A Conversation with Intel Security (Part 2)

Douglas Cooke

Douglas Cooke, Director of Sales Engineering, Intel Security Canada

July 4, 2016

Intel Security Director of Sales Engineering Douglas Cooke sat down with Northern Micro on June 29 to discuss the security landscape, competitors and Intel Security’s measures to address cyber-security. What follows is the second part of their conversation.

What is Intel Security doing differently to respond to these cyber security threats compared to other vendors?

So the primary change that we’re making is that, to some extent, the industry or parts of the industry have been concentrating on protection. That includes things like firewalls and antivirus. In the early days, those were pretty effective technologies – you could keep out the vast majority of hacking activity in your environment with these protection vehicles.

But going from 300 viruses a day to half a million, you certainly have to admit to yourself that although you’ll have as strong a protection mechanism as possible and use all the latest techniques for protection, you are going to be compromised at some point. Therefore, you have to build up capabilities that start to think about detecting anomalous and suspicious activity in your environment, and allow you to use that detection of suspicious stuff to see if there’s something that shouldn’t be going on and react to it.

In the past, you used to be able to just rely on the protection. Now you can’t; you have to be in a position where not only are you protecting, but you’re watching for suspicious activity, and you’re putting mechanisms and technologies in place, like SIEM and other things, that allow you to monitor for suspicious activity that can be highlighted for a knowledgeable analyst who can say “That is bad, and it’s not caught by a protection mechanism, and I’m going to go clean that up.” We call it protect, detect and correct.

“We call it protect, detect and correct.”

These new tools we have to complement protection include detect and remediate when you detect a problem; and that’s the fundamental change we’re taking and leading.

So other industry leaders are also following a similar approach to the “protect, detect and correct” model. What’s different about Intel’s security model vs. theirs?

The industry is adopting that partly because industry players like Forrester or Gartner are driving it that way. The challenge for most other vendors is that they only have a single point product: they might have a protection mechanism, or they might be protecting email. They’re only point products, and the thing that differentiates us, and what we believe, is that you have to have an ability to coordinate the variety of security and protection tools that you have and add detection and correction capabilities to them, in addition to having them work together.

One of the big things about this is that you need the visibility that all of the individual tools can give you. Things like the firewall have a few alerts showing this kind of activity, and the antivirus is getting some alert showing this activity. You need to be able to take that information, put it into systems, analyze it and correlate it; and from there, see some suspicious activity in your environment. And you could always do that using the fact that you can bring together a number of protection tools and complement them with these detection capabilities so you have greater visibility.

The reason that we’re different is that for a number of years we’ve had multiple security technologies that we’ve been working to make work well together. We integrate them closely, take advantage of the data they generate to correlate and analyze, see suspicious activity and then use the unique tools we have to go and correct the environment when we find the problem. We’re really one of the only vendors positioning themselves across the endpoint and the network to have a fully connected, integrated set of tools that do protection, detection and correction.

So for example, Fortinet would say something slightly different from that, and Cisco, for example, would also say something similar. They appear to have a very similar approach to having multipoint security, much like how you’re describing Intel’s. So what is Intel doing specifically that would be better or different than, say, Fortinet’s solution?

There are some other vendors that are saying that they have an integrated approach, but what truly differentiates us is the way we’re doing that integration.

The challenge has been that customers have taken the burden of integrating. So if you look at banks for example, they’ll have a mail gateway from somebody, they’ll have a web gateway from somebody else, and they’ll have an endpoint protection product that’ll have a management console. And they would actually do a lot of work to integrate those tools – they would do combined reporting, and they would maybe try to set up scripts to have those systems work together. So in the past, most of the burden has been on the customers to integrate these various security tools.

Intel Security understood that about 5 or 6 years ago, and we developed this special technology called the data exchange layer. This is a message-bus infrastructure that is designed to allow security tools from any vendor to be able to share information to support integration activities. And this is a technology we’re putting in place – we’ve primarily concentrated on getting our own tools to work well to demonstrate how it works. Now with vendors starting to do the integration, the challenge has been that when they go to integrate, for example if Blue Coat wants to integrate with an endpoint vendor, they’ve got to have their product managers discuss with each other, build APIs and build software that allows those two particular point products to integrate. That works, and over time they could have a large series of integrations; but it’s just not scalable. If Blue Coat makes a change to their software, that might impact their APIs and they would have to change them. There’s just all this work that has to be done between all these vendors to keep this integration going over time, and it’s just not practical.

