Category Archives: Executive Perspectives

McAfee CTO @ RSA: Catching Lightning in a Bottle or Burning Bridges to the Future?

I spoke last week at the RSA Conference in San Francisco on the subject of AI-related threats and opportunities in the cybersecurity field. I asserted that innovations such as AI can strengthen our defenses but can also enhance the effectiveness of a cyber attacker. I also looked at some examples of underlying fragility in AI that give an attacker the opportunity to evade AI-based defenses. Successfully unlocking the potential of AI in cybersecurity requires that we in the cybersecurity industry answer the question of how we can nurture the sparks of AI innovation while recognizing its limitations and how it can be used against us.

We should look to the history of key technological advances to better understand how technology can bring both benefits and challenges. Consider flight in the 20th century. The technology has changed every aspect of our lives, allowing us to move between continents in hours, instead of weeks. Businesses, supply chains, and economies operate globally, and our ability to explore the world and the universe has been forever changed.

But this exact same technology also fundamentally changed warfare. In World War II alone, the strategic bombing campaigns of the Allied and Axis powers killed more than two million people, many of them civilians.

The underlying technology of flight is Bernoulli’s Principle, which explains why an airplane wing creates lift. Of course, the technology in play has no knowledge of whether the airplane wing is connected to a ‘life-flight’ rescue mission, or to a plane carrying bombs to be dropped on civilian targets.

When Orville Wright was asked in 1948, after the devastation of air power during World War II, whether he regretted inventing the airplane, he answered:

“No, I don’t have any regrets about my part in the invention of the airplane, though no one could deplore more than I do the destruction it has caused. We dared to hope we had invented something that would bring lasting peace to the earth. But we were wrong. I feel about the airplane much the same as I do in regard to fire. That is, I regret all the terrible damage caused by fire, but I think it is good for the human race that someone discovered how to start fires, and that we have learned how to put fire to thousands of important uses.”

Orville’s insight was that technology does not comprehend morality, and that any advance in technology can be used for both beneficial and troubling purposes. This dual use of technology is something our industry has struggled with for years.

Cryptography is a prime example. The exact same algorithm can be used to protect data from theft, or to hold an individual or organization for ransom. This matters more than ever given that we now encrypt 75% of the world’s web traffic, protecting over 150 exabytes of data each month.  At the same time, organizations and individuals are enduring record exploitation through ransomware.

The RSA Conference itself was at the epicenter of a debate during the 1990s on whether it was possible to conditionally use strong encryption only in desirable places, or only for desirable functions. At the time, the U.S. government classified strong encryption as a munition, subject to strict export restrictions. Encryption is ultimately just math, and it’s not possible to stop someone from doing math. We must be intellectually honest about our technologies: how they work, what the precursors to using them are, and when, how and if they should be contained.

Our shared challenge in cybersecurity is to capture lightning in a bottle, to seize the promise of advances like flight, while remaining aware of the risks that come with technology.  Let’s take a closer look at that aspect.

History repeats itself

Regardless of how you define it, AI is without a doubt the new foundation for cybersecurity defense. The entire industry is tapping into the tremendous power that this technology offers to better defend our environments. It enables better detection of threats beyond what we’ve seen in the past, and helps us out-innovate our cyber adversaries. The combination of threat intelligence and artificial intelligence, or human-machine teaming, provides us far better security outcomes—faster—than either capability on its own.

Not only does AI enable us to build stronger cyber defense technology, but it also helps us solve other key issues such as addressing our talent shortage. We can now delegate many tasks to free up our human security professionals to focus on the most critical and complex aspects of defending our organizations.

“It’s just math.”

Like encryption, AI is just math. It can enhance criminal enterprises in addition to its beneficial purposes. McAfee Chief Data Scientist Celeste Fralick joined me on stage during this week’s keynote to run through some examples of how this math can be applied for good or ill (visit here to view the keynote). From machine-learning-fueled crime-spree predictors to DeepFake videos to highly effective attack obfuscation, we touch on them all.

