FireEye Technical Briefing 19th March 2015 part 1

I attended a pretty interesting technical update afternoon hosted by FireEye recently and as usual made notes during the talks.

The first talk was titled ‘Staying one step ahead of the attacker’ by David DeWalt, the CEO of FireEye.

This was a broad talk covering the gap between current security defensive and offensive capabilities followed by some thoughts on how to best combat this and detect advanced attacks.

State of the Defence

– Is offence outweighing defence? Offensive skills and tooling are outpacing defensive at the moment.

– Number of offensive groups growing rapidly, with great skills.

– Lots of state-sponsored action occurring – Russia, China, US etc.

– Low barrier to entry.

– Emerging states – they just need skilled people to enter the game.

– Less to protect, more to gain.

– Less advanced / wealthy nations can enter the game at a much higher level than in the traditional physical offence / defence world.


Offence has been winning – they only have to succeed once!

Mean number of days before breach detection is still 205 days. This has reduced since last year, but it is still orders of magnitude too high.

69% of breached companies learned about the breach from an external entity.

The majority of breaches occurred in companies that had up-to-date AV etc. These are still valuable, as attackers will go for the low-hanging fruit; however, many advanced threats can evade traditional defences.

Defensive capabilities are currently too reactive, and there is a huge volume of noise to sift through to find the one ‘real’ security event.

The basic attack pattern has been unchanged for some time – research, initial exploit, malware drop and call-back, maintaining presence, then ongoing data exfiltration.

Very often the research leads to spear phishing, which leads to the exploit.

Data exfiltration may just be monitoring information such as financial data to enable insider trading and fraud; there may not actually be high volumes of data exfiltrated, which makes detection even harder.


Detecting the exploit is key, since every phase after that can be encrypted by the attacker.

Advanced threats are everywhere.

Knowing where to focus is key – not a mile wide one inch deep, but an inch wide, a mile deep.

Must understand that:

– Significant % of traffic is not through firewalls

– 100% of attacks are multi flow

– 91% of attacks are multi vector

– Attacks increasingly out of band / off network

– Consumerisation is increasing the attack surface – more vectors, more flows


Need more pro-active defence.

Monitoring across multiple attack vectors

Need to be able to spot malware that evades traditional defences

Must have skills available in security teams (in house or external) to understand, investigate, respond and automate

Must combine with advanced threat intelligence to know what to look for, what current threats are and how to best respond.

Take-away thoughts:

Security needs to provide an overall advanced threat management and response capability:

– Detect

– Protect

– Analyse

– Respond

It's about joining the dots to provide a complete picture.
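The attack pattern noted above (exploit, call-back, persistence, exfiltration) and the closing point about joining the dots are what a correlation rule in a SIEM is meant to implement: single-vector alerts from different sensors are only meaningful once they are linked per host, in phase order. The following is an added illustration written for this post, not code from FireEye or from the talk. It walks constructed alerts from three hypothetical sensors (an IDS, a web proxy and an endpoint agent), only starts a chain from a detected exploit, and only links a later stage if it follows the previous one within a time gap. The event data, host and sensor names and the three-hour gap are all assumptions made for the example.

```python
"""Correlate per-host alerts into the multi-stage attack pattern
exploit -> call-back -> persistence -> exfiltration.

Added example for these conference notes; not FireEye code. All events
below are constructed sample data, and the sensor/host names and the
default gap between stages are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Phases of the attack pattern, in the order the talk described them.
PHASES = ["exploit", "callback", "persistence", "exfiltration"]

# Constructed sample alerts: (timestamp, host, sensor, phase).
SAMPLE_EVENTS = [
    ("2015-03-19T09:00:05", "ws-0142", "ids",   "exploit"),        # inbound exploit seen
    ("2015-03-19T09:00:41", "ws-0142", "proxy", "callback"),       # first beacon to a new domain
    ("2015-03-19T09:02:10", "ws-0142", "edr",   "persistence"),    # new autorun entry
    ("2015-03-19T10:45:00", "ws-0142", "proxy", "exfiltration"),   # large outbound upload
    ("2015-03-19T09:10:00", "ws-0377", "proxy", "callback"),       # no prior exploit: noise
    ("2015-03-19T09:30:00", "ws-0377", "edr",   "persistence"),    # legitimate software install
    ("2015-03-19T11:00:00", "srv-db01", "ids",   "exploit"),       # exploit attempt, nothing followed
    ("2015-03-19T16:30:00", "srv-db01", "proxy", "callback"),      # 5.5 h later: outside the gap
]


def parse(ts):
    """Parse the ISO-style timestamp used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(events, max_gap=timedelta(hours=3)):
    """Return {host: {"chain": [phases seen in order], "uncorrelated": n}}.

    A chain may only begin with an exploit (the phase the talk says is key
    to detect, since later phases may be encrypted).  Each further phase is
    linked only if it is the next expected one and arrives within max_gap
    of the previous linked phase; anything else counts as uncorrelated noise.
    """
    by_host = defaultdict(list)
    for ts, host, sensor, phase in events:
        by_host[host].append((parse(ts), sensor, phase))

    results = {}
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        chain, last_time, uncorrelated = [], None, 0
        for when, sensor, phase in evs:
            expected = PHASES[len(chain)] if len(chain) < len(PHASES) else None
            in_window = last_time is None or when - last_time <= max_gap
            if phase == expected and in_window:
                chain.append(phase)
                last_time = when
            else:
                uncorrelated += 1
        results[host] = {"chain": chain, "uncorrelated": uncorrelated}
    return results


def triage(results, min_phases=2):
    """Hosts whose chain reached at least min_phases, most advanced first.

    This is the 'one real event' surfaced from the noise: a lone exploit
    alert that went nowhere, or a lone new domain, does not make the list.
    """
    hits = [(host, r["chain"]) for host, r in results.items()
            if len(r["chain"]) >= min_phases]
    return sorted(hits, key=lambda hc: (-len(hc[1]), hc[0]))


if __name__ == "__main__":
    res = correlate(SAMPLE_EVENTS)
    for host, r in res.items():
        print(f"{host:9s} chain={' -> '.join(r['chain']) or '-':55s} noise={r['uncorrelated']}")
    print("triage:", triage(res))
```

Only ws-0142 reaches triage: its four alerts came from three different sensors, none of which would be conclusive alone. A fixed gap between stages is the obvious weakness given the 205-day dwell times quoted above; in practice the persistence stage is what keeps a host "open" for later exfiltration, so production rules keep the chain alive per host rather than expiring it after a few hours.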


RSA conference Europe Wrap Up / Final Thoughts

I’ll keep this relatively brief as I have already covered this conference in some detail while blogging live from the event. I think the write-ups ended up around 12,000 words in total across the three days! I hope you have managed to read those covering content that was of interest to you – there was certainly a lot of information there that I found useful!

As usual with conferences like this, some of the presentations had a slight vendor bias, a prime example being companies like EMC championing the need to prioritise spending from limited security budgets on more advanced tools for detecting and preventing longer-term advanced threats (Advanced Persistent Threats – APT) at the expense of older, more stable technologies such as AV. EMC is currently selling and promoting products in this area. This was followed by Symantec, who obviously highlighted that they think AV is still critical and should continue to be invested in – unsurprising, as anti-virus / anti-malware is still one of their key products and revenue streams.

On this point I fall between the two: I completely agree AV is still important, but due to the maturity of the market and the quality of most products you should be looking to drive costs down in this area while still maintaining an acceptable level of quality. By managing costs in established areas and looking for endpoint solutions that cover multiple vectors such as AV, firewalling, DLP etc., you should hopefully be able to free up budget to invest in some of the newer, more advanced tools or to improve key areas such as your log monitoring and correlation capabilities.

Overall the presentations remained fairly vendor neutral and contained loads of useful content. Highlights for me included:

– Wireless hacking demos

– Man-in-the-browser demos

– Discussion around the state of the industry

– Presentations on building a cyber-security capability and improving the way we in security can interact with the business

– Presentations on the threat landscape

All of which were covered in the conference blog posts.

To wrap up my commentary on the conference, I’ll finish with a few of what were, for me, the key take-away points:

– Understand your environment and your industry – where is your data, what are your important assets and what are the key threats to your organisation? If you don’t know this, how can you know what to protect and how?

– Following on from that, make sure you are protecting the right things, and to the correct level.

– Read useful reports such as the Verizon Data Breach Investigations Report – the data is frankly eye-opening if you are not yet aware of how long most breaches take to be discovered and how poorly protected many businesses are (416 days and likely to rise).

– Become better at interfacing with the business – it is our job to make sure the decision makers at the highest level are aware of the risks and what they mean to our business / organisation. Board-level executives may choose to accept or ignore risks, but they should do so with full awareness of the threat landscape and our risks. If the business / the board are unaware of the risks to the environment, this is 100% our failing. If they accept a risk, knowing it may be exploited, and we are breached, it is on them. If your organisation is exploited and the board / business were unaware, then it is on us.

– Finally, it reminded me how much I love IT security and creating secure solutions and environments! Take pride in what you do and do it well; jobs, money and people’s identities rely on us doing this right.

As always, feel free to ask if you want any more information, I’m more than happy to evangelise on these topics!