Focus 2011: McAfee sees advanced-persistent threats changing network security priorities

McAfee has laid the groundwork for a shift in network security that the company feels is necessary for dealing with targeted attacks.

Greg Brown, McAfee vice president of network security product marketing, said that blocking targeted attacks and other emerging threats will require a new approach to firewalls and intrusion prevention systems (IPS.)

"What we are seeing is an evolution in the needs of network security, we think of this as a fundamental change," Brown said.

"It used to be someone would launch an attack on everyone, like Conficker, but increasingly we are seeing attacks with targets of just one company."

Brown noted that recent high-profile attacks such as ShadyRAT have been specifically crafted for individual targets using tools to harvest specific pieces of information without user detection. In such cases, Brown suggested administrators would prefer to isolate and examine the behaviour of the malware rather than immediately block activity.

"The issue that comes up is you never understand the root cause and you are never able to fully eliminate the attack within your infrastructure," Brown explained.

Rather than try to stop an attacker after it has entered the network, McAfee is looking to develop a system that allows administrators to limit the damage an infection can cause and then analyse the network to see which systems are infected and where the command and control centre for an attack is running.

To accomplish this, McAfee recommends customers use a combination of its network security whitelisting, heuristics, IPS, Global Threat Intelligence network and third-party protections along with its ePolicy Orchestrator platform.

In doing so, Brown suggests firms can better prepare themselves to deal with targeted attacks.

"When you are the only one being attacked, no one has seen that code," he said, "but we can provide a best guess."