It’s important to understand that the cybersecurity industry is very different from other sectors that use AI and machine learning. For a start, in many other industries, there isn’t an adversary trying to confuse the models.

AI is extremely fragile, so one focus area of the data science group at McAfee is Adversarial Machine Learning, where we’re working to better understand how attackers could try to evade or poison machine learning models. We are developing models that are more resilient to attacks using techniques such as feature reduction, adding noise, distillation and others.

AI and False Positives: A Warning

We must recognize that this technology, while incredibly powerful, is also incredibly different from what many cybersecurity defenders worked with historically. In order to deal with issues such as evasion, models will need to be tuned to high levels of sensitivity. The high level of sensitivity makes false positives inherent and something we must fully work into the methodology for using the technology.

False positives can have catastrophic results. For an excellent example of this, watch the video of the keynote here if you haven’t seen it yet. I talk through the quintessential example of how a false positive almost started World War III and nuclear Armageddon.

The Take-Away

As with fire and flight, how we manage new innovations is the real story. Recognizing that technology does not have a moral compass is key. Our adversaries will use the technology to make their attacks more effective, and we must move forward with our eyes wide open to all aspects of how technology will be used: its benefits, its limitations and how it will be used against us.

 

Please see the video recording of our keynote speech at RSA Conference 2019: https://www.rsaconference.com/events/us19/presentations/keynote-mcafee

 

The post McAfee CTO @ RSA: Catching Lightning in a Bottle or Burning Bridges to the Future? appeared first on McAfee Blogs.

Mobile World Congress 2019: Q&A with McAfee Leadership

Next week, Mobile World Congress (MWC) will kick off in Barcelona. This year’s event will have an estimated 107,000 attendees, along with 2,400 exhibitors, all representing about 205 countries. While the focus of the event is mobility, we can expect the industry to continue to drive conversations around IoT, artificial intelligence, 5G, connectivity, and more.

As Europe’s biggest gathering in the IT sector nears, we spoke with McAfee leadership about the major themes we should expect to see at MWC this year and what it means for McAfee.

Q: Artificial intelligence and the new 5G standard have been the hot topics of mobility. Do you think these two topics will play an important role at this year’s Mobile World Congress?

Gary Davis, Chief Consumer Security Evangelist: Absolutely. With 5G starting to be rolled out, everyone is waiting with bated breath to see how that affects society and our ecosystems in general. With technologies like 5G enabling almost zero latency, more data will be collected and aggregated. Insights from that mass of data can only be gleaned by using AI-based solutions.

Radhika Sarang, Director of Global Consumer Product Marketing: 5G and AI should be hot topics of discussion at MWC 2019. I fully expect several products and services displaying both technologies on the show floor. 5G will be transformative in how we consume content, adopt new technologies, and connect with one another. However, this phenomenon will increase the need for redefining the concept of digital trust. Narrow or weak AI has grown leaps and bounds recently in areas of natural language processing, machine learning, and advanced analytics. These technologies are also enabling cybersecurity teams to foresee cyberattacks and create proactive solutions.

Q: This year’s theme for Mobile World Congress is Intelligent Connectivity. What does this term mean to McAfee? What does it mean for enterprise businesses?

Davis: For McAfee, we would interpret that to mean that for something to be intelligent, trust must be established. Without trust, intelligent connectivity fails to exist.

Nathan Jenniges, Senior Director of the Device Security Business: It means having access to information when and how you need it. Increasingly the “how” is through mobile devices. The “when” is not defined by traditional business hours, as people engage at all times of the day. They also use the same device for enterprise business as they do for personal business, which increases the level of risk to an organization. Inherent in intelligent connectivity is security. You can connect at any time. But to connect intelligently, you need to be confident the connection is secure and not increasing your risk. As an example, you could connect your mission critical equipment to any electrical outlet. But if you connected intelligently, you’d have some sort of surge protector, so you don’t destroy your mission critical equipment. The surge protector is equivalent to protecting mobile devices from attack when they are connected to organizational resources.

Q: At any industry event, we can expect to see announcements for new technologies and IoT devices. What can you tell us about new security challenges that may arise this year and beyond?