“And that works, and over time they could have a large series of integrations. But it’s just not scalable.”

We work with a small number of partners to demonstrate that we can work outside of our own ecosystem and bring in the partner community, and we’ll expand that over time; but the idea is that once integration is built using this message bus infrastructure, it is scalable, and it can change over time as these companies change. It doesn’t need to be a point-to-point, and it really can work as a community capability to allow these products to work better together over time.

So it’s taking more the platform approach?

Yes. The word platform is key here. It is a platform approach where you have a series of security capabilities that have an underlying platform that allows them to share data and integrate together.

The sharing is the idea that it’s a publish/subscribe model. So if there’s information that’s available on one component of your security capability, in this case it would be your intrusion prevention that’s happening in your network. If it sees something happening, maybe it’s an alert or it’s a suspicious file, it can pass that information to be evaluated by another technology.

The example would be: let’s pass that file to the sandbox, which could be anybody’s sandbox in the general context. So that sandbox would evaluate it; the file gets passed through the message bus, and the sandbox sees it through the message bus and says “I’ve got a file that’s been put along the message bus. What do I do with the file? I analyze the file, create some results and publish those results to the message bus.” The results would go back to the intrusion prevention system and might say “That’s a bad file, convicted,” and the IPS would stop that file from going through.

But the great thing about that message bus is that the information about that file can propagate across the message bus to any other security technology that’s on the bus. So maybe there’s an endpoint technology on there that says “Hey, we just found this bad file in some other place in the organization. We know it’s bad because we evaluated it on the sandbox. I should act on that, and I’ll go tell every other endpoint to be careful of that file.”

So from a technology standpoint, what are some of the important things that customers should consider when they’re evaluating technologies themselves?

They need to understand where their gaps are. So if they have a particular gap, they need to evaluate the capabilities and meet that gap; but they also need to evaluate how they are going to fit it into their overall security strategy and how the company is trying to tackle strategy in total.

Security is a program – it’s not this technology or that. It’s a program that encompasses a wide variety of controls and capabilities. And what they need to think about is having those controls integrated, so when they look for a new technology to fill a gap that they have, they should think about how that technology is going to fit in with the rest of the integrated technologies that they have.

Let’s switch gears then: let’s talk about the threat defence lifecycle. How would you describe that?

The threat defence lifecycle is built on top of the concept of protect, detect and correct. So we needed a mechanism where we could provide full visibility with the protection as an organization is operating on a day-to-day basis.

One of the things that we know is that as an organization continues to grow, they’re going to continue to do different types of business and move their business in different ways. Which means that they’re going to invest in different technologies to promote their business. These are not security things – these are things to move their business.

It may be that they need to move to cloud technologies to get more efficient in what they’re doing so that they can offer some of their processing databases and move them up to the cloud to be more efficient, save some money and provide greater options from a bursting capability. So we know that companies are going to change over time.

At the same time, the security risk is changing because the hackers are always doing new things. Whatever new technologies come out and whatever new things users are doing, the hackers are always adjusting. So you need to have an ecosystem that allows you to adapt over time.

The lifecycle incorporates protection, detection and correction. So the idea is that we’re going to do as well as we can with protection: we’re going to have very strong mechanisms at the endpoint and at the network to stop the obvious and known malware threats that are coming through. And then we’re going to put ourselves in a position, with technologies included in the defence lifecycle around data analytics and correlation, to be able to see what’s going on.

Those capabilities are fed by the information supplied from the protection technologies, and if we see suspicious activity as part of the process without the security operations center, then we’ll use correction technologies to go and put things back to normal and get the business back into doing business as opposed to solving a security issue.

You already mentioned the DXL, the data exchange layer, which seems to be pretty unique for the Intel Security platforms. What are the other competing solutions out there that would be really comparable to that DXL layer?

