In early May, FireEye announced that company president Kevin Mandia would replace industry veteran Dave DeWalt as CEO. My colleague Doug Cahill had a chance to catch up with Kevin recently to get his perspectives on FireEye, enterprise security, and the threat landscape, among other topics. Here are a few highlights:
On FireEye’s direction: in spite of lots of distraction, Mandia is focused on driving "engineering innovation" at FireEye. Normally, this vision would be equated with security products alone, but Kevin believes that products can anchor services as well. This involves installing FireEye’s endpoint and network security products on a customer network, collecting telemetry, comparing it to current threat intelligence, detecting malicious activities, and then working with customers on remediation. To accomplish this, FireEye products must be "best-in-class" for threat detection on a stand-alone basis. The FireEye staff is then available to add brain power and muscle to help product customers as needed.
On FireEye as a Service (FaaS): while Mandia admits that few of its customers start by buying FaaS, they often move into FireEye as a Service over time. Why? Same old issue that I’ve been writing about for years — the global cybersecurity skills shortage. According to ESG research, 46% of organizations admit to a "problematic shortage" of cybersecurity skills today. So FireEye customers buy products, then realize that they don’t have the skills or staff size to run incident detection and incident response processes at scale, and then call in the FireEye cavalry for help. FireEye tends to view FaaS as a one-size-fits-all service that customers can use on an as-needed basis. If you have ample cybersecurity resources but need an occasional assist, FaaS can be available. You can also use FaaS for the whole IR enchilada if you don’t have the right skill set. In the future, Kevin would like FaaS to be omnipresent as this type of safety net, with tight integration to products so customers can easily access and use FaaS whenever necessary. Kind of an "easy button" for IR.
On endpoint security: Mandia agrees that endpoint security is in a rapid state of transition as large organizations add new threat prevention controls on one hand, while implementing EDR projects on the other. While he recognizes the need for improved threat prevention, FireEye is leaning toward detection for a few reasons. Prevention will always miss things or produce false positives, adding to operational overhead and creating security vulnerabilities. Kevin believes that once you detect something that’s actually bad, it’s easier and more efficient to block it at that point. Mandia also believes that large customers don’t want to block threats willy-nilly; they also want telemetry and threat intelligence to let them know if they are under attack, who is attacking them, and what TTPs are being used against them. Kevin believes that FireEye can be a major player in next-generation endpoint security as a result of this type of focus.
On threat intelligence: Mandia believes that the combination of Mandiant’s internal IR intelligence and iSight Partners’ external threat telemetry gives FireEye the best threat intelligence available from any source. FireEye also describes how it looks at threat intelligence — from the cyber adversary into the enterprise. Armed with this perspective, FireEye watches the tactics, techniques, and procedures (TTPs) of threat actors, applies analytics, and then anticipates the industries and companies they plan to attack. Given its threat intelligence prowess, FireEye views threat intelligence as a foundation for all of its products and services and believes that this sets the company apart from others.
On the threat landscape: Kevin characterizes the current threat landscape as the 5th phase he’s witnessed. The first, pre-1996, consisted largely of governments attacking governments. Between 1996 and 2000, the threat landscape started veering toward cyber-crime incidents. In the early 2000s, it was governments attacking the private sector. The 4th wave was characterized by the Sony attacks and quasi-government hackers focused on hacktivism and system destruction. Finally, the current wave is focused on ransomware and extortion. As far as ransomware and extortion go, attacks have moved from using phishing as an attack vector to using spearphishing exploits. By doing so, cyber-adversaries can now launch targeted attacks, lock down many critical systems simultaneously, and demand lots of money in return. Mandia also talked about multimillion-dollar extortion schemes in play today where cybercriminals compromise sensitive data like the emails of corporate lawyers. Many organizations would rather pay the bad guys than have this information exposed publicly. Very scary stuff.
What was most refreshing about our discussion is what Kevin didn’t talk about. While Wall Street remains obsessed about FireEye’s business model and the potential for some type of M&A deal, Mandia stuck to a dialogue about threats, security technologies, skills, and best practices.
In my humble opinion, enterprise CISOs don’t really care about which Sand Hill Rd. VC firm or Wall Street investment bank makes money on cybersecurity investments. Instead, they care about mitigating risk, ensuring that they have the right cybersecurity skills and resources, protecting their IT assets, and addressing problems quickly when they arise. Cybersecurity vendors that offer the right products and services to help them achieve those goals stand to make a lot of money in the process. Kevin Mandia seems to understand this reality and is pushing FireEye as an enterprise cybersecurity solutions provider as fast as possible.