Delivering a safer Internet experience

Posted by Tim Dowling - May 14, 2008 on 2:37 pm | In Mcafee Security | No Comments

Is any Web site safe? That was the question posed in a recent article I read after it was reported that McAfee estimates that 7.8 billion links that lead people to risky Web sites are served up by search engines each month.

It’s becoming more difficult for people to tell the difference between safe neighborhoods on the Internet and the dark alleys. The bad sites strive to look harmless to users, so it is very difficult to identify which results are safe to visit. Sites that are safe today may turn bad tomorrow.

Security is a huge concern for consumers – forty per cent of people just won’t shop online. And the dangers lurking online continue to grow but we’re not standing still.

Last week I was in New York talking to analysts and reporters about the ways in which we are making the Internet more secure and safer for millions of people. First, we’ve joined forces with Yahoo! to make searching the Web a safer experience by integrating our award-winning SiteAdvisor technology into Yahoo! Search. Called Yahoo! Search Scan, consumers will now be alerted to known risky Web sites with a red warning in the search results.

Hard on the heels of our announcement with Yahoo!, we’ve announced the McAfee Secure Search Service and McAfee Secure for Web Sites, a security certification program and brand new trust mark. Within McAfee Secure Search, consumers will see McAfee SiteAdvisor’s green and yellow ratings, and sites annotated with the McAfee Secure trust mark. The Secure trust mark is the most comprehensive trust mark available, indicating that a site has been tested for reputable business practices and safe user experiences. And with McAfee Secure Search Service, consumers can eliminate all risky sites from being displayed in search results.

With these announcements we’re striving to make the Internet experience a safer one by helping to take the guesswork out of searching and buying online. At the same time we’re giving e-businesses the opportunity to build trust and confidence in their services through the McAfee Secure trust mark.

 



Interop Las Vegas: No more silos

Posted by David DeWalt - May 1, 2008 on 7:56 pm | In Mcafee Security | No Comments

It is uncanny how many familiar faces I saw as I roamed the show floor at Interop on Wednesday.

It is my second time at this event as McAfee’s CEO. While traditionally a networking fest, Interop has morphed and now includes software, security and more, so it makes sense for McAfee to be at Interop.

True to Interop’s roots, however, I put emphasis in my keynote on the fact that McAfee secures networks. In fact, network security is one of our core businesses. We recently launched McAfee Total Protection for Network, providing better security that is easier to manage and at a lower cost than traditional security appliance deployments.

Additionally, in the keynote and in the series of media interviews afterwards, I emphasized the need for interoperability. Traditionally security vendors have operated in silos, with products that didn’t work together. We’re pioneering change in this area with ePolicy Orchestrator and our Security Innovation Alliance, linking our products with third party products, addressing the interoperability challenge.

In an on-stage interview after the keynote Mr Rangaswami asked me about the S.P.A.M. Experiment. That’s our reality-show-like project where 50 volunteers across the world have been living their life with an inordinate amount of spam over the past 30 days and blogging about it.

Soon we’ll release an analysis of the spam they received, but we already know that spam and related threats have become more targeted and regionalized than ever.

If you would like to see my keynote presentation, it should be posted to the Interop and Software 2008 Web sites shortly.

Finally, while I was at Interop, though unrelated to the event, we announced the appointment of a new CFO. Welcome to McAfee, Rocky Pimentel!

Dave

 

 



Listen to your gut when weighing risk

Posted by Charles Ross - May 1, 2008 on 7:10 pm | In Mcafee Security | No Comments

Our brain is an amazing marvel that provides us the wisdom necessary to navigate the river of life.  Until recently though, research around how humans handle risks they encounter was spotty at best.  Understanding, and being able to influence, how we react to risks is key to making better decisions in life.

A recent study released in the Journal of Neuroscience found that the brain has two separate channels for predicting and evaluating errors from risks we take. This finding suggests people incorporate lessons learned from incorrectly measured risks in future decision making. Additionally, the brain appears to be using a complex quantitative risk assessment approach, which is far more sophisticated than earlier high/low classification systems that were originally proposed. Amazing that our brains can quantify risk, but measuring it in the InfoSec world is still a work in progress.

Another study in Psychology Today found that when we sleep our dreams provide a way for our brain to visually rehearse responses to threats in our world. For example, dreaming that you’re being chased by a ravenous bottlenose dolphin at a marine park is a way of practicing escape tactics. This effectively enables us to react to situations in our world without thinking.

This research suggests that taking risks is a complex process for people based on the experiences and stimuli they have been exposed to in their lives.  Not all people are equal when it comes to making rational risk decisions.  Some may be better than others based on their experiences.  The reality of course is that we entrust people with the power to respond to information security risks that face our IT environments.  Do we really know whether we have the most effective cerebral cortexes, neurons, synapses, etc. to protect our organizations?  Until neuroscience has some answers, you can either invest in a Siemens Trio 3T full-body MRI scanner as part of your security program, or realize that people vary considerably when it comes to effective risk taking.  Factoring this into your risk analysis process is critical.

 



In Las Vegas, Green Means More than Money

Posted by Douglas Sabo - April 14, 2008 on 8:53 pm | In Mcafee Security | No Comments

 

In Las Vegas, green isn’t just the color of money. It’s also an emerging trend in corporate events and conferences in the city.

As part of our ongoing corporate Green Program, McAfee last week announced the results  of our efforts to “green” (i.e., reduce the environmental impact of) one of our annual corporate gatherings. By taking a number of steps in travel, materials, catering and other areas, we were able to save energy, water, paper and other natural resources while also reducing our non-air travel carbon emissions by 16%. We also offset 100% of our remaining carbon emissions (1,865 metric tons, 90% of which was the result of air travel) through the purchase of offsets provided by Carbonfund.org in support of a reforestation project in Louisiana. For more specifics on the results, please see our announcement.

In working with all of our partners on this initiative, I wanted to share a few lessons learned for anyone else looking at greening their events:

1. Build Your Efforts in from the Start
By working with the corporate event planners and hotel teams early on, you can build strategies to green the event into the decision-making and procurement processes rather than try to green after most of the significant planning decisions have been made.

