At McAfee, Protecting Customers Takes Precedence Over Seeking Headlines

By Christiaan Beek on Nov 21, 2014

One question I often hear is “When will McAfee publish a report on the latest threat?”

It seems to be a hot trend today for security companies to offer reports with topics such as “Operation X” or “Malware Y,” or to trumpet how many zero-day vulnerabilities they have found. Do we now measure a security company on the quantity of whitepapers it publishes or the number of zero days it discovers?

Publishing is a valuable activity, but there is a huge difference between a well-researched threat analysis and a “for the sake of media attention” report. A good analysis will explain the techniques of an attack and offer guidance to help customers or the public learn from the incident and adapt their defenses to combat future threats—that’s threat intelligence.

A security company should be measured by how well it helps customers prevent and mitigate threats with its products, by its response time and openness in addressing newly discovered vulnerabilities, and by its effectiveness in implementing detection and protection in its products.

I was impressed by how quickly and how diligently our teams around the world worked to address the recent Shellshock vulnerability. Some teams rapidly set up honeypots around the globe to learn how attackers were abusing the vulnerability, and turned those lessons into network IPS rules for McAfee Network Security Platform. McAfee products began detecting and preventing attacks that exploited Shellshock within 24 hours of its public announcement; detailed signatures were ready within 48 hours.
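The kind of rule those honeypot observations feed is easy to sketch. The example below is an added illustration, not McAfee's own signature: it scans a few constructed HTTP access-log lines (the log format, client addresses and User-Agent values are all made up for this example) for the Shellshock (CVE-2014-6271) trigger. The security-relevant detail it encodes is that vulnerable bash only imported a function, and therefore only ran the trailing commands, when an environment variable's value began with the four characters "() {"; CGI servers copy request headers such as User-Agent into exactly such variables. A strict, anchored match therefore identifies exploit-capable payloads, while a looser substring match also flags malformed probes at the cost of possible false positives.

```python
import re
from typing import Dict, List, Optional, Tuple

# Vulnerable bash imported a function from any environment variable whose value
# starts with exactly "() {" and then kept executing what followed the body.
# CGI web servers place request headers into such variables (HTTP_USER_AGENT,
# HTTP_COOKIE, ...), so the attacker-controlled header value is what a rule inspects.
STRICT = re.compile(r"^\(\) \{")    # value begins with a bash function import: exploit-capable
LOOSE = re.compile(r"\(\)\s*\{")    # "() {" anywhere, whitespace tolerated: catches malformed probes

# Constructed sample log lines (not real captures): client, request line, User-Agent.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /cgi-bin/status HTTP/1.1" ua="Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - "GET /cgi-bin/status HTTP/1.1" ua="() { :; }; /bin/bash -c \'id\'"',
    '10.0.0.7 - - "GET /cgi-bin/status HTTP/1.1" ua="(){ :;}; /usr/bin/id"',
    '10.0.0.8 - - "GET /index.html HTTP/1.1" ua="curl/7.37.0"',
]

# Hypothetical log layout used only for this example.
LINE_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<request>[^"]*)" ua="(?P<ua>.*)"$')


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into client, request line and User-Agent."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(header_value: str) -> str:
    """Classify an attacker-controlled header value.

    "exploit":    begins with "() {", so vulnerable bash would run the trailing commands.
    "suspicious": contains a "() {"-like token elsewhere or with odd spacing; bash would
                  not import it, but it is almost certainly a probe worth flagging.
    "clean":      neither pattern present.
    """
    if STRICT.match(header_value):
        return "exploit"
    if LOOSE.search(header_value):
        return "suspicious"
    return "clean"


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, request, verdict) for every parsable line."""
    results = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than guess
        results.append((rec["client"], rec["request"], classify(rec["ua"])))
    return results


if __name__ == "__main__":
    for client, request, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:10s} {client:10s} {request}")
```

The third sample line is the interesting one: "(){ :;}; ..." would not have triggered the bash bug, yet it is clearly an attacker testing for it, which is why an IPS rule built from honeypot data typically carries a loose variant alongside the strict one rather than choosing between them.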

Over the years I have seen many headlines based on reports from companies that were quick to publish their findings. But that doesn’t mean they were the only companies to look into those threats. As those reports were being written, our researchers were often working diligently to analyze and counter the threats. Many threats we analyze never appear in the press, because we respect the nondisclosure agreements we sign with our customers. We would rather be regarded as a trusted partner who knows when to keep silent than as a publicity seeker. In some cases we quietly update our products; in other cases we talk to our customers and agree on when to release updates. We publish some of our analyses only after law enforcement investigations have become public.

In recent years, we have analyzed a large number of targeted attacks, also known as advanced persistent threats, or APTs. During these investigations we map our findings against the phases of the “APT kill chain.” The kill chain describes the phases of a targeted attack and shows where it might be possible to stop the attacks:

Figure: Phases of the APT kill chain.

In most APT attacks the modus operandi is the same: the tools may differ, but the techniques the attackers use are usually quite similar. By analyzing targeted attacks, we give our customers insight into the weaknesses in their organizations and help them strengthen their defenses.

Given the weekly published reports of destructive attacks, sophisticated malware, and newly uncovered vulnerabilities, I can imagine anyone might lose track of what is important. Reports certainly offer insight and thus have value, but they pale in comparison to the value of timely, effective protection reliably delivered every day.


About the Author

Christiaan Beek

Christiaan Beek, lead scientist and senior principal engineer, is part of McAfee's Office of the CTO, leading strategic threat intelligence research within McAfee. He coordinates and passionately leads research into advanced attacks, plays a key role in cyberattack take-down operations, and participates in the NoMoreRansom project. In previous roles, Beek was Director of Threat Intelligence ...


  1. Thank you for your feedback Marc, and I fully understand your point around executive and upper management pressure. We will internally discuss your request with regards to the support site.

  2. I generally agree. However, when these threats make headlines, our executives and upper management pressure us to "check with McAfee to see if they have us covered". McAfee's silence is sometimes interpreted by them as a lack of response. It would be good if there were someplace in the support site where we could quickly check that the latest threat in the news was indeed addressed – or in process. We, as security professionals, understand your viewpoint. There are many threats that are just as bad, or worse, which do not make headlines. But for the ones that do make headlines, we need to be able to get a quick response that the threat is covered.
