
FireEye Buys Mandiant In $1 Billion Deal

APT-specialty vendors kick off 2014 with major acquisition news and plans for a next-generation, VM-based IPS

FireEye announced today that it has purchased privately held incident response (IR) and endpoint security firm Mandiant in a $1 billion deal consisting of 90 percent in stock and 10 percent in cash transactions.

The two firms already had close ties. In April 2012, they said they would integrate FireEye's network detection with Mandiant's host-based detection features to offer more comprehensive protection against advanced attacks. The goal was to correlate FireEye's malware analysis with Mandiant's endpoint view for a more complete picture of an attack, the companies said at the time.

The acquisition created quite a buzz around the industry today, with two leading-edge and widely respected security firms now under one roof. Mandiant will become a global services and cloud solutions arm of FireEye, offering security consulting, incident response, and managed services. Its endpoint threat detection and response line will be incorporated into FireEye's new Oculus continuous monitoring platform.

Kevin Mandia, founder and CEO of Mandiant, was named senior vice president and chief operating officer of FireEye. "This is an exciting day," Mandia said in an investor call about the acquisition. "What I've learned ... is that every customer wants host-based protection and a network-based product. We want to bridge these so when there's a network alert" it's handled quickly at the affected endpoints, he said. "People have been asking us for this for years, and we're going to provide it."

David DeWalt, chairman of the board and chief executive officer of FireEye, called Mandiant the "gold standard" in security. "They often get the first call when a serious breach occurs in an organization," he said. "Strategically, Mandiant brings us closer to the breach when it occurs."

DeWalt said the acquisition of Mandiant, which made $100 million in revenue last year, fits with the company's stated strategy during its IPO tour last year. He said the addition of Mandiant's family of products allows the company to leverage the endpoint management framework for its virtual machine (VM)-based technology in its Multi-Vector Virtual Execution engine, which supports real-time threat protection for Web, email, data center, and mobile and is used by some 1,500 customers in the government and private sector.

One of the first fruits of the acquisition: a VM-based next-generation intrusion prevention system (IPS) that will roll out in the first quarter of this year, DeWalt said. "There are other products in our pipeline that we are not announcing today" as well, he said.

Mandiant's roughly 500 employees bring the FireEye employee count to around 2,000, he said, spanning more than 40 countries. Mandiant traditionally has had a tiny international presence, with less than 5 percent of its sales outside the U.S., so the acquisition will give the firm global exposure. "We will deliver a full array of services in vulnerability assessment, incident response management, and continuous monitoring," DeWalt said.

Mandiant became more of a household name early last year when it published a detailed report exposing APT-1, a Chinese cyberespionage unit associated with the Chinese military. The firm's report on APT-1 said the unit had been behind targeted attacks on hundreds of companies across 20 major industries, mainly in English-speaking countries.

"We have been on the frontlines of the cyberbattle field. Who are you gonna call? Mandiant owns that space, and it's an important space to own," Mandia said of his 9-year-old company. "We started building footprints of an attacker ... FireEye's virtual detection is the best detection" of advanced malware, he said.

"It was a natural fit with our responding and containing" of the threat strategy, said Mandia, who noted that Mandiant has worked with 33 percent of the Fortune 100, and its 500 customers represent 13 different industry sectors. About half of its sales come from endpoint products and subscriptions, he said, and the other half from incident response engagements.

Mandiant competitor AccessData says the acquisition demonstrates how IR and forensics are becoming "hot." Craig Carpenter, senior vice president of strategy for AccessData, says forensics and IR are now part and parcel of cybersecurity. "The reason for this deal is that we now live in a world of constant compromise. When you know you will be compromised, you can’t just continue trying to keep the bad guys out -- you also need to investigate every compromise, figure out what happened, prevent it from ever happening again, and clean up the mess," he says.

But Carpenter says Mandiant's approach to IR "only makes sense if a customer will only get compromised once" -- which is obviously not the case for virtually anyone -- "or where the compromise is a bespoke event that must be dealt with as a one-off."

And "for every other compromise, companies need and want to be able to handle things in-house as much as possible," Carpenter says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