2. Look Throughout Your Event
There are a number of interesting ways to minimize your environmental impact throughout your event. Identify the major “buckets” (e.g., travel, guest rooms, meeting rooms, catering, production, materials, etc.), identify where the environmental impacts are and brainstorm ways to minimize the impact of each, remembering the mantra of “reduce, reuse, recycle.” Sometimes even small ideas can help make a difference, such as our decision at a dinner banquet to use the evening’s dessert as centerpieces in the place of cut flowers or other items.

3. Get Participants Engaged
Tell the story of your greening efforts to your participants and ask for their engagement in the program. Right from the first internal communication about our event, we included messages around our greening efforts. We also included tips for how participants can contribute in the main conference handout (printed double-sided on recycled content paper, of course). As a result of these efforts, we learned that 81% of participants were aware of our efforts to green the event, with a similar percentage reporting they took steps on their own to contribute.

4. Ask for Ideas and Feedback
Finally, some of the best ideas and feedback comes from your event participants. In the conference evaluation, we added a few questions to gauge response to our greening initiatives. From this, we have some great ideas for additional steps to take for our future events. We also learned that 87% of participants believe it is important for McAfee to continue making environmental commitments as a company.

Special thanks to our partners in this project: ICF International, MGM MIRAGE and Carbonfund.org.

 

 



The Internet isn’t a safe playground

Posted by Todd Gebhart - April 11, 2008 on 7:30 pm | In Mcafee Security | No Comments

Many of us here at McAfee are parents with children growing up online. Like you, we want to keep them protected, directing them to the safe neighborhoods of the Internet and helping them to avoid the dark alleys. We understand the challenges of talking to kids, tweens and teens about Internet Safety - everything from cyberbullying to avoiding risky online behavior that might compromise the family’s personal information.

To help you and your family stay safe while online, McAfee has just released a downloadable 10-step Internet Safety Plan eBook. The downloadable plan includes age-appropriate, easy-to-understand Internet safety guidelines for kids, tweens, teens, and “newbies.” These tips will be useful to parents, educators, community groups and other influencers who want to teach consumers about Internet safety.

Research informs us that teens and kids are known to engage in “risky” online behavior. For example, 80% of the young people who use the Internet in the U.S. play on-line games, according to research by eMarketer (September 2006). Savvy malware authors have taken notice and are creating password-stealing Trojans designed to rob young people of their identities. While 51 percent of teens have downloaded music, the search term “digital music” often leads to sites that can populate a computer with spyware, viruses and exploits without the user’s knowledge. In addition, 45 percent of young people said someone they’ve never met has asked them for personal information online.

The McAfee eBook explains how families can work together as a team to set boundaries and create a list of rules to follow. The eBook also includes a section on how to save chat session logs, block users and report intruders. It also provides recommendations for age-appropriate browsers and search engines, among other tips. Finally, an online pledge certificate is available for download to allow families to print, sign and display near the computer to reinforce the mutual obligations necessary for computer safety.

Remember, the more you know, the safer you will be. Check out McAfee’s Security Advice Center for easy-to-read computer and Internet security educational material at www.mcafee.com/advice.

 

 



Spammers face the music

Posted by David DeWalt - March 24, 2008 on 11:31 am | In Mcafee Security | No Comments

In a week which saw mass hack attacks and the head of the Serious Organised Crime Agency (Soca), Sharon Lemon, warn e-crime now plays a role in nearly every criminal investigation in the UK, I was pleased to see some good news in the global fight against cybercrime.

“Spam king” Robert Soloway is facing up to 26 years in prison after pleading guilty to mail fraud and tax evasion charges. Soloway spammed tens of millions of e-mail messages to advertise his fraudulent business Newport Internet Marketing corporation (NIM) Web sites, while constantly moving the site which was hosted on at least 50 different domains. He was once considered the eighth-largest spammer in the world.

Elsewhere the Federal Trade Commission charged online advertising company ValueClick with using deceptive e-mails to lure consumers to Web sites with promises of free laptops, iPods and gift cards. ValueClick Inc will pay a record $2.9m to settle the case - the largest settlement under the CAN-SPAM act, the anti-spamming legislation.

The message is clear - while there is no silver bullet to stop cybercrime and the bad guys are getting smarter, there are federal law enforcement agents who will investigate these labor intensive cases and there are federal prosecutors who will pursue cyber criminals aggressively.
 
I was also fascinated to read how cyberspace has become a focus in the government’s efforts to foil terrorist organizations. They are deploying Cold War techniques online to disrupt communication networks of militant organizations.
 
Cyberspying and online secret agents were a key global trend we’d seen emerge in our latest Virtual Criminology report. In the report, we revealed how there was now a growing threat to national security and that web espionage was becoming increasingly advanced from curiosity probes to well organized operations.

The conclusion? There is a darker side of cyberspace, and fighting it is a 24/7 global battle that is far from over.

 



Government and industry must unite to fight cybercrime

Posted by Carl Banzhof - March 14, 2008 on 7:55 pm | In Mcafee Security | No Comments

Highly trained cyberterrorist groups have already demonstrated the destructive outcome of planned attacks on public infrastructure, most notably in Estonia last year. 

The cyber threat to national security is a growing concern and something we highlighted in our annual Virtual Criminology report. Coordinated attacks on national infrastructure take place every day. This calls for an equally persistent, resourceful response from both government and private industry.  

This year’s Cyber Storm II, in which we are playing an active role, promises to be the nation’s most comprehensive cybersecurity exercise involving 18 Federal agencies, 9 states, 40 private-sector companies, and 4 international partners.

Exercises such as Cyber Storm keep government and private sector experts focused on the issue of national-scale cyberattacks, and engaged in developing new solutions and security initiatives that will elevate our preparedness when faced with the real thing.    

The big difference in this year’s exercise is a significant increase in attack complexity. This is something McAfee’s researchers have seen - cyber threats becoming more sophisticated and more localized. In order to coordinate a response to this new threat, government agencies and industry need to work closer together and build stronger relationships than ever before.

