Just over a year after chipmaker Intel announced its intention to acquire security software vendor McAfee in August 2010, the companies unveiled the first fruits of their partnership.
DeepSAFE, launched by Intel at its developer forum in September 2011, is described as a “hardware-based, zero-day malware defence” platform. It works outside the operating system, analysing hardware behaviour for signs of malware infection.
“DeepSAFE looks at the hardware to detect forms of program behaviour that are associated with malware,” explains Intel’s chief technology officer, Justin Rattner. “You can count the behaviours that are the tell-tale signatures of these attacks on one hand.”
This is particularly effective in combating so-called rootkit attacks, Rattner says, which also execute outside the operating system in order to circumvent antivirus software. According to McAfee’s latest threat report, the number of rootkit infections discovered in the first half of 2011 was up 32% year-on-year.
“Rootkit attacks typically turn off malware defences to avoid detection, so you have to be below the operating system,” he explains.
“You even have to be below the virtual machine monitors, because all of those can be compromised and corrupted. This leads inextricably to the conclusion that you have to do this in hardware.”
According to Rattner, DeepSAFE is a “truly revolutionary technology, and I don’t use the word ‘revolutionary’ very often. With DeepSAFE, we can stop the most insidious forms of attack, having never seen them before.”
While broadly supportive of the potential of the technology, Wendy Nather, a security analyst from the 451 Group and former IT security director at UBS, has yet to be convinced of its revolutionary nature.
“Intel has had the security modules that DeepSAFE is based on in their chipset for a long time,” she explains. “But most vendors have never taken advantage of them, because it requires development that they thought there was no market for, or at least very little market.”
A second concern is that, should DeepSAFE require any updates, they will be much more disruptive than today’s security software patches, she says. “Generally, the further you go down in the layers of the hardware, the more disruptive it is to perform an update,” she explains. “It’s like changing the foundations of a building from underneath it.”
The first McAfee product based on DeepSAFE is Deep Defender, an endpoint security system designed to “detect, block and remediate advanced, hidden attacks”. It is due to be commercially available in the first quarter of next year.
But if DeepSAFE really is going to be revolutionary, it may not be in the desktop PC malware-protection arena, says Nather. “If they are just taking things that McAfee does today and moving them into the chipset, it doesn’t sound that exciting.”
The real benefit of chip-level security may occur in embedded systems, she says. “Embedded systems are being used everywhere from smart meters to cell phones, and there is a lot of money being invested in trying to secure them,” she says. “People have been working on this for quite some time, but from the outside in. As a chipmaker, Intel clearly intends to start attacking this from the inside out.”
The McAfee acquisition, therefore, can be seen as yet another bid by Intel to improve its position in the hotly contested smartphone chip market.
Nather adds that it may also strengthen Intel’s position in the critical infrastructure market. Since the emergence of the Stuxnet worm, which attacked the control systems of Iranian nuclear power plants, security concerns in this market have hit fever pitch. However, the software these systems run is unfamiliar to most conventional security companies.
She is certainly not of the view that Intel’s McAfee acquisition was merely a market share buy. “They are definitely following through on their promise to do new work in the security area that incorporates their chipset-level modules,” she says.
But Intel and McAfee have yet to demonstrate that the acquisition will lead to more than the sum of its parts. “I’ll be looking for them to bring out something that is substantially different in terms of security architecture,” she says.