ITPRO

Printed from www.itpro.co.uk


    The devil is in the DeepSAFE detail

McAfee announced its first DeepSAFE product this week, but will IT departments be interested in the sub-OS model?

By Davey Winder, 21 Oct 2011 at 12:25

There was something of a media feeding frenzy over the announcement from McAfee during the FOCUS 2011 conference in Las Vegas yesterday that it has, with a little help and a lot of cash from Intel, developed the technology to stop and remediate the kind of advanced stealth behaviour executed by rootkits.

Having spent the last 20 years of my professional life immersed in IT security issues, one way or another, I am perhaps a tad more skeptical than most when it comes to such announcements.

Indeed, I tend to adopt the MRDA approach. MRDA, or Mandy Rice-Davies Applies, refers to The Profumo Affair back in the 1960s and specifically a quote from one of the prostitutes at the centre of the case (the Mandy Rice-Davies in question) who responded to the prosecution stating that Lord Astor had denied having an affair with her by saying "well, he would, wouldn't he?"

In the slightly less salacious case of McAfee/Intel’s claim that they’ve produced a rootkit killer, well, they would say that, wouldn't they?

Ever since Intel completed the acquisition of McAfee at the start of the year, I have been waiting for the 'next big thing in infosec.' DeepSAFE was a dead cert given both the financial clout that the McAfee/Intel combination has and the unprecedented access to the workings of the hardware inside most of the world's computers it brings with it.

McAfee refers to this as a “new approach” to security and talks about “transforming the security industry” by combining hardware and software to more effectively prevent attacks. Let's get one thing straight right from the get-go: I am not suggesting that the DeepSAFE-based Deep Defender product announced yesterday isn't a good thing.

It is a given that anything which makes life harder for those who would compromise your systems and steal your data is to be applauded. DeepSAFE technology is designed to sit between the processor and the OS, providing protection to system software in physical memory and enabling an otherwise unseen view of drivers in real time.

This low-level visibility into real-time memory and CPU activity, bringing an ability to block or deny potentially dangerous actions, means that prior knowledge of a rootkit is not required in order to detect and destroy it. That's great stuff, especially as rootkits are one of the main weapons of those bad guys who have jumped on the Advanced Persistent Threat (APT) cybercrime bandwagon.

Or is it? There are a few caveats when you look past the hyperbole and somewhat predictable slapping of own backs within the McAfee marketing machine. For a start there's the small matter of whether your average enterprise is going to be sold on the idea enough to implement it. While the technology is undoubtedly clever, a quick voxpop polling of a handful of infosec admins at the smaller end of the SME spectrum this morning suggests to me that there is no great appetite to make a move to hardware-based security just yet.
