Rob Buckley – Freelance Journalist and Editor

Security on a chip


Is Intel and McAfee's DeepSAFE technology a game changer?


Then there’s the question of how well it actually does what it says it does. McAfee is only willing to commit DeepSAFE to being able to spot and prevent ‘most’ rootkits from working. “There are no numbers or metrics at the moment,” says McAfee’s Raj Samani. “It’s quite dangerous in this industry to claim to be 100% secure, such as when the first wireless routers with WEP keys came out. So we’re not attaching specific percentages to how much malware it can stop.” The company is also a little tight-lipped about how it plans to ensure that DeepSAFE stays up to date in spotting the latest rootkits and their techniques, although Samani does promise “new, clever ways to avoid the patch management lifecycle”.

If it’s purely heuristic, will it need updating at all, and if it isn’t updated, how long will it be before attackers work out which behaviours it’s looking for? If it uses signatures as well, how often will they need to be updated? Rival Symantec argues that “with more than 286 million new threats found last year, never before seen threats emerge on a regular basis and too quickly for a silicon-based solution to react and protect against.”

Without much real-world exposure of DeepSAFE, it’s hard to test its efficacy at stopping malware infections. Analyst companies such as Gartner have yet to report back on it (“I'm afraid it's not something we've covered”), so they are as tight-lipped as McAfee. However, DeepSAFE relies on the ePolicy Orchestrator management console for deployment and management, and that does have a security track record that can be examined.

“They want to manage it with ePolicy Orchestrator which obviously sits on top of an operating system. That’s fine, but that piece of management software has been hacked,” says Activity IM’s David Freeman. “That’s probably why they’re using Windows 7, which isn’t so vulnerable. That raises the whole question of how they are getting authentication because [ePolicy Orchestrator’s] protocol in our experience when we test systems is generally wide open, not very well configured and everyone can see the traffic – you can see what data is being collected and how it’s being collected. It would worry me – the management of it may be its own weakness.”

Indeed, the addition of another layer of security software could provide a new avenue of attack. Rik Ferguson, solutions architect at Trend Micro, argues that “When you add code, you add the potential for holes.” Ironically, McAfee also can’t say how well DeepSAFE will work in a virtualised environment. Ferguson points out, “you can protect the hardware of the host running the hypervisor, but how relevant will it be to virtual desktop environments or won’t it work with them?” While DeepSAFE can monitor the kernel of the Windows OS for rootkit behaviour, can it monitor the kernel of a Windows OS hosted in another virtualised environment?

So: a new, unproven piece of security software that only runs on a minority of desktops and laptops even within the average enterprise, that’s managed by McAfee’s once-compromised management software, that isn’t guaranteed to stop all malware, that will require additional management and that could potentially add extra security holes. At face value it seems unlikely to change the market. So far, adoption hasn’t been swift, with McAfee unable to provide either customer numbers or even reference sites to point to. The typical response from CIOs asked whether they intended to investigate DeepSAFE mirrored that of Deloitte: “We haven't looked in great detail at this technology yet – it’s just too new.”

But Avecto’s Mark Austin thinks it has the potential to change even PC-buying habits. “McAfee have got in there early and they probably will drive adoption of [PCs with Intel chips]. People will want to make sure they can get that level of protection on their infrastructure. It comes down to a choice. If you’re hit by a rootkit taking sensitive data from your operation, the [extra costs of new PCs] will be less important.”

Other anti-malware vendors are also looking at the possibilities of the new technology. Sophos’s CTO Gerhard Eschelbeck says that using modern processor capabilities, including VT-x virtualisation, “is definitely one of the many tricks to be used to combat the bad”, and Rik Ferguson says that when Intel releases its on-chip security APIs, if they provide a viable way of improving security, Trend Micro will consider pursuing a similar technology.

But Activity IM’s David Freeman has advice for McAfee. “What they really need to do is provide more of an integrated management product with these components in it, rather than a separate product, so that if you have a Wintel architecture you can build DeepSAFE into your set-up and if you have an AMD architecture you can do something else. I don’t see McAfee doing that right now, but if they’re really serious, that’s the way they’ve got to go. At the moment, they’re missing too much of the infrastructure to make it worthwhile.”