I’ve just finished the wrap up meeting in Washington and am on my way home. The findings of this week’s Cyber Storm II should make interesting reading when they are released later this year by the Department of Homeland Security.

 



More evidence of hackers for hire

Posted by David DeWalt - March 12, 2008 on 6:08 pm | In Mcafee Security | No Comments

Without question, cyberthreats have evolved significantly. The unfortunate reality is that no one is immune - individuals, businesses, even governments. That’s why CNN’s expose about a group of highly organized Chinese hackers didn’t shock me.

We’ve seen a considerable amount of emerging threats from organized groups of individuals like those profiled in the CNN piece. In our latest Virtual Criminology report, specialists from top institutions like NATO and the FBI concurred with us that there is now a growing cyberthreat to national security.

Web espionage and cyberattacks on government networks have become far more sophisticated in their nature, specifically designed to slip under the radar of security systems. These attacks and cyberspying have become increasingly advanced, moving from curiosity probes to well-funded and well organized operations out for financial, political and technical gain.

The troubling feedback from analysts we spoke to for our annual Virtual Criminology report was that many governments are still unaware of the threats facing them and are not doing enough to protect the high-value information. Last year’s attack on Estonia can only have served as a timely wakeup call.

While we are still a way off from efficient global cooperation on cyberenforcement, many governments are taking the cyberthreat very seriously. Case in point: several nations are collaborating with the US government this week in a series of cybersecurity exercises under the code name “Cyber Storm II”.

 



Early Threat Detection using Human Social Habits

Posted by Charles Ross - February 28, 2008 on 1:36 pm | In Mcafee Security | No Comments

Leave it to the Air Force Institute of Technology to develop technology that detects patterns in email/web usage that could offer leading indicators of insider security threats. 
 
The technology is called Probabilistic Latent Semantic Indexing (try saying that a couple times fast). It sifts through email and web traffic logs to identify trends in human behaviors that could ultimately lead to malfeasance.  For example, an employee who becomes distant with colleagues over email and increases communications with outsiders could be a sign of dissidence. If you’re keeping tabs on this topic, this is an extension of the research MIT is doing around “Reality Mining”.
 
Researchers will argue they are not concerned with the content of data, but rather data about data (i.e. deltas in creation time, volume, etc.) to draw conclusions. However, this seems a bit flawed to this security guy.

I’m all for finding new ways to find the bad guys especially if good data exists to prove a wrongdoing. But, making security predictions based on historical trends of human behavior seems a bit like guesswork at best. In my opinion, there is too much inherent variability in human behavior for even the savviest computer and slick algorithms to predict what comes next. If people were truly rational, security would be a heck of a lot easier.
 
When it comes to preventing insider threats, I believe a basic understanding of human psychology is far more effective than directing machine learning at the problem.  People with access to do bad things, combined with a motivating factor and the right opportunity pose a threat to organizations.  No arguments there. 
 
While it is difficult to control motives, we certainly can address the access and opportunity sides of the problem.  Limiting access, managing data and monitoring usage are critical components to any successful security program, but sadly these are often areas of most neglect.  We can’t solve humans, but we can institute pragmatic process and technology to limit them. 
 
Gotta run now and send some emails off…  I don’t want some fancy mainframes out there inferring that my lack of email (because I’m writing this blog) is a sign that I’m about to commit a crime.

 



Virtualization equals real security

Posted by Christopher Bolin - February 27, 2008 on 9:09 pm | In Mcafee Security | No Comments

Hotels in Cannes don’t just sell out for the Film Festival; all rooms are also booked for a big IT show this week: VMware’s first VMworld Europe.

Today I showed an audience of about 4,500 people at VMworld Europe how VMware and McAfee together will be able to protect virtual environments in ways beyond what is available to protect physical environments today.

Our customers are using more and more virtualization. We’ve devoted a lot of time and energy to provide the best protection possible, for both physical and virtualized environments.

Virtualization represents a disruptive change in how the world uses its computing devices. It has also expanded the possibilities for more comprehensive security for the virtualization platforms and the guest operating systems they host.

With the popularity of virtualization and the rush to reap its benefits, security must not become an afterthought. That is why I am excited about today’s big news: VMware VMsafe. With VMsafe, VMware is building adaptable security interfaces as a fundamental part of its products, allowing partners such as McAfee to offer innovative security solutions.

McAfee is the first security company to publicly demonstrate VMsafe. At VMworld we showed how, with VMsafe, we can block a malicious driver being executed in a virtual machine. We also showed that we can scan and clean offline VMs so they are up-to-date when they’re spun up.

We deliver real and meaningful security for virtualized environments today. Our security risk management solutions are fully compatible with VMware virtualization and help organizations create a safe computing environment, spanning virtualized servers, networks and desktops.

In the future, VMsafe could be used in a range of our products, further enhancing the protection. Just as VMware has provided a fundamental change to how computing resources are used, it will allow security technologies to protect virtual environments in ways beyond those possible for a single monolithic OS. VMsafe is the key to that promise.

Aside from our support for VMsafe, we also announced an OEM (original equipment manufacturer) agreement with VMware to use VMware ESX Server in future products. In addition, we announced beta availability of our new Email and Web Security Virtual Appliance, built from the ground up for the VMware platform, and unveiled a new virtual infrastructure security assessment service.

You can read more about how McAfee secures virtual environments in our news releases and on our virtualization Web site: http://www.mcafee.com/virtualization

Virtually yours,

Christopher

 



Experts confirm spam link to criminal conduct

Posted by David DeWalt - February 25, 2008 on 1:49 pm | In Mcafee Security | No Comments

In a recent speech before the Direct Marketing Association, Eileen Harrington, the Deputy Director of the Federal Trade Commission’s Bureau of Consumer Protection said that the most problematic spam now is tied to criminal conduct.
 
This statement really resonated with me and confirms what we’ve been seeing for a while now.  Spam is now much more than a nuisance that clogs up corporate networks; it is a key weapon used by cyber crooks to target unsuspecting consumers and this makes it a major threat to individuals and businesses alike.

