Just as the new year dawned, FireEye made the announcement that it has acquired incident response specialist Mandiant in a deal that amounts to nearly US$1 billion in cash and shares. The two organisations have been strategic partners since April 2012 and announced an integrated suite of offerings in February 2013. This merger of the two organisations looks to build on and extend that existing relationship in a more formalised manner.
FireEye is positioned as a specialist in real time threat protection against advanced attacks, using virtual machine-based technology to continuously monitor networks and attack vectors to thwart such attacks. Mandiant specialises in incident response and remediation, as well as endpoint security. Together, the combined organisation aims to be a one-stop shop for advanced threat defence and remediation, closing the gap between network and endpoint security to find and stop attacks at every stage of the attack lifecycle.
The addition of endpoint security capabilities to FireEye’s threat prevention platforms is important given the continuing proliferation of endpoint devices within organisations. Early security efforts focused on the network, attempting to prevent network systems from being tampered with or otherwise compromised. But, as networks have expanded over time to encompass an ever-wider range of systems and devices, the growing reliance on endpoints means network perimeters have been all but eroded. Endpoints have become the new perimeter and are increasingly being used as conduits for attack. A recently published report from Bloor Research discusses further the growing need to focus on endpoint security: Why the endpoint should be the new focus.
By adding Mandiant’s capabilities to FireEye’s platforms, organisations will be better able to identify and verify evidence of compromise and forensic artefacts on endpoints, so that compromised devices can be isolated, incidents contained and the damage remediated. They will also be better able to correlate what is happening on network and endpoint systems in order to detect and remediate threats as they traverse laterally through the network—a common tactic used in the advanced attacks being seen today.
Another important aspect of this acquisition is that the combined capabilities will allow organisations to take a more proactive stance on security. Traditional security controls were largely reactive in nature, placing too much of an emphasis on attack prevention. Whilst prevention is important, some attacks will always get through—as can be seen from numerous studies conducted over the past year that show that the majority of organisations have recently been breached. It seems to be a common refrain these days that it is not if, but when you will be breached.
Both FireEye and Mandiant place an emphasis on the use of intelligence for detecting threats and resolving issues. FireEye maintains a real time threat intelligence network, with feeds gathered from some two million devices worldwide. Mandiant invented the term "indicators of compromise", or IOCs, which refers to the forensic artefacts that always remain when an attack has occurred, along with details of the tools, techniques and procedures used by attackers. Armed with the knowledge that IOCs provide, algorithms can be developed that look for one or more IOCs to identify evidence of security incidents and hidden threats. This information can then be used to determine what countermeasures are appropriate for taking action to mitigate specific types of threat, based on policies that have been set by an organisation. A recently published report from Bloor Research describes the concept of IOCs in greater detail: Managing indicators of compromise. Mandiant brings to the table a library of IOCs that can be used to provide actionable intelligence on advanced threats that help in responding to incidents.
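To make the two ideas above concrete (matching telemetry against a library of IOCs, then choosing countermeasures from an organisational policy, and correlating endpoint and network evidence for the same host as described in the paragraph on lateral movement), the following is an added, self-contained illustration. It is not FireEye or Mandiant code: the IOC library, the policy table and the key=value event lines are all constructed for this example, and the hash, domain, IP address and file path values are hypothetical placeholders rather than real indicators.

```python
"""Toy IOC matching and policy-driven response planner (constructed illustration)."""
from dataclasses import dataclass

# Constructed IOC library: (type, value, label). Values are placeholders, not real indicators.
IOC_LIBRARY = [
    ("sha256", "0123456789abcdef" * 4, "dropper-sample"),
    ("path", r"c:\windows\temp\svchost32.exe", "dropper-sample"),
    ("domain", "update-check.example.net", "c2-sample"),
    ("ipv4", "203.0.113.45", "c2-sample"),
]

# Organisational policy: which countermeasure each IOC type triggers (assumed names).
POLICY = {
    "sha256": "quarantine-file",
    "path": "quarantine-file",
    "domain": "block-egress",
    "ipv4": "block-egress",
}

ENDPOINT_TYPES = {"sha256", "path"}   # evidence produced by endpoint agents
NETWORK_TYPES = {"domain", "ipv4"}    # evidence produced by network sensors

# Constructed sample telemetry in a simple key=value format; ws-017 is the compromised host.
SAMPLE_EVENTS = [
    "ts=2014-01-03T10:12:04Z host=ws-017 src=endpoint event=process_create "
    r"path=C:\Windows\Temp\svchost32.exe sha256=" + "0123456789ABCDEF" * 4,
    "ts=2014-01-03T10:12:30Z host=ws-017 src=network event=dns_query qname=update-check.example.net",
    "ts=2014-01-03T10:13:01Z host=ws-017 src=network event=conn dst=203.0.113.45:443",
    "ts=2014-01-03T10:15:00Z host=ws-042 src=network event=conn dst=198.51.100.7:443",
    "ts=2014-01-03T10:16:11Z host=ws-042 src=endpoint event=process_create "
    r"path=C:\Windows\System32\notepad.exe sha256=" + "ff" * 32,
]


@dataclass(frozen=True)
class Match:
    ts: str
    host: str
    ioc_type: str
    ioc_value: str
    label: str


def parse_event(line):
    """Split a 'k=v k=v ...' telemetry line into a dict (values contain no spaces here)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def _domain_hits(observed, ioc_domain):
    """Exact match or any subdomain of the IOC domain, case-insensitive."""
    observed = observed.lower().rstrip(".")
    return observed == ioc_domain or observed.endswith("." + ioc_domain)


def match_event(fields, library=IOC_LIBRARY):
    """Return every IOC from the library that this single event matches."""
    ts, host = fields.get("ts", ""), fields.get("host", "")
    sha = fields.get("sha256", "").lower()        # hashes compared case-insensitively
    path = fields.get("path", "").lower()         # Windows paths compared case-insensitively
    domain = fields.get("qname", "")
    dst_ip = fields.get("dst", "").rsplit(":", 1)[0]  # strip the port from "ip:port"
    hits = []
    for ioc_type, value, label in library:
        hit = (
            (ioc_type == "sha256" and sha == value)
            or (ioc_type == "path" and path == value)
            or (ioc_type == "domain" and bool(domain) and _domain_hits(domain, value))
            or (ioc_type == "ipv4" and dst_ip == value)
        )
        if hit:
            hits.append(Match(ts, host, ioc_type, value, label))
    return hits


def scan(lines, library=IOC_LIBRARY):
    """Run the IOC library over a batch of telemetry lines."""
    matches = []
    for line in lines:
        matches.extend(match_event(parse_event(line), library))
    return matches


def plan_response(matches, policy=POLICY):
    """Map matches to countermeasures per host; a host with both endpoint and
    network evidence is treated as confirmed compromised and additionally isolated."""
    per_host = {}
    for m in matches:
        per_host.setdefault(m.host, set()).add(policy[m.ioc_type])
    for host, actions in per_host.items():
        types = {m.ioc_type for m in matches if m.host == host}
        if types & ENDPOINT_TYPES and types & NETWORK_TYPES:
            actions.add("isolate-host")
    return {host: sorted(actions) for host, actions in per_host.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for m in found:
        print(f"{m.ts} {m.host}: {m.ioc_type}={m.ioc_value} ({m.label})")
    print(plan_response(found))
```

Run as a script it lists the four matches on ws-017 and the planned actions for that host; ws-042 produces no matches and therefore no actions. The correlation step in plan_response is the point of the exercise: a file hash alone might be a false positive, and a DNS query alone might be benign, but the same host showing both endpoint and network indicators is exactly the lateral-movement evidence the combined FireEye and Mandiant platform is described as surfacing.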
Given the sophistication of today’s advanced attacks and the determination of attackers to evade traditional security controls, more advanced security techniques are required that allow a more proactive stance to be achieved in order to better identify, defend against and remediate incidents that occur. The combined capabilities of FireEye and Mandiant will go a long way in helping organisations to better defend themselves against and respond to incidents in an efficient, effective manner.