Davis: Most everything being built today is engineered to be connected. However, most manufacturers are solving for time to market and convenience, thus forgoing any meaningful security controls. This results in the rapid expansion of the attack surface, which bad actors will most definitely target.

Sarang: Security threat vectors are shifting and evolving alongside the growth of IoT among consumers, enterprises, and network providers. Hackers are always looking to find creative ways to monetize in this increasingly connected world. With predictions of over 50 devices in each household by 2020, we fully expect to see more DDoS attacks and IoT-based ransomware. And with the advent of 5G that promises to transform our digital lives, it’s imperative that security is addressed as a top priority by service providers to create consumer digital trust in an even more connected world.

Q: How will mobile impact the enterprise in 2019?

Jenniges: Mobile threats continue to increase at record-breaking levels with more and more vulnerabilities discovered every month. In alignment with the threat, more business work is being done on mobile than ever before as mobile devices quickly become the dominant endpoint device. These devices access the same information and contain the same information that a traditional endpoint does with zero protection. As an attacker, you will look for the most efficient attack path and mobile is clearly the new favorite path.

 

We’ll be making a splash at this year’s conference, so be sure to stop by booth #5A21 in Expo Hall 5, where we will host demos, giveaways, and more. Also, be sure to follow @McAfee and @McAfee_Home for real-time updates from the show and opportunities to win giveaways throughout the week.


Privacy and Security by Design: Thoughts for Data Privacy Day

Data Privacy Day has particular relevance this year, as 2018 brought privacy into focus in ways other years have not. Ironically, in the same year that the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect, the public also learned of glaring misuses of personal information and a continued stream of personal data breaches. Policymakers in the United States know they cannot ignore data privacy, and multiple efforts are underway: bills were introduced in Congress, draft legislation was floated, privacy principles were announced, and a National Institute of Standards and Technology (NIST) Privacy Framework and a National Telecommunications and Information Administration (NTIA) effort to develop the administration’s approach to consumer privacy are in process.

These are all positive steps forward, as revelations about widespread misuse of personal data are causing people to mistrust technology—a situation that must be remedied.

Effective consumer privacy policies and regulations are critical to the continued growth of the U.S. economy, the internet, and the many innovative technologies that rely on consumers’ personal data. Companies need clear privacy and security expectations to not only comply with the diversity of existing laws, but also to grow businesses, improve efficiencies, remain competitive, and most importantly, to encourage consumers to trust organizations and their technology.

If an organization puts the customer at the core of everything it does, as we do at McAfee, then protecting customers’ data is an essential component of doing business. Robust privacy and security solutions are fundamental to McAfee’s strategic vision, products, services, and technology solutions. Likewise, our data protection and security solutions enable our enterprise and government customers to more efficiently and effectively comply with regulatory requirements.

Our approach derives from seeing privacy and security as two sides of the same coin. You can’t have privacy without security. While you can have security without privacy, we strongly believe the two should go hand in hand.

In comments we submitted to NIST on “Developing a Privacy Framework,” we made the case for Privacy and Security by Design. This approach requires companies to consider privacy and security on the drawing board and throughout the development process for products and services going to market. It also means protecting data through a technology design that considers privacy engineering principles. This proactive approach is the most effective way to enable data protection because the data protection strategies are integrated into the technology as the product or service is created. Privacy and Security by Design encourages accountability in the development of technologies, making certain that privacy and security are foundational components of the product and service development processes.

The concept of Privacy and Security by Design is aspirational but is absolutely the best way to achieve privacy and security without end users having to think much about them. We have some recommendations for organizations to consider in designing and enforcing privacy practices.

There are several layers that should be included in the creation of privacy and data security programs:

  • Internal policies should clearly articulate what is permissible and impermissible.
  • Specific departments should specify further granularity regarding policy requirements and best practices (e.g., HR, IT, legal, and marketing will have different requirements and restrictions for the collection, use, and protection of personal data).
  • Privacy (legal and non-legal) and security professionals in the organization must have detailed documentation and process tools that streamline the implementation of the risk-based framework.
  • Ongoing organizational training regarding the importance of protecting personal data and best practices is essential to the continued success of these programs.
  • The policy requirements should be tied to the organization’s code of conduct and enforced as required when policies are violated.