When it comes to managing spam, the mantra has traditionally been just don’t click on it! But the problem now is that cyber crooks are getting smarter. The bad guys are employing sophisticated and more localized social engineering techniques, so many people simply don’t realize that the emails they are receiving are spam.

We’re seeing the “quality” of the content both in terms of language and presentation increasing and making it more difficult for unsuspecting users to tell whether it’s legitimate or not.  This is a trend our researchers identified in the latest global Sage report.

The bad guys may have gotten smarter, but so have the good guys, and we can beat them. Consumers need to be careful, and businesses need to take a holistic approach to their technology solution.

And while there is no silver bullet to stop cyber crime, I applaud the Federal Trade Commission for highlighting the issue of spam and the steps it is taking in the global fight against cyber crime.
 

 



Our best results in three years

Posted by David DeWalt - February 8, 2008 on 6:27 pm | In Mcafee Security | No Comments

Yesterday on our earnings call with investors we delivered our best sales results in more than three years and achieved our third consecutive quarter of accelerating growth. It’s been a busy year for McAfee - we completed our restatement and we’ve been working hard to transform the company. We had double-digit growth across all non-GAAP metrics and set records across the board. We are focused and energized, and our execution is only going to improve.

Here are the highlights:

* Record revenue of $357 million
* North America grew 11% year over year
* International grew 24% year over year
* Record deferred revenue of more than $1 billion
* Record non-GAAP net income of $75 million
* Record non-GAAP diluted earnings per share of $0.46

The security market continues to be a spending priority for our customers. Industry analysts have forecast security spending will increase at a rate of two to three times that of overall IT spending. We could not be more optimistic about the company and demand for our products.

And to top it off we completed our acquisition of ScanAlert, marking a significant step forward in our efforts to make the Internet safer for consumers everywhere. As I said when we first announced our intent to acquire ScanAlert, we plan to integrate the company’s trusted e-commerce service into our SiteAdvisor technology to protect consumers as they search, surf, and now shop.

ScanAlert audits and certifies the security of more than 100,000 Web sites, and its patent-pending technology protects more than 50 million e-commerce transactions each month. SiteAdvisor, which has been downloaded more than 100 million times around the world, uses a simple rating system (red, yellow and green) to warn users about risky Web sites that deliver malware, contain browser exploits, display aggressive pop-up ads, try to scam visitors, provide a poor online shopping experience, or send multiple spammy emails.

Together these stellar technologies will form the industry’s most powerful shield yet against cybercriminals.

Cheers,
Dave

 



Should Mac users worry about security?

Posted by George Heron - January 28, 2008 on 5:55 pm | In Mcafee Security | No Comments

I attended the Macworld 2008 Conference last week in San Francisco, and in retrospect several diametrically-opposing observations come to mind on the experience.

First, and foremost as a security professional, I was struck by how little concern there is in the Mac community for matters of information security and personal information protection. Everyone reading this blog knows there are fewer vulnerabilities and much less of a malware presence on OS X compared to Windows – but I thought at least some of the attendees I encountered would have some interest in the dangers lurking out there.

I presented on the security topic in the Developer area of the exhibit hall and got a respectable number of people in the audience; but I suspect they more sought the comfort of a soft chair rather than my pearls of wisdom regarding securing their MacBooks.

My main message was “Leopard is great and it’s an OS designed with many facets of good security in mind, and therefore I agree with much of the relaxed attitudes regarding use of additional safeguards.” In other words, the sky is certainly not falling.

My sub-message, however, was an overview of the bad stuff out there on the Internet, and how it’s just a matter of time before the professional malware writers target the OS X market as being ripe enough for harvesting credit card numbers and SSNs. In fact, one could argue that this has already begun but is just below the radar.

I pointed out that there is no one silver bullet to protect a user of any computer platform – be that a PC or a Mac. In fact, we employ techniques that go far beyond the conventional antivirus and firewall-blocking approaches for protecting personal information. Techniques such as safe surfing (SiteAdvisor), safe e-commerce (ScanAlert), and Data Leakage Prevention to help prevent sensitive data from inadvertently leaving the computer in the first place.

I found that my audience was indeed pretty interested in the various types of malware, how it operates, what its symptoms are, and what is done with their stolen information. So I guess the effort we made for a security presence in the expo area wasn’t in vain.

A disappointment I had was in missing out on the Steve Jobs keynote that opened the expo. I thought I’d try getting a seat in the front by getting to the Moscone by 6am; but even by then the line wrapped fully around the block … and these are big blocks! I later understood that people started lining up for entrance to the keynote at 10pm the night before. Oh well, at least later on I was able to fondle the newly-announced MacBook Air, which is a delightfully thin and light notebook computer. It runs the same OS X as the big brothers in the family, so it ultimately offers us security professionals some additional fertile ground.

All in all, the Mac platform is a great one for developers, users, consumers and enterprises alike. Unfortunately so too for the bad guys … but we’ll be there watching for them.

 



Are companies doing enough to avoid becoming the first true poster child for data loss?

Posted by Charles Ross - January 28, 2008 on 2:05 pm | In Mcafee Security | No Comments

Data loss is a burning issue that should be on the mind of every C-level executive and board member, if it isn’t already. According to a recent Ponemon Data Loss Study, the costs associated with data breaches rose 55% in 2007.

What is troubling is the scope and opportunity for such abuse and loss of data; even worse is the fact that the intentional, or malicious, attacks are the easiest to spot and manage, with the unintentional data losses caused by rogue emails and employee ignorance doing the most damage.

No matter how data loss occurs, it is a watershed moment for large organizations all over the world. And with increasing pressure to stay compliant, organizations need to start taking proper precautions to prevent the floodgates from bursting. Bottom line: you want to build a brand around trust and losing data weakens consumer confidence, which translates to lost business.

Awareness is an important first step, but it is not enough to forestall disaster. Every enterprise needs to make data loss preparedness a priority.

