FireEye today announced today that it has purchased privately held incident response (IR) and endpoint security firm Mandiant in a $1 billion deal consisting of 90 percent in stock and 10 percent in cash transactions.

The two firms already had close ties. In April 2012, they said they would integrate FireEye's network detection with Mandiant's host-based detection features to offer more comprehensive protection against advanced attacks. The goal was to correlate FireEye's malware analysis with Mandiant's endpoint view for a more complete picture of an attack, the companies said at the time.

The acquisition created quite a buzz around the industry today, with two leading-edge and widely respected security firms now under one roof. Mandiant will become a global services and cloud solutions arm of FireEye, offering security consulting, incident response, and managed services. Its endpoint threat detection and response line will be incorporated into FireEye's new Oculus continuous monitoring platform.

Kevin Mandia, founder and CEO of Mandiant, was named senior vice president and chief operating officer of FireEye. "This is an exciting day," Mandiant said in an investor call about the acquisition. "What I've learned ... is that every customer wants host-based protection and a network-based product. We want to bridge these so when there's a network alert" it's handled quickly at the affected endpoints, he said. "People have been asking us for this for years, and we're going to provide it."

David DeWalt, chairman of the board and chief executive officer of FireEye, called Mandiant the "gold standard" in security. "They often get the first call when a serious breach occurs in an organization," he said. "Strategically, Mandiant brings us closer to the breach when it occurs."

DeWalt said the acquisition of Mandiant, which made $100 million in revenue last year, fits with the company's stated strategy during its IPO tour last year. He said the addition of Mandiant's family of products allows the company to leverage the endpoint management framework for its virtual machine (VM)-based technology in its Multi-Vector Virtual Execution engine, which supports real-time threat protection for Web, email, data center, and mobile and is used by some 1,500 customers in the government and private sector.

One of the first fruits of the acquisition: a VM-based next-generation intrusion prevention system (IPS) that will roll out in the first quarter of this year, DeWalt said. "There are other products in our pipeline that we are not announcing today" as well, he said.

Mandiant's around 500 employees bring the FireEye employee count to around 2,000, he said, spanning more than 40 countries. Mandiant traditionally has had a tiny international presence, with less than 5 percent of its sales outside the U.S., so the acquisition will give the firm global exposure. "We will deliver a full array of services in vulnerability assessment, incident response management, and continuous monitoring," DeWalt said.

Mandiant became more of a household name early last year when it published a detailed report exposing APT-1, a Chinese cyberespionage unit associated with the Chinese military. The firm's report on APT-1 said the unit had been behind targeted attacks on hundreds of companies across 20 major industries, mainly in English-speaking countries.

"We have been on the frontlines of the cyberbattle field. Who are you gonna call? Mandiant owns that space, and it's an important space to own," Mandia said of his 9-year-old company. "We started building footprints of an attacker ... FireEye's virtual detection is the best detection" of advanced malware, he said.

"It was a natural fit with our responding and containing" of the threat strategy, said Mandia, who noted that Mandiant has worked with 33 percent of the Fortune 100, and its 500 customers represent 13 different industry sectors. About half of its sales come from endpoint products and subscriptions, he said, and the other half from incident response engagements.

Mandiant competitor Access Data says the acquisition demonstrates how IR and forensics are becoming "hot." Craig Carpenter, senior vice president of strategy for AccessData, says forensics and IR are now part and parcel of cybersecurity. "The reason for this deal is that we now live in a world of constant compromise. When you know you will be compromised, you can’t just continue trying to keep the bad guys out -- you also need to investigate every compromise, figure out what happened, prevent it from ever happening again, and clean up the mess," he says.

But Carpenter says Mandiant's approach to IR "only makes sense if a customer will only get compromised once" -- which is obviously not the case for virtually anyone -- "or where the compromise is a bespoke event that must be dealt with as a one-off."

And "for every other compromise, companies need and want to be able to handle things in-house as much as possible," Carpenter says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.