ESG's Jon Oltsik talks with Jason Rolleston of McAfee about SOAPA and Cybersecurity. This is part 2 of a 2-part series.
Read the related ESG Blog: SOAPA Video with McAfee (Part 2)
Announcer: The following is an ESG 360 video.
Jon: I'm back talking SOAPA with Jason Rolleston, VP of Product Management for Security Operations Products at McAfee. Welcome back, Jason.
Jason: Thanks, Jon.
Jon: So let me parse the term SOAPA. Security Operations and Analytics Platform Architecture. Operations and analytics. What's McAfee doing in each of those areas?
Jason: I'll kind of follow the construct I had before, this idea of getting the data in to feed the analytics. So analytics for us starts with this idea of signal to noise. So how do I look through this whole system, all this information that's coming in, more data than we've ever collected, and find the things that really matter? We're certainly using traditional correlation for that. It remains important, very efficient, very fast, but we've added McAfee Behavioral Analytics, which is a way of using statistics and big data to really quickly identify those high, high risk users and entities, to allow you to focus your attention on them. So that's, kind of, the starting point of analytics, and then the other two, kind of, bleed together for us.
So operations is now what do you do with that information? Once you've figured out the things you've got to look at, the threats that are there, how do I rapidly and efficiently identify: is this an incident? What systems were impacted? And how do I do that in a way that is, kind of, maybe not as dependent on humans as it was in the past? And so we have a variety of solutions, from McAfee Investigator to Active Response, which is our EDR tool, to our sandbox technologies, that are all really coming together to support the analyst as they go through that operations phase of, kind of, determining what to do with those alerts.
Jon: Okay. Now a lot of...when I talk about SOAPA people think about threat detection and response. End users are saying to me, "We need better prevention. We need to reduce the amount of work we have by preventing more things happening." So what are you doing along those lines?
Jason: The big one that we've been thinking about a lot most recently is in particular in relation to the behavioral analytics. One of the things you know that those tools provide and certainly ours does a really great job of it is coming up with a risk score. And so we talk a lot about how that risk score, yeah, it's useful in figuring out which threats are the most important but we're also now talking about how that risk score can drive a very different security posture. So as the risk score gets higher, maybe I want to start putting more SIEM correlation rules on that system. Maybe I want to change my endpoint policy to be a bit more restrictive. Maybe I want to change my DLP policy to be more restrictive such that as your risk goes up, I now stop you from being able to take that information out. So as opposed to me finding out that, yeah, you're high risk and the information is gone, I find out when you're in the act and I'm able to actually stop it.
Jon: So information-driven control.
Jason: Yeah. So using risk scores, again, not just to investigate forensically but using risk scores to change the actual control structure, to change your policies across the board, and ideally prevent that data theft from occurring.
Jon: And probably a loop back to EPL.
Jason: Absolutely a loop back to EPL.
Jon: I get it. So I know McAfee would love to dominate the world, as every vendor does, and control everything but what we're hearing is most customers want a heterogeneous environment for SOAPA. How does McAfee attack the market, find opportunities, but also provide for this openness?
Jason: Yeah. I think we came to this conclusion a couple years ago, honestly, when we stepped out of a couple different markets, kind of understanding that we couldn't be all things to everyone. If we went back and looked at our history, that's really what we were trying to do, and I think we acknowledged that we needed to be really good in a couple areas. And that's where you see us talking about the device-to-cloud cybersecurity company. So certainly very focused on the devices: long heritage in endpoint and extending that into mobile and IoT. The cloud with our acquisition of Skyhigh, and then security operations, kind of, tying it all together.
But we've known that that means there are firewalls, there are identity solutions, there are all kinds of things that are out there and even if it's our endpoint, it's not always our SIEM and it's not always our IPS. Whatever it might be. So we've done a lot of work on openness. OpenDXL. We've extended our SIA partner system. We have Cisco as an SIA partner and have integrated DXL and pxGrid. We have IBM as an SIA partner. I mean we're opening our doors and integrating with vendors who I think a couple years ago you never would have predicted McAfee would say, "Yeah, absolutely. They're in our SIA program."
Jon: Well that's good. That's a step in the right direction, but along those lines how do you communicate to the market, educate the market, on what you're doing from an architectural standpoint? Versus, kind of, product by product.
Jason: Yeah. I think OpenDXL has been a huge part of how we've tried to work with the market and communicate, "Hey, here's who we should be interacting and talking with." One of the things that DXL actually exposes is the breadth of APIs that exist, both inside of ePO and the other tools. And so a lot of it's just saying, "Look guys. Go. We've given you the tools. We've given you the kit. We have OpenDXL.com. Just get started. Get moving and you're going to find those things out." So that's, kind of, the sharing of messages on that front. Obviously in different sectors we talk in more detail. So in the SecOps world, yeah, we're talking to analytics companies about how they can consume data coming off of SM, and saying, "Here's how we can feed data to you and here's how you can feed data back into us." You still have a central, kind of, view of all the alerts that are coming in.
Jon: So development support, reference architecture, those kinds of things?
Jason: Yeah, absolutely. As I say, the SIA program has been a great one for us for a long time and it's a very mature program. I don't even remember now. Hundreds of partners and we're adding new ones all the time, and now some quite big ones, too, I should say.
Jon: Okay, last question. Easy one. Easy. What's the future of SOAPA for McAfee and what do you see in the industry?
Jason: I think there are a couple big things that are really interesting. One is we're all now facing the same UI problem in the SOC that we faced in the rest of security for probably the past 15 years, and where ePO has really been very strong for us on the traditional operational side. We've got to start thinking about what a UI looks like for an analyst that can abstract some of these different technologies and make it easier for them to operate in that environment, and that's certainly something we're quite keen on. I think the second one is really, and we've started to do some hints here in places, how we're able to share knowledge. I think SecOps has been an area where knowledge sharing has not been nearly as efficient or widespread as it has on the endpoint. So I think we've got to find ways to share learnings from the best and make them more widely applicable and more widely usable.
And then I think the third piece is the same thing, kind of, goes for analytics. I think there's going to be no one company that has a monopoly on good math. There's going to be a lot of great algorithms and a lot of great tools out there, and I think we as an industry have to figure out a way to make that, kind of, consumable by customers, in a way that doesn't force them into five different products and redundant infrastructure to run different algorithms.
Jon: Well, great. Thanks so much for participating. This has been very insightful and educational for me, and stay tuned for more SOAPA content very soon.