Interview with Dave Marcus, Director of Security Research and Communications, McAfee Labs

SecurityWeek Exclusive

Giant security vendor McAfee this week issued a “call to arms” to the IT security industry with the publication of a report that advocates a more proactive approach to security in a number of areas, many related to the sharing of data. We interviewed Dave Marcus, Director of Security Research and Communications at McAfee Laboratories, to get more detail.

SecurityWeek: You have advocated more cooperation in the war against malware. But the “good guys” – like McAfee – are in competition with one another, and that includes having the best information about potential attacks. Isn’t this a formidable barrier to sharing?

Dave Marcus: We share samples with our major competitors on a daily basis, and we have done that from day one. How we detect the threats is proprietary, but we need to share as much about the threats themselves as possible, and that doesn’t really affect our ability to be competitive.

SW: What other types of sharing are not taking place… and why?

DM: There are two types of data to be shared. There’s the threat itself, the actual binary. That’s what has traditionally been shared. What we want to see more of is information about the threat. How was the threat collected? What IP address was it distributed from? Who does it look like it was created by? When was it detected? By sharing more of that type of information, we get to profile who wrote it. and potentially arrest them and take them down.

SW: What gets in the way of this other type of sharing? Is there reluctance or pushback?

DM: I don’t think so. A lot of people simply haven’t engaged in the discussion yet. As an industry, we’ve never stepped back and asked, “Are we sharing the right type of data? Are we actually empowering law enforcement and giving them what they need?” Promoting those conversations is what will really push us forward. And we have to build some kind of forensic collection into detection.

SW: Could you describe McAfee’s position on responsible disclosure vs. full disclosure?

DM: This is a question that just never goes away. We have always advocated ethical disclosure right from the beginning. Our position is, don’t put users in danger, and to achieve that, you work with the vendor. But [as a vendor], if you’re not seen as being responsive, the security researchers who discovered the vulnerability are going to release it quick., because they think you’re shooting around them or not being responsible or aren’t going to give them credit. The other side is, when you’re a vendor, and we are, you have a process to get patches actually published and that takes time. When you rush patching, you get bad patches.

SW: You state that ICANN has done some good things, like revoking EstDomains’ accreditation and eliminating “domain tasting.” What else should ICANN be doing that it’s not doing today?

DM: Part of the problem we ran into in taking down some of the ISPs and really bad players was the amount of time it took ICANN to actually respond. It wasn’t until Brian Krebs, a former reporter for the Washing Post, put a lot of pieces together and started hammering them publicly that they took the call to action and did something. What they have to do is a lot of the things they finally did, but in a quicker period of time.

SW: What exactly do you mean by proactive law enforcement? Could you provide a couple of specific examples of what’s not taking place right now?

DM: One of the biggest things institutionally – and this is from the security industry’s perspective – is that the bad guys don’t have anything to worry about right now. The number of times you’ve seen a cybercriminal arrested, let alone prosecuted, you can almost count on one hand.

SW: So you want headlines and video showing cops actually arresting cyber criminals.

DM: When I say “cops” I’m using that in a very general sense. It may be Federal. If the bad guys are global, and we’re going to combat them correctly, law enforcement ultimately has to be global, and there needs to be a process to share information across borders.