Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Interview with Dave Marcus, Director of Security Research and Communications, McAfee Labs

Interview with Dave Marcus, Director of Security Research and Communications, McAfee Labs

SecurityWeek Exclusive

McAfee - Dave Marcus Interview

Interview with Dave Marcus, Director of Security Research and Communications, McAfee Labs

SecurityWeek Exclusive

McAfee - Dave Marcus Interview

Giant security vendor McAfee this week issued a “call to arms” to the IT security industry with the publication of a report that advocates a more proactive approach to security in a number of areas, many related to the sharing of data. We interviewed Dave Marcus, Director of Security Research and Communications at McAfee Laboratories, to get more detail.

SecurityWeek: You have advocated more cooperation in the war against malware. But the “good guys” – like McAfee – are in competition with one another, and that includes having the best information about potential attacks. Isn’t this a formidable barrier to sharing?

Dave Marcus McAfee

Dave Marcus: We share samples with our major competitors on a daily basis, and we have done that from day one. How we detect the threats is proprietary, but we need to share as much about the threats themselves as possible, and that doesn’t really affect our ability to be competitive.

SW: What other types of sharing are not taking place… and why?

DM: There are two types of data to be shared. There’s the threat itself, the actual binary. That’s what has traditionally been shared. What we want to see more of is information about the threat. How was the threat collected? What IP address was it distributed from? Who does it look like it was created by? When was it detected? By sharing more of that type of information, we get to profile who wrote it. and potentially arrest them and take them down.

SW: What gets in the way of this other type of sharing? Is there reluctance or pushback?

DM: I don’t think so. A lot of people simply haven’t engaged in the discussion yet. As an industry, we’ve never stepped back and asked, “Are we sharing the right type of data? Are we actually empowering law enforcement and giving them what they need?” Promoting those conversations is what will really push us forward. And we have to build some kind of forensic collection into detection.

SW: Could you describe McAfee’s position on responsible disclosure vs. full disclosure?

DM: This is a question that just never goes away. We have always advocated ethical disclosure right from the beginning. Our position is, don’t put users in danger, and to achieve that, you work with the vendor. But [as a vendor], if you’re not seen as being responsive, the security researchers who discovered the vulnerability are going to release it quick., because they think you’re shooting around them or not being responsible or aren’t going to give them credit. The other side is, when you’re a vendor, and we are, you have a process to get patches actually published and that takes time. When you rush patching, you get bad patches.

SW: You state that ICANN has done some good things, like revoking EstDomains’ accreditation and eliminating “domain tasting.” What else should ICANN be doing that it’s not doing today?

DM: Part of the problem we ran into in taking down some of the ISPs and really bad players was the amount of time it took ICANN to actually respond. It wasn’t until Brian Krebs, a former reporter for the Washing Post, put a lot of pieces together and started hammering them publicly that they took the call to action and did something. What they have to do is a lot of the things they finally did, but in a quicker period of time.

SW: What exactly do you mean by proactive law enforcement? Could you provide a couple of specific examples of what’s not taking place right now?

DM: One of the biggest things institutionally – and this is from the security industry’s perspective – is that the bad guys don’t have anything to worry about right now. The number of times you’ve seen a cybercriminal arrested, let alone prosecuted, you can almost count on one hand.

SW: So you want headlines and video showing cops actually arresting cyber criminals.

DM: When I say “cops” I’m using that in a very general sense. It may be Federal. If the bad guys are global, and we’re going to combat them correctly, law enforcement ultimately has to be global, and there needs to be a process to share information across borders.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.