Q: It's interesting to note that FireEye has cloud-based updating mechanism to rapidly deploy countermeasures and updates. But by going the way of the cloud, isn't FireEye also exposing itself to open threats, since the cloud isn't as secure as we believe it should be?
The FireEye Malware Protection Cloud interconnects FireEye appliances deployed within customer networks, technology partner networks, and service providers around the world. This worldwide cloud efficiently shares auto-generated malware security intelligence, such as covert callback channels, as well as new threat findings from the FireEye Malware Intelligence Lab.
When an appliance confirms an attack locally, it generates a dynamic and anonymised signature of the attack and distributes it through the Cloud to warn other users:
• Malware attack profiles, including identifiers of malware code, exploit URLs and other sources of inbound infections and attacks
• Analysis of email attachments and URLs
• Fully qualified malware callback destinations (Destination IP address, protocols used, ports used) that identify malicious websites and email sources
• Malware communication protocol characteristics, such as custom commands used to instantiate transmission sessions
• Third-party threat intelligence feeds from many different sources, which are then automatically validated using FireEye technology and added into the MPC subscription feed
The biggest fear to cloud adoption is that customers are concerned on how their data is being secured in the cloud infrastructure. FireEye understand this and as such, we do not host any customers' confidential data on our systems. Instead, our cloud system merely serves as delivery mechanism to collect and distribute threat intelligence. Customers have benefited greatly from this as this serves as a real-time early warning indicator for new zero-day threats emerging on the Internet.
Q: How do you measure ROI on security products, especially if their usefulness is only realised when "what if" situations materialise?
According to the recent Advance Threat Report we published, advanced malware evading signature-based detection has increased nearly 400 percent since 2011, to an average of 643 successful infections per week per company.
While patterns of attack were radically different between the financial services, energy/utilities, healthcare, and technology industries, one constant remains — industries with significant intellectual property or customer and financial data remain the primary targets as attacks increase.
According to HotForSecurity, in 2011 hackers earned US$12.5 billion, mainly by spamming, phishing, and online frauds. Some companies have made their financial losses public, while others chose not to disclose them. Here are some examples (from HOTforSecurity):
• US$171 million — Sony: Hacked in April to June 2011, Sony is by far the most famous recent security attack. After its Playstation network was shut down by LulzSec, Sony reportedly lost almost US$171 million. The hack affected 77 million accounts and is still considered the worst gaming community data breach ever. Attackers stole valuable information: full names, logins, passwords, e-mails, home addresses, purchase history, and credit card numbers.
• US$2.7 million — Citigroup: Hacked in June 2011, Citigroup was not a difficult target for hackers. They exploited a basic online vulnerability and stole account information from 200,000 clients. Because of the hacking, Citigroup said it lost US$2.7 million. Just a few months before the attack, the company was affected by another security breach. It started at Epsilon, an email marketing provider for 2,500 large companies including Citigroup. Specialists estimated that the Epsilon breach affected millions of people and produced an overall $4 billion loss.
Other examples from CSO Online:
• RSA Security (March 2011 — possibly 40 million employee records stolen; estimated impact: US$66 million): The impact of the cyber attack that stole information on the company's SecurID authentication tokens is still being debated. The company said two separate hacker groups worked in collaboration with a foreign government to launch a series of spear phishing attacks against RSA employees, posing as people the employees trusted, to penetrate the company's network. EMC reported last July that it had spent at least $66 million on remediation. But according to RSA executives, no customers' networks were breached.
• Stuxnet (Sometime in 2010, but origins date to 2007): Meant to attack Iran's nuclear power program, but will also serve as a template for real-world intrusion and service disruption of power grids, water supplies or public transportation systems. The immediate effects of Stuxnet were minimal — at least in the U.S., but it was the first that bridged the virtual and real worlds.
• Google/other Silicon Valley companies (Mid-2009 — Stolen intellectual property): In an act of industrial espionage, the Chinese government launched a massive and unprecedented attack on Google, Yahoo, and dozens of other Silicon Valley companies. The Chinese hackers exploited a weakness in an old version of Internet Explorer to gain access to Google's internal network. It was first announced that China was trying to gather information on Chinese human rights activists. It's not known exactly what data was stolen from the American companies, but Google admitted that some of its intellectual property had been stolen and that it would soon cease operations in China. For users, the urgent message is that those who haven't recently updated their web browser should do so immediately.
So it is obvious that the threat landscape is changing and organisations have to adjust to this.
If we talk about cyber attacks on a nation-level, then the possible ROI is beyond material impact if you think just about the possibility of potentially bringing down a country's power grid or telecommunications networks. In this context, we have to argue the same we would discuss other investments as part of a country's defence spending.
Sign up for Computerworld eNewsletters.