flash.

Enter the days of Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL), which bring exactly that kind of speed to the threat landscape: a new approach that produces a different outcome.

So many of us are living in the past regarding how we have implemented security technologies.   It's imperative that we start to focus our time on the unknown, to shrink the gap between malicious and safe.   Moreover, the way to change security outcomes is by changing the fundamental ways technologies interact, no matter their manufacturing origin.  Let's face it, we're tired and we need automation.

Many of us are still leveraging anti-virus signatures, which are important, and some of us leverage cloud detection plus signatures, but it's still a basic approach.  Signatures reflect a point in time and only address what is known.   It's a challenge to know every piece of malware and keep up signatures for each one. About 10 years ago, McAfee Labs would see about 20 or so new and unique pieces of malware a day, truly never seen before.  Fast forward 10 years and we see about 500,000 new pieces of malware a day.  It's time to automate and collaborate.

We are accustomed to the process of submitting malicious code to McAfee Labs, which can be time-consuming. While waiting for a response, the business isn't protected.  The malware is able to replicate itself and perhaps move laterally.

Here’s the general process that many of us use day to day –

  1. Hunt to find the infected endpoint
  2. Capture the malicious code
  3. Submit the malicious code to McAfee Labs.
  4. Now we wait for a response.  This could take a long time, 48 hours in some cases, depending on the complexity of the code.
  5. McAfee Labs distributes an Extra.DAT to the customer.
  6. The Extra.DAT is deployed to the environment over time.
  7. Next, a full scan of the endpoints would be done across the environment (hoping that the malicious code was eradicated and wasn’t polymorphic).
  8. If polymorphic – go back to #1 and start over.
  9. Reimage the endpoint and move on.

There is hope, however!  Advancements in architecture are enabling businesses to derive context out of every new file as it emerges in the environment.  For example, a new file is downloaded, and the endpoint and network controls work together to understand it.  What is it?  Why is it packed a certain way?  What is its source?  If these simple questions cannot be answered in a way that says "Safe," an automated workflow is triggered that correlates and analyzes the file.  The process checks public and private threat intelligence, detonates the file in a sandbox, and shares the result with the other security controls.

The sum of the security controls working together produces a "composite reputation," meaning many security controls combine their verdicts to establish the true reputation of the file.  Even if there is no signature, the file can still be eradicated from the architecture.  No more long drawn-out process.  How does that sound?

Enter the age of the Threat Intelligence Exchange (TIE).  In the TIE scenario, the architecture can quickly use many sources of information to answer the question of good or bad, safe or malicious.  If there is no local detection capability such as a signature in a DAT, a workflow is invoked that works to solve the problem.  The composite score is an aggregation of the engines working together to score the unknown file as good or bad.  By obtaining the score in this manner, TIE is in effect writing a signature on the fly, keyed on the file's hash rather than on a pattern, with little chance of error.  That reputation is what lets the file be eradicated, and it is socialized to every countermeasure in the architecture that is listening for updates on DXL: a publish/subscribe connection fabric that provides a secure, real-time way to unite data and actions across multiple applications from different vendors as well as your own.
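To make the composite-reputation workflow and the DXL-style fan-out concrete, here is an added toy model in Python. It is not McAfee code and does not use the real DXL brokers or client SDKs; the trust scale, thresholds, provider names, topic name, sample hashes and the aggregation rule (most definitive verdict wins, ties fail closed toward malicious) are all assumptions made for the example. It shows three of the cases the post describes: a file the cloud already knows, a file nobody has ever seen, and a file where two sources disagree, and in all three the verdict reaches every listening endpoint with no DAT involved.

```python
"""Toy model of composite file reputation distributed over a pub/sub fabric.

Added illustration, not McAfee code. The trust scale, thresholds, provider
names, topic name and sample hashes are all assumed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumed trust scale: 0 = known malicious, 50 = unknown, 100 = known trusted.
# How far a verdict sits from 50 is how definitive it is.
KNOWN_MALICIOUS, MOST_LIKELY_MALICIOUS = 0, 15
UNKNOWN, MIGHT_BE_TRUSTED, KNOWN_TRUSTED = 50, 70, 100
CONFIDENT_DISTANCE = 40   # a verdict at least this far from UNKNOWN needs no sandbox
BLOCK_THRESHOLD = 30      # trust at or below this is blocked on every listener
TOPIC = "/file/reputation/change"   # assumed topic name, not a real DXL topic


@dataclass
class Verdict:
    provider: str
    trust: int
    reason: str


class Fabric:
    """Minimal topic-based publish/subscribe bus standing in for DXL."""

    def __init__(self) -> None:
        self._subscribers: Dict[str, List[Callable[[dict], None]]] = defaultdict(list)

    def subscribe(self, topic: str, callback: Callable[[dict], None]) -> None:
        self._subscribers[topic].append(callback)

    def publish(self, topic: str, event: dict) -> int:
        """Deliver the event to every subscriber; returns how many received it."""
        for callback in self._subscribers[topic]:
            callback(event)
        return len(self._subscribers[topic])


class Endpoint:
    """A countermeasure listening on the fabric; it blocks by hash, no DAT needed."""

    def __init__(self, name: str, fabric: Fabric) -> None:
        self.name = name
        self.blocked: set = set()
        fabric.subscribe(TOPIC, self.on_reputation_change)

    def on_reputation_change(self, event: dict) -> None:
        if event["trust"] <= BLOCK_THRESHOLD:
            self.blocked.add(event["sha256"])


# Constructed sample intelligence; the hashes are placeholders, not real digests.
SHA_TRUSTED = "aa" * 32    # e.g. a signed vendor installer the cloud already knows
SHA_UNKNOWN = "bb" * 32    # never seen anywhere, no signature exists
SHA_DISPUTED = "cc" * 32   # cloud mildly trusts it, the sandbox disagrees

CLOUD_REPUTATION = {SHA_TRUSTED: KNOWN_TRUSTED, SHA_DISPUTED: MIGHT_BE_TRUSTED}
LOCAL_SIGNATURES: set = set()   # no DAT entry for any of the three files
SANDBOX_RESULTS = {
    SHA_UNKNOWN: (KNOWN_MALICIOUS, "injects into a browser process and beacons out"),
    SHA_DISPUTED: (MOST_LIKELY_MALICIOUS, "unpacks and drops a second stage"),
}


def cloud_lookup(sha256: str) -> Optional[Verdict]:
    trust = CLOUD_REPUTATION.get(sha256)
    return Verdict("cloud", trust, "cloud reputation") if trust is not None else None


def signature_lookup(sha256: str) -> Optional[Verdict]:
    if sha256 in LOCAL_SIGNATURES:
        return Verdict("signature", KNOWN_MALICIOUS, "DAT match")
    return None


def sandbox_detonate(sha256: str) -> Verdict:
    trust, reason = SANDBOX_RESULTS.get(sha256, (UNKNOWN, "no suspicious behaviour seen"))
    return Verdict("sandbox", trust, reason)


def composite_reputation(sha256: str, fabric: Fabric) -> Tuple[int, List[str]]:
    """Score a file from every available source and publish the result.

    Aggregation rule (assumed for the example): the most definitive verdict
    wins, and on a tie the lower trust wins, so a conflict fails closed.
    The sandbox is only invoked when no fast source is confident.
    """
    verdicts = [v for v in (signature_lookup(sha256), cloud_lookup(sha256)) if v]
    if not any(abs(v.trust - UNKNOWN) >= CONFIDENT_DISTANCE for v in verdicts):
        verdicts.append(sandbox_detonate(sha256))
    final = min(verdicts, key=lambda v: (-abs(v.trust - UNKNOWN), v.trust))
    fabric.publish(TOPIC, {"sha256": sha256, "trust": final.trust,
                           "provider": final.provider, "reason": final.reason})
    return final.trust, [v.provider for v in verdicts]


if __name__ == "__main__":
    bus = Fabric()
    fleet = [Endpoint(f"host{i}", bus) for i in range(3)]
    for sha in (SHA_TRUSTED, SHA_UNKNOWN, SHA_DISPUTED):
        trust, consulted = composite_reputation(sha, bus)
        print(f"{sha[:8]}... trust={trust:3d} via {consulted}")
    print("blocked on every host:", [len(ep.blocked) for ep in fleet])
```

The design choice worth noticing is the order of operations: the cheap lookups (local signature, cloud reputation) run first and the sandbox is only invoked when none of them is confident, so a known-good installer never waits on detonation, while a never-seen file still gets a verdict and that verdict is pushed to every subscriber the moment it exists. In a real deployment the enforcement policy (what trust level each control blocks at) is set per countermeasure, not hard-coded as here.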

Now the kicker: the whole process may seem like it takes a long time. In fact, the reputation lookups and their propagation over DXL happen in seconds, and a sandbox detonation, when one is needed, adds minutes rather than the days of the manual process.  This is the speed and agility that is needed.  This is how to keep pace with the large increase in malicious code that we see every day.  The days of automation are here, thanks to TIE and DXL. Together, they too warrant the name "The Flash."

Here are some questions to consider –

  • Are you still approaching anti-malware the same way you always have?
  • Are you using any third parties to help with detection?
  • Is your organization accustomed to just re-imaging an endpoint and moving on? What does that cost you?
  • Do you need automation to give time back to your security team?

About the Author

Chris Cole

Chris has over 15 years of experience in IT security & infrastructure, specializing in providing security awareness and solutions to protect businesses in the enterprise, commercial, healthcare and state/local government verticals. In the past 10 years with McAfee, Chris has primarily focused on security solutions for critical infrastructure in the energy sector, public/private and healthcare ...
