Startup Of The Week: FireEyeStartup Of The Week: FireEye
FireEye deploys virtual victims to uncover new malware.
January 29, 2009
FireEye aims to protect enterprises from Web-based security threats, including malware and botnets. The company deploys an appliance on the customer premises that runs suspicious Web and network traffic against a set of virtual computers. It alerts administrators if a virtual computer gets compromised. It also can help IT find PCs that might have malware trying to contact a control server or botnet.
--Andrew Conry-Murray FIREEYE
HEADQUARTERS: Milpitas, Calif.
PRODUCT: FireEye 4200 security appliance, Malware Analysis & Exchange Network
PRINCIPALS: Ashar Aziz, founder and CEO; Bahman Mahbod, VP of engineering; Zane M. Taylor, VP of operations
INVESTORS: Sequoia Capital, Norwest Venture Partners, Jafco, SVB Capital, DAG Ventures, Juniper Networks
EARLY CUSTOMERS: University of California, Berkeley; Canaras Capital
BACKGROUND: Founder Aziz also founded Terraspring, a data center automation and virtualization company. Terraspring was acquired by Sun Microsystems and became Sun N1, with Aziz as the technology leader for N1.
"The browser is the new target for malware," says founder and CEO Aziz. "Legitimate Web sites are being compromised and downloading malware onto computers that come to visit them." He also says malware is highly dynamic, making it hard for traditional signatures and URL databases to keep up with changing attacks and compromised Web sites. FireEye employs several different technologies, including heuristics and virtual machines, to detect real-time attacks against PCs while also keeping false positives to a minimum. How It Works FireEye deploys an appliance at customer sites. The appliance sits out of band but monitors all inbound network traffic. The company combines signatures and heuristics to examine inbound traffic for evidence of suspicious behavior. "We have tuned these algorithms to be highly sensitive, which increases the rate of potential false positives," says Aziz.
To counteract false positives, it captures and replays suspect traffic against a set of virtual machines that run inside the appliance. These VMs imitate full PCs, including operating systems and applications. If a virtual victim gets compromised, the system knows there was an attack on the wire and will alert administrators.
Administrators can share information with FireEye's Malware Analysis & Exchange Network. This network automatically updates other FireEye appliances so that they can identify exploit code without having to run traffic through a virtual machine.
The FireEye system can't block attacks.
FireEye combines concepts from intrusion detection, honeypots, and virtualization to create a new wrinkle for protecting against dynamic malware.
The product's inability to stop attacks may appeal to customers that don't want a startup to be responsible for blocking traffic. However, companies must be prepared to invest the resources into chasing down alerts and remediating exploits. The 4200 isn't a set-it-and-forget-it product.
We'd like to see FireEye more tightly integrate with URL-blocking technology and trouble-ticket systems.
About the Author(s)
You May Also Like
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023
Everything You Need to Know About DNS AttacksNov 30, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks