Defense Evolved: From Threat Intelligence, to Investigation, to Orchestration with DXL


In my last post, I discussed the attributes of our adversaries, the drivers behind their activities, and their recent attack methodologies. I also discussed the threat defense efficacy curve, which illustrates how cyber defense capabilities decline in efficacy over time as attackers develop countermeasures to evade them.


My FOCUS 16 keynote last week also explained how we can build more effective defenses that match our adversaries’ abilities to innovate and orchestrate.

At-the-Head of the Curve

It really all comes down to landing new technologies at the leading edge of the threat defense efficacy curve.

That is, it’s important that we add new technologies into our environment at the point where they can live with a high level of efficacy for the longest duration of time before adversaries develop countermeasures rendering them less effective.


To do this, McAfee is delivering a pipeline of technologies that can very rapidly be integrated and deployed into enterprise environments.

Last week at FOCUS, Brian Dye and Candace Worley showcased Real Protect and Dynamic Application Control. These capabilities will integrate within platforms like McAfee Endpoint Security, where it’s not about deploying an entire new product, but simply reconfiguring and selecting new functionality that can flow into the platform with a much lower level of effort than deploying entirely new solutions.

What we’re committing to is creating a strong pipeline of capabilities that is constantly looking at how to defend against the latest threats, including working on things that will counter some of the most difficult problems that we have in the industry today.

These capabilities could address the latest ransomware strains, or the challenge of real-time polymorphic packing of executables, where it’s very difficult to use traditional signatures or hash-based approaches because every time something is packed, it’s going to be 100% unique to a target victim.

Human-Machine Teaming

Today I explained that when we move beyond the individual technologies, we need to think about how we protect our environment overall. At McAfee, we believe the strategy really needs to be around “human-machine teaming.”

If you look at the “human” and “machine” elements of cyber defense, each of them has unique properties which, put together, can deliver the best possible solution.

Machine learning is really the only way we can deal with the massive scale of data required to analyze and understand cyber events within environments. But we also need to recognize that there will always be a human adversary on the other end of an attack, always working to confuse and evade our technologies. So, it’s absolutely critical that we put our incident responders and security operations personnel into the equation, where they can bring unique strategies and intellect to think like the attackers think.

To do this, however, we need to build out a new structure for talking about cyber defense.

Moving Beyond Threat Intelligence

For years we have been talking about threat intelligence, which started as object reputation and over time has come to include additional elements such as tactics, techniques, and procedures, or specific information about campaigns.

The problem with threat intelligence is it can tell you what the threats are, but it doesn’t actually tell you how to defend against them.

We need to augment this nomenclature with other key elements, namely, investigative methods to determine what is going on in our environments. We need visibility into events, analytics to process and determine what those events mean, and assessment recalibration to go from recognizing what is happening to deciding what must be done about it.

Finally, once we identify threats operating in our environments, we need to be able to orchestrate the right responses effectively and efficiently, allowing us to both recover and update our protections.

To build technologies that link threat intelligence, investigative methods, and orchestrated response capabilities together, we need a high degree of scalability from an infrastructure perspective, and the right underpinnings in the fabric upon which these capabilities rely.

McAfee built McAfee Data Exchange Layer (DXL) with these requirements in mind, and, this week at FOCUS, we announced that we are making DXL available as an open industry protocol:

From a connectivity perspective, DXL allows us to communicate about events with clients even when they are in complex network situations, and get information to or from them with ease. The protocol also favors efficiency, making sure that enterprises can move data across their networks once, and have one-to-many or many-to-one sorts of data transfers. Moreover, DXL enables a security model that allows integrity and attestation, such that data goes only where it should go.


My keynote featured an example of DXL in action.

We showed how command and control traffic could be reported to McAfee solutions by a Checkpoint solution, and allow McAfee defenses to quickly determine the right analysis and, later, the response.

Our demo system captured events and turned around and executed searches to determine where the event came from. Based on the “machine” results of the search, we humans then took action to address it. We could tag an impacted system and change policies if needed.

Finally, we sent a request to a Rapid7 vulnerability management solution, set a tag in an Aruba access control solution, and contained the incident within the network.  All with a sophisticated 218 lines of code.


This human-machine teaming example showed how our threat intelligence, investigative methods, and orchestration framework could be implemented by organizations.  Today’s announcement of the release of OpenDXL means that such a framework can be built with and even extended beyond McAfee and McAfee Security Innovation Alliance (SIA) partner solutions to include any number of other third-party solutions.

But, more importantly, it means McAfee customers can evolve however their situations require. They now have the power to design cyber defense capabilities unique to their environments, however specialized and complex they may be, whatever their functions or businesses are, and however they might be confronted on the cyber-threat landscape.

Please see the replay of my FOCUS’16 keynote for more information and insight.



Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from Executive Perspectives

Back to top