FireEye explains their new security operating system release and the drawbacks of signature based defences

FireEye Inc have announced their latest security release which aims to bolster email threat protection and operational readiness.

Greg Day, VP and CTO of FireEye explains the background behind the FireEye Inc. company, their operating system and the security concerns their latest release hopes to address.

In this insightful conversation Greg explains how they go about integrating their systems into those of their clients.

Knowing where attacks are coming from and how they are involving is a key part of providing security solutions and Greg Day explains their understanding of threat sources and the methods they employ to stay ahead of the game to provide their clients with the adequate protection.

Traditional signature based defence systems are old and have their drawbacks, here we find out how systems like FireEye get around this problem and how the impact of the huge raft of changes in the security industry has formed their current offerings.

For more related podcasts visit

Subscribe to receive future podcasts for free in iTunes here.

Download the MP3 to your device here.


FireEye Inc has announced their latest security link which claims to bolster security protection and operational readiness. Greg Day joins me to talk about FireEye Inc the company and their operating system and the security concerns this latest release hopes to address.

Greg, welcome to the podcast give us an overview of FireEye what attacks are you concentrating on dealing with and give us a bit of an insight into the company itself that is behind it all.

Sure, so FireEye has been around for about 10 years now and was started by a gentleman called Ashar Aziz to solve a very specific problem and that problem really was the targeted attack and we have had what two and half decades of cyber crime and before that really malware attacks that were all about proof of concept.

But they were all based on one premise which was volume of attack and if you look at it most of the security tools we use today are really focused around that volume challenge because right since the dawn of antivirus what has happened is what we have seen is a number of customers would be compromised and would start to see the symptoms and all they would do is they would send it to their security vendor who would write then a signature and we would all get the benefit from it.

Now the challenge we have really seen in the last few years, since the birth of the APT if you like is attacks getting more and more personalised, and so FireEye’s remit was all about how do we help you find that attack that was really aimed at you, or just a few, rather than the masses when there is no signature to deal with the problem.

The way we do that is through something called a virtual execution engine and so really what we do is we listen to streams of traffic and we listen in the most common places that we think will be attacked email, web browsing looking at file store and now we can look at mobile devices. We look for traffic anomalies we think could be an indicator of an attack.

When we see enough anomalies coming by what we will do is we will take that whole stream of traffic and we will put it into a virtual environment where we will emulate being that end user. The idea of this is to then be able to see all of the different indicators of change going on to that system during the attack process so we can give you a 100% clear guarantee whether you are being attacked by something new, or if maybe this is just a bad bit of programming by somebody and the whole goal of this is to then give you that defense real time against something that is aimed purely at you by being able to block on those indicators and most importantly being able to block the call back.

So I think one of the rudimentary things in the security today is we have always tried to stop the attack purely as it came in the front door and that is like trying to catch a speeding bullet, and in fact if you look at the PWC or the engine or any of the industry reports , if I quote the entrams report it is an average 243 days before a company realises that it has been breached and being able to block that call back to me is probably about the most important thing we do , because what we are doing there is mitigating the business impact we are stopping information infiltration.

When a client comes to you and asks for your services how do you initially go about integrating your system into theirs?

The thing we do for just about every customer is we offer a thing we call a proof of value trial and if you look around the world if you look at the money we spend on network and endpoint security worldwide we spend about 16 billion dollars every year which is a phenomenal amount , by the way that does not include all the operational costs that go with that.

And so the first thing we normally offer them is say look you have invested all of this money in security why don’t we put one of our appliances in behind your existing security controls and we will just see if there are things that you are missing today.

The simple reality is that 95% plus of those proof of values e find one of two things either they were already compromised and they didn’t know it and we recognised that by the command and control the call back traffic going on or we see an attack actually happening while we are doing the proof of value.

There is one thing that is key in all of this which is we have to rudimentary change I think our mindset a bit when we dealt with cyber crime it was lots and lots of volume but those volume attacks were just after generic information and so the impact on the business was valuable but not catastrophic.

When somebody takes the time to write an attack specifically for an organisation then they have done it with a purpose and the purpose is generally to get to the most valuable information that organisation has.

The education is whilst most organisation measure their success by volume either by the volume of what they stopped or the volume of what put through we have to change that mindset and start thinking about the business impact what is the impact of what gets through versus the impact of what you have stopped.

Where do you find Greg most of these attacks originating from and who is attacking who here?

