LAS VEGAS -- At its annual customer and partner conference this week, IT security vendor McAfee announced a sizable...
new effort to integrate threat intelligence data across its product line. While attendees expressed optimism, industry analysts fear lacking threat intelligence standards will hinder adoption.
McAfee, now part of the Intel Security group at Intel Corp., is adding a new type of data-exchange layer code to all of its existing products -- from McAfee endpoint security software, to ePolicy Orchestrator management, to network firewalls and more -- so they can all share threat intelligence data about possible malware or attacks through its new server-based product called the McAfee Threat Intelligence Exchange (TIE).
But McAfee has greater ambitions for its data-exchange layer technology, namely making it openly available to be licensed by third-party security vendors in the hopes they too will add it to their products and enable broader threat intelligence sharing via McAfee's TIE.
"The data-exchange layer is an environment to share information," Mike Fey, executive vice president, general manager of corporate products and CTO at McAfee, said Monday in an interview with SearchSecurity.
During his keynote address today at McAfee's annual Focus Conference for enterprise customers, Fey highlighted McAfee's strategic push to get the rest of the security industry to support TIE.
"We invite competitors to partner in it," he said. Fey added the first iteration of TIE, which just shipped last week, is oriented toward on-premises deployment, but McAfee is looking at how it could take the TIE approach into cloud environments in the future.
Customers, partner support McAfee TIE
Will McAfee's strategy to draw vendors into its orbit in order to share threat intelligence actually work? And will enterprise security managers use TIE, even though it will mean a new learning curve and investment?
So far, security vendors CyberArk Software Ltd., Titus Inc. and ForeScout Technologies Inc. are on board, and according to Fey several more are in discussions to license the data-exchange layer technology.
And there's clearly enthusiasm among some of McAfee's enterprise customers for TIE, which the vendor describes as a server that collects information about suspicious code, which could be malware or attacks, so security managers can take action to track down possible breaches. Security practitioners can also use it to generate a remediation response through McAfee endpoint and network security products.
"We're definitely going to be using it," said Sumit Sehgal, chief information security officer at Boston Medical Center, who attended Focus this week. Sehgal, who's seen the early version of it and provided development feedback to McAfee, says TIE is like a "brain" that says something seems to be amiss and should be investigated. In the case of zero-day malware, for example, it might mean sending suspicious code to be checked by McAfee's Advanced Threat Defense appliance.
Sehgal said he hopes the data-exchange layer technology is adopted by other security vendors, but regardless, he will proceed with using TIE because it will broaden the information he wants and needs to assure data is secure on the network.
"We are going to invest in Threat Intelligence Exchange," said Christophe Hazemann, head of information technology production for automotive glass vendor Carglass in France. The reason is to bring "all the components together" for security, said Hazemann. "That's the key for us. That's the future of security."
Some system integrators are also backing TIE. "It's the early days," said Neil Campbell, an Australia-based group general manager for security at network and security services firm Dimension Data, about TIE. "But if you're a McAfee shop, you'll definitely get more value for security products with it."
In terms of pricing, McAfee indicated the estimated cost would typically be based on endpoint security software deployment, with pricing at $18 per node or less based on volume.
Analysts leery of lacking threat intel standards
But industry analysts also have some cautionary words about McAfee's threat-intelligence sharing approach.
In a presentation Tuesday at Focus, Stamford, Conn.-based Gartner Inc. analyst Lawrence Pingree pointed out that Cisco Systems Inc., Juniper Networks Inc. and ForeScout Technologies Inc. all have their own threat intelligence-sharing technologies. He noted think tank MITRE Corp. also has come with the so-called STIX and Taxii specifications, which are open. He said these all represent competing approaches in many regards and enterprise customers will have to choose among these if they want to ride this early wave of threat intelligence sharing.
"There are no standards here," said Jon Oltsik, principal analyst at Milford, Mass.-based Enterprise Strategy Group about threat intelligence sharing. Although Oltsik said McAfee has a great idea with its data-exchange layer technology, more needs to be known about how open it really will be.
Fayaz Khaki, associate director and analyst with Framingham, Mass.-based IDC, highlighted the increasing competition by noting that Symantec Corp. is doing something similar to McAfee in partnering with other vendors while developing its own threat information sharing capabilities.
In general, Khaki expects that the larger enterprises with substantial in-house security expertise will be the first to test McAfee's data-exchange layer technology. And he sees financial services firms, for example, as likely first adopters -- more so than manufacturing or retail companies. But he has doubts that small and mid-sized businesses have the wherewithal in terms of investment and skillset to use this, though if some sort of outsourced managed service could be provided, it could hold more appeal.
Chris Young, only two weeks on the job as senior vice president and general manager of Intel Security following his departure from Cisco, yesterday said he regards TIE and the data-exchange layer technology as a key ingredient that can help bring together the highly diverse array of security products offered by a multitude of security vendors.
"The industry is way too much fragmented today," Young said. "If you use 115 security products, which one is supposed to stop the threat? That's why we're delivering an integrated architecture."
Threats expert Nick Lewis details how threat intelligence feeds can give enterprise security the upper hand.