Finally, an organization must have easy-to-understand external privacy and data security policies to educate the user/consumer and to drive toward informed consent to collect and share data wherever possible. The aim must be to make security and privacy ubiquitous, simple, and understood by all.

As we acknowledge Data Privacy Day this year, we hope that privacy will not only be a talking point for policymakers but that it will also result in action. Constructing and agreeing upon U.S. privacy principles through legislation or a framework will be a complicated process. We better start now because we’re already behind many other countries around the globe.


Step Up on Emerging Technology, or Risk Falling Behind

Earlier last year, the U.S. Commerce Department’s Bureau of Industry and Security (BIS) put out a call for public comment on criteria for identifying emerging technologies that could potentially be subject to future export control regulations. The tech industry responded in full force, providing recommendations for how the federal government can ensure U.S. competitiveness in the global market while supporting the development of emerging technology (read comments submitted by McAfee here).

Emerging technology poses an interesting challenge for tech companies and federal regulators alike. In many cases, technologies that BIS designates as “emerging,” such as AI and machine learning, are already in widespread use around the world. Other technologies like quantum computing are very much in the research and development phase but have the potential to alter the course of national security for decades to come. Many of these technologies are difficult to define and control, and many are software-based, which greatly complicates the development of regulation. Software technologies, by their very nature, are fundamentally different from physical items and physical process technologies. Their intangible, readily-reproducible character makes software-based technologies inherently difficult to define and control.

This task is enormous and must be handled cautiously, as history has provided countless examples of how overregulation can hamper development. A poignant example of overregulation at the cost of progress is the automobile industry. According to Deloitte, although tough restrictions on automobiles were nothing but well-intentioned in the late 1800s, regulation greatly hampered research and advancement. The early days of the automobile industry should serve as a cautionary tale when it comes to regulating new and innovative technology.

The U.S. is in a unique position to act to protect our technological interest and secure the nation’s position as a global leader. The U.S. secured a pivotal tech leadership role, having spearheaded the development of the internet in the early 1990s. The nation has immense power and potential to take the mantle on emerging technology, and the stakes are high. Some of the country’s greatest accomplishments have stemmed from empowering the private sector and encouraging innovation. For example, tremendous strides in private sector space exploration have been made possible by the support and administration of empowering legislation. Companies like SpaceX and Boeing are creating next-generation space technology, working each day to ensure that the U.S. maintains competitiveness.

Cybersecurity is another area that requires particular attention. Given the global availability of cybersecurity tools, many of which make use of the emerging technologies under review, McAfee understands that great care needs to be taken by our government before imposing additional export controls on American cyber companies. These rules can have the unintended and harmful consequence of stunting the growth and technical capabilities of the very companies that currently protect vital U.S. critical infrastructure, including federal and state government infrastructure, from cyber-attacks. As a leading nation, it is critical to stay ahead of threats by criminal actors. This is only possible if cyber companies have the ability to access global markets to fund the research and development needed to keep pace with rapid innovation. Controls should be implemented with a great understanding of the need to stay competitive in global innovation, particularly when it comes to cybersecurity.

Overregulation could cause great harm, and the U.S. government must tread carefully in administering a carefully-crafted, targeted approach. Rather than burdening U.S. software companies with new and substantial export control compliance costs, the U.S. should seek to empower these companies. Any controls deemed essential by the government should be as narrowly tailored as possible, especially given the broad range of current and future companies and technologies. A multilateral approach to export controls on emerging technologies is vital for U.S. companies to remain innovative and competitive in the global marketplace. This cautious approach would ensure alignment between the private and public sectors, ultimately allowing for emerging technology to be front and center. Providing an ecosystem in which the technology of tomorrow can flourish is essential to the U.S. continuing to blaze the trail on emerging technologies.


