McAfee chose “time” as the overarching theme of its 2019 MPower conference, held the week of October 2 in Las Vegas. The idea behind the theme is that time is central to everything we do in the cybersecurity industry: attackers look to increase dwell time, while security teams try to reduce mean time to detect (MTTD) and mean time to respond (MTTR). For what it's worth, I felt that my time attending was well spent. McAfee’s always done a good job focusing its message and approach for these types of events, and this year was no different. The major announcements focused on cloud and analytics, with a bit of open architectures and partnerships included as well – all top-of-mind priorities for security practitioners.
Unified Cloud Edge
As I’ve talked about repeatedly, elastic cloud gateways (ECG) are an emerging architecture that ESG feels will gain traction quickly as organizations seek to consolidate point tools and shift network security controls to the cloud. McAfee apparently agrees, as it announced an integrated solution combining secure web gateway, CASB, and DLP functionality. A couple of the key points McAfee mentioned align directly with ECGs:
- Data protection – Consistency across both cloud and on-premises DLP is quickly becoming a prerequisite. Policy management and enforcement need to be centralized in a single solution that addresses cloud, network, and endpoint.
- Globally distributed platform – McAfee boasts 53 PoPs and peering with leading global CDN and cloud providers to ensure a consistent user experience with 99.999% uptime.
- Multi-mode architecture – While many SaaS applications support API integrations, not all do. A solution that supports both API-based and proxy-based deployments therefore covers more of the cloud application landscape.
- SSL decryption support – McAfee supports both HTTP/2 and TLS 1.3 and, returning to the distributed platform point above, is able to scale this capability because of its global peering network.
The big announcement here was the new MVision Insights solution. The tool aggregates threat intelligence from McAfee’s global installed base, as well as internal customer telemetry, and helps security teams prioritize risks based on the potential impact of those threats against the McAfee defenses the customer currently has in place. Some response capabilities can be run directly from Insights, such as isolation and policy updates. Threat intelligence feeds from other sources will be added as well, although until the solution can account for the posture of non-McAfee defenses, the biggest value will be for customers with a broad set of McAfee solutions.
The other announcement was the further convergence of endpoint security and EDR as McAfee moves to a single-SKU endpoint approach. From a capability perspective, analytics and AI will support faster investigation and remediation. By mapping to the MITRE ATT&CK Framework and guiding analysts through their investigations, McAfee claims security analysts will be able to work 15x faster, with basic investigation and remediation activities being cut from 2 hours using traditional tools to 6 minutes with the combined MVision Endpoint + EDR approach. Endpoint has become a crowded and competitive space, but less complexity is obviously better and may help McAfee recapture some momentum here.
Open Architecture and Partner Ecosystem
McAfee has historically placed a lot of focus on its partner ecosystem and integrations, especially via ePO and DXL. There were a couple of interesting announcements in this area. The first was around McAfee’s DXL framework. What started as more of an internal messaging bus years ago has evolved into a fully open architecture and now boasts over 30 Innovation Alliance partners and more than 100 community integrations on GitHub. Further, McAfee has partnered with IBM and other vendors including CrowdStrike, Fortinet and Tufin to form the Open Cybersecurity Alliance (OCA). The alliance is being run as an OASIS Open Project with the goal of driving towards open standards to improve interoperability across products from different vendors. McAfee is one of the vendors with a broad enough portfolio to try to drive customers towards its own platform. While I’m sure that’s the preference, this should be viewed as positive market leadership in addressing a problem that has held the industry back for too long.
Additionally, McAfee highlighted a partnership announced with Oracle in September in which ESM will be delivered via Oracle Cloud Infrastructure (OCI). McAfee’s been fairly quiet in the SIEM space for the last couple of years. However, Oracle highlighted ESM’s ability to scale to meet the much higher demands of a cloud environment and ingest 165k events/sec. So, it would seem there’s still a strong story to tell around ESM.
I’ve always felt that McAfee has had a somewhat under-appreciated position in the industry; that is, I suppose, if you can be a $2B company and be under-appreciated. The divestiture of some major product lines (email and firewall) and the seeming lack of attention paid to others (IPS and SIEM) seemed to point to a vendor struggling to find an identity. In reality, McAfee had a strategy and streamlined its business to better focus on where it thought it could differentiate: threat prevention, analytics, and cloud.