ESG's Jon Oltsik talks with Jason Rolleston of McAfee about SOAPA and Cybersecurity. This is part 1 of a 2-part series.
Read the related ESG Blog: SOAPA Video with McAfee (Part 1)
Announcer: The following is an ESG 360 video.
Jon: I'm here talking SOAPA with Jason Rolleston, Vice President of Product Management for Security Operations products at McAfee. Welcome, Jason.
Jason: Hi, Jon.
Jon: I think of McAfee and I think of a broad portfolio of products and SOAPA is about integrating those products. What are you doing along those lines?
Jason: We started by building a construct for security operations much in line with SOAPA, thinking about how we get the data into the system, how we share that data, make use of the data in the form of analytics and finding signal from noise, and then how we transition to helping people investigate. By definition, that involves a number of products. So we're working on integration points at all of those levels and trying to think about a very holistic picture of that architecture and how all those products come together to really enhance the security operations function for a customer.
Jon: Very SOAPA-like. I like that. And so I think of McAfee and, of course, I have to think of endpoint security. We had an interesting conversation at the RSA Security Conference. What's the value of endpoint security data to a SOAPA architecture?
Jason: We really did a bunch of work to shift and take McAfee forward coming out of Intel. We thought a lot about the most challenging parts of finding advanced threats today. And endpoint is such a rich source of contextual information. The same data you might be able to achieve and find in other places through the environment is much, much better if you can get it at the endpoint. You have the process, the user, all the rest of the things there. So we really see endpoint as just a critical source of data, a very rich source of data for analytics and investigation.
Jon: And it was interesting because I remember at RSA, you said if you have a good view of the endpoint, you may not need some other data.
Jason: Yeah, absolutely. We talk about the same piece of data in a couple of different places found in the network, on the web gateway, on an endpoint, outbound IP traffic, for instance. The additional context on that endpoint of the users that are logged in, the things that they're doing, the other actions going on is so amazing. And if you have coverage of a good portion of the endpoint environment, you've actually got probably the vast majority of network data you might need. Not full packet. In some cases you'll go further, but certainly a lot of what you need to put together a pretty strong picture of what's happening.
Jon: Sure. Now, you think of endpoint and McAfee, but you also think of ePO, which is ePolicy Orchestrator. Where does that fit into the McAfee SOAPA architecture?
Jason: Yeah. ePO for us has been a tremendous asset both for management of the endpoint estate, allowing us to really scale our endpoints to just phenomenal numbers of nodes. So we have really rich data inside the ePO infrastructure, which is also very useful, I think, in a SOAPA context and something that we can start mining more than maybe we have in the past. But secondarily, ePO is also this point of action of orchestration, of making commands, of segmenting or taking systems off the network or communicating with other tools. So ePO in many ways becomes a central point on the remediation side of things and the response side of things as well.
Jon: Yeah, that's great, because we too often get hung up on technology, but process is really important here.
Jason: Yep. We find that, for a lot of folks, their technology stack in the SecOps space is sometimes well ahead of their process maturity.
Jon: Yeah. And that's gotta change. Now, with integration, I'm an old-school guy and I like to think about integrating software using middleware. I'm very intrigued by what McAfee is doing around DXL and around using Kafka, the open-source Kafka messaging bus. Tell the audience about what you're doing there.
Jason: Two really different challenges, so let me start with Kafka briefly, because it's very related to the SOAPA architecture directly. Most SIEMs traditionally have taken data from the data sources, fed it into the SIEM, and if you wanted that data, you'd try to take it out. Maybe the API is there, maybe it's not. Kafka to us was a way for us to ingest a lot more data, because we know that any SOAPA architecture is gonna require that for the analytics in particular, ingest a lot more data and make that data much more freely available to the analytics functions, to the other things that would use it, without forcing it through the bottleneck of the SIEM. So it's a much more efficient way of gathering and sharing the data. So that's really what Kafka was all about for us in the SIEM.
Jon: Okay.
Jason: For DXL, DXL is a bit of a different one. It's almost a higher-level construct, and this is about how we distribute information very efficiently to a large number of endpoints or other nodes in the environment, other products, so that we're not sending all those point-to-point mails and point-to-point messages. It's a message bus for distribution, largely of threat information. This is a bad file. This is a bad executable. This is something you wanna stop. How do we communicate that rapidly through the environment? So both of them kinda come together. Kafka is for ingesting all the data for analytics and sharing information in the SecOps context, and DXL is really for sharing that information broadly to the environment and the other products that are in it.
Jon: Yeah. And if you look at the way SAP and Oracle built ERP back in the '90s, this is what they had to do, and this is sort of new to the security industry, but I think it's really important.
Jason: Absolutely. I say a lot of times that it's really tragic that our adversaries are actually more collaborative than we are. And so we went down the DXL path and opened up DXL, and now made it possible for anybody to interact; that was really our intent. And our hope here was to try and create a bit of that spirit of collaboration amongst security vendors and help the community come together a bit.
Jon: Well, on that scary point, will you stick around for part two of this video?
Jason: Yeah. I would love to.
Jon: Okay. Great. Thanks.