We Put You at the Core

As we usher in the new year, I want to update you on some exciting transformations the McAfee Customer Success Group (CSG) has undergone. As a company, McAfee is committed to putting you—our customer—at the core. Our goal is to help you make the right decisions as you evolve your security maturity from device to cloud and to bring you the best possible customer experience every time we interact.

McAfee uses the Net Promoter Score (NPS) to quantify customer sentiment about our brand and our products. This allows us to see customer feedback, analyze it, and make strategic decisions based on this intelligence. By listening to and acting on your input, CSG has made significant changes around people, process, technology, and offerings. These enhancements will help you make the most of your McAfee solutions so that you can successfully achieve your desired security outcomes.

We’re constantly innovating to provide cybersecurity services that align with your definition of success. The transformation changes include:

Cybersecurity Services

To help move your security goals forward, we’ve updated and developed new offerings.

McAfee Customer Success Plans

We’re now offering three unique Customer Success Plans: McAfee Premier, Enhanced, and Essential Success Plans. These plans help enterprises—of all sizes—address today’s biggest challenges: the cybersecurity talent shortage, the growing threat environment, and lack of sufficient training. The plans are a strategically packaged set of personalized services, resources, and expert guidance that help drive product adoption, reduce security risks, and maximize your investment. You can expect proactive planning, success and escalation management, consulting, and education services, and business reviews to help transform your security into a business driver. Learn more.

McAfee Education Services

The IT professionals who enforce the security policies and run the tools that protect their organizations’ data frequently lack access to the training they need. The skills shortage, combined with lack of easily accessible training, leaves organizations exposed to attacks and data loss. Our cutting-edge McAfee Education Services portfolio offers flexible product and security training options that help you stay ahead of threats, save time, and maximize your McAfee investment. We’ve added guided on-demand training, bringing the classroom training experience in a remote setting with hands-on labs access, and refreshed our product training catalog. Learn more.

McAfee Incident Response

You need to be prepared for cyberattacks. The McAfee Incident Response (IR) Service is a comprehensive offering that combines two services that prepare and strengthen your company against potential cyberattacks and give you greater peace of mind. Our 40-hour IR readiness assessment provides you the opportunity to collaborate with McAfee security professionals to proactively build a comprehensive IR plan. You also receive 160 pre-paid emergency IR hours to use over a 12-month period. Should a cyberattack occur, you have access to McAfee security experts to help you through the crisis, saving downtime and loss of reputation. Learn more.

McAfee Corporate Support Enhancements

McAfee understands that your time is valuable. We’ve made some important changes to help you resolve issues more quickly and, ultimately, make it easier to interact with McAfee Technical Support. These enhancements include a simplified Service Request submission process, single case ownership from creation to resolution, and phone lookup enhancements for direct connection to the case owner. This provides consistency and reduces the time spent on troubleshooting, ensuring your business issues are addressed. Learn more.

Self-Service Tools

To improve your digital support experience, we’ve developed several new self-service tools and resources. These include:

  • New mobile application which allows you to receive notifications and view, update, and close Service Requests. Download to your Android or iOS mobile device from the app store
  • New portal landing pages, a central location for common resources, categorized by product, where you can get answers to your critical questions
  • Support communities where you can collaborate with like-minded security professionals to resolve issues and share information and best practices
  • Access to a library of YouTube videos that provide “how to” support for new product features
  • Launching next month, an in-product McAfee ePO Support Center plug-in to simplify and streamline technical troubleshooting (for version 5.3 and higher)

McAfee Customer Success Group

CSG supports your aspirations. The improvements we’ve made demonstrate how we are transforming along with you. We’re listening to your needs and committed to delivering an exceptional customer experience to each of you, every time.

Advanced security solutions from McAfee are designed to detect, protect, and correct—from device to the cloud.* CSG helps you optimize those security solutions so that you can innovate fearlessly, proactively protect your business, and scale up in line with your timeframe.  We look forward to working closely with you to accomplish your near-term and long-term security and business goals. As we’re accustomed to saying around here, “Together Is Power.”