The following are some key things to think about before embarking on a data leakage protection initiative:
- While IT maintains the systems and networks that process and store data, they are not always aware of the criticality or value of that data. Business owners need to be active participants when it comes to data protection in order to provide business context around the data

- Data protection requirements will change over time, so technology solutions need to be flexible. Today you may choose to alert against certain data activities, but tomorrow you want to block or encrypt them. Encryption is a key consideration of any data leakage protection initiative and currently no one else is looking at this. This is extremely important when talking about lost laptops

- Data loss protection offers an excellent opportunity for IT and business units to work together toward a common set of objectives. However, it’s critical that all parties involved understand the scope of the effort, individual roles and responsibilities, and service delivery levels

By establishing data loss prevention policies, educating employees, and implementing technologies that automate and simplify enforcement and monitoring tasks, large organizations can prevent data breaches and focus on their business goals. It is only by taking responsibility that enterprises can maintain a global commerce environment that is flexible, collaborative and innovative. It is not too late, at least not yet.

 



Why Reinvent the Wheel?

Posted by Christopher Bolin - January 18, 2008 on 6:01 pm | In Mcafee Security | No Comments

Open source software provides an invaluable benefit to almost any software developer, including McAfee. In the future I expect the use of open source code by software makers to increase.

Why is open source code so important? Well, because a software developer can use open source code instead of spending time developing code that does the same job. Simply said, it doesn’t make sense to reinvent the wheel.

At McAfee we distribute and use open source code including Linux, OpenSSL and Apache, with our products. Linux has proven to be a very solid platform to deliver security appliances, OpenSSL has created some great tools to secure connections and Apache is so robust it prevents us from having to write a Web server every time we need that functionality. And these are just some of the examples.

Because of the availability of open source code we didn’t have to develop the functionality provided by the readily available code ourselves. Instead, we could focus on our core competency: delivering the world’s best security products.

Further, our customers use open source software as well. As a security vendor we cannot ignore that requirement. We have several products available that support Linux, OpenBSD and other well known platforms and projects.

Of course we know that while open source code is freely available, the use and modification of the code incurs some obligations. The requirements differ depending on the applicable license. We are very careful to meet these requirements, doing both legal and technical inspections. For example, if we make any changes to software licensed under the GPL, then we provide those changes with our distribution.

Recently we filed an annual report with the U.S. Securities and Exchange Commission. SEC rules require us to include a detailed list of potential risks we face in our business. Among these risks we also described potential risks associated with our use of open source software, as well as risks associated with our use of any other third party software, regardless of the license type.

Our mention of the open source risk could be misconstrued by people unfamiliar with such regulatory filings as suggesting that these risks are new, unique and dangerous or indicate a negative opinion of the value of open source. Nothing could be farther from the truth. In fact, this risk factor has been included in previous McAfee filings and is similar to open source risks described in current filings from other companies including Symantec, Oracle and many others.

The open source communities around the world continue to provide valuable solutions for many customer problems and for McAfee as well. We’re grateful for that and we have also been happy contributors to several open source projects for almost 10 years.


 



Can We Guarantee Legitimate Identities on an Anonymous Internet?

Posted by Andrew Berkuta - January 17, 2008 on 4:36 pm | In Mcafee Security | No Comments

Earlier this week, the Associated Press reported that MySpace has reached an agreement with more than 45 states to help prevent sexual predators from misusing the social networking site. This is a step in the right direction, but there’s more work to be done.

In its current form, the Internet is no place for an unsupervised child. A child’s innocence can quickly be lost - and never regained. To address this concern for children’s safety online, proposals for safer Internet security measures by way of authentication and verification methods for identities have been proposed by state governments in conjunction with various sites.

Social sites can do more to reach out to school districts. One step is to provide schools with special authentication based on the school’s enrollment. The advantage would be a safe harbor for children to socialize that would keep the majority of predators out. It would be the equivalent to the “drug free zone” you see when driving next to schools - but in this case, a “predator free zone” for the virtual school body. It’s a start, but children are worth protecting.

With a majority of states embracing embedded chips containing biometric information for additional authentication, does that mean that our driver’s licenses will soon include assigned pin numbers to help verify one’s identity? If so, we will achieve better verification; however, it will cause additional headaches and privacy issues, lawsuits against “big brother,” infrastructure costs to customers (to include verification technologies), and nothing substantial will be accomplished. Although I do not question the intent of the measures being enacted to protect users, I do question the method being used. How can one guarantee legitimate identity through an anonymous Internet? There have been many cases where identity was misrepresented – including from authorities (sting operations on sexual predators).

The fact is that the status quo must change. Predators must be stopped. Starting a “new and safe Internet” is too cost prohibitive to customers, and questions of who will patrol it and enforce rules are a subject of much debate. Commercial enterprises are stepping up – in part because of concern for the consumer, but also because of fear of litigation. These companies will incur development costs, and in the long run, the consumer pays for it.

 



A Malware Epidemic in 2007

Posted by Christopher Bolin - January 8, 2008 on 3:14 pm | In Mcafee Security | No Comments

If you read Jeff Green’s post on the Avert Labs blog yesterday, you saw that there was a staggering increase in the amount of malware last year, reaching almost “epidemic” proportions. By year’s end, there were 357,820 pieces of malware, up from 221,935 at the beginning of the year. That’s one driver written every four minutes.

What’s particularly scary about these numbers is virtually all of this malware is financially motivated. These aren’t just kids having fun. These are serious criminals going after your social security number, your credit card number and your bank routing number. The criminals have figured out that there’s real money to be made, and that attracts even more malware writers to the business. Their techniques are getting stealthier, and the lifespan of each piece of malware is getting shorter, meaning that there isn’t much time for people to catch on before the criminals move on to a new technique.

We expect these trends to continue in 2008 as cybercrime remains a lucrative business. It’s imperative for security vendors to recognize these trends and motivations in order to stay one step ahead. Only by analyzing these new forms of attacks can we find ways to stop them. Avert Labs is at the forefront of this research, and in 2008 we’ll use this research to find new ways to protect our customers from the spread of this malware epidemic.

 



Cooperation is the Only Way to Stop the Bad Guys

Posted by Christopher Bolin - January 3, 2008 on 2:59 pm | In Mcafee Security | No Comments

Our Avert Labs researchers announced a stunning prediction that the 2007 year-end malware virus count will reach more than 357,000 - a 60 percent increase over 2006. They also predict the cumulative total of 2008 to hit 550,000. When you look at these malware rates and compare them to the low rate of convictions for cyber criminals, it begs the question - is the security community doing enough to protect consumers?

