Rob Buckley – Freelance Journalist and Editor

Security on a chip

Is Intel and McAfee's DeepSafe technology a game changer?

Sometimes it can feel like a losing war, fighting the ever-advancing technological capabilities of malware. Trojans such as Zeus are now able to update themselves just as quickly as, if not quicker than, anti-virus packages; if they can sneak past your defences, hundreds of thousands of rootkits can quickly bypass conventional security by working at the kernel level; and there’s the arrival on the scene of ‘Advanced Persistent Threats’ – aka patient, technologically adept criminals who are determined to break into your systems, no matter how long it takes. So the chances are that any given PC is going to get infected sooner or later, unless security is absolutely watertight, and possibly even then. Worse still, you probably won’t even know about it, because everything within the OS that could tell you will have been compromised and circumvented.

So McAfee’s announcement of Deep Defender in September seems like a real ‘paradigm shift’. Raj Samani, CTO of McAfee EMEA, explains: “Most security technology works at the OS level, which is where most malware works.” Conventional anti-malware approaches have been like a prison yard with wardens and prisoners mixing on the same level, he says, the wardens not able to see everything the prisoners are doing. Deep Defender moves at least part of anti-malware prevention down the stack to below the operating system. “This enables us to have better oversight over the whole yard.”

Deep Defender uses McAfee’s DeepSAFE, which it has co-developed with new owner Intel. DeepSAFE takes advantage of Intel’s VMX virtualisation technology to sit in memory under the operating system: it is, in essence, a virtualisation host and the OS is then a ‘guest OS’ in that hosted environment. While running as the host, DeepSAFE then takes advantage of on-chip security technologies in Intel processors to monitor the memory and CPU for suspicious activity and prevent it from occurring. If it spots anything that looks like rootkit behaviour, it will report its findings to the McAfee ePolicy Orchestrator management console.

David Freeman, consultancy director at Activity IM, says that “McAfee is to be applauded for trying to use hardware for security. Once you get in hardware, it’s much more secure and harder to attack than software.”

Mark Austin, CTO of Aveco, agrees. “This is something unique. Rootkits bury themselves deep in the kernel and are definitely a threat. It’s the right move to move security below the OS.”

Moving anti-malware security to the hardware is not a totally original idea: Trend Micro’s Rik Ferguson points out that his company had a version of PC-Cillin that resided in-BIOS a number of years ago and Juraj Malcho, chief research officer at ESET, says that “it has been discussed for several years in academic and research circles”. But this is the first and only product on the market of its type at the moment.

So Raj Samani does have some cause for saying, “With some people, it just looks like marketing when you call something a paradigm shift, but this is a fundamental change to the way things have been done in the past.”

Revolutionising the market and hardening previously unreachable parts of the desktop security stack is certainly McAfee’s aim. But do DeepSAFE and Deep Defender really offer something important enough that enterprises will want to invest in as part of their security strategy?

“My initial reaction is that there are too many constraints on it to be useful to the enterprise,” says Activity IM’s David Freeman. These constraints – in an admittedly very new, version 1.0 technology – become more apparent as DeepSAFE is examined in greater detail. For starters, it requires the host PC to have an Intel Core i3, i5 or i7 processor, Windows 7, 2GB RAM with 32-bit Windows or 4GB RAM with 64-bit Windows, and the Intel Virtualization Technology enabled in BIOS. That immediately disqualifies many new PCs, particularly ones that run on AMD chips, as well as older PCs that haven’t been or can’t be upgraded to Windows 7. At the moment, McAfee’s Raj Samani says the company can’t say whether it will develop the technology to work with older versions of Windows or with different processors but enterprise adoption of the product will be determined by the appetite for risk. “There may be particular systems the enterprise is concerned about” that will require greater protection thanks to DeepSAFE, he argues, and these may merit upgrading to these higher specs as a result. But does he expect an entire enterprise to switch to DeepSAFE compatible machines? “It’s difficult to boil an ocean,” he admits.
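The prerequisites listed above decide which part of an estate could actually be protected. The script below is an added example for this article, not McAfee or Intel code: it encodes the stated requirements (Intel Core i3/i5/i7, Windows 7, 2GB RAM on 32-bit or 4GB on 64-bit, VT enabled in BIOS) as a check over an inventory and reports which hosts are eligible and why the rest are not. The inventory records and their field names are constructed assumptions for the example, not output of any real asset tool.

```python
"""Fleet readiness check against the DeepSAFE prerequisites quoted in the article.

Added example, not McAfee or Intel code. The Host record layout and the
sample inventory below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Requirements exactly as stated in the article for the version 1.0 product.
SUPPORTED_CPU_FAMILIES = {"Core i3", "Core i5", "Core i7"}
REQUIRED_OS = "Windows 7"
MIN_RAM_GB = {32: 2, 64: 4}  # minimum RAM keyed by OS bitness


@dataclass
class Host:
    name: str
    cpu_vendor: str      # e.g. "Intel" or "AMD"
    cpu_family: str      # e.g. "Core i5"
    os_name: str         # e.g. "Windows 7"
    os_bits: int         # 32 or 64
    ram_gb: float
    vt_enabled: bool     # Intel Virtualization Technology enabled in BIOS


def unmet_requirements(host: Host) -> List[str]:
    """Return the stated prerequisites this host fails; an empty list means eligible."""
    problems: List[str] = []
    if host.cpu_vendor != "Intel" or host.cpu_family not in SUPPORTED_CPU_FAMILIES:
        problems.append("cpu: requires Intel Core i3/i5/i7")
    if host.os_name != REQUIRED_OS:
        problems.append(f"os: requires {REQUIRED_OS}")
    needed = MIN_RAM_GB.get(host.os_bits)
    if needed is None:
        problems.append(f"os_bits: unsupported bitness {host.os_bits}")
    elif host.ram_gb < needed:
        problems.append(f"ram: {host.os_bits}-bit Windows needs {needed}GB, has {host.ram_gb}GB")
    if not host.vt_enabled:
        problems.append("bios: Intel Virtualization Technology not enabled")
    return problems


def fleet_coverage(hosts: List[Host]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a fleet into eligible host names and a map of blocked host -> failures."""
    eligible: List[str] = []
    blocked: Dict[str, List[str]] = {}
    for h in hosts:
        problems = unmet_requirements(h)
        if problems:
            blocked[h.name] = problems
        else:
            eligible.append(h.name)
    return eligible, blocked


# Constructed sample inventory; these are not real machines.
SAMPLE_FLEET = [
    Host("ws-01", "Intel", "Core i5", "Windows 7", 64, 4, True),
    Host("ws-02", "AMD", "Phenom II", "Windows 7", 64, 8, True),   # wrong vendor
    Host("ws-03", "Intel", "Core i3", "Windows 7", 32, 1, True),   # too little RAM
    Host("ws-04", "Intel", "Core i7", "Windows XP", 32, 2, True),  # older Windows
    Host("ws-05", "Intel", "Core i7", "Windows 7", 64, 8, False),  # VT off in BIOS
]

if __name__ == "__main__":
    ok, blocked = fleet_coverage(SAMPLE_FLEET)
    print(f"eligible: {ok}")
    for name, problems in blocked.items():
        print(f"{name}: {'; '.join(problems)}")
```

Run against the sample inventory, only one of the five hosts qualifies, which mirrors the article's point that the requirements exclude AMD machines, pre-Windows 7 systems and anything where VT has not been switched on.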

DeepSAFE’s system requirements also disqualify virtually anything that isn’t a PC. “If you think where we’re going with ‘bring your own’,” says Activity IM’s David Freeman, “people are using iPads, smartphones, consuming things on the move – with things that don’t have Intel chips.” While McAfee has mentioned the possibility of deploying DeepSAFE on Android phones that use Intel chips, DeepSAFE will currently only run on a minority of PCs, is unlikely ever to run on some machines or on the majority of the ever-growing mobile market, and is reliant to some extent on the PC refresh cycle to bring in more potential deployments.
