Why Bringing Your Network Security “Inline” Lines Up With Your Goals

An attacker can compromise a network and successfully exfiltrate data in less time than you might think.

The 2011 security breach of EMC’s RSA Security Division showed us that it takes only a few days, if not minutes, for cyber criminals to compromise a well-protected corporate network and launch an attack that would eventually cost at least $66M to remedy. Today’s cyber attacks are fast and hard hitting, sometimes happening so swiftly that qualified security personnel can’t triage the breach before it causes serious damage. In fact, as identified in our 2014 M-Trends report, it takes organizations on average 229 days to detect a breach, and that detection is primarily done by third parties!

Organizations can best protect themselves by leveraging real-time technology that can stop attackers in their tracks before they penetrate their targeted networks.

Getting In Line

Inline security solutions effectively defend against today’s fast-paced, evasive attacks on company networks. In the past, security professionals have weighed the risk of compromise from delayed detection and technology gaps against the risk of the traffic bottlenecks they perceived inline solutions would introduce.

Customers typically voice two issues with deploying inline technology, and they both stem from the concern that business needs to continue securely and uninterrupted.

The first of these issues is making sure the network remains functional and accessible, even if devices fail. Customers can’t afford a point of failure on a mission-critical network. But appropriate network design, internal or external fail-open kits, and associated software features significantly lessen the potential for network failure with inline solutions.

False positives have been another concern. Customers worry that filtering tools used to secure the network will cause significant extraneous noise, which potentially could keep them from detecting a true alert.

Most security administrators further fine-tune the signatures before deploying these products inline to adapt them to their environments. While this ensures that the security solutions do not impede business traffic (and this should be the first goal of any organization – run the business!), it lessens the impact of true, inline security.

Today’s evolving threat landscape of sophisticated, targeted attacks has emphasized a critical need for a scalable, secure solution to prevent the staggering outcomes of a successful breach.

The right type of solution balances the blocking power of true inline security with near-zero false positives. The FireEye Multi-Vector Virtual Execution (MVX) engine was designed to do just that. The FireEye MVX was the first technology to provide true multi-flow, multi-vector correlation of today’s advanced cyber threats. It does this by leveraging a virtual execution engine that mimics the end-user behavior to identify true threats and limit false alerts. The MVX is so accurate that across the FireEye customer base, a typical FireEye appliance gives customers 10 alerts/day instead of the hundreds or even thousands of alerts from other vendors that are made up almost entirely of false positives. With this accuracy, the time to investigate alerts and the associated costs are greatly reduced.

FireEye’s inline technology has quickly earned its customers’ trust. In May 2010, fewer than 15% of FireEye customers were using inline deployment mode. Since then, FireEye’s technology has proven itself as a trusted protection partner against advanced threats. As a result, nearly 50% of customers were deployed inline by the end of 2013, as seen in Figure 1.

Figure 1: The Percentage of FireEye Customers who Deploy FireEye Products Inline

This trend confirms what we’ve been hearing anecdotally from customers, and the numbers speak for themselves. Customers are confident about FireEye products’ ability to detect advanced attacks in real time with near-zero false positives. More and more of them are choosing to move beyond a detection-only solution to protecting against today’s advanced cyber attacks. Today, these customers are active proponents of inline FireEye deployments, not just as a must in their security framework, but also as a no-brainer in ensuring true, scalable inline security.

Real World vs Lab Testing: The FireEye Response to NSS Labs Breach Detection Systems Report

Today, NSS Labs released a report detailing the performance of several vendors’ ability to detect advanced attacks. We declined to participate in this test because we believe the NSS methodology is severely flawed. In fact, the FireEye product they used was not even fully functional, leveraged an old version of our software and didn’t have access to our threat intelligence (unlike our customers). We did participate in the BDS test in 2013 and at that time we also commented on the flaws of the testing methodology. In fact, we insisted that the only way to properly test was to run in a REAL environment. NSS declined to change their testing methodology so we declined to participate in the most recent test, results of which have been published today. When NSS tested our product a year ago, they used a sample set that included 348 total samples. FireEye detected 201 of 348 total samples. Of the 147 “missed” samples:

  • 11 were non-malicious.
  • 19 were corrupted and could not execute. Some vendors nonetheless scored close to 100% on these; the only way to “detect” a file that cannot run is a hash match, which fires regardless of whether the sample is actually malicious.
  • 117 were duplicates (as to why FireEye didn’t receive credit for detecting these, we never received a response from NSS).

Clearly, nobody could take this approach seriously—it was a major mismatch versus what we see in the wild.

Understanding advanced threats still represents a black hole for many in today’s security industry. The test unfortunately perpetuates a general failure by many to fully understand and appreciate the inner workings of advanced threats that continue to plague organizations despite millions invested in legacy security technologies. In this case, the test contained a number of flaws that security professionals should thoroughly understand before taking these results at face value.

Issue #1: Poor sample selection. Specifically:

  • NSS mostly relied on VirusTotal to download payloads (cleartext executable files). The NSS sample set doesn’t include unknowns, complex malware (encoded/encrypted exploit code and payload), or APTs. Almost by definition, APTs use new or updated code to bypass detection; that is standard procedure. NSS, however, used a known corpus of malware. Advanced threats are in, out, and cleaned up in minutes. In the past, the malware samples used in the NSS tests were available on VirusTotal (an aside: the oldest sample on VirusTotal is from 2006 and the median sample age is 17.2 months). By contrast, when tests specifically leverage malware samples that are new and unknown, antivirus detection rates fall dramatically. For example, the Imperva study found that antivirus detected only 5% of malware. The other vendors in the NSS report are built for detecting known malware. By relying on VirusTotal, NSS missed out on AK-47s and spent time analyzing pea shooters.
  • Even for payloads, NSS doesn’t perform forensic analysis to determine whether a sample is malicious, goodware, or corrupt (unable to execute). NSS gives a positive score as long as a vendor sees the sample on the wire, even if the sample is not actually malicious.
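The two points above (the 147 “missed” samples that turn out to be duplicates, goodware and corrupt files, and the absence of any check that a sample is malicious and can execute) come down to test-harness hygiene. The following is an added example, not FireEye’s or NSS Labs’ code: a small Python harness that deduplicates a corpus by SHA-256, drops files that fail a minimal PE header check, and then scores a hash-based detector and an execution-based detector both the naive way (credit for anything seen on the wire) and the curated way. The corpus, the “hash feed”, the `malicious` labels and the detector stand-ins are all constructed for the example; the numbers are not NSS’s.

```python
"""Score a detection test over unique, executable, malicious samples only.

Added example (not FireEye's or NSS Labs' code). The sample corpus,
the hash blocklist and the detector stand-ins are constructed inline.
"""
import hashlib
import struct
from dataclasses import dataclass

MZ_SIGNATURE = b"MZ"
PE_SIGNATURE = b"PE\0\0"


def is_valid_pe(data: bytes) -> bool:
    """Minimal PE sanity check: MZ header, e_lfanew in range, 'PE\\0\\0' at e_lfanew.

    A file that fails this cannot be loaded by Windows, so no sandbox can
    observe malicious behaviour from it; only a hash lookup can "detect" it.
    """
    if len(data) < 0x40 or data[:2] != MZ_SIGNATURE:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def make_pe(payload: bytes) -> bytes:
    """Smallest byte string that passes is_valid_pe (constructed test data)."""
    header = bytearray(0x40)
    header[:2] = MZ_SIGNATURE
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    return bytes(header) + PE_SIGNATURE + payload


@dataclass(frozen=True)
class Sample:
    name: str
    data: bytes
    malicious: bool  # label assigned by the test agency (assumed ground truth here)

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


def hash_detector(sample: Sample, blocklist: set) -> bool:
    """A hash-based engine fires on any byte-identical file, runnable or not."""
    return sample.sha256 in blocklist


def behaviour_detector(sample: Sample) -> bool:
    """Stand-in for an execution-based engine: it can only judge a file that runs."""
    return is_valid_pe(sample.data) and sample.malicious


def naive_score(samples, detector) -> float:
    """Credit per sample on the wire: duplicates, goodware and corrupt files all count."""
    return sum(detector(s) for s in samples) / len(samples)


def curated_score(samples, detector):
    """Dedupe by SHA-256, then keep only labelled-malicious files that can execute."""
    unique = list({s.sha256: s for s in samples}.values())
    scored = [s for s in unique if s.malicious and is_valid_pe(s.data)]
    hits = sum(detector(s) for s in scored)
    return hits / len(scored), {"unique": len(unique), "scored": len(scored), "hits": hits}


def build_corpus():
    """Constructed corpus: 2 real malware, 1 goodware, 1 truncated file, 4 duplicates."""
    mal_a = Sample("dropper_a.exe", make_pe(b"evil-a"), True)
    mal_b = Sample("dropper_b.exe", make_pe(b"evil-b"), True)
    good = Sample("calc.exe", make_pe(b"benign"), False)
    corrupt = Sample("truncated.exe", make_pe(b"evil-c")[:0x20], True)  # no PE header left
    dups = [Sample(f"copy{i}.exe", mal_a.data, True) for i in range(4)]  # same bytes, new names
    return [mal_a, mal_b, good, corrupt] + dups


def run_example() -> dict:
    corpus = build_corpus()
    # Constructed "hash feed" that happens to list mal_a, the goodware and the corrupt file.
    feed = {corpus[0].sha256, corpus[2].sha256, corpus[3].sha256}

    def hash_det(s: Sample) -> bool:
        return hash_detector(s, feed)

    hash_curated, stats = curated_score(corpus, hash_det)
    beh_curated, _ = curated_score(corpus, behaviour_detector)
    return {
        "naive": {"hash": naive_score(corpus, hash_det),
                  "behaviour": naive_score(corpus, behaviour_detector)},
        "curated": {"hash": hash_curated, "behaviour": beh_curated},
        "stats": stats,
    }


if __name__ == "__main__":
    print(run_example())
```

With this corpus the naive tally ranks the hash engine ahead (7/8 versus 6/8) because it gets credit for the goodware, the truncated file and four copies of one sample; after deduplication and the executability check the order inverts (1/2 versus 2/2). The PE check is deliberately minimal; a real harness would also confirm the sample actually runs in the target environment and exhibits the behaviour it was labelled for.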


Issue #2: Differing definitions of advanced malware: Vendors and test agencies differ in how they define advanced malware. The NSS test conflated adware, spyware, and APTs, counting adware and spyware as APTs. For instance, some of the NSS tests expected adware to be classified as malware. In this series of tests, adware that changes the browser’s home page but does not otherwise infect the system had to be flagged as malware for a product to receive a positive score. FireEye solutions wait for truly malicious behavior to avoid false alerts; in the case above, the page load of the new home page would be analyzed to determine whether the change was actually malicious.

Issue #3: Poor test methodology. Specifically, the NSS test:

  • Doesn’t account for the use of zero-day exploits: there were none in the test sample. Testing for zero days is difficult, since it requires having a zero day on hand or developing one yourself, which is expensive. Finding new malware that uses zero-day exploits is where FireEye thrives. In 2013, we found 11 exploitable zero days as well as countless malware campaigns used in cyber espionage, warfare, or crime. This year, we have already uncovered two zero days.
  • Did not have access to our security intelligence in the cloud. Unlike our customers’ appliances, the FireEye appliances under test were NOT connected to our Dynamic Threat Intelligence cloud and so received no content updates, virtual machines, or new detection capabilities.

We respect NSS and the work they do, especially for IPS; their BDS testing methodology is, in fact, better suited to testing IPS products. However, we believe the issues we identified with their evaluation of advanced threats are indicative of the security industry’s broader lack of knowledge regarding sophisticated attacks. FireEye is designed to supplement legacy signature- and reputation-based technologies to protect against advanced threats, and the NSS tests didn’t properly gauge our capabilities. Our product’s efficacy is proven by how well we protect customers in real-world deployments. Consider that in 2013, FireEye:

  • Found 11 exploitable zero-day vulnerabilities, with two more uncovered so far in 2014. (By comparison, among the top 10 cyber security companies ranked by security-related revenue, only 2 other zero-day vulnerabilities were reported in 2013.)
  • Tracked more than 40 million callbacks.
  • Tracked more than 300 separate APT campaigns.
  • Deployed more than 2 million virtual machines globally.

Any lab test is fundamentally unable to replicate the targeted, advanced attacks launched by sophisticated criminal networks and nation-states. The best way to evaluate FireEye is for organizations to deploy our technology in their own environment and they will understand why we are the market leader in stopping advanced attacks. We believe it is erroneous for NSS to compare security efficacy, performance, and cost in the same graphic, because doing so assumes that all three buying criteria are all equally important. In our experience, security efficacy is much more important than the others. In fact, most users and vendors are moving toward a malware prevention, detection, and response architecture.

In August 2013, IDC issued a report, Worldwide Specialized Threat Analysis and Protection 2013–2017 Forecast and 2012 Vendor Shares. This report identified and ranked vendors claiming to stop advanced malware attacks. FireEye was listed as the top vendor based on market share (38%) compared to the nearest competitor with 14% market share. The market is voting with dollars based on their real-world experience while under real-world attacks from advanced threats.

Introducing the New FireEye Security Platform - One Solution to Detect, Contain, Resolve, and Prevent Threats

I am excited to announce the expansion of FireEye’s MVX-based security platform. The newly enhanced platform incorporates endpoint protection and managed security services from recently acquired Mandiant, as well as new analytics and intrusion prevention capabilities. Each one of these new solutions can drastically improve an organization’s threat posture, and with this new security platform, we can offer our customers one security solution to detect, contain, resolve, and prevent threats. We’ll be showcasing each of these products over the next few weeks and have demonstrations of the entire platform at the RSA conference in San Francisco later this month. In the meantime, here’s what’s new in the platform:

Needle in a Haystack: Detecting Zero-Day Attacks

People often ask me what differentiates FireEye from its rivals. The real question is “What should I look for in a solution to advanced persistent threats, regardless of the provider?” (And while I can rattle off a long list of reasons why FireEye should be that provider, I’ll save that for another time.)

The key for any solution to advanced persistent threats (APTs) is finding the needle in the haystack — detecting and blocking zero-day incidents from among millions of traffic flows in a typical enterprise network. That means detecting it accurately, with few false positives or false negatives. Attackers, especially the well-funded ones, invest lots of time up front designing attacks to avoid detection and enhance impact. By accurately identifying their targets and the best way to approach them (often by analyzing social networks), attackers maximize their impact while minimizing chances of detection.

To combat persistent attackers, solutions must become smarter. When evaluating any advanced threat prevention solution, the three key issues to consider are accuracy, scale, and timeliness of detection.