Given this ongoing rise in global malware distribution, we need broad cooperation between security vendors, government and ISPs in order to stay ahead of the bad guys.

It’s going to take a coordinated global effort, including:

· Cooperation between Internet Service Providers: ISPs and domain registrars need to share information with security companies. In the end, it comes down to a question of privacy considerations versus criminal behavior - but if the ISPs see an unusual amount of activity, it should be flagged. One action that needs to be discussed is how security vendors can work with ICANN to best protect consumers’ identities and personal information.

· Greater involvement with law enforcement: The current legal mandates make catching and prosecuting criminals extremely difficult. Implementing standards and information sharing between departments at a federal level will be necessary to cut hackers off at a geo-political level. Although it’s not something that can be easily done, a coordinated effort and increased legislation is essential.

· Standards for domain registration: Similar to how PCI established a set of standards for the payment card industry, I believe we need standards for domain registrations, including background checks. Hackers are successful because they are able to change domains very quickly.

2008 is a complex time for both consumers and enterprises to protect themselves. If the security industry can’t come together and coordinate a plan, malware and financial losses will continue to reach unprecedented heights. I call on our industry leaders to cooperate and utilize a combination of technology and our legal system to ensure that the bad guys never win.

 



Gartner Recognizes McAfee’s Leadership in Endpoint Protection

Posted by Christopher Bolin - January 2, 2008 on 3:57 pm | In Mcafee Security | No Comments

In case you missed it, over the holidays we quietly announced a major validation of our technology strategy. For the third consecutive year, McAfee leads Gartner’s Magic Quadrant for Endpoint Protection Platforms. This is a great acknowledgement coming from one of the most respected firms in the industry. I am very excited about this and want to add a bit more color.

One of the secrets to our success is McAfee Avert Labs. Our team of researchers works around the clock compiling and analyzing the latest global threats - malware, spyware, adware, phishing and every other type of threat imaginable. Why is this important? In order to devise and execute a security plan, it’s vital to understand what you’re up against. Our goal is to protect the most valuable assets of your organization, and in order to effectively do that, we need to ensure we know how and what the bad guys are targeting. Armed with a broad range of data on emerging threats, our researchers are able to search the Internet for the latest variants of malware that have the ability to affect large amounts of users. McAfee has responded swiftly to develop solutions that protect users from these threats.

The final ingredient to building a core of solid leadership is having a vision and executing upon it. McAfee has refined its Security Risk Management strategy by integrating all products into ePolicy Orchestrator. In 2007, we broadened our vision with the addition of data loss prevention capabilities. In 2008, we’ll integrate full disk encryption from our SafeBoot acquisition, to bring to market the industry’s most comprehensive data protection solution.

While being ranked as a leader by Gartner gives us a sense of pride, we know the battle is ongoing and constantly changing. Our leadership team at McAfee is determined to remain vigilant in ensuring we are assembling the right technologies and people to provide superior protection. Let me know if your organization has benefited from McAfee’s endpoint protection.

 



A Look Back at 2007

Posted by David DeWalt - December 31, 2007 on 6:30 pm | In Mcafee Security | No Comments

It’s been a great year for McAfee, and I’m already looking forward to 2008. A couple weeks ago during our internal holiday celebrations I told our employees that if you gathered 1000 CEOs of technology companies in a room, you’d have a hard time finding one as proud as I am about the company I am privileged to lead. I’ve spent 22 years in technology and have never been at a place with such an inherently noble cause. We are 100 percent dedicated to protecting people around the world from the bad guys—and that is awesome. Every day I get to work with brilliant, motivated people who are truly passionate about their jobs, which is why McAfee is such a rare and special place to work.

As we say goodbye to 2007, I wanted to share with you just a few highlights of how McAfee has made a difference over the past year:

We made it safer to surf the Internet—especially for children. A specific example of this is our partnership with Texas Attorney General Greg Abbott, who used our software to identify, track down and put 95 child predators in jail. A couple months ago I had the honor of presenting Mr. Abbott with the inaugural McAfee Cyber Crime Fighter Award, and as the father of three daughters, that moment was one of the most fulfilling of my career.

We protected more than 100 million customers around the world from viruses, malware, Trojans and all sorts of bad things that bad guys use to steal valuable information from individuals and organizations—from Social Security numbers to home addresses to online banking passwords. The bad guys are smart, but we are smarter.

After years of intensive research and development we launched ePolicy Orchestrator 4.0, which allows enterprises to centrally manage not only McAfee products but our competitors’ products, all in one place. The platform is essentially a “manager of managers” for network, systems, data and compliance security optimization and allows you to understand what is happening across your entire security ecosystem at a glance. No one in the industry comes close to offering anything like it—not by a mile.

We introduced our consumer 2008 security suites, featuring the industry’s first “Triple Play” of PC, Web and mobile protection. The latest suite is easier to use than ever, runs faster and lighter, and is always current with continuous, automatic updating. We also acquired SafeBoot, whose innovative encryption technology protects data on mobile devices, and ScanAlert, the world’s leading provider of ecommerce security services.

We pushed—and will keep pushing—for Congress to toughen laws on cyber crime, and we are being recognized more and more for our commitment to leading the global fight against this malicious industry. We are a founding partner of the National Cyber Security Alliance, and in 2008 we pledge to do more to educate our politicians about this extremely important issue. The Cyber Security Enablement Act is on the Senate floor right now, and we need to get this important legislation passed.

We helped our communities. Our generous employees around the world donated their time and money to important causes such as Project HELP in Silicon Valley, Cystic Fibrosis in Plano, CRY India in Bangalore, the COPE Foundation in Cork, Ireland, and the Prince’s Trust in the U.K. Many have also come to me and asked about or offered suggestions for McAfee’s environmental or “green” initiatives. We’re looking forward to getting all of our employees involved as we roll out McAfee’s Green Strategy in January and beyond to help make sure our children and grandchildren inherit from us an environment of clean water and healthy air.