To find out how we can help you reach your security goals, visit the “Learn More” links above or contact your sales account manager or partner.

 

 

*McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. No connected environment can be absolutely secure.


Championing Equality: McAfee to Achieve Gender Pay Parity in 2019

Recently, the World Economic Forum revealed it will take 202 years for women to achieve economic gender parity at our current rate. Two hundred and two. Let that sink in for a moment. Doesn’t quite seem right, does it? At McAfee, we believe every single employee should be compensated fairly and equally for their individual contribution and impact to the company, regardless of gender. That is why we’re committed to acting now to address any gender pay parity discrepancy in the first half of 2019.

This announcement underlines our unwavering commitment to inclusion and diversity. When McAfee reaches global pay parity in 2019, we will be the first pure-play cybersecurity company to do so. And while study after study reinforces the simple fact that diversity drives prosperity, we’re still falling short with just 11% female representation in cybersecurity.

 

Making significant progress is not going to happen overnight. It also won’t happen on its own. We need greater collaboration to help drive the actions that will change the conversation. So in the spirit of transparency and sharing best practice, here are four steps McAfee is undertaking to achieve gender pay parity:

  1. We define pay parity. At McAfee, pay parity means fair and equal pay for employees in the same job, level and location, controlling for pay differentiators such as performance, tenure and experience, regardless of gender.
  2. We complete our inaugural review. Create job groups by role, level and location to evaluate any discrepancies outside of the predetermined controlling factors.
  3. We adjust pay. If a gap is found between females and males within the group, our purpose is to ensure nothing about a person’s gender is causing the discrepancy and to make adjustments if needed.
  4. We uphold pay parity. This will not be just a point in time review, but an annual analysis to stay the course. But maintaining pay parity also means keeping it at the forefront throughout the year—from our hiring practices to how we promote and reward our employees.

In these four steps lies a momentous promise to equality. Each day, I’m proud to work alongside a team dedicated to creating a workplace where all voices, perspectives and experiences are welcomed, where everyone can belong. But our investment in pay parity is among the most important steps in showing our people we value them, equally.

With this commitment, we continue to live our values, build an inclusive culture, create better workplaces and build stronger communities. I’m honored to join companies beyond the world of cyber already striving towards pay parity and I hope more will join us in reaching this milestone in equality.

Ready to work for a company committed to equality? McAfee is hiring!

Disclaimer: This blog was originally published on LinkedIn


New DHS Agency Will Provide Needed Emphasis on Cybersecurity

Cybersecurity is playing an increasingly greater role in our government and economy. As our world becomes more interconnected, the cyberthreat landscape is growing and rapidly evolving. To address both physical threats and cyberthreats, the leading federal agency must have the flexibility and resources to quickly mitigate any potential interruptions or harm.

Last week, a critical step was taken in how the Department of Homeland Security (DHS) manages cybersecurity. The long-awaited Cybersecurity and Infrastructure Security Agency (CISA) Act was signed into law by the president, reorganizing the former National Protection and Programs Directorate (NPPD) into CISA. The permanent establishment of a stand-alone federal agency equipped to deal with cyberthreats is long overdue and welcome among the cybersecurity community.

CISA will be its own department within DHS, similar to the Transportation Security Administration (TSA), and will be led by cybersecurity expert, NPPD Under Secretary Christopher C. Krebs, who has had a distinguished career in both the public and private sectors. Establishing CISA as a stand-alone agency within DHS elevates both the mission of cybersecurity in the federal government and cybersecurity’s importance and solidifies the position of cybersecurity in our economy.

This is a smart decision on the part of Congress and the White House. It will help the newly created agency outline its priorities, advocate for a separate budget, and further develop recruitment efforts. CISA’s leaders will have the ability to continue to drive a culture of cybersecurity within our federal agencies and workforce while enhancing their capabilities to partner with the private sector to address our nation’s most critical cybersecurity threats.

McAfee looks forward to continuing to work with Christopher C. Krebs and his able team, led by CISA Assistant Director for Cybersecurity Jeanette Manfra.

 
