FireEye - Part 1. Why FireEye? How it works?

FireEye makes a difference today because, as the CEO of FireEye put it to Forbes magazine, “Much of the money you are spending on computer security is focused on fighting the previous generation of threats, not the current ones that are the most dangerous that compromise over 95% of organizations”.

The previous generation of threats were mostly ‘pattern’ attacks, such as attacking open ‘known ports’. Today’s threats, however, leverage irregular and unconventional ‘multi-faceted’ attacks. Another way of looking at it: in the diagram below, the earlier attacks were simple, had 2-3 phases and were easy to block. Today’s attacks have become complex.

If you think about it, the known and unknown ports and entry points (browser, email etc.) have remained the same; however, the threats have increased. There is now a combination of attack phases involving emails and browsers at the front and botnets, malware, worms, viruses etc. at the back, in addition to attacks on other vulnerable computers. As one SANS whitepaper says, “Over the past 10 years, computer attacks have shifted from operating systems to applications”. So the CEO of FireEye is right: the exposures have remained the same, but the threats have increased.

So, why FireEye and how does it work? Rather than explaining it myself, here is the excerpt on how FireEye works from Forbes. See the diagram from FireEye themselves.

Finding Threats that Don’t Want to Be Found

Finding threats that are expertly concealed and utilize multiple steps to take over a system, takes a three stage approach that combines aspects of machine learning and a cloud-based knowledge repository. Here’s how FireEye works from a high level:

  • On the way in to an environment, the initial attack malware is embedded inside ‘good’ traffic, such as within Web pages, emails, or in documents. But at some point it has to do something incriminating to kick off an attack. The challenge is separating unusual but harmless actions of a Web page or email attachment from embedded malware attempting to do dirty work. The first thing that the FireEye system does is scan for suspicious Web traffic, email attachments, and/or documents on file shares and tag them for further analysis. In other words, FireEye starts with a bunch of weak signals that could or could not be precursors of a problem.
  • For example, once a web page does something potentially suspicious, FireEye then sets up a virtual execution environment in which to safely execute, or ‘detonate’, that Web page in the safe confines of a virtual environment. Inside the virtualized environment, the suspicious Web objects are all run through their paces and observed. If it is a normal page, then FireEye learns that the potentially suspicious behavior wasn’t a problem. If the malware starts an attack, say by exploiting the PDF plug-in, the malware activities all happen inside the environment so no harm is done while full malware forensics and outbound communications are captured. At that point FireEye can say for certain that malware has been identified and stop the attack from exfiltrating data.
  • So, the malware forensics can then be shared by all FireEye systems through a ‘protection’ cloud network. The malware knowledge repository gets smarter at an increasing rate the more systems are involved. The sharing of machine learning enables the protection of the rest of the systems before they get hit. Participants do not have to wait for an updated virus detection file to be installed to be protected. This reduces the window of vulnerability during day zero of an attack.
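The three stages above (tag weak signals, detonate and observe, share the verdict) as an added simulation written for this post; it is not FireEye’s code, and the sample objects, behaviour traces, weights and the `cloud` verdict store are all constructed stand-ins, not FireEye’s data or report format.

```python
import hashlib

# Constructed samples: object bytes plus the behaviour a detonation sandbox
# would record for them. Stand-ins only, not real FireEye output.
SAMPLES = {
    "quarterly_report.pdf": (
        b"%PDF-1.7 constructed benign document",
        [{"type": "file_read", "path": "C:\\Windows\\Fonts\\arial.ttf"},
         {"type": "network", "dst": "cdn.example.test", "port": 443}],
    ),
    "invoice_0423.pdf": (
        b"%PDF-1.7 constructed document with embedded /JS",
        [{"type": "process_spawn", "parent": "AcroRd32.exe", "child": "cmd.exe"},
         {"type": "file_write", "path": "C:\\Users\\Public\\svch0st.exe"},
         {"type": "network", "dst": "203.0.113.7", "port": 8080}],
    ),
}

# No single behaviour reaches the threshold: a weak signal alone does not
# convict, a combination observed during detonation does.
WEIGHTS = {"process_spawn": 40, "file_write": 30, "network": 30}
THRESHOLD = 70

def incriminating(event):
    """Distinguish unusual-but-harmless actions from ones that kick off an attack."""
    kind = event["type"]
    if kind == "process_spawn":          # document viewer launching a shell
        return True
    if kind == "file_write":             # dropping an executable to disk
        return event["path"].lower().endswith(".exe")
    if kind == "network":                # HTTPS on 443 alone is not evidence
        return event["port"] != 443
    return False

def score_events(events):
    """Sum weights over the distinct incriminating behaviour types observed."""
    kinds = {e["type"] for e in events if incriminating(e)}
    return sum(WEIGHTS.get(k, 0) for k in kinds)

def analyze(name, cloud):
    """Tag -> detonate -> share. `cloud` is the shared verdict store keyed by object hash."""
    content, events = SAMPLES[name]
    digest = hashlib.sha256(content).hexdigest()
    if digest in cloud:                  # another system already detonated it
        return {"verdict": cloud[digest], "detonated": False}
    verdict = "malicious" if score_events(events) >= THRESHOLD else "benign"
    cloud[digest] = verdict              # share forensics with the protection cloud
    return {"verdict": verdict, "detonated": True}
```

A second appliance asking about the same hash gets the verdict without detonating, which is the day-zero window the excerpt describes shrinking.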

Subsequent blog posts will follow:

Part 2 : FireEye deployment practice

Part 3 : Collection of articles on how FireEye brought (or attempted to bring)  botnets down

Part 4 : What are the downsides of FireEye
