Two views on FireEye’s Mandiant acquisition

There are two views on the significance of FireEye’s acquisition of Mandiant. One is the consensus typified by Arik Hesseldahl, Why FireEye is the Internet’s New Security Powerhouse. Arik sees the synergy of FireEye’s network-based appliances coupled with Mandiant’s endpoint agents.

Richard Stiennon as a different view, Will FireEye’s Acquistion Strategy Work? Richard believes that FireEye’s stock price is way overvalued compared to more established players like Check Point and Palo Alto Networks. While FireEye initially led the market with network-based “sandboxing” technology to detect unknown threats, most of the major security vendors have matched or even exceeded FireEye’s capabilities. IMHO, you should not even consider any network-based security manufacturer that doesn’t provide integrated sandboxing technology to detect unknown threats. Therefore the only way FireEye can meet Wall Street’s revenue expectations is via acquisition using their inflated stock.

The best strategy for a high-flying public company whose products do not have staying power is to embark on an acquisition spree that juices revenue. In those terms, trading overvalued stock for Mandiant, with estimated 2013 revenue of $150 million, will easily satisfy Wall Street’s demand for continued growth to sustain valuations. FireEye has already locked in 100% growth for 2014.

It will probably take a couple of years to determine who is correct.



Third era of Information Security

As I look over my experience in Information Security since 1999, I see three distinct eras with respect to the motivation driving technical control purchases:

  • Basic (mid-90’s to early 2000’s) – Organizations implemented basic host-based and network-based technical security controls, i.e. anti-virus and firewalls respectively.
  • Compliance (early 2000’s to mid 2000’s) – Compliance regulations such as Sarbanes-Oxley and PCI drove major improvements in security.
  • Breach Prevention and Incident Detection & Response (BPIDR) (late 2000’s to present) – Organizations realize that regulatory compliance represents a minimum level of security, and is not sufficient to cope with the fast changing methods used by cyber predators. Meeting compliance requirements will not effectively reduce the likelihood of a breach by more skilled and aggressive adversaries or detect their malicious activity.

I have three examples to support the shift from the Compliance era to the Breach Prevention and Incident Detection & Response (BPIDR) era. The first is the increasing popularity of Palo Alto Networks. No compliance regulation I am aware of makes the distinction between a traditional stateful inspection firewall and a Next Generation Firewall as defined by Gartner in their 2009 research report.  Yet in the last four years, 6,000 companies have selected Palo Alto Networks because their NGFWs enable organizations to regain control of traffic at points in their networks where trust levels change or ought to change.

The second example is the evolution of Log Management/SIEM. One can safely say that the driving force for most Log/SIEM purchases in the early to mid 2000s was compliance. The fastest growing vendors of that period had the best compliance reporting capabilities. However, by the late 2000s, many organizations began to realize they needed better detection controls. We began so see a shift in the SIEM market to those solutions which not only provided the necessary compliance reports, but could also function satisfactorily as the primary detection control within limited budget requirements. Hence the ascendancy of Q1 Labs, which actually passed ArcSight in number of installations prior to being acquired by IBM.

The third example is email security. From a compliance perspective, Section 5 of PCI DSS, for example, is very comprehensive regarding anti-virus software. However, it is silent regarding phishing. The popularity of products from Proofpoint and FireEye show that organizations have determined that blocking email-borne viruses is simply not adequate. Phishing and particularly spear-phishing must be addressed.

Rather than simply call the third era “Breach Prevention,” I chose to add “Incident Detection & Response” because preventing all system compromises that could lead to a breach is not possible. You must assume that Prevention controls will have failures. Therefore you must invest in Detection controls as well. Too often, I have seen budget imbalances in favor of Prevention controls.

The goal of a defense-in-depth architecture is to (1) prevent breaches by minimizing attack surfaces, controlling access to assets, and preventing threats and malicious behavior on allowed traffic, and (2) to detect malicious activity missed by prevention controls and detect compromised systems more quickly to minimize the risk of disclosure of confidential data.

Panda Security goes inside the web’s black market

Panda Security Goes Inside Web’s Black Market

PandaLabs released 44 page report called, The Cyber-Crime Black Market: Uncovered. If you are not familiar with the subject, this report is very good. Here are some highlights:

The exponential growth of malware

Five years ago, there were only 92,000 strains of malware cataloged throughout the company’s 15-year history. This figure rose
to 14 million by 2008 and 60 million by 2010, which gives a good indication of the rate of growth.

At this rate is it reasonable to rely on a signature-based approach to malware detection? No mention is made of 0-day malware. We like FireEye‘s behavioral approach to complement a signature-based approach to anti-malware.

