McAfee Building Tool To Pinpoint Relevant Zero-Day Threat Campaigns

McAfee has begun working to transform the raw data coming out of its one billion global sensors into world-class analytics capabilities that are actionable for customers.

The Santa Clara, Calif.-based platform security vendor said the Apollo research project will focus on the intersection between what's happening in a user's organization and the latest developments in the global threat landscape, according to Steve Grobman, McAfee's senior vice president and chief technology officer.

"Clearly, none of us are able to look at billions of pieces of data and make any sense of it," Grobman told the more than 3,000 attendees at the MPower 2018 Cybersecurity Summit in Las Vegas Thursday. "This transformation of that raw data gives an individual an insight for an actual plan."

[Related: The 5 Boldest Statements From Chris Young, McAfee CEO, At MPower 2018]

Apollo will provide a global view of threats occurring around the world every second of every day, Grobman said, and is able to detect when a threat is impacting certain regions or goes from simmering to full boil. From there, he said McAfee will be able to identify the segment of its customer base that could potentially be affected and give them an early warning so that they can take defensive action.

McAfee today has a security resources tab to provide users with a better understanding of the threats that exist at a global level, Grobman said. Apollo will take that capability to the next level by customizing the threat report to make it specific for a customer's environment, according to Grobman.

Apollo will be able to both find new campaigns before they even have names, Grobman said, as well as zero in on where in a user's environment they've seen activity that resembles a ransomware campaign.

For instance, he said McAfee can see at a global level which regions and which McAfee technologies are most effective at detecting different elements in the indicators of compromise for GandCrab ransomware. McAfee is able to weave that information into a timeline indicating exactly where GandCrab was seen in a user's environment and when it was effectively blocked or protected against.

From there, Grobman said McAfee can use sensor data to identify areas of potential exploitation in a user's environment due to presence of rogue, misconfigured, or unpatched machines. By examining the entire sequence of events, Grobman said Apollo can identify the things companies actually need to be worried about versus those they can be safely confident have been defended against.

The tool will enable McAfee to tell customers about campaigns when there's early-forming storms before the rest of the industry even knows that such a thing exists, Grobman said. Ultimately, Grobman said Apollo will provide McAfee with a zero-day threat campaign detection capability, meaning that the campaign can be detected before anybody even understands what it is.

By seeing attributes of threat activity through its threat sensor network, Grobman said Apollo will be able to identify very specific patterns such as whether a campaign is focused on a specific sector or sectors. Based on that, Grobman said McAfee can then inform customers in those particular industries that there's a new campaign that they need to be aware of.

Similarly, Apollo is able to identify when the intensity of an attack is focused on a geographic region, which Grobman said is particularly helpful since nation-state activity very often targets a specific locality or geography. From there, Grobman said McAfee will be able to make customers in that region aware of the possibility that a more sophisticated attack is underway.

Moreover, Grobman said McAfee's technology and global perspective will make it possible for the company to understand if a user is the first, tenth, or millionth person to be impacted by a specific threat.

"If there's a targeted attack against your environment, that means that an adversary has put a lot of engineering into taking something or destroying something that is valuable to you," Grobman said.

Apollo will be able to look at blueprints and send feature vectors to McAfee's machine learning algorithms to understand if the behavior pattern is indicative of a fundamentally new malware structure that has never been seen before anywhere else in the world, according to Grobman.

In addition to identifying that a threat has occurred, Grobman said Apollo can also provide insight into what the threat is all about and how it stacks up against McAfee's machine learning models.

Even though McAfee doesn't have a sample of the malware in its back-end inventory, Grobman said Apollo will still be able to provide information around why the company's model believes it is malicious. The model is often tipped off by actions that are occurring during an analysis of the behavioral execution, according to Grobman.

Ultimately, Grobman said the industry can no longer pretend that data from a single environment will be sufficient for defending an organization. Future innovations will be all about identifying insights from the confluence of data from an organization and a global perspective, Grobman said, and then building out the next generation of analytics to examine that type of data.

"Nation-states and cybercriminals continue to up their game, and so must we," Grobman said.

Providing more actionable information around emerging security threats should help customers stay ahead of the game, according to Patrick Smith, a technology consultant at Irvine, Calif.-based Ingram Micro. Better integration between a user's security posture and the global threat landscape should be helpful for everyone.

"Security is job security, no pun intended," Smith said. "Now, it's actually coming into fruition and action."