One Solution, No Confusion
Test Center | 01 October 2006
McAfee has been providing security solutions in the country for many years now, and its products have pervaded so many desktops, workstations and servers that I really do not need to explain what they are into. But even though you may be aware of the fact that McAfee is the company that “sells anti-virus software” for your desktop or workstation, it does not just stop at that. Kartik Shahani (Director Sales, India & SAARC) explained how the thought process of a company that is totally focused on providing AV solutions has evolved over the years as intrusions have become more sophisticated. Mr Shahani stressed the changes that have helped make McAfee what it is today.
Virus Growth Trend
KS: Initially there was an exploratory phase wherein viruses were pure nuisance value. This moved on to create real trouble, usually done by sending mass mails. Now it has taken a serious turn with financial gain as the objective. Anti-phishing, spyware, adware are all made for financial gain. There are more instances of tools like key loggers that try to gain sensitive information. There are many more avenues to attack because of the kind of devices, which have changed. The number of devices connecting to a network has increased. This results in innovative forms of attacks targeted at these devices (access points). Earlier, an attack was effective only when it involved some sort of interaction. Today, intrusions do not require any interaction at all. Blended attacks—where a Trojan and a bot are combined—have increased steadily. These might not even activate on the PC immediately. This has been the scene on the desktop front. It might gradually take on a similar pattern for mobile users also.
The Proactive Approach
KS: We found that virus attacks were getting faster in terms of their implementation worldwide. The timeline from when a vulnerability is exposed to the point when it is exploited has started shrinking. A signature file could not be generated fast enough if an attack was, say, a 3-minute one. By the time any vendor creates an antidote it will be an hour since the attack and there will probably be ten versions of it. This was when AV was very reactive in nature. The only way to solve this was to block the ‘root’, and this was done with IPS. IPS (Intrusion Prevention System) has become a very general term today, but we were the first ones to come up with this system. We did that using two companies—IntruVert and Entercept. The former came up with IPS technology on the network side. But that was not good enough because of attacks like SQL injection, which look valid when they go through the network. It was required to have a ‘host-based’ intrusion prevention also, and Entercept provided this. Now we have a host-based and a network-based IPS. IPS actually blocks the vulnerability. We took the IPS technology and moved it into the AV, making it proactive. The minute a vulnerability is blocked, any virus variants will not affect the machine. In December 2005, we detected a vulnerability for the 32-Gen virus; it was patched, and early this year the MyWife virus struck. Machines installed with our IPS-based AV products were the only ones that were not affected. The technology of signatures was also implemented in IPS because it is the fastest way of removing any infections in files that are to be scanned. This cross-pollination of technologies has improved the AV’s throughput.
KS: McAfee then acquired a vulnerability management and analysis company called Foundstone. The next thing that we did after making Foundstone our vulnerability management tool was introduce the McAfee Policy Enforcer (MPE). This is an “end point protection” product. This is meant for users who plug in to an office network. This is very essential if you have a large number of visitors (working on a contract basis) logging into your network. You cannot allow them to log in if their machines do not comply with the organization’s security policies. But they have to have access to the network so that they can do the work the organization has employed them to do. The system is first checked to see if it complies with the requirements of the organization. If it does not, it goes into a “quarantine” mode. Only after it is completely patched up is it allowed out of quarantine.
Simplified Administration
KS: SiteAdvisor (protects your browser from spyware and phishing sites) is integrated with the rest of our products. If you have it on a gateway then you - as a corporate - can decide that employees should not access any file/site that is assigned as “red”. A system like this can be easily enforced at the gateway with the help of a network-wide policy. The policy template is provided by PreventSys (a risk and compliance management company McAfee acquired recently). This is not domain-based or IP-based, therefore it becomes easier to administer. Let’s take an example of a company that needs to adhere to certain security guidelines in order to achieve an objective. The rules that need to be followed are set by using a ‘compliance template’ – made with policy enforcing and management software like PreventSys or Foundstone. The products are able to audit systems constantly so as to make sure that the desktops continue being compliant with the template that was created. If a user/desktop does not comply with a parameter in the policy, then a report will be generated stating the vulnerability and the reason for the lapse. McAfee is not looking at detection only. We are looking at providing solutions that have prevention attached to them – IPS does exactly that.
A trusted network solution
KS: Cisco has been stressing the “trusted networks” concept for a while now. It is about NAC (Network Access Control). The problem was that it required recognition on a hardware level. If you had a router from 3Com and a switch from Cisco—it would not work. A 3Com router did not support the solution. You needed to have hardware that supported Cisco’s solution for trusted networks. Trusted networks would only work on Catalyst switches of the 6500 series and above. This meant that customers who liked the idea of a trusted network were confronted with a huge expense because of the prospect of a complete hardware upgrade. We came up with a software-only solution called NAC—which is agnostic to whatever switch/router is used in a network. It can be implemented at a fraction of the cost that would otherwise have to be spent in the scenarios mentioned above. You can have a mixed network environment and NAC will still work well along with MPE.
A single product
KS: We noticed a lot of customers had one grouse – every time they approached us there would be one more product to buy and install. So if you needed an anti-virus you would install an AV, and if it was spyware then you would have to install anti-spyware. The list could go on—when would it end? At the end of all this the PC would be full of these “anti-solutions”, eating up system resources and leaving the user with no space to run other applications. This was a cause for concern. We released Total Protection (in April this year)—one agent which included anti-virus/malware/spyware/adware/phishing, etc. Total Protection is not a suite of products—it is a single product. It collectively uses 40 percent fewer resources than all the separate products installed on a system. If you were to buy any McAfee product it would communicate with ePO (ePolicy Orchestrator). Every technology that we procure is pushed into this reporting module. This is better than having different consoles for the gateway, host, signatures, etc. Effectively, you have a single “agent”. This means that to keep your system secure all you need to do is download a single “DAT” file to update the firewall, AV, anti-spyware, etc.