I attended a lunch and learn today on Fireeye and BlueCoat. I’ve used BlueCoat for 5 years, so I’m familiar with that. I was interested in learning more about Fireeye. I’d never looked at them before, but had heard good things from peers.
The have appliances that look at HTTP or SMTP. They don’t replace existing security technology like Firewall, IPS, AV proxy, URL filtering, or desktop security suites. Rather Fireeye acts as supplemental detection. Those technologies rely primarily on signatures and have some heuristics. Fireeye uses virtualization to execute inbound files, look at the results and determine if bad things are happening. I used to manually upload suspicious executables to places like the Norman sandbox and get back a report on the files dropped and registry files changed or network connections attempted. This does that but at wired speed for everything. In addition to that, there detection of exfiltration.
This is just a report of a lunchtime seminar, not a hands on eval, so I present much of a critical eye.
Another attendee asked a common question. “Isn’t it common for malware to have anti-analysis features such as virtualization detection. How does Fireeye deal with that?” The response in the seminar was that it is hardware virtualization. It isn’t as simple as detecting the hypervisor. From other comments I’ve seen, there is added obfuscation occurring to prevent that detection.
In the game of spy versus spy, you wonder what the man in black will do next once you “check” him with this appliance. If the bad guy knows you have this watching 80, why not send a phish with a link to FTP . Also what happens if the bad guy uses another allowed port for HTTP?
There are some purchases where years and years later you still feel smarter than the average bear. Then there are other purchases where sooner rather than later that technology is absorbed back into the standard product. How many people still buy antispyware software in addition to antivirus?
Fireeye sounds like an interesting product. If you’d like to share your experience with that or even a competitor share your comments below.