Seems like McAfee is making a run to become the security industry's "Minitru" [1]. This is not the first time a company wishes to do so and it will not be the last.
Who will come out standing remains to be seen, as there is also Computer Associates and a variety of other bridge salesmen in this arena.
Someone at McAfee did, however, impress me with her comments. She is the CTO, Phyllis Schneck, someone who is likely in the know when it comes to pie charts and a variety of other data correlations and statistics that ultimately mean nothing.
According to McAfee's website [2]: "Dr. Schneck, who testified before the Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies, outlined some policy recommendations to improve public/private sector information sharing that is essential to provide the government with the capabilities it needs to respond to the cyber threat."
No offense intended with the pie-chart jab, Dr. Schneck (if you stumble upon this); the reality is that the data, you see, can be a figment of an attacker's creativity. This was discussed in depth in "Art of Cyberwarfare - Analysis Fail" [3]. Nevertheless, for those looking to waste time searching for needles in the haystack, feel free to do so.
Regardless of my view of the security landscape, I do believe that there is a vast and increasing need to share information between companies that are under a cyber attack or that have already been compromised; however, I doubt this could ever happen.
For example, the recent notification of compromise coming out of RSA is alarming and enigmatic. We have RSA stating: "We were compromised; intellectual property concerning key fobs was stolen. Nothing taken so far will affect those key fobs." Define "so far"? And why did it take them a week to stop this attack (as they stated)? I smell a pattern of deception here.
Companies do not want to publicly admit they were compromised. Financially it is not beneficial for them to report a compromise. Although I cannot point to accurate statistics concerning that statement (the benefits/downsides of reporting), I am basing this on experience.
Besides, I am nothing more than a security engineer slash hacker monkey creating, developing, deploying, exploiting and researching security-based services, not a statistician. I can infer "financial downsides" as being the TOP reason that companies are not willing to disclose information concerning a compromise.
After all, would you want to continue putting your hard-earned money in a bank which was just "hacked?"
Following good media-whoring security industry practices, I will label this the "Compromise Dilemma." According to Wikipedia's definition, a dilemma is a problem offering at least two possibilities, neither of which is practically acceptable. During a compromise there is the dilemma of reporting the incident:
1) "If we report it, investor confidence will be shaken. We stand to lose millions."
2) "Under certain regulatory guidelines, we have to report this. We stand to lose millions."
Offering a third option under controlled circumstances yields a more positive future outcome.
3) "Working with other companies in identifying how I was compromised would enable them to defend themselves. The more companies that report this, the more information can be shared and the less risk we would collectively have."
For all the hype surrounding all of these "sophisticated" attacks, not an iota of the compromise information has come to light in either academia or public circles. Private circles are an altogether different arena.
So here lies an issue I have: "What constitutes sophistication?" Imagine for a moment that I state that I was compromised by a "recurring complex attack"; would you look at me strangely as a security professional? How about if I said: "the attack was advanced and it was persistent?"
I theorize that the reason for the misuse and abuse of the APT acronym is that companies simply want to save face: "We cannot disclose we were had. For crying out loud, we are the first line of defense!!!"
What is being overlooked however, is that you (the company) were already compromised. Game over. Whether a company forgot to change a default password or whether someone used 200 PS3s [4] to do the job, the fact is, someone walked in where they were not supposed to.
How did they do it? Where did they come from? What did you notice in your analysis? In reporting this type of information, companies not only allow other companies to defend themselves, but there is a likelihood that many security researchers could chime in, OSINT style, and offer clues, theories and so on.
Another set of eyes never hurts, and data can be zeroized to prevent further security calamity, so notions of "proprietary" and other clever verbiage can take a backseat.
Companies do not need to waste time looking backwards; historical research is for academia, and intelligence analysts need forward-looking data to work with. Where and when this collaboration will come to light should be the big question here.
Ultimately, the only reality behind any "advanced persistent threat" is in the wording. ALL attacks can be considered advanced once a compromise has taken place. Obviously the attackers were more advanced than the security professionals and technologies a company had in place.
Persistent is rather irrelevant, since I would bet the shirt off my back in stating: "Companies online will always be attacked." Finally, there will always be threats. Why the need for useless terminology other than to scare up pictures of a "cyber-boogeyman"?
While I was impressed by some of Dr. Schneck's statements, I was not surprised to see the usual finger pointing at the boogeyman. Rather, the cyber-boogeyman, to be cyber-politically correct. "She spoke about McAfee Global Threat Intelligence, which offers the most comprehensive threat intelligence in the industry, and how it was used to detect and remediate both the Operation Aurora and Night Dragon cyber attacks."
Really? That simple? And the answer was in front of us all this time. Purchase and deploy McAfee's HBSS (HIPS), which will then alert when someone compromises your machines, and all would be fine.
Sounds like the same old security "détritus" being pitched for the better part of a decade (Intrusion Prevention/Detection/Tolerance). I wish McAfee and other companies got a clue outside of pie-charts though.
Reality check: hackers slash tinkerers have been bypassing those HIPS all along, for the better part of 13 years at least. It's only because they are advanced and persistent like that, though. Or should I say, they have a keen ability to create "Recurring Complex Attacks."
Honestly speaking, though, if companies created a consortium of security pros to disseminate real-time attack data (remember, as I said above, under controlled circumstances), the industry would be better off.
No one wants to report a compromise, and there is little reason why this data cannot be shared other than companies wanting to save face (PR). Most data can be zeroized/regex'd to prevent identification of who was compromised and what was stolen.
Otherwise, we can continue to fork out millions of dollars to security companies promising the latest uber-protection tool, which will only be bypassed by a Recurring Complex Attacker.
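One way to do the zeroizing/regex'ing described above, as an added example that is not the author's code: a small sanitizer that replaces the victim's internal hosts, addresses, users and file paths with stable tokens (so records still correlate with each other) while leaving external addresses intact, since those are the indicators other defenders actually need. The sample records, their key=value layout, the victim domain example.com and the 10.0.0.0/8 internal range are all constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample records in a key=value style (not from any real incident).
SAMPLE_LINES = [
    "2011-03-21 03:14:07 host=fs01.corp.example.com src=10.20.30.41 user=j.doe@example.com action=login",
    "2011-03-21 03:14:09 host=fs01.corp.example.com dst=198.51.100.77 bytes=48213019 file=/share/finance/q1.xlsx",
    "2011-03-21 03:15:02 host=ws-117.corp.example.com src=10.20.30.41 user=j.doe@example.com action=smb_copy",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
FILE_RE = re.compile(r"(?<=file=)\S+")          # assumes a 'file=' field


class Sanitizer:
    """Swap victim-identifying values for stable tokens (USER-1, HOST-2, ...).
    The token map stays with the victim, so follow-up questions can still be answered."""

    def __init__(self, victim_domains, internal_nets):
        doms = "|".join(re.escape(d) for d in victim_domains)
        self.host_re = re.compile(r"\b(?:[\w-]+\.)+(?:%s)\b" % doms, re.IGNORECASE)
        self.victim_domains = tuple(d.lower() for d in victim_domains)
        self.internal_nets = [ip_network(n) for n in internal_nets]
        self.tables = {"USER": {}, "HOST": {}, "IP": {}, "FILE": {}}

    def _token(self, kind, value):
        table = self.tables[kind]
        if value not in table:
            table[value] = "%s-%d" % (kind, len(table) + 1)
        return table[value]

    def _ip(self, m):
        try:
            addr = ip_address(m.group(0))
        except ValueError:
            return m.group(0)
        # Internal addresses identify the victim; external ones are kept verbatim.
        if any(addr in net for net in self.internal_nets):
            return self._token("IP", str(addr))
        return m.group(0)

    def _email(self, m):
        if m.group(0).lower().rsplit("@", 1)[1] in self.victim_domains:
            return self._token("USER", m.group(0).lower())
        return m.group(0)

    def sanitize(self, line):
        line = EMAIL_RE.sub(self._email, line)       # users before hosts
        line = self.host_re.sub(lambda m: self._token("HOST", m.group(0).lower()), line)
        line = IPV4_RE.sub(self._ip, line)
        return FILE_RE.sub(lambda m: self._token("FILE", m.group(0)), line)


def sanitize_all(lines, victim_domains=("example.com",), internal_nets=("10.0.0.0/8",)):
    s = Sanitizer(victim_domains, internal_nets)
    return [s.sanitize(line) for line in lines]
```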
[1] http://en.wikipedia.org/wiki/Ministry_of_Truth
[2] http://www.zdnet.com/blog/security/ssl-broken-hackers-create-rogue-ca-certificate-using-md5-collisions/2339
[3] http://www.infiltrated.net/index.php?option=com_content&view=article&id=22&Itemid=28
[4] http://investor.mcafee.com/releasedetail.cfm?ReleaseID=558559