If you’re married you understand the need for compromise to build a successful relationship. But in this case I’m talking about something different – a marriage forged around the very idea of compromise – the kind of compromise that has shaken consumer and investor confidence in Target. The glittering marriage between FireEye and Mandiant is a pairing of two vendors with a common failing: Neither can protect customers from targeted malware. Instead, customers have to hope for the best, and when things go pear shaped, hire expensive experts to clean up after a successful compromise.
The good news is that there is a better way forward. We at Bromium know that it is possible to protect end points by design, that there is no need for a patient zero, that we can defeat attacks, eliminate remediation and deliver accurate forensic information, in real time, automatically and without spending a fortune.
Before I go any further, I want to state up-front that I have enormous respect for the team at Mandiant. I have read Richard Bejtlich’s superb book, and the APT1 report is testimony to the incredible investigative capabilities of the Mandiant team. Many Bromium customers have relied on Mandiant to get them back on their feet after an attack and there can be no doubt that they are in every respect a world-class outfit. FireEye delivers useful forensic intelligence, but its technology has fundamental limitations.
Serious infosec pundits have written thoughtful analyses of the acquisition and Mandiant’s billion dollar valuation; moreover the press is gushing with enthusiasm, and Wall Street is in love with the match (here is a counter-point). But every piece I have read fails to recognize that while the new FireEye has a powerful product and services portfolio it doesn’t solve the real problem: It cannot prevent a determined attacker from successfully compromising the enterprise, but it has a powerful story for how it can get you back on your feet, and stop the attackers next time around. I wonder if that’s good enough for Target?
Let’s dig into the portfolio of each company a bit, to illustrate my point:
- FireEye (FEYE) delivers a network appliance (the FireEye Threat Prevention Platform) that uses virtual machine images running on a hypervisor to detect and report on malware entering the enterprise network:
- “The core of the FireEye platform is the patented MVX engine, which provides dynamic, signature-less, and virtualized analysis of advanced cyber attacks. The MVX engine can be deployed across attack vectors and detonates suspicious files, Web pages, and email attachments within instrumented virtual machine environments to confirm a cyber attack. After confirming an attack, the MVX engine also dynamically generates threat intelligence about the indicators of compromise … in a standards-based format, which enables the intelligence to be correlated and shared …”
- Mandiant is primarily services based, selling consultants at rates as high as $500/hour to help enterprises investigate and remediate breaches and develop IR and SOC practices. In addition Mandiant has a relatively new product portfolio (competitors: Crowdstrike, CarbonBlack, Cylance) that relies on end point agents to discover and report Indicators of Compromise (IOCs) to a centralized management system.
- Mandiant for Security Operations: Uses IOCs to inform SOC teams about compromised end points: “… provides the complete picture required to find and scope attacks as they are unfolding. It searches for advanced attackers using Mandiant’s proprietary intelligence and also generates new Indicators from alerts triggered by network security solutions, log management solutions and SIEMs. These auto-generated Indicators analyze impacted endpoints, quickly find other devices affected by the incident and allow you to isolate and contain the compromised devices.”
- Mandiant for Intelligent Response (MIR): “..is an appliance-based solution that scales your experienced incident responders and forensics specialists to investigate thousands of endpoints and scope the impact of an incident. Are you compromised? How did the attacker get in? What systems are involved? Mandiant for Intelligent Response lets you answer these questions.”
- Mandiant Managed Defense is an appliance based system that continually reports on security status, and
- Mandiant Intelligence Center is a subscription based service that provides threat intelligence.
The acquisition makes a lot of sense to both companies:
- Revenue Growth: Mandiant is the industry’s premier brand in Incident Response, and it brings substantial revenue (about $100M / year) to newly public FireEye at a point when Wall Street will value revenue growth more than it will worry about the potential for weaker gross margins due to Mandiant’s historical dependence on services revenue.
- It addresses a FireEye product limitation by providing instrumentation, detection and response to end point attacks that elude detection by the FireEye network appliance. The Mandiant product enables FireEye to extend its visibility – to help to identify compromised end points.
