Just four months after its high-profile $1 billion acquisition of Mandiant, FireEye today announced that it plans to buy privately held network forensics firm nPulse Technologies for $60 million in cash and the issue of $10 million in stock. The deal is expected to close in the second quarter of this year, contingent upon specific milestones that FireEye would not disclose publicly.
The acquisition of Charlottesville, Va.-based nPulse provides FireEye a big missing piece of the puzzle for rapid detection, mitigation, and cleanup of attacks: high-speed full packet capture of network traffic at speeds of 10 gigabits per second. Full packet capture is considered a crucial, yet not-so widely adopted, practice among enterprises that can make all the difference in minimizing any damage from malware or other malicious activity.
"We didn't have [full packet capture] before; this is a new capability" for FireEye, says Dave Merkel, CTO at FireEye. "The faster we can see a breach and fix it, the greater the likelihood of [minimizing] the impact."
Merkel says the ability to index in near real-time the packet traffic will provide more context to security events "incredibly quickly," he says.
Tim Sullivan, CEO of nPulse, says some existing security tools focus more on the capture of packet than the actual analysis, so investigating what traffic to and from a particular domain means can take as much as 16 to 24 hours to complete. "It's really easy to [capture] packets off the network and stuff them somewhere," he says. But providing context around that information quickly is something that those products have been missing.
"Mandiant has held us to a design goal, a goal of having IR complete in an hour, and that's ours [goal], too," Sullivan says.
[How to keep calm and avoid common mistakes in an incident response operation. Read What Not To Do In a Cyberattack]
The nPulse family of products, which include Cyclone nSpector, Capture Probe eXtreme, and Security Probe eXtreme, help round out FireEye's purchase of Mandiant's host-based endpoint forensics software.
Both Mandiant and nPulse products focus on forensics, but Mandiant's software provides visibility into what's going on inside the endpoint machine, while nPulse focuses on the outside of the machine, Merkel says. "nPulse is looking at what's going on outside the endpoints," he says. "The two platforms together provide a "true end to end forensic view," he says.
He says the combination of FireEye's Threat Prevention Platform, Mandiant's host-based software, and nPulse's full packet capture and indexing of traffic would allow a victim organization to gather intelligence in real-time about an attack, according to Merkel. "If an attack gets through and exploits some credentials and starts logging into other systems laterally... with nPulse, you have a record of that information and can ask questions in real-time, [such as] what systems were accessed laterally?" he says.
Said David DeWalt, chairman of the board and CEO of FireEye: "The new reality of security is that every organization has some piece of malicious code within their network. The more important question is: has that code been able to execute any compromising activity that puts the organization at risk, and if so, what data left the network? With the addition of the nPulse solution, the FireEye platform will have a 'flight recorder' for security analytics. By incorporating real-time breach information from the endpoint and the network, we’re building a single platform to provide the most in-depth attack information and the right data to protect and remediate before a compromise turns catastrophic."
John Oltsik, senior principal analyst for the Enterprise Security Group, applauded the move by FireEye. "Today, enterprises need as much insight into breaches to understand them in tremendous detail," he said. "By combining endpoint and network visibility, FireEye gives security teams the information they require to respond to attacks and remediate threats of advanced attacks quickly with the right intelligence, analytics, and automation."