Well I think there is a typical misconception here, I think it is very easy to think this is all nation states and it is Government to Government cyber warfare or espionage, and certainly we do see that we see attacks coming out of China and we see attacks coming out of a whole bunch of different nation states but the simple reality is in an average month we are seeing around about 25,000 unique new attacks every single month and nearly 80% of those will hit purely one company.

It could come within country to country, it could come across country but I think the simple part is that this is very much a global problem so we see it in just about every nation, we see it in every entry vertical so it is very hard to say that the problem just exists in this specific place.

Well you have announced the release of the new FireEye Operating system what was lacking in your offering an also in the market place that led you to develop the new release in the first place?

I think for us this is just the next natural evolution that we are going through and we are very customer focused so a lot of this was driven by customer feedback. I think that one of the things that organisations asked for time and time again was we really want quick access to understand what is going on and there is a key part here we have often invested a lot of money in security platforms so we need to be able to integrate into that so we worked with just our own if you like, management dashboard to make sure that the key information is right in front of you at all times.

We have also added in a web services APRI that allows us to be able to in real-time or quickly pass that information when we have discovered it into other security platforms either platforms that you might want to actually action on that data or central management platforms that you have got maybe if you are using a simpt or some sort of other technology.

I think the other thing or two other things that we have added to focus on is one was to priories and increase capabilities and so that was starting to put in different accounts into our interfaces as we see more and more global organisations deployed a broader scale, they wanted to be able to have accounts for specific sub parts of their organisations. And certainly more and more wanted order only accounts where they needed to track configuration changes to see who has been involved in using the technology but not be able to touch it.

In the same side we also added in new SNP alerting so we could keep a very clear and close eye on the health and status of the box. I think the third and final bit is keeping ahead I suppose the technology trends so we have added in support for IPV6 as we are starting to see real adoption around the world and the last which is the one you mentioned is we have added in dynamic URL support .

So what does that really mean?

We talked about we can monitor email and web browsing what we see commonly these days is attacks will actually link those two different methods together in a way of circumnavigating traditional security controls, so if I have something like a sandboxing technology it would typically just grab an object and look at it in its own entity.

So what we see the attacker do is potentially send you a targeted email and within that email would be maybe a link to a website, and when you go to that website it will then download the attack object, so when you join all those different parts together now historically wheat we would have done was we would have passed the information from our email appliance over to our web appliance, and what that would have done is that will have given the email appliance in its own right the ability to, if you like, go through that hole and now assist its chain so that we can make sure that we stay ahead of the attacker.

That is using what we very often call multivector different methods and also multiflow, there is different components within that attack. That is one of our ongoing challenges is as we see attackers using new and different techniques making sure we add those capabilities in and making it as easy as possible for our customers to put in those protection controls.

You talk a lot about the differences and advantages of your system over the more traditional signature based defenses what are the weaknesses that you see within those older defenses?

I think signature based technology really started when viruses did back in the late 1980’s early 90’s and it comes back really to the point that I made earlier signatures in many ways are based on known. It is based on the fact that somebody has to see the attack and recognize that they have been attacked and then give it to the security vendor and the security vendor will then turn that into a signature and the security vendors share signatures with each other so that has been the kind of challenge.

Signatures work very well when it is volume based , if I were to look for example maybe at a new banking Trojan when you see 10’s of thousands and millions of instances in a day obviously it does not take long for somebody to recognize that something is going on and at some point somebody gets it to the vendor and within 4 – 10 hours I have got coverage but when it is targeted purely at my organisations and nobody else then if I don’t see it then who is going to write the signature, and even if I do see it then it’s too late because it has already happened.

Now I think you will find that a lot of signature based technology is also used some behavioral monitoring so they all flag up and indicate here is something suspicious and I think that in its own right is valuable but creates challenges because now what I get is the challenge that a lot of organisations face today which is information overload.

I get all these things that potentially might be a problem or might not be a problem and I talk to companies that typically now are aggregating all of these events from signature tools from behaviour tools, right down to some of the alerting and logging that comes from the operating system and often they are getting literally in the hundreds and millions of events that are coming back into a big simpt tool every day and then it starts to become a bit like looking for a needle in the world’s largest ever haystack and the key part of this is what we want is clear simple actionable data.

Full information on this release from FireEye can be found on the description part of the podcast page on Now Greg what do you see as the biggest changes within the security industry in recent times and what do you expect to be planning for going forward into the future?

I think probably the most rudimentary changes that is almost still in its infancy now is a change of mindset, if we go back 5 – 10 years ago I think we almost had this belief that we could stop everything getting in and that was okay when we had maybe a 1,000 or a couple of thousand computers and they were all standard and locked down.