- Mandiant also brings to FireEye an ability to quickly scale a tiered services business around the combined product portfolio, in synergy with its primarily direct-sales based business.
So what’s the problem?
- Neither FireEye nor its acquired Mandiant products prevent compromise of the end point. The FireEye appliance informs the SOC about attacks that it detects entering the enterprise. The Mandiant products inform the SOC about compromised end points, and assist with IR. But neither stops the attack. Many FireEye appliances that I have seen are configured to run legacy, unpatched end-point software, and report tons of false positives – a VM is successfully compromised, but the actual end points were not vulnerable to an attack because they were already patched (so I think of FireEye as selling a false sense of good security practice).
- Lots of malware that I see nowadays is FireEye aware – it specifically waits for end user input before it conducts its attack, to make sure that it is running on an end point. The Mandiant products don’t block attacks on the end point. The image below is an example LAVA trace of FireEye aware malware:
- To identify an attack, both the FireEye and Mandiant products rely on detection (and therefore some patient zero from which a signature can be created) to determine whether traffic entering the enterprise is malicious, or an end point has been compromised.
- If an attack is identified, there is no automatic remediation. Fortunately the Mandiant consultants will be available to clean up the mess and get you going again, but that requires expensive, skilled humans.
- If an end point is attacked and the attack is identified, neither FireEye nor Mandiant can automatically block the attack enterprise-wide. More humans are needed to turn the IOC into rules for the firewall, IDS or IPS, or even AV.
- From a sales perspective, the services-centric approach of Mandiant makes sense to the direct sales model of FireEye. But the company has poor appeal to the channel, and the services business will compete directly with services-centric VARs.
An Alternative: Protect-first, and deliver accurate Threat Intellgence – on a Budget
We at Bromium believe that there is no need for patient zero, that end points can protect themselves by design without third party signatures or IOCs, and automatically remediate themselves when attacked. We know that protected end points can deliver detailed, accurate forensic insights that would take a human expert days or weeks, in real-time. We also know how to turn these insights into automatic responses that block attacks enterprise wide. So the FireEye + Mandiant approach appears to be the polar opposite of the Bromium approach. They focus on expensive IR and remediation assuming compromise. Bromium takes a no compromise approach to security, and automates IR:
- Protect first, and protect always. The solution is not dependent on network based or IOC detection on the endpoint. It protects the end point by design, and because of that resiliency, prevents the customer from having to spend a lot of money on expensive remediation & Incident Response
- Automated forensics, not humans at $500/hr: Because there is no need for an “indication of compromise” (indeed no compromise, or patient zero) LAVA can rely on the resilient protection architecture of vSentry to automatically provide unrivalled detailed insight and forensic analysis of the attack, without expensive human-centric processes. Only by ensuring that attacks execute in an isolated environment on a vSentry protected end-point, can the process of threat intelligence gathering and sharing be properly automated, eliminating the compromise and remediation, and saving time and money for analysis.
- Real-time insights, not post-hoc panic: vSentry micro-VMs not only “protect first” but also collectively create an enterprise-wide sensor network that generates real-time threat intelligence that is enterprise- and user- specific, giving real-time insights to actual attacks that have been defeated, rather than false positives or successful compromises.
- No false positives: By relying on robust protection, it is possible to wait until a hardware-isolated attack actually compromises the software on an end point (as opposed to whatever software happens to be on a sacrificial VM in the network) – without risk. With proof of an actual attack, it is possible to eliminate the inevitable false positives that result from the FireEye approach – reducing the workload of the SOC team.
- Automated, enterprise-wide protection: When an attacker strikes, LAVA delivers accurate, complete forensic insights in real-time, in the open STIX/MAEC format, allowing automated enterprise-wide protection – blocking the attack at the perimeter, and updating signature based systems automatically, for example using System Center workflows, or integrations with leading vendors such as ForeScout.
Net, net, I think the bloom will come off this rose in the medium term, though I also think that the new FireEye is a powerful force to be reckoned with in the security ecosystem.