The long winter is over: today is the official opening day of the 2014 major league baseball season. Here in the Toronto area we are cautiously optimistic over the Blue Jays’ prospects while thinking very fondly of the 1992-93 seasons.
Of course, back in the early 1990s cyber crime wasn’t the big deal it is today. Back then the interconnected world in which we now live was just starting to take shape. Today, everything from bank assets and personal credit card data to intellectual property and trade secrets all reside on corporate networks that clever cyber criminals relentlessly target.
At eSentire, it occurred to us that the game of baseball provides a good analogy for cyber security preparedness and attack response.
Maximizing your cyber security posture can be likened to rounding the bases:
- First Base. Many security products and services will get you here. They monitor events and even stop threats with a known signature. This is a basic capability every company needs, but it only gets you to first base.
- Second Base. Some products can detect threats that got by first base, usually by analyzing aggregated log data.
- Third Base. There are services such as legacy Managed Security Services Providers (MSSP) that will notify you, via an automated alert, email, or a phone call, that a suspected breach has occurred.
Now what? Getting from third base back to home is the great conundrum of the cyber security industry.
The vast majority of cyber security products and services concentrate on prevention. Very few offer practical remediation assistance.
Once they’ve notified you, the MSSP considers their job done, but you’re stuck on third base while your systems are being ransacked.
Cyber security has become an incredibly complex field. The only way to fully address a serious security incident such as an advanced threat or a zero day attack is with the help of trained experts.
In baseball, the pinch hitter is such an expert: a substitute batter. The manager can send in any player who has not yet entered the game, and the tactic is often used to put a specialized skill (base-hitting ability) at the plate exactly when it is most needed.
When a cyber attack commences, companies are facing a crisis situation. They need cyber security pinch hitters on their team – and they need them now. At eSentire, we call this Active Intervention.
Our Network Interceptor solution includes the concept of Embedded Cyber Security Incident Response. That is, our experts are already on your team, monitoring network events in the background. When a real threat unfolds, they are like a pinch hitter – ready to enter the game and get you back to home plate.
Any company that relies on a cyber security program without Active Intervention is operating without a safety net. They are doomed to be stranded on, at best, third base when a difficult security incident happens.
It’s tough (and expensive) to bring in experts when they aren’t already on your team. This year, you can take steps to maximize your cyber security posture by incorporating Active Intervention into your security program.
One resounding theme to emerge from this year’s RSA Conference is that IT security budgets are skewed too much towards automated prevention technology and not enough towards incident response.
In a keynote, Art Gilliland discussed this over-investment on the prevention side, noting that it consumes the overwhelming majority (86%) of annual cyber security spend.
An intriguing session on Security Shelfware detailed how a surprising number of SIEM (and other) security products end up gathering dust instead of being actively used.
In a panel discussion on cyber security incident response, Ponemon Institute founder Larry Ponemon explained what’s behind the scarcity of CSIRT resources, recommending greater investment in incident response.
Then, on the RSA’s final day, Jay Leek – CISO at Blackstone – weighed in from the user’s viewpoint: A CISO’s Perspective: Protecting with Enhanced Visibility and Response.
This valuable session argued for reallocating IT security investment, moving some money from Prevention (where a lot of shelfware exists) to Visibility, Intelligence – and the underfunded Reactive area, upgrading it to a Planned Response footing.
Leek noted that the cost of response has sharply increased, up 75% from $200k to $341k per incident in 2011 – and we can be certain that the cost in 2014 is even higher. Unfortunately, the cost to attackers is much lower. In one slide Leek showed that attackers could breach a company over 2,000 times before spending as much as the company spends on a single incident.
These trends are not sustainable, according to Leek. To mitigate such high costs, investment in incident response, not just prevention, is needed.
This investment can take a variety of forms.
- For better Visibility, organizations should acquire technology that provides real time awareness of network events, thus collapsing the time delay inherent to SIEM products that rely on system and device logs.
- For greater Intelligence, defenses can be tuned based on behaviors and attack profiles.
- For Planned Response, you need trained security analysts who have ready, real time access to actionable forensics.
The market for Prevention-focused products is saturated – but for vendors it’s a lot easier to program a product to identify and stop known threats than it is to provide a solution to an incident that has unknown attributes.
Response is difficult to automate. For serious threats, effective response always requires human expertise. You need security analysts who know how to examine the forensics and what actions to take.
Having ready access to this kind of expertise is a challenge – as Jon Oltsik noted in his session on the Security Skills Shortage.
Small to midsize companies with stretched IT resources are particularly exposed in the skills area – how can they make the investments all of these speakers have recommended?
There’s good news. The new field of Active Threat Protection is designed for just this sort of balanced approach to cyber security.
Key attributes of Active Threat Protection include the acquisition of network data in real time, the ability to detect suspicious behaviors, and Active Forensics that help to eliminate false positives while highlighting the real potential threats.
These capabilities are topped off by Embedded Cyber Security Incident Response, which is the integration of trained security analysts into the mix as network events are being assessed – instead of after a crisis has erupted when it’s too late to minimize the damage.
Active Threat Protection is surprisingly affordable, giving companies a practical way to rebalance their IT security budgets for greater impact and better ROI as numerous RSA sessions have recommended.
It enables organizations to increase their Visibility, develop greater threat Intelligence, and include active expertise into their Planned Response processes – all of which dramatically reduces the cost of handling an incident while maximizing cyber security protection.
One of the most interesting keynotes at this year’s RSA conference was given by Art Gilliland, SVP of HP Enterprise Security Products, on Stop Looking for the Silver Bullet: Start Thinking Like a Bad Guy.
You can view a recording of his presentation here.
Gilliland noted the impossible odds that are stacked against cyber security teams, where to be considered successful the good guys have to win every time, but the bad guys only need to win once.
Despite increased investment in cyber security, the number of breaches continues to rise.
In looking at where this investment is going, HP and Ponemon Institute found that a whopping 86% of the cyber security budget goes toward prevention.
Further research revealed that companies could improve the ROI of their security budgets by shifting investment into the security intelligence system – the people and processes as well as the technology that must combine to protect the enterprise.
“We are over-invested in products,” said Gilliland, in the best sound bite of the session. At eSentire, we couldn’t agree more.
We’ve said for some time that security automation, by itself, doesn’t solve the problem. Automated products are notoriously difficult to tune and keep updated, and even so the cyber criminals have a habit of devising new ways to evade automated defenses.
Too often, organizations desperately want to believe they can buy a technology silver bullet for cyber security – and there are plenty of vendors who are happy to take their money. Yet the number of breaches continues to rise – what’s wrong with this picture?
Companies that rely solely on automated security products are nursing a false hope, not realizing how exposed they really are.
Of course, security automation is needed – and it is very useful in blocking known threats. But it isn’t a panacea. We agree that investments need to include good technology but also be more balanced towards the Security Intelligence System.
A new security concept reflects this reality. We call it Active Threat Protection. It is an approach that combines detection, analytics, and human experts to deliver a higher level of protection than is otherwise possible.
Active Threat Protection acknowledges that you cannot detect every threat, and that advanced threats only reveal themselves by behaviors. It is a more practical approach that recognizes the bad guys will at times succeed in penetrating your network – but you can still stop attacks and minimize exposure if you have invested properly in people and processes as well as analytics.
Companies need to stop chasing security technology silver bullets, because they cannot possibly prevent every attack – succeeding every time while the bad guys only need to succeed once – eventually there will be a breach.
With Active Threat Protection, they have a workable solution that acknowledges the realities of today’s cyber wars.
It’s Day 3 of RSA, and one of the highlights was a panel discussion on Why Cyber Incident Response Teams Get No Respect.
The session had great insights on how CSIRT can be improved, but we couldn’t help thinking that it also pointed out the inequality in CSIRT capabilities between large enterprises and midsize companies.
Supported by a fresh research report from the Ponemon Institute, a major finding was that more investment is needed in CSIRT if organizations are going to materially improve their response preparedness.
It goes without saying that some organizations may have more to invest than others.
When we look at the survey demographics, we see that 82% of the respondents were from companies with over 500 employees – and nearly two thirds were from 1000+ employee companies.
Even so, nearly half of those surveyed (45%) reported that their company has no one dedicated full time to incident response. A further 28% have one resource dedicated to CSIRT. So, the reality is that most companies get by with part time resources in this crucial area.
The study’s recommendation that organizations should invest more in CSIRT is spot on. In very large enterprises, this may be an exercise in raising awareness of the need at the C-level in order to garner support. But in many companies, it’s an exercise in finding budget that simply doesn’t exist.
A trenchant observation in the study is that it’s easier to dedicate budget to prevention, on the theory that if that money is well invested then response won’t be as necessary – because threats won’t morph into attacks.
However, this is a false hope. Every company needs a plan for and resources designated to incident response – because sooner or later they will have an incident to deal with.
It takes specialized expertise to respond quickly to a security incident – fully understanding what happened and confirming that the response was successful and “it’s safe to go back into the water.” For most companies, that means bringing in outside experts.
While affirming that using outside consultants to augment in-house staff is a best practice, the study pointed up two valid problems with retaining third party consultants for incident response help.
First, outside parties are unlikely to “have an understanding of the IT infrastructure they are investigating as well as the business running on top of it.” They need read-in time, right when a crisis is unfolding.
“A third-party contractor can lose precious time navigating to the resources they need. In addition, many of the tools and audit trails that are needed in order to respond effectively to an incident must be in place before the incident begins, and cannot be established on the fly during an incident.”
All this brings us back to the question – what is a midsize company with an already-stretched IT budget to do? It sounds like world-class CSIRT is only possible if you have lots of money.
Fortunately, there is a solution: Embedded Cyber Security Incident Response.
This new concept is part of the Active Threat Protection approach to cyber security. It includes technology that can aggregate network events and detect telltales of suspicious activity, coupled with trained security analysts who actively review these events as they happen – and take action if needed.
Embedded CSIR solves the problem of getting outside consultants up to speed on your IT infrastructure and business processes – because they are already there. It solves the problem of needing analytical tools and audit trails in place – because those are already there too.
At eSentire, we think Embedded CSIR also solves the inequality problem, because even midsize companies can access Active Threat Protection without breaking the bank.
Get this white paper to learn more about Embedded CSIR.
An insightful and entertaining session at RSA today was Security Shelfware: Which Products Are Gathering Dust in the Shed and Why?
This topic really interests us at eSentire, because we conduct hundreds of Enterprise Vulnerability Assessments every year and more often than not we find security products turned off or otherwise on the shelf. We always wonder why a company would pay good money for a security product only to let it fall into disuse (or never really use it in the first place).
Presented by Javvad Malik of 451 Research, the session highlighted some very interesting findings from an original research study.
Many perfectly good security products become shelfware. They work as advertised, and companies buy them with every intention of getting useful value out of them – but somewhere along the line, something happens.
Not surprisingly (at least to us), SIEM products lead the field as those most likely to wind up on the shelf. We suspect that a big reason for this is the notorious difficulty in tuning these systems. Set thresholds too sensitively and you are flooded with more alerts than you can possibly handle; set them too loosely and you miss the one alert you really needed.
This is corroborated by the research, in which the main reasons given for security shelfware were a lack of staff to use the product properly and a lack of time or expertise to implement it properly. Keeping these systems updated and tuned is a complex, involved and never-ending task.
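To make the tuning tradeoff concrete, here is an added example (our own illustration, not code from the 451 Research session or from any SIEM product). It aggregates a constructed sshd-style log into one alert per source IP and scores three threshold/window settings against a constructed set of known-bad addresses; every log line, address and username below is invented for the demo.

```python
"""
Added example (not from the original post): a minimal SIEM-style detector that
turns raw failed-login events into per-source alerts, and a scorer that shows how
the threshold/window setting trades alert volume against missed attackers.
All log lines, IPs, usernames and the malicious set are constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd-style log. Two benign users mistype their password once or
# twice, one source brute-forces root quickly, one source probes low-and-slow.
SAMPLE_LOG = "\n".join(
    [
        "2014-02-25T10:00:05 web1 sshd: Failed password for alice from 10.0.0.5",
        "2014-02-25T10:00:40 web1 sshd: Failed password for alice from 10.0.0.5",
        "2014-02-25T10:01:10 web1 sshd: Accepted password for alice from 10.0.0.5",
        "2014-02-25T10:05:00 web1 sshd: Failed password for bob from 10.0.0.6",
        "2014-02-25T10:12:00 web1 sshd: Failed password for carol from 10.0.0.7",
        "2014-02-25T10:12:30 web1 sshd: Failed password for carol from 10.0.0.7",
        "2014-02-25T10:13:00 web1 sshd: Accepted password for carol from 10.0.0.7",
    ]
    # fast brute force: 12 failures in under a minute
    + [f"2014-02-25T10:20:{s:02d} web1 sshd: Failed password for root from 203.0.113.9"
       for s in range(0, 60, 5)]
    # low-and-slow: one attempt every ten minutes
    + [
        "2014-02-25T10:30:00 web1 sshd: Failed password for admin from 198.51.100.7",
        "2014-02-25T10:40:00 web1 sshd: Failed password for admin from 198.51.100.7",
        "2014-02-25T10:50:00 web1 sshd: Failed password for admin from 198.51.100.7",
        "2014-02-25T11:00:00 web1 sshd: Failed password for admin from 198.51.100.7",
    ]
)

# Ground truth for scoring (constructed, used only to evaluate the tuning).
MALICIOUS_IPS = {"203.0.113.9", "198.51.100.7"}

FAILED_RE = re.compile(r"^(\S+) \S+ sshd: Failed password for (\S+) from (\S+)$")


def parse_failures(log_text):
    """Extract (timestamp, source_ip, user) from failed-login lines; ignore the rest."""
    events = []
    for line in log_text.strip().splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(3), m.group(2)))
    return events


def detect(events, threshold, window_seconds):
    """Return the set of source IPs with >= threshold failures inside any
    sliding window of window_seconds. One alert per IP, not one per event."""
    by_ip = defaultdict(list)
    for ts, ip, _user in events:
        by_ip[ip].append(ts)
    alerts = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            while (ts - stamps[left]).total_seconds() > window_seconds:
                left += 1
            if right - left + 1 >= threshold:
                alerts.add(ip)
                break
    return alerts


def evaluate(threshold, window_seconds, log_text=SAMPLE_LOG, malicious=MALICIOUS_IPS):
    """Score one tuning: how many alerts an analyst would see and how many were real."""
    alerts = detect(parse_failures(log_text), threshold, window_seconds)
    return {
        "alerts": len(alerts),
        "true_positives": len(alerts & malicious),
        "false_positives": len(alerts - malicious),
        "missed": len(malicious - alerts),
    }


if __name__ == "__main__":
    print("raw failed-login events:", len(parse_failures(SAMPLE_LOG)))
    for threshold, window in [(2, 3600), (10, 120), (4, 3600)]:
        print(f"threshold={threshold:>2} window={window:>4}s ->", evaluate(threshold, window))
```

On this data, 21 raw failures collapse into a handful of alerts. The first setting (two failures in an hour) fires on two legitimate users as well as both attackers; the second (ten failures in two minutes) is quiet but misses the low-and-slow source; the third catches both attackers with no noise. The specific numbers depend entirely on the environment, which is exactly the point: someone has to keep choosing them as the environment changes, and that is the work that goes undone when there is no staff to do it.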
As we noted yesterday, cyber security analysis is an increasingly specialized skill, which was validated by Jon Oltsik’s presentation on The Security Staff and Skills Shortage is Worse than You Think! One of the points in that session was that too many false positives are hampering detection and response.
When you combine the two sessions, it’s easy to see why certain security products become shelfware. They may be doing exactly what they’re programmed to do, but if the user companies are stretched for time and resources, they simply won’t be able to analyze everything these products throw their way.
It’s no wonder that the 451 Research study found users’ number one attribute of a good security product to be “centralized (and actionable) reporting.” Beleaguered IT security staff do not need more alerts – they need fewer ones that they can action.
This was a huge disconnect in the study, where vendors rated “out of the box functionality” as the number one sign of a good product while users rated that attribute near the bottom.
Of course, the study pointed out many other interesting things – such as the fact that often companies buy a security product merely to satisfy a compliance requirement but then they end up not using it.
We do appreciate the insights and believe that there is a thread at RSA pointing up the skills shortage in cyber security. This trend will not change any time soon, and smaller to midsize companies will be most impacted because they simply do not have the resources to staff a 24x7 security operations center in the same way that very large enterprises can.
At eSentire, we’ve developed a new approach to cyber security that we call Active Threat Protection. It is a combination of technology and expertise that fills the skills gap while eliminating all those false positives – and it’s surprisingly cost effective, so small to midsize companies can access it.
Embedded Cyber Security Incident Response is a core principle in Active Threat Protection, and it is certainly worth learning about if you have confidential data to protect yet limited resources to devote to security.
Today the RSA Conference kicked off with a bang at the Moscone Center in San Francisco.
We thought Jon Oltsik, Senior Principal at Enterprise Security Group, gave an outstanding presentation titled “The Security Staff and Skills Shortage is Worse than You Think!”
Jon highlighted key results from ESG’s 2013 Cyber Security Survey. Several of his points resonated with us at eSentire, and validate the need for companies to move to an Active Threat Protection cyber security strategy.
First and perhaps no surprise, is the fact that fully 83% of those surveyed say recruiting information security professionals is “difficult to extremely difficult.”
Cyber security knowledge – particularly analytical and remediation skills – is an increasingly specialized discipline. While very large enterprises can afford to staff 24x7 security operations centers with in-house experts, smaller companies are at a distinct disadvantage. They struggle to compete for this highly trained and expensive talent pool, and the challenge of supporting round-the-clock operations, a requirement for many, is simply a bridge too far.
In detailed findings of the impacts on incident detection and response, the top impact listed was “lack of adequate staff.” Of course, this follows from the above point about hiring – if good security analysts are hard to find then many organizations will lack the staff they need.
The other impacts on detection and response were instructive. In order, they are:
• Too many false positives
• Too many manual processes
• Too many independent tools
• Events are too hard to detect
• Lack of security analytics skills
These findings point out the gaps in traditional cyber security automation and managed services. Automated tools deliver a flood of alerts that the beleaguered IT security staff cannot possibly analyze. Information is coming from too many sources and cannot be correlated. True threats are too hard to find in this sea of information – and the ability to analyze all this data is lacking.
Legacy MSSP vendors don’t really solve the expertise problem. They detect potential threats but simply notify the customer when one exists – their involvement stops when it comes to the remediation side of the problem.
These findings make a great case for Active Threat Protection, and in particular for the principle of Embedded Cyber Security Incident Response. It’s a way to leverage both advanced detection technology and bring in experts not just to resolve a crisis but to be involved every day in assessing potential threats.
If Active Threat Protection is a new concept to you – it would be worth learning about. This is particularly true if your company is not one of those big enterprise behemoths that can throw millions of dollars into security programs.
Active Threat Protection, which we cover in detail on this website, is a cost effective way for companies to minimize risk and close the gaps in traditional cyber security approaches.
PS: You can download Jon Oltsik’s presentation slides here.
We all know what it means to have an elephant in the room. It’s an obvious situation that people don’t want to acknowledge – so they collectively tiptoe around the issue rather than face it.
What’s the elephant in the cyber security room? While over 90% of the industry focuses on prevention, the fact is you will be hacked, and once that happens most cyber security solutions are useless.
It’s the elephant in the room: in just one week, we’ll be joining thousands at the huge RSA Conference in San Francisco, where you can wander through a cavernous exhibit hall (actually, two of them), only to find that most booths have little to say about what to do after prevention measures have failed.
Cyber security is big business – worldwide spending topped $67 billion in 2013 according to a recent report from Gartner Group. Most of that spending goes towards prevention. Comparatively little is budgeted for remediation – and that’s perhaps understandable (how do you budget for something you hope will not happen, and if it does, how can you measure the financial impact in advance?).
But let’s get back to that elephant: it’s a virtual certainty that your company has suffered a breach, or will suffer a breach. You could be breached at this very moment without knowing it.
While we are the first to agree that prevention measures are essential, we find it curious that few security products or services openly discuss how they come into play after an attack has succeeded.
There are many Managed Security Services Providers (MSSP), but most of them simply notify you of a suspected breach – you have to fix it yourself (at eSentire we call this the ‘It’s not My Problem Syndrome’). There are literally hundreds of security automation products, and the overwhelming majority are built for prevention against known threats.
Once a zero day cyber attack starts to unfold, outward-looking prevention systems are of no value. Where can you go to get practical help when the proverbial paraphernalia hits the fan?
A good start would be to visit the eSentire booth at RSA (booth 520 in the South Hall). We’re the guys with the big elephant in the booth.
We believe that incident response needs to integrate with detection and analytics. We agree with virtually all cyber security authorities that expert assistance from certified security analysts is essential to resolving any serious cyber security incident. And for most companies, that means getting specialized help.
And therein lies the rub. Virtually all of the security industry is structured either to prevent an attack or to wade in and help remediate one after it has begun to do damage.
At eSentire, we think that’s too late. When experts are called during a crisis, they first establish their analytical infrastructure (which could involve shipping and installing specialized hardware). After that, it takes time – even for really smart people – to gather log data and analyze it, as well as learn enough to be knowledgeable about your network and application infrastructure.
The best time to call in the experts is before you need them, but that can be extremely expensive with today’s business model for cyber security incident response services – most companies can’t afford to pay security experts to “hang around” waiting for something to happen.
For the past few years, we’ve been pioneering the Active Threat Protection approach to cyber security. It includes a capability called Active Intervention based on the concept of Embedded Cyber Security Incident Response. This isn’t having experts on call – it’s having them actively monitoring your network every day and already being on the job if an attack happens.
You should check it out. The approach is so effective that we’ve become the go-to supplier of cyber security protection to the alternative asset management industry, with over 150 funds and $1.3 trillion in assets under our Active Threat Protection umbrella.
Once we admit there’s an elephant in the room, we can do something about it. If you’re coming to RSA, stop by to see us. If not, give us a call or get this white paper on Embedded Cyber Security Incident Response.
It’s a new way of thinking about cyber security that puts the word “active” in threat protection.
With each passing week we seem to learn more about the Target data breach.
On February 4, 2014, top executives of Target and Neiman Marcus testified before a Senate Judiciary Committee hearing. As reported by the New York Times, “John J. Mulligan, Target’s chief financial officer, confirmed that the data thieves gained entry to the company’s computer system by stealing an outside vendor’s credentials.”
Brian Krebs, the influential cyber security authority, reported on his Krebs on Security blog that the outside contractor was an HVAC company that performed work at numerous Target, Trader Joe’s, Whole Foods, and BJ’s Wholesale Club locations.
Regardless of what kind of contractor it was, the revelation that hackers used an outside vendor to surreptitiously penetrate Target’s internal network is a heads-up moment for all midsize companies that do business with larger enterprises.
In fact, it gives more than one heads-up. We’ll list a few of them here:
Heads-up: Cyber criminals don’t ignore small and midsize companies.
The Target breach tells us why – because smaller companies typically have weaker cyber security defenses, they are easier to crack. Cyber criminals see them as the soft underbelly route into their larger trading partners, where higher value data can be stolen.
Too often, midsize companies hope they can hide in the crowd, and cyber criminals won’t target them because they are concentrating on the bigger fish in the sea. But as has been said, hope is not a strategy. With automated tools, cyber criminals can cast a very wide net, probing for companies where they can gain easy access – and the Target breach teaches us (and the cyber criminals) that they can hit the jackpot by using this approach.
Heads-up: Your large trading partners are about to become much more interested in your cyber security posture.
If a big part of your revenue comes from larger enterprises with whom you are connected, you can expect increased scrutiny on the security front. In the future, we will see regular vulnerability assessments – to include disclosure of findings, identification of remediation steps taken, and confirmation that gaps have been closed – as a condition of doing business.
True, the Target breach was probably exacerbated by control failures on the Target side, but with the news that an outside party was the means of entry you can bet that every large enterprise is currently reviewing its policies and mechanisms for vendor connectivity.
Extending their acceptable criteria to include minimum cyber security standards that trading partners must meet is a small and logical additional step (that doesn’t cost the larger enterprise much), which will become increasingly common.
Heads-up: Security automation by itself doesn’t cut it.
We don’t yet know exactly how cyber criminals obtained and exploited the outside vendor’s credentials to Target’s network, but we do know that the vendor’s own network was breached first, which in turn led to the much broader losses suffered by Target.
We also know that today’s advanced threats are not detectable by security automation – at least, not before some unfortunate company has been breached and the threat has been analyzed and a signature created for it. Every organization is exposed to zero-day attacks that are heretofore unknown – and which bypass security automation to penetrate unsuspecting companies.
This may seem unsettling if you are a midsize company: how can you protect your systems, trading partners, and confidential data against both known and unknown threats – and stay within your IT budget?
There is a way. At eSentire we call it Active Threat Protection. Midsize companies can improve their cyber security posture, making themselves safe and preferred business partners for larger enterprises, by taking three simple steps:
- Deploy Active Analytics. This is real time technology that detects known threats by their signatures and unknown threats by their behaviors. It provides extended protection that is broader and deeper than traditional security automation can deliver.
- Move to Nonstop Vulnerability Management. Annual cyber security assessments leave too much time for cyber criminals to invade your systems and establish a beachhead. An approach known as Continuous Security Posture enables midsize companies to close that gap and maximize their defenses.
- Line Up Active Intervention Services. The best approach to cyber security is to presume you will be hacked, and that you will need expert help to remediate the situation. Unfortunately, most companies don’t call in the experts until after an attack has unfolded and it’s too late. By moving to Active Threat Protection, your company will benefit from Embedded Cyber Security Incident Response, in which security analysts call you (instead of vice versa), and are already working to remediate threats that need expert attention.
Active Threat Protection is a new approach that gives midsize companies an extremely strong cyber security posture without breaking the bank. If midsize companies can learn anything from the Target data breach, it’s that they can’t count on cyber criminals to ignore them, but there are practical steps they can take today to minimize risk.
By: Eldon Sprickerhoff
The XXII Winter Olympics in Sochi is a modern-day microcosm of what it's like to live with the threat of terror. And like any sports event or known public gathering, the event itself becomes a soft target. Ultimately, the Sochi Games will be a test of will and determination, and a chance for Russian officials to show the world that Sochi is safe and ready for the challenge.
Though threats to Sochi are real and serious, nobody has suggested the Games be cancelled. We believe the Russians have chosen a broad selection of successful techniques - including a combination of technology and people immersed within the environment – that will deliver the continual updates and analysis to rapidly address security issues:
Embedded Defense Actors
In the context of the Olympics, security is embedded: thousands of visible and invisible personnel are deployed because you can’t always rely on technology. Insiders know how to beat the system and know that someone is watching; external attackers don’t necessarily know that someone is watching all the time. We think this is a huge plus in combating the threat.
In addition to traditional attacks and threats, we are seeing new attack vectors and tools being used to compromise networks. It’s the same at the Olympics: some threats are familiar and some are new. Russian host organizers have had time to ready themselves both for the type of attack that took place in Munich in 1972 and for something different: financial crimes, the spread of malicious content, and phishing attempts.
Russian preparation time means procedures have been put into place to respond to and remediate an attack. If something happens, they can deliver a response that’s appropriate to the vector and the threat. Time to prepare and coordinate is key.
Emphasizing Facts over Fear
You accept risk every day when you get out of your bed. You mitigate risks and address them the best you can, but you don’t focus on the fear. The corporate security perspective is the same – there are things you do to prepare for an appropriate degree of response to meet the threat.
Traveling to Sochi? Take heed of some common sense recommendations:
- Be prepared to enter an environment of continuous surveillance. The Russian government has given fair warning that mobile phone conversations, messaging, e-mail, social media and other facets of modern-day communication and interaction will be monitored. Sound familiar? It’s the new normal and technically not too different from the current state of surveillance in the United States by the NSA, in Canada by the CSEC, and other nation-state intelligence operations.
- Take nothing for granted: It will take both individual and collective situational awareness to mitigate or foil any terrorist attempts. Fans, security personnel, athletes, officials and journalists need to be proactive, vigilant and recognize and report anomalous behavior.
- Believe in the power of your intuition: Using human intelligence to detect unusual behavior is imperative. A relatively recent case-in-point: The Times Square bomber, whose efforts were foiled by two alert street vendors who discovered the car bomb in a parked car at Times Square and alerted authorities.
- Think beyond the Ring of Steel: When traveling into and within Russia, have an elevated sense of your surroundings and a heightened awareness on trains, buses, airplanes, and at all public gathering points.
We believe Sochi represents a unique modern-day nexus between physical and electronic security that’s not too different from the way we protect corporate networks from unknown threats. The time, preparation, coordination and visible commitment made by Russian officials will likely make the Sochi Games safe and the competition fierce, living up to the Olympic motto: Citius, Altius, Fortius (faster, higher, stronger)!
Eldon Sprickerhoff is CTO and co-founder of Cambridge, Ontario-based eSentire, a leading provider of active threat protection services. He can be reached directly at
By: J. Paul Haynes
FireEye’s acquisition of Mandiant validates the eSentire business model and investments to-date, structural decisions on how we solve next generation security problems, and our operating premise that technology alone cannot battle the onslaught of advanced threats and targeted attacks that today are commonplace. Human threat defenders are ultimately needed to protect against human threat actors, especially as 40 percent of all attacks are not tied to malware but insider threats and other inherent and underlying vulnerabilities.
A few months back I was asked by an industry analyst to describe where eSentire positions itself. I replied: ‘at 30,000 feet we are like a combination of FireEye and Mandiant, delivered as a service, to midsized enterprises who know they don’t have the in-house skills to tackle advanced cyber security threats.’
So when the deal was made public on Jan. 2, I couldn’t help but notice that the striking Detect, Contain, Resolve, Prevent graphic on slide 7 of the FireEye - Mandiant deal announcement is almost identical to Bruce Schneier’s well-known Prevent, Detect, Respond model, published 14 years ago in Secrets and Lies: Digital Security in a Networked World. Fittingly, Schneier’s Prevent, Detect, Respond was the inspiration and original model used by eSentire CTO Eldon Sprickerhoff when he founded eSentire in 2001, and an operating model we continue to follow in deploying our Active Threat Protection services.
Schneier foreshadowed today’s advanced threat reality in expert testimony he delivered at the Hearing on Internet Security, before the United States Senate Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science and Transportation, July 16, 2001. Following is an excerpt:
“Real-world security includes prevention, detection, and response. If the prevention mechanisms were perfect, you wouldn't need detection and response. But no prevention mechanism is perfect. This is especially true for computer networks. All software products have security bugs, most network devices are misconfigured, and users make all sorts of mistakes. Without detection and response, the prevention mechanisms only have limited value. They're fragile. And detection and response are not only more cost effective, but also more effective, than piling on more prevention. Prevention systems are never perfect. No bank ever says: "Our safe is so good, we don't need an alarm system." No museum ever says: "Our door and window locks are so good, we don't need night watchmen." Detection and response are how we get security in the real world, and they're the only way we can possibly get security on the Internet. We must invest in network monitoring if we are to properly manage the risks associated with our nation's network infrastructure.”
The ultimate success of FireEye - Mandiant will be determined by the new entity’s customer experience. While shareholders certainly win in the short term, will customers win long term? Will FireEye feel the same pressure to innovate when half their company is paid top dollar to remediate post-incident or during a breach?
Another frequent and inherent issue when product companies buy service companies is a culture clash. Pre-acquisition, Mandiant’s incident responders ruled the roost. Will they contrast and collaborate effectively with FireEye hardware sales executives, or will their smartest incident responders run for the exits?
Prevention ≠ Security
Case-in-point: we recently won the business of a top-three service provider in Canada who was convinced their $150,000 set-and-forget FireEye appliance stopped everything. We put our service in behind FireEye and found 12 high or critical infections in less than two days. The customer contracted with us to have our Active Threat Protection services immediately put in place. Today we help them by: detecting and blocking hidden payloads; blocking connections to upstream command-and-control based on our expert threat intelligence; using operational forensics to detect non-malware based behaviors indicative of advanced targeted attacks, and by using intel to block exfiltration attempts. No word yet on the fate of their FireEye appliance.
How will the deal move the needle for FireEye toward profitability? FireEye needed Mandiant’s human intelligence, incident response savvy and robust digital forensic capabilities to truly balance and complete its market offering. I believe the deal will offer significant synergies on the sales, marketing and administrative fronts, so expect the equivalent post-merger organization to be approximately half its current size, which should give FireEye a shot at turning a profit. They are aggressively buying market share, and with 70-73 percent gross margin, they need every nickel of SG&A synergy possible. I note the eSentire model yields slightly higher gross margins.
Industry pundits in their analysis of the deal have been more bearish. Richard Stiennon, one of the information security industry’s highest-profile analysts, wrote about FireEye’s acquisition (in analysis for SecurityCurrent) not as a consolidation play, but rather as ‘a scramble on the part of FireEye to backfill its lack of product depth.’
Also, almost all of the combined entity’s product and managed service customers are $1M annual contracts with Fortune 100, government, defense and intelligence organizations. It is not clear to me whether their economic model will allow them to conceivably get below the Fortune 1000. While FireEye does get some mid-market traction, they are at the very upper end of what these organizations typically spend. Perhaps clients will have better negotiating power when procuring both FireEye network security and Mandiant endpoint solutions, which will put downward pressure on margins.
So to the new FireEye, we say welcome to the Active Threat Protection market. As Schneier testified in 2001: Security based solely on preventive products is inherently fragile. Newly discovered attacks, the proliferation of attack tools, and flaws in the products themselves all result in a network becoming vulnerable at random (and increasingly frequent) intervals. Active security monitoring is a key component missing in most networks.
J. Paul Haynes is CEO of Cambridge, Ontario-based eSentire, Inc. www.esentire.com