Well, I don’t think we believe that there’s anybody out there that’s doing that in a serious way, and the reason I say that is that there are a lot of examples of message-bus infrastructure in other parts of IT. It’s used quite widely in the application development area.

The concept of a message-bus infrastructure isn’t new, and our data exchange layer is based on a technology called MQTT – that’s the foundation of it. We made some extensions and some enhancements to it, but it’s definitely known technology. There are some vendors that are doing some similar things, but only in the network world, that would maybe tie together network components. But we’re the only vehicle that we know of that is across the IT spectrum, from endpoints and servers, connecting with the network side, and being made available to work properly in the cloud environment.

It’s primarily because of Intel, who does this on a regular basis. They look at the security industry and say, “What do we have to do in order to make a big change in how we do things?” So the visibility and understanding how contributing needs to evolve in the next few years. This data exchange layer is really something that’s been built and funded by Intel, not just Intel Security, to be effective across the complete IT spectrum, including enterprise, IoT, cloud and all those sorts of things.

We don’t believe that there’s anybody else that’s gone as far as we have in the breadth and the depth of the strategy as we have.

Talking about ransomware, you mentioned that that’s a growing threat in the business world, hitting businesses, institutions, even governments in some cases. How can governments be protected from that with Intel Security?

This is where they primarily have to take advantage of the most recent technologies. This can get frustrating for customers, but unfortunately you have to keep up to date. There may be new technologies that you have to invest in because this is the newest of the new things, and it’s the most difficult to deal with. Furthermore, it could have the biggest impact on your organization.

If a hacker gets on the right laptop at the right time and locks it up with encryption, this could bring your company to a complete stop. So you have to be investing in the most recent technologies that we have, whether it’s reputation-based malicious code protection or dynamic application containment. These newest and greatest technologies that we have as a part of the defence lifecycle have to be in place to combat ransomware.

There’s a growing trend towards using public and hybrid cloud services as part of businesses IT as well. How is Intel Security looking to secure those parts of the infrastructure as well?

We see there are really three things you have to think about when it comes to cloud. The first one is that organizations do a lot of work with SaaS-based applications, you know, Salesforce and those types of things, for example. So organizations have to think about greater mechanisms to give them greater visibility into what apps are being used, and then to be able to have an understanding of what data is being passed through in order to protect their data. So we’re doing a lot of work through our web gateway and are coming to help customers gain visibility and control over what they’re doing with SaaS-based applications.

The second is thinking about when they want to move their processing, either in whole or in part, over to cloud-based environments like Amazon. What we do in that world is try to provide visibility. Through our security management tool called ePO, we can have visibility into systems you’re running in cloud environments and give you the same visibility, control and measurement of security posture whether it’s on your premises or in a cloud environment.

The third one is that Intel Security is introducing capabilities to protect the organization’s interests as they use SaaS applications such as Salesforce. It starts with providing the organization more visibility into the SaaS applications in use, being mindful of shadow IT. It then extends to Cloud Access Security Broker functions, coming to the market in 2016, to monitor data flowing to SaaS data repositories to ensure it is meeting compliance requirements.

So just to wrap things up, what would your recommendation be as a first step for organizations that are thinking about and re-evaluating how to protect themselves from attacks?

“They need to start with some analysis of the maturity of their program in general, and where they have gaps.”

I would say that all organizations have some level of security. They need to start with some analysis of the maturity of their program in general and where they have gaps. They need to have someone who has some knowledge internally, or someone they could bring in, to help the organization determine where they’re at now, what the maturity level of the various capabilities they have is, and what the most significant gaps are.

It may be that they haven’t invested enough in technologies that will minimize the impact on the organization of hacking through a browser. Maybe they haven’t invested in that sort of thing, and you can see a series of gaps, and they would move towards those gaps. That’s the best way for an organization to work. They should understand what their needs are and go find the appropriate technologies to address that need.

But when they move over and start evaluating those technologies, they’ve got to think about the security in total. They’ve got to understand their maturity in the different areas and disciplines of security that they need, whether it’s vulnerability management, network protection, endpoint protection or data leakage. For each of those, they have to establish what their current maturity is and then think about the gaps they need to address in priority, and how, over time, they can fill the gaps and make their entire program more mature.