The cyber-crime professions

Panda quotes the FBI’s list of ten different professions that make up the cyber-crime black market – Programmers, Distributors, Tech Experts, Hackers, Fraudsters, Hosted systems providers, Cashiers, Money mules, Tellers, and Organization Leaders. This division of labor should give you some idea of the maturity of the cyber-crime underground.

The process

Panda does a fairly good job of documenting the process although this section of the report could have been better organized.

The black market at-a-glance

This section show just how sophisticated the black market ecosystem is. Just like the markets we engage in every day, there are promotion, try & buy offers, discounts for volume purchases, multiple payment options, and post-sale support services.

What to do and what not to do

The report closes with some common sense advice as to what to do and what not to do to minimize your risk of cyber-fraud.

Technical botnet takedowns useless. Technical controls needed.

TrendMicro’s 2010 in Review: No Recession for Cybercrime notes the ineffectiveness of several of the publicized botnet takedowns.

The futility of takedowns was seen when Pushdo/Cutwail was taken down earlier this year. Within days, it was back in business. Similarly, security researchers were able to take down the Waledac botnet in March but, as we noted at the time, the spam levels remained unchanged.

The lesson is that shutting down a botnet by purely technical means doesn’t do anything in the long term; arresting the people responsible is key to fixing the cybercrime threat.

What does this mean to the enterprise? You are on your own. Given the ease with which new botnets can be created and their geographic distribution, the arrests will be interesting but will not significantly reduce the botnet threat.

Cymbel provides three complementary solutions which help you mitigate the risks of botnets:

  • Palo Alto NetworksNext Generation Firewall with integrated Intrusion Prevention, URL Filtering, and botnet command and control communications detection.
  • FireEye – Heuristics-based malware detection with sandboxed suspicious code execution to minimize false positives.
  • Seculert – SaaS-based, External Threat Intelligence which alerts you on your compromised systems by monitoring the botnets themselves.

Outgunned: How Security Tech Is Failing Us — InformationWeek

Outgunned: How Security Tech Is Failing Us — InformationWeek.

Our testing shows we’re spending billions on defenses that are no match for the stealthy attacks being thrown at us today. What can be done?

Greg Shipley has written an excellent article about the state of information security. The hard copy version in this week’s InformationWeek magazine sums up the situation – “Epic Fail.”

…collectively, we’ve spent billions of dollars on security technologies, and we still can’t curb these threats. Intruders trot through firewalls deployed to block them, while malware flourishes on systems that antivirus vendors pledge to immunize. Meantime, our identity management efforts guzzle funds faster than politicians before a crucial vote.

Recent events suggest that we are at a tipping point, and the need to reassess and adapt has never been greater. That starts with facing some hard truths and a willingness to change the status quo.

Greg points out what we’ve been saying for the last three years:

…sometime in the last few years a number of our key security technology controls crossed that threshold and ceased to be effective, yet as an industry we have yet to adjust. We’re pouring billions of dollars–literally–into security products that are gaining us very little. We don’t retire anything but rather pile on more layers, leading to increased complexity, expense, and exposure.

One of the big three security technology controls Greg calls out is firewalls. I would be more specific and say “stateful inspection” firewalls. These have been the staple of network security for 15 years. But Web 2.0 applications and social networking breeze right by the stateful inspection firewall. In fact, the stateful inspection firewall provides practically no control or protection at all.

Fortunately, we have begun to see the rise of what Gartner calls the Next Generation Firewall as exemplified by Palo Alto Networks. NextGen Firewalls are application aware and more importantly enable you to build policies based on applications and users rather than ports, protocols, and IP addresses.

Greg’s four recommendations are:

1) Start spending money on controls that are more in line with threats. This is in fact why Cymbel has embraced (and enhanced) the SANS 20 Critical Security Controls for Effective Cyber Defense. Controls were selected based knowledge of exploits. For example, Controls #1 and #2 are about Discovery of network assets and the software running on them. Unknown and/or unmanaged devices will thwart a patch management program every time.

2) Adjust assumptions and put to rest some age-old debates. For example the insider vs. outsider debate. Due to what we call the ‘inside-out” attack vector, the outside attacker becomes an insider once the attacker steals the insider’s credentials. We discuss this in more detail in the Threats section of the Five Forces of Change. This is why internal network segmentation based on application and user policies has become critical.

3) Stop rewarding ineffectiveness and start rewarding innovation. Here Greg repeats his observations about the ineffectiveness of (stateful inspection) firewalls and antivirus. It is for this reason that we developed our Next Generation Defense-in-Depth architecture, which features real, proven, innovative solutions which mitigate these new threats. Another good example is FireEye, which prevents 0-day and unknown malware attacks using heuristics plus virtual sandboxes to test suspicious code. The virtual sandbox capability practically eliminates false positives, the bane of heuristics-based intrusion prevention systems.

