McAfee gets into the deep

Feature by Rob Buckley

Opinion is divided as to the merits of the joint technology from McAfee and its parent, Intel. Rob Buckley speaks to McAfee's EMEA CTO, and asks others in the industry for their views.


Sometimes it can feel like a losing war, fighting the ever-advancing technological capabilities of malware. Trojans such as Zeus are now able to update themselves just as quickly as, if not quicker than, anti-virus packages; should one get past your defences, any of the hundreds of thousands of rootkits in circulation can bypass conventional security by working at the kernel level, out of sight of tools that run inside the OS; and there's the arrival on the scene of ‘advanced persistent threats' – aka patient, technologically adept criminals who are determined to break into your systems, no matter how long it takes.

So the chances are that any given PC is going to get infected sooner or later, unless security is absolutely water-tight, and possibly even then, too. Worse still, you probably won't even know about it because everything within the OS that could tell you will have been compromised and circumvented.

So McAfee's announcement of Deep Defender in September 2011 seems like a real ‘paradigm shift'. Raj Samani, CTO of McAfee EMEA, explains: “Most security technology works at the OS level, which is where most malware works.” Conventional anti-malware approaches have been like a prison yard with wardens and cons mixing on the same level, he says – the wardens not able to see everything the prisoners are doing. Deep Defender moves at least part of anti-malware prevention down the stack to below the operating system. “This enables us to have better oversight over the whole yard,” Samani says.

The hardware angle

Deep Defender uses McAfee's DeepSAFE, which it has co-developed with new owner Intel. DeepSAFE takes advantage of Intel's VMX virtualisation technology to sit in memory under the operating system: it is, in essence, a virtualisation host, and the OS is then a ‘guest OS' in that hosted environment.

While running as the host, DeepSAFE then takes advantage of on-chip security technologies in Intel processors to monitor the memory and CPU for suspicious activity and prevent it from occurring. If it spots anything that looks like rootkit behaviour, it will report its findings to the McAfee ePolicy Orchestrator management console.

David Freeman, consultancy director at Activity IM, says: “McAfee is to be applauded for trying to use hardware for security. Once you get in hardware, it's much more secure and harder to attack than software.”

Mark Austin, CTO of Avecto, agrees. “This is something unique. Rootkits bury themselves deep in the kernel and are definitely a threat. It's the right move to move security below the OS.”

Moving anti-malware security to the hardware is not a totally original idea: Trend Micro's Rik Ferguson points out that his company had a version of PC-Cillin that resided in-BIOS a number of years ago; and Juraj Malcho, chief research officer at ESET, says that “it has been discussed for several years in academic and research circles”. But this is the first and only product on the market of its type at the moment.

So Samani does have some justification for saying: “With some people, it just looks like marketing when you call something a paradigm shift, but this is a fundamental change to the way things have been done in the past.”

Revolutionising the market and hardening previously unreachable parts of the desktop security stack is certainly McAfee's aim. But do DeepSAFE and Deep Defender really offer something important enough that enterprises will want to invest in them as part of their security strategy?

“My initial reaction is that there are too many constraints on it to be useful to the enterprise,” says Activity IM's David Freeman. These constraints – in an admittedly very new, version 1.0 technology – become more apparent as DeepSAFE is examined in greater detail. For starters, it requires the host PC to have an Intel Core i3, i5 or i7 processor, Windows 7, 2GB RAM with 32-bit Windows or 4GB RAM with 64-bit Windows, and the Intel Virtualization Technology enabled in BIOS. That immediately disqualifies many new PCs, particularly ones that run on AMD chips, as well as older PCs that haven't been or can't be upgraded to Windows 7. At the moment, Samani says, the company can't say whether it will develop the technology to work with older versions of Windows or with different processors, but insists enterprise adoption of the product will be determined by the appetite for risk.
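For an administrator who wants to know how much of a fleet is even eligible, the requirements listed above can be turned into a pre-flight check. The script below is an added example written for this article, not McAfee's installer or ePolicy Orchestrator logic. It assumes Windows PowerShell with WMI access (Get-WmiObject, so it also works on the Windows 7 targets in question and can be pointed at remote hosts with -ComputerName). The function name Test-DeepSafePrereqs and the CPU-name pattern are the author's own choices; the VirtualizationFirmwareEnabled property of Win32_Processor is only populated on Windows 8 and later, so on a Windows 7 host the VT-x check is reported as unknown rather than passed.

```powershell
# Pre-flight check against the Deep Defender 1.0 requirements quoted in the
# article: Intel Core i3/i5/i7, Windows 7, 2 GB RAM (32-bit) or 4 GB (64-bit),
# Intel VT enabled in firmware. Illustrative code, not McAfee's own.
function Test-DeepSafePrereqs {
    param([string]$ComputerName = '.')

    $cpu = Get-WmiObject -Class Win32_Processor       -ComputerName $ComputerName | Select-Object -First 1
    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $cs  = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $ComputerName

    # Intel Core i3/i5/i7 only; AMD parts and other Intel families are out.
    # Pattern is an assumption based on the usual "Intel(R) Core(TM) i5-xxxx" naming.
    $intelCore = ($cpu.Manufacturer -eq 'GenuineIntel') -and
                 ($cpu.Name -match 'Core\(TM\)\s+i[357]\b')

    # Windows 7 client is NT 6.1 with ProductType 1 (workstation).
    $win7 = ($os.Version -like '6.1.*') -and ($os.ProductType -eq 1)

    # Memory floor depends on OS bitness.
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $minGB = if ($os.OSArchitecture -like '64*') { 4 } else { 2 }
    $enoughRam = $ramGB -ge $minGB

    # VT-x must be switched on in the BIOS. WMI only reports this on Windows 8
    # and later (assumption: the property is $null on Windows 7), so a missing
    # value is "unknown, check the BIOS", never a pass.
    $vt = $cpu.VirtualizationFirmwareEnabled
    $vtEnabled = if ($null -eq $vt) { 'Unknown' } else { [bool]$vt }

    New-Object PSObject -Property @{
        ComputerName       = $ComputerName
        IntelCoreCpu       = $intelCore
        Windows7           = $win7
        RamGB              = $ramGB
        EnoughRam          = $enoughRam
        VtEnabled          = $vtEnabled
        AllKnownChecksPass = $intelCore -and $win7 -and $enoughRam -and ($vtEnabled -eq $true)
    }
}

# Local host; pass -ComputerName to query a remote machine over WMI.
Test-DeepSafePrereqs | Format-List
```

Run across an inventory list (for example, piping host names into the function) and the AllKnownChecksPass column gives a quick count of how much of the estate the product could cover without a hardware or OS refresh; hosts showing VtEnabled as Unknown still need a BIOS inspection or a vendor detection tool before deployment.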

“There may be particular systems the enterprise is concerned about” that will require greater protection thanks to DeepSAFE, he argues, and these may merit upgrading to these higher specs as a result. But does he expect an entire enterprise to switch to DeepSAFE-compatible machines? “It's difficult to boil an ocean,” he admits.

The PC bias

DeepSAFE's system requirements also disqualify virtually anything that isn't a PC. “If you think where we're going with ‘bring your own', people are using iPads, smartphones, consuming things on the move – with things that don't have Intel chips,” says Freeman.

While McAfee has mentioned the possibility of deploying DeepSAFE on Android phones that use Intel chips, the technology will currently only run on a minority of PC machines, is unlikely to ever run on some machines and the majority of the ever-growing mobile market, and is reliant to some extent on the PC refresh cycle to bring in more potential deployments.

Then there's the question of how well it actually does what it claims to do. McAfee is only willing to commit DeepSAFE to being able to spot and prevent “most” rootkits from working. “There are no numbers or metrics at the moment,” says Samani. “It's quite dangerous in this industry to claim to be 100 per cent secure, such as when the first wireless routers with WEP keys came out. So we're not attaching specific percentages to how much malware it can stop.”

The company is also a little tight-lipped about how it plans to ensure that DeepSAFE will stay up to date in spotting all the latest rootkits and their techniques, although Samani does promise “new, clever ways to avoid the patch management lifecycle”.

If it's only heuristic, will it need updating at all and how long will it be before hackers work out what behaviours it is looking for, if it doesn't get updated? If it uses signatures as well, how often will they need to be updated? Rival company Symantec argues that “with more than 286 million new threats found last year, never-before-seen threats emerge on a regular basis and too quickly for a silicon-based solution to react and protect against”.

Casting doubt

Without much real-world exposure of DeepSAFE, it's hard to test its efficacy at stopping malware infections. Analyst companies such as Gartner have yet to report back on it (“I'm afraid it's not something we've covered,” says a spokesman), so they are as tight-lipped as McAfee.

However, DeepSAFE relies on the ePolicy Orchestrator management console for deployment and management, and that does have a security track record that can be examined. “They want to manage it with ePolicy Orchestrator, which obviously sits on top of an operating system. That's fine, but that piece of management software has been hacked,” says Freeman. “That's probably why they're using Windows 7, which isn't so vulnerable. That raises the whole question of how they are getting authentication because [ePolicy Orchestrator's] protocol in our experience, when we test systems, is generally wide open, not very well configured and everyone can see the traffic – you can see what data is being collected and how it's being collected. It would worry me – the management of it may be its own weakness.”

Unanswered questions

Indeed, the addition of another layer of software security could provide a new avenue of attack for hackers. Rik Ferguson, solutions architect at Trend Micro, argues that: “When you add code, you add the potential for holes.” Ironically, McAfee also can't say how well DeepSAFE will work in a virtualised environment. Ferguson points out: “You can protect the hardware of the host running the hypervisor, but how relevant will it be to virtual desktop environments, or won't it work with them?”

While DeepSAFE can monitor the kernel of the Windows OS for rootkit behaviour, can it monitor the kernel of a Windows OS hosted in another virtualised environment?

So: a new piece of unproven security software that only runs on a minority of desktops and laptops even within the average enterprise, that's managed by McAfee's once-compromised management software, that isn't guaranteed to stop all malware, will require additional management and could potentially add extra security holes. It seems at face value unlikely to change the market.

So far, adoption hasn't been swift, with McAfee unable to provide either customer numbers or even reference sites to point to. The typical response from CIOs asked to discuss whether they intended to investigate DeepSAFE mirrors that of Deloitte: “We haven't looked in great detail at this technology yet – it's just too new.”

But Avecto's Mark Austin thinks it has the potential to change even PC-buying habits. “McAfee have got in there early and they probably will drive adoption of [PCs with Intel chips]. People will want to make sure they can get that level of protection on their infrastructure. It comes down to a choice. If you're hit by a rootkit taking sensitive data from your operation, the [extra costs of new PCs] will be less important.”

Other anti-malware vendors are also looking at the possibilities of the new technology. Sophos's CTO, Gerhard Eschelbeck, says that using modern processor capabilities including VT-x virtualisation “is definitely one of the many tricks to be used to combat the bad guys”, and Ferguson says that when Intel releases its on-chip security APIs, if it provides a viable way of improving security, Trend Micro will consider pursuing a similar technology.

But Freeman has advice for McAfee. “What they really need to do is provide more of an integrated management product with these components in it, rather than a separate product, so that if you have a Wintel architecture you can build DeepSAFE into your set-up, and if you have an AMD architecture you can do something else. I don't see McAfee doing that right now, but if they're really serious, that's the way they've got to go. At the moment, they're missing too much of the infrastructure to make it worthwhile.”

