Out Innovating the Adversary, Part 2

By Steve Grobman on Nov 22, 2017

My last post discussed the challenges of working to out-innovate our adversaries given the growing variety of objectives they might pursue, and the growing variety of methods they might use in pursuit of those objectives.

As mentioned, part of the answer to these challenges lies in thinking differently about threat defense, and in understanding that the correlation of detection technologies is as critical as their efficacy.

We also need to think about confidence. We benefit when independent technologies agree on what they are detecting. And we need to think about the nuances of how to maximize the value of modern threat defense technologies.

Let me give you an example outside cybersecurity.

Anyone who travels by plane must put their bags through an x-ray machine, and bags are either pulled off for inspection or not. If airport security teams were only measured on detection, they could achieve 100% detection rates easily. Simply pull and search every bag. In this sense, threat detection is easy.

But such a practice would create a lot of extra overhead in energy and labor costs, along with many false positives. That is why, when you think about threat detection, you can’t think about detection alone. Detection is easy. It’s threat detection without false positives that’s hard. In cybersecurity, where the adversary is constantly innovating, threat detection without false positives is incredibly hard.

Threat Detection is Easy… Threat Detection Without False Positives is Hard

To address this, we have thought carefully about the tools and capabilities we can use to solve problems like this. We have looked at the quality of each of our technologies and acted on our understanding of how false positives relate to detection.

For instance, given that I can achieve any level of detection if I’m willing to tolerate enough false positives, I can simply graph detection rate against false positive rate. The quality of the technology is indicated by the knee of the curve in the top left (below). Higher quality technologies ramp to high detection rates before intolerable false positive rates occur.

This also allows us to tune our technologies to give you the best outcome. We have looked at the underlying structure of threat defense and dialed in the right level of detection to give you a great outcome.

Either extreme gives a bad result. If we go too far to the left (below), to where we see the green dot, we have a lot of headroom: we could achieve a much higher level of detection without incurring the cost of false positives.

Similarly, if we go all the way to the right, we start getting many more false positives without increasing our detection rate. There is an area of optimal sensitivity between these extremes, and finding it is key to tuning the products we deliver to our customers.
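As an added illustration of the curve described above (this is not code from the post or from McAfee’s products, and the detector scores are constructed), the following sweeps a flagging threshold over scored samples, computes detection versus false positive rate at each point, locates the knee, and finds the best detection available under a given false positive budget:

```python
"""Detection vs. false-positive trade-off for one detector.

Added example, not McAfee code.  SAMPLES is a constructed set of
(detector_score, is_malicious) pairs; a higher score means "more suspicious".
"""

SAMPLES = [
    (0.95, True), (0.91, True), (0.88, True), (0.84, True), (0.79, True),
    (0.72, True), (0.61, True), (0.55, True), (0.40, True), (0.20, True),
    (0.70, False), (0.52, False), (0.45, False), (0.38, False), (0.33, False),
    (0.30, False), (0.25, False), (0.18, False), (0.10, False), (0.05, False),
]


def rates_at(threshold, samples):
    """Detection rate (TPR) and false-positive rate (FPR) when every sample
    scoring >= threshold is flagged."""
    pos = [s for s, malicious in samples if malicious]
    neg = [s for s, malicious in samples if not malicious]
    tpr = sum(s >= threshold for s in pos) / len(pos)
    fpr = sum(s >= threshold for s in neg) / len(neg)
    return tpr, fpr


def curve(samples):
    """One (threshold, tpr, fpr) point per distinct score, strictest first.
    Walking this list left to right is moving along the curve in the post."""
    thresholds = sorted({s for s, _ in samples}, reverse=True)
    return [(t, *rates_at(t, samples)) for t in thresholds]


def knee(samples):
    """The top-left knee: the point maximising detection minus false
    positives (Youden's J); ties go to the lower false-positive rate."""
    return max(curve(samples), key=lambda p: (p[1] - p[2], -p[2]))


def best_under_fp_budget(samples, max_fpr):
    """Highest detection rate reachable while FPR stays within the tolerated
    budget.  A budget of 0.0 is the 'green dot' far to the left: detection
    that leaves headroom on the table rather than spend any false positives."""
    affordable = [p for p in curve(samples) if p[2] <= max_fpr]
    return max(affordable, key=lambda p: (p[1], -p[2]))


if __name__ == "__main__":
    for threshold, tpr, fpr in curve(SAMPLES):
        print(f"threshold={threshold:.2f}  detection={tpr:.1f}  fp_rate={fpr:.1f}")
    print("knee:", knee(SAMPLES))
    print("zero-FP operating point:", best_under_fp_budget(SAMPLES, 0.0))
```

Printing the curve shows the right-hand extreme as well: below a score of 0.20 every sample is already detected, so each further loosening only adds false positives.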

At McAfee, we’re looking at each technology on its own, optimizing it to give customers the best outcome, and then making it work with all the other technologies in your environment to provide the best aggregate set of capabilities.

Strategy Anchored in Understanding

We have anchored the McAfee strategy on understanding adversary counter-evasion, and we’re investing in the building blocks we need to out-innovate the adversary.

We think about machine learning, but do so intellectually, understanding that every model will eventually be evaded.

Threat research is incredibly important because understanding what the adversary is going to do next allows us to go where the puck is going to be, not where it currently is.

Being able to amplify your incident responders and other security operations personnel gives you the headroom to actually do the investigation needed to out-innovate the adversary.

It’s also important that we don’t think about technologies in a vacuum for any product. For instance, we use many forms of analytics and data science and we use each of them across our product lines, from the backend systems of McAfee Labs to the endpoint.

McAfee Advanced Threat Defense (ATD), our sandboxing technology, can take the output of all the capabilities that different elements of the gauntlet provide to come to a better conclusion, a higher-quality analysis of whether a sample is malicious or benign. We’re using it in our enterprise endpoint product to counter adversarial machine learning.

Our McAfee Investigator product is all about the concept of human-machine teaming, amplifying how your incident responders and operations personnel can benefit from using this technology. Here we use machine learning to separate the good, from the bad, from the unknown, and then allow human intellect and intuition to determine critical context and next steps.

The only way McAfee is going to help you out-innovate the adversary is if McAfee out-innovates everyone else in the industry. I’m committed to helping lead the 7,000 employees at McAfee in embracing innovation as the only way we can win this battle.

One of the things you will always see from McAfee is a high level of intellectual honesty about our technologies, what their capabilities are, and how we’ll innovate and build upon them to address the future attack landscape. Our commitment to you is to build capabilities that not only work well when you install them, but also further down the line, when you need resilience, efficacy and stability.

About the Author

Steve Grobman

Steve Grobman sets the technical strategy and direction to create technologies that protect smart, connected computing devices and infrastructure worldwide. Grobman leads McAfee’s development of next generation cyber-defense and data science technologies, and threat and vulnerability research. Prior to joining McAfee, he dedicated more than two decades to senior technical leadership positions related to cybersecurity ...