Now most organisations have hundreds if not millions of devices we have such a broad and complex environment and then we add in the human factor into here I think there is a realisation that we have to start to realise that at times we will be compromised and certainly once the attacker evolves and changes therefore we need to focus not purely on defending but how we respond to that and I think that one of the things that certainly I am hearing more and more is that in times gone by when organisations were attacked they would literally go to those systems and wipe them and restore them from images because that was the quick and easy way to get back on to doing your normal thing, but actually more and more what we need to be able to do is to start to do that forensic analysis more that says okay so the attack got in so it is almost like the automated bit it got in and spread around but then there is the human element to this which is so what is the person who actually launched the attack do, what information did they take from me.

What does that mean? That I need to do as a result of that so the terms we will hear more and more is attribution. Really attribution is really about trying to understand a bit more as to who was sat at the other end of the attack and what was their motives, was it somebody who was state sponsored, was it somebody who is maybe a competitor in my industry space that is trying to steal my IP, was it just a criminal who has just realised that they can make more money by taking small amounts of high value information rather than volumes of generic information.

We need to be able to figure that out to be able to understand what is the right response that we take and certainly at the minute there is the EU network information security directive which is in review that looks like in the next year or two will mean that we actually need to be able to do this post incident analysis and we shall have to report that back to our national authority.

So I think the game is changing in actually what is the remit of security. I think that in terms of the attacks cyber crime will continue it has been unfortunately successful for a long time and will continue but certainly we are seeing almost the half way house between APT’s now and cyber crime which is just targeted advance attacks that are taking all the tools the side of the criminal hand and just personalising them down for organisations.

I think as we look forward we are going to see a couple of new things into this, mobile is starting to become more and more of a factor whether that is just doing reconnaissance and just gathering intelligence or whether it becomes almost the instigation point and I think what we are also going to see is more collaboration out there , I suppose the organised crime element and certainly that kind of follow through of innovation as they start to very quickly share each other’s techniques and work together .

I think one final thing that we are expecting is we start to see these, in many easy high profile attacks which we will have to disclose i.e. bigger impact, I think we will see more attacks actually wipe the system when they finish , and it is almost a bit like if I am a criminal and I have left my fingerprint s in the building how do I make sure that no one can get them whereas if I were to burn the building down there is no evidence left so I think we are going to see more attacks in the next year or so once they have achieved their goal and almost self destructing system do there is no forensic evidence left behind them.

As securities company how do you monitor the way that threats are developing and changing in order to stay ahead with your offerings and your products to counter the ever evolving new types of attacks?

I think there are a couple of parts to that one is obviously monitoring technology innovation itself an seeing what is coming out whether it is new operating systems, new applications, new devices and having to look at it in kind of the broader picture and say whilst it brings all this great capability how can we see it being misused and then starting to prepare building into our technology the ability to be able to actually look within those environments ready to then start to put in controls. I think the next part of this is this kind of leading edge of the most sophisticated attacks take real time to develop and will occur once and what we see behind that is that we start to see others reusing those techniques.

So the other part of this is keeping a very close eye on just how we see those different kinds of innovations starting to come out and then almost joining the dots together and saying we have seen this happen , we have seen this new technology how do we think that will next innovate and again trying to make sure that we put controls in place and I think the most rudimentary part of this is that whenever you take a step forward we have to try and solve the problem at the broader level otherwise you would be responding every two minutes .

Again one of the beauties for us is this idea that the virtual execution engine because we are almost using the attacker against themselves by being able to put it into an environment and actually see what it does we can monitor all of those different steps so we see all of those new little traits and techniques .

Let me give you a simple example. So sandboxing is a different way of solving the problem that is again getting some traction but if you think about it if I put an attack into an automated environment there is nobody sat at the other end you put it in the environment and you emulate it through , so what we have seen recently is attackers start to monitor for that and they will do things like see if anyone actually clinked on the links, see if the mouse truly moved and clicked on the attachment.

So we have to be able to monitor for things like that and actually do that emulation to make sure the attack works as it really does in just the same way we see them put in time delays because if it is automated again then they could just say right once the user clicks on the link I’ll do nothing for 12 hours and if I am in a sandbox or some sort of automated environment it will probably run for 2 minutes and finish.

So we are quite unique because we actually work almost as they integrate directly in a hardware level so we hear all those requests going on and when we start to see those we can then start to be able to respond to them appropriately.