FireEye Buys Mandiant In $1 Billion Deal

APT-specialty vendors kick off 2014 with major acquisition news and plans for a next-generation, VM-based IPS

FireEye today announced that it has purchased privately held incident response (IR) and endpoint security firm Mandiant in a $1 billion deal consisting of 90 percent stock and 10 percent cash.

The two firms already had close ties. In April 2012, they said they would integrate FireEye's network detection with Mandiant's host-based detection features to offer more comprehensive protection against advanced attacks. The goal was to correlate FireEye's malware analysis with Mandiant's endpoint view for a more complete picture of an attack, the companies said at the time.

The acquisition created quite a buzz around the industry today, with two leading-edge and widely respected security firms now under one roof. Mandiant will become a global services and cloud solutions arm of FireEye, offering security consulting, incident response, and managed services. Its endpoint threat detection and response line will be incorporated into FireEye's new Oculus continuous monitoring platform.

Kevin Mandia, founder and CEO of Mandiant, was named senior vice president and chief operating officer of FireEye. "This is an exciting day," Mandia said in an investor call about the acquisition. "What I've learned ... is that every customer wants host-based protection and a network-based product. We want to bridge these so when there's a network alert" it's handled quickly at the affected endpoints, he said. "People have been asking us for this for years, and we're going to provide it."

David DeWalt, chairman of the board and chief executive officer of FireEye, called Mandiant the "gold standard" in security. "They often get the first call when a serious breach occurs in an organization," he said. "Strategically, Mandiant brings us closer to the breach when it occurs."

DeWalt said the acquisition of Mandiant, which made $100 million in revenue last year, fits with the company's stated strategy during its IPO tour last year. He said the addition of Mandiant's family of products allows the company to leverage the endpoint management framework for its virtual machine (VM)-based technology in its Multi-Vector Virtual Execution engine, which supports real-time threat protection for Web, email, data center, and mobile and is used by some 1,500 customers in the government and private sector.

One of the first fruits of the acquisition: a VM-based next-generation intrusion prevention system (IPS) that will roll out in the first quarter of this year, DeWalt said. "There are other products in our pipeline that we are not announcing today" as well, he said.

Mandiant's around 500 employees bring the FireEye employee count to around 2,000, he said, spanning more than 40 countries. Mandiant traditionally has had a tiny international presence, with less than 5 percent of its sales outside the U.S., so the acquisition will give the firm global exposure. "We will deliver a full array of services in vulnerability assessment, incident response management, and continuous monitoring," DeWalt said.

Mandiant became more of a household name early last year when it published a detailed report exposing APT-1, a Chinese cyberespionage unit associated with the Chinese military. The firm's report on APT-1 said the unit had been behind targeted attacks on hundreds of companies across 20 major industries, mainly in English-speaking countries.

"We have been on the front lines of the cyber battlefield. Who are you gonna call? Mandiant owns that space, and it's an important space to own," Mandia said of his 9-year-old company. "We started building footprints of an attacker ... FireEye's virtual detection is the best detection" of advanced malware, he said.

"It was a natural fit with our responding and containing" of the threat strategy, said Mandia, who noted that Mandiant has worked with 33 percent of the Fortune 100, and its 500 customers represent 13 different industry sectors. About half of its sales come from endpoint products and subscriptions, he said, and the other half from incident response engagements.

Mandiant competitor AccessData says the acquisition demonstrates how IR and forensics are becoming "hot." Craig Carpenter, senior vice president of strategy for AccessData, says forensics and IR are now part and parcel of cybersecurity. "The reason for this deal is that we now live in a world of constant compromise. When you know you will be compromised, you can't just continue trying to keep the bad guys out -- you also need to investigate every compromise, figure out what happened, prevent it from ever happening again, and clean up the mess," he says.

But Carpenter says Mandiant's approach to IR "only makes sense if a customer will only get compromised once" -- which is obviously not the case for virtually anyone -- "or where the compromise is a bespoke event that must be dealt with as a one-off."

And "for every other compromise, companies need and want to be able to handle things in-house as much as possible," Carpenter says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