4) Know when security products cannot help you. Technology is not always the answer. Our Approach, based on the SANS 20 Critical Controls acknowledges this as well. While the first 15 are automation oriented, the last five are not: Secure Network Engineering, Penetration Testing, Incident Response Capability, Data Recovery Capability, Security Training.

The validation of our approach to information security is gratifying. Thanks Greg.

Who’s Behind Stuxnet? The Americans? The Israelis? – Security Watch

Who’s Behind Stuxnet? The Americans? The Israelis? – Security Watch.

The security research community continues to marvel at the sophistication of Stuxnet. In fact, there is a growing body of opinion that Stuxnet must have been developed with government sponsorship. Since 58% of identified infections seem to have occurred in Iran, the two obvious countries attracting speculation are the United States and Israel.

Previously, I’ve written about Stuxnet on August 14September 15, and September 17.

Aside from the extremely precise targeted nature of Stuxnet, what is striking is that it took advantage of four different 0-day or unknown vulnerabilities.

If this is not a wake-up call for the need for specialized 0-day malware defenses, I don’t know what is.

Forrester Pushes ‘Zero Trust’ Model For Security – DarkReading

Forrester Pushes ‘Zero Trust’ Model For Security – DarkReading.

Last week Forrester Research began promoting a new term, “Zero Trust,” to define its new security model. The new model’s underlying principle is “trust no one.” In other words, you cannot trust the servers and the workstations inside your network any more than you could trust external third parties.

Given the nature of the changes we’ve seen during the last 3 to 5 years in technology and the threat landscape, we agree. We have seen a huge increase in what we call “inside-out” attacks where insiders are lured to malware-laden web pages on, for example, Facebook, Twitter, YouTube, and even the New York Times. The malware gets downloaded to the unsuspecting person’s workstation along with the normal content on the web page. From there, the malware steals the person’s credentials to access bank accounts, internal intellectual property, customer records, or whatever the attackers can readily convert to cash. This type of malware is not the traditional single-purpose virus or worm. Rather it’s an agent controlled by remote servers that can modify its functions. These “bots” have gone undetected for days, weeks, months, even years.

From a security perspective, this type of attack looks very similar to a malicious insider, and information security must protect against it along with the traditional “outside-in” attack method.

From my perspective, Forrester’s Zero Trust model and Cymbel’s next-generation defense in-depth architecture are the same when it comes to network security. Our Approach, based on the SANS 20 Critical Security Controls for Effective Cyber Defense, is broader.

However, there is one area where I disagree somewhat with John Kindervag, the Forrester analyst discussing the Zero Trust model, who is reported to have said:

It’s like a UTM [unified threat management] tool or firewall on steroids,” he says. It does firewall, IPS, data leakage protection, content filtering, and encryption with a 10-gigabit interface that separates the switching fabrics for each function.

Gee, how did he leave out packet shaping? I have no doubt that there are vendors attempting to do all these functions in a single appliance, but it reminds me of Network Access Control in 2007. NAC was going to subsume all manner of security functions in a single appliance. The complexity was overwhelming. Furthermore, most organizations really don’t want all that functionality in one box. There is still the need for a defense-in-depth architecture, in our opinion.

Some level of function consolidation is surely reasonable and advantageous to organizations with limited resources, i.e. everyone!! However the expertise needed to develop and advance all of these different functions is virtually impossible to assemble in one company. For example, full packet capture is really about innovative data storage and retrieval. High performance, stream-based, application level, firewall/IPS is about innovative deep-packet inspection combined with clever hardware design. And data loss prevention requires proxies and semantics-based data classification algorithms.

While I am surely not saying that we can achieve nirvana now, the components of Cymbel’s next-generation defense-in-depth architecture can provide major improvements in network security today:

  • Next-Generation Firewall with application- and user-level, internal network segmentation, integrated intrusion prevention, and bandwidth management – Palo Alto Networks
  • 0-day threat and botnet command & control communications prevention – FireEye
  • Cloud-based web and email security – Zscaler
  • Device/software discovery and configuration change detection – Insightix, AccelOps
  • High Performance Full Packet Capture – Solera Networks
  • Layer 2, 3, 4 encryption – Certes Networks
  • User-based, behavioral anomaly detection using net flows and logs plus high-performance event correlation – Lancope

I look forward to learning more about Forrester’s Zero Trust model and working with partners who recognize the new landscape and respond with creative solutions for our clients.

“It’s like a UTM [unified threat management] tool or firewall on steroids,” he says. It does firewall, IPS, data leakage protection, content filtering, and encryption with a 10-gigabit interface that separates the switching fabrics for each function