3.
Virtual Machine-Based Model of Detection
• Purpose-built for security
• Hardened hypervisor
• Scalable
• Portable
Security Needs To Be To Address The New Threat Landscape
Finds known/unknown cyber-attacks in real time across all vectors
4.
FireEye’s Technology: State of the Art Detection
Pipeline stages: Detonate, Analyze, Correlate (500,000 objects/hour)
Analysis scope: within VMs, across VMs, cross-enterprise
Vectors covered: Network, Email, Mobile, Files
Attack stages detected: Exploit, Callback, Malware Download, Lateral Transfer, Exfiltration
6.
Why Trust FireEye?
• 11 of 13 zero days from 2013 discovered by FireEye
• First to detect malware over 80% of the time (compared to traditional AV engines)
• 55: industry-leading Customer Net Promoter Score
7.
Real World Tests, Real World Results
Data Collection Methodologies: Dynamic Threat Intelligence, Email Threat Prevention, Network Threat Prevention
• 1,614 NX and EX PoV appliances with 2-way sharing license, from October 2013 to March 2014
• 348-customer survey of deployment topology at time of PoV
8.
Real World Tests, Real World Results By the Numbers
What Was Discovered During FireEye PoV
• 1216* PoV customers
• 20+ industries
• 63 countries
• 97% of customers compromised
• 27% had APT
* 1217 PoVs executed (one customer conducted two PoVs)
9.
FireEye PoV Customers By Region
Region        Number of PoV Customers   % PoV
N. America    528                       43%
EMEA          351                       29%
APAC          242                       20%
Japan         54                        4%
LATAM         38                        3%
ROW           3                         <1%
10.
FireEye PoV Customers By Industry
Financial                 18%
Government                16%
High-Tech                 7%
Chemical & Manufacturing  7%
Consulting                7%
Energy                    6%
Retail                    5%
Healthcare                4%
Others (12+)              30%
11.
Traditional Defense Fails to Stop Today’s Threats
Attack chain: Exploit, Malware Download, Command and Control
• 97% of PoV customers were compromised (attacks went through customers’ defense)
• 75% of PoV customers had CnC communication
12.
Today’s Malware is Highly Targeted
75% of all the unique malware detected was seen ONCE
• 208,184 malware downloads
• 124,289 unique malware
• 93,755 malware seen ONCE
13.
Traditional Security Solutions in PoV
Firewall (212): Cisco, Check Point, PAN, Juniper, Fortinet, Others
Proxy (119): Blue Coat, WebSense, Cisco, McAfee, Fortinet, Others
IDS/IPS (138): McAfee, Cisco, HP, SourceFire, Check Point, Others
Network AV (75): McAfee, Symantec, Trend, Microsoft, Kaspersky, Others
Desktop AV (169): McAfee, Symantec, Trend, Microsoft, Sophos, Others
14.
AV Ineffective for Today’s Threat
• 124,289 unique malware MD5s during PoVs
• 63,035 MD5s known to the top 6 AV vendors in PoV
• 25% of malware undetected by any of the top 6 AVs
• 62% of malware undetected by at least 4 of the top 6 AVs
15.
File-based Sandbox Also Insufficient for Today’s Threat
• 18 PoV customers reported having a file-based sandbox
• 15 PoV customers had compromised endpoints with active callback
They were protected by: (vendor breakdown chart: 32%, 32%, 11%, 11%, 5%, 5%, 5%; vendor labels not recoverable)
16.
Severity scale: 1 (Low) to 5 (High)

Level 1 (Low)
Behavior: Ignorant of environment; fixed behavior; no data theft capacity.
Risk Exposure: Nuisance infection, loss of productivity; cost of cleaning up the device and restoring it.

Level 2
Behavior: Noisy; sends spam or DDoS; consumes system-wide resources; is able to send and receive instructions.
Risk Exposure: Leads to disruption and potential for embarrassment as a source of illegal activity.

Level 3
Behavior: Steals personal data (identity theft, banking information, credit cards, social security numbers); resilient communication system; modular system with incremental payloads.
Risk Exposure: Reputation risk; targets sensitive and controlled data; disclosure has potential for reduced morale/confidence from victims; grievances and regulatory controls may lead to possible legal action.

Level 4
Behavior: Remotely controlled asset; highly functional; is able to hide; is aware of its environment; sells access and steals data to make money.
Risk Exposure: Financial risk; steals corporate credentials for network access, email, etc.; will leak or sell confidential information; provides exposure to all other threat levels.

Level 5 (High)
Behavior: Highly targeted; preferred tool of nation-state actors; stealthy campaigns.
Risk Exposure: Major business risk; espionage; steals competitive advantage (intellectual property, trade secrets, R&D, commercial and political data).

Malware category counts: APT 1, Trojan 17, Backdoor 1, Bot 5, Virus 1, Infostealer 2, Worm 1
18.
Example: Council on Foreign Relations (CFR) Attack
Lateral spread infecting more machines
About CFR:
• Independent, nonpartisan organization, think tank, and publisher
• Influential among US policy makers
• Members include preeminent personalities and corporations
19.
FireEye Platform: Workflow
1. FireEye Network Platforms monitor flows for events
MVX:
• Signature-less virtual execution technology
• Monitors for targeted and zero-day attacks
• Multi-vector threat defense
• Real-time threat protection
2. FireEye Network Platforms alert FireEye HX on event (+ OS change report)
20.
FireEye Platform: Workflow
3. FireEye HX validates endpoints for compromise
Agent Anywhere™ automatically investigates endpoints no matter where they are:
• Reach endpoints anywhere
• Understand what happened without forensics
• Detect events in the past
Endpoint locations shown: airplane, hotel, corporate headquarters, home office, coffee shop
21.
FireEye Platform: Workflow
4. Contain & isolate compromised devices
Deny attackers access to systems with a single mouse click while still allowing remote investigation.
Endpoint locations shown: airplane, hotel, corporate headquarters, home office, coffee shop
22.
Large and Growing Base of Customers
Segments: Small Medium Enterprise, Government, Infrastructure, High Tech, Healthcare, Financial Services, Insurance, Retail
23.
Key Takeaways: FireEye by the Numbers
• 54M malware events detected in customer networks in 2013
• 45M callbacks to 184 countries detected in 2013
• 248 APT campaigns detailed in the APT Encyclopedia
• 4M purpose-built VMs and endpoint agents deployed at points of attack
• 1000s of incidents addressed by FireEye security experts
• 1500+ customers across various verticals actively contributing to threat intelligence