FireEye - Ninja of Incident Response

When a bank is attacked by armed robbers intent on stealing money, public sympathy is with the bank. When the same robbers return over the Internet to steal the bank's customer information, public sentiment turns against the bank. Similarly, network security companies providing DDoS protection or encryption services to corporate sites are deemed good, but when their services are employed to protect contentious sites, they are deemed a menace.

Security posture must be accompanied by ready-laid plans for disaster recovery and for re-establishing customer trust.

Despite spending some $30bn annually on Incident Response (IR), every major corporation and government institution worldwide has been hit by severe and successful hacker attacks stealing money, customer information, intellectual property, strategic data and so on. Companies incur significant financial losses (estimated this year by one analyst firm to be around 1.6% of annual revenues), along with dents in customer trust and lost competitive edge. Only one-third of these breaches are discovered by the victimised company itself, and perpetrators have on average been inside the victim organisation for more than 6 months before discovery.

This is the market that FireEye addresses: rapid discovery and prevention of attacks, and efficient cleansing of corporate sites once an attack has been discovered. FireEye emphasises that IR is not just about discovering and preventing attacks; it is also about preparing a company to handle breaches and thus minimising the damage in the aftermath of a successful attack.

**FireEye – An American in Europe**

At its first European analyst briefing event in London, FireEye's EMEA management team and key technologists provided an in-depth view into the murky underworld of Internet crime, and the tools and procedures FireEye uses to protect its 3500 customers worldwide.

It was one of those presentations where you are not provided with a copy of the slides and analysts are reminded repeatedly not to mention company names or customer details. FireEye is today a red-hot Internet security company entrusted with IR security management in thousands of global corporates and scores of national governments. The company is today loaded with cash, talent, products and services underpinning its 400% growth curve from 2012-15. The hockey stick really took off after the company acquired Mandiant back in 2012. But the company remains a well-kept secret in the European corporate world.

The FireEye global platform, distributed across 8 regional SOCs (Security Operations Centres), inspects 50 billion objects daily, with some notable successes. FireEye claims to have discovered 16 of the latest 22 zero-day exploits, more than all the other IR providers together. The SOCs and the company's 300 analysts look for interesting and unusual activities on the wire, using very aggressive algorithms to identify them. In that huge 'haystack' of data, the platform picks out any piece of hay that even remotely resembles a needle, and then determines whether this needle (among the many other needles found in the haystack) is potentially harmful to customers.

**The FireEye 20:20 Focus**

FireEye builds its business on three pillars:

– **Technology** – primarily based on its analytical engine that inspects gigabytes of network traffic, using virtual machine introspection (VMI), developed by the company founder Ashar Aziz back in 2004, as the analysis mechanism.
– **Intelligence Gathering** – from its incident handling, its far-flung sensor net and close contacts to customer CIRTs (Computer Incident Response Teams).
– **Security Expertise** – 10 years' experience with APT attacks.

Classic on-premise antimalware software must reliably block malware upon entry; if one sample is missed, on-premise defences can be deactivated. With VMI, on the other hand, the antimalware runs on a host outside of the customer data centre, and is thus impossible to deactivate by malware that has subverted the customer system.

**What are the challenges facing FireEye today?**

Lack of corporate presence, especially in Europe, is the top business expansion priority. Being a relatively young player in the IT security space, FireEye opted in its early years to concentrate on the US government sector. Governments remain the largest vertical for the company today, with 77 governments on its client list. Better funding after 2009 and the Mandiant acquisition in 2012 helped FireEye to expand globally and open up more corporate business. But the company still lags in corporate IR recognition behind the major hardware vendors (HP, IBM, Cisco, Dell and Fujitsu), global telcos (Verizon, Telefonica, BT, T-Systems), major system integrators (Cap Gemini, CGI, Atos, TCS) and a security vendor (Symantec).

One obvious step is to build more alliances with leading service providers (telcos and SIs) that have strong corporate ties and are willing to launch 'FireEye Inside' security services. Another option is to put more emphasis on its FireEye-as-a-Service offering, which allows FireEye to sell services to the mid-market corporate segment that predominates in Europe. Then there are the FireEye product names, which are completely anonymous: ETP, NX, HX, FaaS, TAP. They are neither exciting nor meaningful, unless you are already on the inside.

FireEye needs to emerge from its own shell. But of course, asking a ninja to step into the glare of wider public recognition requires careful consideration.