Why FireEye’s Helix matters to security professionals

Earlier this month I saw a post on Investor’s Business Daily outlining why FireEye was important to the company’s shareholders.  The article got me thinking about the low awareness that Helix has with security buyers. In my opinion, it’s one of the more under-rated security tools.   

For better or worse, FireEye has strong association with the sandboxing market.  This has been a critical security tool for almost all businesses but many companies, even FireEye customers, don’t look to the vendor for other security functions.  Its Sandbox will be the core product for FireEye into the foreseeable future, but Helix will be an important adjacent market for the company and its customers.

Helix is an end-to-end detection and response system designed to surface unseen threats and empower expert decisions with frontline intelligence.  It collects event data from FireEye and non-FireEye components of a security infrastructure and overlays frontline intelligence, rules and analytics to give organizations the context to determine which threats present the greatest risk and how to subsequently respond.  From within a single interface, Helix facilitates all SOC functions including alert management, search, analysis, investigations and reporting. 

Understanding the value of the platform requires believing the following statements about how things have changed and why a different type of intelligence solution is needed.

1. Most security teams have a lack of visibility into new attack vectors and the blind spot is getting bigger.  Traditional security is based on a bigger and stronger moat to keep the bad guys out.  This sounds reasonable, but today fewer breaches are occurring at the perimeter.  One telling stat from a ZK Research survey of 1,500 technical and business decision makers and influencers in the U.S. and Europe is that 90% of security spend is for perimeter protection but only 27% of breaches happen at that point. (Disclaimer: I am the founder and principal analyst of ZK Research). The bad guys aren’t stupid and they know that breaking through a state of the art, next generation firewall is very difficult, so why try?  Instead it’s easier to focus on more targeted attacks and focusing on applications or users.  If you’re looking for more proof, consider all of the highly publicized breaches over the past few years.  Target, Sony, Ashley Madison and others were all non-perimeter based breaches.  Better visibility would likely have caught these or at least minimized the “blast radius”.

2. Security is becoming exponentially more difficult.  I call this the “asymmetric security challenge” where businesses need to protect an increasing number of entry points but cyber criminals only need to find one way in.  Reactive, signature-based systems were effective in the past but are too slow today.  However, most threats are slight variations on past ones, so a solution built on the right intelligence should be able to spot new threats much faster than a reactive system can.

3. More isn’t better. In security, more isn’t a good thing, whether its more tools, alerts, data or whatever else.  Another interesting factoid from the ZK Research survey cited above is that the average number of security vendors enterprises need to manage is 32, and I’ve never heard a CISO say that when they get to 33, they’ll feel more secure.  Because security methodologies rely on manual processes, having more discrete tools just drives complexity up by adding to the volume of alerts and data that most security teams already can’t process fast enough. 

How Helix helps

FireEye Helix integrates security information from FireEye’s own network and endpoint security products as well as third-party security products and uses machine learning to put that data in context.  I understand that many security vendors are now using machine learning to “connect the dots” in the massive amounts of data that exist, but FireEye also has added expertise and analysis from the Mandiant team.  Recall that Mandiant rose to prominence in 2013, prior to being acquired by FireEye, when it released a report that implicated China in cyber espionage targeting the U.S. and other countries.  It’s this combination of machine learning and Mandiant expertise that FireEye claims gives it a competitive edge.  The product looks for hidden patterns and anomalies in the data to find non-malware based threats.  These are attacks in which the hacker uses existing software to execute malicious activities. 

[ Related: Fileless attacks explained: How hackers invade systems without installing software ] 

From a security operations perspective, Helix’s value is derived from the unified console that shows everything that warrants a closer look.  The possible threats can be diagnosed and forensics can be done directly from the console instead of having to send people out to visit each desktop, saving thousands of man hours over the course of the year.   The dashboard can be customized for each environment as well so there’s no need to view extraneous information.  This is significantly different than some of the SIEMs that show pages and pages of data that take Ph.D.-level skills to decipher.  The visual dashboard also makes it easier to comply with regulations like PCI and HIPAA. 

As the Investors Business Daily article pointed out, Helix is important to the future growth of FireEye stock, but this is only possible because Helix is an intelligence-based platform that enables its customers to find threats faster and then diagnose and remediate against them faster than legacy signature-based solutions.