Happy holidays, and here’s to a safe 2008.

Cheers,
Dave

 



Is Unified Threat Management Possible?

Posted by Daniel Molina - December 27, 2007 on 3:10 pm | In Mcafee Security | No Comments

In the article “Security Vendors Revamp Desktop Suites,” Andrew Conry-Murray presents a very interesting challenge. He states that the “ideal goal” of a unified threat management framework is “impossible.”

I would like to present an alternative view to Mr. Conry-Murray’s as presented in his article. I propose that helping clients proceed along a defined Capabilities Maturity Model, such as the SSE-CMM, is not only a noble cause, but a desirable one. Each cycle towards maturity brings along not only improved security, but better data protection and operational efficiency. Such is the case with integration between individual products to yield a working solution.

As the security market has matured, we have seen a call for integrated suites, which is reflected in how the major analysts are now grading us. It is no longer merely an AV Magic Quadrant, or Wave, but rather an Endpoint Security or Desktop Suite that is being assessed as an integrated solution. The truth is that, properly configured and managed, the sum is greater than the individual parts that compose a suite. It is not mere bundling anymore. It is integration at the code level, with months of engineering cycles to achieve it, not just marketing hype.

When critical pain points are identified, the build vs. buy decision that McAfee makes mirrors that of our customers. The identification of data loss prevention and mobile security fueled the acquisitions of Onigma in October 2006 and SafeBoot in October of 2007. These acquisitions will create a new business unit that will focus efforts on meeting customer needs on this under-served market. Through actions and proper organization, we are working hard to protect what you value.

 



The Heart of McAfee

Posted by Douglas Sabo - December 26, 2007 on 5:21 pm | In Mcafee Security | No Comments

In the midst of the holiday season and heading toward a new year, as many focus on giving back to others in need, I’d like to share a few examples of how our employees are making a difference in their local communities.

Across the United States, McAfee employees took part in our November “Virtual Food Drive.” For every dollar donated to a food bank, they can use that dollar to purchase up to $25 in equivalent food purchases (through bulk and wholesale purchasing). Through the Virtual Food Drive, our employees contributed the food donation equivalence of up to $143,750 to local food banks in North Texas, Silicon Valley, Beaverton, Oregon, Orange County, California and New York City.


In Silicon Valley, our employees took part in several community initiatives recently, including participation in the annual Family Giving Tree toy drive, an effort that delivers approximately 75,000 gifts to children in need in the Bay Area. This involved both toy donations and employee team volunteering at the Family Giving Tree warehouse. Our holiday party even included a children’s book drive, through which our employees donated several boxes overflowing with books for children in San Francisco public schools, through the San Francisco School Volunteers program.

In Texas, our employees have been busy in the local community. In November, they supplemented our Virtual Food Drive by participating in a traditional food drive to collect food donations and gift cards to benefit Samaritan Inn, Collin County’s only homeless shelter. In December, our Plano team took part in a holiday toy drive, which collected 238 toy donations to benefit WFAA’s Santa’s Helpers. The organization collects toys for children throughout the Dallas/Fort Worth counties of Dallas, Tarrant, Collin and Denton.


Several other offices in the U.S. and Canada also have given back to their local communities this season. In the Pacific Northwest, our employees in Beaverton, Oregon participated in the Family Giving Tree online toy drive to benefit the Bradley-Angle House, Portland Public Schools Head Start, Goose Hollow Family Shelter and Trillium Family Services. Our Miami, Florida employees donated boxes and bags of toys and gifts to benefit Toys for Tots of Miami. Finally, the employee team in Waterloo, Canada participated in a Holiday Food Drive to benefit the Food Bank of Waterloo Region, an organization serving the 47,000 people living below the poverty line.

We always talk about how our employees are the brains and the heart of McAfee. I’m sure you can see why.


Best wishes from McAfee for a Happy New Year!

 



Closing the Corporate Citizenship Gap

Posted by Douglas Sabo - December 19, 2007 on 7:57 pm | In Mcafee Security | No Comments

Since May, I have enjoyed the opportunity to share McAfee’s overall approach to corporate responsibility and offer specific examples of our own initiatives. Every now and again, it’s important to step back and look at the bigger picture of societal issues and how our commitments compare to those of other companies.

Yesterday, I had the privilege of taking part in a webcast to promote the release of the State of Corporate Citizenship 2007 study. The biennial study, conducted by the Center for Corporate Citizenship at Boston College and funded by the Hitachi Foundation, surveyed a cross-section of U.S. executives on a range of issues related to the role of business in society.

The overall theme of this year’s study was a gap between rhetoric (what companies say about their commitments to corporate responsibility) and reality. For example, 73 percent of executives believe that corporate responsibility needs to be a business priority, but only 39 percent say it’s part of their business planning. Sixty-five percent of executives say that the public has the right to expect good corporate citizenship, but only 29 percent say their companies are discussing corporate citizenship outside the company.

Another interesting theme that emerged was that of the changing social contract in the United States. In recent years, we have seen U.S. businesses increasingly involved in helping meet societal needs around health care, education, poverty reduction, disaster relief and affordable housing - areas typically assigned to the role of government. Even among corporate responsibility professionals, a view is emerging that the scale may have tipped too far toward businesses being responsible for addressing these needs. To quote one of my fellow speakers yesterday, “perhaps it is time for business to step up and be advocates for more effective government again.”

In this age of transparency and communication with stakeholders, the study’s organizers have turned to social media to continue the discussion. They have created the Corporate Citizen 07 blog (full disclosure: I am a featured contributor). On this blog, everyone is invited to continue the dialogue on many of the topics highlighted by the study’s results.

What role do companies have in addressing the changing social contract? How should companies address the gaps between company rhetoric and reality on corporate citizenship? How can companies use values-centered leadership and employee engagement to drive their initiatives?

Have some thoughts? Bookmark the McAfee Security Insights blog then head over to www.corporatecitizen07.com to join the discussion.

