MPOWER 2019: McAfee demonstrates progress in building out its cloud vision

October 11 2019
by Patrick Daly, Garrett Bekker


McAfee began MPOWER 2019 by highlighting the key theme for the event: it's about time. The phrase refers to the ever-increasing burden placed on security professionals to do more – detect more threats, investigate more incidents and remediate more vulnerable assets – in the same time span. Throughout the conference, McAfee highlighted how its latest product investments (including the new Unified Cloud Edge and MVISION Insights products) and the robust partner ecosystem enabled through its open architecture are intended to reduce the time required (or improve the time frame before they are impacted) for customers to detect, investigate and remediate threats in their environments.

The 451 Take

When McAfee first announced the MVISION platform at last year's MPOWER, it represented the company's commitment to delivering its products natively from and for cloud environments. At this year's event, the focus was on demonstrating what McAfee has done to execute on that strategy thus far and highlighting areas of continued investment. The introduction of threat analytics platform MVISION Insights, one of the most significant announcements at the conference, is indicative of McAfee's strategy to simplify security for the practitioner and reduce the effort required to detect, investigate and remediate threats. The company's Unified Cloud Edge, on the other hand, shows how it is trying to drive value for customers by consolidating several point products into a single value proposition – the ability to define security policies in one dashboard and apply those policies uniformly across cloud and on-premises environments.

Corporate strategy

McAfee emphasized three core themes guiding the conference and corporate strategy: the device-to-cloud platform, open architecture and actionable insights. MPOWER also featured several product releases or updates across the MVISION portfolio – which is an umbrella name for all cloud-based/cloud-native security offerings from McAfee – including MVISION Insights and the Unified Cloud Edge vision, as well as updates to MVISION Endpoint, MVISION EDR and MVISION ePO. MVISION EDR and Endpoint are now available under a single SKU, and McAfee also extended the length of time users can store data for investigations from seven to 30 days.

Device-to-cloud platform

MVISION Cloud (based on the Skyhigh Networks cloud access security broker acquisition) now spans security for IaaS and PaaS, as well as SaaS applications. New features include a real-time malware-scanning engine that analyzes behavior to help reduce the time to detect zero-day attacks; the ability for enterprises to compare their cloud security posture to industry peers with suggestions to make improvements (Cloud Maturity Advisor); and the ability for end users to get directly involved in helping resolve incidents via self-service options, with the intent of reducing the demands on SOC analysts. MVISION Cloud also now extends to containers, thanks to the recent acquisition of container security startup NanoSec, which essentially provides vulnerability scanning and micro-segmentation for containers.

The new Unified Cloud Edge will provide a single console across McAfee's MVISION Cloud (CASB), its secure web gateway (SWG), and its DLP offerings to provide a consistent policy layer across web and cloud resources for hybrid, multi-cloud environments. Unified Cloud Edge is not yet a product-level offering, though it does unify API, forward, reverse and client proxies to provide consistent enforcement actions across endpoint, network and cloud use cases. McAfee's SWG is also based on a peering architecture with CDNs that can help lessen the performance impact from routing traffic to and from proxies.

Open architecture

McAfee's open architecture is intended to simplify security for its customers and is highlighted by a network of more than 140 technology partners that have developed integrations with McAfee. These integrations are largely accomplished through APIs. The company's CASB Connect is a self-service API that enables partners and other vendors to build integrations without writing any code. AWS recently made McAfee MVISION Cloud the first CASB to be a part of its Security Competency Partner program. The AWS integration enables McAfee customers to discover shadow IT in their AWS environments, monitor for abnormal user behavior on SaaS applications, continuously monitor for abnormal user behavior, and detect misconfigured assets and policy violations. MVISION Cloud also integrates with Microsoft Teams, a decision that depended in part on MVISION's ability to integrate natively via APIs. For SaaS applications without the mechanisms for API-based integration, McAfee offers a proxy-based integration.

In addition to its partnerships, McAfee has democratized its customers' ability to share intelligence between security products ' the company announced the addition of an OpenDXL Broker to go with the OpenDXL Client it introduced in 2016. OpenDXL is an open source implementation of Data Exchange Layer (DXL), a communication fabric that enables intelligence to be shared between security products from multiple vendors. McAfee's OpenDXL implementation for MVISION lays a foundation for improved compliance initiatives, detection and automated incident response driven by telemetry shared between security tools.

Actionable insights

At MPOWER, McAfee also unveiled MVISION Insights, a set of new capabilities built into McAfee's ePO management platform. MVISION Insights is designed to enable security operations teams to identify and address gaps in their security posture and investigate threats that have already infected devices in the customer's environment. Telemetry from McAfee's geographically distributed network of endpoint sensors provides a global view of the threat landscape across multiple attack vectors. Threat activity is correlated with data collected from an individual organization's environment to identify which threats may be targeting their industry sector or geography, what devices in particular have a larger attack surface or weaker countermeasures, and what action should be taken (updating endpoint defensive content or changing a device's compensating controls, for example) to better protect the organization from that specific threat.

Information related to an organization's security posture &andash; the countermeasures it has in place, the configurations of the security mitigations present, and potential and active attack attempts – is rolled up into MVISION Insight's cloud interface, which is part of ePO. MVISION Insights provides organizations visibility into how secure their environment is via a local protection profiling system, which illustrates the security posture across the organization's environment and recommends changes that would improve the security posture.

On the detection and mitigation side, MVISION Insights will alert customers to known threats and offers security analysts the tools to investigate zero-day threats that may have infiltrated the environment by comparing activity with threat behavior observed by sensors in other customer environments. When a threat is detected, customers can act to mitigate the effects, including isolating the infected machines, taking mitigation actions such as writing new policies, or changing device configurations to halt or prevent the threat. Analysts can then pivot to McAfee MVISION EDR to do guided investigations. McAfee says that the mitigation and remediation actions will continue to evolve in upcoming versions of MVISION Insights.