
FireEye Buys Mandiant In $1 Billion Deal

APT-specialty vendors kick off 2014 with major acquisition news and plans for a next-generation, VM-based IPS

FireEye announced today that it has purchased privately held incident response (IR) and endpoint security firm Mandiant in a $1 billion deal consisting of 90 percent in stock and 10 percent in cash transactions.

The two firms already had close ties. In April 2012, they said they would integrate FireEye's network detection with Mandiant's host-based detection features to offer more comprehensive protection against advanced attacks. The goal was to correlate FireEye's malware analysis with Mandiant's endpoint view for a more complete picture of an attack, the companies said at the time.

The acquisition created quite a buzz around the industry today, with two leading-edge and widely respected security firms now under one roof. Mandiant will become a global services and cloud solutions arm of FireEye, offering security consulting, incident response, and managed services. Its endpoint threat detection and response line will be incorporated into FireEye's new Oculus continuous monitoring platform.

Kevin Mandia, founder and CEO of Mandiant, was named senior vice president and chief operating officer of FireEye. "This is an exciting day," Mandia said in an investor call about the acquisition. "What I've learned ... is that every customer wants host-based protection and a network-based product. We want to bridge these so when there's a network alert" it's handled quickly at the affected endpoints, he said. "People have been asking us for this for years, and we're going to provide it."

David DeWalt, chairman of the board and chief executive officer of FireEye, called Mandiant the "gold standard" in security. "They often get the first call when a serious breach occurs in an organization," he said. "Strategically, Mandiant brings us closer to the breach when it occurs."

DeWalt said the acquisition of Mandiant, which made $100 million in revenue last year, fits with the company's stated strategy during its IPO tour last year. He said the addition of Mandiant's family of products allows the company to leverage the endpoint management framework for its virtual machine (VM)-based technology in its Multi-Vector Virtual Execution engine, which supports real-time threat protection for Web, email, data center, and mobile and is used by some 1,500 customers in the government and private sector.

One of the first fruits of the acquisition: a VM-based next-generation intrusion prevention system (IPS) that will roll out in the first quarter of this year, DeWalt said. "There are other products in our pipeline that we are not announcing today" as well, he said.

Mandiant's roughly 500 employees bring the FireEye employee count to around 2,000, he said, spanning more than 40 countries. Mandiant traditionally has had a tiny international presence, with less than 5 percent of its sales outside the U.S., so the acquisition will give the firm global exposure. "We will deliver a full array of services in vulnerability assessment, incident response management, and continuous monitoring," DeWalt said.

Mandiant became more of a household name early last year when it published a detailed report exposing APT-1, a Chinese cyberespionage unit associated with the Chinese military. The firm's report on APT-1 said the unit had been behind targeted attacks on hundreds of companies across 20 major industries, mainly in English-speaking countries.

"We have been on the frontlines of the cyberbattle field. Who are you gonna call? Mandiant owns that space, and it's an important space to own," Mandia said of his 9-year-old company. "We started building footprints of an attacker ... FireEye's virtual detection is the best detection" of advanced malware, he said.

"It was a natural fit with our responding and containing" of the threat strategy, said Mandia, who noted that Mandiant has worked with 33 percent of the Fortune 100, and its 500 customers represent 13 different industry sectors. About half of its sales come from endpoint products and subscriptions, he said, and the other half from incident response engagements.

Mandiant competitor AccessData says the acquisition demonstrates how IR and forensics are becoming "hot." Craig Carpenter, senior vice president of strategy for AccessData, says forensics and IR are now part and parcel of cybersecurity. "The reason for this deal is that we now live in a world of constant compromise. When you know you will be compromised, you can’t just continue trying to keep the bad guys out -- you also need to investigate every compromise, figure out what happened, prevent it from ever happening again, and clean up the mess," he says.

But Carpenter says Mandiant's approach to IR "only makes sense if a customer will only get compromised once" -- which is obviously not the case for virtually anyone -- "or where the compromise is a bespoke event that must be dealt with as a one-off."

And "for every other compromise, companies need and want to be able to handle things in-house as much as possible," Carpenter says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