 



New & Improved: ePO 4.0 a “Must Have” for Integrated Security

Posted by Christopher Bolin - December 17, 2007 on 4:41 pm | In Mcafee Security | No Comments

It’s been three months since we began shipping ePolicy Orchestrator 4.0, and I’m proud to report that we’re hearing great customer success stories. Enterprises are telling us that version ePO 4.0 is a clean, ready-to-ship software package with excellent overall performance. According to one large enterprise customer, ePO is now considered to be in “better shape than several packages released from other companies lately.” We are also receiving positive reviews of our new Web interface and user-friendly layout.

Compiling reports from disparate security consoles used to take so much time that IT staff could wander off, fix themselves a pot of coffee, and come back to see if the report was done. But because ePO 4.0 provides instant visibility, actionable reports and automation, one customer recently said, “I can’t justify the coffee breaks anymore.”

ePO 4.0 was designed with significant input from our customers - we called on more than 200 customers worldwide in some industries critical to the global economy, including: finance, retail, pharmaceutical, airlines, semiconductor manufacturing and defense. Our customers told us that they needed to answer three fundamental questions: Am I secure? Am I compliant? Am I at risk? They told us they needed integrated, flexible security solutions to protect against malicious code and viral content. They told us they wanted a Web-based user interface, actionable reporting and role-based access controls. We listened. Many of these companies actually helped us build it: signing off on design goals, testing and even telling us when they thought we were ready to ship.

The result? Nearly 90 percent of our ePO customers have rated ePO 4.0 as either “good or excellent.” Customers have clearly validated the fact that we are listening to how we can best protect what they value, and their response is: “It is awesome, you must have been watching me” or “hearing my pain.”

Recently, a large multinational pharmaceutical firm, with 130,000 nodes, was upgraded in two hours — without a hitch. A 75,000 node customer reported a similar story, and I’m aware of at least one competitive displacement rolling out this month. ePO 4.0 is rapidly becoming a “must have” for large organizations.

ePO 4.0 has proven its ability to help customers save money, and they are seeing measurable operational savings. We will continue to place a high value on customer feedback as we develop our products in 2008.

 



Security Learns from Eastern Manufacturing Philosophy

Posted by Brian Kenyon - December 11, 2007 on 4:59 pm | In Mcafee Security | No Comments

Leading companies are borrowing a page from Eastern philosophy to achieve “intelligent security” – moving from point product solutions into a secure, optimized state.

Security practitioners have been struggling with too many tools, consoles and reports to be effective. To truly be successful as a security practice, you must have maturity with regard to policies, processes and protection. For years, the goal of security providers has been to provide layered security for their customers. This is the concept of breaking down each vulnerability and threat, and mitigating it at every layer.

“Suriawase” has been successfully used by Toyota, among others. The rise of Toyota has been well documented, and provides many valuable lessons to businesses around the globe. As we apply this philosophy to security we will end up with better protection, more efficient and effective processes and timely and manageable reports that integrate across multiple products and functional areas. The end result? A cost effective, scalable, and finely-tuned security operation.

Toyota has constantly improved the quality of its output and matured its manufacturing process. University of Tokyo economics professor Fujimoto Takahiro asserts that “Suriawase” is the reason for their success. Suriawase has many definitions, but most aptly means integrating numerous parts into a single, finely-tuned product. Suriawase entails putting the numerous pieces together and selecting components that maximize the performance and quality. It helps focus collaboration across disparate divisions and departments that are critical to the success of the process or product.

As we look to the future, IT requires an integrated model where the layers are intelligent and leverage each other to provide an optimized state of security. Suriawase will help us get there.

 



Internet2: A New, Secure (and regulated) Internet?

Posted by Carl Banzhof - December 7, 2007 on 4:31 pm | In Mcafee Security | No Comments

As our research continues to demonstrate, the Internet is the primary tool used by cyber criminals to distribute malware on a global scale. This begs the question: is it time for the Internet to be regulated?

Larry Seltzer at eWeek recently analyzed this issue and discussed some of the difficulties in imposing governance of the Internet – e.g., there is no governing body forcing organizations to make those changes. Instead, many of the core services of the Internet (DNS, IP protocols, etc.) rely upon committees and consensus-building to make decisions.

One of the valuable lessons we can draw from the eWeek article is that it’s more important than ever to establish a practice of security risk management. Business and government entities rely on established security practices to ensure critical infrastructure can continue to operate even amidst security attacks. They have taken appropriate steps to evaluate the risk of those systems being exploited and decided that protecting them is more cost effective than redesigning them to eliminate security issues.

So what would it take to redesign a new, secure Internet? The likely answer is that it would require billions of dollars, decades and likely business process change. This redesign is underway in the form of “Internet2,” which will focus on the integration of security, high performance networking, and advanced applications over a publicly available network “Internet.” “Advisory councils” composed of representatives from academia, research and industry are being formed to guide each of these key focus areas. Individuals I have spoken with who are currently connected to this network continue to see the same issues that occur on the Internet at large, DoS (Denial of Service) attacks etc., although at a much lower rate, and they believe the governing structures put in place on this network have significantly impacted security for the common good.

New technologies are popping up on the Internet at an alarming rate. Social networking sites such as Facebook offer the ability to extend or build applications on top of those highly trafficked properties. This instant availability of software development and distribution evokes a completely new breed of commerce, developers and attackers. In turn, security vendors will continue to deliver technologies that provide protection for these services.

 



Bad Guys Beware

Posted by David DeWalt - December 4, 2007 on 4:44 pm | In Mcafee Security | Comments Off

If you live in the San Francisco Bay Area or around Dallas, you may have noticed some new McAfee billboards on your way to work. We recently launched a regional advertising campaign, and the billboards are generating a bit of buzz for their boldness. We are doing this, in part, to remind the public that there are bad guys out there who are always looking for ways to get at confidential information—especially in the thick of the holiday shopping season. The billboards reinforce the fact that McAfee is the leading company working to protect consumers and businesses from hackers.


The response I’ve heard from employees and customers has been overwhelmingly positive, so watch for more in 2008 as we reach out to a broader audience with this campaign. And bad guys, beware. You may be smart, but we are smarter.

 


