One question I often hear is “When will McAfee publish a report on the latest threat?”
It seems to be a hot trend today for security companies to offer reports with topics such as “Operation X” or “Malware Y,” or to trumpet how many zero-day vulnerabilities they have found. Do we now measure a security company on the quantity of whitepapers it publishes or the number of zero days it discovers?
Publishing is a valuable activity, but there is a huge difference between a well-researched threat analysis and a “for the sake of media attention” report. A good analysis will explain the techniques of an attack and offer guidance to help customers or the public learn from the incident and adapt their defenses to combat future threats—that’s threat intelligence.
A security company should be measured by how well it helps customers prevent and mitigate threats with its products, by its response time and openness in addressing newly discovered vulnerabilities, and by its effectiveness in implementing detection and protection in its products.
I was amazed at how quickly and with what dedication our people in many teams around the world worked to address the recent Shellshock vulnerability. Some teams quickly set up honeypots around the globe to learn how the attackers were abusing this vulnerability and used the lessons they learned to create network IPS rules for McAfee Network Security Platform. In fact, McAfee products began detecting and preventing attacks that exploited the Shellshock vulnerability within 24 hours of its public announcement. Detailed signatures were ready within 48 hours.
Over the years I have seen many headlines based on reports from companies that were quick to publish their findings. But that doesn’t mean they were the only companies to look into those threats. As those reports were being written, our researchers were often working diligently to analyze and counter the threats. Many threats we analyze never appear in the press, because we respect the nondisclosure agreements we sign with our customers. We would rather be regarded as a trusted partner who knows when to keep silent than as a publicity seeker. In some cases we quietly update our products; in other cases we talk to our customers and agree on when to release updates. We publish some of our analyses only after law enforcement investigations have become public.
In recent years, we have analyzed a large number of targeted attacks, also known as advanced persistent threats, or APTs. During these investigations we map our findings against the phases of the “APT kill chain.” The kill chain describes the phases of a targeted attack and shows where it might be possible to stop the attacks:
[Figure: Phases of the APT kill chain.]
In most APT attacks the modus operandi is the same: the attackers may use different tools, but their techniques are usually quite similar. By analyzing targeted attacks, we offer our customers insight into the weaknesses in their organizations—and help them strengthen their defenses.
Given the weekly published reports of destructive attacks, sophisticated malware, and newly uncovered vulnerabilities, I can imagine anyone might lose track of what is important. Reports certainly offer insight and thus have value, but they pale in comparison to the value of timely, effective protection reliably delivered every day.