McAfee Stonesoft Strategy Includes Incident Response

McAfee took a step closer to fully integrating its Stonesoft next-generation firewall acquisition. The company created a fully interconnected platform designed to not only detect advanced threats but also automate the process of quarantining and removing malware from infected systems.

McAfee (now called Intel Security) showcased its integration strategy to analysts and press at RSA Conference 2014. The company demonstrated how Stonesoft's malware detection engine and file behavioral analysis sandbox connects to its endpoint security software and other components via a new data exchange layer created by its engineering team. The goal is to quickly spread threat intelligence information to a variety of products in the portfolio for better protection, said Michael Fey, the company's worldwide chief technology officer.

"Our goal was to change the way we look at the problem," Fey said. "McAfee and Intel are not just creating a better firewall, we're combining it with endpoint security and a variety of other components to bring it into high-end detection."

[Related: McAfee Emboldens Channel With 'Hot' Growth Opportunities, New Incentives ]

Sponsored post

Fey said the rest of the security industry is talking about creating ways to better detect custom malware, but few vendors are addressing automated incident response once a threat is detected. The message resonates with solution providers in the channel who say they are selling advanced threat detection platforms from Palo Alto Networks, FireEye and other vendors, but often their clients don't consider incident response until after a system is fully deployed and turned on.

McAfee is joining a long line of vendors that are trying to bridge network security and endpoint security to better detect and increase visibility into potential threats, said Cliff Sweazey, who has been a McAfee partner since the company acquired email and web security vendor MX Logic in 2009. For example, FireEye is in the process of integrating its $1 billion Mandiant endpoint security acquisition.

Vendors are building out their platforms, adding capabilities and new products that some businesses won't necessarily find very useful. Sweazey, who is also a Fortinet partner, said the one drawback to many of the vendor strategies is increased complexity, which leads to configuration and manageability issues, and ultimately opens up weaknesses that can be targeted by an attacker.

"Every vendor wants to penetrate the client as deep and as wide as possible," Sweazey told CRN. "Often we see these strategies aimed at sweeping across the product portfolio to help the customer gain visibility across the network, but how well and how easy it is to get it all working seamlessly together is yet to be seen."

NEXT: Race For Advanced Threat Detection

FireEye has disrupted the network security market, causing McAfee and other vendors to race to build out their portfolios for advanced threat detection, said Joe Luciano, CEO of Access It Group, which partners closely with McAfee for endpoint security and Check Point for network security. Luciano said he has been watching endpoint and network security vendors come much closer together in recent years.

"Up until now, endpoint and the network never collided because they were totally different worlds fundamentally and philosophically," Luciano said. "It might make it much easier for enterprises to address their IT security requirements by simplifying it to a suite of four or five different products rather than multiple layers of complexity."

The integration of data and workflows for automated response enables McAfee products to immediately shut down malware communications to remote servers and block infected systems from reaching the Internet, said McAfee's Fey. Noticeably absent from McAfee's strategy is the company's ePolicy Orchestrator and its ecosystem of roughly 180 technology partners. When pressed by those in attendance, McAfee executives acknowledged that a complete standardization on McAfee's portfolio would be difficult to nearly impossible for most businesses, and pledged to work with technology partners to create integration points that tie into its new data exchange layer.

The ePO will continue to be a central management console for McAfee, but what was missing was a security incident response center component, said Peter Firstbrook, a research vice president at Gartner. Firstbrook said McAfee's new data exchange layer is a much-needed update to better connect its products. Look for the company to open it up to its technology partners, Firstbook said.

"They are making the case that the reason why you would buy multiple McAfee components now is because integrated components work better together," Firstbook said. "It's been too hard for businesses to piece this all together, and McAfee is saying that this will make the process easier over time."