A lower degree of alignment between the various threat defences deployed by organisations can deliver better defence, according to Steve Grobman, senior vice-president and CTO at McAfee.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
“This is what I call the threat defence correlation paradox,” he told Computer Weekly, saying that if an organisation is using perfectly aligned technologies, there will be no overall gain in efficacy.
This means that if an organisation is using three perfectly aligned technologies that each have an efficacy of 70%, the combined effect will still be only 70%, said Grobman.
“If they are perfectly correlated, that means they are essentially only going to give the same answer to everything – they are all going to detect the same things,” he said.
Therefore, deploying extra technology does not necessarily result in better threat detection, and for this reason, McAfee’s technology development typically aims at low correlation with existing technologies.
“If we are considering a new technology that covers what existing technologies already cover, then we dismiss it quickly, unless it is cheaper to produce,” said Grobman.
“Paradoxically, having a lower correlation will result in a higher level of defence because a correlation of zero means that the detection of each technology will be independent from the others.”
This means that three technologies with a 70% efficacy rate could potentially deliver a combined efficacy of 97.3% if there is zero correlation, he said.
“Since they are independent, the only time you will not detect a threat is when all three fail,” said Grobman.
“And because there is a 30% likelihood of failure for each, the combined likelihood of failure is 0.3 X 3, which is 2.7%, and subtracted from 100% gives a combined detection capability of 97.3%.”
In other words, said Grobman, with exactly the same detection rates of 70% each, a higher overall level of defence can be achieved through layering if there is a low level of correlation or overlap.
“Using this concept, we can pick technologies that might otherwise be discounted if they were looked at on their own,” he said. “Even if a technology detects only a few percent of threats, if it is in an area we do not have coverage on, it could be amazingly valuable.”
Having a highly analytical approach to technology and its deployment enables McAfee to build a much better defence capability than security suppliers that are focused on making one thing better, said Grobman.
“If you take one thing and try to make it better, you will start getting diminishing returns, but if you layer multiple technologies in a technology teaming fashion, and as long as you do that by applying well-founded scientific methods to it, you can get to a much better outcome than any technology on its own.”
In line with this approach, McAfee is designing its products to allow the inclusion of different technology modules, he said.
“So, if we find something in our research and development labs that fits this mathematical model well, we can just snap it into the product. We don’t have to design a whole new product.”
Correlation of defence
This is a way of thinking about layered security that is not just about counting the number of layers, but requires an understanding of the correlation of the defence between the layers, said Grobman.
“When you think about defence in depth, you have to understand whether you are getting uncorrelated defence capabilities that are truly improving your security, not just adding to your cost,” he said.
Because McAfee understands this concept, said Grobman, it enables a much more effective approach to layered defence, which is sometimes achieved within one product. “But we are only going to do it when it adds value and when it can deliver an exponential improvement,” he added.
An example of where McAfee has used layered technologies is the use of two different machine learning modules in its endpoint security product, said Grobman. One is a structural machine learning technology and the other is a behavioural machine learning technology, so that malicious activities can be detected both on what they are and what they do.
“If you had a script that used WinZip and OpenSSL to implement ransomware, those components are not bad and would not be detected by the structural machine learning module,” said Grobman. “But behaviourally, if it starts encrypting everything on the disk, that’s bad and will be detected by the behavioural machine learning module.
“In testing, we found that those two technologies are fairly uncorrelated, so we get a lot of value by having them both. So really understanding the nuance of how technologies relate to each other will allow us to build far superior capabilities than competitors that are just looking at things from a single standpoint.”