A FireEye chat with Kevin Mandia

The company focused on engineering innovation, threat intelligence utilization and security as a service rather than Wall Street capriciousness

In early May, FireEye announced that company president Kevin Mandia would replace industry veteran Dave DeWalt as CEO. My colleague Doug Cahill had a chance to catch up with Mandia yesterday to get his perspectives on FireEye, enterprise security and the threat landscape amongst others. Here are a few highlights:

On FireEye’s direction. In spite of lots of distraction, Mandia is focused on driving “engineering innovation” at FireEye. Normally, this vision would be equated with security products alone, but Mandia believes products can anchor services as well. This involves installing FireEye’s endpoint and network security products on a customer network, collecting telemetry, comparing it to current threat intelligence, detecting malicious activities, and then working with customers on remediation. To accomplish this, FireEye products must be “best in class” for threat detection on a stand-alone basis. The FireEye staff is then available to add brain power and muscle to help product customers as needed.

On FireEye as a Service (FaaS). While Mandia admits that few of its customers start out buying FaaS, they often jump into FaaS over time. Why? Same old issue that I’ve been writing about for years—the global cybersecurity skills shortage. According to ESG research, 46 percent of organizations admit to a “problematic shortage” of cybersecurity skills today. So, FireEye customers buy products, then realize they don’t have the skills or staff size to do incident detection or incident response processes at scale. They then call in the FireEye cavalry for help. FireEye tends to view FaaS as a one-size-fits-all service where you can use it on an as-needed basis. If you have ample cybersecurity resources but need an occasional assist, FaaS can be available. You can also use FaaS for the whole IR enchilada if you don’t have the right skill set.

In the future, Mandia would like FaaS to be omnipresent as this type of safety net, with tight integration to products so customers can easily access and use FaaS whenever necessary. Kind of an “easy button” for IR.

On endpoint security. Mandia agrees that endpoint security is in a rapid state of transition as large organizations add new threat prevention controls on one hand while implementing EDR projects on the other. While he recognizes the need for improved threat prevention, FireEye is leaning toward detection for a few reasons. Prevention will always miss things or produce false positives, adding to operational overhead and creating security vulnerabilities. Mandia believes that once you detect something that’s actually bad, it’s easier and more efficient to block it at that point.

He also believes that large customers don’t want to block threats willy-nilly. They want telemetry and threat intelligence to let them know if they are under attack, who is attacking them, and information about the TTPs being used against them. Mandia believes FireEye can be a major player in next-generation endpoint security as a result of this type of focus.

On threat intelligence. Mandia believes the combination of Mandiant’s internal IR intelligence with iSight Partners’ external threat telemetry gives FireEye the best threat intelligence available from any source. FireEye also describes how it looks at threat intelligence—from the cyber adversary into the enterprise. Armed with this perspective, FireEye watches the tactics, techniques and procedures (TTPs) of threat actors, applies analytics, and then anticipates the industries and companies attackers plan to target. Given its threat intelligence prowess, FireEye views threat intelligence as a foundation for all of its products and services and says this sets the company apart from others.

On the threat landscape. Mandia characterizes the current threat landscape as the fifth phase he’s witnessed. The first, pre-1996, tended toward incidents of governments attacking governments. Between 1996 and 2000, the threat landscape started veering toward cyber-crime incidents. In the early 2000s, it was governments attacking the private sector.

The fourth wave was characterized by the Sony attacks and quasi-government hackers focused on hacktivism and system destruction. Finally, the current wave is focused on ransomware and extortion.

As far as ransomware and extortion goes, attacks have gone from using phishing as an attack vector to using spearphishing exploits. By doing so, cyber adversaries can now launch targeted attacks, lock down many critical systems simultaneously, and demand lots of money in return.

Mandia also talked about multimillion-dollar extortion schemes in play today where cybercriminals compromise sensitive data, such as the emails from corporate lawyers. Many organizations would rather pay the bad guys than have this information exposed publicly. Very scary stuff.

What was most refreshing about our discussion is what Mandia didn’t talk about. While Wall Street remains obsessed about FireEye’s business model and the potential for some type of M&A deal, Mandia stuck to a dialogue about threats, security technologies, skills and best practices.

In my humble opinion, enterprise CISOs don’t really care about which Sand Hill Road VC firm or Wall Street investment bank makes money on cybersecurity investments. Instead, they care about mitigating risk, ensuring that they have the right cybersecurity skills and resources, protecting their IT assets, and addressing problems quickly when they arise. Cybersecurity vendors that offer the right products and services to help them achieve those goals stand to make a lot of money in the process. Mandia seems to understand this reality and is pushing FireEye as an enterprise cybersecurity solutions provider as fast as possible.

Copyright © 2016 IDG Communications, Inc.