McAfee's DeepSAFE: Beyond OS, beyond need?

McAfee's Focus 11 conference — like every vendor's conference — isn't really about the open sharing of detailed technical information. That takes place at events like AusCERT or Black Hat. It's about preparing soil for the seeds of marketing.

It's therefore not important that you get to understand the latest information security issues. Not really understand them.

That's why the keynotes — the IT industry's equivalent of the Home Shopping Network — are full of middle-aged executives awkwardly high-fiving each other, pacing like roadside preachers and being "excited" by everything. Of constantly-moving graphics filled with out-of-context numbers — big numbers, always such big, meaningless numbers! Of major-chord music with the bass turned way too high.

Full of everything, in other words, that'll prevent you forming a rational response.

None of this is unique to McAfee, of course. It's just How Things Are Done. After all, if you're preparing soil there's something that it simply must be full of.


At least McAfee isn't as blatant as certain other infosec vendors.

So, after spending the bulk of this week in Las Vegas being shovelled with the McAfee message, what have I learned?

The key message is that McAfee — now "an Intel company", as we were constantly reminded — is in a unique position. McAfee's software smarts are now combined with Intel's hardware smarts and their great big pot o'cash.

The first fruit of that union is DeepSAFE (technology that sits between the processor chip and the operating system), and the first product to use DeepSAFE is Deep Defender (which detects and defends against both known and unknown malware in the kernel).

And we really, really need this technology because modern malware is both incredibly sophisticated (cue white paper, The New Reality of Stealth Crimeware) and incredibly prolific (cue a Big Number, 100 megabazillion new malware threats every millisecond, or thereabouts).

Deep breath.

DeepSAFE is doubtless an important new technology. The ability to step outside the box of the operating system and see what's going on inside it is a powerful new ability. As one of McAfee's star presenters put it, it's effectively sitting between the code and the computer's critical resources — processor, memory, input-output channels etc — and moderating everything that happens. It gives McAfee a big advantage.

Until the bad guys figure out how to get there themselves and subvert the process.

Or until the competitors catch up.

McAfee executives say that'll take a while.

"We've been on this journey of developing this now for two and a half years, so we believe they're going to have to take at least that period of time," said McAfee co-president Todd Gebhart.

"Let's say they're twice as smart as we are, which we don't think so, but it's still... look... remember at the end of the day the overall objective is to secure computing, right? And we actually hope the competitors look at what we're doing and go, 'Yeah we need to get there'. Because if we all do a better job of securing computing, guess what? Computing's going to continue to grow.

"Regardless of what device it's on, it'll take a lot of different flavours, a lot of different approaches. But we all need it to grow. Our lifestyles depend on it. The economies of too many worlds are waiting for it to happen. It is a way of life and we've got to continue to propagate it."

Fortunately — or unfortunately, I'm not sure which — fellow co-president Michael DeCesare broke in before we crossed the Strangelove threshold.

"It's open technology. It is published. Any other vendor has equal rights to us. What other vendors don't necessarily have is the economic firepower to be able to make the investments necessary to get there," he said.

"We were the largest dedicated security company, and we have gotten an acceleration of R&D resources from Intel as a result of the merger."

(Fertiliser Fine Point: "Largest dedicated security company"? True, actually. Symantec is bigger than McAfee was before being bought by Intel, but their product range isn't limited to security.)

But do we really need something like DeepSAFE? After all, most real-world security problems could be solved by dealing with the basics, as the Defence Signals Directorate (DSD) showed. Patch your software, patch your operating system, get rid of all those administrator accounts and only allow whitelisted software to run.

It's the same message as a decade ago, isn't it? And none of it needs DeepSAFE.

"I think the difference is that over the last couple of years... the sophistication of the bad guys has gotten far different. This is no longer kids in a university trying to see if they can break into the Pentagon for a project. These are organised bad guys that are coming after organisations in a very big way," DeCesare said.

"I'm not sure that I know any large corporation that I have met with who has not dealt with some APT [advanced persistent threat] in the last year that has come after some of the most critical IP they have out there. That's going to force the security companies to react in another way and try to protect those customers in a better way. That's why we're so excited about the DeepSAFE technology," he said.

"Stuxnet would have been prevented with it, for example," said Gebhart.

That's a great sound bite, Mr Gebhart, but there's really no way of knowing whether it's fact or fertiliser.

Still, McAfee has DeepSAFE, and that'll now become a checkbox on all the security product comparison charts. Expect the other vendors to race to create their equivalent technologies to avoid an empty checkbox.

Whether we need it or not.

Personally, I can't help but think moving "below the operating system" takes us down Kurt Gödel's wormhole, and a few years from now we'll be hearing how some new product takes us "below DeepSAFE".

Stilgherrian is attending McAfee's Focus 11 security conference in Las Vegas as their guest.

Contact Stilgherrian at or follow him on Twitter at @stilgherrian

Copyright © 2011 IDG Communications, Inc.
