McAfee's DeepSAFE: Beyond OS, beyond need?

Who needs ever-cleverer security software when we're still forgetting the basics?

Safe never sleeps (but grammar does): McAfee co-president Todd Gebhart delivering a keynote at Focus 11 in Las Vegas. (Stilgherrian / CSO Online)

McAfee's Focus 11 conference — like every vendor's conference — isn't really about the open sharing of detailed technical information. That takes place at events like AusCERT or Black Hat. It's about preparing soil for the seeds of marketing.

It's therefore not important that you get to understand the latest information security issues. Not really understand them.

That's why the keynotes — the IT industry's equivalent of the Home Shopping Network — are full of middle-aged executives awkwardly high-fiving each other, pacing like roadside preachers and being "excited" by everything. Of constantly moving graphics filled with out-of-context numbers — big numbers, always such big, meaningless numbers! Of major-chord music with the bass turned way too high.

Full of everything, in other words, that'll prevent you forming a rational response.

None of this is unique to McAfee, of course. It's just How Things Are Done. After all, if you're preparing soil there's something that it simply must be full of.


At least McAfee isn't as blatant as certain other infosec vendors.

So, after spending the bulk of this week in Las Vegas being shovelled with the McAfee message, what have I learned?

The key message is that McAfee — now "an Intel company", as we were constantly reminded — is in a unique position. McAfee's software smarts are now combined with Intel's hardware smarts and their great big pot o'cash.

The first fruit of that union is DeepSAFE (technology that sits between the processor chip and the operating system), and the first product to use DeepSAFE is Deep Defender (which detects and defends against both known and unknown malware in the kernel).

And we really, really need this technology because modern malware is both incredibly sophisticated (cue white paper, The New Reality of Stealth Crimeware) and incredibly prolific (cue a Big Number, 100 megabazillion new malware threats every millisecond, or thereabouts).

Deep breath.

DeepSAFE is doubtless an important new technology. The ability to step outside the box of the operating system and see what's going on inside it is a powerful new ability. As one of McAfee's star presenters put it, it's effectively sitting between the code and the computer's critical resources — processor, memory, input-output channels etc — and moderating everything that happens. It gives McAfee a big advantage.

Until the bad guys figure out how to get there themselves and subvert the process.

Or until the competitors catch up.

McAfee executives say that'll take a while.

"We've been on this journey of developing this now for two and a half years, so we believe they're going to have to take at least that period of time," said McAfee co-president Todd Gebhart.

"Let's say they're twice as smart as we are, which we don't think so, but it's still... look... remember at the end of the day the overall objective is to secure computing, right? And we actually hope the competitors look at what we're doing and go, 'Yeah we need to get there'. Because if we all do a better job of securing computing, guess what? Computing's going to continue to grow.

"Regardless of what device it's on, it'll take a lot of different flavours, a lot of different approaches. But we all need it to grow. Our lifestyles depend on it. The economies of too many worlds are waiting for it to happen. It is a way of life and we've got to continue to propagate it."

Fortunately — or unfortunately, I'm not sure which — fellow co-president Michael DeCesare broke in before we crossed the Strangelove threshold.

"It's open technology. It is published. Any other vendor has equal rights to us. What other vendors don't necessarily have is the economic firepower to be able to make the investments necessary to get there," he said.

"We were the largest dedicated security company, and we have gotten an acceleration of R&D resources from Intel as a result of the merger."

(Fertiliser Fine Point: "Largest dedicated security company"? True, actually. Symantec is bigger than McAfee was before being bought by Intel, but their product range isn't limited to security.)

But do we really need something like DeepSAFE? After all, most real-world security problems could be solved by dealing with the basics, as the Defence Signals Directorate (DSD) showed. Patch your software, patch your operating system, get rid of all those administrator accounts and only allow whitelisted software to run.

It's the same message as a decade ago, isn't it? And none of it needs DeepSAFE.

"I think the difference is that over the last couple of years... the sophistication of the bad guys has gotten far different. This is no longer kids in a university trying to see if they can break into the Pentagon for a project. These are organised bad guys that are coming after organisations in a very big way," DeCesare said.

"I'm not sure that I know any large corporation that I have met with who has not dealt with some APT [advanced persistent threat] in the last year that has come after some of the most critical IP they have out there. That's going to force the security companies to react in another way and try to protect those customers in a better way. That's why we're so excited about the DeepSAFE technology," he said.

"Stuxnet would have been prevented with it, for example," said Gebhart.

That's a great sound bite, Mr Gebhart, but there's really no way of knowing whether it's fact or fertiliser.

Still, McAfee has DeepSAFE, and that'll now become a checkbox on all the security product comparison charts. Expect the other vendors to race to create their equivalent technologies to avoid an empty checkbox.

Whether we need it or not.

Personally, I can't help but think moving "below the operating system" takes us down Kurt Gödel's wormhole, and a few years from now we'll be hearing how some new product takes us "below DeepSAFE".

Stilgherrian is attending McAfee's Focus 11 security conference in Las Vegas as their guest.

Contact Stilgherrian at or follow him on Twitter at @stilgherrian
